Use podman for container image builds

Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
saschagrunert · Jun 22, 2019 · afc7114 · afc7114
1 parent 125e9b8
commit afc7114
Show file tree

Hide file tree

Showing 11 changed files with 57 additions and 29 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,10 +8,6 @@ executors:
   performabot-build:
     docker:
       - image: saschagrunert/performabot-build
-  machine:
-    machine:
-      docker_layer_caching: true
-      image: ubuntu-1604:201903-01
 
 workflows:
   version: 2
@@ -141,25 +137,33 @@ jobs:
             git push -f origin gh-pages
 
   image:
-    executor: machine
+    executor: container
     parameters:
       target:
         type: string
     steps:
+      - <<: *prepare-env
       - checkout
       - attach_workspace:
           at: .
       - run:
-          name: create container image
-          command: make image-<< parameters.target >> CONTAINER_RUNTIME=docker
-      - run:
-          name: save container image
+          name: setup container policy
           command: |
-            docker save -o image-<< parameters.target >>.tar \
-              performabot-<< parameters.target >>
+            mkdir -p /etc/containers
+            cp hack/policy.json /etc/containers
+      - restore_cache:
+          keys:
+            - v1-image-{{ checksum "nix/nixpkgs.json" }}
+      - run:
+          name: create container image
+          command: make image-<< parameters.target >>
+      - save_cache:
+          key: v1-image-{{ checksum "nix/nixpkgs.json" }}
+          paths:
+            - /nix
       - store_artifacts:
-          path: image-<< parameters.target >>.tar
-          destination: image-<< parameters.target >>.tar
+          path: build/image-<< parameters.target >>.tar
+          destination: build/image-<< parameters.target >>.tar
 
   lint:
     executor: container

diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 *.orig
 *.sqlite3*
+*.tar
 *.tix
 .ghc.environment.*
 .sass-cache

diff --git a/Makefile b/Makefile
@@ -3,7 +3,6 @@ GLOB_SCSS := config/bulma.scss
 BULMA_DIR := $(BUILD_DIR)/bulma
 BULMA_TAG := 0.7.5
 BULMA_URL := https://github.com/jgthms/bulma
-CONTAINER_RUNTIME := podman
 
 define nix-shell
 	nix-shell nix/shell.nix $(1)
@@ -21,9 +20,14 @@ define nix-shell-pure-run
 	$(call nix-shell-pure,--run "$(1)")
 endef
 
-define image-build
-	$(CONTAINER_RUNTIME) build --pull --no-cache \
-		-f Dockerfile-$(1) -t performabot-$(1) .
+define image
+	$(call nix-shell-pure-run,\
+		hack/podman-config &&\
+		podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs \
+			build --pull --no-cache -f image-$(1) -t performabot-$(1) &&\
+		rm -f $(BUILD_DIR)/image-$(1).tar &&\
+		podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs \
+			save  -o $(BUILD_DIR)/image-$(1).tar performabot-$(1))
 endef
 
 
@@ -40,7 +44,7 @@ build-static:
 .PHONY: build-static-with-image
 build-static-with-image:
 	export WORKDIR=/performabot &&\
-	$(CONTAINER_RUNTIME) run --rm -it -v $(shell pwd):/$$WORKDIR \
+	podman run --rm -it -v $(shell pwd):/$$WORKDIR \
 		saschagrunert/performabot-build sh -c "\
 			export BUILD_DIR=$$WORKDIR/result/bin &&\
 			rm -rf $$WORKDIR/result &&\
@@ -81,17 +85,17 @@ hlint:
 
 .PHONY: image-build
 image-build:
-	$(call image-build,build)
+	$(call image,build)
 
 .PHONY: image-client
 image-client:
-	$(nix-shell-pure-run,hack/is-static result/bin/client)
-	$(call image-build,client)
+	$(call nix-shell-pure-run,hack/is-static result/bin/client)
+	$(call image,client)
 
 .PHONY: image-server
 image-server:
-	$(nix-shell-pure-run,hack/is-static result/bin/server)
-	$(call image-build,server)
+	$(call nix-shell-pure-run,hack/is-static result/bin/server)
+	$(call image,server)
 
 .PHONY: lint
 lint: bulma cabal2nix floskell hlint

diff --git a/hack/is-static b/hack/is-static
@@ -1,11 +1,12 @@
 #!/usr/bin/env bash
-if [ ! -f $1 ]; then
-    echo "File '$1' does not exist"
+set -euo pipefail
+
+if [ ! -x "$1" ]; then
+    echo "File is not executable"
     exit 1
 fi
 
-file $1 | grep "statically linked" | grep -q stripped
-if [ $? -ne 0 ]; then
-    echo "Binary does not seem to be statically linked"
+if ! file "$1" | grep "statically linked" | grep -q stripped; then
+    echo "Binary is not statically linked and stripped"
     exit 1
 fi
diff --git a/hack/podman-config b/hack/podman-config
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BUILD_DIR=build
+mkdir -p $BUILD_DIR
+
+CONFIG=$BUILD_DIR/podman.conf
+cat >$CONFIG <<EOL
+conmon_path = [ "$(command -v conmon)" ]
+[runtimes]
+runc = [ "$(command -v runc)" ]
+EOL
diff --git a/hack/policy.json b/hack/policy.json
@@ -0,0 +1 @@
+{"default": [{"type": "insecureAcceptAnything"}]}
diff --git a/Dockerfile-build → image-build b/Dockerfile-build → image-build
diff --git a/Dockerfile-client → image-client b/Dockerfile-client → image-client
diff --git a/Dockerfile-server → image-server b/Dockerfile-server → image-server
diff --git a/nix/shell.nix b/nix/shell.nix
@@ -17,6 +17,7 @@ pkgs.stdenv.mkDerivation {
     bash
     cabal-install
     cabal2nix
+    conmon
     expect
     file
     git
@@ -25,9 +26,13 @@ pkgs.stdenv.mkDerivation {
     haskellPackages.hpc-coveralls
     haskellPackages.yesod-bin
     hlint
+    iptables
     nix-prefetch-git
+    podman
+    runc
     sass
     sqlite
+    utillinux
     wget
     zlib
   ];

diff --git a/stack.yaml b/stack.yaml
@@ -3,6 +3,6 @@ nix:
   enable: true
   pure: true
   shell-file: nix/shell.nix
-resolver: lts-13.25
+resolver: lts-13.26
 packages:
   - .