README.md: Document cosa via unprivileged podman as primary

[cgwalters]

The advantages of this are compelling - among others, we don't
need the ACL dance, and it emphasizes how one can do builds as
non-root.

The doc has a lot of sudo podman which I've excised.

A downside of this is it's less documented how to get things
to work with Docker; I didn't try that, but it should be really
easy.

[cgwalters]

The main reason I was working on this is so we can have alt-arch teams just spin up plain bare metal machines with jenkins workers running as non-root and connect to the FCOS Jenkins master in the normal Jenkins way.

Then if we change the pipeline to run podman in this way via plain shell instead of podTemplate, that gives us a fairly decent architecture that supports scheduling builds across architectures while ensuring consistency - (although I think we should still use the Jenkins Kubernetes plugin for other things).

[cgwalters]

I mean, this is tricky because on x86_64 we kind of do want to continue using podTemplate rather than manually managing Jenkins slaves probably, but eh, it shouldn't be too hard to abstract. And anyways we want x86_64 builds to go first and only then do altarches if x86_64 is sane, per this plan.

[dustymabe]

A few comments. Strategy mostly LGTM

[dustymabe]

The main reason I was working on this is so we can have alt-arch teams just spin up plain bare metal machines with jenkins workers running as non-root and connect to the FCOS Jenkins master in the normal Jenkins way.

Then if we change the pipeline to run podman in this way via plain shell instead of podTemplate, that gives us a fairly decent architecture that supports scheduling builds across architectures while ensuring consistency - (although I think we should still use the Jenkins Kubernetes plugin for other things).

Thanks for working on this. Running fully rootless is nice even just in my normal workflow. If it also has side benefits of helping us get to multi-arch support then that's another plus.

[dustymabe]

I'll use the documented cosa bash function for a day or two and see if I hit any problems!

Thanks @cgwalters

[dustymabe]

looks like this variable no longer exists

[dustymabe]

since we are using a static user in the container (the builder user with uid=1000) we need this mapping to be --uidmap=1000:0:1 --uidmap=0:1:1000. The other way will work for users if their uid on their laptop happens to be 1000, but won't work otherwise. In my case I am user with uid 1001.

[dustymabe]

i'm getting an error from cosa buildextend-installer because I think it is running out of space in /var/tmp:

supermin: ext2: creating empty ext2 filesystem '/var/tmp/.guestfs-1000/appliance.d.4x7eb0jg/root'
supermin: ext2: populating from base image
supermin: ext2: copying files from host filesystem
supermin: error: statvfs: No space left on device: /var/tmp/.guestfs-1000/appliance.d.4x7eb0jg/root
libguestfs: error: /usr/bin/supermin exited with error status 1, see debug messages above
libguestfs: trace: launch = -1 (error)
libguestfs: trace: close
libguestfs: closing guestfs handle 0x558c2687a700 (state 0)
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsHTcQf9
fatal: Error running command virt-make-fs

[coreos-assembler]$ df -kh /var/tmp/
Filesystem      Size  Used Avail Use% Mounted on
tmpfs            64M     0   64M   0% /var/tmp

[dustymabe]

seems like this also affects some other commands.. one of them being buildextend-openstack

[cgwalters]

Hmm. Right, as of recently coretoolbox forwards /var/tmp to the host. That's probably the best bet here.

It seems like podman defaults --tmpfs to 64M for unprivileged users? The desktop toolbox reverted a change to make it larger and seems to have /tmp actually persist in the container root filesystem (bad idea).

[dustymabe]

remove the --tmpfs lines fixes it for me.

[cgwalters]

That said...I think it'd be cleaner to move all of our large temporary data into the tmp/ in the builddir so we're using space in just one place.

[cgwalters]

remove the --tmpfs lines fixes it for me.

Yeah but that will break rpm-ostree unless you have a very new fuse-overlayfs.

Also we want /tmp to actually be a tmpfs since that's part of its "ABI"; updated to bind mount /var/tmp for now like coretoolbox does, but I'll also do a separate patch for TMPDIR.

[dustymabe]

one more error I'm seeing now with latest testing-devel branch:

Input state hash: 4e85dc27239a9b29bf903debc0b8cbe5da42c17aa290a291e6f58312ea6cbb76
Will download: 8 packages (13.5?MB)
Downloading from 'fedora-coreos-pool'... done
Importing packages... done
error: Importing package console-login-helper-messages-motdgen: llistxattr: Is a directory
+ rc=1
+ set +x

This is without the --tmpfs lines

[dustymabe]

This is without the --tmpfs lines

and if I update it to --tmpfs /tmp -v /var/tmp:/var/tmp like is done in the current version of this PR then the issue seems to go away, so ignore that previous message.

[dustymabe]

LGTM

[dustymabe]

I think we can merge this now