Story
Resolution: Done
Sprints: MCO Sprint 268, MCO Sprint 269, MCO Sprint 270, MCO Sprint 271, MCO Sprint 272
To make the OCL build process more consistent, and to let it work in a disconnected environment, we should inject the contents of the /etc/containers directory into the builder pod, so that image pulls made during the build follow the same registry mirrors and signature policy as the node. These files are managed by the container-runtime-config controller, which creates the 01-<poolname>-container-runtime and 99-<poolname>-generated-registries MachineConfigs; both get combined into the current rendered MachineConfig:

$ oc get mc/01-master-container-runtime -o yaml | yq '.spec.config.storage.files[].path'
/etc/containers/registries.conf
/etc/crio/crio.conf.d/00-default
/etc/machine-config-daemon/policy-for-old-podman.json
/etc/containers/policy.json

$ oc get mc/99-master-generated-registries -o yaml | yq '.spec.config.storage.files[].path'
/etc/containers/policy.json
/etc/containers/registries.d/sigstore-registries.yaml

$ oc get mc/rendered-master-e672503185ad8192879e51af6c867d3b -o yaml | yq '.spec.config.storage.files[].path' | grep "/etc/containers"
/etc/containers/storage.conf
/etc/containers/registries.conf
/etc/containers/policy.json
/etc/containers/registries.d/sigstore-registries.yaml
As an implementation detail, the most straightforward approach would be for the BuildRequest object to read the relevant files out of the current rendered MachineConfig and create an ephemeral ConfigMap that is mounted into the build pod. The builder script may then need to copy those files into place or adjust their SELinux context before starting the build, since that was needed for the /etc/pki/entitlements functionality to work. That step might turn out to be unnecessary here: the entitlement files were passed through into the build context, whereas /etc/containers is configuration for Buildah itself.
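The extraction step above, written out as an added example in Go (this is illustrative code, not part of the MCO or its BuildRequest implementation). It parses the Ignition config embedded in a rendered MachineConfig, decodes the data: URLs that Ignition uses for file contents (both the percent-encoded and the base64 form), keeps only files under /etc/containers, and returns them keyed the way a ConfigMap needs them. The struct subset, the key-mangling convention (slashes in the path become "__"), the skip set used to hold back storage.conf while that question is open, and the sample rendered MachineConfig are all assumptions made for this example:

```go
// Added example, not MCO code: pull /etc/containers/* out of a rendered
// MachineConfig and shape the files as ConfigMap data for the build pod.
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Minimal subset of the Ignition schema carried under .spec.config; only the
// fields this example reads (assumed layout, matching the yq paths above).
type ignFile struct {
	Path     string `json:"path"`
	Contents struct {
		Source string `json:"source"`
	} `json:"contents"`
}

type machineConfig struct {
	Spec struct {
		Config struct {
			Storage struct {
				Files []ignFile `json:"files"`
			} `json:"storage"`
		} `json:"config"`
	} `json:"spec"`
}

// decodeDataURL handles the two encodings Ignition emits for file contents:
// "data:,<percent-encoded>" and "data:text/plain;charset=utf-8;base64,<b64>".
func decodeDataURL(src string) ([]byte, error) {
	if !strings.HasPrefix(src, "data:") {
		return nil, fmt.Errorf("not a data URL: %q", src)
	}
	meta, payload, ok := strings.Cut(strings.TrimPrefix(src, "data:"), ",")
	if !ok {
		return nil, fmt.Errorf("malformed data URL: %q", src)
	}
	if strings.HasSuffix(meta, ";base64") {
		return base64.StdEncoding.DecodeString(payload)
	}
	s, err := url.PathUnescape(payload)
	if err != nil {
		return nil, err
	}
	return []byte(s), nil
}

// configMapKey maps a path under /etc/containers to a legal ConfigMap key
// (keys may not contain "/"); assumed convention: "/" becomes "__".
func configMapKey(path string) string {
	return strings.ReplaceAll(strings.TrimPrefix(path, "/etc/containers/"), "/", "__")
}

// ExtractContainersConfig returns the decoded /etc/containers files from a
// rendered MachineConfig JSON document, keyed by ConfigMap key. Paths outside
// /etc/containers and any path listed in skip are left out.
func ExtractContainersConfig(mcJSON []byte, skip map[string]bool) (map[string]string, error) {
	var mc machineConfig
	if err := json.Unmarshal(mcJSON, &mc); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, f := range mc.Spec.Config.Storage.Files {
		if !strings.HasPrefix(f.Path, "/etc/containers/") || skip[f.Path] {
			continue
		}
		body, err := decodeDataURL(f.Contents.Source)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Path, err)
		}
		out[configMapKey(f.Path)] = string(body)
	}
	return out, nil
}

// Constructed sample contents (not taken from any real cluster).
const SamplePolicyJSON = `{"default":[{"type":"reject"}]}`
const SampleRegistriesConf = "unqualified-search-registries = [\"registry.access.redhat.com\"]\n"

// SampleRenderedMC builds a constructed rendered MachineConfig that mirrors the
// file list shown in the ticket, mixing base64 and percent-encoded contents.
func SampleRenderedMC() []byte {
	b64 := func(s string) string {
		return "data:text/plain;charset=utf-8;base64," + base64.StdEncoding.EncodeToString([]byte(s))
	}
	file := func(path, source string) ignFile {
		f := ignFile{Path: path}
		f.Contents.Source = source
		return f
	}
	var mc machineConfig
	mc.Spec.Config.Storage.Files = []ignFile{
		file("/etc/containers/storage.conf", b64("[storage]\ndriver = \"overlay\"\n")),
		file("/etc/containers/registries.conf", "data:,unqualified-search-registries%20%3D%20%5B%22registry.access.redhat.com%22%5D%0A"),
		file("/etc/containers/policy.json", b64(SamplePolicyJSON)),
		file("/etc/containers/registries.d/sigstore-registries.yaml", b64("docker:\n  registry.redhat.io:\n    sigstore: https://registry.redhat.io/containers/sigstore\n")),
		file("/etc/crio/crio.conf.d/00-default", b64("[crio]\n")),
	}
	out, _ := json.Marshal(mc)
	return out
}

func main() {
	data, err := ExtractContainersConfig(SampleRenderedMC(), map[string]bool{"/etc/containers/storage.conf": true})
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s (%d bytes)\n", k, len(data[k]))
	}
}
```

When the ConfigMap is mounted into the build pod, the "__" keys have to be mapped back to their real relative paths (a ConfigMap volume's items[].path may contain subdirectories, so registries.d/sigstore-registries.yaml can land in the right place without a copy step), and the whole ConfigMap stays under the 1 MiB object limit, which these files comfortably do. Keeping storage.conf in the skip set until the open question is settled avoids pointing Buildah in the pod at the node's overlay driver settings.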
Unknowns at the time of this writing:
- Should the ContainerRuntimeConfig be considered as part of this?
- Is /etc/containers/storage.conf appropriate to inject into the builder pod?
Done When:
- The contents of /etc/containers are mounted into the builder pod.
- The unknowns are resolved and additional files, if any, are injected into the builder pod.