Project: Openshift sandboxed containers
KATA-3795

Enable hermetic builds for OSC in Konflux

    • Type: Epic
    • Resolution: Done
    • Priority: Medium
    • Fix Version: OSC 1.10.0
    • Epic Name: Hermetic builds in Konflux
    • Product / Portfolio Work
    • Status: In Progress
    • Parent: KATA-2420 - [initiative] OSC release using Konflux (RHTAP)
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • As part of the move to Konflux, our images have to be built in isolation from the network. This creates some problems during builds and requires careful work for each separate image.

      Why is this important?

      • Hermetic builds are a requirement for releasing OSC.

      How to do it?

      We need to follow the Konflux documentation to enable hermetic builds.
      A pre-requisite is to make sure we can pre-fetch all dependencies, since nothing can be downloaded once the build runs without network access.

      As always, the devil is in the details, and we may face issues like we had with CPaaS, forcing us to use git submodules, or modify the default (upstream) Makefile and/or Dockerfile. Those problems will show up as we enable hermetic builds for each of our images.

      Prefetching dependencies

      Go and rust

      According to the documentation, we "just" need to declare the prefetch-input parameter, as we already have go.mod and Cargo.lock files.

      See the Konflux prefetching documentation, which lists (very limited) pre-requisites for Go and Rust.

      RPMs

      In addition to the prefetch-input declaration, we have to follow the documented steps for RPM prefetching.

      In summary: we need to create some files that list the RPMs we want to install, using the rpm-lockfile-prototype tool.
      This will let cachi2 (Hermeto?) know which RPMs we need, pinning them to a specific version, so that it lets us install them (but nothing else).

      For packages that require a subscription, we need to follow additional steps to generate the lockfile.
      See https://konflux.pages.redhat.com/docs/users/building/activation-keys-subscription.html#hermetic-network-isolated-builds
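      As an added illustration (not taken from this epic, the OSC repositories or the Konflux docs), here are the two pieces the steps above call for when one image builds Go and Rust code and installs RPMs: the PipelineRun parameters that switch on hermetic mode and declare the prefetch inputs, and a constructed rpms.in.yaml for rpm-lockfile-prototype. The component name, package names, repo file and arches are placeholders; the "cargo" prefetch type assumes the cachi2/Hermeto Cargo support the text relies on, and the rpms.in.yaml keys are assumed from the prototype's input format and should be checked against the tool's README.

```yaml
# File: .tekton/<component>-pull-request.yaml (added example, placeholder names)
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: <component>-on-pull-request
spec:
  params:
    # The build step runs with the network cut; only prefetched content is reachable.
    - name: hermetic
      value: "true"
    # One entry per dependency source. "path" is relative to the repo root and must
    # point at the directory holding go.mod / Cargo.lock / rpms.lock.yaml respectively.
    # Anything not listed here (a curl in the Dockerfile, a go get at build time)
    # fails under hermetic mode, which is how the isolation is enforced.
    - name: prefetch-input
      value: '[{"type": "gomod", "path": "."},
               {"type": "cargo", "path": "."},
               {"type": "rpm", "path": "."}]'
---
# File: rpms.in.yaml (constructed; keys assumed from the rpm-lockfile-prototype format)
# Run: rpm-lockfile-prototype rpms.in.yaml
# This writes rpms.lock.yaml, which pins every RPM (and its dependency closure) to
# an exact NEVRA; commit that lockfile, since the "rpm" prefetch type consumes it
# and the build may install only what it lists.
packages:
  - device-mapper-devel     # placeholder build dependency
  - protobuf-compiler       # placeholder build dependency
contentOrigin:
  repofiles:
    - ./ubi.repo            # placeholder repo file; subscription-only content needs
                            # the activation-key flow linked above, not a plain repo file
arches:
  - x86_64
  - aarch64
```

Re-run the prototype and commit the refreshed rpms.lock.yaml whenever packages or repo files change; a stale lockfile surfaces as a package missing from the hermetic build rather than as a clear error.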


      There may be some caveats. The Konflux documentation notes:

      NOTE: "The rpm-lockfile-prototype and the rpm package manager for cachi2 are not fully supported. You can use them to prefetch rpms for your hermetic builds, but the file format and technology may change in the future. If you're interested in the future of this topic, join the discussion at rpm-software-management/dnf5#833."

      Acceptance Criteria

      All images we ship must be built in isolation, OR an exception is given by Prodsec/management.

      Additional context:

      This Epic is created from https://issues.redhat.com/browse/KATA-3133, and moved out of https://issues.redhat.com/browse/KATA-2351, because we need several stories just for it.

              jrope Julien ROPE