Openshift sandboxed containers / KATA-3133

We must enable hermetic builds before releasing


    • Type: Story
    • Resolution: Duplicate
    • Priority: Medium
    • Product / Portfolio Work
    • 5
    • Kata Sprint #268

      We need to follow the Konflux doc to enable hermetic builds.
      But a prerequisite is to make sure we can prefetch all dependencies.

      As always, the devil is in the details, and we may face issues like we had with CPaaS, forcing us to use git submodules, or modify the default (upstream) Makefile and/or Dockerfile. Those problems will show up as we enable hermetic builds for each of our images.

      Prefetching dependencies

      Go and Rust

      According to the documentation, we "just" need to declare the prefetch-input parameter, as we already have go.mod and Cargo.lock files.

      See here
      With (very limited) prerequisites for Go and Rust

      RPMs

      In addition to the prefetch-input declaration, we have to follow these steps

      In summary: we need to create some files that list the RPMs we want to install, using the rpm-lockfile-prototype tool.
      This will let cachi2 (Hermeto?) know which RPMs we need, pinning them to a specific version, so that it lets us install them (but nothing else).

      There may be some caveats

      NOTE: The rpm-lockfile-prototype and the rpm package manager for cachi2 are not fully supported. You can use them to prefetch rpms for your hermetic builds, but the file format and technology may change in the future. If you’re interested in the future of this topic, join the discussion at rpm-software-management/dnf5#833.
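
      The two declarations described above, sketched as an added example that is not part of the original ticket or the project's own configuration: the PipelineRun parameters that turn on network-isolated builds and list what to prefetch, and the `rpms.in.yaml` input that rpm-lockfile-prototype resolves into a pinned `rpms.lock.yaml`. File locations, module paths, the repo file and the package name are placeholders.

```yaml
# File 1 (assumed location): the component's PipelineRun under .tekton/, params excerpt
spec:
  params:
    # Build step runs without network access, so only prefetched content can be installed.
    - name: hermetic
      value: "true"
    # One entry per package manager and source directory.
    # gomod reads go.mod/go.sum, cargo reads Cargo.lock, rpm reads rpms.lock.yaml.
    # Paths are placeholders, not the repository's real layout.
    - name: prefetch-input
      value: '[{"type": "gomod", "path": "path/to/go-module"}, {"type": "cargo", "path": "path/to/rust-crate"}, {"type": "rpm", "path": "."}]'
---
# File 2: rpms.in.yaml, the input to rpm-lockfile-prototype.
# Running the tool against it writes rpms.lock.yaml, which pins each RPM
# (and its resolved dependencies) to an exact version and checksum.
contentOrigin:
  repofiles:
    - ./ubi.repo            # placeholder: repo definitions the RPMs may come from
packages:
  - example-package         # placeholder: list only what the image actually installs
arches:
  - x86_64
context:
  # Resolve against the base image named in this file so already-present
  # packages are taken into account.
  containerfile: Dockerfile
```

      Both `rpms.in.yaml` and the generated `rpms.lock.yaml` are committed next to the Dockerfile, so a change to the pinned set shows up as a reviewable diff.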

              jrope Julien ROPE
              beraldoleal Beraldo Leal