Add cosa import

This command takes as argument a `containers-transport(5)`-style pullspec
and creates a new cosa build dir from it. It essentially bridges the gap
between coreos/fedora-coreos-config#3348 and the
rest of the cosa pipeline.

Co-authored-by: Jonathan Lebon <[email protected]>

Author: PeaceRebel

cmd/coreos-assembler.go

@@ -13,7 +13,7 @@ import (
 
 // commands we'd expect to use in the local dev path
 var buildCommands = []string{"init", "fetch", "build", "osbuild", "run", "prune", "clean", "list"}
-var advancedBuildCommands = []string{"buildfetch", "buildupload", "oc-adm-release", "push-container"}
+var advancedBuildCommands = []string{"import", "buildfetch", "buildupload", "oc-adm-release", "push-container"}
 var buildextendCommands = []string{"aliyun", "applehv", "aws", "azure", "digitalocean", "exoscale", "extensions-container", "gcp", "hyperv", "ibmcloud", "kubevirt", "live", "metal", "metal4k", "nutanix", "openstack", "oraclecloud", "qemu", "secex", "virtualbox", "vmware", "vultr"}
 
 var utilityCommands = []string{"aws-replicate", "coreos-prune", "compress", "copy-container", "diff", "koji-upload", "kola", "push-container-manifest", "remote-build-container", "remote-session", "sign", "tag", "update-variant"}

pkg/builds/cosa_v1.go

@@ -1,7 +1,7 @@
 package builds
 
 // generated by 'make schema'
-// source hash: 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146
+// source hash: 40070aa13f4501cb0c6025e1a19e638e823fd9daef234406344482da5bdf5bb5
 
 type AdvisoryDiff []AdvisoryDiffItems
 
@@ -56,6 +56,7 @@ type Build struct {
 	CosaDelayedMetaMerge      bool                  `json:"coreos-assembler.delayed-meta-merge,omitempty"`
 	CosaImageChecksum         string                `json:"coreos-assembler.image-config-checksum,omitempty"`
 	CosaImageVersion          int                   `json:"coreos-assembler.image-genver,omitempty"`
+	CosaImportedOciImage      bool                  `json:"coreos-assembler.oci-imported,omitempty"`
 	Extensions                *Extensions           `json:"extensions,omitempty"`
 	ExtensionsContainer       *PrimaryImage         `json:"extensions-container,omitempty"`
 	FedoraCoreOsParentCommit  string                `json:"fedora-coreos.parent-commit,omitempty"`
@@ -64,15 +65,15 @@ type Build struct {
 	GitDirty                  string                `json:"coreos-assembler.config-dirty,omitempty"`
 	IbmCloud                  []Cloudartifact       `json:"ibmcloud,omitempty"`
 	ImageInputChecksum        string                `json:"coreos-assembler.image-input-checksum,omitempty"`
-	InputHashOfTheRpmOstree   string                `json:"rpm-ostree-inputhash"`
+	InputHashOfTheRpmOstree   string                `json:"rpm-ostree-inputhash,omitempty"`
 	Koji                      *Koji                 `json:"koji,omitempty"`
 	KubevirtContainer         *PrimaryImage         `json:"kubevirt,omitempty"`
 	MetaStamp                 float64               `json:"coreos-assembler.meta-stamp,omitempty"`
 	Name                      string                `json:"name"`
 	Oscontainer               *PrimaryImage         `json:"oscontainer,omitempty"`
-	OstreeCommit              string                `json:"ostree-commit"`
+	OstreeCommit              string                `json:"ostree-commit,omitempty"`
 	OstreeContentBytesWritten int                   `json:"ostree-content-bytes-written,omitempty"`
-	OstreeContentChecksum     string                `json:"ostree-content-checksum"`
+	OstreeContentChecksum     string                `json:"ostree-content-checksum,omitempty"`
 	OstreeNCacheHits          int                   `json:"ostree-n-cache-hits,omitempty"`
 	OstreeNContentTotal       int                   `json:"ostree-n-content-total,omitempty"`
 	OstreeNContentWritten     int                   `json:"ostree-n-content-written,omitempty"`

pkg/builds/schema_doc.go

@@ -1,5 +1,5 @@
 // Generated by ./generate-schema.sh
-// Source hash: 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146
+// Source hash: 40070aa13f4501cb0c6025e1a19e638e823fd9daef234406344482da5bdf5bb5
 // DO NOT EDIT
 
 package builds
@@ -254,11 +254,8 @@ var generatedSchemaJSON = `{
   "required": [
     "buildid",
     "name",
-    "ostree-commit",
-    "ostree-content-checksum",
     "ostree-timestamp",
-    "ostree-version",
-    "rpm-ostree-inputhash"
+    "ostree-version"
   ],
   "optional": [
     "aliyun",
@@ -273,13 +270,16 @@ var generatedSchemaJSON = `{
     "images",
     "koji",
     "oscontainer",
+    "ostree-commit",
+    "ostree-content-checksum",
     "extensions",
     "extensions-container",
     "parent-pkgdiff",
     "pkgdiff",
     "parent-advisories-diff",
     "advisories-diff",
     "release-payload",
+    "rpm-ostree-inputhash",
     "summary",
     "s3",
     "coreos-assembler.basearch",
@@ -297,6 +297,7 @@ var generatedSchemaJSON = `{
     "coreos-assembler.meta-stamp",
     "coreos-assembler.overrides-active",
     "coreos-assembler.yumrepos-git",
+    "coreos-assembeler.oci-imported",
     "fedora-coreos.parent-commit",
     "fedora-coreos.parent-version",
     "ref"
@@ -378,6 +379,12 @@ var generatedSchemaJSON = `{
       "default": "",
       "minLength": 1
     },
+    "coreos-assembler.oci-imported": {
+      "$id": "#/properties/coreos-assembler.oci-imported",
+      "type": "boolean",
+      "title": "COSA imported OCI image",
+      "default": "False"
+    },
     "coreos-assembler.code-source": {
       "$id": "#/properties/coreos-assembler.code-source",
       "type": "string",

src/cmd-coreos-prune

@@ -55,7 +55,7 @@ Build = collections.namedtuple("Build", ["id", "images", "arch", "meta_json"])
 # set metadata caching to 5m
 CACHE_MAX_AGE_METADATA = 60 * 5
 # These lists are up to date as of schema hash
-# 4bb5641ee8c32b122c412cbaefe3d068685ea6cbffcf3162e600a01268c92146. If changing
+# 40070aa13f4501cb0c6025e1a19e638e823fd9daef234406344482da5bdf5bb5. If changing
 # this hash, ensure that the list of SUPPORTED and UNSUPPORTED artifacts below
 # is up to date.
 SUPPORTED = ["amis", "aws-winli", "gcp"]

