Add cosa import

This command takes as argument a `containers-transport(5)`-style pullspec
and creates a new cosa build dir from it. It essentially bridges the gap
between coreos/fedora-coreos-config#3348 and the
rest of the cosa pipeline.

Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>

Author: PeaceRebel

cmd/coreos-assembler.go

@@ -13,7 +13,7 @@ import (
 
 // commands we'd expect to use in the local dev path
 var buildCommands = []string{"init", "fetch", "build", "osbuild", "run", "prune", "clean", "list"}
-var advancedBuildCommands = []string{"buildfetch", "buildupload", "oc-adm-release", "push-container"}
+var advancedBuildCommands = []string{"import", "buildfetch", "buildupload", "oc-adm-release", "push-container"}
 var buildextendCommands = []string{"aliyun", "applehv", "aws", "azure", "digitalocean", "exoscale", "extensions-container", "gcp", "hyperv", "ibmcloud", "kubevirt", "live", "metal", "metal4k", "nutanix", "openstack", "oraclecloud", "qemu", "secex", "virtualbox", "vmware", "vultr"}
 
 var utilityCommands = []string{"aws-replicate", "coreos-prune", "compress", "copy-container", "diff", "koji-upload", "kola", "push-container-manifest", "remote-build-container", "remote-session", "sign", "tag", "update-variant"}

pkg/builds/cosa_v1.go

@@ -1,7 +1,7 @@
 package builds
 
 // generated by 'make schema'
-// source hash: 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146
+// source hash: 445150ada0fe019c7bb33c793185b312111ed7538a59e1a0b424c10c6c2dbc0d
 
 type AdvisoryDiff []AdvisoryDiffItems
 
@@ -56,6 +56,7 @@ type Build struct {
 	CosaDelayedMetaMerge      bool                  `json:"coreos-assembler.delayed-meta-merge,omitempty"`
 	CosaImageChecksum         string                `json:"coreos-assembler.image-config-checksum,omitempty"`
 	CosaImageVersion          int                   `json:"coreos-assembler.image-genver,omitempty"`
+	CosaImportedOciImage      bool                  `json:"coreos-assembler.oci-imported,omitempty"`
 	Extensions                *Extensions           `json:"extensions,omitempty"`
 	ExtensionsContainer       *PrimaryImage         `json:"extensions-container,omitempty"`
 	FedoraCoreOsParentCommit  string                `json:"fedora-coreos.parent-commit,omitempty"`
@@ -64,15 +65,15 @@ type Build struct {
 	GitDirty                  string                `json:"coreos-assembler.config-dirty,omitempty"`
 	IbmCloud                  []Cloudartifact       `json:"ibmcloud,omitempty"`
 	ImageInputChecksum        string                `json:"coreos-assembler.image-input-checksum,omitempty"`
-	InputHashOfTheRpmOstree   string                `json:"rpm-ostree-inputhash"`
+	InputHashOfTheRpmOstree   string                `json:"rpm-ostree-inputhash,omitempty"`
 	Koji                      *Koji                 `json:"koji,omitempty"`
 	KubevirtContainer         *PrimaryImage         `json:"kubevirt,omitempty"`
 	MetaStamp                 float64               `json:"coreos-assembler.meta-stamp,omitempty"`
 	Name                      string                `json:"name"`
 	Oscontainer               *PrimaryImage         `json:"oscontainer,omitempty"`
 	OstreeCommit              string                `json:"ostree-commit"`
 	OstreeContentBytesWritten int                   `json:"ostree-content-bytes-written,omitempty"`
-	OstreeContentChecksum     string                `json:"ostree-content-checksum"`
+	OstreeContentChecksum     string                `json:"ostree-content-checksum,omitempty"`
 	OstreeNCacheHits          int                   `json:"ostree-n-cache-hits,omitempty"`
 	OstreeNContentTotal       int                   `json:"ostree-n-content-total,omitempty"`
 	OstreeNContentWritten     int                   `json:"ostree-n-content-written,omitempty"`

pkg/builds/schema_doc.go

@@ -1,5 +1,5 @@
 // Generated by ./generate-schema.sh
-// Source hash: 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146
+// Source hash: 445150ada0fe019c7bb33c793185b312111ed7538a59e1a0b424c10c6c2dbc0d
 // DO NOT EDIT
 
