[master] RHEL PoC #991
[master] RHEL PoC #991
Conversation
rpm/rhel-7/Dockerfile
Outdated
| @@ -1,30 +0,0 @@ | |||
| # syntax=docker/dockerfile:1 | |||
There was a problem hiding this comment.
This one may be in use by IBM?
rpm/rhel-8/Dockerfile
Outdated
| RUN subscription-manager register --username=$RH_USER --password=$RH_PASS | ||
| RUN subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms |
There was a problem hiding this comment.
Didn't this produce a subscription-file, so something we could run in CI, and --mount ? Passing these as argument means they leak into the image produced (and build-cache).
There was a problem hiding this comment.
This is somewhat intentional for now; the cleanup step is "manual" (read: a cron job elsewhere) as a stopgap while I work on lifecycle robustness. That being said, I hadn't considered build cache issues since we don't actually clean the cache on the Jenkins nodes, as best I can tell...
Given that, maybe it would be better to use fixed certificates; this is somewhat messier (mostly for containerd-packaging) and introduces the manual update process/point of failure, but I can mock it up as an alternative (and it does obviate the runtime lifecycle issues).
neersighted
force-pushed
the
rhel-poc
branch
from
af4d718 to
2bb1964
Compare
rpm/rhel-8/Dockerfile
Outdated
| ARG RH_USER | ||
| ARG RH_PASS | ||
| RUN rm /etc/rhsm-host | ||
| RUN subscription-manager register --username=$RH_USER --password=$RH_PASS |
There was a problem hiding this comment.
This should use RUN --mount=type=secret to avoid leaking the password in the image history (although the image is never pushed to public)
neersighted
force-pushed
the
rhel-poc
branch
2 times, most recently
from
98a8275 to
6485b2d
Compare
neersighted
force-pushed
the
rhel-poc
branch
6 times, most recently
from
3739fa8 to
a1e3656
Compare
|
Rebased |
|
rebased |
|
Rebased |
thaJeztah
force-pushed
the
rhel-poc
branch
2 times, most recently
from
59a5b59 to
97ab93b
Compare
|
Rebased after #1031 |
|
Rebased after #1032 |
|
Rebased after #1034 |
|
Rebased after #1038 |
|
Rebased after #1039 |
|
rebased after #1041 |
|
rebased after #1042 |
|
rebased after #1043 |
|
Rebased after #1044 |
Signed-off-by: Bjorn Neergaard <[email protected]> Signed-off-by: Paweł Gronowski <[email protected]>
Signed-off-by: Bjorn Neergaard <[email protected]> Signed-off-by: Paweł Gronowski <[email protected]>
|
Rebased after #1050 |
Taking a similar approach as is used for containerd-packaging. Note that the resulting subscription file will still be persisted in the image, but this image is only used as an ephemeral image, and on our builder-nodes. Signed-off-by: Sebastiaan van Stijn <[email protected]>
|
@vvoland I pushed a commit to change the |
|
If the change LGTY, I can squash the last two commits |
| --username="$(cat /run/secrets/rh-user)" \ | ||
| --password="$(cat /run/secrets/rh-pass)" | ||
|
|
||
| subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms |
There was a problem hiding this comment.
FWIW; still looking at the $(arch) bit here; is this expanding using a RPM arg or is this a bug, just “happened to work”?
There was a problem hiding this comment.
It's just shelling out to arch. Looks intentional to me, but maybe not?
There was a problem hiding this comment.
DOH! Of course; was with my head in env-vars and build-args, and I was thinking it was depending on some env-var or RPM macro/var 🙈
Yeah, perhaps keeping the commit separate is still fine. |
|
Let me bring this one in 👍 |
This is a PoC for building RHEL packages assuming that a RHEL username/password is available in the environment.
This is mostly intended for internal use by Docker, as it is assumed that the main utility is performing builds with a 'real RHEL' for enterprise customers.
However, when a unencumbered RHEL-equivalent distribution (e.g. Rocky) is supported, it will make sense to generalize the 'rhel' infrastructure in this repo.