Install podman in container for container-based builds

This installs podman inside the nodepool container, which is used by
the dependent change in DIB to extract initial chroot environments
from upstream containers.  This eliminates the need to run non-native
tools on build hosts (rpm/zypper on Ubuntu, etc.).

As noted in the config, podman defaults to assuming systemd is
installed and using various systemd interfaces.

Additionally, we map the a volume into the container which allows
nested podman to do what it needs to do.

Needed-By: https://review.opendev.org/700083
Change-Id: I6722aa2b32db57e099dae4417955a8a2cd28847e

Dockerfile

@@ -69,10 +69,13 @@ RUN echo "nodepool ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nodepool-sudo \
 #    are incoporated into the openstack-ci-core version
 
 COPY tools/openstack-ci-core-ppa.asc /etc/apt/trusted.gpg.d/
+COPY tools/kubic.asc /etc/apt/trusted.gpg.d/
 
 RUN \
   echo "deb http://ppa.launchpad.net/openstack-ci-core/vhd-util/ubuntu focal main" >> /etc/apt/sources.list \
   && echo "deb http://ppa.launchpad.net/openstack-ci-core/debootstrap/ubuntu focal main" >> /etc/apt/sources.list \
+  && echo "deb https://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list \
+  && echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" \
   && apt-get update \
   && apt-get install -y \
       curl \
@@ -90,9 +93,17 @@ RUN \
       yum \
       yum-utils \
       zypper \
+      libseccomp2/buster-backports \
+      podman \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
+# Podman defaults to trying to use systemd to do cgroup things (insert
+# hand-wavy motion) but it's not in the container.
+RUN \
+  mkdir -p /etc/containers \
+  && echo 'cgroup_manager="cgroupfs"' >> /etc/containers/libpod.conf
+
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
     _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
     /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}

playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2

@@ -1,4 +1,8 @@
 version: '3.0'
+
+volumes:
+  nested_var_lib_containers:
+
 services:
   nodepool-builder:
     image: zuul/nodepool-builder{{ nodepool_container_tag|default('') }}
@@ -23,6 +27,8 @@ services:
       - /var/log/nodepool:/var/log/nodepool
       # devstack tls-proxy puts CA here that is referenced by cloud config
       - /opt/stack/data:/opt/stack/data:ro
+      # for nested podman/docker runs (container elements)
+      - nested_var_lib_containers:/var/lib/containers
       # zookeeper certs
       - /opt/zookeeper/ca:/opt/zookeeper/ca:ro
 

tools/kubic.asc

@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
+XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
+GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
+Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
+Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
++yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
+UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
+CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
+ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
+xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
+89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
+PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
+x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
+uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
+t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
+Pu9n
+=42uC
+-----END PGP PUBLIC KEY BLOCK-----