 package builds
@@ -255,10 +255,8 @@ var generatedSchemaJSON = `{
     "buildid",
     "name",
     "ostree-commit",
-    "ostree-content-checksum",
     "ostree-timestamp",
-    "ostree-version",
-    "rpm-ostree-inputhash"
+    "ostree-version"
   ],
   "optional": [
     "aliyun",
@@ -273,13 +271,15 @@ var generatedSchemaJSON = `{
     "images",
     "koji",
     "oscontainer",
+    "ostree-content-checksum",
     "extensions",
     "extensions-container",
     "parent-pkgdiff",
     "pkgdiff",
     "parent-advisories-diff",
     "advisories-diff",
     "release-payload",
+    "rpm-ostree-inputhash",
     "summary",
     "s3",
     "coreos-assembler.basearch",
@@ -297,6 +297,7 @@ var generatedSchemaJSON = `{
     "coreos-assembler.meta-stamp",
     "coreos-assembler.overrides-active",
     "coreos-assembler.yumrepos-git",
+    "coreos-assembeler.oci-imported",
     "fedora-coreos.parent-commit",
     "fedora-coreos.parent-version",
     "ref"
@@ -378,6 +379,12 @@ var generatedSchemaJSON = `{
       "default": "",
       "minLength": 1
     },
+    "coreos-assembler.oci-imported": {
+      "$id": "#/properties/coreos-assembler.oci-imported",
+      "type": "boolean",
+      "title": "COSA imported OCI image",
+      "default": "False"
+    },
     "coreos-assembler.code-source": {
       "$id": "#/properties/coreos-assembler.code-source",
       "type": "string",

src/cmd-coreos-prune

@@ -55,7 +55,7 @@ Build = collections.namedtuple("Build", ["id", "images", "arch", "meta_json"])
 # set metadata caching to 5m
 CACHE_MAX_AGE_METADATA = 60 * 5
 # These lists are up to date as of schema hash
-# 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146. If changing
+# 445150ada0fe019c7bb33c793185b312111ed7538a59e1a0b424c10c6c2dbc0d. If changing
 # this hash, ensure that the list of SUPPORTED and UNSUPPORTED artifacts below
 # is up to date.
 SUPPORTED = ["amis", "aws-winli", "gcp"]

