create an osc container for package maintenance

Co-authored-by: Dmitri Popov <dmpop@cameracode.coffee>
Co-authored-by: Daniel Mach <daniel.mach@suse.com>

Author: 3 people

src/bci_build/package/__init__.py

@@ -1563,6 +1563,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
 from .appcontainers import GRAFANA_CONTAINERS  # noqa: E402
 from .appcontainers import HELM_CONTAINERS  # noqa: E402
 from .appcontainers import NGINX_CONTAINERS  # noqa: E402
+from .appcontainers import OSC_CONTAINER  # noqa: E402
 from .appcontainers import PCP_CONTAINERS  # noqa: E402
 from .appcontainers import PROMETHEUS_CONTAINERS  # noqa: E402
 from .appcontainers import REGISTRY_CONTAINERS  # noqa: E402
@@ -1636,6 +1637,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
         *TOMCAT_CONTAINERS,
         *GCC_CONTAINERS,
         *SPACK_CONTAINERS,
+        OSC_CONTAINER,
     )
 }
 

src/bci_build/package/appcontainers.py

@@ -486,3 +486,94 @@ def _get_nginx_kwargs(os_version: OsVersion):
     )
     for os_version in (OsVersion.TUMBLEWEED,)
 ]
+
+
+_BASE_PODMAN_OSC_CMD = (
+    "podman run --rm -it --privileged "
+    + r"-v \$HOME/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z "
+    + r"-v \$HOME/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z"
+)
+
+OSC_CONTAINER = ApplicationStackContainer(
+    name="osc",
+    pretty_name="Packaging",
+    package_name="packaging-image",
+    os_version=OsVersion.TUMBLEWEED,
+    is_latest=True,
+    # we want all the recommends from osc & build
+    no_recommends=False,
+    version_in_uid=False,
+    version="%%osc_version%%",
+    replacements_via_service=[
+        Replacement(regex_in_build_description="%%osc_version%%", package_name="osc")
+    ],
+    extra_files={
+        "entrypoint.sh": (Path(__file__).parent / "osc" / "entrypoint.sh").read_bytes()
+    },
+    extra_labels={
+        "run": f"{_BASE_PODMAN_OSC_CMD} IMAGE",
+        "runv": f"{_BASE_PODMAN_OSC_CMD} {(_pkg_cache_vol := '-v pkgcache:/var/tmp/osbuild-packagecache')} IMAGE",
+        "runcwd": f"{_BASE_PODMAN_OSC_CMD} {(_cwd_mount := '-v .:/root/osc-workdir:z')} IMAGE",
+        "runcwdv": f"{_BASE_PODMAN_OSC_CMD} {_pkg_cache_vol} {_cwd_mount} IMAGE",
+    },
+    package_list=[
+        # osc + osc build
+        "osc",
+        "build",
+        "cpio",
+        "hostname",
+        # all the services
+        "obs-service-appimage",
+        "obs-service-cargo",
+        "obs-service-cdi_containers_meta",
+        "obs-service-compose_kiwi_description",
+        "obs-service-docker_label_helper",
+        "obs-service-download_assets",
+        "obs-service-download_files",
+        "obs-service-download_url",
+        "obs-service-extract_file",
+        "obs-service-format_spec_file",
+        "obs-service-go_modules",
+        "obs-service-kiwi_label_helper",
+        "obs-service-kiwi_metainfo_helper",
+        "obs-service-kubevirt_containers_meta",
+        "obs-service-node_modules",
+        "obs-service-obs_scm",
+        "obs-service-product_converter",
+        "obs-service-recompress",
+        "obs-service-refresh_patches",
+        "obs-service-replace_using_env",
+        "obs-service-replace_using_package_version",
+        "obs-service-set_version",
+        "obs-service-snapcraft",
+        "obs-service-source_validator",
+        "obs-service-tar",
+        "obs-service-tar_scm",
+        "obs-service-verify_file",
+        *OsVersion.TUMBLEWEED.release_package_names,
+        # for convenience
+        "bash-completion",
+        # for scmsync packages
+        "git",
+        "obs-scm-bridge",
+        # IBS access
+        "openssh-common",
+        "openssh-clients",
+        # for building
+        "podman",
+        "runc",
+    ],
+    cmd=["/bin/bash"],
+    custom_end="""WORKDIR /root/osc-workdir
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENV OSC_VM_TYPE=podman
+""",
+    entrypoint=["/usr/local/bin/entrypoint.sh"],
+    volumes=[
+        # default location of the package cache
+        "/var/tmp/osbuild-packagecache",
+        # default buildroot path
+        "/var/tmp/build-root-root",
+    ],
+)

