From aae17241d8963666834ac02af32f81a2df0c3608 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 30 Jan 2025 17:23:20 -0500
Subject: [PATCH] Rework to stop using removed buildah feature

We can't rely on https://github.com/containers/buildah/issues/5952
anymore.

Signed-off-by: Colin Walters <walters@verbum.org>
---
 .gitlab-ci.yml     | 13 ++++++++++---
 Containerfile      | 19 +------------------
 Containerfile.base | 22 +++++++---------------
 3 files changed, 18 insertions(+), 36 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ef4c96e..54c9329 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,12 +6,19 @@ variables:
 
 .build-image:
   stage: build
-  image: quay.io/buildah/stable:v1.38.0
+  # For newer rpm-ostree
+  image: registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide
   needs: []
 
 build:
   extends: .build-image
   stage: build
   script: |
-    buildah bud -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base .
-    buildah bud -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard .
+    # Necessary for nested containerization
+    export BUILDAH_ISOLATION=chroot
+    podman build -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --from=${IMAGE_PREFIX}-base:tmp --output containers-storage:${IMAGE_PREFIX}-base
+    podman build -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .
+    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --from=${IMAGE_PREFIX}-standard:tmp --output containers-storage:${IMAGE_PREFIX}-standard
diff --git a/Containerfile b/Containerfile
index f21a91e..49bd956 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,7 +1,7 @@
 # This generates the default base image.
 
 # This is a local reference by default because we haven't shipped this image yet.
-FROM localhost/fedora-bootc:base as rootfs
+FROM localhost/fedora-bootc:base
 # Drop our package sets into /usr/share/doc, so that other things can parse it
 COPY packages*.txt /usr/share/doc/fedora-bootc/
 # Overlay our defaults
@@ -40,20 +40,3 @@ dnf clean all
 rm -vrf /var/log /var/cache /var/lib/dnf
 bootc container lint
 EORUN
-
-# This image just needs rpm-ostree in the end that has
-# https://github.com/coreos/rpm-ostree/issues/5221
-FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder
-RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=from=rootfs,dst=/rootfs <<EORUN
-set -xeuo pipefail
-rm /buildcontext/out.oci -rf
-rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
-           --rootfs=/rootfs --output /buildcontext/out.oci
-EORUN
-
-FROM oci:./out.oci
-# Need to reference builder here to force ordering. But since we have to run
-# something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.oci -rf
diff --git a/Containerfile.base b/Containerfile.base
index 689976a..c29b1ec 100644
--- a/Containerfile.base
+++ b/Containerfile.base
@@ -10,15 +10,12 @@
 FROM quay.io/fedora/fedora:rawhide as repos
 
 # BOOTSTRAPPING: This can be any image that has the following packages.
-FROM quay.io/fedora/fedora:rawhide as builder
+FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder
 RUN dnf -y install rpm-ostree selinux-policy-targeted sqlite
 # Copy in our source code.
 COPY . /src
 WORKDIR /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,from=repos,target=/repos \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
+RUN --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
 set -xeuo pipefail
 # Synchronize the dnf/rpm configs from the repos container.
 for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
@@ -26,13 +23,12 @@ for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
 done
 # And copy to the workdir; TODO fix this in rpm-ostree
 cp /etc/yum.repos.d/*.repo base
-rpm-ostree compose image \
-    --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \
-    --source-root=/repos /buildcontext/out.ociarchive
+env RUST_LOG=debug rpm-ostree experimental compose rootfs --source-root=/repos base/manifest.yaml /target-rootfs
 EORUN
 
-# This pulls in the OCI archive generated in the previous step.
-FROM oci-archive:./out.ociarchive
+# This pulls in the rootfs generated in the previous step
+FROM scratch
+COPY --from=builder /target-rootfs/ /
 LABEL containers.bootc 1
 # This is an ad-hoc way for us to reference bootc-image-builder in
 # a way that in theory client tooling can inspect and find. Today
@@ -43,8 +39,4 @@ ENV container=oci
 # Make systemd the default
 STOPSIGNAL SIGRTMIN+3
 CMD ["/sbin/init"]
-# Need to reference builder here to force ordering. But since we have to run
-# something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+