src/cmd-import

@@ -0,0 +1,200 @@
+#!/usr/bin/python3
+
+import argparse
+import datetime
+import json
+import os
+import subprocess
+import tempfile
+import shutil
+import sys
+from stat import (
+    S_IREAD,
+    S_IRGRP,
+    S_IROTH)
+from cosalib.builds import Builds
+from cosalib.cmdlib import (
+    rfc3339_time,
+    get_basearch,
+    sha256sum_file)
+
+VALID_NAMES = ["fedora-coreos", "rhcos", "scos"]
+
+
+def main():
+    args = parse_args()
+    with tempfile.TemporaryDirectory(prefix='cosa-import-', dir='tmp') as tmpd:
+        tmp_ociarchive = os.path.join(tmpd, "out.ociarchive")
+
+        metadata = skopeo_inspect(args.srcimg)
+        name = metadata['Labels']['com.coreos.osname']
+        buildid = metadata['Labels']['org.opencontainers.image.version']
+
+        builds = Builds()
+        if builds.has(buildid):
+            print(f"ERROR: Build ID {buildid} already exists!")
+            sys.exit(1)
+
+        import_oci_archive(args, tmp_ociarchive)
+
+        arch = get_basearch()
+
+        manifest = generate_manifest_json(tmpd, tmp_ociarchive, name, buildid, arch)
+        meta_json = generate_meta_json(tmp_ociarchive, metadata, manifest['metadata'], name)
+
+        # import into the tmp/repo not only so it's cached, but also to get the ostree-commit
+        meta_json['ostree-commit'] = ostree_import(tmpd, tmp_ociarchive, buildid)
+
+        finalize_build(builds, tmp_ociarchive, meta_json, manifest, buildid, arch)
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(prog='cosa import')
+    parser.add_argument("srcimg", metavar='IMAGE',
+                        help="image to import (containers-transports(5) format)")
+    return parser.parse_args()
+
+
+def finalize_build(builds, source_ociarchive, meta_json, manifest, buildid, arch):
+    os.makedirs(f'builds/{buildid}/{arch}/', exist_ok=True)
+
+    archive_name = meta_json['images']['ostree']['path']
+    archive_path = f'builds/{buildid}/{arch}/{archive_name}'
+    # Move ociarchive to build dir
+    shutil.move(source_ociarchive, archive_path)
+
+    # move manifest file
+    manifest_fname = manifest['metadata']['path']
+    shutil.move(manifest['src_path'], f'builds/{buildid}/{arch}/{manifest_fname}')
+
+    with open(f'builds/{buildid}/{arch}/meta.json', 'w') as meta_file:
+        json.dump(meta_json, meta_file, indent=4)
+
+    # Symlink build to latest
+    if os.path.exists('builds/latest'):
+        os.remove('builds/latest')
+    os.symlink(f'{buildid}', 'builds/latest', target_is_directory=True)
+
+    update_builds_json(builds, buildid, arch)
+
+    print(f'Imported OCI image as build {buildid}')
+
+
+def update_builds_json(builds, buildid, arch):
+    builds.insert_build(buildid, arch)
+    builds.bump_timestamp()
+    builds.flush()
+
+
+def import_oci_archive(args, target):
+    subprocess.check_call(['skopeo', 'copy', '--preserve-digests', args.srcimg,
+                           f"oci-archive:{target}"])
+
+
+def skopeo_inspect(image):
+    return json.loads(subprocess.check_output(['skopeo', 'inspect', '-n', image]))
+
+
+def generate_manifest_json(tmpd, ociarchive, name, buildid, arch):
+    manifest = subprocess.check_output(["skopeo", "inspect", "--raw", f"oci-archive:{ociarchive}"])
+
+    ostree_oci_manifest_path = f"{name}-{buildid}-ostree.{arch}-manifest.json"
+    manifest_json_dest = f'{tmpd}/manifest.json'
+
+    manifest_json_sha256 = None
+    manifest_json_size = None
+    with open(manifest_json_dest, 'wb') as manifest_json:
+        manifest_json.write(manifest)
+        os.fchmod(manifest_json.fileno(), S_IREAD | S_IRGRP | S_IROTH)
+
+        manifest_json_sha256 = sha256sum_file(manifest_json_dest)
+        manifest_json_size = os.path.getsize(manifest_json_dest)
+
+    manifest_metadata = {
+        'path': ostree_oci_manifest_path,
+        'sha256': manifest_json_sha256,
+        'size': manifest_json_size,
+        "skip-compression": True,
+    }
+
+    return {
+        'metadata': manifest_metadata,
+        'src_path': manifest_json_dest
+    }
+
+
+def parse_timestamp(timestamp):
+    # datetime's doesn't support nanoseconds.
+    # So trim it.
+    if len(timestamp) > 26 and timestamp[19] == '.':
+        timestamp = timestamp[:26] + "Z"
+
+    timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%S.%fZ')
+    return rfc3339_time(timestamp.replace(tzinfo=datetime.timezone.utc))
+
+
+def generate_meta_json(ociarchive, metadata, oci_manifest, name):
+    archive_sha256sum = sha256sum_file(ociarchive)
+
+    # let raise if missing
+    assert metadata['Labels']['containers.bootc'] == '1'
+
+    buildid = metadata['Labels']['org.opencontainers.image.version']
+    arch = get_basearch()
+    created_timestamp = parse_timestamp(metadata['Created'])
+
+    meta_json = {
+        'ostree-version': buildid,  # proxy version label
+        'buildid': buildid,  # also version label
+        'coreos-assembler.build-timestamp': created_timestamp,  # proxy OCI build timestamp
+        'coreos-assembler.oci-imported': True,
+        'name': name,
+        'ostree-timestamp': created_timestamp,
+        'images': {
+            'ostree': {
+                "path": f"{name}-{buildid}-ostree.{arch}.ociarchive",
+                "sha256": archive_sha256sum,
+                "skip-compression": True
+            },
+            'oci-manifest': oci_manifest,
+        },
+        'coreos-assembler.basearch': arch,
+    }
+
+    return meta_json
+
+
+def ostree_import(parent_tmpd, ociarchive, buildid):
+    with tempfile.TemporaryDirectory(dir=parent_tmpd) as tmpd:
+        subprocess.check_call(['ostree', 'init', '--repo', tmpd, '--mode=bare-user'])
+
+        # import all the blob refs for more efficient import into bare-user repo
+        blob_refs = subprocess.check_output(['ostree', 'refs', '--repo', 'tmp/repo',
+                                             '--list', 'ostree/container/blob'],
+                                            encoding='utf-8').splitlines()
+        if len(blob_refs) > 0:
+            subprocess.check_call(['ostree', 'pull-local', '--repo', tmpd, 'tmp/repo'] + blob_refs)
+
+        subprocess.check_call(['ostree', 'container', 'image', 'pull', tmpd,
+                               f'ostree-unverified-image:oci-archive:{ociarchive}'])
+
+        # awkwardly work around the fact that there is no --write-ref equivalent
+        refs = subprocess.check_output(['ostree', 'refs', '--repo', tmpd,
+                                        '--list', 'ostree/container/image'],
+                                       encoding='utf-8').splitlines()
+        assert len(refs) == 1
+        subprocess.check_call(['ostree', 'refs', '--repo', tmpd, refs[0], '--create', buildid])
+        subprocess.check_call(['ostree', 'refs', '--repo', 'tmp/repo', buildid, '--delete'])
+        subprocess.check_call(['ostree', 'pull-local', '--repo', 'tmp/repo', tmpd, buildid])
+
+        # export back all the blob refs for more efficient imports of next builds
+        blob_refs = subprocess.check_output(['ostree', 'refs', '--repo', tmpd,
+                                             '--list', 'ostree/container/blob'],
+                                            encoding='utf-8').splitlines()
+        subprocess.check_call(['ostree', 'pull-local', '--repo', 'tmp/repo', tmpd] + blob_refs)
+
+    return subprocess.check_output(['ostree', 'rev-parse', '--repo', 'tmp/repo', buildid], encoding='utf-8').strip()
+
+
+if __name__ == '__main__':
+    main()

