Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "pkg_collect" [email protected]:w9n/linuxkit.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

I don't understand the explanation for this PR (maybe I'm missing some context).

Could you first describe which problem you try to solve?

added some context to the description.

When writing a moby yml I do not care about the container version and hashes (only if I specifically want to stay with a version) and would like to simplify the process of writing them. I also do not want to keep track of all pkg version I use downstream and update them manually when something changes upstream

I have a hard time understanding how that would work with immutable images (which is what LinuxKit is all about).

I think this might be easier to understand if you gave sample .yml files for what it would look like if this were in place?

i basically thought of a not buildable config

kernel:
  image: linuxkit/kernel:4.9.58
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
init:
  - linuxkit/init:mutable
  - linuxkit/runc:mutable
  - linuxkit/containerd:82be2bbb7cf83bab161ffe2a64624ba1107725ff
  - linuxkit/ca-certificates:mutable
onboot:
  - name: sysctl
    image: linuxkit/sysctl:mutable
  - name: rngd1
    image: linuxkit/rngd:mutable
    command: ["/sbin/rngd", "-1"]
services:
  - name: getty
    image: linuxkit/getty:mutable
    env:
     - INSECURE=true
  - name: rngd
    image: linuxkit/rngd:mutable
  - name: dhcpcd
    image: linuxkit/dhcpcd:mutable
  - name: sshd
    image: linuxkit/sshd:mutable
files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
    mode: "0600"
    optional: true
trust:
  org:
    - linuxkit

when used with linuxkit pkg collect --pkgroot /path/to/repo/linuxkit ssh-mutable.yml creates a new file artifacts/ssh-vXYZ.yml with the most current hashes of pkgroot

kernel:
  image: linuxkit/kernel:4.9.58
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
init:
  - linuxkit/init:42a92119e1ca10380e0d33e26c0cbcf85b9b3558
  - linuxkit/runc:817fdc592eac6cb7804fa1721a43a7f6e23fb50f
  - linuxkit/containerd:82be2bbb7cf83bab161ffe2a64624ba1107725ff
  - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
onboot:
  - name: sysctl
    image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
  - name: rngd1
    image: linuxkit/rngd:842e5e8ece7934f0cab9fd0027b595ff3471e5b9
    command: ["/sbin/rngd", "-1"]
services:
  - name: getty
    image: linuxkit/getty:626ccc8e1766c40447f29a790d3a7cfff126f2a2
    env:
     - INSECURE=true
  - name: rngd
    image: linuxkit/rngd:842e5e8ece7934f0cab9fd0027b595ff3471e5b9
  - name: dhcpcd
    image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
  - name: sshd
    image: linuxkit/sshd:f55ec010619e19178d5daecb4e595e84ecbf7d67
files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
    mode: "0600"
    optional: true
trust:
  org:
    - linuxkit

I think the main practical reason is to use it in CI where it is necessary to know which pkg has changed to not rebuild everything on a merge. It also gives gives rollback capabilities outside the git history.

But I reevaluated priorities and think its a nice to have but linuxkit is working fine now and i dont think its worth the moby dep. I might create a little external tool for practicing, but low priority.

There is a different problem that a container linuxkit/sshd:f55ec010619e19178d5daecb4e595e84ecbf7d67 is not really immutable because it pulls latest alpine packages on container build time. The current Hash is needed for multi arch but by creating ymls as artifacts it might be possible to use real hashes of a container and make the yml artifacts platform specific. But this gets out of scope for me.

So, is this basically a way of saying, "for some packages, I want the latest available hash at build time"?

yep, but still create the immutable ymls so its reproducable what has been build and compare what has been changed.

So rather than the usual moby .yml, it kind of is a moby "template" .yml, that gets parsed to generate the real .yml with immutable hashes? Still immutable, but somewhat easier to maintain?

exactly. It would enable other possibilities as well as described above but there might be other ideas for CI and real hashes.

OK, I get it now; want to think it over somewhat. @rn had commented earlier; let's see his thoughts.

I am going to rename the issue.

This would be better done in the moby tool as it handles the build YAML files. There are two related proposals:

• ability to override the images in a configuration file moby/tool#95
• [RFC] Add support for an option .mobytags file moby/tool#101

Ah yes, the .mobytags and overrides proposals.

