From 4e3d0aeb7015535b1aa25c477f747bc19e96d4ce Mon Sep 17 00:00:00 2001 From: mkosiarc Date: Thu, 15 Aug 2024 17:08:35 +0200 Subject: [PATCH] Replace grep base images parsing with dockerfile-json This is more reliable and allow us to fix bugs where base images were loaded incorrectly. For example, previously this part in Dockerfile: LABEL description="this is a build \ from single-arch" Would return "single-arch" as a base image. Using dockerfile-json also solves the problem of omitting "scratch" from the results. Another advantage is that when we have something such as: FROM registry.access.redhat.com/ubi9/ubi:latest as builder ... FROM builder AS build1 then only the original image "registry.access.redhat.com/ubi9/ubi:latest" will be reported. KFLUXBUGS-1269 Signed-off-by: mkosiarc --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 12 ++++-------- .../0.2/buildah-remote-oci-ta.yaml | 14 +++++--------- task/buildah-remote/0.2/buildah-remote.yaml | 14 +++++--------- task/buildah/0.2/buildah.yaml | 12 ++++-------- 4 files changed, 18 insertions(+), 34 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index e9958b4961..89e9cac93b 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -222,7 +222,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + image: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 args: - $(params.BUILD_ARGS[*]) workingDir: /var/workdir 
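Review bot: The `build` step image in the `@@ -222,7` hunk loses its digest pin: the old reference carried `@sha256:5d93…`, while the new one ends in the tag `on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5` with no digest. A tag can be re-pushed, so the step that builds the image and records base-image digests for the SBOM would run whatever the tag resolves to at pull time. The repository path and `on-pr-` prefix suggest a pull-request build rather than a released image, though that is inferred from the name only. I would keep the pin, e.g. `image: quay.io/…/buildah-task:on-pr-975a99f…@sha256:<digest-of-new-image>`, or wait for the released `quay.io/konflux-ci/buildah-task` digest that contains `dockerfile-json`. The same applies to the `image:` and `BUILDER_IMAGE` lines changed in the buildah-remote-oci-ta, buildah-remote and buildah hunks.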
@@ -288,14 +288,12 @@ spec: BUILDAH_ARGS=() - BASE_IMAGES=$(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}' | (grep -v ^oci-archive: || true)) + BASE_IMAGES=$(dockerfile-json "$dockerfile_path" | jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName') if [ "${HERMETIC}" == "true" ]; then BUILDAH_ARGS+=("--pull=never") UNSHARE_ARGS="--net" for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image done echo "Build will be executed with network isolation" fi @@ -413,9 +411,7 @@ spec: touch /shared/base_images_digests for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests - fi + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests done # Needed to generate base images SBOM diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index e46c8c5935..1fee844284 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -191,7 +191,7 @@ spec: - name: YUM_REPOS_D_TARGET value: $(params.YUM_REPOS_D_TARGET) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + value: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 - name: PLATFORM value: $(params.PLATFORM) - name: IMAGE_APPEND_PLATFORM 
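Review bot: The new `BASE_IMAGES` line in the `@@ -288,14` hunk no longer drops `oci-archive:` references, which the removed `grep -v ^oci-archive:` did. The jq filter excludes only stage and scratch bases, so such a `FROM` would presumably now reach `buildah pull $image` in the hermetic branch and the `--filter reference="$image"` loop in the following hunk. If that is not intended, the exclusion can stay in jq by appending `| select(startswith("oci-archive:") | not)` after `.BaseName`. Separately, if `dockerfile-json` fails, `jq` may still exit 0 on empty input, leaving `BASE_IMAGES` empty so that nothing is pre-pulled or written to `/shared/base_images_digests`; whether `set -o pipefail` is active cannot be seen here because the script header lies outside the hunk. The same line appears in the buildah-remote-oci-ta, buildah-remote and buildah hunks.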
@@ -221,7 +221,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + image: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 name: build script: |- #!/bin/bash @@ -323,14 +323,12 @@ spec: BUILDAH_ARGS=() - BASE_IMAGES=$(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}' | (grep -v ^oci-archive: || true)) + BASE_IMAGES=$(dockerfile-json "$dockerfile_path" | jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName') if [ "${HERMETIC}" == "true" ]; then BUILDAH_ARGS+=("--pull=never") UNSHARE_ARGS="--net" for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image done echo "Build will be executed with network isolation" fi @@ -448,9 +446,7 @@ spec: touch /shared/base_images_digests for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests - fi + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests done # Needed to generate base images SBOM diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 05562e787a..6196d19592 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
@@ -182,7 +182,7 @@ spec: - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: BUILDER_IMAGE - value: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + value: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 - name: PLATFORM value: $(params.PLATFORM) - name: IMAGE_APPEND_PLATFORM @@ -203,7 +203,7 @@ spec: env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + image: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 name: build script: |- #!/bin/bash @@ -305,14 +305,12 @@ spec: BUILDAH_ARGS=() - BASE_IMAGES=$(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}' | (grep -v ^oci-archive: || true)) + BASE_IMAGES=$(dockerfile-json "$dockerfile_path" | jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName') if [ "${HERMETIC}" == "true" ]; then BUILDAH_ARGS+=("--pull=never") UNSHARE_ARGS="--net" for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image done echo "Build will be executed with network isolation" fi @@ -430,9 +428,7 @@ spec: touch /shared/base_images_digests for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests - fi + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests done # Needed to generate base images SBOM 
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index a5793f3325..a40e67c98f 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -164,7 +164,7 @@ spec: value: $(params.SKIP_UNUSED_STAGES) steps: - - image: quay.io/konflux-ci/buildah-task:latest@sha256:5d933087a49a6e0b959b9a9fa5a91d545380217e565d7be7cc74a9588f64c314 + - image: quay.io/redhat-user-workloads/rhtap-build-tenant/buildah-container/buildah-task:on-pr-975a99f3a66987703e5d5c08f3f2a049165f71e5 name: build computeResources: limits: @@ -225,14 +225,12 @@ spec: BUILDAH_ARGS=() - BASE_IMAGES=$(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}' | (grep -v ^oci-archive: || true)) + BASE_IMAGES=$(dockerfile-json "$dockerfile_path" | jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName') if [ "${HERMETIC}" == "true" ]; then BUILDAH_ARGS+=("--pull=never") UNSHARE_ARGS="--net" for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image done echo "Build will be executed with network isolation" fi @@ -350,9 +348,7 @@ spec: touch /shared/base_images_digests for image in $BASE_IMAGES; do - if [ "${image}" != "scratch" ]; then - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests - fi + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests done # Needed to generate base images SBOM