Run the entire installation of the compat layer in a container, without requiring root privileges

.github/workflows/build-and-publish-bootstrap-container.yml

@@ -4,14 +4,14 @@ on:
     branches:
       - main
     paths:
-      - Dockerfile.bootstrap-prefix-centos8
+      - Dockerfile.bootstrap-prefix-debian11
       - bootstrap-prefix.sh
 
   pull_request:
     branches:
       - main
     paths:
-      - Dockerfile.bootstrap-prefix-centos8
+      - Dockerfile.bootstrap-prefix-debian11
       - bootstrap-prefix.sh
 
 # Declare default permissions as read only.
@@ -48,7 +48,7 @@ jobs:
       - name: Build and push to GitHub Packages
         uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 #v3.2.0
         with:
-          tags: ghcr.io/${{ env.REPOSITORY_OWNER }}/bootstrap-prefix:centos8
-          file: Dockerfile.bootstrap-prefix-centos8
+          tags: ghcr.io/${{ env.REPOSITORY_OWNER }}/bootstrap-prefix:debian11
+          file: Dockerfile.bootstrap-prefix-debian11
           platforms: linux/amd64, linux/arm64, linux/ppc64le
           push: ${{ github.event_name != 'pull_request' }}

Dockerfile.bootstrap-prefix-debian11

@@ -0,0 +1,17 @@
+FROM debian:11-slim
+
+COPY bootstrap-prefix.sh /usr/local/bin/bootstrap-prefix.sh
+
+RUN apt-get update
+RUN apt-get install -y gcc g++ make diffutils libgmp-dev perl wget
+RUN apt-get install -y git python3-pip python3-cryptography
+RUN pip3 install --upgrade pip
+RUN pip3 install ansible
+RUN chmod 755 /usr/local/bin/bootstrap-prefix.sh
+
+ENV LC_ALL=C.UTF-8
+ENV PATH=/usr/local/bin:$PATH
+
+RUN groupadd -g 1000 portage && useradd -ms /bin/bash -u 1000 -g portage portage
+
+ENTRYPOINT ["/usr/local/bin/bootstrap-prefix.sh"]

README.md

@@ -8,124 +8,15 @@ An alternative would be the [NixOS](https://nixos.org/).
 