@w9n does that address the question?

yes, it pretty much goes is in the right direction. I will read and think about the related Issues and PRs in the next days.

I'm still catching up on my post PTO backlog(s) so I haven't fully grokked this one yet, but one quick though I had was that what is called foo:mutable here would be called foo:latest in many other contexts.

i didnt choose foo:latest because it can conflict with other contexts. But can maybe be prevented if carefully designed. I created a proper proposal.

Since moby became a dependency this works now depending on moby/tool#194 linuxkit pkg collect --pkgroot ~/go/src/github.com/linuxkit/linuxkit/pkg test.yml

kernel:
  image: linuxkit/kernel:4.9.58
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
init:
  - linuxkit/init:<latest>
  - linuxkit/runc:<latest>
  - linuxkit/containerd:82be2bbb7cf83bab161ffe2a64624ba1107725ff
  - linuxkit/ca-certificates:<latest>
onboot:
  - name: sysctl
    image: linuxkit/sysctl:<latest>
  - name: rngd1
    image: linuxkit/rngd:<latest>
    command: ["/sbin/rngd", "-1"]
services:
  - name: getty
    image: linuxkit/getty:<latest>
    env:
     - INSECURE=true
  - name: rngd
    image: linuxkit/rngd:<latest>
  - name: dhcpcd
    image: linuxkit/dhcpcd:<latest>
  - name: sshd
    image: linuxkit/sshd:<latest>
files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
    mode: "0600"
    optional: true
trust:
  org:
    - linuxkit

kernel:
  image: linuxkit/kernel:4.9.58
  cmdline: console=tty0 console=ttyS0 console=ttyAMA0
init:
- linuxkit/init:9250948d0de494df8a811edb3242b4584057cfe4
- linuxkit/runc:abc3f292653e64a2fd488e9675ace19a55ec7023
- linuxkit/containerd:82be2bbb7cf83bab161ffe2a64624ba1107725ff
- linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
onboot:
- name: sysctl
  image: linuxkit/sysctl:ce3bde5118a41092f1b7048c85d14fb35237ed45
- name: rngd1
  image: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
  command:
  - /sbin/rngd
  - "-1"
onshutdown: []
services:
- name: getty
  image: linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
  env:
  - INSECURE=true
- name: rngd
  image: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
- name: dhcpcd
  image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
- name: sshd
  image: linuxkit/sshd:ac5e8364e2e9aa8717a3295c51eb60b8c57373d5
trust:
  org:
  - linuxkit
files:
- path: root/.ssh/authorized_keys
  directory: false
  source: ~/.ssh/id_rsa.pub
  optional: true
  mode: "0600"

_
I would like to have a file like ~/.linuxkit.conf where i can specify multiple pkg roots.
It could also easily be upgraded to support version tags in that file (as proposed in moby/tool#101 ) or in the build.yml in the pkg directory.

I don't understand what the output of linuxkit bake example/linuxkit_template.yml is. Does it output another file, modify the existing file or do a build?

It's a new file which you can pass to linuxkit build (after archiving it for reproducibility purposes etc).

Does it output to stdout or what? This needs to be documented properly.

Okay, so I could live with this somewhere:

tags:
    - name: v1.0
        init: some_hash
        dhcp: some_hash
    - name: v2.0
        init: some_other_hash
        dhcp: another_hash

Its basically the same information as if tags -> hashes would be in build.yml(what i proposed) just at a different location (undecided if this is the better position or just a cache). The advantage is that you can e.g. hotfix v1.0 or what else for one pkg without influencing everything else.

@justincormack yes its writing to stdout and logging to stderr but i could also give it a -o multiflag if wished.

@w9n please read my comment #2648 (comment). Could we initially focus on the templating stuff itself (ie replacing <latest> with the hash of the package). It seem separate from the version tags and both @ijc and myself are not sure if we should handle the version tags that way, ie by extending build.yml

Do you have an example for a baked YAML file. It would be useful if it would contain comments at the top stating that the file was generated, and ideally also the HEAD of the package repositories used to generate it. I would check in the generated file and this info would be useful. The first part (the log) is written to stderr, so that stdout can be piped anywhere.

added ###----------- AUTO-GENERATED--------### to the output. Here is the output of linuxkit bake linuxkit_template.yml. I dont think i could easily print a comment above an image field in a moby structure when marshalling the yml.

