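--- a/ci/playbooks/content_provider/content_provider.yml
+++ b/ci/playbooks/content_provider/content_provider.yml
@@ -21,6 +21,14 @@
 ansible.builtin.include_role:
 name: registry_deploy
 
+- name: Build content provider images
+when: >-
+(cifmw_edpm_build_images_all | default(false) | bool) or
+(cifmw_edpm_build_images_hardened_uefi | default(false) | bool) or
+(cifmw_edpm_build_images_ironic_python_agent | default(false) | bool) or
+(cifmw_edpm_build_images_bootc | default(false) | bool)
+ansible.builtin.import_tasks: "{{ playbook_dir }}/../edpm_build_images/content_provider_tasks.yml"
+
 - name: Set var for cifmw_operator_build_operators var
 # It handles the case of setting image_base for
 # openstack-ansibleee-operator and openstack-operator project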
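Review bot: `cifmw_edpm_build_images_all | default(false)` in this `when` disagrees with the role default (`cifmw_edpm_build_images_all: true` in roles/edpm_build_images/defaults/main.yml) and with the `default(true)` used for the same variable in content_provider_tasks.yml. Role defaults are not loaded at play level, so a job that sets only `cifmw_edpm_build_images_bootc: true` passes this gate and then, as far as the visible code shows, also builds and advertises the hardened-uefi and ironic-python-agent images. If opt-in is the intent here, state it above the task, e.g. `# Opt-in gate: role defaults are not visible at play level, unset flags mean "do not build"`, and use the same fallback value in content_provider_tasks.yml. The surrounding play starts and ends outside the hunk.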
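--- a/ci/playbooks/content_provider/run.yml
+++ b/ci/playbooks/content_provider/run.yml
@@ -53,6 +53,7 @@
 zuul:
 pause: true
 cifmw_operator_build_output: "{{ inner_ansible_vars.cifmw_operator_build_output }}"
+cifmw_build_images_output: "{{ inner_ansible_vars.cifmw_build_images_output | default({}) }}"
 content_provider_registry_available: "{{ _registry_available }}"
 content_provider_registry_ip: "{{ _registry_ip }}"
 content_provider_registry_ip_port: "{{ _registry_ip_port if _registry_available else '' }}"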
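--- a/ci/playbooks/edpm_build_images/content_provider_tasks.yml
+++ b/ci/playbooks/edpm_build_images/content_provider_tasks.yml
@@ -0,0 +1,106 @@
+---
+- name: Construct project change list
+ansible.builtin.set_fact:
+zuul_change_list: "{{ zuul_change_list | default([]) + [item.project.short_name] }}"
+cacheable: true
+loop: "{{ zuul['items'] }}"
+when:
+- zuul is defined
+- "'items' in zuul"
+- "'change_url' in item"
+
+- name: Build EDPM content provider images
+when:
+- (cifmw_edpm_build_images_force | default(false) | bool) or
+('edpm-image-builder' in (zuul_change_list | default([])))
+block:
+- name: Call repo setup
+ansible.builtin.import_role:
+name: repo_setup
+vars:
+cifmw_repo_setup_output: "/etc/yum.repos.d/"
+
+- name: Get latest commit when no PR is provided
+ansible.builtin.command: # noqa: command-instead-of-module
+cmd: git show-ref --head --hash head
+args:
+chdir: "{{ ansible_user_dir }}/src/github.com/openstack-k8s-operators/edpm-image-builder"
+register: git_head_out
+
+- name: Set pr_sha to be used as image tag
+ansible.builtin.set_fact:
+pr_sha: "{{ git_head_out.stdout | trim }}"
+cacheable: true
+
+- name: Build edpm and ipa images
+ansible.builtin.include_role:
+name: edpm_build_images
+vars:
+cifmw_edpm_build_images_via_rpm: false
+cifmw_edpm_build_images_tag: "{{ pr_sha }}"
+cifmw_edpm_build_images_push_container_images: true
+cifmw_edpm_build_images_push_registry: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001"
+cifmw_edpm_build_images_push_registry_namespace: ""
+cifmw_edpm_build_images_bootc_repo: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/edpm-bootc"
+
+- name: Set build images output
+ansible.builtin.set_fact:
+cifmw_build_images_output: >-
+{{
+{
+'images': {}
+}
+|
+combine(
+{
+'images': {
+'edpm-hardened-uefi': {
+'image': (cifmw_rp_registry_ip | default('localhost')) ~ ':5001/edpm-hardened-uefi:' ~ pr_sha
+}
+}
+}
+if (
+(
+cifmw_edpm_build_images_hardened_uefi | default(false) | bool
+) or (
+cifmw_edpm_build_images_all | default(true) | bool
+)
+) and (
+cifmw_edpm_build_images_hardened_uefi_package | default(true) | bool
+)
+else {},
+recursive=true
+)
+|
+combine(
+{
+'images': {
+'ironic-python-agent': {
+'image': (cifmw_rp_registry_ip | default('localhost')) ~ ':5001/ironic-python-agent:' ~ pr_sha
+}
+}
+}
+if (
+(
+cifmw_edpm_build_images_ironic_python_agent | default(false) | bool
+) or (
+cifmw_edpm_build_images_all | default(true) | bool
+)
+) and (
+cifmw_edpm_build_images_ironic_python_agent_package | default(true) | bool
+)
+else {},
+recursive=true
+)
+|
+combine(cifmw_edpm_build_images_bootc_output | default({}), recursive=true)
+}}
+cacheable: true
+
+- name: Set build images output when EDPM image is not built
+when:
+- not (cifmw_edpm_build_images_force | default(false) | bool)
+- "'edpm-image-builder' not in (zuul_change_list | default([]))"
+ansible.builtin.set_fact:
+cifmw_build_images_output: {}
+cacheable: true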
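Review bot: `pr_sha` is taken verbatim from `git_head_out.stdout` and then used as the image tag, in the advertised image references, and (through `cifmw_edpm_build_images_tag`) in the shell command lines of bootc.yml, with nothing checking that it is a single commit hash. `git show-ref --head --hash head` may print more than one line if the checkout has a ref whose last path component is `head`, which would carry a newline into every one of those uses. Add a check right after "Set pr_sha to be used as image tag", for example an `ansible.builtin.assert` with `that: pr_sha is match('^[0-9a-f]{40}$')`. The command task only reads state, so it should also carry `changed_when: false`.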
@@ -7,50 +7,8 @@
ansible.builtin.include_role:
name: registry_deploy

- name: Call repo setup
ansible.builtin.import_role:
name: repo_setup
vars:
cifmw_repo_setup_output: "/etc/yum.repos.d/"

- name: Get latest commit when no PR is provided
ansible.builtin.command: # noqa: command-instead-of-module
cmd: git show-ref --head --hash head
args:
chdir: "{{ ansible_user_dir }}/src/github.com/openstack-k8s-operators/edpm-image-builder"
register: git_head_out

- name: Set pr_sha to be used as image tag
ansible.builtin.set_fact:
pr_sha: "{{ git_head_out.stdout | trim }}"
cacheable: true

- name: Build edpm and ipa images
ansible.builtin.include_role:
name: edpm_build_images
vars:
cifmw_edpm_build_images_tag: "{{ pr_sha }}"

- name: Push edpm-hardened-uefi image to registry
containers.podman.podman_image:
name: "{{ item }}"
push_args:
dest: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/{{ item }}:{{ pr_sha }}"
tag: "{{ pr_sha }}"
push: true
loop:
- edpm-hardened-uefi
- ironic-python-agent

- name: Set build images output
ansible.builtin.set_fact:
cifmw_build_images_output:
images:
edpm-hardened-uefi:
image: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/edpm-hardened-uefi:{{ pr_sha }}"
ironic-python-agent:
image: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/ironic-python-agent:{{ pr_sha }}"
cacheable: true
- name: Build content provider images
ansible.builtin.import_tasks: "{{ playbook_dir }}/content_provider_tasks.yml"

- name: Get the containers list from container registry
ansible.builtin.uri:
9 changes: 9 additions & 0 deletions ci/templates/projects.yaml
@@ -7,6 +7,7 @@
name: openstack-k8s-operators/ci-framework
templates:
- podified-multinode-edpm-ci-framework-pipeline
- podified-multinode-edpm-baremetal-bootc-pipeline
- data-plane-adoption-ci-framework-pipeline
- whitebox-neutron-tempest-plugin-podified-pipeline
github-check:
@@ -22,4 +23,12 @@
- cifmw-tcib
- cifmw-architecture-validate-hci
- ci-framework-openstack-meta-content-provider
# Build EDPM OS container images on ci-framework PRs to validate CP wiring here.
# Other repos using the same templates build OS container images only on edpm-image-builder changes.
- openstack-k8s-operators-content-provider:
vars:
cifmw_edpm_build_images_force: true
- openstack-k8s-operators-content-provider-bootc:
vars:
cifmw_edpm_build_images_force: true
# Start generated content
9 changes: 9 additions & 0 deletions roles/edpm_build_images/defaults/main.yml
@@ -36,8 +36,17 @@ cifmw_edpm_build_images_elements:
cifmw_edpm_build_images_all: true
cifmw_edpm_build_images_hardened_uefi: false
cifmw_edpm_build_images_ironic_python_agent: false
cifmw_edpm_build_images_bootc: false
cifmw_edpm_build_images_hardened_uefi_package: true
cifmw_edpm_build_images_ironic_python_agent_package: true
cifmw_edpm_build_images_bootc_repo: "{{ cifmw_edpm_build_images_push_registry }}/edpm-bootc"
cifmw_edpm_build_images_bootc_repo_path: "{{ cifmw_edpm_image_builder_repo_path }}/bootc"
cifmw_edpm_build_images_bootc_base_image: "quay.io/centos-bootc/centos-bootc:stream9"
cifmw_edpm_build_images_bootc_builder_image: "quay.io/centos-bootc/bootc-image-builder:latest"
cifmw_edpm_build_images_bootc_qcow2_name: "edpm-bootc.qcow2"
cifmw_edpm_build_images_bootc_rhsm_script: "empty.sh"
cifmw_edpm_build_images_bootc_fips: "1"
Comment thread
evallesp marked this conversation as resolved.
cifmw_edpm_build_images_bootc_user_packages: ""
cifmw_edpm_build_images_dib_yum_repo_conf_centos:
- /etc/yum.repos.d/*
cifmw_edpm_build_images_dib_yum_repo_conf_rhel:
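Review bot: `cifmw_edpm_build_images_bootc_builder_image` defaults to the floating tag `quay.io/centos-bootc/bootc-image-builder:latest`, and bootc.yml runs that image as root with `podman run --privileged --security-opt label=type:unconfined_t` and the host's `/var/lib/containers/storage` mounted. Whatever is published under that tag at build time therefore runs with host-level access on the build node and produces the qcow2 that is later shipped, and two runs of the same commit can use different builders. Pin the default by digest, e.g. `cifmw_edpm_build_images_bootc_builder_image: "quay.io/centos-bootc/bootc-image-builder@sha256:<digest>"` (placeholder digest), and consider doing the same for `cifmw_edpm_build_images_bootc_base_image`, which uses the moving `stream9` tag.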
122 changes: 122 additions & 0 deletions roles/edpm_build_images/tasks/bootc.yml
@@ -0,0 +1,122 @@
---
- name: Ensure bootc output directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0755"
loop:
- "{{ cifmw_edpm_build_images_bootc_repo_path }}/output"
- "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d"

- name: Discover repo files for bootc build
ansible.builtin.find:
paths: /etc/yum.repos.d
file_type: file
recurse: false
register: cifmw_edpm_build_images_bootc_repo_files

- name: Copy repo files for bootc build
become: true
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d/{{ item.path | basename }}"
remote_src: true
mode: "0644"
loop: "{{ cifmw_edpm_build_images_bootc_repo_files.files }}"
loop_control:
label: "{{ item.path | basename }}"

- name: Build bootc container image
become: true
args:
chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}"
ansible.builtin.shell: >-
buildah bud
--network host
--build-arg EDPM_BASE_IMAGE={{ cifmw_edpm_build_images_bootc_base_image }}
--build-arg RHSM_SCRIPT={{ cifmw_edpm_build_images_bootc_rhsm_script }}
--build-arg FIPS={{ cifmw_edpm_build_images_bootc_fips }}
--build-arg USER_PACKAGES={{ cifmw_edpm_build_images_bootc_user_packages }}
--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro,Z
--volume {{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d:/etc/yum.repos.d:rw,Z
-f ./Containerfile
-t localhost/edpm-bootc:{{ cifmw_edpm_build_images_tag }}
. > {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_image_build.log
2> {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_image_build_err.log

- name: Generate bootc qcow2 image
become: true
args:
chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}"
ansible.builtin.shell: >-
podman run --rm --privileged
--security-opt label=type:unconfined_t
-v ./output:/output
-v /var/lib/containers/storage:/var/lib/containers/storage
{{ cifmw_edpm_build_images_bootc_builder_image }}
--type qcow2
--local
localhost/edpm-bootc:{{ cifmw_edpm_build_images_tag }}
> {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_build.log
2> {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_build_err.log

- name: Rename generated bootc qcow2 image
Contributor

(blocking) suggestion: Let's move to use copy module.

Contributor Author

Not sure why? This is a large image and we should not duplicate it.

Contributor

Definitely, sorry; my comment was too short.
I mean about the pipelines to the normal exit and the error exit.

Contributor Author

Oh you mean use copy for the logs, not the qcow2. register + copy would work but adds 4 tasks and buffers all build output in memory. Keeping > / 2>: we already get separate stdout/stderr log files streamed to disk, Ansible still fails on non-zero exit, and the error log is written even when the build fails. I did not see the pattern of register+copy elsewhere in the repo for logs.

become: true
ansible.builtin.command:
cmd: >-
mv
{{ cifmw_edpm_build_images_bootc_repo_path }}/output/qcow2/disk.qcow2
{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}
creates: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}"
removes: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/qcow2/disk.qcow2"

- name: Generate bootc qcow2 checksum
become: true
args:
chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output"
ansible.builtin.command:
cmd: sha256sum {{ cifmw_edpm_build_images_bootc_qcow2_name }}
register: _cifmw_edpm_build_images_bootc_qcow2_checksum

- name: Write bootc qcow2 checksum file
become: true
ansible.builtin.copy:
dest: >-
{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{
cifmw_edpm_build_images_bootc_qcow2_name }}.sha256
content: "{{ _cifmw_edpm_build_images_bootc_qcow2_checksum.stdout }}\n"
mode: "0644"

- name: Copy bootc qcow2 packaging helper files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
remote_src: true
mode: "{{ item.mode }}"
loop:
- src: "{{ cifmw_edpm_image_builder_repo_path }}/copy_out.sh"
dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/copy_out.sh"
mode: "0755"
- src: "{{ cifmw_edpm_image_builder_repo_path }}/Containerfile.image"
dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/Containerfile.image"
mode: "0644"

- name: Package bootc qcow2 image inside container image
become: true
args:
chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output"
ansible.builtin.command:
cmd: >-
buildah bud -f ./Containerfile.image
-t edpm-bootc:{{ cifmw_edpm_build_images_tag }}-qcow2
--build-arg IMAGE_NAME=edpm-bootc
--build-arg BASE_IMAGE={{ cifmw_edpm_build_images_base_image }}
--logfile {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_container_package.log

- name: Set bootc build images output
ansible.builtin.set_fact:
cifmw_edpm_build_images_bootc_output:
images:
edpm-bootc-qcow2:
image: "{{ cifmw_edpm_build_images_bootc_repo }}:{{ cifmw_edpm_build_images_tag }}-qcow2"
cacheable: true
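Review bot: The templated values in the `ansible.builtin.shell` command of "Build bootc container image" are interpolated unquoted, so a `cifmw_edpm_build_images_bootc_user_packages` value naming more than one package splits at the space and buildah parses the second word as a separate argument. Because the task runs with `become: true`, any shell metacharacter in these variables is also evaluated by a root shell. Pass each value through the `quote` filter, e.g. `--build-arg USER_PACKAGES={{ cifmw_edpm_build_images_bootc_user_packages | quote }}`, and do the same for the base image, RHSM script, FIPS, tag and path variables in both shell tasks. Separately, `--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro,Z` asks for the host's CA trust directory to be relabelled with a private container label, which the Podman volume documentation advises against for system directories; consider dropping `Z` there after confirming the build can still read the bundle.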
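--- a/roles/edpm_build_images/tasks/install.yml
+++ b/roles/edpm_build_images/tasks/install.yml
@@ -6,6 +6,13 @@
 - cifmw_edpm_build_images_via_rpm
 - not cifmw_edpm_build_images_dry_run
 
+- name: Add bootc host packages when needed
+ansible.builtin.set_fact:
+cifmw_edpm_build_images_host_packages: "{{ cifmw_edpm_build_images_host_packages + ['podman', 'osbuild-selinux'] }}"
+when:
+- cifmw_edpm_build_images_bootc | bool
+- not cifmw_edpm_build_images_dry_run
+
 - name: Install required packages
 when:
 - not cifmw_edpm_build_images_dry_run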
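--- a/roles/edpm_build_images/tasks/main.yml
+++ b/roles/edpm_build_images/tasks/main.yml
@@ -47,6 +47,10 @@
 - name: Package build images inside container image
 ansible.builtin.import_tasks: package.yml
 
+- name: Build bootc images
+when: cifmw_edpm_build_images_bootc | bool
+ansible.builtin.import_tasks: bootc.yml
+
 - name: Push container images to quay.rdoproject.org
 when: cifmw_edpm_build_images_push_container_images | bool
 ansible.builtin.import_tasks: post.yaml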
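Review bot: With `cifmw_edpm_build_images_dry_run` set, this import still runs the real `buildah bud` and the privileged `podman run` from bootc.yml, because neither this `when` nor any task in bootc.yml checks the flag, while install.yml skips the bootc package installation under the same flag. Gate the import on both conditions, `when:` with `- cifmw_edpm_build_images_bootc | bool` and `- not (cifmw_edpm_build_images_dry_run | bool)`. How the neighbouring build and package tasks honour dry-run is outside this hunk, so match whatever convention they use.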