[libvirt-jenkins-ci PATCH] dco: build and publish a container image for DCO check

Daniel P. Berrangé berrange at redhat.com
Wed Apr 8 14:26:20 UTC 2020 

On Wed, Apr 08, 2020 at 04:21:31PM +0200, Andrea Bolognani wrote:
> On Wed, 2020-04-08 at 12:54 +0100, Daniel P. Berrangé wrote:
> > This builds a container image containing the DCO checking script.
> > It is then published at:
> > 
> >    registry.gitlab.com/libvirt/libvirt-jenkins-ci/check-dco:master
> > 
> > from where it can be used in all other project repositories. This
> > avoids having to copy the check-dco.py script into every repo
> > when we want to make changes to it.
> 
> So the idea is that the current dco job in, for example, libvirt,
> will become
> 
>   dco:
>     stage: prebuild
>     script:
>       - /check-dco.py
>     image: registry.gitlab.com/libvirt/libvirt-jenkins-ci/check-dco:master
> 
> and the same job will be added for all other projects, correct?

Yeah, exactly.

> 
> > +.build_container_template: &build_container_definition
> > +  image: docker:stable
> > +  stage: containers
> > +  services:
> > +    - docker:dind
> 
> TIL: dind means "Docker in Docker".
> 
> > +  before_script:
> > +    - docker info
> > +    - docker login registry.gitlab.com -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD}
> 
> For those following along at home, these variables are set
> automatically by GitLab:
> 
>   https://gitlab.com/help/ci/variables/predefined_variables.md
> 
> > +  script:
> > +    - docker build --tag ${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_REF_SLUG} -f ${NAME}/Dockerfile ${NAME}
> 
> The '-f ${NAME}/Dockerfile' part is unnecessary, because Dockerfile
> is the default name 'docker build' looks for and it will already
> enter the directory you provided (it wouldn't find the script
> otherwise).

Oh yes.

> > +    - docker push ${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_REF_SLUG}
> 
> I'm not super happy about returning to the image:master naming
> convention, because most tooling around containers will expect the
> tag name to be 'latest' and we had just recently managed to adopt it
> throughout, but of course we need to make sure containers build off
> branches do not overwrite the known good image built from master...

We could have conditional logic that changes it to "latest" if
$CI_COMMIT_REF_SLUG == "master"

> I was going to suggest that, once the Jenkins stuff has been removed,
> we could rename the repository to lcitool, but maybe we should call
> it libvirt-ci instead? Or even just ci for that matter: we already
> have a number of non-prefixed repositories, and if they contain
> internal tools rather than projects that are intended to be released
> and distributed I think that's perfectly fine and if anything
> highlights the distinction.

Yeah, I was about to suggest that we just rename this to "libvirt-ci",
and accept the short term pain for people with broken URLs.

It is highly desirable to avoid very short, generic names like "ci",
because when you fork a repo into your own namespace, the repo names
must match and thus you risk a clash if you've forked a repo called
"ci" from an unrelated project.


> 
> > +++ b/check-dco/Dockerfile
> > @@ -0,0 +1,6 @@
> > +FROM centos:8
> > +
> > +RUN dnf -y install python3 git && \
> > +    dnf -y clean all
> > +
> > +COPY check-dco.py check-dco.py
> 
> I suggest using an absolute path for the destination for clarity,
> though it shouldn't actually make a difference.
> 
> Can we call the script "check-dco" without the .py suffix? The
> language used is an implementation detail that users will not be
> interested in.

Sure, we can drop the .py

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list