Hermetic builds in Konflux
Issue type: Epic
Resolution: Done
Priority: Medium
Work type: Product / Portfolio Work
Status: In Progress
Parent initiative: KATA-2420 - [initiative] OSC release using Konflux (RHTAP)
Progress: 0% To Do, 0% In Progress, 100% Done
Epic Goal
- As part of the move to Konflux, our images have to be built in isolation from the network. This creates some problems during builds and requires careful work for each separate image.
Why is this important?
- Hermetic builds are a requirement for releasing OSC.
How to do it?
We need to follow the Konflux documentation to enable hermetic builds.
A prerequisite is to make sure we can pre-fetch all dependencies, since nothing can be downloaded once the build runs without network access.
As always, the devil is in the details, and we may face issues like we had with CPaaS, forcing us to use git submodules, or to modify the default (upstream) Makefile and/or Dockerfile. Those problems will show up as we enable hermetic builds for each of our images.
Prefetching dependencies
Go and rust
According to the documentation, we "just" need to declare the prefetch-input parameter, as we already have go.mod and Cargo.lock files.
See the Konflux documentation, which lists the (very limited) prerequisites for Go and Rust.
RPMs
In addition to the prefetch-input declaration, we have to follow the steps in the Konflux documentation.
In summary: we need to create files that list the RPMs we want to install, using the rpm-lockfile-prototype tool.
This lets cachi2 (Hermeto?) know which RPMs we need, pinned to a specific version, so that it lets us install those (but nothing else).
For packages that require a subscription, we need to follow additional steps to generate the lockfile.
See https://konflux.pages.redhat.com/docs/users/building/activation-keys-subscription.html#hermetic-network-isolated-builds
There may be some caveats.
NOTE: The rpm-lockfile-prototype and the rpm package manager for cachi2 are not fully supported. You can use them to prefetch rpms for your hermetic builds, but the file format and technology may change in the future. If you're interested in the future of this topic, join the discussion at rpm-software-management/dnf5#833.
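As an added illustration of the two declarations described above (this is example configuration written for this Epic, not taken from the Konflux documentation or from any OSC repository), the fragment below shows the `hermetic` and `prefetch-input` parameters on a Konflux build PipelineRun, followed by a sample `rpms.in.yaml` for `rpm-lockfile-prototype`. The parameter names are the ones the Konflux build pipeline uses; the PipelineRun name, output image, repo file, package list and base image are constructed placeholders, and the `rpms.in.yaml` keys are assumed from the rpm-lockfile-prototype input format rather than from this page.

```yaml
# Added example: parameters of a Konflux build PipelineRun for a hermetic build.
# Parameter names are Konflux's; the PipelineRun name and image are placeholders.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: example-image-on-push          # placeholder
spec:
  params:
    - name: output-image
      value: quay.io/example-org/example-image:latest   # placeholder
    # Run the build step with network access disabled.
    - name: hermetic
      value: "true"
    # One entry per dependency manager cachi2 must prefetch before the build.
    # go.mod/go.sum, Cargo.lock and rpms.lock.yaml must already be committed,
    # because anything not listed there is unreachable during the build.
    - name: prefetch-input
      value: '[{"type": "gomod"}, {"type": "cargo"}, {"type": "rpm"}]'
---
# Added example: rpms.in.yaml, the input of rpm-lockfile-prototype.
# `rpm-lockfile-prototype rpms.in.yaml` writes rpms.lock.yaml, which pins each
# listed package and its dependencies to an exact version and checksum; cachi2
# then serves only those packages to the isolated build.
contentOrigin:
  repofiles:
    - ./ubi.repo          # .repo file naming the allowed repositories (placeholder)
packages:                 # constructed list; use what the Dockerfile actually installs
  - gcc
  - make
arches:                   # one resolution per target architecture
  - x86_64
  - aarch64
context:
  image: registry.access.redhat.com/ubi9/ubi:latest   # base image already present in the build
```

Re-run `rpm-lockfile-prototype` and commit the regenerated `rpms.lock.yaml` whenever the package list, the repo file or the base image changes; otherwise the hermetic build fails at `dnf install` because the missing package is not in the prefetched set. For packages that need a subscription, the repo file and activation-key setup come from the Konflux page linked above.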
Acceptance Criteria
All images we ship must be built in isolation, OR an exception is given by Prodsec/management.
Additional context:
This Epic is created from https://issues.redhat.com/browse/KATA-3133, and moved out of https://issues.redhat.com/browse/KATA-2351, because we need several stories just for it.
Issue links: is duplicated by KATA-3133 We must enable hermetic builds before releasing (Closed)