Option to disable the dnf update from the assemble script

[raedrizk]

The assemble script runs a dnf update by default during the ee build. It would be useful to have the default behavior to not run the update (for consistency, disconnected environments...etc), and instead have an argument to update if desired.

Note: Opening issue in this repo based on the recommendation in ansible/ansible-builder#339

[anshulbehl]

@pabelanger what are your views on this one?

[abenokraitis]

with Paul gone, any ideas on this from anyone?

[pabelanger]

Right now, it would be difficult to support this. Given there are no indexes in the images today, dnf update will refresh them when it runs. That could be split out to only refersh indexes however, when it gets to the bindep phase, it will have to install packages from some place.

tl;dr we update everything in the image, to avoid package conflicts at install time.

[ryanmerolle]

It took me awhile to understand the assemble script originates here in this repo. For awhile I thought it was a binary. dnf update adds public repos back into the yum repo list even if you have deleted said repos and replaced with your own internal yum repo proxies like nexus. My entire ansible-builder process breaks because of my firm not allowing our internal CI to hit public repos not leveraging our yum proxy tool.

Is there anyway you could allow users to override the default repos when running assemble / dnf update if disabling dnf update would not be an option?

[pabelanger]

Yes, it is possible. Right now, disconnected environment out of the box won't work. It would be a fair bit of work to support it. When I was still paid to work on this, #44 was my first attempt to first allow for different mirrors in the build system. I never finished the code.

Even if we fixed dnf update, like I said, the next dnf install is going to be a problem as it will expect the package to live some place. The same goes for pip install, you would still need a pypi mirror some place.

How this works downstream in RedHat, was the build system (brew) injected both pypi and dnf mirrors at image build time. But there was some magic on how the docker build command worked.

Realistically, the HTTP_PROXY variable needs to be honored inside docker, so you could point to your own company proxy and manage the http request there.

[ryanmerolle]

How this works downstream in RedHat, was the build system (brew) injected both pypi and dnf mirrors at image build time. But there was some magic on how the docker build command worked.

Somewhat similar I inject pypi (in the relevant pip config) and yum mirrors (in the relevant repo list config) along with our cert into the various required locations in the ansible-builder leveraged images (builder and runner). I'm probably repeating myself here.

Realistically, the HTTP_PROXY variable needs to be honored inside docker, so you could point to your own company proxy and manage the http request there.

This sounds like an interesting option.

@pabelanger Thanks for even chiming in given you are not paid to work on this anymore.

[metalcated]

I submit this as an method: #51