WIP: Use `podman pull` to fetch containers #215

cgwalters · 2023-12-03T19:29:33Z

Prep in https://github.com/containers/bootc/pull/214Move pull code into deploy

WIP: Use podman pull to fetch containers

With this bootc starts to really gain support for a different backend
than ostree. Here we basically just fork off podman pull to
fetch container images into an alternative root in
/ostree/container-storage,
(Because otherwise basic things like podman image prune would
delete the OS image)

This is quite distinct from our use of skopeo in the ostree-ext project
because suddenly now we gain support for things
implemented in the containers/storage library like zstd:chunked and
OCI crypt.

However...today we still need to generate a final flattened
filesystem tree (and an ostree commit) in order to maintain
compatibilty with stuff in rpm-ostree. (A corrollary to this is
we're not booting into a podman mount overlayfs stack)
Related to this, we also need to handle SELinux labeling.

Hence, we implement "layer squashing", and then do some final
"postprocessing" on the resulting image matching the same logic
that's done in ostree-ext such as etc -> usr/etc and handling /var.

Note this also really wants
ostreedev/ostree#3106
to avoid duplicating disk space.

cgwalters · 2023-12-03T19:34:25Z

Demo:

$ env RUST_LOG=debug /run/hostsrv/src/github/containers/bootc/target/release/bootc switch --backend container quay.io/cgwalters/ostest
DEBUG Re-executing current process for _ostree_unshared
DEBUG Already in a mount namespace
DEBUG Current security context is unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
DEBUG Copying self to temporary file for re-exec
DEBUG Label for /tmp/.tmpnua4Vn is system_u:object_r:install_exec_t:s0
DEBUG Created "/tmp/.tmpnua4Vn"
DEBUG Re-executing _bootc_selinuxfs_mounted="/tmp/.tmpnua4Vn" "/tmp/.tmpnua4Vn" "switch" "--backend" "container" "quay.io/cgwalters/ostest"
DEBUG Already in a mount namespace
DEBUG Current security context is unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
DEBUG Removing temporary file
DEBUG Pulling docker://quay.io/cgwalters/ostest
Trying to pull quay.io/cgwalters/ostest:latest...
Getting image source signatures
Copying blob 797644653c72 skipped: already exists  
Copying blob 797644653c72 skipped: already exists  
Copying blob ef5675472650 skipped: already exists  
...
Writing manifest to image destination
DEBUG Creating temporary container for c864f541834eaef553a6e49d5a7da8f91a7fec26a7fdd9ce492a004499a4eef6
DEBUG Mounting 6674154c085cda1abf3f17b28c1fede55e74f975ad1acb0ec2d03252c2de340e
DEBUG Merging layer: ostree/container-storage/overlay/1cc5fa9dff7d8c9ce68cb1a635aede85960085b7bf5c6bce2ff91527fa0fb5ac/diff
DEBUG Merging layer: ostree/container-storage/overlay/f16810ac59f484691c15a8f186df29e54ac378e801972e3ca8416896bc882814/diff
DEBUG Merging layer: ostree/container-storage/overlay/705dd7ffd5fea45eee3dbe85688091c696f918746576419d1a22dfa2d666e8b3/diff
...
DEBUG Writing ostree commit
829754790d5c947c4816e15c3e07a11db72c7e64928e5620fa32b9a36f6c8409
Queued for next boot: ostree-image-signed:docker://quay.io/cgwalters/ostest
  Version: 39.20231123.1
  Digest: sha256:f7afa32ff5a924a9660c7ebd0c567cd37d9d85c6598ea08784961e13477d24e8
$

Now, we can also expose every single podman command but operating on our internal root, like:

$ /run/hostsrv/src/github/containers/bootc/target/release/bootc internal-podman images
REPOSITORY                TAG         IMAGE ID      CREATED       SIZE
quay.io/cgwalters/ostest  latest      c864f541834e  27 hours ago  1.24 GB
$

And also for example, we can optimize pushes and pulls between the bootc storage and the default containers-storage in /var/lib/containers. (Particularly if they're on the same filesystem); i.e. we want something like a handy bootc push-to-podman as well as bootc pull-from-podman as sugar for effectively skopeo copy containers-storage:[overlay@/ostree/containers-storage]:foo containers-storage:foo.

vrothberg

@rhatdan PTAL
FYI @giuseppe

lib/src/podman.rs

lib/src/podman_ostree.rs

cgwalters · 2024-05-31T18:17:26Z

lib/src/ostree_authfile.rs

@@ -0,0 +1,72 @@
+//! # Copy of the ostree authfile bits as they're not public


Let's do ostreedev/ostree-rs-ext#636

OK, #581 merged

We'll use this even in cases where we don't have the `install` feature. Signed-off-by: Colin Walters <walters@verbum.org>