src/bci_build/package/osc/README.md.j2

@@ -0,0 +1,136 @@
+# OSC Packaging Container
+
+{% include 'badges.j2' %}
+
+This is the openSUSE packaging container image that includes all the required
+tools for creating and modifying packages in the [Open Build
+Service](https://build.opensuse.org/) using
+[osc](https://github.com/openSUSE/osc/).
+
+
+## How to use this container image
+
+The container image is intended for interactive usage with a `.oscrc` configuration file and
+the osc cookiejar mounted into the container:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:rw,z \
+      {{ image.pretty_reference }}
+```
+
+The command launches an interactive shell environment that uses the local osc
+configuration. You can then check out packages, perform modifications, and send
+submissions to OBS.
+
+To work on an already checked out package, mount the current working directory:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      -v .:/root/osc-workdir:z \
+      {{ image.pretty_reference }}
+```
+
+The container entrypoint recognizes whether you are launching it for interactive
+usage or invoking `osc` directly. You can omit the command `osc` in the second
+case. For example:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      {{ image.pretty_reference }} \
+          ls openSUSE:Factory
+```
+
+The command automatically forwards the arguments to `osc` and calls
+`osc ls openSUSE:Factory`.
+
+
+### Building packages
+
+The container image can be used to build packages using the podman build backend
+(the default in this container image). The podman backend can only build RPM
+packages, building containers with docker or disk images with kiwi is not
+supported at the moment.
+
+`osc` will cache build dependencies in the pre-configured `packagecachedir`. The
+`packagecachedir` defaults to `/var/tmp/osbuild-packagecache` and is declared as
+a volume in this container image. To speed up package builds, it is recommended
+to bind mount the package cache directory onto the host or use a persistent
+container volume, e.g. as follows:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      -v pkgcache:/var/tmp/osbuild-packagecache \
+          {{ image.pretty_reference }}
+```
+
+The above command only applies if you are using the default package cache
+location. Obtain the current setting via:
+
+```ShellSession
+# osc config general packagecachedir
+'general': 'packagecachedir' is set to '/var/tmp/osbuild-packagecache'
+```
+
+
+### Using the image labels
+
+The image provides four labels: `run`, `runv`, `runcwd`, `runcwdv`. The `run`
+label includes the full command, to run the `osc` container, while the `runcwd`
+label additionally mounts the current working directory to `/root/osc-workdir`
+(the container images' working directory). The labels with the `v` appended
+additionally include the directive to mount a container volume called `pkgcache`
+to `/var/tmp/osbuild-packagecache`.
+
+To view the labels, use the following command:
+
+```ShellSession
+# podman container runlabel run --display {{ image.pretty_reference }}
+```
+
+The labels can be used to run the container with Podman version 5.1.0 or later:
+
+```ShellSession
+# podman container runlabel run \
+      {{ image.pretty_reference }} \
+          ls openSUSE:Factory
+```
+
+
+### Connecting to build.suse.de
+
+build.suse.de uses an SSH-based authentication, which requires additional
+resources to be available in the container. You also must provide the internal certificate to the container:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      -v /etc/ssl/ca-bundle.pem:/etc/ssl/ca-bundle.pem:ro,z \
+      -v $SSH_AUTH_SOCK:/run/user/0/ssh-agent.socket:z \
+      -e SSH_AUTH_SOCK=/var/run/user/0/ssh-agent.socket:z \
+      -v "$PWD":/root/osc-workdir:z \
+      {{ image.pretty_reference }}
+```
+
+
+## Limitations
+
+- Currently, it is not possible to build container images or disk images in a
+  container.
+- The `runlabel run` command only works with Podman 5.1.0 and newer.
+
+
+## Volumes
+
+The container image is preconfigured to put `/var/tmp` into a volume. This
+directory is used by `osc` to store the buildroot and the package cache.
+
+{% include 'licensing_and_eula.j2' %}

src/bci_build/package/osc/entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ ! -e /root/.config/osc/oscrc ]]; then
+    cat << EOF
+This container is expected to be launched with your oscrc mounted to
+/root/.config/osc/oscrc
+
+Please consult the README or the label 'run' for the full invocation.
+EOF
+fi
+
+if [[ "-h --help -v --verbose -q --quiet --debug --debugger --post-mortem --traceback -H --http-debug --http-full-debug -A --apiurl --config --setopt --no-keyring add addchannels addcontainers addremove ar aggregatepac api branch getpac bco branchco browse build wipe shell chroot buildconfig buildhistory buildhist buildinfo buildlog buildlogtail blt bl cat less blame changedevelrequest changedevelreq cr checkconstraints checkout co clean cleanassets ca clone comment commit checkin ci config copypac create-pbuild-config cpc createincident createrequest creq delete remove del rm deleterequest deletereq droprequest dropreq dr dependson detachbranch develproject dp bsdevelproject diff di ldiff linkdiff distributions dists downloadassets da enablechannels enablechannel fork getbinaries help importsrcpkg info init jobhistory jobhist linkpac linktobranch list LL lL ll ls localbuildlog lbl lock log maintainer bugowner maintenancerequest mr mbranch maintained sm meta mkpac mv my patchinfo pdiff prdiff projdiff projectdiff prjresults pr pull pull_request rdelete rdiff rebuild rebuildpac release releaserequest remotebuildlog remotebuildlogtail rbuildlogtail rblt rbuildlog rbl repairlink repairwc repo repositories platforms repos repourls request review rq requestmaintainership reqbs reqms reqmaintainership requestbugownership reqbugownership resolved restartbuild abortbuild results r revert rpmlintlog lint rpmlint rremove search bse se sendsysrq service setdevelproject sdp setlinkrev showlinked signkey staging status st submitrequest submitpac submitreq sr token triggerreason tr undelete unlock update up updatepacmetafromspec updatepkgmetafromspec metafromspec vc version whatdependson whois user who wipebinaries unpublish workerinfo" =~ (^|[[:space:]])$1($|[[:space:]]) ]]; then
+    # looks like the user is executing the container as the osc command
+    osc "$@"
+else
+    exec "$@"
+fi