Konflux: switch to hermetic builds #4141

Open: wants to merge 3 commits into base: main from switch-to-hermetic

Conversation

jcapiitao (Member):

see commit messages

openshift-ci bot commented Jun 12, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

jcapiitao (Member Author):

This needs konflux-ci/build-definitions#2421 first

@jcapiitao jcapiitao changed the title Switch to hermetic Switch to hermetic builds Jun 12, 2025
@jcapiitao jcapiitao force-pushed the switch-to-hermetic branch from 2945ab3 to 7dccdd8 Compare June 12, 2025 10:49
Review comment on rpms.lock.yaml (outdated), by a Member:

Feels really weird to have specific mirrors hardcoded here, but I suspect those URLs are not actually used to fetch the packages but rather to record where it was cached from?

jcapiitao (Member Author) replied:

Yeah, dunno why rpm-lockfile-prototype does not have a feature that takes the repo of the base container image for the libdnf resolution. Though, they have the feature that extracts installed packages from a container image (see point 3) and determines only the necessary ones to fetch from the input file. We'll use this feature in this PR, BTW; I'm doing my experimentation with jcapiitao#13 for now.

> I suspect those URLs are not actually used to fetch the packages but rather to record where it was cached from?

Those URLs are actually used to do the libdnf resolution, and then to generate the rpms.lock.yaml file. Then you can use a CLI tool that fetches those dependencies, e.g. https://github.com/hermetoproject/hermeto .
I'll update this PR with all the explanation very soon.

@jlebon jlebon changed the title Switch to hermetic builds Konflux: switch to hermetic builds Jun 12, 2025
jlebon (Member) commented Jun 12, 2025

👍 from me. Locking cosa is something we've talked about for quite a while because it helps debugging issues. E.g. this would render coreos/coreos-ci-lib#165 obsolete.

A little concerned about the PR churn, but let's see how it goes and we can adjust strategy as needed.

@jcapiitao jcapiitao force-pushed the switch-to-hermetic branch from 7dccdd8 to 52c071f Compare June 17, 2025 14:21
@jcapiitao jcapiitao closed this Jun 18, 2025
@jcapiitao jcapiitao deleted the switch-to-hermetic branch June 18, 2025 07:45
@jcapiitao jcapiitao reopened this Jun 18, 2025
jcapiitao (Member Author):

/retest

@jcapiitao jcapiitao force-pushed the switch-to-hermetic branch 6 times, most recently from a0519f6 to d8578f6 Compare June 18, 2025 11:14
@jcapiitao jcapiitao marked this pull request as ready for review June 18, 2025 12:19
jcapiitao (Member Author):

> 👍 from me. Locking cosa is something we've talked about for quite a while because it helps debugging issues. E.g. this would render coreos/coreos-ci-lib#165 obsolete.
>
> A little concerned about the PR churn, but let's see how it goes and we can adjust strategy as needed.

You mean the PRs submitted by MintMaker (i.e. the Konflux Renovate service), or this PR?

Also, as a follow-up of this PR, I'll propose a github workflow to submit PRs automatically to update the lock YAML files.

Commit messages:

This will force Konflux to prefetch the dependencies defined in
the lock.yaml files with [1]. Then during the build, Konflux will
1. inject the repositories where the deps are stored, 2. configure
the clients to pull the deps from there, 3. build without network.

As rpm is still not fully supported [2], we have to enable
`dev-package-managers` for now in the pipeline.

All specific files enabling hermetic builds are located in the
`ci/hermetic/` folder. You can find the helper scripts that automate
the process of generating the lock YAML files, replacing the manual
steps. The automation streamlines the workflow, reduces the chance
of human error, and ensures consistency in the generated lock files.
More details can be found in the updated README.

This required adaptations to `build.sh` and the Dockerfile to support
both hermetic and non-hermetic build processes.

[1] https://github.com/konflux-ci/build-definitions/tree/main/task/prefetch-dependencies-oci-ta/0.2
[2] https://github.com/hermetoproject/hermeto?tab=readme-ov-file#package-managers

In the 'rpms.in.yaml' file, we configured the rpm lockfile CLI tool to
extract installed packages from the main Dockerfile, which uses the
standard base image of Fedora. For consistency, we have to rebase
all the container images of the project on the same image.
Otherwise, we may end up with missing packages during the build
(i.e. tzdata is available in the standard image, but not in the minimal
one, making targetcli fail as tzdata was not added to the lock
YAML file).
This is temporary while awaiting [1] to be merged and pushed to
quay.io.

[1] konflux-ci/build-definitions#2421
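The commit messages above, together with the review exchange about the hardcoded mirrors, describe the trust model of a hermetic build: the URLs in rpms.lock.yaml drive the libdnf resolution and tell the prefetch step where to fetch from, while the checksums pinned in the lock file are what the offline build actually trusts. The following is an added example, not code from coreos-assembler, Konflux, hermeto or rpm-lockfile-prototype, of the pre-flight audit a reviewer could run on a lock file before accepting a lock-update PR: it checks that every package is pinned by a sha256 digest, that every URL is https and points at an allow-listed mirror, and that no package is pinned twice, and it shows the size-plus-digest check that makes the serving mirror irrelevant to trust. The lock-file layout it assumes (lockfileVersion, arches[].arch, arches[].packages[] with url/repoid/size/checksum/name/evr) is one reading of rpm-lockfile-prototype's output and should be treated as an assumption; the package entries are constructed, not real Fedora packages, and the mirror hosts mirror.example.org and unknown.example.net are hypothetical.

```python
"""Audit an rpms.lock.yaml before handing it to a hermetic prefetch step.

Added example; not code from coreos-assembler, Konflux, hermeto or
rpm-lockfile-prototype.  The layout assumed here (lockfileVersion,
arches[].arch, arches[].packages[] with url / repoid / size / checksum /
name / evr) is an assumption about rpm-lockfile-prototype's output, and
every package entry below is constructed, not a real Fedora package."""
import hashlib
import re
from urllib.parse import urlsplit

# A pinned artifact is only trustworthy if its checksum is a strong digest.
STRONG_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def constructed_entry(name, evr, arch, host, payload, scheme="https", digest="sha256"):
    """Build a constructed lockfile entry whose checksum matches `payload`."""
    algo = hashlib.new(digest)
    algo.update(payload)
    return {
        "url": f"{scheme}://{host}/fedora/Packages/{name[0]}/{name}-{evr}.{arch}.rpm",
        "repoid": "fedora",
        "size": len(payload),
        "checksum": f"{digest}:{algo.hexdigest()}",
        "name": name,
        "evr": evr,
    }


# Constructed sample: what yaml.safe_load() of an rpms.lock.yaml would return.
TZDATA_BYTES = b"tzdata rpm bytes (constructed)"
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "lockfileVendor": "redhat",
    "arches": [
        {
            "arch": "x86_64",
            "packages": [
                # Clean entry: https, allow-listed mirror, sha256 pin.
                constructed_entry("tzdata", "2025b-1.fc42", "noarch",
                                  "mirror.example.org", TZDATA_BYTES),
                # Plain HTTP: an on-path attacker can swap the file, so the
                # digest check below is the only thing standing in the way.
                constructed_entry("targetcli", "2.1.58-4.fc42", "noarch",
                                  "mirror.example.org", b"targetcli rpm", scheme="http"),
                # Mirror nobody reviewed, and a digest we should not accept.
                constructed_entry("python3-rtslib", "2.1.76-9.fc42", "noarch",
                                  "unknown.example.net", b"rtslib rpm", digest="sha1"),
            ],
        }
    ],
}


def audit_lockfile(lock, allowed_hosts):
    """Return human-readable findings; an empty list means the lockfile is acceptable.

    Checks: every entry carries a sha256 pin, every URL is https from an
    allow-listed mirror, and no (name, arch) pair is pinned twice."""
    findings = []
    seen = set()
    if lock.get("lockfileVersion") != 1:
        findings.append(f"unsupported lockfileVersion {lock.get('lockfileVersion')!r}")
    for arch_block in lock.get("arches", []):
        arch = arch_block.get("arch", "?")
        for pkg in arch_block.get("packages", []):
            label = f"{pkg.get('name')}-{pkg.get('evr')} ({arch})"
            checksum = pkg.get("checksum") or ""
            if not STRONG_DIGEST.match(checksum):
                findings.append(f"{label}: missing or weak checksum {checksum!r}")
            parts = urlsplit(pkg.get("url", ""))
            if parts.scheme != "https":
                findings.append(f"{label}: non-https url {pkg.get('url')!r}")
            if parts.hostname not in allowed_hosts:
                findings.append(f"{label}: mirror {parts.hostname!r} not in allowlist")
            key = (pkg.get("name"), arch)
            if key in seen:
                findings.append(f"{label}: pinned more than once for {arch}")
            seen.add(key)
    return findings


def verify_artifact(entry, data):
    """Check fetched bytes against the lockfile pin (size and sha256).

    Whatever host served the file, the bytes must match what was locked;
    this is the check that makes the mirror URL irrelevant to trust."""
    if not STRONG_DIGEST.match(entry.get("checksum", "")):
        return False
    if entry.get("size") != len(data):
        return False
    expected = entry["checksum"].split(":", 1)[1]
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, {"mirror.example.org"}):
        print(finding)
    print(verify_artifact(SAMPLE_LOCK["arches"][0]["packages"][0], TZDATA_BYTES))
```

To run this against a real file, load it with `yaml.safe_load(open("rpms.lock.yaml"))` and pass the result to `audit_lockfile` with the set of mirrors the project has agreed to trust; any finding should block the prefetch rather than be warned about, since the whole point of the hermetic pipeline is that nothing unpinned reaches the build.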
@jcapiitao jcapiitao force-pushed the switch-to-hermetic branch from d8578f6 to d508ed9 Compare June 18, 2025 14:27
jcapiitao (Member Author):

/retest

openshift-ci bot commented Jun 18, 2025

@jcapiitao: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name     | Commit  | Details | Required | Rerun command
ci/prow/rhcos | d508ed9 | link    | true     | /test rhcos


jlebon (Member) commented Jun 18, 2025

> Also, as a follow-up of this PR, I'll propose a github workflow to submit PRs automatically to update the lock YAML files.

That sounds good. I'm not sure if it's possible, though it'd be nice if it could auto-enable the auto-merge feature so it self-merges once CI passes.
