experimental: Add build-chunked-oci #5222

cgwalters · 2025-01-14T21:33:58Z

Closes: #5221

Signed-off-by: Colin Walters [email protected]

openshift-ci · 2025-01-14T21:34:02Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

cgwalters · 2025-01-14T21:37:43Z

OK I've been testing this out with this; the demo here is to make a smaller base image from our larger one, removing python and linux-firmware but even removing rpm-ostree and dnf.

(We can't yet remove rpm because paast-selinux depends on it for bad reasons))

# see below for artifacts
FROM quay.io/examplecorp/someartifacts:latest as artifacts
FROM quay.io/fedora/fedora-bootc:41 as rootfs
RUN <<EORUN
set -xeuo pipefail
# Needed by some scripts
mkdir -p /var/lib/rpm-state
# Remove various things with dnf
dnf -y remove python3 linux-firmware rpm-ostree
# And drop out dnf (TODO: teach dnf to be able to do this)
rpm -e dnf5 libdnf5 libdnf5-cli libsolv librepo libmodulemd
rm /var/lib/rpm-state -rf
EORUN
# Inject non-rpm content from other container
COPY --from=artifacts /usr /usr

FROM quay.io/fedora/fedora-bootc:rawhide as builder
RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
    --mount=from=rootfs,dst=/rootfs <<EORUN
set -xeuo pipefail
rm /buildcontext/out.oci -rf
rpm-ostree [experimental] compose build-chunked-oci --ostree --rootfs=/rootfs --output /buildcontext/out.oci
EORUN

FROM oci:./out.oci
LABEL containers.bootc 1
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.oci -rf

Anyways, this builds and starts to install, but what I get trying to do an install is:

Fetched layers: 292.75 MiB in 2 seconds (177.98 MiB/s)                          ERROR Installing to disk: Creating ostree deployment: Pulling: Importing: Unencapsulating base: Layer sha256:949f37ee3505878a579f04ca66d2c8822b38baf5c08a59e8fd5bffa2638aa42b: Importing objects: Importing object 95/d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953.file: Processing content object 95d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953: Importing regfile small: Writing content object: Corrupted file object; checksum expected='95d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953' actual='0e7f2e7de0309b3fc67fbeab4f5957c1a4b09a80d8ab3bff6763adb2579f81f3'
Error: unable to install bootc image: failed to create disk image: failed to run bootc install

And that's the only corrupt file - it turns out to be the rpmdb.sqlite-wal file which is clearly special in some way (maybe it's sparse? Digging)
This of course relates to rpm-software-management/rpm#2219

cgwalters · 2025-01-15T00:03:37Z

And that's the only corrupt file - it turns out to be the rpmdb.sqlite-wal file which is clearly special in some way (maybe it's sparse? Digging)

➡️ #5225

Holy cow was that painful to debug.

I'm working on doing container reencapsulation and using a user-mode repo and got burned by the hardlinking here and rpm always *writing* to the repo even when reading it. Most systems we care about have reflinks so it's cheap. And in practice most usage of this before was actually checking out from bare (not bare-user) repos, so we were copying anyways. Signed-off-by: Colin Walters <[email protected]>

Signed-off-by: Colin Walters <[email protected]>

Closes: coreos#5221 Signed-off-by: Colin Walters <[email protected]>

We really want this for coreos/rpm-ostree#5222 to be able to rebuild images from their container-synthesized rootfs. Really, the only xattr we don't want to emit in to the tar stream is security.selinux for now. Eventually we should try to switch to putting that into the tar stream too, but it needs more validation. Signed-off-by: Colin Walters <[email protected]>

openshift-ci bot added the do-not-merge/work-in-progress label Jan 14, 2025

cgwalters added 3 commits January 15, 2025 13:35

Use patched ostree-rs-ext

acc37dc

Signed-off-by: Colin Walters <[email protected]>

experimental: Add build-chunked-oci

6d58780

Closes: coreos#5221 Signed-off-by: Colin Walters <[email protected]>

cgwalters force-pushed the oci-from-rootfs branch from ba7cb67 to 6d58780 Compare January 15, 2025 18:36

cgwalters mentioned this pull request Jan 15, 2025

ostree-ext: Serialize xattrs into tar stream as well containers/bootc#1032

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

experimental: Add build-chunked-oci #5222

experimental: Add build-chunked-oci #5222

cgwalters commented Jan 14, 2025

openshift-ci bot commented Jan 14, 2025

cgwalters commented Jan 14, 2025 •

edited

Loading

cgwalters commented Jan 15, 2025

experimental: Add build-chunked-oci #5222

Are you sure you want to change the base?

experimental: Add build-chunked-oci #5222

Conversation

cgwalters commented Jan 14, 2025

openshift-ci bot commented Jan 14, 2025

cgwalters commented Jan 14, 2025 • edited Loading

cgwalters commented Jan 15, 2025

cgwalters commented Jan 14, 2025 •

edited

Loading