build RHCOS as an OCI image #27779

Merged
openshift-merge-robot merged 2 commits into openshift:master from cheesesashimi:zzlotnik/build-rhcos-image-as-image
May 18, 2022

@cheesesashimi
Member

@cheesesashimi cheesesashimi commented Apr 12, 2022

This PR enables us to build RHCOS as a container image and take advantage of OpenShift CI's container-based workflow.

There are two key things which make this possible:

  1. The OpenShift Image Builder allows one to place a file from a previously built container into the build context for another container using inputs.
  2. Buildah supports multiple image transports, including oci-archive which allows one to write a Containerfile which points to an OCI archive on disk, e.g., FROM oci-archive:/path/to/oci/archive.

How this works is:

  1. COSA (coreos-assembler) runs within a container build context and creates an OCI archive, which is baked into the built image (cosa-build). Naturally, this OCI archive baked into another image is not very useful.
  2. The OCI archive is extracted from the cosa-build image and placed someplace where we can easily import it (cosa-oci-archive)
  3. We use the cosa-oci-archive image as an input to machine-os-oci-context. This reads the OCI image from the build context and uses it to build a new image. Since all we do is FROM oci-archive:/path/to/oci/archive, this performs a very basic image build and pushes the final image to the ephemeral CI ImageStream for further consumption.
  4. The tests make use of the cosa-build image because it has the full COSA build context contained within it. However, we can now shard the tests, which allows the suite to run concurrently and offers additional control over which tests should be executed / retried / etc.

For now, the periodic tests are duplicates of the PR builds and are configured to push images to the rhcos-devel namespace, whereas PR builds will not produce an artifact. Additionally, it was discovered that we were unintentionally mirroring the build-test-qemu-img via the core-services/image-mirroring/openshift/mapping_origin_4_11 file. A future TODO is to enable the PR builds to layer OS content on top of the nightly-built images which should dramatically reduce the total build / test time for PRs. This would likely require additional work within COSA to facilitate.

A more complete braindump of how this works as well as caveats / pitfalls encountered along the way is in progress here: openshift/os#780
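The pipeline described above hands an OCI archive from one build to the next and then consumes it with FROM oci-archive:. The following is an added example, not part of this PR or of openshift/release, of an integrity check that could run on such an archive before it is consumed. The function names verify_oci_archive and build_sample_archive are hypothetical, the sample archive is constructed in memory, and the check assumes single-image manifests with sha256 digests (nested indexes are not followed).

```python
import hashlib, io, json, posixpath, tarfile

def build_sample_archive(tamper=False):
    """Constructed sample: a minimal one-layer OCI archive built in memory."""
    files = {"oci-layout": b'{"imageLayoutVersion": "1.0.0"}'}
    def put(data):
        hexd = hashlib.sha256(data).hexdigest()
        files["blobs/sha256/" + hexd] = data
        return {"digest": "sha256:" + hexd, "size": len(data)}
    layer = put(b"constructed layer bytes")
    config = put(b'{"architecture": "amd64", "os": "linux"}')
    manifest = put(json.dumps({"schemaVersion": 2, "config": config, "layers": [layer]}).encode())
    files["index.json"] = json.dumps({"schemaVersion": 2, "manifests": [manifest]}).encode()
    if tamper:  # swap the layer content after its digest was recorded (same size)
        files["blobs/sha256/" + layer["digest"][7:]] = b"constructed layer bytez"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_oci_archive(archive_bytes):
    """Return a list of problems; an empty list means every referenced blob checks out."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        files = {posixpath.normpath(m.name): tar.extractfile(m).read() for m in tar if m.isfile()}
    problems = []
    if json.loads(files.get("oci-layout", b"{}")).get("imageLayoutVersion") != "1.0.0":
        problems.append("missing or unsupported oci-layout")
    def check(desc):  # returns the blob bytes only if name, size and content all agree
        algo, _, hexd = desc["digest"].partition(":")
        data = files.get(f"blobs/{algo}/{hexd}")
        if algo != "sha256" or data is None:
            problems.append(f"missing or unsupported blob: {desc['digest']}")
        elif len(data) != desc["size"] or hashlib.sha256(data).hexdigest() != hexd:
            problems.append(f"digest/size mismatch: {desc['digest']}")
        else:
            return data
    manifests = json.loads(files.get("index.json", b"{}")).get("manifests", [])
    if not manifests:
        problems.append("index.json lists no manifests")
    for mdesc in manifests:
        raw = check(mdesc)
        if raw is not None:  # only parse a manifest whose own digest verified
            manifest = json.loads(raw)
            for desc in [manifest["config"], *manifest["layers"]]:
                check(desc)
    return problems
```
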

@openshift-ci
Contributor

openshift-ci Bot commented Apr 12, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 12, 2022
@openshift-ci openshift-ci Bot requested review from ashcrow and saqibali-2k April 12, 2022 21:01
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch 9 times, most recently from ac40a56 to a8984d0 Compare April 14, 2022 15:32
@sohankunkerkar
Member

/retest

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 18, 2022
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch from c7c11df to 617891e Compare April 18, 2022 18:12
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 18, 2022
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch 2 times, most recently from ed0a370 to b217755 Compare April 19, 2022 14:43
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 25, 2022
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch from 1b85152 to 2abe1a4 Compare May 2, 2022 15:40
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 2, 2022
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch from 965c9cf to 72dba36 Compare May 2, 2022 16:05
@cheesesashimi cheesesashimi marked this pull request as ready for review May 2, 2022 16:17
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2022
@openshift-ci openshift-ci Bot requested review from prestist and sohankunkerkar May 2, 2022 16:17
@cheesesashimi
Member Author

/assign cgwalters

Member

@cgwalters cgwalters May 2, 2022

I think since we know we have passwordless sudo enabled in the cosa container this could also just be a && sudo chgrp -Rf root ... or so attached to the previous RUN invocation?

But good to know we're squashing anyways.

@openshift-bot
Contributor

/retest-required

Please review the full test history for this PR and help us cut down flakes.

3 similar comments

@cheesesashimi
Member Author

/test build05-dry

@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch from 72dba36 to 23d4284 Compare May 3, 2022 14:36
@openshift-ci openshift-ci Bot removed lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 3, 2022
@cheesesashimi cheesesashimi changed the title try building RHCOS as an OCI image build RHCOS as an OCI image May 3, 2022
@cgwalters
Member

/approve

@cheesesashimi
Member Author

/assign @bparees

Context for approval: While setting up the PR builds, I was somewhat surprised to see that we were promoting and mirroring the build-test-qemu-img. This is an intermediate image used for this build and not very useful outside of that context, so I'm not sure why it was being mirrored to Quay, especially since the config used the .promotion.excluded_images[0] = '*' convention. For the time being, I've explicitly disabled image promotion for PR builds (.promotion.disabled = true), which removed the entry from the core-services/image-mirroring/openshift/mapping_origin_4_11 file, hence the need for approval. I'm happy to answer any further questions!

@bparees
Contributor

bparees commented May 4, 2022

approving removal of the mirroring config for this image, thanks for the explanation!

/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2022
@cheesesashimi cheesesashimi force-pushed the zzlotnik/build-rhcos-image-as-image branch from 23d4284 to 83f07d2 Compare May 17, 2022 19:22
@openshift-ci
Contributor

openshift-ci Bot commented May 17, 2022

@cheesesashimi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/rehearse/openshift/os/master/validate-image-build | 2e70ac270b8ecadfb121046ceb3c6747fca9d4b7 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/test-qemu | 66d1b4e8434224faca999724ca56392831f16574 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/validate-user-id | b217755e24f62857a84e6bace9c7d1f64e0f6c41 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/test-qemu-kola-upgrade | 1b85152c634b5da2dd82f2edb536cac30d748c62 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/test-qemu-nvme | 1b85152c634b5da2dd82f2edb536cac30d748c62 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/test-qemu-kola | 1b85152c634b5da2dd82f2edb536cac30d748c62 | link | unknown | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-qemu-kola-upgrade | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/prow/pj-rehearse | 83f07d2 | link | false | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-qemu-metal | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/validate | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-qemu-firmware-uefi | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/periodic-images | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-qemu-nvme | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-in-cluster | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/images | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/periodic-ci-openshift-os-master-periodic-test-qemu-kola | 83f07d2 | link | unknown | /test pj-rehearse |
| ci/rehearse/openshift/os/master/test-in-cluster | 83f07d2 | link | unknown | /test pj-rehearse |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@miabbott
Member

@cheesesashimi Thank you for doing this and wiring it all together! The comments are immensely useful for understanding how this is pieced together. Let's see it in action!

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 18, 2022
@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, cgwalters, cheesesashimi, miabbott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit b0e94fd into openshift:master May 18, 2022
@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2022

@cheesesashimi: Updated the following 5 configmaps:

  • job-config-master-postsubmits configmap in namespace ci at cluster app.ci using the following files:
    • key openshift-os-master-postsubmits.yaml using file ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml
  • job-config-master-presubmits configmap in namespace ci at cluster app.ci using the following files:
    • key openshift-os-master-presubmits.yaml using file ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml
  • image-mirror-mappings configmap in namespace ci at cluster app.ci using the following files:
    • key mapping_origin_4_11 using file core-services/image-mirroring/openshift/mapping_origin_4_11
  • ci-operator-master-configs configmap in namespace ci at cluster app.ci using the following files:
    • key openshift-os-master.yaml using file ci-operator/config/openshift/os/openshift-os-master.yaml
    • key openshift-os-master__periodic.yaml using file ci-operator/config/openshift/os/openshift-os-master__periodic.yaml
  • job-config-master-periodics configmap in namespace ci at cluster app.ci using the following files:
    • key openshift-os-master-periodics.yaml using file ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml
miabbott added a commit to miabbott/os that referenced this pull request May 23, 2022
The introduction of new Prow periodic jobs (openshift/release#27779)
means we have to keep the `prow-build.sh` and
`prow-build-test-qemu.sh` scripts in sync, with regards to fetching
the repo configs.

This brings `prow-build.sh` in sync with the changes from openshift#796.

Closes openshift#801
miabbott added a commit to miabbott/os that referenced this pull request May 25, 2022
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/os that referenced this pull request Jun 3, 2022