[edpm_build_images] Build/publish bootc images in the content provider

ci/playbooks/content_provider/content_provider.yml

@@ -21,6 +21,9 @@
       ansible.builtin.include_role:
         name: registry_deploy
 
+    - name: Build content provider images
+      ansible.builtin.import_tasks: "{{ playbook_dir }}/../edpm_build_images/content_provider_tasks.yml"
+
     - name: Set var for cifmw_operator_build_operators var
       # It handles the case of setting image_base for
       # openstack-ansibleee-operator and openstack-operator project

ci/playbooks/content_provider/run.yml

@@ -53,6 +53,7 @@
           zuul:
             pause: true
           cifmw_operator_build_output: "{{ inner_ansible_vars.cifmw_operator_build_output }}"
+          cifmw_build_images_output: "{{ inner_ansible_vars.cifmw_build_images_output | default({}) }}"
           content_provider_registry_available: "{{ _registry_available }}"
           content_provider_registry_ip: "{{ _registry_ip }}"
           content_provider_registry_ip_port: "{{ _registry_ip_port if _registry_available else '' }}"

ci/playbooks/edpm_build_images/content_provider_tasks.yml

@@ -0,0 +1,83 @@
+---
+- name: Call repo setup
+  ansible.builtin.import_role:
+    name: repo_setup
+  vars:
+    cifmw_repo_setup_output: "/etc/yum.repos.d/"
+
+- name: Get latest commit when no PR is provided
+  ansible.builtin.command:  # noqa: command-instead-of-module
+    cmd: git show-ref --head --hash head
+  args:
+    chdir: "{{ ansible_user_dir }}/src/github.com/openstack-k8s-operators/edpm-image-builder"
+  register: git_head_out
+
+- name: Set pr_sha to be used as image tag
+  ansible.builtin.set_fact:
+    pr_sha: "{{ git_head_out.stdout | trim }}"
+    cacheable: true
+
+- name: Build edpm and ipa images
+  ansible.builtin.include_role:
+    name: edpm_build_images
+  vars:
+    cifmw_edpm_build_images_via_rpm: false
+    cifmw_edpm_build_images_tag: "{{ pr_sha }}"
+    cifmw_edpm_build_images_push_container_images: true
+    cifmw_edpm_build_images_push_registry: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001"
+    cifmw_edpm_build_images_push_registry_namespace: ""
+    cifmw_edpm_build_images_bootc_repo: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/edpm-bootc"
+
+- name: Set build images output
+  ansible.builtin.set_fact:
+    cifmw_build_images_output: >-
+      {{
+        {
+          'images': {}
+        }
+        |
+        combine(
+          {
+            'images': {
+              'edpm-hardened-uefi': {
+                'image': (cifmw_rp_registry_ip | default('localhost')) ~ ':5001/edpm-hardened-uefi:' ~ pr_sha
+              }
+            }
+          }
+          if (
+            (
+              cifmw_edpm_build_images_hardened_uefi | default(false) | bool
+            ) or (
+              cifmw_edpm_build_images_all | default(true) | bool
+            )
+          ) and (
+            cifmw_edpm_build_images_hardened_uefi_package | default(true) | bool
+          )
+          else {},
+          recursive=true
+        )
+        |
+        combine(
+          {
+            'images': {
+              'ironic-python-agent': {
+                'image': (cifmw_rp_registry_ip | default('localhost')) ~ ':5001/ironic-python-agent:' ~ pr_sha
+              }
+            }
+          }
+          if (
+            (
+              cifmw_edpm_build_images_ironic_python_agent | default(false) | bool
+            ) or (
+              cifmw_edpm_build_images_all | default(true) | bool
+            )
+          ) and (
+            cifmw_edpm_build_images_ironic_python_agent_package | default(true) | bool
+          )
+          else {},
+          recursive=true
+        )
+        |
+        combine(cifmw_edpm_build_images_bootc_output | default({}), recursive=true)
+      }}
+    cacheable: true

ci/playbooks/edpm_build_images/edpm_build_images_content_provider.yaml

@@ -7,50 +7,8 @@
       ansible.builtin.include_role:
         name: registry_deploy
 
