Use skopeo for hermetic bootstrap images

[tkopecek]

Better replacement for #1716

[gemini-code-assist]

Code Review

The pull request successfully transitions from podman pull|save to skopeo for handling hermetic bootstrap images, which is a more robust approach for managing image digests and offline transports. However, there is a critical mismatch between how skopeo sync --scoped prepares the directory structure and how the configuration logic attempts to locate it. Switching to skopeo copy with a predictable destination directory (e.g., bootstrap/) would resolve this and maintain consistency with the previous implementation.

[gemini-code-assist]

The use of skopeo sync --scoped creates a nested directory hierarchy based on the registry and repository (e.g., docker.io/library/fedora), which does not match the flat path construction in mockbuild/config.py. Since this script is intended to fetch a specific bootstrap image for a build, skopeo copy is more appropriate as it allows specifying a predictable destination directory. Additionally, subprocess.check_call is preferred over check_output when the output is not being captured.

Suggested change

	pull_cmd = ["skopeo", "sync", "--src", "docker", "--dest", "dir",
	"--scoped", "--preserve-digests"]
	if "architecture" in bootstrap_data:
	pull_cmd += ["--override-arch", bootstrap_data["architecture"]]
	if "pull_digest" in bootstrap_data:
	image_specification += "@" + bootstrap_data["pull_digest"]
	if "architecture" in bootstrap_data:
	pull_cmd += ["--arch", bootstrap_data["architecture"]]
	pull_cmd += [image_specification]
	pull_cmd += [image_specification, outputdir]
	log.info("Pulling like: %s", ' '.join(pull_cmd))
	bootstrap_dir = os.path.join(outputdir, "bootstrap")
	pull_cmd = ["skopeo", "copy"]
	if "architecture" in bootstrap_data:
	pull_cmd += ["--override-arch", bootstrap_data["architecture"]]
	if "pull_digest" in bootstrap_data:
	image_specification += "@" + bootstrap_data["pull_digest"]
	pull_cmd += ["docker://" + image_specification, "dir:" + bootstrap_dir]
	log.info("Pulling like: %s", ' '.join(pull_cmd))
	subprocess.check_call(pull_cmd)

[tkopecek]

Should work in every case. docker.io/library/fedora is still the part of boostrap_image string, so nested directories will be part of final path?

[gemini-code-assist]

The current path construction for bootstrap_dir assumes a flat directory named after the pullspec, which conflicts with the hierarchical structure created by skopeo sync --scoped. To ensure the build can correctly locate the offline image, it is better to use a fixed directory name like bootstrap, matching the suggested change in mock-hermetic-repo.py.

Suggested change

	image_pullspec = f"{data['config']['bootstrap_image']}@{data['bootstrap']['pull_digest']}"
	bootstrap_dir = os.path.join(final_offline_repo, image_pullspec)
	config_opts["bootstrap_image"] = f"dir:{bootstrap_dir}"
	# Use the offline image for bootstrapping.
	bootstrap_dir = os.path.join(final_offline_repo, "bootstrap")
	config_opts["bootstrap_image"] = f"dir:{bootstrap_dir}"

[praiskup]

CI failure:

      INFO:__main__:Pulling like: skopeo sync --src docker --dest dir --scoped --preserve-digests --override-arch amd64 registry.fedoraproject.org/fedora:rawhide@sha256:926c55dd6993b0332abe54abbc993929b578fa0212bb05d23c187c424f203bbf /tmp/mock-tests-local-repo-3gghtsxg
      time="2026-02-20T16:17:55Z" level=info msg="Tag presence check" imagename="registry.fedoraproject.org/fedora:rawhide@sha256:926c55dd6993b0332abe54abbc993929b578fa0212bb05d23c187c424f203bbf" tagged=true
      time="2026-02-20T16:17:55Z" level=fatal msg="Cannot obtain a valid image reference for transport \"docker\" and reference \"registry.fedoraproject.org/fedora:rawhide@sha256:926c55dd6993b0332abe54abbc993929b578fa0212bb05d23c187c424f203bbf\": Docker references with both a tag and digest are currently not supported"
      Traceback (most recent call last):
        File "/usr/bin/mock-hermetic-repo", line 199, in <module>
          _main()
          ~~~~~^^
        File "/usr/bin/mock-hermetic-repo", line 194, in _main
          prepare_image(data["config"]["bootstrap_image"], data["bootstrap"],
          ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                        options.output_repo)
                        ^^^^^^^^^^^^^^^^^^^^
        File "/usr/bin/mock-hermetic-repo", line 138, in prepare_image
          subprocess.check_output(pull_cmd)
          ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
        File "/usr/lib64/python3.14/subprocess.py", line 472, in check_output
          return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
                 ~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                     **kwargs).stdout
                     ^^^^^^^^^
        File "/usr/lib64/python3.14/subprocess.py", line 577, in run
          raise CalledProcessError(retcode, process.args,
                                   output=stdout, stderr=stderr)
      subprocess.CalledProcessError: Command '['skopeo', 'sync', '--src', 'docker', '--dest', 'dir', '--scoped', '--preserve-digests', '--override-arch', 'amd64', 'registry.fedoraproject.org/fedora:rawhide@sha256:926c55dd6993b0332abe54abbc993929b578fa0212bb05d23c187c424f203bbf', '/tmp/mock-tests-local-repo-3gghtsxg']' returned non-zero exit status 1.

