From 179fa02ed0aa85f30cf4da8d23585bfee93270d7 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Thu, 21 Mar 2024 08:26:00 -0700
Subject: [PATCH] Build a new skopeo for the zuul-executor container image

New versions of docker are no longer compatible with old versions of skopeo. To correct this, build a new version of skopeo for the container images. We need 1.14+ which is not available in debian yet, so we build 1.15 (the latest tagged release) from source.

Change-Id: I5a5c351e90b06d3acdd02f3117aa29eafb72445e
---
 Dockerfile | 23 ++++++++++++++++++++++-
 zuul/driver/bubblewrap/__init__.py | 1 +
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 8cf8abec60..af2f31538e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
 # Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2024 Acme Gating, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,6 +20,21 @@ COPY web /tmp/src
 # Explicitly run the Javascript build
 RUN cd /tmp/src && yarn install -d && yarn build
+# We need skopeo >=v1.14.0 to negotioate with newer docker; once this
+# is available in debian we can drop the custom build.
+FROM golang:1.22-bookworm as go-builder
+
+# Keep this in sync with zuul-jobs ensure-skopeo
+ARG SKOPEO_VERSION=v1.14.2
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+ apt-get -y install libgpgme-dev libassuan-dev \
+ libbtrfs-dev libdevmapper-dev pkg-config && \
+ git clone https://github.com/containers/skopeo /go/src/github.com/containers/skopeo &&\
+ cd /go/src/github.com/containers/skopeo && \
+ git checkout $SKOPEO_VERSION && \
+ make bin/skopeo
+
 FROM docker.io/opendevorg/python-builder:3.11-bookworm as builder
 ENV DEBIAN_FRONTEND=noninteractive
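Review bot: The `git checkout $SKOPEO_VERSION` step in the new go-builder stage trusts a mutable tag fetched at build time, so whatever that tag points to becomes the skopeo binary shipped in zuul-executor. Pin the expected commit beside the version, e.g. `ARG SKOPEO_COMMIT=<pinned-commit-sha>` (placeholder value), and add `test "$(git rev-parse HEAD)" = "$SKOPEO_COMMIT" && \` right after the checkout; referencing the `golang:1.22-bookworm` base image by digest would close the same gap for the toolchain. Separately, the commit message says 1.15 is built while the ARG is `v1.14.2`, so one of the two statements should be corrected, and `negotioate` in the added comment is a typo.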
@@ -68,12 +84,17 @@ FROM zuul as zuul-executor
 ENV DEBIAN_FRONTEND=noninteractive
 COPY --from=builder /usr/local/lib/zuul/ /usr/local/lib/zuul
 COPY --from=builder /tmp/openshift-install/oc /usr/local/bin/oc
+COPY --from=go-builder /go/src/github.com/containers/skopeo/bin/skopeo /usr/local/bin/skopeo
+COPY --from=go-builder /go/src/github.com/containers/skopeo/default-policy.json /etc/containers/policy.json
 # The oc and kubectl binaries are large and have the same hash.
 # Copy them only once and use a symlink to save space.
 RUN ln -s /usr/local/bin/oc /usr/local/bin/kubectl
+# Once we can use skopeo from Debian again, just change this to
+# install skopeo; in the interim, this installes the runtime
+# dependencies.
 RUN apt-get update \
- && apt-get install -y skopeo \
+ && apt-get install -y libgpgme11 libdevmapper1.02.1 \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py
index aa8d179b5d..d1b0b6a24a 100644
--- a/zuul/driver/bubblewrap/__init__.py
+++ b/zuul/driver/bubblewrap/__init__.py
@@ -307,6 +307,7 @@ class BubblewrapDriver(Driver, WrapperInterface):
 '/etc/alternatives',
 '/etc/ssl/certs',
 '/etc/subuid',
+ '/etc/containers',
 ]:
 if os.path.exists(path):
 bwrap_command.extend(['--ro-bind', path, path])
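Review bot: The second added `COPY` in the zuul-executor stage installs skopeo's `default-policy.json` as `/etc/containers/policy.json` without saying what that policy permits; as far as I know the upstream file defaults to `insecureAcceptAnything`, meaning no image signature is required. I would add a comment above it such as `# Upstream default policy: accepts unsigned images; replace to enforce signatures.` so operators do not assume verification is taking place. The binary in `/usr/local/bin` is also no longer covered by Debian security updates, so the interim comment before the `apt-get` step should state that skopeo fixes now require bumping `SKOPEO_VERSION` and rebuilding the image; `installes` in that comment is a typo.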
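Review bot: Adding `'/etc/containers'` to the `--ro-bind` list in zuul/driver/bubblewrap/__init__.py exposes the whole directory to every sandboxed job, not only the policy file skopeo reads. In the container image that is just the copied `policy.json`, but on a host-installed executor the directory may also hold `registries.conf` and `certs.d` client certificates and keys, which untrusted playbooks could then read. If skopeo only needs the policy, bind `'/etc/containers/policy.json',` instead; otherwise add a comment such as `# read-only for skopeo's policy.json; do not keep registry client keys here`. The loop and the method it belongs to start outside this hunk.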