
TBD - May not need linux_username and github_username for the purposes of this api.

(POST) Build Image:

Request:

Code Block
'headers': {
    "linux_username": "string",
    "github_username": "string"
},
'body': {
    "dockerfile": file,
    "component": "string",
    "branch": "string",
    "architecture": "string" // OS environment
}

Response:

Code Block
{
    "status": "string",
    "errorMessage": "string", // Optional
    "component": "string" // TBD (return filepath or component itself)
}

Other Information

  1. TODO: Right now you're trying to see if you can get podman to build without user id 1000.
    Seems like you can't; I tried setting 46487 to podman, doesn't work, and then tried
    setting it above its subuid range, same problem.
    Maybe it's fine to run as user 1000 for now; try mounting the s3df volume and see if we
    can build the dockerfile on registry.
    If not fine, then may have to use an alternative like buildah.
    Then work on getting the testing structure done, like unit tests and integration tests, add to bom, parse, and make a basic unit test for the test-ioc.
  2. Motivation for API to artifact storage: we don't want to repeat logic 3 times, one each for building, testing, and deployment. So have the logic once in the artifact storage itself, and call it from each stage of the build system. Ex: when building, build this image I give; when testing, give me the built image to run my app; when deploying, give me the built image to run my app. Also the build containers will run different OSes including old ones like rhel5, and may have trouble building images in there, so moving the logic over to a container that has a single consistent OS environment and podman version makes errors less likely. Also we're only able to use podman ROOTLESS in a container if we use a podman image, so we can't do it in the build containers unless they're root, which we want to avoid.
  3. Also trying to see if we can run podman in a container because that may have more hope of building images within an image than docker. Try kubectl exec it podman priv – sh, then try to build an image.
  4. For this to work, need an image with podman installed, and need to be root user, and security context privileged: true.

    Code Block
    [root@rocky9-testd /]# cd build/
    [root@rocky9-testd build]# ls
    __pycache__  asyn  epics-base
    [root@rocky9-testd build]# vim Dockerfile
    [root@rocky9-testd build]# podman build -t -f Dockerfile .
    Successfully tagged localhost/pnispero/rocky9-env:podman
    [root@rocky9-testd build]# podman images
    REPOSITORY                     TAG         IMAGE ID      CREATED             SIZE
    localhost/pnispero/rocky9-env  podman      6dea88dccb6a  About a minute ago  984 MB
    # The following is needed for me to push on pnispero/ on dockerhub
    [root@rocky9-testd build]# podman login
    Username: pnispero
    Login Succeeded!
    [root@rocky9-testd build]# podman push
    Getting image source signatures
    Copying blob 7c554e5c0228 done   |
    Copying blob 9e3fa8fc4839 done   |
    Copying blob 22514acd460a done   |
    Copying blob d3c9bab34657 done   |
    Copying blob e489bb4f45f2 done   |
    Copying blob 446f83f14b23 skipped: already exists
    Copying blob 9142ea245948 done   |
    Copying blob a9ebe5aa7e2b done   |
    Copying blob c776803672c2 done   |
    Copying blob f2f869ceb9a5 done   |
    Copying blob 7f312795052b done   |
    Copying config 6dea88dccb done   |
    Writing manifest to image destination

    Since we confirmed it worked, we can have the buildscript generate the Dockerfile, send it over to the artifact storage, then start another container on ad-build that is root/privileged so it can build the image from the Dockerfile and push it to the registry.

  5. Update: Found a way to use podman to build an image WITHOUT root user or privileged. See podman-test.yaml
    Possible workflow: Buildscript generates Dockerfile → API request to artifact storage to build → artifact storage starts container to build Dockerfile.
    TODO: We can make the REST API ourselves (django/flask/fastapi framework, and swagger ui for docs?)
    This artifact storage process/container should have logic to build dockerfile images, and components themselves. It'll be a middleman accepting client requests and starting up containers to do its work.
    Then the artifact storage container can just return the filepath to copy the built components from.
    Come up with API definitions and what we need, then go over with Jerry, and see if we should use django or flask.
    Authenticate the REST API with an API key to pass to build containers.

    1. Resource: How to use Podman inside of Kubernetes | Enable Sysadmin
      How to run systemd in a container | Red Hat Developer
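An added example (not the page's or the BuildSystem project's code) of how the (POST) Build Image endpoint and the API-key check from the workflow above might look in plain Python, independent of the django/flask/fastapi choice; the key value, the allowed architecture set and the image tag layout are assumptions.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample key; a real deployment reads it from the environment or a
# Kubernetes secret, never from source.
API_KEY = "example-api-key-not-real"
# component/branch end up in an image tag and a file path, so restrict them.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$")
ALLOWED_ARCH = {"rhel7", "rhel8", "rocky9"}  # assumed set of build environments


@dataclass(frozen=True)
class BuildRequest:
    dockerfile: bytes
    component: str
    branch: str
    architecture: str


def authorized(provided_key: str) -> bool:
    """Constant-time compare so the API key check does not leak timing."""
    return hmac.compare_digest(provided_key.encode(), API_KEY.encode())


def validate(req: BuildRequest) -> Optional[str]:
    """Return an errorMessage, or None when the request is acceptable."""
    if not NAME_RE.match(req.component) or ".." in req.component:
        return "invalid component name"
    if not NAME_RE.match(req.branch) or ".." in req.branch:
        return "invalid branch name"
    if req.architecture not in ALLOWED_ARCH:
        return f"unsupported architecture {req.architecture!r}"
    return None


def podman_build_argv(req: BuildRequest, workdir: str) -> list:
    """argv for subprocess.run(argv, check=True): no shell, explicit --tag."""
    safe_branch = re.sub(r"[^A-Za-z0-9_.-]", "-", req.branch)
    tag = f"localhost/{req.component}:{safe_branch}-{req.architecture}"
    return ["podman", "build", "--tag", tag, "--file", f"{workdir}/Dockerfile", workdir]


def handle_build(api_key: str, req: BuildRequest, workdir: str = "/build") -> dict:
    """The (POST) Build Image handler, returning the response body."""
    if not authorized(api_key):
        return {"status": "error", "errorMessage": "unauthorized"}
    err = validate(req)
    if err is not None:
        return {"status": "error", "errorMessage": err}
    argv = podman_build_argv(req, workdir)  # a real handler runs this here
    return {"status": "ok", "component": argv[3]}  # image tag; 'component' is TBD
```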

How to authorize api service onto kubernetes cluster

  1. Create a service account, a role binding, and a service account token secret. See BuildSystem/artifact_storage/api/artifact_service_account.yaml at main · ad-build-test/BuildSystem
  2. Apply this manifest with
    1. kubectl apply -f artifact_service_account.yaml
  3. Then look at the secret
    1. kubectl describe -n artifact secret/myexample-sa-token
  4. Add that to the environment variable passed in to artifact_api_deployment.yaml: BuildSystem/artifact_storage/api/artifact_api_deployment.yaml at main · ad-build-test/BuildSystem
  5. Apply this manifest with
    1. kubectl apply -f artifact_api_deployment.yaml
    2. What this does is start the api deployment; it'll run the script to add the kube config at $HOME/.kube/config, then start the api process
  6. done

How to test service is accessible to other build containers

  1. TODO: Apparently the artifact api needs to be in the same namespace as the build containers if they want to access it, so in that case, may just put the build containers in the artifact namespace? Or put the artifact api in the namespace of the build containers.


Jerry vacation 7-11 to 7-16

S3DF down 7-10 to 7-12 including the cluster

So come up with what work you're going to do in those days since the clusters are down

  1. documentation, diagrams, planning?
  2. mps prep?
  3. Look into ansible (an alternative for some systems that can't use containers yet; it can also configure more than the app/packages, such as networking, DNS, monitoring). Then once done, maybe help out Lukas with the python conversions, at least until s3df is back up

Ansible Notes (TODO: Move to a different page once done)

  1. Introduction information
    1. Ansible is an orchestration/automation tool, just like Chef or Puppet, which are other alternatives to ansible, but ansible's main advantage is that it can work through ssh, so target machines don't need ansible installed.
    2. Ansible solves the problem of performing 'day-1' operations of infrastructure (installing os, dependency packages, network configurations, etc). Source: DevOps: Difference between Ansible and orchestrators like Kubernetes - Stack Overflow
    3. Big advantage is that it uses declarative playbooks (define what you want done) instead of imperative scripting (define what you want and how).
    4. Day 0: get all of your infrastructure (hardware, public cloud, etc.).
       Day 1: use something like Ansible to set up the infrastructure components (EC2 nodes, hardware servers or GCE instances).
       Day 2: install k8s on them to start running containerized workloads.
       Day 3: use k8s native mechanisms to deploy, manage and monitor applications.
      (Day 2 and 3 is ideal, but I think we will just deploy the containers through our build system, not k8s.)
    5. Ansible can help with availability, and we will use it to test; e.g. if an ioc needs another ioc to run for testing, specifying which machine and what resources, ansible should handle that deployment.
  2. Why Ansible
    1. Reduces complexity and runs anywhere.
    2. Lets you automate any task.
    3. Agentless: the managed nodes only need to be accessible via ssh and sftp or scp, and have python installed.
  3. How it works (Ansible Tutorial for Beginners: Playbook & Examples)
    1. A control node (machine with ansible installed) sends commands/instructions to host/managed nodes/machines.
    2. Ansible structure: 
      1. Units of code that the control node executes on the managed nodes are modules
      2. Each module is invoked by a task
      3. An ordered list of tasks form a playbook
      4. The managed nodes are represented in a simplistic inventory file
    3. The user defines the playbooks using YAML

Ansible practice (fail)

  1. Get some mock machines (can use containers for this). See Building an inventory — Ansible Community Documentation
  2. 1st attempt: docker network create -d bridge my-net
    1. docker run --network=my-net -itd --name=container3 busybox
    2. docker pull alpine
    3. docker container run --name target --network my-net -it --rm alpine /bin/ash
      1. apk update
      2. apk add openssh
      3. ssh-keygen -A
    4. docker container run --name controller --network my-net -it --rm alpine /bin/ash
      1. apk update
      2. apk add openssh
      3. ssh-keygen
      4. enter for all options
      5. save the public key on this controller "/root/.ssh/" to the target container at "~/.ssh/authorized_keys"
  3. 2nd attempt

    1. docker pull ubuntu
    2. docker run -it -d -p 2200:22 --name ssh-access-server ubuntu:latest

    3. docker exec -it ssh-access-server bash
      1. apt update
        apt install openssh-server -y
        apt install vim -y
        vim /etc/ssh/sshd_config
        Search for PermitRootLogin and make it Yes
        service ssh start
        service ssh status