 ## Installation and Configuration
 
-### Prerequisites
-
-The bootstrap process will need a clean environment with C and C++ compilers (the system version of gcc and g++ will do) as well as the `make` command. It also is very sensitive to 
-the environment, so setup a user with unset `CFFLAGS`, `CFLAGS`, `LDFLAGS`, `PKG_CONFIG_PATH` and the always harmful `LD_LIBRARY_PATH` variables.
-
-EESSI provides a Docker container for this, which can be run via Singularity.
-
-### Bootstrapping Gentoo Prefix
-Gentoo Prefix provides a bootstrap script to build the prefix, see [Gentoo Prefix Bootstrap](https://wiki.gentoo.org/wiki/Project:Prefix/Bootstrap).
-We forked [this version](https://gitweb.gentoo.org/repo/proj/prefix.git/tree/scripts/bootstrap-prefix.sh?id=e77fd01734f21ec2e9c985c28ba4eb30c1b2bc9d)
-and made some modifications. See issue [#8](https://github.com/EESSI/compatibility-layer/issues/8) for more details. 
-
-You can run our version of the bootstrap script (see `bootstrap-prefix.sh`) inside the Singularity container by executing:
-```
-singularity run docker://ghcr.io/eessi/bootstrap-prefix:centos8
-```
-
-If you want to run your own version of the bootstrap script, use:
-```
-singularity exec docker://ghcr.io/eessi/bootstrap-prefix:centos8 ./bootstrap-prefix.sh
-```
-Our version of the script allows you to pick a custom snapshot for the Portage tree. This can be done by setting `CUSTOM_SNAPSHOT_URL` to
-a URL that points to a directory, and setting `CUSTOM_SNAPSHOT_URL` to the name of a snapshot file (must be a bzip2 archive). For instance:
-```
-env CUSTOM_SNAPSHOT_URL="http://cvmfs-s0.eessi-hpc.org/snapshots" CUSTOM_SNAPSHOT_VERSION="20201209" singularity run docker://ghcr.io/eessi/bootstrap-prefix:centos8
-```
-If you want to limit the supported/installed Python version(s), you can set the environment variable `PYTHON_TARGETS` before starting the bootstrap script. By only including a Python 3 version, you can prevent Python 2 from being installed, e.g.:
-```
-env PYTHON_TARGETS="python3_8" CUSTOM_SNAPSHOT_URL="http://cvmfs-s0.eessi-hpc.org/snapshots" CUSTOM_SNAPSHOT_VERSION="20201126" singularity run docker://ghcr.io/eessi/bootstrap-prefix:centos8
-```
-
-After starting the bootstrap have a long coffee...
-
-Once the bootstrap is completed, run the script to replace some paths with symlinks into the host OS:
-
-```
-scripts/prefix-symlink-host-paths.sh
-```
-
-In order to generate the right locales for your installation, see [this item](https://wiki.gentoo.org/wiki/Project:Prefix/FAQ#Add_an_en_US.UTF-8_locale)
-of the Gentoo Prefix FAQ.
-
-### Adding the EESSI overlay and packages
-Additional packages are added in the EESSI overlay, which is based on ComputeCanada.
-You can add them manually or in an automated way by using Ansible, being Ansible the preferred way. Below you can find the two options explained.
-
-#### Ansible playbook (Option 1)
-The installation of the EESSI-specific parts can be automatically executed by running the Ansible playbook `install.yml` inside the folder `ansible/playbooks`. 
-This playbook will install the [EESSI Gentoo overlay](https://github.com/EESSI/gentoo-overlay) and a set of packages, including `Lmod` and `archspec`. See the `README` in the `ansible/playbooks` folder for more details.
-
-#### Manually (Option 2)
-First, set `EPREFIX` to the path containing your Gentoo Prefix installation, and start the prefix:
-```
-export EPREFIX=/path/to/your/prefix
-${EPREFIX}/startprefix
-```
-Ensure that the configuration directory for repositories exists:
-```
-mkdir -p ${EPREFIX}/etc/portage/repos.conf
-```
-If you used `${PYTHON_TARGETS}` during the bootstrap, be sure to set it to the same value now, e.g.:
-```
-export PYTHON_TARGETS="python3_7"
-```
-
-Next, configure and sync the overlay:
-```
-emerge eselect-repository
-eselect repository add eessi git https://github.com/EESSI/gentoo-overlay.git
-emerge --sync eessi
-```
-
-After synchronizing the overlay, add the EESSI package set(s) that you would like to install, e.g. for set `2020.08`:
-```
-mkdir ${EPREFIX}/etc/portage/sets/
-ln -s  ${EPREFIX}/var/db/repos/eessi/etc/portage/sets/2020.08 ${EPREFIX}/etc/portage/sets/
-```
-
-Finally, install the package set(s) defined at `${EPREFIX}/etc/portage/sets/`, e.g.:
-```
-emerge @2020.08
-```
-
-### Updating the Prefix
-#### Packages
-Updating packages can be as easy as
-```
-emerge --sync
-emerge
-```
-If you run into problems, usually a newer ebuild is not suited to build in a prefix environment.
-Try to mask latest versions:
-
-Create a mask file if not existing and mask newer versions from thin provisioning tools greater or equal to 0.7.6:
-```
-echo ">=sys-block/thin-provisioning-tools-0.7.6" >> ${EPREFIX}/etc/portage/package.mask
-```
-
-#### Portage
-Updating Portage requires the kernel source which corresponds to your running kernel on the host. Emerge will detect it in `/usr/src/linux`.
-
-Check your running kernel version with:
-```
-cat /proc/version
-Linux version 4.20.0-1.el7.elrepo.x86_64 (mockbuild@Build64R7) 
-```
-
-On a Centos 7 host kernel sources are installed in `/usr/src/kernels`. Link `/usr/src/linux` to the appropiate kernel source after installation. Example for an `elrepo` kernel:
-```
-rpm -ivh kernel-ml-devel-4.20.0-1.el7.elrepo.x86_64.rpm
-cd /usr/src ; ln -s kernels/4.20.0-1.el7.elrepo.x86_64 linux
-```
-
- When ready update Portage from the Prefix environment:
-```
-startprefix
-emerge --oneshot sys-apps/portage
-```
+The installation of the compatibility layer is implemented with an Ansible playbook and Ansible role,
+which you can find in the `ansible` subdirectory. It will do the Gentoo Prefix bootstrap (which usually takes several hours to complete!),
+add a lot of EESSI configurations and customizations, install a bunch of packages that we require for EESSI, and finally it will
+run a ReFrame test suite to check the installation.
+
+To make the installation even easier, we provide a script `install_compatibility_layer.sh` that can be used on basically any host that has Apptainer installed,
+without requiring special privileges.
+The script will execute the Ansible playbook inside an Apptainer build container, ensuring that all dependencies (including Ansible itself) are available.
+In order to be able to write to `/cvmfs`, the container will bind mount a directory from the host as `/cvmfs` inside the container.
 
