build container image based on unbase_oci (#10)

.github/workflows/ci.yaml

@@ -12,6 +12,8 @@ permissions:
   contents: read
   pages: write
   id-token: write
+  # Push container images
+  packages: write
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -48,6 +50,27 @@ jobs:
         name: build-artifacts
         path: 'build'
 
+  container-image:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    if: github.ref == 'refs/heads/main'
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up JDK 21
+      uses: actions/setup-java@v4
+      with:
+        java-version: '21'
+        distribution: 'temurin'
+    - run: mkdir -p build
+    - uses: actions/download-artifact@v4
+      with:
+        name: build-artifacts
+        path: build
+    - run: ./build.sh
+    - run: podman push ghcr.io/gardenlinux/glvd-api:edge
+    - run: podman push ghcr.io/gardenlinux/glvd-api:edge_bare
+
   dependency-submission:
 
     runs-on: ubuntu-latest

.gitignore

@@ -35,3 +35,6 @@ out/
 
 ### VS Code ###
 .vscode/
+
+### Unbase OCI ###
+*.oci

Containerfile

@@ -0,0 +1,8 @@
+FROM sapmachine:21-jre-ubuntu
+
+RUN mkdir /opt/glvd
+COPY build/libs/glvd-0.0.1-SNAPSHOT.jar /opt/glvd/glvd.jar
+
+EXPOSE 8080
+
+CMD ["java", "-jar", "/opt/glvd/glvd.jar"]

build.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -eufo pipefail
+
+if [[ ! -f build/libs/glvd-0.0.1-SNAPSHOT.jar ]]; then
+    ./gradlew bootJar
+fi
+
+podman build --tag ghcr.io/gardenlinux/glvd-api:edge .
+
+podman save --format oci-archive ghcr.io/gardenlinux/glvd-api:edge > glvd.oci
+
+podman pull ubuntu:22.04
+podman save --format oci-archive ubuntu:22.04 > ubuntu.oci
+
+./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree ubuntu.oci glvd.oci glvd_bare.oci
+
+image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"
+podman tag "$image" ghcr.io/gardenlinux/glvd-api:edge_bare

exclude

@@ -0,0 +1,3 @@
+var/cache
+var/lib/apt
+var/log

include

@@ -0,0 +1 @@
+tmp

src/main/resources/application.properties

@@ -1,6 +1,6 @@
 spring.application.name=glvd
-spring.datasource.url=jdbc:postgresql://localhost:5432/glvd
+spring.datasource.url=jdbc:postgresql://postgres:5432/glvd
 spring.datasource.username=glvd
 spring.datasource.password=glvd
 spring.sql.init.mode=never
-spring.jpa.properties.javax.persistence.query.timeout=5000
+spring.jpa.properties.javax.persistence.query.timeout=5000

unbase_oci

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -eufo pipefail
+
+container_image=ghcr.io/gardenlinux/unbase_oci:233f4213036fadd4b91b965b4ca71b457f1a6b88
+container_engine=podman
+
+container_mount_opts=()
+
+while [ $# -gt 0 ]; do
+	case "$1" in
+		--container-image)
+			container_image="$2"
+			shift 2
+			;;
+		--container-engine)
+			container_engine="$2"
+			shift 2
+			;;
+		--print-container-image)
+			printf '%s\n' "$container_image"
+			exit 0
+			;;
+		*)
+			break
+			;;
+	esac
+done
+
+args=()
+
+while [ $# -gt 0 ]; do
+	case "$1" in
+		-i|--include|-x|--exclude|--dpkg-include)
+			container_mount_opts+=(-v "$(realpath "$2"):/mnt$(realpath "$2")")
+			args+=("$1" "/mnt$(realpath "$2")")
+			shift 2
+			;;
+		--no-default-include|--no-default-exclude|-d|--dpkg-dependencies|-l|--ldd-dependencies|--print-tree)
+			args+=("$1")
+			shift
+			;;
+		*)
+			break
+			;;
+	esac
+done
+
+container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")")
+[ "$1" = "$2" ] || container_mount_opts+=(-v "$(realpath "$2"):/mnt$(realpath "$2")")
+[ -e "$3" ] || touch "$3"
+container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")")
+args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")")
+
+"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"