WIP: Use podman pull to fetch containers

See #147 (comment)

With this bootc starts to really gain support for a different backend
than ostree.  Here we basically just fork off `podman pull` to
fetch container images into an *alternative root* in
`/ostree/container-storage`,
(Because otherwise basic things like `podman image prune` would
 delete the OS image)

This is quite distinct from our use of `skopeo` in the ostree-ext project
because suddenly now we gain support for things
implemented in the containers/storage library like `zstd:chunked` and
OCI crypt.

*However*...today we still need to generate a final flattened
filesystem tree (and an ostree commit) in order to maintain
compatibilty with stuff in rpm-ostree.  (A corrollary to this is
we're not booting into a `podman mount` overlayfs stack)
Related to this, we also need to handle SELinux labeling.

Hence, we implement "layer squashing", and then do some final
"postprocessing" on the resulting image matching the same logic
that's done in ostree-ext such as `etc -> usr/etc` and handling `/var`.

Note this also really wants
ostreedev/ostree#3106
to avoid duplicating disk space.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

lib/src/cli.rs

@@ -90,6 +90,10 @@ pub(crate) struct SwitchOpts {
 
     /// Target image to use for the next boot.
     pub(crate) target: String,
+
+    /// The storage backend
+    #[clap(long, hide = true)]
+    pub(crate) backend: Option<crate::spec::Backend>,
 }
 
 /// Options controlling rollback
@@ -251,6 +255,14 @@ impl InternalsOpts {
     const GENERATOR_BIN: &'static str = "bootc-systemd-generator";
 }
 
+#[derive(Debug, clap::Parser, PartialEq, Eq)]
+pub(crate) struct InternalPodmanOpts {
+    #[clap(long, value_parser, default_value = "/")]
+    root: Utf8PathBuf,
+    #[clap(trailing_var_arg = true, allow_hyphen_values = true)]
+    args: Vec<std::ffi::OsString>,
+}
+
 /// Deploy and transactionally in-place with bootable container images.
 ///
 /// The `bootc` project currently uses ostree-containers as a backend
@@ -379,6 +391,9 @@ pub(crate) enum Opt {
     #[clap(subcommand)]
     #[clap(hide = true)]
     Internals(InternalsOpts),
+    /// Execute podman in our internal configuration
+    #[clap(hide = true)]
+    InternalPodman(InternalPodmanOpts),
     #[clap(hide(true))]
     #[cfg(feature = "docgen")]
     Man(ManOpts),
@@ -540,7 +555,7 @@ async fn upgrade(opts: UpgradeOpts) -> Result<()> {
             }
         }
     } else {
-        let fetched = crate::deploy::pull(sysroot, imgref, opts.quiet).await?;
+        let fetched = crate::deploy::pull(sysroot, spec.backend, imgref, opts.quiet).await?;
         let kargs = crate::kargs::get_kargs(repo, &booted_deployment, fetched.as_ref())?;
         let staged_digest = staged_image.as_ref().map(|s| s.image_digest.as_str());
         let fetched_digest = fetched.manifest_digest.as_str();
@@ -628,6 +643,7 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
     let new_spec = {
         let mut new_spec = host.spec.clone();
         new_spec.image = Some(target.clone());
+        new_spec.backend = opts.backend.unwrap_or_default();
         new_spec
     };
 
@@ -637,7 +653,7 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
     }
     let new_spec = RequiredHostSpec::from_spec(&new_spec)?;
 
-    let fetched = crate::deploy::pull(sysroot, &target, opts.quiet).await?;
+    let fetched = crate::deploy::pull(sysroot, new_spec.backend, &target, opts.quiet).await?;
     let kargs = crate::kargs::get_kargs(repo, &booted_deployment, fetched.as_ref())?;
 
     if !opts.retain {
@@ -697,7 +713,8 @@ async fn edit(opts: EditOpts) -> Result<()> {
         return crate::deploy::rollback(sysroot).await;
     }
 
-    let fetched = crate::deploy::pull(sysroot, new_spec.image, opts.quiet).await?;
+    let fetched =
+        crate::deploy::pull(sysroot, new_spec.backend, new_spec.image, opts.quiet).await?;
     let repo = &sysroot.repo();
     let kargs = crate::kargs::get_kargs(repo, &booted_deployment, fetched.as_ref())?;
 