EDIT: I would need to make a git method public (or hack together something) to get the hash of a pkgroot for a comment in the bake or cli context.

template: linuxkit/ca-certificates:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/ca-certificates
  hashed: linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
--------------------------
template: linuxkit/containerd:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/containerd
  hashed: linuxkit/containerd:e58a382c33bb509ba3e0e8170dfaa5a100504c5b
--------------------------
template: linuxkit/dhcpcd:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/dhcpcd
  hashed: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
--------------------------
template: linuxkit/getty:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/getty
  hashed: linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
--------------------------
template: linuxkit/init:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/init
  hashed: linuxkit/init:5a577d070817b4f17821657823082651baafd4ed
--------------------------
template: linuxkit/rngd:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/rngd
  hashed: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
--------------------------
template: linuxkit/runc:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/runc
  hashed: linuxkit/runc:abc3f292653e64a2fd488e9675ace19a55ec7023
--------------------------
template: linuxkit/sysctl:<latest>
    path: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/sysctl
  hashed: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
--------------------------
###----------- AUTO-GENERATED--------###
kernel:
  image: linuxkit/kernel:4.9.75
  cmdline: console=tty0 console=ttyS0 console=ttyAMA0
init:
- linuxkit/init:5a577d070817b4f17821657823082651baafd4ed
- linuxkit/runc:abc3f292653e64a2fd488e9675ace19a55ec7023
- linuxkit/containerd:e58a382c33bb509ba3e0e8170dfaa5a100504c5b
- linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
onboot:
- name: sysctl
  image: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
- name: dhcpcd
  image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
  command:
  - /sbin/dhcpcd
  - --nobackground
  - -f
  - /dhcpcd.conf
  - "-1"
onshutdown:
- name: shutdown
  image: busybox:latest
  command:
  - /bin/echo
  - so long and thanks for all the fish
services:
- name: getty
  image: linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
  env:
  - INSECURE=true
- name: rngd
  image: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
- name: nginx
  image: nginx:alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  binds:
  - /etc/resolv.conf:/etc/resolv.conf
trust:
  org:
  - linuxkit
  - library
files:
- path: etc/containerd/config.toml
  directory: false
  contents: |
    state = "/run/containerd"
    root = "/var/lib/containerd"
    snapshotter = "io.containerd.snapshotter.v1.overlayfs"
    differ = "io.containerd.differ.v1.base-diff"
    subreaper = false

    [grpc]
    address = "/run/containerd/containerd.sock"
    uid = 0
    gid = 0

    [debug]
    address = "/run/containerd/debug.sock"
    level = "info"

    [metrics]
    address = ":13337"
  optional: false
- path: etc/linuxkit-config
  directory: false
  metadata: yaml
  optional: false

i dont really trust the test time, something must be wrong...

[+ 24m 58s] [PASS    ] linuxkit.build.examples.bake 0.04s

@ijc

linuxkit bake -D foo=abcdef foo.yml

This can actually be done with envsubst and also be piped from bake as it is.

EDIT:
I can see now how linuxkit pkg push --release v1.1 and git tags can work together but im still not completly convinced that its a good a idea to make a pkg version explicitly dependend on a repo that contains a pkg root and not the other way round(you have to checkout the whole repo to rebuild one old pkg e.g.).

Additional tags in build.yml could still be helpful (future, not in this pr).

There is https://github.com/a8m/envsubst I could implement this from a file, global conf, cli and/or env after merging the moby confs and before substituting the latest tag, for 1:1 substitution on the whole config file. This could allow something like lkt_version=<latest> linuxkit bake some.yml more.yml on

services:
- name: getty
  image: ${lkt_repo-linuxkit}/getty:${lkt_version-v1.0} 

It had a few "bugs" for nested stuff i tried but should work for simple envsubst

otherwise there could be go templates

init:
{{if .Dev}}
  {{call .Image "linuxkit/getty"}} 
{{end}}
  {{call .Image "linuxkit/dhcpcd"}} 
  {{call .Image "linuxkit/runc"}} 
#which could either do the `latest` logic or set a tag based on some variable

....

but it gets pretty ugly from my experience

or

services:
- name: getty
  image: linuxkit/getty:<lkt_version>
- name: dhcpcd
  image: linuxkit/dhcpcd:<lkt_version>
- name: sshd
  image: linuxkit/sshd:<latest> 

updated the last comment, otherwise i guess i should revert setting global config in its own namespace and pass the repos as strings into Bake for better encapsulation. Let me know if you would like one of the proposed solutions in this PR. I could implement it tonight or leave it.

