From afc71140e5ab38107263ee330c88f27dd7cce73b Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Sat, 22 Jun 2019 11:36:07 +0200
Subject: [PATCH] Use podman for container image builds
Signed-off-by: Sascha Grunert
---
 .circleci/config.yml | 30 +++++++++++++++++-------------
 .gitignore | 1 +
 Makefile | 24 ++++++++++++++----------
 hack/is-static | 11 ++++++-----
 hack/podman-config | 12 ++++++++++++
 hack/policy.json | 1 +
 Dockerfile-build => image-build | 0
 Dockerfile-client => image-client | 0
 Dockerfile-server => image-server | 0
 nix/shell.nix | 5 +++++
 stack.yaml | 2 +-
 11 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100755 hack/podman-config
 create mode 100644 hack/policy.json
 rename Dockerfile-build => image-build (100%)
 rename Dockerfile-client => image-client (100%)
 rename Dockerfile-server => image-server (100%)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index c9cc8d1..64057a0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -8,10 +8,6 @@ executors:
 performabot-build:
 docker:
 - image: saschagrunert/performabot-build
-machine:
-machine:
-docker_layer_caching: true
-image: ubuntu-1604:201903-01
 workflows:
 version: 2
@@ -141,25 +137,33 @@ jobs: git push -f origin gh-pages image: - executor: machine + executor: container parameters: target: type: string steps: + - <<: *prepare-env - checkout - attach_workspace: at: . - run: - name: create container image - command: make image-<< parameters.target >> CONTAINER_RUNTIME=docker - - run: - name: save container image + name: setup container policy command: | - docker save -o image-<< parameters.target >>.tar \ - performabot-<< parameters.target >> + mkdir -p /etc/containers + cp hack/policy.json /etc/containers + - restore_cache: + keys: + - v1-image-{{ checksum "nix/nixpkgs.json" }} + - run: + name: create container image + command: make image-<< parameters.target >> + - save_cache: + key: v1-image-{{ checksum "nix/nixpkgs.json" }} + paths: + - /nix - store_artifacts: - path: image-<< parameters.target >>.tar - destination: image-<< parameters.target >>.tar + path: build/image-<< parameters.target >>.tar + destination: build/image-<< parameters.target >>.tar lint: executor: container
diff --git a/.gitignore b/.gitignore
index e10a824..8ee3912 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 *.orig
 *.sqlite3*
+*.tar
 *.tix
 .ghc.environment.*
 .sass-cache
diff --git a/Makefile b/Makefile
index 8404007..2ca81fb 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,6 @@ GLOB_SCSS := config/bulma.scss
 BULMA_DIR := $(BUILD_DIR)/bulma
 BULMA_TAG := 0.7.5
 BULMA_URL := https://github.com/jgthms/bulma
-CONTAINER_RUNTIME := podman
 define nix-shell
 nix-shell nix/shell.nix $(1)
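Review bot: The new `setup container policy` step copies `hack/policy.json` into `/etc/containers` without a comment on what that policy permits; the diffstat shows it as a single added line, so it presumably sets a blanket `insecureAcceptAnything` default, in which case the `--pull` performed by `make image-<< parameters.target >>` accepts any base image with no signature or digest verification. Suggest a comment on the step such as `# hack/policy.json disables image signature verification for podman in CI; base images in image-* should be pinned by digest`, and confirming that the `container` executor this job now uses runs with the privileges needed to write `/etc/containers`, since the step has no `sudo`. Separately, the `/nix` cache is keyed only on `nix/nixpkgs.json`, so the `nix/shell.nix` change in this same commit does not change the key; nix will still fetch what is missing, but including `nix/shell.nix` in the checksum would keep the cache honest.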
@@ -21,9 +20,14 @@ define nix-shell-pure-run
 $(call nix-shell-pure,--run "$(1)")
 endef
-define image-build
- $(CONTAINER_RUNTIME) build --pull --no-cache \
- -f Dockerfile-$(1) -t performabot-$(1) .
+define image
+ $(call nix-shell-pure-run,\
+ hack/podman-config &&\
+ podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs \
+ build --pull --no-cache -f image-$(1) -t performabot-$(1) &&\
+ rm -f $(BUILD_DIR)/image-$(1).tar &&\
+ podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs \
+ save -o $(BUILD_DIR)/image-$(1).tar performabot-$(1))
 endef
@@ -40,7 +44,7 @@ build-static:
 .PHONY: build-static-with-image
 build-static-with-image:
 export WORKDIR=/performabot &&\
- $(CONTAINER_RUNTIME) run --rm -it -v $(shell pwd):/$$WORKDIR \
+ podman run --rm -it -v $(shell pwd):/$$WORKDIR \
 saschagrunert/performabot-build sh -c "\
 export BUILD_DIR=$$WORKDIR/result/bin &&\
 rm -rf $$WORKDIR/result &&\
@@ -81,17 +85,17 @@ hlint:
 .PHONY: image-build
 image-build:
- $(call image-build,build)
+ $(call image,build)
 .PHONY: image-client
 image-client:
- $(nix-shell-pure-run,hack/is-static result/bin/client)
- $(call image-build,client)
+ $(call nix-shell-pure-run,hack/is-static result/bin/client)
+ $(call image,client)
 .PHONY: image-server
 image-server:
- $(nix-shell-pure-run,hack/is-static result/bin/server)
- $(call image-build,server)
+ $(call nix-shell-pure-run,hack/is-static result/bin/server)
+ $(call image,server)
 .PHONY: lint
 lint: bulma cabal2nix floskell hlint
diff --git a/hack/is-static b/hack/is-static
index adf4ed7..1588d3b 100755
--- a/hack/is-static
+++ b/hack/is-static
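Review bot: The `image` define passes `--config=$(BUILD_DIR)/podman.conf`, but the `hack/podman-config` script it calls first writes its file under a fixed `BUILD_DIR=build` (visible in the new-file hunk further down), so if `BUILD_DIR` is overridden on the make command line podman is pointed at a config the script never wrote. Either thread the directory through (`hack/podman-config $(BUILD_DIR)`, with the script reading `${1:-build}`) or document the coupling with a comment above the define. The twice-repeated `podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs` prefix would read better as one variable, `PODMAN := podman --config=$(BUILD_DIR)/podman.conf --storage-driver=vfs`, used as `$(PODMAN) build …` and `$(PODMAN) save …`. The removed recipe also passed `.` as the build context; the new `build … -t performabot-$(1)` line relies on podman defaulting to the current directory, which is worth making explicit to keep the context independent of where `nix-shell` lands.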
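Review bot: The rewritten `podman run` line keeps `-it`, which requests a TTY and typically fails on non-interactive runners (CI, `make` driven from a script) even though the command is a plain `sh -c`; it also keeps `$(shell pwd)` where `$(CURDIR)` gives the same path without a fork, and `/$$WORKDIR` expands to `//performabot` because `WORKDIR` already begins with a slash. Suggested line: `podman run --rm -v $(CURDIR):$$WORKDIR \`. The image `saschagrunert/performabot-build` is pulled by mutable tag while the whole source tree is bind-mounted into it; pinning it by digest (`@sha256:<digest>`) would make the static build environment reproducible. The recipe's `sh -c` string continues past the end of the hunk.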
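Review bot: The change from `$(nix-shell-pure-run,…)` to `$(call nix-shell-pure-run,…)` in `image-client` and `image-server` is a silent-bug fix rather than a rename: the old form expanded an undefined variable to nothing, so `hack/is-static` never actually ran before this commit. That deserves a comment on the `image-client` recipe, e.g. `# $(call …) is required: a bare $(name,…) expands to nothing and the static check is skipped`, and `MAKEFLAGS += --warn-undefined-variables` near the top of the Makefile would have flagged it. Both targets also read `result/bin/client` and `result/bin/server` without declaring them as prerequisites, so a missing binary surfaces as an is-static failure instead of triggering a build.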
@@ -1,11 +1,12 @@
 #!/usr/bin/env bash
-if [ ! -f $1 ]; then
- echo "File '$1' does not exist"
+set -euo pipefail
+
+if [ ! -x "$1" ]; then
+ echo "File is not executable"
 exit 1
 fi
-file $1 | grep "statically linked" | grep -q stripped
-if [ $? -ne 0 ]; then
- echo "Binary does not seem to be statically linked"
+if ! file "$1" | grep "statically linked" | grep -q stripped; then
+ echo "Binary is not statically linked and stripped"
 exit 1
 fi
diff --git a/hack/podman-config b/hack/podman-config
new file mode 100755
index 0000000..c45edbe
--- /dev/null
+++ b/hack/podman-config
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BUILD_DIR=build
+mkdir -p $BUILD_DIR
+
+CONFIG=$BUILD_DIR/podman.conf
+cat >$CONFIG <
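Review bot: With `set -u` now in effect, running the script without an argument dies on `[ ! -x "$1" ]` with bash's generic `unbound variable` message instead of a usage hint, and the rewritten message `File is not executable` drops the path the old message printed, so a failing `make image-client` no longer says which file was checked. Suggest `bin=${1:?usage: is-static <binary>}` at the top, then `echo "File '$bin' is not executable" >&2` and likewise `>&2` on the second error, so diagnostics go to stderr. The test itself only greps `file` output for `statically linked` and `stripped`, a heuristic tied to libmagic's wording; a one-line comment saying so would help whoever sees it fail on a different `file` version.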