Skip to content

Commit

Permalink
Build and tag Dangerzone images
Browse files Browse the repository at this point in the history
Build Dangerzone images and tag them with a unique ID that stems from
the Git reop. Note that using tags as image IDs instead of regular image
IDs breaks the current Dangerzone expectations, but this will be
addressed in subsequent commits.
  • Loading branch information
apyrgio committed Dec 2, 2024
1 parent e3b0edb commit d7f43ee
Showing 4 changed files with 40 additions and 20 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
@@ -74,6 +74,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get current date
id: date
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -48,6 +48,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get current date
id: date
@@ -245,7 +247,7 @@ jobs:
install-deb:
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest
needs:
needs:
- build-deb
strategy:
matrix:
2 changes: 2 additions & 0 deletions .github/workflows/scan.yml
Original file line number Diff line number Diff line change
@@ -14,6 +14,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install container build dependencies
run: sudo apt install pipx && pipx install poetry
- name: Build container image
52 changes: 33 additions & 19 deletions install/common/build-image.py
Original file line number Diff line number Diff line change
@@ -2,12 +2,13 @@
import gzip
import os
import platform
import secrets
import subprocess
import sys
from pathlib import Path

BUILD_CONTEXT = "dangerzone/"
TAG = "dangerzone.rocks/dangerzone:latest"
IMAGE_NAME = "dangerzone.rocks/dangerzone"
REQUIREMENTS_TXT = "container-pip-requirements.txt"
if platform.system() in ["Darwin", "Windows"]:
CONTAINER_RUNTIME = "docker"
@@ -44,8 +45,31 @@ def main():
)
args = parser.parse_args()

tarball_path = Path("share") / "container.tar.gz"
image_id_path = Path("share") / "image-id.txt"

print(f"Building for architecture '{ARCH}'")

# Designate a unique tag for this image, depending on the Git commit it was created
# from:
# 1. If created from a Git tag (e.g., 0.8.0), the image tag will be `0.8.0`.
# 2. If created from a commit, it will be something like `0.8.0-31-g6bdaa7a`.
# 3. If the contents of the Git repo are dirty, we will append a unique identifier
# for this run, something like `0.8.0-31-g6bdaa7a-fdcb` or `0.8.0-fdcb`.
dirty_ident = secrets.token_hex(2)
tag = (
subprocess.check_output(
["git", "describe", "--first-parent", f"--dirty=-{dirty_ident}"],
)
.decode()
.strip()[1:] # remove the "v" prefix of the tag.
)
image_name_tagged = IMAGE_NAME + ":" + tag

print(f"Will tag the container image as '{image_name_tagged}'")
with open(image_id_path, "w") as f:
f.write(tag)

print("Exporting container pip dependencies")
with ContainerPipDependencies():
if not args.use_cache:
@@ -59,8 +83,11 @@ def main():
check=True,
)

# Build the container image, and tag it with two tags; the one we calculated
# above, and the "latest" tag.
print("Building container image")
cache_args = [] if args.use_cache else ["--no-cache"]
image_name_latest = IMAGE_NAME + ":latest"
subprocess.run(
[
args.runtime,
@@ -74,7 +101,9 @@ def main():
"-f",
"Dockerfile",
"--tag",
TAG,
image_name_latest,
"--tag",
image_name_tagged,
],
check=True,
)
@@ -85,15 +114,15 @@ def main():
[
CONTAINER_RUNTIME,
"save",
TAG,
image_name_tagged,
],
stdout=subprocess.PIPE,
)

print("Compressing container image")
chunk_size = 4 << 20
with gzip.open(
"share/container.tar.gz",
tarball_path,
"wb",
compresslevel=args.compress_level,
) as gzip_f:
@@ -105,21 +134,6 @@ def main():
break
cmd.wait(5)

print("Looking up the image id")
image_id = subprocess.check_output(
[
args.runtime,
"image",
"list",
"--format",
"{{.ID}}",
TAG,
],
text=True,
)
with open("share/image-id.txt", "w") as f:
f.write(image_id)


class ContainerPipDependencies:
"""Generates PIP dependencies within container"""

0 comments on commit d7f43ee

Please sign in to comment.