See containers#147 (comment) With this bootc starts to really gain support for a different backend than ostree. Here we basically just fork off `podman pull` to fetch container images into an *alternative root* in `/ostree/container-storage`, (Because otherwise basic things like `podman image prune` would delete the OS image) This is quite distinct from our use of `skopeo` in the ostree-ext project because suddenly now we gain support for things implemented in the containers/storage library like `zstd:chunked` and OCI crypt. *However*...today we still need to generate a final flattened filesystem tree (and an ostree commit) in order to maintain compatibilty with stuff in rpm-ostree. (A corrollary to this is we're not booting into a `podman mount` overlayfs stack) Related to this, we also need to handle SELinux labeling. Hence, we implement "layer squashing", and then do some final "postprocessing" on the resulting image matching the same logic that's done in ostree-ext such as `etc -> usr/etc` and handling `/var`. Note this also really wants ostreedev/ostree#3106 to avoid duplicating disk space. Signed-off-by: Colin Walters <walters@verbum.org>

Signed-off-by: John Eckersberg <jeckersb@redhat.com>

jeckersb · 2024-06-05T20:38:18Z

Ok, I've pushed my rebased and seemingly-working fork onto the original here so I can continue to iterate here instead of off in my own world. I know there are things that are still half-done or hacked-around that needs cleaned up, but this is at least something people can look at and build and play around with.

openshift-ci bot added the do-not-merge/work-in-progress label Dec 3, 2023

cgwalters mentioned this pull request Dec 3, 2023

add support or verify support of OCI crypt #147

Open

vrothberg reviewed Dec 4, 2023

View reviewed changes

lib/src/podman.rs Outdated Show resolved Hide resolved

lib/src/podman.rs Show resolved Hide resolved

lib/src/podman_ostree.rs Show resolved Hide resolved

cgwalters force-pushed the podman-pull branch 5 times, most recently from 91856eb to 0415f12 Compare December 4, 2023 22:28

This was referenced Dec 5, 2023

using bootc install-to-filesystem osbuild/bootc-image-builder#18

Open

Add bootc build commit #216

Closed

achilleas-k mentioned this pull request Dec 7, 2023

HMS-3235 sources/skopeo: check containers-storage osbuild/osbuild#1489

Merged

srd424 mentioned this pull request Jan 17, 2024

Possible to add vauxite to ostree.fedoraproject.org? fedora-silverblue/issue-tracker#526

Closed

cgwalters mentioned this pull request Feb 15, 2024

Optionally expose all underlying container metadata in status #348

Open

This was referenced Mar 1, 2024

key composefs/transient handling off label ostreedev/ostree-rs-ext#607

Open

We are slowly moving to zstd:chunked format for container images but osbuild is not handling it. osbuild/bootc-image-builder#236

Closed

prydom mentioned this pull request Mar 24, 2024

fix: ostree-rs-ext does not yet support zstd:chunked blue-build/cli#136

Closed

This was referenced Mar 26, 2024

SELinux behaves completely differently when I podman run vs. bootc switch my container image #439

Open

Add journaling for image finalization and firstboot #452

Open

cgwalters mentioned this pull request Apr 6, 2024

Add opinionated container binding with podman #128

Open

jeckersb mentioned this pull request May 6, 2024

docs: Describe how to boot local builds #512

Merged

cgwalters mentioned this pull request May 6, 2024

OCI SELinux labeling mismatch when package only ships binary policy - greetd is broken ostreedev/ostree-rs-ext#510

Open

cgwalters mentioned this pull request May 15, 2024

container: Add spinner/progress for layer fetches coreos/rpm-ostree#4962

Merged

This was referenced May 22, 2024

"Layers needed" progress should show in bootc status #515

Closed

bootc integration tracker containers/podman#22785

Open

antheas mentioned this pull request May 23, 2024

Partial Images Feature is slower than not using it containers/storage#1928

Open

cgwalters commented May 31, 2024

View reviewed changes

cgwalters and others added 3 commits June 5, 2024 09:01

Split out a hostexec module

7517d68

We'll use this even in cases where we don't have the `install` feature. Signed-off-by: Colin Walters <walters@verbum.org>

Use authfile from ostree_ext

0ff0acb

Signed-off-by: John Eckersberg <jeckersb@redhat.com>

jeckersb added 2 commits June 5, 2024 16:32

WIP async propagation for podman image inspection

37b35d5

Handle bootc backend in origin file

2a0dbe1

Signed-off-by: John Eckersberg <jeckersb@redhat.com>

jeckersb force-pushed the podman-pull branch from 0415f12 to 2a0dbe1 Compare June 5, 2024 20:35

github-actions bot added the area/install Issues related to `bootc install` label Jun 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WIP: Use `podman pull` to fetch containers #215

WIP: Use `podman pull` to fetch containers #215

cgwalters commented Dec 3, 2023

cgwalters commented Dec 3, 2023

vrothberg left a comment

cgwalters May 31, 2024

cgwalters Jun 4, 2024

jeckersb commented Jun 5, 2024

		@@ -0,0 +1,72 @@
		//! # Copy of the ostree authfile bits as they're not public

WIP: Use podman pull to fetch containers #215

Are you sure you want to change the base?

WIP: Use podman pull to fetch containers #215

Conversation

cgwalters commented Dec 3, 2023

cgwalters commented Dec 3, 2023

vrothberg left a comment

Choose a reason for hiding this comment

cgwalters May 31, 2024

Choose a reason for hiding this comment

cgwalters Jun 4, 2024

Choose a reason for hiding this comment

jeckersb commented Jun 5, 2024

WIP: Use `podman pull` to fetch containers #215

WIP: Use `podman pull` to fetch containers #215