lix/releng/docker.xsh

import json
import logging
from pathlib import Path
import tempfile

import requests

from .environment import DockerTarget, RelengEnvironment
from .version import VERSION, MAJOR
from . import gitutils
from .docker_assemble import Registry, OCIIndex, OCIIndexItem
from . import docker_assemble

log = logging.getLogger(__name__)
log.setLevel(logging.INFO)

def check_all_logins(env: RelengEnvironment):
    for target in env.docker_targets:
        check_login(target)

def check_login(target: DockerTarget):
    log.info('Checking login for %s', target.registry_name)
    skopeo login @(target.registry_name())

def upload_docker_images(target: DockerTarget, paths: list[Path]):
    if not paths: return

    sess = requests.Session()
    sess.headers['User-Agent'] = 'lix-releng'

    tag_names = [DockerTarget.resolve(tag, version=VERSION, major=MAJOR) for tag in target.tags]

    # latest only gets tagged for the current release branch of Lix
    if not gitutils.is_maintenance_branch('HEAD'):
        tag_names.append('latest')

    meta = {}

    reg = docker_assemble.Registry(sess)
    manifests = []

    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        for path in paths:
            digest_file = tmp / (path.name + '.digest')

            inspection = json.loads($(skopeo inspect docker-archive:@(path)))

            docker_arch = inspection['Architecture']
            docker_os = inspection['Os']
            meta = inspection['Labels']

            log.info('Pushing image %s for %s to %s', path, docker_arch, target.registry_path)

            # insecure-policy: we don't have any signature policy, we are just uploading an image
            skopeo --insecure-policy copy --digestfile @(digest_file) --all docker-archive:@(path) f'docker://{target.registry_path}@@unknown-digest@@'
            digest = digest_file.read_text().strip()

            # skopeo doesn't give us the manifest size directly, so we just ask the registry
            metadata = reg.image_info(target.registry_path, digest)

            manifests.append(OCIIndexItem(metadata=metadata, architecture=docker_arch, os=docker_os))

    log.info('Pushed images to %r, building a bigger and more menacing manifest from %r with metadata %r', target, manifests, meta)
    # send the multiarch manifest to each tag
    index = OCIIndex(manifests=manifests, annotations=meta)
    for tag in tag_names:
        reg.upload_index(target.registry_path, tag, index)
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00			`import json`
			`import logging`
Implement docker upload in the releng tools This uses skopeo to not think about docker daemons. I, however, noticed that the docker image we had would have totally terrible cache hits, so I rewrote it. Fixes: https://git.lix.systems/lix-project/lix/issues/252 Change-Id: I3c5b6c1f3ba0b9dfcac212b2148f390e0cd542b7 2024-06-07 05:28:49 +00:00			`from pathlib import Path`
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00			`import tempfile`

			`import requests`

			`from .environment import DockerTarget, RelengEnvironment`
			`from .version import VERSION, MAJOR`
			`from . import gitutils`
			`from .docker_assemble import Registry, OCIIndex, OCIIndexItem`
			`from . import docker_assemble`

			`log = logging.getLogger(__name__)`
			`log.setLevel(logging.INFO)`
Implement docker upload in the releng tools This uses skopeo to not think about docker daemons. I, however, noticed that the docker image we had would have totally terrible cache hits, so I rewrote it. Fixes: https://git.lix.systems/lix-project/lix/issues/252 Change-Id: I3c5b6c1f3ba0b9dfcac212b2148f390e0cd542b7 2024-06-07 05:28:49 +00:00
			`def check_all_logins(env: RelengEnvironment):`
			`for target in env.docker_targets:`
			`check_login(target)`

			`def check_login(target: DockerTarget):`
releng: fix upload of multiarch images to forgejo Forgejo appears to immediately delete registry content that is overwritten. This means that we are forced to delete our previous workaround of making a temporary tag and use a new, more absurd workaround of making an entire temporary image that we basically only need to create to get its hash. However, on the plus side, the new workaround doesn't create garbage tags to begin with, which means that we don't have to deal with GitHub not implementing the standardized tag delete endpoint and instead only implementing a proprietary one. Upstream-Bug: https://github.com/containers/skopeo/issues/2354 Change-Id: I220e7ce9a17fd230c38882f12c009a166dcc9336 2024-06-14 00:04:07 +00:00			`log.info('Checking login for %s', target.registry_name)`
Implement docker upload in the releng tools This uses skopeo to not think about docker daemons. I, however, noticed that the docker image we had would have totally terrible cache hits, so I rewrote it. Fixes: https://git.lix.systems/lix-project/lix/issues/252 Change-Id: I3c5b6c1f3ba0b9dfcac212b2148f390e0cd542b7 2024-06-07 05:28:49 +00:00			`skopeo login @(target.registry_name())`

releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00			`def upload_docker_images(target: DockerTarget, paths: list[Path]):`
			`if not paths: return`