-    - name: Call repo setup
-      ansible.builtin.import_role:
-        name: repo_setup
-      vars:
-        cifmw_repo_setup_output: "/etc/yum.repos.d/"
-
-    - name: Get latest commit when no PR is provided
-      ansible.builtin.command:  # noqa: command-instead-of-module
-        cmd: git show-ref --head --hash head
-      args:
-        chdir: "{{ ansible_user_dir }}/src/github.com/openstack-k8s-operators/edpm-image-builder"
-      register: git_head_out
-
-    - name: Set pr_sha to be used as image tag
-      ansible.builtin.set_fact:
-        pr_sha: "{{ git_head_out.stdout | trim }}"
-        cacheable: true
-
-    - name: Build edpm and ipa images
-      ansible.builtin.include_role:
-        name: edpm_build_images
-      vars:
-        cifmw_edpm_build_images_tag: "{{ pr_sha }}"
-
-    - name: Push edpm-hardened-uefi image to registry
-      containers.podman.podman_image:
-        name: "{{ item }}"
-        push_args:
-          dest: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/{{ item }}:{{ pr_sha }}"
-        tag: "{{ pr_sha }}"
-        push: true
-      loop:
-        - edpm-hardened-uefi
-        - ironic-python-agent
-
-    - name: Set build images output
-      ansible.builtin.set_fact:
-        cifmw_build_images_output:
-          images:
-            edpm-hardened-uefi:
-              image: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/edpm-hardened-uefi:{{ pr_sha }}"
-            ironic-python-agent:
-              image: "{{ cifmw_rp_registry_ip | default('localhost') }}:5001/ironic-python-agent:{{ pr_sha }}"
-        cacheable: true
+    - name: Build content provider images
+      ansible.builtin.import_tasks: "{{ playbook_dir }}/content_provider_tasks.yml"
 
     - name: Get the containers list from container registry
       ansible.builtin.uri:

ci/templates/projects.yaml

@@ -7,6 +7,7 @@
     name: openstack-k8s-operators/ci-framework
     templates:
       - podified-multinode-edpm-ci-framework-pipeline
+      - podified-multinode-edpm-baremetal-bootc-pipeline
       - data-plane-adoption-ci-framework-pipeline
       - whitebox-neutron-tempest-plugin-podified-pipeline
     github-check:

roles/edpm_build_images/defaults/main.yml

@@ -36,8 +36,17 @@ cifmw_edpm_build_images_elements:
 cifmw_edpm_build_images_all: true
 cifmw_edpm_build_images_hardened_uefi: false
 cifmw_edpm_build_images_ironic_python_agent: false
+cifmw_edpm_build_images_bootc: false
 cifmw_edpm_build_images_hardened_uefi_package: true
 cifmw_edpm_build_images_ironic_python_agent_package: true
+cifmw_edpm_build_images_bootc_repo: "{{ cifmw_edpm_build_images_push_registry }}/edpm-bootc"
+cifmw_edpm_build_images_bootc_repo_path: "{{ cifmw_edpm_image_builder_repo_path }}/bootc"
+cifmw_edpm_build_images_bootc_base_image: "quay.io/centos-bootc/centos-bootc:stream9"
+cifmw_edpm_build_images_bootc_builder_image: "quay.io/centos-bootc/bootc-image-builder:latest"
+cifmw_edpm_build_images_bootc_qcow2_name: "edpm-bootc.qcow2"
+cifmw_edpm_build_images_bootc_rhsm_script: "empty.sh"
+cifmw_edpm_build_images_bootc_fips: "1"
+cifmw_edpm_build_images_bootc_user_packages: ""
 cifmw_edpm_build_images_dib_yum_repo_conf_centos:
   - /etc/yum.repos.d/*
 cifmw_edpm_build_images_dib_yum_repo_conf_rhel:

roles/edpm_build_images/tasks/bootc.yml

@@ -0,0 +1,118 @@
+---
+- name: Ensure bootc output directories exist
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ cifmw_edpm_build_images_bootc_repo_path }}/output"
+    - "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d"
+
+- name: Discover repo files for bootc build
+  ansible.builtin.find:
+    paths: /etc/yum.repos.d
+    file_type: file
+    recurse: false
+  register: cifmw_edpm_build_images_bootc_repo_files
+
+- name: Copy repo files for bootc build
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d/{{ item.path | basename }}"
+    remote_src: true
+    mode: "0644"
+  loop: "{{ cifmw_edpm_build_images_bootc_repo_files.files }}"
+  loop_control:
+    label: "{{ item.path | basename }}"
+
+- name: Build bootc container image
+  become: true
+  args:
+    chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}"
+  ansible.builtin.shell: >-
+    buildah bud
+    --network host
+    --build-arg EDPM_BASE_IMAGE={{ cifmw_edpm_build_images_bootc_base_image }}
+    --build-arg RHSM_SCRIPT={{ cifmw_edpm_build_images_bootc_rhsm_script }}
+    --build-arg FIPS={{ cifmw_edpm_build_images_bootc_fips }}
+    --build-arg USER_PACKAGES={{ cifmw_edpm_build_images_bootc_user_packages }}
+    --volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro,Z
+    --volume {{ cifmw_edpm_build_images_bootc_repo_path }}/output/yum.repos.d:/etc/yum.repos.d:rw,Z
+    -f ./Containerfile
+    -t localhost/edpm-bootc:{{ cifmw_edpm_build_images_tag }}
+    . > {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_image_build.log
+    2> {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_image_build_err.log
+
+- name: Generate bootc qcow2 image
+  become: true
+  args:
+    chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}"
+  ansible.builtin.shell: >-
+    podman run --rm --privileged
+    --security-opt label=type:unconfined_t
+    -v ./output:/output
+    -v /var/lib/containers/storage:/var/lib/containers/storage
+    {{ cifmw_edpm_build_images_bootc_builder_image }}
+    --type qcow2
+    --local
+    localhost/edpm-bootc:{{ cifmw_edpm_build_images_tag }}
+    > {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_build.log
+    2> {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_build_err.log
+
+- name: Rename generated bootc qcow2 image
+  become: true
+  ansible.builtin.command:
+    cmd: >-
+      mv
+      {{ cifmw_edpm_build_images_bootc_repo_path }}/output/qcow2/disk.qcow2
+      {{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}
+    creates: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}"
+    removes: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/qcow2/disk.qcow2"
+
+- name: Get bootc qcow2 checksum
+  ansible.builtin.stat:
+    path: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}"
+    checksum_algorithm: sha256
+  register: cifmw_edpm_build_images_bootc_qcow2_stat
+
+- name: Write bootc qcow2 checksum file
+  ansible.builtin.copy:
+    dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/{{ cifmw_edpm_build_images_bootc_qcow2_name }}.sha256"
+    content: >-
+      {{ cifmw_edpm_build_images_bootc_qcow2_stat.stat.checksum }}  ./{{ cifmw_edpm_build_images_bootc_qcow2_name }}
+    mode: "0644"
+
+- name: Copy bootc qcow2 packaging helper files
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    remote_src: true
+    mode: "{{ item.mode }}"
+  loop:
+    - src: "{{ cifmw_edpm_image_builder_repo_path }}/copy_out.sh"
+      dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/copy_out.sh"
+      mode: "0755"
+    - src: "{{ cifmw_edpm_image_builder_repo_path }}/Containerfile.image"
+      dest: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output/Containerfile.image"
+      mode: "0644"
+
+- name: Package bootc qcow2 image inside container image
+  become: true
+  args:
+    chdir: "{{ cifmw_edpm_build_images_bootc_repo_path }}/output"
+  ansible.builtin.command:
+    cmd: >-
+      buildah bud -f ./Containerfile.image
+      -t edpm-bootc:{{ cifmw_edpm_build_images_tag }}-qcow2
+      --build-arg IMAGE_NAME=edpm-bootc
+      --build-arg BASE_IMAGE={{ cifmw_edpm_build_images_base_image }}
+      --logfile {{ cifmw_edpm_build_images_basedir }}/logs/edpm_images/edpm_bootc_qcow2_container_package.log
+
+- name: Set bootc build images output
+  ansible.builtin.set_fact:
+    cifmw_edpm_build_images_bootc_output:
+      images:
+        edpm-bootc-qcow2:
+          image: "{{ cifmw_edpm_build_images_bootc_repo }}:{{ cifmw_edpm_build_images_tag }}-qcow2"
+    cacheable: true

roles/edpm_build_images/tasks/install.yml

@@ -6,6 +6,13 @@
     - cifmw_edpm_build_images_via_rpm
     - not cifmw_edpm_build_images_dry_run
 
+- name: Add bootc host packages when needed
+  ansible.builtin.set_fact:
+    cifmw_edpm_build_images_host_packages: "{{ cifmw_edpm_build_images_host_packages + ['podman', 'osbuild-selinux'] }}"
+  when:
+    - cifmw_edpm_build_images_bootc | bool
+    - not cifmw_edpm_build_images_dry_run
+
 - name: Install required packages
   when:
     - not cifmw_edpm_build_images_dry_run

roles/edpm_build_images/tasks/main.yml

@@ -47,6 +47,10 @@
 - name: Package build images inside container image
   ansible.builtin.import_tasks: package.yml
 
+- name: Build bootc images
+  when: cifmw_edpm_build_images_bootc | bool
+  ansible.builtin.import_tasks: bootc.yml
+
 - name: Push container images to quay.rdoproject.org
   when: cifmw_edpm_build_images_push_container_images | bool
   ansible.builtin.import_tasks: post.yaml