From a07bb0a0ae2951c5ca6d4bf7ac6fcd09ea41f73f Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Thu, 8 Oct 2020 17:59:29 +1100
Subject: [PATCH] Install podman in container for container-based builds
This installs podman inside the nodepool container, which is used by the dependent change in DIB to extract initial chroot environments from upstream containers. This eliminates the need to run non-native tools on build hosts (rpm/zypper on Ubuntu, etc.). As noted in the config, podman defaults to assuming systemd is installed and using various systemd interfaces. Additionally, we map the a volume into the container which allows nested podman to do what it needs to do.
Needed-By: https://review.opendev.org/700083
Change-Id: I6722aa2b32db57e099dae4417955a8a2cd28847e
---
 Dockerfile | 11 ++++++++++
 .../templates/docker-compose.yaml.j2 | 6 ++++++
 tools/kubic.asc | 21 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 tools/kubic.asc
diff --git a/Dockerfile b/Dockerfile
index 83f7b3b3a..2688da628 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,10 +69,13 @@ RUN echo "nodepool ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nodepool-sudo \
 # are incoporated into the openstack-ci-core version
 COPY tools/openstack-ci-core-ppa.asc /etc/apt/trusted.gpg.d/
+COPY tools/kubic.asc /etc/apt/trusted.gpg.d/
 RUN \
 echo "deb http://ppa.launchpad.net/openstack-ci-core/vhd-util/ubuntu focal main" >> /etc/apt/sources.list \
 && echo "deb http://ppa.launchpad.net/openstack-ci-core/debootstrap/ubuntu focal main" >> /etc/apt/sources.list \
+ && echo "deb https://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list \
+ && echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" \
 && apt-get update \
 && apt-get install -y \
 curl \
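Review bot: `COPY tools/kubic.asc /etc/apt/trusted.gpg.d/` makes the kubic signing key a trusted signer for every apt source configured in this image (Debian, buster-backports and the two PPAs), not only the kubic repository it belongs to, so the blast radius of that one key is the whole package set. apt on buster can scope a key to a single source: keep the key outside trusted.gpg.d and reference it from the new list entry, i.e. `COPY tools/kubic.asc /usr/share/keyrings/kubic.asc` and `deb [signed-by=/usr/share/keyrings/kubic.asc] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /`. The existing openstack-ci-core-ppa.asc copy follows the same global-trust pattern, which this change does not have to fix, but the new key need not repeat it. A comment above the COPY recording where tools/kubic.asc was fetched from and its fingerprint would let a later reviewer verify the key blob, which cannot be checked by eye. The RUN this hunk edits continues past the hunk's last line.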
@@ -90,9 +93,17 @@ RUN \
 yum \
 yum-utils \
 zypper \
+ libseccomp2/buster-backports \
+ podman \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
+# Podman defaults to trying to use systemd to do cgroup things (insert
+# hand-wavy motion) but it's not in the container.
+RUN \
+ mkdir -p /etc/containers \
+ && echo 'cgroup_manager="cgroupfs"' >> /etc/containers/libpod.conf
+
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
 _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
 /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}
diff --git a/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2 b/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2
index 7477ba9dd..b28b3c1af 100644
--- a/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2
+++ b/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2
@@ -1,4 +1,8 @@
 version: '3.0'
+
+volumes:
+ nested_var_lib_containers:
+
 services:
 nodepool-builder:
 image: zuul/nodepool-builder{{ nodepool_container_tag|default('') }}
@@ -23,6 +27,8 @@ services:
 - /var/log/nodepool:/var/log/nodepool
 # devstack tls-proxy puts CA here that is referenced by cloud config
 - /opt/stack/data:/opt/stack/data:ro
+ # for nested podman/docker runs (container elements)
+ - nested_var_lib_containers:/var/lib/containers
 # zookeeper certs
 - /opt/zookeeper/ca:/opt/zookeeper/ca:ro
diff --git a/tools/kubic.asc b/tools/kubic.asc
new file mode 100644
index 000000000..704c04b47
--- /dev/null
+++ b/tools/kubic.asc
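Review bot: The `echo 'cgroup_manager="cgroupfs"' >> /etc/containers/libpod.conf` line writes to the legacy podman configuration file; podman 2.x reads /etc/containers/containers.conf instead, with the same setting under an `[engine]` section, so if the kubic stable repository added in the previous hunk delivers a 2.x podman this line may have no effect and podman would still reach for systemd. Worth checking the podman version that actually lands in the image and, if it is 2.x, writing `[engine]` and `cgroup_manager = "cgroupfs"` into containers.conf (keeping libpod.conf only if an older podman is also expected). A comment naming the podman version the file is written for would make the intent checkable when the repository moves on.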
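Review bot: `nested_var_lib_containers` is a named volume, so the image layers and container state that nested podman writes under /var/lib/containers outlive `docker-compose down` unless the volume is removed explicitly, and a rerun of this template on the same host would start from the previous run's storage. Whether that is intended depends on how the playbook tears the stack down, which is outside this hunk; if a clean slate per run is expected the teardown should drop the volume, and either way the added comment could say so, e.g. `# for nested podman/docker runs (container elements); named volume, persists until removed`.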
@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
+XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
+GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
+Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
+Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
++yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
+UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
+CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
+ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
+xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
+89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
+PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
+x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
+uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
+t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
+Pu9n
+=42uC
+-----END PGP PUBLIC KEY BLOCK-----