Build OpenStack container images with TCIB

TCIB (The Container Image Build) is the tool created by the OpenStack k8s operators project to build the OpenStack service container images used by the operators. The images are built on top of a base EL9 image (such as CentOS Stream 9) and use RPM packages from RDO or similar repositories. TCIB supports RDO releases from Antelope onwards.

The operators project maintains public OpenStack images in the Quay registry for certain RDO versions:

This document provides instructions to build the images locally, which makes it possible to build containers for other, untested OpenStack releases or to apply customizations. A brief introduction to the operators architecture can be found in this doc.

Build TCIB container images locally

This procedure requires a CentOS Stream 9 system where the images will be built.

  1. On your CentOS Stream 9 server, install the desired RDO repos. In this example, the RDO CloudSIG Bobcat 2023.2 repository is used:
$ sudo dnf install -y centos-release-openstack-bobcat
$ sudo dnf install -y centos-release-opstools
$ sudo dnf config-manager --enable crb

The container images require some Ceph packages from the Storage SIG. Follow the instructions on the RDO web page to enable and configure EPEL:

$ sudo dnf install epel-release
$ sudo dnf config-manager --disable epel-next
$ sudo dnf config-manager --disable epel-cisco-openh264
$ sudo dnf config-manager --setopt epel.priority=100 --save epel
$ sudo dnf config-manager --setopt epel.includepkgs="libarrow*,parquet*,python3-asyncssh,re2,python3-grpcio,grpc*,abseil*" --save epel
  2. Install the required packages:
$ sudo dnf install -y buildah podman python3-tcib
  3. Build the container images:
$ openstack tcib container image build --base quay.io/centos/centos:stream9 --distro centos --release 9 --namespace openstack --tag cloudsig-bobcat

You can use your preferred namespace and tag.

Note: in some cases you may want to build only a subset of the images. In that case, copy the /usr/share/tcib/container-images/containers.yaml file, edit the copy to leave only the desired images, and add --config-file <path to custom containers.yaml> to the build command.

This command creates the container images in root's local container storage. You can list them with:

$ sudo podman images
  4. Push the images to an external registry

Typically, the container images need to be available in a registry so that they can be pulled from the OKD cluster where the operators are deployed. You can use podman push for that after creating the images locally, or tcib can push them as part of the build if you add the options --push --registry <registry destination> to the build command. Note that you must log in to the registry before building the images.

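For example, the following commands push the cloudsig-bobcat images to the registry running in an OKD server deployed using CRC. The --tls-verify=false option disables TLS certificate verification for the login, so use it only with a local test registry such as the CRC one: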

$ sudo podman login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing --tls-verify=false
$ openstack tcib container image build --base quay.io/centos/centos:stream9 --distro centos --release 9 --namespace openstack --tag cloudsig-bobcat --push --registry default-route-openshift-image-registry.apps-crc.testing

Note: make sure the namespace exists in the OpenShift cluster; otherwise tcib will fail to push the images to the OpenShift registry.
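
A pre-build check for the EPEL settings applied in step 1, as an added example that is not part of the original instructions or of TCIB: includepkgs limits what dnf can install from EPEL to the listed packages, and priority 100 ranks EPEL below repositories left at the dnf default of 99. It assumes dnf config-manager --save has written the options into the .repo files under /etc/yum.repos.d; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check the EPEL settings from
# step 1 in dnf .repo files (INI format) passed as arguments.

# Allow-list copied from the includepkgs command in step 1.
EXPECTED_PKGS='libarrow*,parquet*,python3-asyncssh,re2,python3-grpcio,grpc*,abseil*'

# repo_opt SECTION KEY FILE...: print the last value of KEY inside [SECTION].
repo_opt() {
    local section="$1" key="$2"; shift 2
    awk -v s="[$section]" -v k="$key" '
        FNR == 1 { in_s = 0 }
        /^[ \t]*\[/ { in_s = ($1 == s); next }
        in_s && (i = index($0, "=")) {
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) v = val
        }
        END { print v }' "$@"
}

# norm_list LIST: one item per line, sorted; dnf accepts commas or spaces.
norm_list() { printf '%s\n' "$1" | tr ', \t' '\n\n\n' | sed '/^$/d' | sort; }

# check_epel_pin FILE...: print each deviation, return 1 if any was found.
check_epel_pin() {
    local rc=0 prio pkgs repo
    [ "$#" -gt 0 ] || { echo "usage: check_epel_pin FILE..." >&2; return 2; }
    prio=$(repo_opt epel priority "$@")
    pkgs=$(repo_opt epel includepkgs "$@")
    if [ "$prio" != 100 ]; then
        echo "epel: priority is '${prio:-unset}', expected 100"; rc=1
    fi
    # An unset includepkgs means every EPEL package is visible to dnf.
    if [ "$(norm_list "$pkgs")" != "$(norm_list "$EXPECTED_PKGS")" ]; then
        echo "epel: includepkgs is '${pkgs:-unset}', expected the step 1 list"; rc=1
    fi
    for repo in epel-next epel-cisco-openh264; do
        # Only an explicit enabled=1 is reported; a missing section is fine.
        if [ "$(repo_opt "$repo" enabled "$@")" = 1 ]; then
            echo "$repo: still enabled"; rc=1
        fi
    done
    return "$rc"
}

# Usage: ./check_epel.sh /etc/yum.repos.d/epel*.repo
if [ "$#" -gt 0 ]; then check_epel_pin "$@"; fi
```

Run it before step 3; a non-zero exit status means the build host can resolve packages from EPEL beyond the list in step 1.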


© Red Hat