@@ -813,6 +830,12 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
             }
             InternalsOpts::FixupEtcFstab => crate::deploy::fixup_etc_fstab(&root),
         },
+        Opt::InternalPodman(args) => {
+            prepare_for_write()?;
+            // This also remounts writable
+            let _sysroot = get_locked_sysroot().await?;
+            crate::podman::exec(args.root.as_path(), args.args.as_slice())
+        }
         #[cfg(feature = "docgen")]
         Opt::Man(manopts) => crate::docgen::generate_manpages(&manopts.directory),
     }

lib/src/deploy.rs

@@ -9,17 +9,19 @@ use anyhow::{anyhow, Context, Result};
 use cap_std::fs::{Dir, MetadataExt};
 use cap_std_ext::cap_std;
 use cap_std_ext::dirext::CapStdExtDirExt;
+use chrono::DateTime;
 use fn_error_context::context;
 use ostree::{gio, glib};
 use ostree_container::OstreeImageReference;
 use ostree_ext::container as ostree_container;
 use ostree_ext::container::store::PrepareResult;
+use ostree_ext::oci_spec;
 use ostree_ext::ostree;
 use ostree_ext::ostree::Deployment;
 use ostree_ext::sysroot::SysrootLock;
 
 use crate::spec::ImageReference;
-use crate::spec::{BootOrder, HostSpec};
+use crate::spec::{Backend, BootOrder, HostSpec};
 use crate::status::labels_of_config;
 
 // TODO use https://github.com/ostreedev/ostree-rs-ext/pull/493/commits/afc1837ff383681b947de30c0cefc70080a4f87a
@@ -31,11 +33,14 @@ const BOOTC_DERIVED_KEY: &str = "bootc.derived";
 /// Variant of HostSpec but required to be filled out
 pub(crate) struct RequiredHostSpec<'a> {
     pub(crate) image: &'a ImageReference,
+    pub(crate) backend: Backend,
 }
 
 /// State of a locally fetched image
 pub(crate) struct ImageState {
+    pub(crate) backend: Backend,
     pub(crate) manifest_digest: String,
+    pub(crate) created: Option<DateTime<chrono::Utc>>,
     pub(crate) version: Option<String>,
     pub(crate) ostree_commit: String,
 }
@@ -48,16 +53,28 @@ impl<'a> RequiredHostSpec<'a> {
             .image
             .as_ref()
             .ok_or_else(|| anyhow::anyhow!("Missing image in specification"))?;
-        Ok(Self { image })
+        Ok(Self {
+            image,
+            backend: spec.backend,
+        })
     }
 }
 
 impl From<ostree_container::store::LayeredImageState> for ImageState {
     fn from(value: ostree_container::store::LayeredImageState) -> Self {
         let version = value.version().map(|v| v.to_owned());
         let ostree_commit = value.get_commit().to_owned();
+        let labels = crate::status::labels_of_config(&value.configuration);
+        let created = labels
+            .and_then(|l| {
+                l.get(oci_spec::image::ANNOTATION_CREATED)
+                    .map(|s| s.as_str())
+            })
+            .and_then(crate::status::try_deserialize_timestamp);
         Self {
+            backend: Backend::OstreeContainer,
             manifest_digest: value.manifest_digest,
+            created,
             version,
             ostree_commit,
         }
@@ -70,8 +87,14 @@ impl ImageState {
         &self,
         repo: &ostree::Repo,
     ) -> Result<Option<ostree_ext::oci_spec::image::ImageManifest>> {
-        ostree_container::store::query_image_commit(repo, &self.ostree_commit)
-            .map(|v| Some(v.manifest))
+        match self.backend {
+            Backend::OstreeContainer => {
+                ostree_container::store::query_image_commit(repo, &self.ostree_commit)
+                    .map(|v| Some(v.manifest))
+            }
+            // TODO: Figure out if we can get the OCI manifest from podman
+            Backend::Container => Ok(None),
+        }
     }
 }
 
