-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
install: add --source-imgref #263
Conversation
c96d517
to
276c68a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool, thanks for this! Overall mostly LGTM, just some nits and optionals.
@@ -197,7 +197,7 @@ pub(crate) fn find_parent_devices(device: &str) -> Result<Vec<String>> { | |||
let kind = dev | |||
.get("TYPE") | |||
.with_context(|| format!("device in hierarchy of {device} missing TYPE"))?; | |||
if kind == "disk" { | |||
if kind == "disk" || kind == "loop" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes. It would probably make sense to try to use a shared crate for dealing with block devices at some point.
lib/src/skopeo.rs
Outdated
} | ||
|
||
/// Given an image ID, return its manifest digest | ||
pub(crate) fn oci_archive_digest(imageref: &str) -> Result<String> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't specific to oci archives right? If we want it to be, let's make this a &Utf8Path
, and then explicitly specify dir:
below say.
If we want to keep it general...we also already use https://docs.rs/containers-image-proxy/latest/containers_image_proxy/ which is a handy Rust client for talking to skopeo, but I don't really in the end have a problem with being practical and just forking it either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Forgot to mention, see below where we could also probably drop this code)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dropped (see below).
} else { | ||
let td = tempfile::tempdir_in("/var/tmp")?; | ||
let path: &Utf8Path = td.path().try_into().unwrap(); | ||
let r = copy_to_oci(&state.source.imageref, path)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Unrelated to this change, but I would probably be fine just hard dropping this hacky "copy to oci" code that I don't think we need anymore since c9s has a new enough skopeo and that's fine from my PoV)
Totally optional of course...just reminded by the seeing the code again here. If you want I can also do a prep PR removing it (or feel free to yourself), it seems like it would simplify this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ended up doing this in #265 - but I still don't have a really strong opinion - we can merge this before that one if you prefer too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lib/src/install.rs
Outdated
|
||
#[context("Gathering source info from an external source")] | ||
pub(crate) fn from_imageref(imageref: &str) -> Result<Self> { | ||
let digest = crate::skopeo::oci_archive_digest(imageref)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Today, the ostree-container stack very much handles just being passed a non-digested pull spec; we'll do the digest resolution there. An alternative here is to make digest
an Option<T>
instead. I have a mild preference for this, but I'm also fine with the code as is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hope I understood your comment correctly. I made digest
an Option<T>
. This loses a bit of "null-safety" (handled gracefully, ofc), but it allowed me to drop the whole skopeo
crate. I have a backup of the old code if we change our midns.
Let's just hard require a skopeo that can fetch from `containers-storage`. Motivated by containers#263 which was moving this code around. Signed-off-by: Colin Walters <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd love to see docs on that as well. Which containers-transports
are supported? I feel that the name --source
is so generic that different users/personas will have a very different interpretation/feeling for that a source may be.
lsblk returns TYPE == loop for loop devices, modify the code so loop devices are correctly recognized. Signed-off-by: Ondřej Budai <[email protected]>
276c68a
to
e63c3b1
Compare
This is a prep work for the following commit. It will implement pulling the container image from an explicitly given container reference. Thus, there's no need to always fetch the digest because the caller is being explicit about the container image, so let's make the field optional. Signed-off-by: Ondřej Budai <[email protected]>
e63c3b1
to
5e4c639
Compare
I renamed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just one final nit, feel free to merge after addressing!
lib/src/install.rs
Outdated
/// it takes the container image to install from the podman's container registry. | ||
/// If --source-imgref is given, bootc uses it as the installation source, instead of the behaviour explained | ||
/// in the previous paragraph. See skopeo(1) for accepted formats. | ||
#[clap(long, hide = true)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But documenting seems to clash with hide = true
. Either it's something we support ~forever or it's a hidden thing that could be removed in theory. I guess given the state, we should probably lift hide = true
right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed hide = true
.
5e4c639
to
1db3040
Compare
bootc install and install-to-filesystem currently rely on the fact that they run inside a podman container. That's quite inconvenient for using bootc for osbuild, because osbuild already run everything in a container. While having a container in a container is surely possible, it gets quite messy. Instead of going this route, this commit implements a new --source-imgref argument. --source-imgref accepts a container image reference (the same one that skopeo uses). When --source-imgref is used, bootc doesn't escape the container to fetch the container image from host's container storage. Instead, the container image given by --source-imgref is used. Even when running in this mode, bootc needs to run in a container created from the same container image that is passed using --source-imgref. However, this isn't a problem to do in osbuild. This really just removes the need for bootc to escape the container to the host mount namespace. Signed-off-by: Ondřej Budai <[email protected]>
1db3040
to
7c3ed0b
Compare
Let's just hard require a skopeo that can fetch from `containers-storage`. Motivated by containers#263 which was moving this code around. Signed-off-by: Colin Walters <[email protected]>
Let's just hard require a skopeo that can fetch from `containers-storage`. Motivated by containers#263 which was moving this code around. Signed-off-by: Colin Walters <[email protected]>
blockdev: fix recognizing parent loop devices
lsblk returns TYPE == loop for loop devices, modify the code
so loop devices are correctly recognized.
install: make the source digest optional
This is a prep work for the following commit. It will implement pulling
the container image from an explicitly given container reference. Thus,
there's no need to always fetch the digest because the caller is being
explicit about the container image, so let's make the field optional.
install: add --source-imgref
bootc install and install-to-filesystem currently rely on the fact that they
run inside a podman container. That's quite inconvenient for using bootc
for osbuild, because osbuild already run everything in a container.
While having a container in a container is surely possible, it gets quite
messy.
Instead of going this route, this commit implements a new --source-imgref
argument. --source-imgref accepts a container image reference (the same one
that skopeo uses). When --source-imgref is used, bootc doesn't escape the
container to fetch the container image from host's container storage. Instead,
the container image given by --source-imgref is used.
Even when running in this mode, bootc needs to run in a container created from
the same container image that is passed using --source-imgref. However, this
isn't a problem to do in osbuild. This really just removes the need for bootc
to escape the container to the host mount namespace.