[merged] compose: support adding external files

[giuseppe]

This will allow to copy arbitrary files into the rootfs, specifying something like:

"add-files": [["service.template", "/exports/service.template"],
["config.json.template", "/exports/config.json.template"]]

It is quite useful when building a container image.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

[cgwalters]

#96 is related here.

But there's multiples reasons I've hesitated on this until now. It's an obvious feature but the thing is, as soon as it's introduced, it breaks the default "skip if unchanged" logic we have now which understands just RPMs.

It means that anyone doing a build system now needs to know about both RPMs and files (presumably stored in git).

We'd then need to separate out the logic for "detect if RPM set is unchanged" from "detect if files are changed".

Or alternatively we could add the external files into the checksum? Or another approach - automatically synthesize a noarch RPM from them?

[cgwalters]

I've really struggled with this problem...convenience (aka Dockerfile) is nice, but accuracy and efficiency are important too.

Particularly since for the use case you're thinking of is Docker format, we could maybe merge together ostree export with another tarball? Something like:

rpm-ostree compose tree --touch-if-changed=changed.stamp foo.json
if test -f changed.stamp; then
  return
fi
ostree export mycontainer | tar -Af - config.template service.template | docker load

?

[cgwalters]

We already had the checksum/check-if-changed problem with postprocess-script btw.

[giuseppe]

Even if it can be used by Docker, my idea is to skip Docker completely and use directly an ostree commit for storing the container image.
I thought about creating a rpm with the additional files but wouldn't it make the .json file less clear?

My other doubt about having add-files is: how will this co-exists with the new container command? Should something like this end up in container assemble?

[giuseppe]

actually not, files under /exports will be deleted even if I add them through a .rpm: #233

I have added a new patch, that takes added-files into account for the cache.

Would something like this work?

[cgwalters]

See my comment in ostreedev/ostree#219 (comment) - this will also checksum uid/gid/xattrs, which is a bit weird since we'll be checksumming e.g. security.selinux on the host system, but on target may have a different one.

This does raise a general question about what the uid/gid for copied files should be. If for example rpm-ostree starts supporting non-root operation, we'd still want the target files to be owned by UID 0, not whatever UID was used to build the system.

[cgwalters]

I hadn't seen this updated PR before my comments in our standup today. It is looking like a good start. I don't want to block this, and it looks like it won't conflict too much with @jlebon 's work.

That said we don't have any tests yet either, and I'm worried about adding more features without those. I'll work some more on that.

[jlebon]

Definitely shouldn't be an issue to rebase pkg-layering on this.

[giuseppe]

I can add tests. I have not done it yet as this version was still a RFC

[giuseppe]

I added a fixup ⬆️ to use only the file content for the checksum. I added some tests as well

[giuseppe]

tests fixed now

[cgwalters]

Can you have the test also use --touch-if-changed and exercise the checksums?

[cgwalters]

I'd just delete this now.

[giuseppe]

I have added --touch-if-changed to the tests. How would you like to test the checksums? Modify the code to break if an environment variable is set?

[cgwalters]

I meant that we change one of the external files, verify that results in a new commit. And conversely that not changing the files shouldn't result in a new commit.

[giuseppe]

I have changed the patch to also test the file changed case ⬆️

[cgwalters]

Forgotten git add?

make[2]: *** No rule to make target 'tests/compose/exported_file', needed by 'all-am'.  Stop.

[giuseppe]

ops I forgot to git add the Makefile-tests.am file. Done now.

[cgwalters]

Unfortunately fixup! fixup! doesn't work, can you rebase/squash?

[cgwalters]

I still have a hesitation about this regarding overall philosophy (having components come purely as RPM vs Dockerfile like whatever you want), but it does have a high enough utility/size ratio that I think it's worth adding. Thanks for the patch!

@cgwalters-bot r+ 4ccea7b

[cgwalters-bot]

⌛ Testing commit 4ccea7b with merge caa4d27...

[cgwalters-bot]

💔 Test failed - status-atomicjenkins

[cgwalters]

This is rpm-software-management/libdnf#108

[jlebon]

Looks like it was merged, so it should probably work now.
@cgwalters-bot retry

[cgwalters-bot]

⌛ Testing commit 4ccea7b with merge 9f29b24...

[cgwalters-bot]

☀️ Test successful - status-atomicjenkins
Approved by: cgwalters
Pushing 9f29b24 to master...

[copumpkin]

@giuseppe @cgwalters A couple of thoughts (I'm not yet running a version that has this feature, but I find it appealing):

1. Why "The source file must be in the same directory as the treefile."? First off, doesn't the current state of the code allow for .. in the source path? Second, I have at least a couple of use cases for wanting an absolute path there.
2. Can the file copy happen before postprocess-script? My current strategy with postprocess-script is to use makeself to make the script carry a bunch of files with it, but this feels a little less hacky.

[giuseppe]

1. that was made to work in a similar way to Docker which uses the current directory as the context for the build. I think it is cleaner that allowing files not in the tree to be copied, as the build can be (more) easily reproduced.
2. the issue with that is then to decide what files will be kept. For example I would not be able to copy anything under /exports, as it would be wiped out by rpmostree_prepare_rootfs_for_commit. Not sure what would be the best solution for this. Probably add a new directive pre-copy-files that copies files before directories are moved around by rpmostree_prepare_rootfs_for_commit