Build a new skopeo for the zuul-executor container image

New versions of docker are no longer compatible with old versions of skopeo. To correct this, build a new version of skopeo for the container images. We need 1.14+ which is not available in debian yet, so we build 1.15 (the latest tagged release) from source. Change-Id: I5a5c351e90b06d3acdd02f3117aa29eafb72445e
2024-03-21 08:26:00 -07:00 · 2024-03-21 08:26:00 -07:00 · 179fa02ed0
parent 3bcd923a68
commit 179fa02ed0
2 changed files with 23 additions and 1 deletions
--- a/23
+++ b/23
@ -1,4 +1,5 @@
 # Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2024 Acme Gating, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -19,6 +20,21 @@ COPY web /tmp/src
 # Explicitly run the Javascript build
 RUN cd /tmp/src && yarn install -d && yarn build

+# We need skopeo >=v1.14.0 to negotioate with newer docker; once this
+# is available in debian we can drop the custom build.
+FROM golang:1.22-bookworm as go-builder
+
+# Keep this in sync with zuul-jobs ensure-skopeo
+ARG SKOPEO_VERSION=v1.14.2
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+    apt-get -y install libgpgme-dev libassuan-dev \
+                       libbtrfs-dev libdevmapper-dev pkg-config && \
+    git clone https://github.com/containers/skopeo /go/src/github.com/containers/skopeo &&\
+    cd /go/src/github.com/containers/skopeo && \
+    git checkout $SKOPEO_VERSION && \
+    make bin/skopeo
+
 FROM docker.io/opendevorg/python-builder:3.11-bookworm as builder
 ENV DEBIAN_FRONTEND=noninteractive

@ -68,12 +84,17 @@ FROM zuul as zuul-executor
 ENV DEBIAN_FRONTEND=noninteractive
 COPY --from=builder /usr/local/lib/zuul/ /usr/local/lib/zuul
 COPY --from=builder /tmp/openshift-install/oc /usr/local/bin/oc
+COPY --from=go-builder /go/src/github.com/containers/skopeo/bin/skopeo /usr/local/bin/skopeo
+COPY --from=go-builder /go/src/github.com/containers/skopeo/default-policy.json /etc/containers/policy.json
 # The oc and kubectl binaries are large and have the same hash.
 # Copy them only once and use a symlink to save space.
 RUN ln -s /usr/local/bin/oc /usr/local/bin/kubectl

+# Once we can use skopeo from Debian again, just change this to
+# install skopeo; in the interim, this installes the runtime
+# dependencies.
 RUN apt-get update \
-  && apt-get install -y skopeo \
+  && apt-get install -y libgpgme11 libdevmapper1.02.1 \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

--- a/zuul/driver/bubblewrap/init.py
+++ b/zuul/driver/bubblewrap/init.py
@ -307,6 +307,7 @@ class BubblewrapDriver(Driver, WrapperInterface):
                     '/etc/alternatives',
                     '/etc/ssl/certs',
                     '/etc/subuid',
+                     '/etc/containers',
                     ]:
            if os.path.exists(path):
                bwrap_command.extend(['--ro-bind', path, path])