✨ Move Earthly logic into Dockerfiles (#2008)
* Add framework files

and generate os-release

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Install provider and k3s

Plus clean at the end

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Fix os-release names

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Use no-base-image on Earthly as a first step

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Fix KAIROS_VERSION calculation

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Move logic for alpine

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Move logic for opensuse

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Lint

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Add debian & rhel

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Fix ubuntu arm generic

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Framework changes and luet versions

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* hadolint

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* yamllint

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* test building nvidia on pr

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* fix push

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* fix path

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* use quay

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* login quay

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* 🤦

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* define the nvidia jetson strategy in the ubuntu file

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Only run build of nvidia if dockerfile changed

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* same for all other steps

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* No need to push latest

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* process nvidia on master and release

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* remove no-base-image

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* extract kairos common & remove non-hwe

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* Remove Dockerfile.kairos-*

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* hadolint

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* forgot to remove this section on debian

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* move non-hwe to examples

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* feedback

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* add name generation for base-images

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* shoot

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* lint

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

* oops

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>

---------

Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>
mauromorales authored Nov 30, 2023
1 parent 631b7c7 commit 84f1eaa
Showing 24 changed files with 1,677 additions and 310 deletions.
4 changes: 2 additions & 2 deletions .earthlyignore
@@ -1,4 +1,4 @@
build/*iso
build/*
# this is created by the strat_vm_qemu.sh script
disk.img
*.img
*.raw
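Review bot: the comment `# this is created by the strat_vm_qemu.sh script` no longer describes the line below it; the pattern was widened from `disk.img` to `*.img` (and `build/*iso` to `build/*`), so the ignore now covers any image file and the whole build directory, not one file produced by that script. Update the comment to say that disk images, raw images and all build output are kept out of the Earthly context, or drop it.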
10 changes: 0 additions & 10 deletions .github/flavors.json
Expand Up @@ -338,15 +338,5 @@
"baseImage": "rockylinux:9",
"arch": "amd64",
"worker": "self-hosted"
},
{
"family": "nvidia",
"flavor": "ubuntu",
"flavorRelease": "20.04",
"variant": "core",
"model": "nvidia-jetson-agx-orin",
"baseImage": "ubuntu:20.04",
"arch": "arm64",
"worker": "fast"
}
]
4 changes: 2 additions & 2 deletions .github/workflows/image-arm-pr.yaml
Expand Up @@ -12,7 +12,7 @@ env:
FORCE_COLOR: 1

jobs:
docker:
opensuse:
uses: ./.github/workflows/reusable-docker-arm-build.yaml
with:
flavor: opensuse
Expand All @@ -21,7 +21,7 @@ jobs:
base_image: opensuse/leap:15.5
model: rpi4
worker: fast
docker-alpine:
alpine:
uses: ./.github/workflows/reusable-docker-arm-build.yaml
with:
flavor: alpine
77 changes: 77 additions & 0 deletions .github/workflows/image-arm.yaml
Expand Up @@ -57,6 +57,83 @@ jobs:
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
build-nvidia-base:
runs-on: fast
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v40
with:
files_yaml: |
nvidia:
- 'images/Dockerfile.nvidia'
- name: Release space from worker
if: steps.changed-files.outputs.nvidia_any_changed == 'true'
run: |
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
df -h
- name: Set up Docker Buildx
if: steps.changed-files.outputs.nvidia_any_changed == 'true'
id: buildx
uses: docker/setup-buildx-action@master
- name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
if: steps.changed-files.outputs.nvidia_any_changed == 'true'
run: |
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- name: Login to Quay Registry
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.changed-files.outputs.nvidia_any_changed == 'true' }}
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧 & Push 🚀
if: steps.changed-files.outputs.nvidia_any_changed == 'true'
run: |
export IMAGE=$(FAMILY=ubuntu FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" ./images/naming.sh container_artifact_base_name)
docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images
docker push $IMAGE
nvidia-arm-core:
needs: build-nvidia-base
uses: ./.github/workflows/reusable-docker-arm-build.yaml
with:
flavor: ubuntu
flavor_release: "20.04"
family: ubuntu
# is there a way to run the naming.sh script here?
base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-master
model: nvidia-jetson-agx-orin
worker: fast

build-arm-core:
uses: ./.github/workflows/reusable-docker-arm-build.yaml
secrets: inherit
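Review bot: the base image consumed by `nvidia-arm-core` is a hand-written mutable tag (`quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-master`) while the image pushed by `build-nvidia-base` is whatever `./images/naming.sh container_artifact_base_name` returns, so the two can drift apart silently, and the comment `# is there a way to run the naming.sh script here?` leaves that open. Answering it: have the build step write the computed name to `$GITHUB_OUTPUT`, declare it under `outputs:` on `build-nvidia-base`, and pass `${{ needs.build-nvidia-base.outputs.image }}` as `base_image`; publishing the digest too would let the consumer pin by `@sha256:...` instead of a tag that is overwritten on every master push. Related: when `images/Dockerfile.nvidia` is unchanged every build step in `build-nvidia-base` is skipped, yet `nvidia-arm-core` still pulls the tag, so a previously published image is reused with no check that it exists or matches this commit. The login is gated on a push to master but `Build 🔧 & Push 🚀` is gated only on the changed-files output, so any other run that touches the Dockerfile reaches `docker push` unauthenticated and fails. The job sets up Buildx but no QEMU/binfmt, so `docker build --platform=linux/arm64` only works if the `fast` runner is itself arm64 (the reusable workflow below does add `docker/setup-qemu-action`). Finally, `docker/setup-buildx-action@master` and `tj-actions/changed-files@v40` are mutable refs for third-party code that runs with the registry credentials in scope; pin them to commit SHAs.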
65 changes: 65 additions & 0 deletions .github/workflows/release-arm.yaml
Expand Up @@ -49,6 +49,71 @@ jobs:
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
build-nvidia-base:
runs-on: fast
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Release space from worker
if: steps.changed-files.outputs.nvidia_any_changed == 'true'
run: |
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
df -h
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
run: |
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Build 🔧 & Push 🚀
run: |
export IMAGE=$(FAMILY=ubuntu FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" BRANCH=release ./images/naming.sh container_artifact_base_name)
docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images
docker push $IMAGE
nvidia-arm-core:
uses: ./.github/workflows/reusable-docker-arm-build.yaml
with:
flavor: ubuntu
flavor_release: "20.04"
family: ubuntu
# is there a way to run the naming.sh script here?
base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-release
model: nvidia-jetson-agx-orin
worker: fast

build-arm-core:
runs-on: ${{ matrix.worker }}
needs:
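Review bot: `nvidia-arm-core` has no `needs: build-nvidia-base` here (the image-arm.yaml counterpart has it), so on a release it can start before, or concurrently with, the job that pushes `quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-release`, and will build the release on top of whatever that tag pointed to previously, or fail if it never existed; add the dependency. Second, `Release space from worker` is conditioned on `steps.changed-files.outputs.nvidia_any_changed == 'true'`, but this job has no `changed-files` step (the tj-actions step was not carried over), so the expression evaluates to an empty string and the cleanup never runs; for a release build just drop the condition. As in the other workflow, `BRANCH=release` and the consumer's tag are duplicated by hand; exposing the name from `naming.sh` as a job output removes the second copy.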
2 changes: 1 addition & 1 deletion .github/workflows/reusable-build-framework.yaml
Expand Up @@ -49,5 +49,5 @@ jobs:
# Push with earthly so it pushes the multi-arch properly
earthly --push +multi-build-framework-image --SECURITY_PROFILE=${{ inputs.security_profile }} --VERSION=master
# Fetch the RepoDigests for the mutli-arch image
docker pull "$ARTIFACT"
docker pull "$ARTIFACT"
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$ARTIFACT")
96 changes: 63 additions & 33 deletions .github/workflows/reusable-docker-arm-build.yaml
Expand Up @@ -68,26 +68,34 @@ jobs:
echo
sudo rm -rfv build || true
df -h
- name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
run: |
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Login to Quay Registry
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Install earthly
uses: Luet-lab/luet-install-action@v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Login to Quay Registry
if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Set compression for PR
if: ${{ github.event_name == 'pull_request' }}
run: |
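Review bot: removing `Block all traffic to metadata ip` from the head of the job (it reappears later, just before the build) widens the window in which the runner can reach 169.254.169.254: checkout, QEMU setup, the luet-based earthly install, cosign-installer, Buildx setup and the registry login now all run before the iptables rules exist, and none of them needs the metadata endpoint. Keep the block as the very first step, before checkout, so that no third-party action code runs while IMDS credentials are reachable. Replacing the `echo ${{ secrets.QUAY_PASSWORD }} | docker login` pipe with `docker/login-action@v3` is a good change; the same hunk still references `docker/setup-qemu-action@master`, `docker/setup-buildx-action@master` and `sigstore/cosign-installer@main`, which are floating branch refs, so pin them to commit SHAs like the versioned actions.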
Expand All @@ -96,31 +104,66 @@ jobs:
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
run: |
echo "IMG_COMPRESSION=xz" >> $GITHUB_ENV
- name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines
run: |
sudo iptables -I INPUT -s 169.254.169.254 -j DROP
sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
- name: Build 🔧
run: |
earthly --allow-privileged +all-arm \
--FAMILY=${{ inputs.family }} \
earthly -P +all-arm \
--VARIANT=core \
--MODEL=${{ inputs.model }} \
--FLAVOR=${{ inputs.flavor }} \
--FLAVOR_RELEASE=${{ inputs.flavor_release }} \
--FAMILY=${{ inputs.family }} \
--BASE_IMAGE=${{ inputs.base_image }} \
--MODEL=${{ inputs.model }} \
--VARIANT=core \
--IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
- name: Show img sizes
run: |
ls -ltra build
ls -ltrh build
- name: Convert all json files into a reports.tar.gz file
if: startsWith(github.ref, 'refs/tags/v')
run: |
export VERSION=$(cat build/VERSION)
cd build
filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json}
sudo tar cvf "$(unknown)-scan-reports.tar.gz" *.json
- name: Push 🔧
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
if: startsWith(github.ref, 'refs/tags/v')
run: |
docker push $(cat build/IMAGE)
- name: Sign image
if: startsWith(github.ref, 'refs/tags/v')
env:
COSIGN_YES: true
run: |
export IMAGE=$(cat build/IMAGE)
docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
- name: Upload Image
if: startsWith(github.ref, 'refs/tags/v')
run: |
curl https://luet.io/install.sh | sudo sh
IMAGE=$(cat build/IMAGE | sed 's/$/-img/')
sudo tar cvf build.tar build
sudo luet util pack $IMAGE build.tar image.tar
sudo -E docker load -i image.tar
sudo -E docker push "$IMAGE"
sudo rm -rf build/IMAGE build/VERSION
- name: Release
if: startsWith(github.ref, 'refs/tags/v')
uses: softprops/action-gh-release@v1
with:
files: |
build/*scan-reports.tar.gz
- name: Prepare sarif files 🔧
if: startsWith(github.ref, 'refs/tags/v')
run: |
export _IMG=$(cat build/IMAGE)
export _NEW_IMG=$(echo $_IMG | cut -f1 -d:):latest
docker tag $_IMG $_NEW_IMG
docker push $_NEW_IMG
mkdir sarif
sudo mv build/*.sarif sarif/
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: startsWith(github.ref, 'refs/tags/v')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
- name: Prepare sarif files 🔧
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
run: |
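Review bot: the tag-gated `Upload Trivy scan results to GitHub Security tab` step sets `category: ${{ matrix.flavor }}`, but this is a reusable workflow driven by `inputs`, not a matrix job, so the category expands to an empty string and every flavor's SARIF lands in the same default category; use `${{ inputs.flavor }}` as the master-branch upload further down already does. In `Upload Image`, `curl https://luet.io/install.sh | sudo sh` runs even though luet was already installed earlier in this job through `Luet-lab/luet-install-action`; an unpinned curl-to-root-shell in the step that then pushes release artifacts to quay.io is avoidable supply-chain exposure, so drop the curl line and reuse the installed binary. In `Convert all json files into a reports.tar.gz file`, `filename` is computed but the archive is then named `"$(unknown)-scan-reports.tar.gz"`; if that is really what the file contains, `unknown` is not a command and the archive never carries the flavor name, and `${filename}-scan-reports.tar.gz` was presumably intended. Lastly, `Prepare sarif files 🔧` on a tag also retags the image as `:latest` and pushes it, which is unrelated to SARIF and sits oddly next to the commit's `No need to push latest`; if `latest` should still move on releases, give that its own clearly named step.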
Expand All @@ -132,21 +175,8 @@ jobs:
with:
sarif_file: 'sarif'
category: ${{ inputs.flavor }}
- name: Sign image
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
run: |
# Avoid pushing a new image for every commit (re-use latest)
export _IMG=$(cat build/IMAGE)
export _LATEST=$(echo $_IMG | cut -f1 -d:):latest
docker push $_LATEST
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$_LATEST")
spdx=$(ls build/*.spdx.json)
cosign attach sbom --sbom $spdx $image_ref
cosign sign -y $image_ref --attachment sbom
# in-toto attestation
cosign attest -y --type spdx --predicate $spdx $image_ref
- name: Upload results
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor != 'ubuntu-20-lts-arm-nvidia-jetson-agx-orin' }}
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }}
uses: actions/upload-artifact@v3
with:
name: ${{ inputs.flavor }}-image
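Review bot: dropping the master-branch `Sign image` step also drops the SBOM attachment and the in-toto attestation (`cosign attach sbom`, `cosign sign -y $image_ref --attachment sbom`, `cosign attest -y --type spdx`); the tag-gated `Sign image` step that remains in this file only runs `cosign sign` on the image digest, so released arm images will no longer carry a signed SPDX SBOM or an SPDX attestation. If signing is meant to happen only on tags, port those three commands into the tag-gated step (assuming the build still emits the `build/*.spdx.json` file the removed step consumed) rather than losing them. The change of the `Upload results` condition from the old flavor-name string to `inputs.model != 'nvidia-jetson-agx-orin'` is correct now that the flavor is plain `ubuntu` and the model carries the distinction.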
2 changes: 2 additions & 0 deletions .hadolint.yaml
Expand Up @@ -17,4 +17,6 @@ override:
# warning: Use WORKDIR to switch to a directory
# Reason: Sometimes we don't want to change the workdir
- DL3003
# Do not use --platform= with FROM. https://github.com/hadolint/hadolint/wiki/DL3029
- DL3029
failure-threshold: warning
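Review bot: the new DL3029 entry has no `# Reason:` line, unlike the DL3003 entry just above it, so a reader cannot tell which Dockerfiles rely on `--platform` in `FROM` or whether the override can be narrowed later. Record the reason next to the rule, or prefer an inline `# hadolint ignore=DL3029` on the specific `FROM` lines that need it instead of disabling the check repository-wide, since DL3029 is exactly the warning that catches a hard-coded platform breaking a multi-arch build.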