 # License
 

ansible/playbooks/README.md

@@ -14,7 +14,6 @@ all functionality for installing the EESSI compatibility layer. It performs the
  - install a given list of additional packages.
 
 The playbook `install.yml` will execute this role on a given server. 
-Note that if you want the role to install Gentoo Prefix, this particular task currently only supports Linux distributions based on RHEL 8 on the installation host.
 
 ## Configuration
 
@@ -29,9 +28,6 @@ Before running the playbook, make sure the following settings are correct, and o
 ### CVMFS settings
 | Variable | Description |
 | --- | --- |
-| cvmfs_start_transaction | Whether a CVMFS transaction should be start at the start |
-| cvmfs_publish_transaction | Whether a CVMFS transaction should be published at the end |
-| cvmfs_abort_transaction_on_failures | Whether a CVMFS transaction should be aborted on failures |
 | cvmfs_repository | Name of your CVMFS repository (used for the transaction) |
 
 ### Prefix and packages
@@ -48,8 +44,6 @@ Before running the playbook, make sure the following settings are correct, and o
 | prefix_bootstrap_use_flags | Contents of [package.use file](https://wiki.gentoo.org/wiki//etc/portage/package.use) to put in place after bootstrap stage 3 |
 | prefix_use_builtin_bootstrap | Use the container's built-in bootstrap script? |
 | prefix_custom_bootstrap_script | Dictionary with the `local` source and `remote` destination of the bootstrap script |
-| prefix_singularity_command | Singularity command for launching the container with the bootstrap script |
-| prefix_source | Singularity container path used for the Prefix installtion |
 | prefix_source_options | Arguments to be passed to the Prefix bootstrap script |
 | prefix_install | Prefix installation command |
 | prefix_locales | List of locales to be generated |

ansible/playbooks/install.yml

@@ -1,7 +1,7 @@
 # Playbook for installing the EESSI compatibility layer.
 ---
 - name: Install compatibility layer
-  hosts: cvmfsstratum0servers
+  hosts: localhost
   environment:
     PATH:
       "{{ gentoo_prefix_path }}/usr/sbin\
@@ -14,4 +14,3 @@
     LC_ALL: C
   roles:
     - compatibility_layer
-  become: true

ansible/playbooks/roles/compatibility_layer/defaults/main.yml

@@ -8,9 +8,6 @@ custom_overlays:
     url: https://github.com/EESSI/gentoo-overlay.git
     eclass-overrides: true
 
-cvmfs_start_transaction: false
-cvmfs_publish_transaction: false
-cvmfs_abort_transaction_on_failures: false
 cvmfs_repository: pilot.eessi-hpc.org
 
 gentoo_prefix_path: /cvmfs/{{ cvmfs_repository }}/versions/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}
@@ -41,12 +38,8 @@ prefix_use_builtin_bootstrap: false
 prefix_custom_bootstrap_script:
   local: "{{ playbook_dir }}/../../bootstrap-prefix.sh"
   remote: /tmp/bootstrap-prefix.sh
-prefix_singularity_command: "singularity exec -B {{ gentoo_prefix_path }}:{{ gentoo_prefix_path }}"
-prefix_source: "docker://ghcr.io/eessi/bootstrap-prefix:centos8"
 prefix_source_options: "{{ gentoo_prefix_path }} noninteractive"
 prefix_install: >-
-    SINGULARITYENV_USE_CPU_CORES={{ ansible_processor_vcpus }}
-    {{ prefix_singularity_command }} {{ prefix_source }}
     {{ prefix_use_builtin_bootstrap | ternary('/usr/local/bin/bootstrap-prefix.sh', prefix_custom_bootstrap_script.remote) }}
     {{ prefix_source_options }}
 

ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml

@@ -1,19 +1,5 @@
 # Add a custom overlay to the Gentoo Prefix installation.
 ---
-- name: Add portage user if missing
-  become: true
-  ansible.builtin.lineinfile:
-    path: /etc/passwd
-    regexp: portage
-    line: portage:x:250:250:portage:/var/tmp/portage:/bin/false
-
-- name: Add portage group if missing
-  become: true
-  ansible.builtin.lineinfile:
-    path: /etc/group
-    regexp: portage
-    line: portage::250:portage
-
 - name: Install equery command (dependency for the portage module)
   ansible.builtin.command:
     cmd: emerge gentoolkit

ansible/playbooks/roles/compatibility_layer/tasks/install_packages.yml

@@ -5,7 +5,6 @@
     package: "@{{ item }}"
     state: present
   with_items: "{{ package_sets }}"
-  become: false
   tags:
     - set
 
@@ -14,18 +13,3 @@
     package: "{{ item }}"
     state: present
   with_items: "{{ prefix_packages }}"
-  become: false
-
-- name: "Get the username running the deployment (not root)"
-  ansible.builtin.command: whoami
-  changed_when: false
-  become: false
-  register: username_on_host
-
-- name: "Fix permissions after installing as portage/root"
-  ansible.builtin.file:
-    owner: "{{ username_on_host.stdout }}"
-    group: "{{ username_on_host.stdout }}"
-    path: "{{ gentoo_prefix_path }}"
-    recurse: true
-  become: false

ansible/playbooks/roles/compatibility_layer/tasks/install_prefix.yml

@@ -1,46 +1,11 @@
 # Install Gentoo Prefix.
 ---
 
-- name: Fail if host OS is not supported
-  ansible.builtin.fail:
-    msg: |
-      Error: the operating system of the installation host is {{ ansible_os_family }} {{ ansible_distribution_version }}.
-      The task for installing Gentoo Prefix currently only supports Linux distributions based on RHEL 8.
-  when: not (ansible_os_family == "RedHat" and ansible_distribution_major_version is version("8", "=="))
-
-- name: "Install EPEL"
-  ansible.builtin.yum:
-    name:
-      - https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-    disable_gpg_check: true
-    state: present
-  tags:
-    - build_prefix
-
-- name: "Install other requirements (Singularity and git)"
-  ansible.builtin.yum:
-    name:
-      - singularity
-      - git
-    state: present
-  tags:
-    - build_prefix
-
-- name: "Get the username running the deployment (not root)"
-  ansible.builtin.shell: set -o pipefail && who | grep -v root | awk '{print $1}' | uniq
-  become: false
-  register: username_on_host
-  changed_when: true
-  tags:
-    - build_prefix
-
 - name: "Create Gentoo prefix path and log directory"
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
     recurse: true
-    owner: "{{ username_on_host.stdout }}"
-    group: "{{ username_on_host.stdout }}"
     mode: "0755"
   with_items:
     - "{{ gentoo_prefix_path }}"
@@ -180,15 +145,6 @@
   tags:
     - build_prefix
 
-- name: "Give build user recursive user and group ownership of {{ gentoo_prefix_path }}"
-  ansible.builtin.file:
-    dest: "{{ gentoo_prefix_path }}"
-    owner: "{{ username_on_host.stdout }}"
-    group: "{{ username_on_host.stdout }}"
-    recurse: true
-  tags:
-    - build_prefix
-
 - name: "Run Gentoo Prefix bootstrap stages 1-3 via {{ prefix_install }}"
   ansible.builtin.shell: set -o pipefail && ( {{ prefix_install }} | tee -a {{ prefix_build_log }} | grep -E '^(>>> Installing|\\* )' )
   become: false