@@ -164,6 +187,31 @@ async fn handle_layer_progress_print(
 /// Wrapper for pulling a container image, wiring up status output.
 #[context("Pulling")]
 pub(crate) async fn pull(
+    sysroot: &SysrootLock,
+    backend: Backend,
+    imgref: &ImageReference,
+    quiet: bool,
+) -> Result<Box<ImageState>> {
+    match backend {
+        Backend::OstreeContainer => pull_via_ostree(sysroot, imgref, quiet).await,
+        Backend::Container => pull_via_podman(sysroot, imgref, quiet).await,
+    }
+}
+
+/// Wrapper for pulling a container image, wiring up status output.
+async fn pull_via_podman(
+    sysroot: &SysrootLock,
+    imgref: &ImageReference,
+    quiet: bool,
+) -> Result<Box<ImageState>> {
+    let rootfs = &Dir::reopen_dir(&crate::utils::sysroot_fd_borrowed(sysroot))?;
+    let fetched_imageid = crate::podman::podman_pull(rootfs, imgref, quiet).await?;
+    crate::podman_ostree::commit_image_to_ostree(sysroot, &fetched_imageid)
+        .await
+        .map(Box::new)
+}
+
+async fn pull_via_ostree(
     sysroot: &SysrootLock,
     imgref: &ImageReference,
     quiet: bool,

lib/src/lib.rs

@@ -27,6 +27,9 @@ pub(crate) mod kargs;
 mod lints;
 mod lsm;
 pub(crate) mod metadata;
+mod ostree_authfile;
+mod podman;
+mod podman_ostree;
 mod reboot;
 mod reexec;
 mod status;
@@ -46,8 +49,6 @@ mod k8sapitypes;
 mod kernel;
 #[cfg(feature = "install")]
 pub(crate) mod mount;
-#[cfg(feature = "install")]
-mod podman;
 pub mod spec;
 
 #[cfg(feature = "docgen")]

lib/src/ostree_authfile.rs

@@ -0,0 +1,72 @@
+//! # Copy of the ostree authfile bits as they're not public
+
+use anyhow::Result;
+use ostree_ext::glib;
+use std::fs::File;
+use std::path::{Path, PathBuf};
+use std::sync::OnceLock;
+
+// https://docs.rs/openat-ext/0.1.10/openat_ext/trait.OpenatDirExt.html#tymethod.open_file_optional
+// https://users.rust-lang.org/t/why-i-use-anyhow-error-even-in-libraries/68592
+pub(crate) fn open_optional(path: impl AsRef<Path>) -> std::io::Result<Option<std::fs::File>> {
+    match std::fs::File::open(path.as_ref()) {
+        Ok(r) => Ok(Some(r)),
+        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(None),
+        Err(e) => Err(e),
+    }
+}
+
+struct ConfigPaths {
+    persistent: PathBuf,
+    runtime: PathBuf,
+}
+
+/// Get the runtime and persistent config directories.  In the system (root) case, these
+/// system(root) case:  /run/ostree           /etc/ostree
+/// user(nonroot) case: /run/user/$uid/ostree ~/.config/ostree
+fn get_config_paths() -> &'static ConfigPaths {
+    static PATHS: OnceLock<ConfigPaths> = OnceLock::new();
+    PATHS.get_or_init(|| {
+        let mut r = if rustix::process::getuid() == rustix::process::Uid::ROOT {
+            ConfigPaths {
+                persistent: PathBuf::from("/etc"),
+                runtime: PathBuf::from("/run"),
+            }
+        } else {
+            ConfigPaths {
+                persistent: glib::user_config_dir(),
+                runtime: glib::user_runtime_dir(),
+            }
+        };
+        let path = "ostree";
+        r.persistent.push(path);
+        r.runtime.push(path);
+        r
+    })
+}
+
+impl ConfigPaths {
+    /// Return the path and an open fd for a config file, if it exists.
+    pub(crate) fn open_file(&self, p: impl AsRef<Path>) -> Result<Option<(PathBuf, File)>> {
+        let p = p.as_ref();
+        let mut runtime = self.runtime.clone();
+        runtime.push(p);
+        if let Some(f) = open_optional(&runtime)? {
+            return Ok(Some((runtime, f)));
+        }
+        let mut persistent = self.persistent.clone();
+        persistent.push(p);
+        if let Some(f) = open_optional(&persistent)? {
+            return Ok(Some((persistent, f)));
+        }
+        Ok(None)
+    }
+}
+
+/// Return the path to the global container authentication file, if it exists.
+pub(crate) fn get_global_authfile_path() -> Result<Option<PathBuf>> {
+    let paths = get_config_paths();
+    let r = paths.open_file("auth.json")?;
+    // TODO pass the file descriptor to the proxy, not a global path
+    Ok(r.map(|v| v.0))
+}