Build: Add convert-to-ami and Multi container image build #4

yureutaejin merged 30 commits into main

Conversation
trust-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}
```

```bash
aws iam create-role --role-name vmimport --assume-role-policy-document "file://{YOUR_DIRECTORY}/trust-policy.json"
```

role-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetBucketAcl",
        "s3:ListAllMyBuckets",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::{YOUR_BUCKET}",
        "arn:aws:s3:::{YOUR_BUCKET}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
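A check a practitioner can run before creating the role from the two documents above, as an added example that is not part of this PR or of bootc-image-builder: it parses copies of the trust policy and role policy from the description (the bucket name `example-bootc-bucket` is a constructed stand-in for `{YOUR_BUCKET}`) and flags the mistakes that matter for the vmimport role: a trust policy that is not limited to the `vmie.amazonaws.com` service principal with the `sts:ExternalId` condition, S3 access that is not scoped to the one bucket, or EC2 actions beyond the documented VM Import set.

```python
"""Lint the vmimport role documents before creating the role.

Added example (not the PR's or bootc-image-builder's code). The two policy
texts are copies of the ones in the PR description with the bucket placeholder
replaced by the constructed name "example-bootc-bucket".
"""
import json

TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}
  }]
}
""")

ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                 "s3:PutObject", "s3:GetBucketAcl", "s3:ListAllMyBuckets",
                 "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::example-bootc-bucket",
                   "arn:aws:s3:::example-bootc-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                 "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*"
    }
  ]
}
""")

# EC2 permissions the VM Import service role is documented to need; anything
# beyond this set on a role that an AWS service can assume deserves a look.
VMIMPORT_EC2_ACTIONS = {"ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"}


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, external_id="vmimport"):
    """Return findings (empty list means OK) for the role's trust policy."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in services or (isinstance(principal, dict) and "AWS" in principal):
            findings.append("trust policy is not limited to a service principal")
        if services != ["vmie.amazonaws.com"]:
            findings.append(f"trusted services are {services}, expected vmie.amazonaws.com only")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"unexpected actions in trust policy: {st.get('Action')}")
        # Condition keys are case-insensitive; the AWS docs spell it sts:Externalid.
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("sts:externalid") != external_id:
            findings.append("missing or wrong sts:ExternalId condition (confused-deputy guard)")
    return findings


def check_role_policy(doc, bucket):
    """Return findings for the permissions policy: S3 scoped to one bucket, EC2 minimal."""
    findings = []
    expected_s3 = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = set(_as_list(st.get("Resource")))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
            elif action.startswith("ec2:") and action not in VMIMPORT_EC2_ACTIONS:
                findings.append(f"ec2 action outside the VM Import set: {action}")
        if any(a.startswith("s3:") for a in actions) and resources != expected_s3:
            findings.append(f"s3 statement resources {sorted(resources)} are not scoped to {bucket}")
    return findings


if __name__ == "__main__":
    for name, findings in (("trust-policy.json", check_trust_policy(TRUST_POLICY)),
                           ("role-policy.json", check_role_policy(ROLE_POLICY, "example-bootc-bucket"))):
        print(name, "OK" if not findings else "\n  ".join(["has findings:"] + findings))
```

Run it against the real files by replacing the embedded strings with `json.load(open(...))`; a non-empty list from either function means the role grants more than the AMI upload needs or can be assumed without the ExternalId guard.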
convert-to-ami command in Makefile
- I added some suggestions and left a few self-reviews.
- I just defined the following with dummy values in the repository for a future AMI workflow test:
  - secrets.AWS_SECRET_ACCESS_KEY
  - vars.AWS_ACCESS_KEY_ID
  - vars.AWS_REGION

Request

- Could you test `convert-to-ami` with this Makefile in your local environment, and report the result?
- Please update the README.md with your AMI setup. (No need to write too much detail)
Makefile (outdated)
| AWS_AMI_NAME ?= immutable-os-bootc-$(GIT_COMMIT_HASH:0:8) | ||
| AWS_S3_BUCKET ?= immutable-os-bootc | ||
| AWS_REGION ?= us-east-1 |
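Review bot: `$(GIT_COMMIT_HASH:0:8)` in the `AWS_AMI_NAME` default is bash substring syntax, but Make expands `$(...)` itself and has no `:offset:length` form; GNU make only treats a colon as a substitution reference when an `=` follows it, so here it looks up a variable literally named `GIT_COMMIT_HASH:0:8`, which is empty, and the AMI name degenerates to `immutable-os-bootc-`. Compute the short hash once at the top of the Makefile (for example `SHORT_COMMIT_HASH := $(shell git rev-parse --short=8 HEAD)`) and use that. Defaulting `AWS_S3_BUCKET` to a fixed shared bucket also means a local run with whatever credentials are in the environment silently targets that bucket; consider leaving it unset and failing early when the caller does not provide it.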
Makefile (outdated)
| .PHONY: convert-to-ami | ||
| convert-to-ami: | ||
| sudo podman load -i image-${GIT_COMMIT_HASH:0:8}.tar | ||
| sudo docker run --rm \ | ||
| --privileged \ | ||
| --security-opt label=type:unconfined_t \ | ||
| -v /var/lib/containers/storage:/var/lib/containers/storage \ | ||
| --env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | ||
| --env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | ||
| ${BIB_CONTAINER} \ | ||
| --type ${DISK_FORMAT} \ | ||
| --rootfs ${ROOTFS} \ | ||
| --aws-ami-name ${AWS_AMI_NAME} \ | ||
| --aws-bucket ${AWS_S3_BUCKET} \ | ||
| --aws-region ${AWS_REGION} \ | ||
| ${OCI_REGISTRY}/${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG} |
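Review bot: `${AWS_SECRET_ACCESS_KEY}` on the `--env` line is a Make variable reference (Make treats `${}` and `$()` alike), so the secret is expanded into the `docker run` command line before the shell sees it: make echoes the recipe to stdout unless the line starts with `@`, and the value sits in the argv of the `sudo docker run` process. Use `--env AWS_SECRET_ACCESS_KEY` with no value so the docker client reads it from its own environment (note that `sudo` strips the caller's environment by default, so that needs `sudo -E` or an `env_keep` entry), or an `--env-file` kept outside the repo, and prefix the line with `@`. The same `${GIT_COMMIT_HASH:0:8}` expansion problem as in the variable block above applies to the `podman load` line, which would look for `image-.tar`.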
@charlie3965
(Please make sure to write code carefully, considering how it works.)
I just removed the lines regarding the config.toml file.
According to the official README.md, config.toml is just for the anaconda installer.
| - name: Push bootc image to registry | ||
| if: ${{ github.event_name == 'workflow_dispatch' }} |
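Review bot: gating the push on `github.event_name == 'workflow_dispatch'` does keep merge-queue and status-check runs from publishing, but a manual dispatch from any branch still can; if only `main` is meant to publish, extend the condition with `&& github.ref == 'refs/heads/main'`, or make sure the registry tag carries the commit hash so a dispatch from a feature branch cannot overwrite a tag that `main` produced.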
Prevents pushing to the OCI registry when the merge queue or status checks run.
To make multi image build easy to use.
See also
I just made the user run a single make subcommand.
No need to define/install/fix anything except the Makefile.
Changed the SELinux default state to permissive, not disabled.
- SELINUX=permissive is just for logging
- osbuild and rpm-ostree have some problems in the BIB process (SELinux enabled, but no policy found)
- The BIB project considers the iso build process legacy

It might be helpful to read the following:
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
- Requires running under rootful podman: osbuild/bootc-image-builder#98
- When selinux:false, rpm-ostree still looks for selinux policies and raises an error: coreos/rpm-ostree#3261
| .PHONY: convert-to-iso | ||
| convert-to-iso: bib-dind-down bib-dind-up | ||
| cp -rf template-iso.toml config.toml | ||
| sed -i "s|{DEFAULT_DISK}|${DEFAULT_DISK}|g" config.toml | ||
| sed -i "s|{DEFAULT_USER_NAME}|${DEFAULT_USER_NAME}|g" config.toml && \ | ||
| sed -i "s|{DEFAULT_USER_PASSWD}|${DEFAULT_USER_PASSWD}|g" config.toml && \ | ||
| sudo docker run --rm \ | ||
| --privileged \ | ||
| --security-opt label=type:unconfined_t \ | ||
| -v ./image-builder-output:/output \ | ||
| -v /var/lib/containers/storage:/var/lib/containers/storage \ | ||
| -v ./config.toml:/config.toml:ro \ | ||
| $(BIB_CONTAINER) \ | ||
| --type $(DISK_FORMAT) \ | ||
| --use-librepo=True \ | ||
| --rootfs $(ROOTFS) \ | ||
| $(OCI_REGISTRY)/$(OCI_IMAGE_REPO):${OCI_IMAGE_TAG} | ||
| sed -i "s|{DEFAULT_USER_NAME}|${DEFAULT_USER_NAME}|g" config.toml | ||
| sed -i "s|{DEFAULT_USER_PASSWD}|${DEFAULT_USER_PASSWD}|g" config.toml | ||
| docker cp config.toml bib-dind:/config.toml | ||
| [[ "${TARGET_INTERFACE}" == "all" ]] && TARGETS="core desktop" || TARGETS="${TARGET_INTERFACE}"; \ | ||
| for target in $${TARGETS}; do \ | ||
| mkdir -p image-builder-output/$${target}; \ | ||
| docker exec bib-dind /bin/bash -c " \ | ||
| podman load -i container-tarbells/image-${SHORT_COMMIT_HASH}-$${target}.tar.gz; \ | ||
| podman run --rm \ | ||
| --privileged \ | ||
| --security-opt label=type:unconfined_t \ | ||
| -v ./image-builder-output/$${target}:/output \ | ||
| -v /var/lib/containers/storage:/var/lib/containers/storage \ | ||
| -v ./config.toml:/config.toml:ro \ | ||
| ${BIB_CONTAINER} \ | ||
| --type iso \ | ||
| --use-librepo=True \ | ||
| --rootfs ${ROOTFS} \ | ||
| ${OCI_REGISTRY}/${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}-$${target}"; \ | ||
| done | ||
| $(MAKE) bib-dind-down | ||
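Review bot: `[[ "${TARGET_INTERFACE}" == "all" ]]` is a bash builtin, but Make runs recipe lines with `/bin/sh` unless the Makefile sets `SHELL := /bin/bash`; on a system where `sh` is dash the test fails with `[[: not found`, which takes the `||` branch and sets `TARGETS=all`, so the loop then tries to load `image-<hash>-all.tar.gz` instead of building both targets. Use the portable `[ "${TARGET_INTERFACE}" = "all" ]` or set `SHELL` explicitly. Separately, the `sed` lines write `DEFAULT_USER_PASSWD` in plaintext into `config.toml` in the working tree and copy it into `bib-dind`, and nothing removes it when the target finishes or fails; add an `rm -f config.toml` at the end (and on failure), keep `config.toml` gitignored, and consider generating it in a `mktemp` directory instead.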
|
|
||
| # See https://github.com/osbuild/bootc-image-builder?tab=readme-ov-file#amazon-machine-images-amis | ||
| .PHONY: convert-to-ami | ||
| convert-to-ami: bib-dind-down bib-dind-up | ||
| cp -rf template-ami.toml config.toml | ||
| sed -i "s|{DEFAULT_USER_NAME}|${DEFAULT_USER_NAME}|g" config.toml | ||
| sed -i "s|{DEFAULT_USER_PASSWD}|${DEFAULT_USER_PASSWD}|g" config.toml | ||
| docker cp config.toml bib-dind:/config.toml | ||
| AWS_AMI_NAME=${SHORT_COMMIT_HASH}-core; \ | ||
| docker exec bib-dind /bin/bash -c " \ | ||
| podman load -i container-tarbells/image-${SHORT_COMMIT_HASH}-core.tar.gz; \ | ||
| podman run --rm \ | ||
| --privileged \ | ||
| --security-opt label=type:unconfined_t \ | ||
| -v /var/lib/containers/storage:/var/lib/containers/storage \ | ||
| -v ./config.toml:/config.toml:ro \ | ||
| --env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | ||
| --env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | ||
| ${BIB_CONTAINER} \ | ||
| --type ami \ | ||
| --rootfs ${ROOTFS} \ | ||
| --aws-ami-name $${AWS_AMI_NAME} \ | ||
| --aws-bucket ${AWS_S3_BUCKET} \ | ||
| --aws-region ${AWS_REGION} \ | ||
| ${OCI_REGISTRY}/${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}-core" | ||
| $(MAKE) bib-dind-down | ||
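Review bot: the AWS credentials are still forwarded by value here, and the DinD layering makes it worse: Make expands `${AWS_SECRET_ACCESS_KEY}` into the `docker exec bib-dind /bin/bash -c "..."` string, so the secret appears in the argv of the host `docker exec`, the `bash -c` inside `bib-dind` and the inner `podman run`, readable by any process on the host or in that container and printed by make's recipe echo (GitHub masks `secrets.` values in job logs, a local run has no such masking). Pass the variables into the container with `docker exec -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY bib-dind ...` and use `--env AWS_SECRET_ACCESS_KEY` without a value on the inner `podman run`, so no process carries the value on its command line. Also note this target builds only `-core` and ignores `TARGET_INTERFACE`, while `convert-to-iso` loops over both targets; if that is intentional, say so in the README.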
|
|
||
| .PHONY: bib-dind-up | ||
| bib-dind-up: | ||
| docker run \ | ||
| -itd \ | ||
| --privileged \ | ||
| --name bib-dind \ | ||
| -v ./container-tarbells:/container-tarbells \ | ||
| -v ./image-builder-output:/image-builder-output \ | ||
| quay.io/containers/podman:latest | ||
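Review bot: `quay.io/containers/podman:latest` is a floating tag for a container that runs `--privileged` on the developer's machine and on the CI runner; pin it to a digest (`quay.io/containers/podman@sha256:<digest placeholder>`) or at least a release tag, and apply the same pinning to `BIB_CONTAINER`, so that a registry-side change cannot silently swap what executes with full host privileges. `-itd` allocates a tty for a detached container that is only ever driven through `docker exec`; `-d` is sufficient.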
|
|
||
| .PHONY: bib-dind-down | ||
| bib-dind-down: | ||
| docker rm -f bib-dind || true |
BIB requires /var/lib/containers, which podman and buildah usually use.
So I resolved the issue by using the quay.io/containers/podman container with DinD.
Now we don't need to require the user to install podman/buildah as prerequisites.

Additional Info

You might want to read the additional comments about SELinux errors:

> Changed the SELinux default state to permissive, not disabled.
> - SELINUX=permissive is just for logging
> - osbuild and rpm-ostree have some problems in the BIB process (SELinux enabled, but no policy found)
> - The BIB project considers the iso build process legacy
>
> It might be helpful to read the following:
> - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
> - Requires running under rootful podman: osbuild/bootc-image-builder#98
> - When selinux:false, rpm-ostree still looks for selinux policies and raises an error: coreos/rpm-ostree#3261
| - name: Convert OCI image into specified disk format | ||
| run: | | ||
| echo "::group::Convert OCI image into specified disk format:" | ||
| make convert-to-disk-image | ||
| make convert-to-${DISK_FORMAT} | ||
| echo "::endgroup::" | ||
| env: | ||
| OCI_REGISTRY: ${{ inputs.oci_registry }} | ||
| OCI_IMAGE_REPO: ${{ inputs.oci_image_repo }} | ||
| OCI_IMAGE_TAG: ${{ inputs.oci_image_tag }} | ||
| TARGET_INTERFACE: ${{ inputs.target-interface }} | ||
| DISK_FORMAT: ${{ inputs.disk_format }} | ||
| DEFAULT_DISK: ${{ inputs.default_disk }} | ||
| DEFAULT_USER_NAME: ${{ secrets.DEFAULT_USER_NAME }} | ||
| DEFAULT_USER_PASSWD: ${{ secrets.DEFAULT_USER_PASSWD }} | ||
| ROOTFS: ${{ inputs.rootfs }} | ||
| AWS_S3_BUCKET: ${{ inputs.aws_s3_bucket }} | ||
| AWS_REGION: ${{ vars.AWS_REGION }} | ||
| AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |
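Review bot: `TARGET_INTERFACE: ${{ inputs.target-interface }}` uses a hyphen while every other input is snake_case; if the input is declared as `target_interface` like the rest, this expands to an empty string, the Makefile's `|| TARGETS="${TARGET_INTERFACE}"` branch yields an empty list and the build loop runs zero times without an error. Please double-check the input name. On the credentials: `AWS_ACCESS_KEY_ID` comes from `vars.` and is therefore not masked in logs, and both halves are long-lived static keys stored in the repository; the cleaner option for a GitHub-hosted runner is OIDC role assumption with `aws-actions/configure-aws-credentials`, which gives the job short-lived STS credentials for the vmimport upload and leaves nothing to rotate in repository settings. If static keys stay, store the key ID as a secret too.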
GitHub Actions masked the AWS credential info:
- https://github.com/yureutaejin/yob/actions/runs/18771909470/job/53557974734#step:8:95
Dockerfile Lint Result (commit hash: 2bc6267)

```json
[
  {
    "code": "DL3041",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 7,
    "message": "Specify version with `dnf install -y <package>-<version>`."
  },
  {
    "code": "DL3059",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 35,
    "message": "Multiple consecutive `RUN` instructions. Consider consolidation."
  },
  {
    "code": "DL3040",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 41,
    "message": "`dnf clean all` missing after dnf command."
  },
  {
    "code": "DL3041",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 46,
    "message": "Specify version with `dnf install -y <package>-<version>`."
  },
  {
    "code": "DL3041",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 101,
    "message": "Specify version with `dnf install -y <package>-<version>`."
  },
  {
    "code": "DL3059",
    "column": 1,
    "file": "./Dockerfile",
    "level": "info",
    "line": 111,
    "message": "Multiple consecutive `RUN` instructions. Consider consolidation."
  }
]
```
Changes
- `convert-to-ami` sub-command to Makefile
- docker-bake.hcl
- SELinux default state: `disabled` to `permissive` (#4 (comment))
- `convert-to-{iso,ami}` use DinD instead of requiring podman/buildah pre-installation (#4 (comment))

Tests
- (Misc) Prerequisites for AMI build: refer to the Cloud uploaders section in BIB (#4 (comment))