Describe the issue

We have grown a bit of a mess around how we build and publish container images. We need to straighten it out.

Here’s the 10,000 foot view, as I understand it:

- For unstable releases, we build both ‘traditional’ (generic, generic minimal, toolbox) and atomic desktop OCI containers in the nightly compose. We also build atomic desktop ostrees. When the compose completes, we run `sync-latest-container-base-image.sh`, which publishes the ‘traditional’ containers to registries, and `sync-ostree-base-containers.sh`, which converts the silverblue, kinoite and sericea ostrees to containers and publishes those to registries. We don’t actually publish the native atomic desktop OCI containers anywhere.
- For stable releases, we have a Fedora-Container compose that builds ‘traditional’ containers and should publish them (only because of the thing @kevin is fixing in PR#1267: f39: fix container-nightly.sh script to sync the right thing - pungi-fedora - Pagure.io, it doesn’t). That compose does not build atomic desktop containers. Instead, Bodhi creates atomic desktop ostrees daily, which is how people get updates. But it does not produce native OCI containers, or run `sync-ostree-base-containers.sh` to convert the ostrees it creates into containers and publish those.
There are several problems here:

- We shouldn’t have two janky bash scripts for publishing containers to registries. We should have one tool in a sensible language (Python!) which can be properly tested. Also, it should use compose metadata to find the images (not weirdly hardcoded Koji searches, like the current `sync-latest-container-base-image.sh` does) - although this is a bit complicated if we’re building things in Bodhi, which doesn’t produce productmd metadata (AFAIK).
- Stable release ostree builds being off in Bodhi while everything else is in composes is a bit awkward, especially since we are trying to move away from ostrees towards native OCI containers for atomic desktops. Do we want to move more container builds into Bodhi, or move the stable release nightly ones out of Bodhi? Do we need to teach Bodhi to build OCI containers? Publish to registries?
- It would be good to have the ability to gate registry pushes. We can test all these images to some extent; it would be good to set things up such that we can gate publishing to the registry tags used to update user systems on test results.
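As an added illustration of the two design points raised above (find images from compose metadata rather than Koji searches, and gate the user-facing registry tags on test results), here is a small Python sketch. It is example code written for this issue, not the existing sync scripts and not any Fedora infrastructure tool. The embedded `images.json` sample is constructed to follow the productmd `images` layout; the subvariant-to-repository mapping, the `rawhide` floating tag, and the test-result format are assumptions made up for the example.

```python
"""Added example: select container images from productmd-style compose metadata
and gate the floating registry tag on test results.

Assumptions (not from the issue): the JSON below follows the productmd images.json
schema as I understand it; repository names, the floating tag and the test-result
dict are hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

COMPOSE_ID = "Fedora-Rawhide-20240101.n.0"  # constructed compose id

# Constructed sample of a productmd images.json payload (fields abridged).
SAMPLE_IMAGES_JSON = json.dumps({
    "header": {"type": "productmd.images", "version": "1.2"},
    "payload": {
        "compose": {"id": COMPOSE_ID, "type": "nightly", "date": "20240101", "respin": 0},
        "images": {
            "Container": {
                "x86_64": [
                    {"arch": "x86_64", "type": "docker", "format": "tar.gz",
                     "subvariant": "Container_Base",
                     "path": "Container/x86_64/images/Fedora-Container-Base-Rawhide.x86_64.tar.gz",
                     "checksums": {"sha256": "0" * 64}},
                    {"arch": "x86_64", "type": "docker", "format": "tar.gz",
                     "subvariant": "Container_Toolbox",
                     "path": "Container/x86_64/images/Fedora-Container-Toolbox-Rawhide.x86_64.tar.gz",
                     "checksums": {"sha256": "1" * 64}},
                    {"arch": "x86_64", "type": "docker", "format": "tar.gz",
                     "subvariant": "Container_Minimal_Base",  # no repository mapped below
                     "path": "Container/x86_64/images/Fedora-Container-Minimal-Base-Rawhide.x86_64.tar.gz",
                     "checksums": {"sha256": "2" * 64}},
                ],
                "aarch64": [
                    {"arch": "aarch64", "type": "docker", "format": "tar.gz",
                     "subvariant": "Container_Base",
                     "path": "Container/aarch64/images/Fedora-Container-Base-Rawhide.aarch64.tar.gz",
                     "checksums": {"sha256": "3" * 64}},
                ],
            },
            "Silverblue": {
                "x86_64": [
                    # An ostree installer ISO lives in the same metadata; it is not a container.
                    {"arch": "x86_64", "type": "dvd-ostree", "format": "iso",
                     "subvariant": "Silverblue",
                     "path": "Silverblue/x86_64/iso/Fedora-Silverblue-ostree-x86_64-Rawhide.iso",
                     "checksums": {"sha256": "4" * 64}},
                ],
            },
        },
    },
})


@dataclass(frozen=True)
class ContainerImage:
    variant: str
    subvariant: str
    arch: str
    path: str
    sha256: str


def load_container_images(images_json: str) -> list[ContainerImage]:
    """Return every image whose productmd 'type' is 'docker'.

    productmd lists ISOs, qcow2s and containers side by side per (variant, arch),
    so we filter on the recorded type instead of guessing from file names."""
    payload = json.loads(images_json)["payload"]
    found = []
    for variant, arches in payload["images"].items():
        for arch, entries in arches.items():
            for entry in entries:
                if entry.get("type") != "docker":
                    continue
                found.append(ContainerImage(variant, entry["subvariant"], arch,
                                            entry["path"], entry["checksums"]["sha256"]))
    return found


# Hypothetical mapping from productmd subvariant to a registry repository name.
REPO_FOR_SUBVARIANT = {
    "Container_Base": "fedora",
    "Container_Toolbox": "fedora-toolbox",
}


@dataclass(frozen=True)
class PushAction:
    image: ContainerImage
    repository: str
    tags: tuple[str, ...]


def gate_open(test_results: dict[str, str]) -> bool:
    """Every required test must report 'passed'; an empty result set fails closed."""
    return bool(test_results) and all(r == "passed" for r in test_results.values())


def plan_pushes(images: list[ContainerImage], compose_id: str,
                floating_tag: str, tests_passed: bool) -> list[PushAction]:
    """Each image always gets an immutable tag naming its compose; the floating tag
    that user systems follow is only (re)pointed when the gate is open."""
    actions = []
    for img in images:
        repo = REPO_FOR_SUBVARIANT.get(img.subvariant)
        if repo is None:
            continue  # unmapped subvariant: skip rather than push to a guessed name
        tags = (compose_id,) + ((floating_tag,) if tests_passed else ())
        actions.append(PushAction(img, repo, tags))
    return actions


if __name__ == "__main__":
    imgs = load_container_images(SAMPLE_IMAGES_JSON)
    results = {"smoke": "passed", "boot": "failed"}  # constructed test results
    for action in plan_pushes(imgs, COMPOSE_ID, "rawhide", gate_open(results)):
        print(action.repository, action.image.arch, action.tags, action.image.sha256[:8])
```

The point of the split between the immutable compose-id tag and the floating tag is that a failed or missing test result still leaves the build inspectable in the registry, while nothing a user system tracks moves until the gate is satisfied.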