staged-images: Add chunkah-staged bootc base image builds #152
cgwalters wants to merge 1 commit into bootc-dev:main from
Code Review
This pull request introduces a workflow for rechunking bootc base images using the chunkah tool and updates the Renovate configuration to support container image digest pinning in YAML files. Feedback highlights several architectural concerns in the new Containerfile, including the use of non-portable Podman-specific features like oci-archive, the lack of reproducibility due to using the :latest tag for build tools, and a dependency on external, gitignored configuration files. Additionally, a more robust regex for the Renovate custom manager was suggested to better handle varied YAML syntax and optional parameters.
Force-pushed: db1464d to 480b425
Right now we always build a "from scratch" image in bootc
to avoid the mtime issue for ostree. We may as well
have pre-cached images that do this.

Add infrastructure to build rechunked bootc base images using
chunkah. These 'staged' images mirror upstream fedora-bootc and
centos-bootc, strip /sysroot (ostree data), and rechunk with
content-based layers for optimal layer reuse across updates.

The workflow has three phases:

  mirror   — skopeo copy --all from quay.io to GHCR so we own the
             copies and aren't broken when upstream deletes old
             manifests on tag re-push.
  build    — per-arch (amd64 + arm64) chunkah builds on native
             runners, pushed by digest.
  manifest — assemble per-arch digests into multi-arch manifest
             lists using bootc-dev/actions/create-manifest.

Source images are pinned by @sha256 digest for reproducibility,
with a Renovate custom regex manager to automatically bump digests
when upstream tags are updated.

Target images:
- ghcr.io/bootc-dev/fedora-bootc-staged:43
- ghcr.io/bootc-dev/fedora-bootc-staged:44
- ghcr.io/bootc-dev/centos-bootc-staged:stream9
- ghcr.io/bootc-dev/centos-bootc-staged:stream10

Closes: bootc-dev#151
Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>
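The commit message relies on every source image being pinned as tag@sha256 digest, and on a Renovate regex manager that can find those references to bump them. The script below is an added example, not code from the bootc-dev PR or repository: a CI guard that extracts the image references from a workflow matrix, fails if any one is not digest-pinned, and splits a pinned reference into the repository, tag and digest fields a digest-bumping tool needs. The `source:` key name and the sample matrix are constructed for the example (the PR's actual file layout is not shown on this page), and the digests are 64-hex placeholders, not real image digests.

```shell
#!/bin/sh
# Added example (not part of the bootc-dev PR): a CI guard that checks every
# source image in a workflow matrix is pinned as repo:tag@sha256:<digest>,
# and splits each pinned reference into the fields a digest-bumping tool
# (such as a Renovate regex manager) needs.
set -eu

# Constructed sample in the style of the PR's build matrix. The `source:`
# key name is assumed; the digests are illustrative placeholders.
SAMPLE_WORKFLOW=$(cat <<'EOF'
matrix:
  include:
    - name: fedora-bootc-staged
      tag: "43"
      source: quay.io/fedora/fedora-bootc:43@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    - name: centos-bootc-staged
      tag: stream10
      source: "quay.io/centos-bootc/centos-bootc:stream10@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
    - name: unpinned-example
      tag: latest
      source: 'quay.io/example/unpinned:latest'
EOF
)

# Print the value of every `source:` key (stdin -> stdout, one reference per
# line), tolerating a leading list-item dash and single or double quoting.
extract_refs() {
    sed -n 's/^[[:space:]]*\(-[[:space:]]*\)\{0,1\}source:[[:space:]]*//p' \
        | tr -d "\"'" \
        | sed 's/[[:space:]]*$//'
}

# Exit 0 when the reference ends in @sha256:<64 hex digits>, 1 otherwise.
is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print only the references that are NOT digest-pinned (empty = all good).
unpinned_refs() {
    for ref in $(printf '%s\n' "$1" | extract_refs); do
        is_pinned "$ref" || printf '%s\n' "$ref"
    done
}

# Report every reference and return 1 if any is unpinned, so CI can fail.
check_pinned() {
    bad=0
    for ref in $(printf '%s\n' "$1" | extract_refs); do
        if is_pinned "$ref"; then
            echo "pinned:   $ref"
        else
            echo "UNPINNED: $ref"
            bad=1
        fi
    done
    return "$bad"
}

# Split repo:tag@digest into depName / currentValue / currentDigest.
# Assumes the tag@digest form the PR uses (a tag must be present); a
# registry port is fine because the tag is the last ':' before the '@'.
ref_fields() {
    is_pinned "$1" || { echo "not digest-pinned: $1" >&2; return 1; }
    digest=${1##*@}
    rest=${1%@*}
    printf 'depName=%s currentValue=%s currentDigest=%s\n' \
        "${rest%:*}" "${rest##*:}" "$digest"
}

# Stand-alone run over the constructed sample.
if check_pinned "$SAMPLE_WORKFLOW"; then
    echo "all source images are digest-pinned"
else
    echo "refusing to proceed: unpinned source image(s) listed above"
fi
ref_fields "quay.io/fedora/fedora-bootc:43@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
```

The three fields printed by `ref_fields` are the same ones a Renovate custom regex manager captures as the `depName`, `currentValue` and `currentDigest` named groups with the `docker` datasource; running `check_pinned` over the workflow file in CI catches a reference that was added or edited without a digest before Renovate ever sees it.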
Force-pushed: 480b425 to b72ffb8
set -euo pipefail
image="${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.name }}"
podman tag localhost/${{ matrix.name }}:latest "${image}:latest"
podman push --retry 3 --digestfile "${{ runner.temp }}/digestfile" "${image}:latest"
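Review bot: the per-arch build result is pushed under the mutable `${image}:latest` tag even though the commit message says the build phase pushes by digest and the manifest phase only consumes the digest written by `--digestfile`. With both arch jobs of the matrix pushing `:latest` to the same repository, they race each other and the tag ends up pointing at whichever arch finished last. Push an arch-qualified tag instead (or only the digest reference) and reserve `:latest` for the manifest list assembled in the next phase.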
To avoid push collisions between the fedora matrix jobs (they sometimes push at the same time, or push to the same URL one after another), a unique tag like "${image}:${{ matrix.tag }}-${{ matrix.arch }}" would be better.
FROM ${CHUNKAH} AS chunkah
ARG MAX_LAYERS
RUN --mount=type=bind,target=/run/src,rw \
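Review bot: `FROM ${CHUNKAH} AS chunkah` takes the rechunking tool from a build arg, and the review summary above notes it is referenced by the `:latest` tag; pin it by `@sha256` digest the same way the source images are, otherwise a tool-image update silently changes the layering of every staged image and the build is not reproducible. Separately, a `rw` bind mount in `RUN` only makes writes visible to that one step: whatever is written under `/run/src` is discarded when the step ends and never reaches the build context, so the archive has to be produced into the stage's own filesystem and taken out with `COPY --from=chunkah` (or the builder's own output mechanism), not written back through the mount.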
The rw bind mount doesn't persist out.ociarchive back to the build context. I tried --mount=type=bind,source=.,target=/run/src,rw, and it does not work either.
I can't figure out a solution inside the Containerfile.