Sk/buildah rootless fixes

Dockerfile

@@ -76,6 +76,16 @@ RUN cp /usr/share/ca-certificates/mozilla/* /cit/ssl/certs/
 
 FROM quay.io/buildah/stable:${BUILDAH_VERSION}
 
+# Configure for rootless container execution
+RUN touch /etc/subgid /etc/subuid \
+ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \
+ && echo build:10000:65536 > /etc/subuid \
+ && echo build:10000:65536 > /etc/subgid
+
+# Configure Buildah storage driver
+RUN mkdir -p /home/build/.config/containers \
+ && (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf
+
 #COPY --from=busybox:1.37.0-musl /bin /busybox
 ## Declare /busybox as a volume to get it automatically in the path to ignore
 #VOLUME /busybox
@@ -86,6 +96,11 @@ VOLUME /container-image-tools
 
 COPY --from=skopeo /go/github.com/containers/skopeo/default-policy.json /etc/containers/policy.json
 
+# Buildah configuration for rootless execution
+ENV BUILDAH_ISOLATION=chroot
+ENV BUILDAH_FORMAT=docker
+ENV STORAGE_DRIVER=vfs
+
 ENV PATH=/usr/local/bin:/usr/bin:/container-image-tools/bin
 ENV DOCKER_CONFIG=/container-image-tools/.docker/
 ENV SSL_CERT_DIR=/container-image-tools/ssl/certs

README.md

@@ -1,34 +1,38 @@
 # cookielab/container-image-tools
 
 This container image contains tools for building and managing container images.
-Container is based on scratch but contains minimal shell tools from busybox.
+Container is based on the official Buildah image with additional credential helpers and tools.
 
 ## Tools
 
-- [Busybox](https://hub.docker.com/_/busybox?tab=description)
 - [buildah](https://github.com/containers/buildah/)
 - [Manifest Tool](https://github.com/estesp/manifest-tool)
 - [Skopeo](https://github.com/containers/skopeo)
 - Credential Helpers
   - [ENV](https://github.com/isometry/docker-credential-env) for Docker Hub, GitLab Container Registry etc.
   - [AWS ECR](https://github.com/awslabs/amazon-ecr-credential-helper)
-  - [Google Clous GCR](https://github.com/GoogleCloudPlatform/docker-credential-gcr)
+  - [Google Cloud GCR](https://github.com/GoogleCloudPlatform/docker-credential-gcr)
 
 ## Usage
 
-Build container image and push it to GitLab Registru.
+Build container image and push it to GitLab Registry.
 
 ```shell
 export DOCKER_registry_gitlab_com_USR="${CI_REGISTRY_USER}"
 export DOCKER_registry_gitlab_com_PSW="${CI_REGISTRY_PASSWORD}"
-# TODO: buildah example
+
+# Build image with buildah
+buildah build -t "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" .
+
+# Push image to registry
+buildah push "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
 ```
 
-As you can see we don't need to create any _docker config.json_ file. But wes use power of Creds Helpers.
+As you can see we don't need to create any _docker config.json_ file. But we use power of Creds Helpers.
 In this case ENV Cred Helper.
 
-If you want to build multiarch images with kaniko you need to build separate image on HW with that arch.
-And than join them with manifest.
+If you want to build multiarch images with buildah you need to build separate image on HW with that arch.
+And then join them with manifest.
 
 ```yaml
 include:
@@ -42,11 +46,27 @@ variables:
 build:
   extends: .multiarch
   script:
-    # TODO: replace with buildah example
-    - kaniko --build-arg TARGETARCH="${TARGETARCH}" --destination "${REGISTRY_IMAGE}-${TARGETARCH}"
+    - buildah build --build-arg TARGETARCH="${TARGETARCH}" -t "${REGISTRY_IMAGE}-${TARGETARCH}" .
+    - buildah push "${REGISTRY_IMAGE}-${TARGETARCH}"
 
 build-multiarch:
   extends: .manifest
   needs:
     - build
 ```
+
+### GitLab CI/CD Example
+
+Complete example for building and pushing container images with buildah:
+
+```yaml
+build:
+  stage: build
+  image: cookielab/container-image-tools:latest
+  variables:
+    DOCKER_registry_gitlab_com_USR: "${CI_REGISTRY_USER}"
+    DOCKER_registry_gitlab_com_PSW: "${CI_REGISTRY_PASSWORD}"
+  script:
+    - buildah build -t "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" .
+    - buildah push "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"
+```