			`sess = requests.Session()`
			`sess.headers['User-Agent'] = 'lix-releng'`

			`tag_names = [DockerTarget.resolve(tag, version=VERSION, major=MAJOR) for tag in target.tags]`

			`# latest only gets tagged for the current release branch of Lix`
			`if not gitutils.is_maintenance_branch('HEAD'):`
			`tag_names.append('latest')`

			`meta = {}`

			`reg = docker_assemble.Registry(sess)`
			`manifests = []`

			`with tempfile.TemporaryDirectory() as tmp:`
			`tmp = Path(tmp)`

			`for path in paths:`
			`digest_file = tmp / (path.name + '.digest')`
releng: fix upload of multiarch images to forgejo Forgejo appears to immediately delete registry content that is overwritten. This means that we are forced to delete our previous workaround of making a temporary tag and use a new, more absurd workaround of making an entire temporary image that we basically only need to create to get its hash. However, on the plus side, the new workaround doesn't create garbage tags to begin with, which means that we don't have to deal with GitHub not implementing the standardized tag delete endpoint and instead only implementing a proprietary one. Upstream-Bug: https://github.com/containers/skopeo/issues/2354 Change-Id: I220e7ce9a17fd230c38882f12c009a166dcc9336 2024-06-14 00:04:07 +00:00
releng: Remove workaround for skopeo feature we didn't know about It turns out skopeo does support not saying the tag, but I couldn't find it in the docs. Asking the author in https://github.com/containers/skopeo/issues/2354 yielded that this can be requested as `@@unknown-digest@@`. So now we have a perfectly cromulent docker upload chain, yay!! Change-Id: I256f3cbeef4fe28b3d68d0dda57f02cdaee3996b 2024-06-28 20:56:11 +00:00			`inspection = json.loads($(skopeo inspect docker-archive:@(path)))`
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00
			`docker_arch = inspection['Architecture']`
			`docker_os = inspection['Os']`
			`meta = inspection['Labels']`

releng: add prod environment, ready for release I am reasonably confident that this releng infrastructure can actually build a Lix 2.90 and release it successfully. Let's make it possible to do, and add some cute colours to the confirmation message. Change-Id: I85e498b6fb49ffc5e75c0a72c5e45fb1f69030d3 2024-06-09 08:26:21 +00:00			`log.info('Pushing image %s for %s to %s', path, docker_arch, target.registry_path)`
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00
releng: Remove workaround for skopeo feature we didn't know about It turns out skopeo does support not saying the tag, but I couldn't find it in the docs. Asking the author in https://github.com/containers/skopeo/issues/2354 yielded that this can be requested as `@@unknown-digest@@`. So now we have a perfectly cromulent docker upload chain, yay!! Change-Id: I256f3cbeef4fe28b3d68d0dda57f02cdaee3996b 2024-06-28 20:56:11 +00:00			`# insecure-policy: we don't have any signature policy, we are just uploading an image`
			`skopeo --insecure-policy copy --digestfile @(digest_file) --all docker-archive:@(path) f'docker://{target.registry_path}@@unknown-digest@@'`
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00			`digest = digest_file.read_text().strip()`

			`# skopeo doesn't give us the manifest size directly, so we just ask the registry`
			`metadata = reg.image_info(target.registry_path, digest)`

			`manifests.append(OCIIndexItem(metadata=metadata, architecture=docker_arch, os=docker_os))`

releng: add prod environment, ready for release I am reasonably confident that this releng infrastructure can actually build a Lix 2.90 and release it successfully. Let's make it possible to do, and add some cute colours to the confirmation message. Change-Id: I85e498b6fb49ffc5e75c0a72c5e45fb1f69030d3 2024-06-09 08:26:21 +00:00			`log.info('Pushed images to %r, building a bigger and more menacing manifest from %r with metadata %r', target, manifests, meta)`
releng: support multiarch docker images If we don't want to have separate registry tags by architecture (EWWWW), we need to be able to build multiarch docker images. This is pretty simple, and just requires making a manifest pointing to each of the component images. I was going to just do this API prodding with manifest-tool, but it doesn't support putting metadata on the outer manifest, which is actually kind of a problem because it then doesn't render the metadata on github. So I guess we get a simple little containers API implementation that is 90% auth code. Change-Id: I8bdd118d4cbc13b23224f2fb174b232432686bea 2024-06-09 07:27:06 +00:00			`# send the multiarch manifest to each tag`
			`index = OCIIndex(manifests=manifests, annotations=meta)`
			`for tag in tag_names:`
			`reg.upload_index(target.registry_path, tag, index)`