From 58096f43aa1db56d16ff393f074e7496499cc113 Mon Sep 17 00:00:00 2001
From: Zack Zlotnik
Date: Tue, 5 Jul 2022 11:50:53 -0400
Subject: [PATCH] ci-operator/openshift/os: Re-enable nightly RHCOS builds Only build the machine-os-content container image and push it to the rhcos-devel namespace. Revert and improve on: - 4fcb704f4f ci-operator/openshift/os: 4.11: Remove unused periodic jobs
---
.../os/openshift-os-master__periodic.yaml | 136 ++++++++++++++++++
.../os/openshift-os-master-periodics.yaml | 50 +++++++
.../os/openshift-os-master-postsubmits.yaml | 57 ++++++++
.../os/openshift-os-master-presubmits.yaml | 52 +++++++
4 files changed, 295 insertions(+)
create mode 100644 ci-operator/config/openshift/os/openshift-os-master__periodic.yaml
create mode 100644 ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml
diff --git a/ci-operator/config/openshift/os/openshift-os-master__periodic.yaml b/ci-operator/config/openshift/os/openshift-os-master__periodic.yaml
new file mode 100644
index 0000000000000..075968923532d
--- /dev/null
+++ b/ci-operator/config/openshift/os/openshift-os-master__periodic.yaml
@@ -0,0 +1,136 @@
+base_images:
+ coreos_coreos-assembler_latest:
+ name: coreos-assembler
+ namespace: coreos
+ tag: latest
+build_root:
+ image_stream_tag:
+ name: fcos-buildroot
+ namespace: coreos
+ tag: testing-devel
+images:
+- dockerfile_literal: |
+ # Container image that has COSA + source code
+ FROM registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+ WORKDIR /src
+ # Tell the build scripts that we have setup a directory for unprivileged build
+ ENV COSA_DIR=/tmp/cosa
+ RUN mkdir -p "${COSA_DIR}"
+ # Prow doesn't support emptydir for jobs today
+ ENV COSA_SKIP_OVERLAY=1
+ # Copy the source code
+ COPY . .
+ # Setup ownership for /src & $COSA_DIR. This is required for:
+ # - Builds that run during the build phase under the builder user
+ # - Builds that run during test jobs under a random non root user but with
+ # the root group.
+ USER root
+ RUN chgrp -Rf root "${COSA_DIR}" && \
+ chmod -Rf g+w "${COSA_DIR}" && \
+ chown -R builder:builder /src && \
+ chmod -R a+rX /src
+ # Go back to unprivileged user for COSA
+ USER builder
+ WORKDIR /tmp/cosa
+ inputs:
+ coreos_coreos-assembler_latest:
+ as:
+ - registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+ to: build-image
+- dockerfile_literal: |
+ # Container image used to build RHCOS in Prow build step to be able to push
+ # it and use it as a native container image for other jobs in Prow CI.
+ #
+ # This stage thus builds the RHCOS OCI image just like the test jobs do
+ # before the tests. However, due to limitations within OpenShift CI, we
+ # need to do the following:
+ # 1. Disable KVM by using the COSA_NO_KVM env var. This is due to OpenShift
+ # CI using the default OpenShift Docker Build strategy, which precludes us
+ # from mounting /dev/kvm into the build context.
+ # 2. Due to a limitation in the version of Buildah that OpenShift Builds
+ # uses (at the time of this writing, it uses a v1.23.z version of Buildah),
+ # we cannot mount the build context into the container build (e.g., `RUN
+ # --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared
+ # `), which would allow it to mutate the build context. This is due to
+ # https://github.com/containers/buildah/pull/3548 not being present.
+ # For now, this necessitates passing this image into the cosa-build image
+ # build below to extract the OCI archive and inject it into the
+ # ImageStream. However, once the OpenShift CI system is upgraded to use
+ # OpenShift 4.11, we can create the RHCOS image in a single shot via this
+ # stage.
+ FROM build-image:latest as base
+ ENV COSA_NO_KVM=1
+ # TODO: Remove me once https://github.com/openshift/os/pull/882 is merged
+ ENV RHELVER="rhel-8.6"
+ # We need to reduce the size of this image because we can run out of space
+ # on the underlying volume when the layer is committed. All we care about
+ # is the rhcos.x86_64.ociarchive file.
+ # 1. Run only the ostree build step
+ # 2. Keep only the OCI archive
+ # 3. Clean-up the cache
+ RUN /src/ci/prow-entrypoint.sh build && \
+ /src/ci/simplify-ociarchive-path.sh && \
+ mv /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive && \
+ rm -rf /tmp/cosa/builds /tmp/cosa/cache
+
+ # We don't need the rest of the build-image container, so we copy the OCI
+ # archive into its own scratch image in preparation for extraction.
+ FROM scratch
+ COPY --from=base /tmp/cosa/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive
+ inputs:
+ build-image:
+ as:
+ - build-image:latest
+ to: oci-archive
+- dockerfile_literal: |
+ # This extracts the OCI archive from the oci-archive image, injects it into
+ # the build context, and then uses that OCI archive as this image.
+ # This makes use of the following:
+ # - OpenShift Image Builds allows one to pass in a path from another
+ # container image. It places this under /tmp/build/inputs/. See:
+ # https://github.com/openshift/builder/blob/37525a77fa07e26c420962dee47193d672ef0b35/pkg/build/builder/common.go#L72
+ # - Buildah allows one to use oci-archive as a transport. See:
+ # https://www.redhat.com/sysadmin/7-transports-features
+ # - Utilizing the above features in concert with one another and using an
+ # absolute path to refer to the OCI archive in the build context allows us
+ # to "import" the OCI archive into the CI ImageStream.
+ FROM oci-archive:/tmp/build/inputs/magic/cosa/rhcos.x86_64.ociarchive
+ inputs:
+ oci-archive:
+ paths:
+ - destination_dir: magic
+ source_path: /tmp/cosa
+ to: machine-os-oci-content
+promotion:
+ additional_images:
+ rhel-coreos: machine-os-oci-content
+ excluded_images:
+ - '*'
+ namespace: rhcos-devel
+ tag: latest
+releases:
+ initial:
+ integration:
+ name: "4.12"
+ namespace: ocp
+ latest:
+ integration:
+ include_built_images: true
+ name: "4.12"
+ namespace: ocp
+resources:
+ '*':
+ requests:
+ cpu: 2000m
+ memory: 4Gi
+tests:
+- as: validate-machine-os-oci-image
+ commands: cat /etc/os-release
+ container:
+ from: machine-os-oci-content
+ cron: '@daily'
+zz_generated_metadata:
+ branch: master
+ org: openshift
+ repo: os
+ variant: periodic
diff --git a/ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml b/ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml
new file mode 100644
index 0000000000000..5202a1358caad
--- /dev/null
+++ b/ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml
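Review bot: The `promotion:` stanza near the end of openshift-os-master__periodic.yaml publishes `machine-os-oci-content` as `rhel-coreos` to `rhcos-devel:latest`, but nothing in this config gates that push on a check of the image. The only test, `validate-machine-os-oci-image`, is a separate `@daily` target that runs `cat /etc/os-release`, and the generated jobs in the same patch put `--promote` on the postsubmit (`--target=[images]`, `--target=machine-os-oci-content`) rather than on the cron job. As far as these hunks show, the tag consumers pull is therefore refreshed on merges to master rather than nightly, from an image built on the floating `coreos-assembler:latest` and `fcos-buildroot:testing-devel` inputs, and the validation never runs against what is pushed. I would say so above the stanza, e.g. `# Promoted by the postsubmit on merge to master; the @daily test only validates and does not push.`, and have the test assert something about the build (an expected `ID`/`VERSION_ID` in os-release, for instance) instead of only printing the file.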
@@ -0,0 +1,50 @@ +periodics: +- agent: kubernetes + cluster: build01 + cron: 38 0 * * * + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: os + labels: + ci-operator.openshift.io/variant: periodic + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-os-master-periodic-validate-machine-os-oci-image + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=validate-machine-os-oci-image + - --variant=periodic + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml b/ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml index e6d2c29dcf552..b0a50cac2ff08 100644 --- a/ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml +++ b/ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml 
@@ -54,3 +54,60 @@ postsubmits: - name: result-aggregator secret: secretName: result-aggregator + - agent: kubernetes + always_run: true + branches: + - ^master$ + cluster: build03 + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/is-promotion: "true" + ci-operator.openshift.io/variant: periodic + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-os-master-periodic-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson + - --promote + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --target=machine-os-oci-content + - --variant=periodic + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/push-secret + name: push-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: push-secret + secret: + secretName: registry-push-credentials-ci-central + - name: result-aggregator + secret: + secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml b/ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml index 761e24e37d374..d3fc308209088 100644 --- a/ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml +++ b/ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml 
@@ -50,6 +50,58 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^master$ + - ^master- + cluster: build03 + context: ci/prow/periodic-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: periodic + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-os-master-periodic-images + rerun_command: /test periodic-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --target=machine-os-oci-content + - --variant=periodic + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )periodic-images,?($|\s.*) - agent: kubernetes always_run: false branches: