Containerfiles: move logic to separate shell script

The OCP builder API path isn't parsing the heredoc correctly for some
reason:

     error: build error: EOF: unterminated heredoc

This will be fixed by openshift/builder#469.

Anyway, just work around this for now by moving all the logic to
scripts. It does make the Containerfiles cleaner at least now that it
has gotten so larger and we get syntax highlighting, ShellCheck, etc...
so probably for the best.

Author: jlebon

Containerfile

@@ -29,48 +29,7 @@
 
 FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build
 ARG OPENSHIFT_CI=0
-RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo <<EOF
-    set -xeuo pipefail
-
-    # Avoid shipping modified .pyc files. Due to
-    # https://github.com/ostreedev/ostree/issues/1469, any Python apps that
-    # run (e.g. dnf) will cause pyc creation. We do this by backing them up and
-    # restoring them at the end.
-    find /usr -name '*.pyc' -exec mv {} {}.bak \;
-
-    # fetch repos from in-cluster mirrors if we're running in OpenShift CI
-    if [ "${OPENSHIFT_CI}" != 0 ]; then
-        /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
-    fi
-
-    source /etc/os-release
-
-    # XXX: For SCOS, only allow certain packages to come from ART; everything else
-    # should come from CentOS. We should eventually sever this.
-    if [ $ID = centos ]; then
-        # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on."
-        awk "/\[.*\]/{p=0} /\[rhel-9.6-server-ose-4.19\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp
-        sed -i -e 's,rhel-9.6-server-ose-4.19,rhel-9.6-server-ose-4.19-okd,' /etc/yum.repos.d/okd.repo.tmp
-        echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*' >> /etc/yum.repos.d/okd.repo.tmp
-        mv /etc/yum.repos.d/okd.repo{.tmp,}
-    fi
-
-    # XXX: patch cri-o spec to use tmpfiles
-    # https://github.com/CentOS/centos-bootc/issues/393
-    mkdir -p /var/opt
-
-    # this is where all the real work happens
-    rpm-ostree experimental compose treefile-apply \
-        --var id=$ID /run/src/packages-openshift.yaml
-
-    # cleanup the repo file we injected
-    if [ "${OPENSHIFT_CI}" != 0 ]; then
-        rm /etc/yum.repos.d/ocp.repo
-    fi
-
-    find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
-    ostree container commit
-EOF
+RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh
 
 FROM build as metadata
 RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-metadata

build-node-image.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script builds the OpenShift node image. It's called from `Containerfile`.    set -xeuo pipefail
+
+# Avoid shipping modified .pyc files. Due to
+# https://github.com/ostreedev/ostree/issues/1469, any Python apps that
+# run (e.g. dnf) will cause pyc creation. We do this by backing them up and
+# restoring them at the end.
+find /usr -name '*.pyc' -exec mv {} {}.bak \;
+
+# fetch repos from in-cluster mirrors if we're running in OpenShift CI
+if [ "${OPENSHIFT_CI}" != 0 ]; then
+    /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
+fi
+
+source /etc/os-release
+
+# XXX: For SCOS, only allow certain packages to come from ART; everything else
+# should come from CentOS. We should eventually sever this.
+if [ $ID = centos ]; then
+    # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on."
+    awk "/\[.*\]/{p=0} /\[rhel-9.6-server-ose-4.19\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp
+    sed -i -e 's,rhel-9.6-server-ose-4.19,rhel-9.6-server-ose-4.19-okd,' /etc/yum.repos.d/okd.repo.tmp
+    echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*' >> /etc/yum.repos.d/okd.repo.tmp
+    mv /etc/yum.repos.d/okd.repo{.tmp,}
+fi
+
+# XXX: patch cri-o spec to use tmpfiles
+# https://github.com/CentOS/centos-bootc/issues/393
+mkdir -p /var/opt
+
+# this is where all the real work happens
+rpm-ostree experimental compose treefile-apply \
+    --var id=$ID /run/src/packages-openshift.yaml
+
+# cleanup the repo file we injected
+if [ "${OPENSHIFT_CI}" != 0 ]; then
+    rm /etc/yum.repos.d/ocp.repo
+fi
+
+find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
+ostree container commit

extensions/Dockerfile

@@ -7,28 +7,7 @@ RUN mkdir /os
 WORKDIR /os
 ADD . .
 ARG OPENSHIFT_CI=0
-RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo <<EOF
-    set -xeuo pipefail
-
-    # fetch repos from in-cluster mirrors if we're running in OpenShift CI
-    if [ "${OPENSHIFT_CI}" != 0 ]; then
-        /run/src/ci/get-ocp-repo.sh ocp.repo
-    fi
-
-    . /etc/os-release
-    # XXX: we can drop the rhcos check once we've dropped the `ocp-rhel-9.6` variant
-    if [ $ID = rhel ] || [ $ID = rhcos ]; then
-        MANIFEST="manifest-rhel-9.6.yaml"
-        EXTENSIONS="extensions-ocp-rhel-9.6.yaml"
-    else
-        MANIFEST="manifest-c9s.yaml"
-        EXTENSIONS="extensions-okd-c9s.yaml"
-    fi
-
-    rpm-ostree compose extensions --rootfs=/ \
-        --output-dir=/usr/share/rpm-ostree/extensions/ \
-        "${MANIFEST}" "${EXTENSIONS}"
-EOF
+RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo extensions/build.sh
 
 ## Creates the repo metadata for the extensions.
 ## This uses Fedora as a lowest-common-denominator because it will work on

extensions/build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# fetch repos from in-cluster mirrors if we're running in OpenShift CI
+if [ "${OPENSHIFT_CI}" != 0 ]; then
+    ci/get-ocp-repo.sh ocp.repo
+fi
+
+. /etc/os-release
+# XXX: we can drop the rhcos check once we've dropped the `ocp-rhel-9.6` variant
+if [ $ID = rhel ] || [ $ID = rhcos ]; then
+    MANIFEST="manifest-rhel-9.6.yaml"
+    EXTENSIONS="extensions-ocp-rhel-9.6.yaml"
+else
+    MANIFEST="manifest-c9s.yaml"
+    EXTENSIONS="extensions-okd-c9s.yaml"
+fi
+
+rpm-ostree compose extensions --rootfs=/ \
+    --output-dir=/usr/share/rpm-ostree/extensions/ \
+    "${MANIFEST}" "${EXTENSIONS}"
+