src/cosalib/cmdlib.py

@@ -295,12 +295,14 @@ def import_ostree_commit(workdir, buildpath, buildmeta, extract_json=True, parti
               lifetime=LOCK_DEFAULT_LIFETIME):
         repo = os.path.join(tmpdir, 'repo')
         commit = buildmeta['ostree-commit']
+        is_oci_imported = buildmeta.get('coreos-assembler.oci-imported', False)
         tarfile = os.path.join(buildpath, buildmeta['images']['ostree']['path'])
         # create repo in case e.g. tmp/ was cleared out; idempotent
         subprocess.check_call(['ostree', 'init', '--repo', repo, '--mode=archive'])
 
-        # in the common case where we're operating on a recent build, the OSTree
-        # commit should already be in the tmprepo
+        # in the common case where we're operating on a recent build (or
+        # recently imported OCI image), the OSTree commit should already be in
+        # the tmprepo
         commitpartial = os.path.join(repo, f'state/{commit}.commitpartial')
         if (subprocess.call(['ostree', 'show', '--repo', repo, commit],
                             stdout=subprocess.DEVNULL,
@@ -332,8 +334,10 @@ def import_ostree_commit(workdir, buildpath, buildmeta, extract_json=True, parti
         # We do this in two stages, because right now ex-container only writes to
         # non-archive repos.  Also, in the privileged case we need sudo to write
         # to `repo-build`, though it might be good to change this by default.
-        if os.environ.get('COSA_PRIVILEGED', '') == '1':
+        if not is_oci_imported and os.environ.get('COSA_PRIVILEGED', '') == '1':
             build_repo = os.path.join(repo, '../../cache/repo-build')
+            # note: this actually is the same as `container unencapsulate` and
+            # so only works with "pure OSTree OCI" encapsulated commits (legacy path)
             subprocess.check_call(['sudo', 'ostree', 'container', 'import', '--repo', build_repo,
                                    '--write-ref', buildmeta['buildid'],
                                    'ostree-unverified-image:oci-archive:' + tarfile])
@@ -344,9 +348,14 @@ def import_ostree_commit(workdir, buildpath, buildmeta, extract_json=True, parti
         else:
             with tempfile.TemporaryDirectory(dir=tmpdir) as tmpd:
                 subprocess.check_call(['ostree', 'init', '--repo', tmpd, '--mode=bare-user'])
-                subprocess.check_call(['ostree', 'container', 'import', '--repo', tmpd,
-                                       '--write-ref', buildmeta['buildid'],
-                                       'ostree-unverified-image:oci-archive:' + tarfile])
+                if not is_oci_imported:
+                    subprocess.check_call(['ostree', 'container', 'import', '--repo', tmpd,
+                                           '--write-ref', buildmeta['buildid'],
+                                           'ostree-unverified-image:oci-archive:' + tarfile])
+                else:
+                    subprocess.check_call(['ostree', 'container', 'image', 'pull', tmpd,
+                                           f'ostree-unverified-image:oci-archive:{tarfile}'])
+                    subprocess.check_call(['ostree', 'refs', '--repo', tmpd, commit, '--create', buildmeta['buildid']])
                 subprocess.check_call(['ostree', f'--repo={repo}', 'pull-local', tmpd, buildmeta['buildid']])
 
         # Also extract image.json since it's commonly needed by image builds