Use skopeo for hermetic bootstrap images

tkopecek · tkopecek · commit eeb59fe3fff9 · 2026-02-20T16:50:14.000+01:00
diff --git a/mock/mock.spec b/mock/mock.spec
@@ -96,6 +96,7 @@ Suggests: qemu-user-static
 Suggests: procenv
 Recommends: buildah
 Recommends: podman
+Recommends: skopeo
 Recommends: fuse-overlayfs
 
 %if %{with tests}
diff --git a/mock/py/mock-hermetic-repo.py b/mock/py/mock-hermetic-repo.py
@@ -127,17 +127,14 @@ def prepare_image(image_specification, bootstrap_data, outputdir):
     """
     Store the tarball into the same directory where the RPMs are
     """
-    pull_cmd = ["podman", "pull"]
+    pull_cmd = ["skopeo", "sync", "--scoped", "--src", "docker", "--dest", "dir"]
+    if "architecture" in bootstrap_data:
+        pull_cmd += ["--override-arch", bootstrap_data["architecture"]]
     if "pull_digest" in bootstrap_data:
         image_specification +=  "@" + bootstrap_data["pull_digest"]
-    if "architecture" in bootstrap_data:
-        pull_cmd += ["--arch", bootstrap_data["architecture"]]
-    pull_cmd += [image_specification]
+    pull_cmd += [image_specification, outputdir]
     log.info("Pulling like: %s", ' '.join(pull_cmd))
     subprocess.check_output(pull_cmd)
-    subprocess.check_output(["podman", "save", "--format=oci-archive", "--quiet",
-                             "-o", os.path.join(outputdir, "bootstrap.tar"),
-                             image_specification])
 
 
 def _main():
diff --git a/mock/py/mockbuild/config.py b/mock/py/mockbuild/config.py
@@ -806,8 +806,9 @@ def process_hermetic_build_config(cmdline_opts, config_opts):
             "offline RPM repository (RPM metadata not found)")
 
     # Use the offline image for bootstrapping.
-    bootstrap_tarball = os.path.join(final_offline_repo, "bootstrap.tar")
-    config_opts["bootstrap_image"] = f"oci-archive:{bootstrap_tarball}"
+    image_pullspec = f"{data['config']['bootstrap_image']}@{data['bootstrap']['pull_digest']}"
+    bootstrap_dir = os.path.join(final_offline_repo, image_pullspec)
+    config_opts["bootstrap_image"] = f"dir:{bootstrap_dir}"
 
     config_opts["offline_local_repository"] = final_offline_repo
 
diff --git a/mock/py/mockbuild/podman.py b/mock/py/mockbuild/podman.py
@@ -192,7 +192,7 @@ def get_oci_digest(self):
         as the check that we've loaded same image.
         """
         the_image = self.image
-        if the_image.startswith("oci-archive:"):
+        if the_image.startswith("oci-archive:") or the_image.startswith("dir:"):
             # We can't query digest from tarball directly, but note
             # the image needs to be tagged first!
             the_image = self._tagged_id
diff --git a/releng/release-notes-next/hermetic-repo-skopeo.bugfix.md b/releng/release-notes-next/hermetic-repo-skopeo.bugfix.md
@@ -0,0 +1,4 @@
+Bootstrap image caching for hermetic builds now use
+[skopeo](https://github.com/containers/skopeo) sync instead of ``podman
+pull|save`` commands. Skopeo better handles digests, so we can always be sure
+that we're using correct image.
