rpm-ostree: add hermetic option

STONEBLD-2281 With HERMETIC=true, the rpm-ostree build will have its network access disabled. This is done by setting --network=none for the podman container executed on the remote VM (which runs the rpm-ostree command). Note that rpm-ostree has an --offline option, but it doesn't do anything useful for hermetic builds. Just prints a warning when RPMs have to be downloaded. Signed-off-by: Adam Cmiel <[email protected]>
konflux-ci · Apr 10, 2024 · 375ca7d · 375ca7d
1 parent fe3f1df
commit 375ca7d
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml
@@ -52,6 +52,10 @@ spec:
     name: CONFIG_FILE
     type: string
     default: ""
+  - default: "false"
+    description: Determines if build will be executed without network access.
+    name: HERMETIC
+    type: string
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -77,6 +81,8 @@ spec:
       value: $(params.BUILDER_IMAGE)
     - name: CONFIG_FILE
       value: $(params.CONFIG_FILE)
+    - name: HERMETIC
+      value: $(params.HERMETIC)
     computeResources: {}
   steps:
   - env:
@@ -146,12 +152,19 @@ spec:
       fi
 
       rpm-ostree compose image --initialize --format oci $CONFIG_FILE_ARG "source/$IMAGE_FILE" rhtap-final-image
-
       REMOTESSHEOF
+
+      if [ "$HERMETIC" = "true" ]; then
+        network_opt="--network=none"
+      else
+        network_opt=""
+      fi
+
       chmod +x scripts/script-build.sh
       rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
       ssh $SSH_ARGS "$SSH_HOST" \
         podman run \
+          $network_opt \
           --mount type=bind,source=$BUILD_DIR/tmp,target=/var/tmp,relabel=shared \
           --privileged \
           -e CONTEXT="$CONTEXT" \