    And a hermetic build is retriggered with the lockfile and repository                 # None
    Then the build succeeds                                                              # None

[praiskup]

As discussed before, this worked for me correctly - but I didn't even use --scoped and --preserve-digests 🤷 please document why we need those.

[tkopecek]

added

[praiskup]

We probably need skopeo in Recommends.

[tkopecek]

Yes, it is there.

[praiskup]

      INFO:__main__:Pulling like: skopeo sync --src docker --dest dir --scoped --preserve-digests --override-arch amd64 quay.io/centos/centos:stream9@sha256:8e47e1ac4bfb7ae13d18403389d0ae0d6b44aa3c5a66e4561bc6cb881c140cd4 /tmp/mock-tests-local-repo-29xlxzf_
      time="2026-02-23T13:09:45Z" level=info msg="Tag presence check" imagename="quay.io/centos/centos:stream9@sha256:8e47e1ac4bfb7ae13d18403389d0ae0d6b44aa3c5a66e4561bc6cb881c140cd4" tagged=true
      time="2026-02-23T13:09:45Z" level=fatal msg="Cannot obtain a valid image reference for transport \"docker\" and reference \"quay.io/centos/centos:stream9@sha256:8e47e1ac4bfb7ae13d18403389d0ae0d6b44aa3c5a66e4561bc6cb881c140cd4\": Docker references with both a tag and digest are currently not supported"
      Traceback (most recent call last):
        File "/usr/bin/mock-hermetic-repo", line 204, in <module>
          _main()
          ~~~~~^^
        File "/usr/bin/mock-hermetic-repo", line 199, in _main
          prepare_image(data["config"]["bootstrap_image"], data["bootstrap"],
          ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                        options.output_repo)
                        ^^^^^^^^^^^^^^^^^^^^
        File "/usr/bin/mock-hermetic-repo", line 143, in prepare_image
          subprocess.check_output(pull_cmd)
          ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
        File "/usr/lib64/python3.14/subprocess.py", line 472, in check_output
          return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
                 ~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                     **kwargs).stdout
                     ^^^^^^^^^
        File "/usr/lib64/python3.14/subprocess.py", line 577, in run
          raise CalledProcessError(retcode, process.args,
                                   output=stdout, stderr=stderr)
      subprocess.CalledProcessError: Command '['skopeo', 'sync', '--src', 'docker', '--dest', 'dir', '--scoped', '--preserve-digests', '--override-arch', 'amd64', 'quay.io/centos/centos:stream9@sha256:8e47e1ac4bfb7ae13d18403389d0ae0d6b44aa3c5a66e4561bc6cb881c140cd4', '/tmp/mock-tests-local-repo-29xlxzf_']' returned non-zero exit status 1.

    And a hermetic build is retriggered with the lockfile and repository                                # None
    Then the build succeeds                                                                             # None
    And the produced lockfile is validated properly                                                     # None

Feature: Test the "library" methods # features/library.feature:1

  @library @simple_load_config
  Scenario: The --resultdir option is incompatible with --chain                                    # features/library.feature:4

[tkopecek]

#1717 (comment) - interesting - works for me locally, I'll try to debug it more.

[tkopecek]

#1717 (comment) - interesting - works for me locally, I'll try to debug it more.

ouch, missed a file to commit

[praiskup]

Thank you!

[praiskup]

Would you mind squashing the PR?

[praiskup]

These are in EL8, too 👍