Sorry for all these changes

• dropped putting GlobalConfig in its own namespace
• squashed the git commit stuff
• moved logging from Template to bake cli and writing it as comment into the result
• add Time.Now() to log comment
• gave Template a more defined surface based on a Template, Result and Substitution structures. Template.Bake() (Result,error) is the only public function.

here is a result yml:

###-------------------------------AUTO-GENERATED-------------------------------###
#     time: 2018-01-12 08:28:29.070212358 +0100 CET m=+0.383653088
#-----------------------------------------------------------------------------------
# template: linuxkit/ca-certificates:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/ca-certificates
#   result: linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
#-----------------------------------------------------------------------------------
# template: linuxkit/containerd:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/containerd
#   result: linuxkit/containerd:e58a382c33bb509ba3e0e8170dfaa5a100504c5b
#-----------------------------------------------------------------------------------
# template: linuxkit/dhcpcd:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/dhcpcd
#   result: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
#-----------------------------------------------------------------------------------
# template: linuxkit/getty:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/getty
#   result: linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
#-----------------------------------------------------------------------------------
# template: linuxkit/init:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/init
#   result: linuxkit/init:5a577d070817b4f17821657823082651baafd4ed
#-----------------------------------------------------------------------------------
# template: linuxkit/rngd:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/rngd
#   result: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
#-----------------------------------------------------------------------------------
# template: linuxkit/runc:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/runc
#   result: linuxkit/runc:abc3f292653e64a2fd488e9675ace19a55ec7023
#-----------------------------------------------------------------------------------
# template: linuxkit/sysctl:<latest>
#   source: /home/user/go/src/github.com/linuxkit/linuxkit/pkg/sysctl
#   result: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
#-----------------------------------------------------------------------------------
kernel:
  image: linuxkit/kernel:4.9.75
  cmdline: console=tty0 console=ttyS0 console=ttyAMA0
init:
- linuxkit/init:5a577d070817b4f17821657823082651baafd4ed
- linuxkit/runc:abc3f292653e64a2fd488e9675ace19a55ec7023
- linuxkit/containerd:e58a382c33bb509ba3e0e8170dfaa5a100504c5b
- linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
onboot:
- name: sysctl
  image: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
- name: dhcpcd
  image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
  command:
  - /sbin/dhcpcd
  - --nobackground
  - -f
  - /dhcpcd.conf
  - "-1"
onshutdown:
- name: shutdown
  image: busybox:latest
  command:
  - /bin/echo
  - so long and thanks for all the fish
services:
- name: getty
  image: linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
  env:
  - INSECURE=true
- name: rngd
  image: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
- name: nginx
  image: nginx:alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  binds:
  - /etc/resolv.conf:/etc/resolv.conf
trust:
  org:
  - linuxkit
  - library
files:
- path: etc/containerd/config.toml
  directory: false
  contents: |
    state = "/run/containerd"
    root = "/var/lib/containerd"
    snapshotter = "io.containerd.snapshotter.v1.overlayfs"
    differ = "io.containerd.differ.v1.base-diff"
    subreaper = false

    [grpc]
    address = "/run/containerd/containerd.sock"
    uid = 0
    gid = 0

    [debug]
    address = "/run/containerd/debug.sock"
    level = "info"

    [metrics]
    address = ":13337"
  optional: false
- path: etc/linuxkit-config
  directory: false
  metadata: yaml
  optional: false

It should be easier to review and extend now. I didnt implement 1:1 substitution because its not needed yet and pipes can be used.

EDIT: needed to add a deep copy function of Moby to make the result not change the initial template.

[+ 24m 27s] [PASS    ] linuxkit.build.examples.bake 32.57s

fixed test. Should cover everything but global config parsing.

I think we probably still want to have some improvement in this area, but this PR is pretty outdated so closing it for now