From 2d2a2ef277725b06ca2dd10ff6abb87be2edfdbf Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi@scylladb.com>
Date: Tue, 29 Apr 2025 20:38:27 +0300
Subject: [PATCH] tools: toolchain: dbuild: support nested containers

Pass through the local containers directory (it cannot
be bind-mounted to /var/lib/containers since podman checks
the path hasn't changed) with overrides to the paths. This
allows containers to be created inside the dbuild container,
so we can enlist pre-packaged software (such as opensearch)
in test.py. If the container images are already downloaded
in the host, they won't be downloaded again.

It turns out that the container ecosystem doesn't support
nested network namespaces well, so we configure the outer
container to use host networking for the inner containers.
It's useful anyway.

The frozen toolchain now installs podman and buildah so
there's something to actually drive those nested containers.
We disable weak dnf dependencies to avoid installing qemu.

The frozen toolchain is regenerated with optimized clang from

  https://devpkg.scylladb.com/clang/clang-19.1.7-Fedora-41-aarch64.tar.gz
  https://devpkg.scylladb.com/clang/clang-19.1.7-Fedora-41-x86_64.tar.gz

Closes scylladb/scylladb#24020
---
 install-dependencies.sh    |  3 +++
 tools/toolchain/Dockerfile |  1 +
 tools/toolchain/dbuild     | 16 ++++++++++++++++
 tools/toolchain/image      |  2 +-
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/install-dependencies.sh b/install-dependencies.sh
index 66a47446cf..a2b9c25641 100755
--- a/install-dependencies.sh
+++ b/install-dependencies.sh
@@ -132,6 +132,9 @@ fedora_packages=(
     fipscheck
     cpp-jwt-devel
 
+    podman
+    buildah
+
     https://github.com/scylladb/cassandra-stress/releases/download/v3.17.5/cassandra-stress-3.17.5-1.noarch.rpm
 )
 
diff --git a/tools/toolchain/Dockerfile b/tools/toolchain/Dockerfile
index 3d8d11b5cd..1cfc3df0d0 100644
--- a/tools/toolchain/Dockerfile
+++ b/tools/toolchain/Dockerfile
@@ -4,6 +4,7 @@ ARG CLANG_BUILD="SKIP"
 ARG CLANG_ARCHIVES
 
 WORKDIR /mnt
+RUN echo install_weak_deps=False >> /etc/dnf/dnf.conf
 RUN dnf -y update \
     && dnf -y install 'dnf-command(copr)' \
     && dnf -y install ccache \
diff --git a/tools/toolchain/dbuild b/tools/toolchain/dbuild
index ebdd0df23a..5fabe6b1e5 100755
--- a/tools/toolchain/dbuild
+++ b/tools/toolchain/dbuild
@@ -32,6 +32,7 @@ here="$(realpath $(dirname "$0"))"
 toplevel="$(realpath "$here/../..")"
 group_args=()
 docker_args=()
+tmpfiles=()
 image="$(<"$here/image")"
 
 for gid in $(id -G); do
@@ -161,8 +162,22 @@ else
     # --pids-limit is not supported on podman with cgroupsv1
     # detection code from
     #   https://unix.stackexchange.com/questions/617764/how-do-i-check-if-system-is-using-cgroupv1
+    containers_conf="$(mktemp)"
+    tmpfiles+=("$containers_conf")
+    cat > "$containers_conf" <<EOF
+[engine]
+static_dir = "$HOME/.local/share/containers/storage/libpod"
+volume_path = "$HOME/.local/share/containers/storage/libpod"
+
+[containers]
+# netns = private, the default, doesn't work in nested containers,
+# and we don't mind using the host network anyway.
+netns = "host"
+EOF
     if grep -q 'cgroup2.*/sys/fs/cgroup ' /proc/mounts; then
         docker_common_args+=(
+            -v "$HOME/.local/share/containers:$HOME/.local/share/containers"
+            -v "$containers_conf:/etc/containers/containers.conf.d/nested.conf"
             --pids-limit -1
             --annotation run.oci.keep_original_groups=1
         )
@@ -222,6 +237,7 @@ cleanup() {
     if [ -v TMP_PASSWD ]; then
         rm -f "$TMP_PASSWD"
     fi
+    rm -f "${tmpfiles[@]}"
 }
 
 if [[ -n "$interactive" || -n "$is_podman" ]]; then
diff --git a/tools/toolchain/image b/tools/toolchain/image
index c1855aa3e0..7a1157c29f 100644
--- a/tools/toolchain/image
+++ b/tools/toolchain/image
@@ -1 +1 @@
-docker.io/scylladb/scylla-toolchain:fedora-41-20250410
+docker.io/scylladb/scylla-toolchain:fedora-41-20250505