src/cmd-import

@@ -0,0 +1,165 @@
+#!/usr/bin/python3
+
+import argparse
+import datetime
+import json
+import os
+import subprocess
+import tempfile
+import shutil
+from stat import (
+    S_IREAD,
+    S_IRGRP,
+    S_IROTH)
+from cosalib.builds import Builds
+from cosalib.cmdlib import (
+    rfc3339_time,
+    get_basearch,
+    sha256sum_file)
+
+VALID_NAMES = ["fedora-coreos", "rhcos", "scos"]
+
+
+def main():
+    args = parse_args()
+    with tempfile.TemporaryDirectory(prefix='cosa-import-', dir='tmp') as tmpd:
+        tmp_ociarchive = os.path.join(tmpd, "out.ociarchive")
+
+        metadata = prepare_build(args, tmp_ociarchive)
+
+        name = metadata['Labels']['com.coreos.osname']
+        buildid = metadata['Labels']['org.opencontainers.image.version']
+        arch = get_basearch()
+
+        manifest = generate_manifest_json(tmpd, tmp_ociarchive, name, buildid, arch)
+        meta_json = generate_meta_json(tmp_ociarchive, metadata, manifest['metadata'], name)
+
+        finalize_build(tmp_ociarchive, meta_json, manifest, buildid, arch)
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(prog='cosa import')
+    parser.add_argument("srcimg", metavar='IMAGE',
+                        help="image to import (containers-transports(5) format)")
+    return parser.parse_args()
+
+
+def prepare_build(args, target_ociarchive):
+    import_oci_archive(args, target_ociarchive)
+    return inspect_oci_archive(target_ociarchive)
+
+
+def finalize_build(source_ociarchive, meta_json, manifest, buildid, arch):
+    os.makedirs(f'builds/{buildid}/{arch}/', exist_ok=True)
+
+    archive_name = meta_json['images']['ostree']['path']
+    archive_path = f'builds/{buildid}/{arch}/{archive_name}'
+    # Move ociarchive to build dir
+    shutil.move(source_ociarchive, archive_path)
+
+    # move manifest file
+    manifest_fname = manifest['metadata']['path']
+    shutil.move(manifest['src_path'], f'builds/{buildid}/{arch}/{manifest_fname}')
+
+    with open(f'builds/{buildid}/{arch}/meta.json', 'w') as meta_file:
+        json.dump(meta_json, meta_file, indent=4)
+
+    # Symlink build to latest
+    if os.path.exists('builds/latest'):
+        os.remove('builds/latest')
+    os.symlink(f'{buildid}', 'builds/latest', target_is_directory=True)
+
+    builds = Builds()
+    update_builds_json(builds, buildid, arch)
+
+    print(f'Successfully import oci image to {archive_path}')
+
+
+def update_builds_json(builds, buildid, arch):
+    builds.insert_build(buildid, arch)
+    builds.bump_timestamp()
+    builds.flush()
+
+
+def import_oci_archive(args, target):
+    subprocess.check_call(['skopeo', 'copy', args.srcimg,
+                           f"oci-archive:{target}"])
+
+
+def inspect_oci_archive(image):
+    out = subprocess.check_output(['skopeo', 'inspect',
+                                   f'oci-archive:{image}'])
+    return json.loads(out)
+
+
+def generate_manifest_json(tmpd, ociarchive, name, buildid, arch):
+    manifest = subprocess.check_output(["skopeo", "inspect", "--raw", f"oci-archive:{ociarchive}"])
+
+    ostree_oci_manifest_path = f"{name}-{buildid}-ostree.{arch}-manifest.json"
+    manifest_json_dest = f'{tmpd}/manifest.json'
+
+    manifest_json_sha256 = None
+    manifest_json_size = None
+    with open(manifest_json_dest, 'wb') as manifest_json:
+        manifest_json.write(manifest)
+        os.fchmod(manifest_json.fileno(), S_IREAD | S_IRGRP | S_IROTH)
+
+        manifest_json_sha256 = sha256sum_file(manifest_json_dest)
+        manifest_json_size = os.path.getsize(manifest_json_dest)
+
+    manifest_metadata = {
+        'path': ostree_oci_manifest_path,
+        'sha256': manifest_json_sha256,
+        'size': manifest_json_size,
+        "skip-compression": True,
+    }
+
+    return {
+        'metadata': manifest_metadata,
+        'src_path': manifest_json_dest
+    }
+
+
+def parse_timestamp(timestamp):
+    # datetime's doesn't support nanoseconds.
+    # So trim it.
+    if len(timestamp) > 26 and timestamp[19] == '.':
+        timestamp = timestamp[:26] + "Z"
+
+    timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%S.%fZ')
+    return rfc3339_time(timestamp.replace(tzinfo=datetime.timezone.utc))
+
+
+def generate_meta_json(ociarchive, metadata, oci_manifest, name):
+    archive_sha256sum = sha256sum_file(ociarchive)
+
+    # let raise if missing
+    assert metadata['Labels']['containers.bootc'] == '1'
+
+    buildid = metadata['Labels']['org.opencontainers.image.version']
+    arch = get_basearch()
+    created_timestamp = parse_timestamp(metadata['Created'])
+
+    meta_json = {
+        'ostree-version': buildid,  # proxy version label
+        'buildid': buildid,  # also version label
+        'coreos-assembler.build-timestamp': created_timestamp,  # proxy OCI build timestamp
+        'coreos-assembler.oci-imported': True,
+        'name': name,
+        'ostree-timestamp': created_timestamp,
+        'images': {
+            'ostree': {
+                "path": f"{name}-{buildid}-ostree.{arch}.ociarchive",
+                "sha256": archive_sha256sum,
+                "skip-compression": True
+            },
+            'oci-manifest': oci_manifest,
+        },
+        'coreos-assembler.basearch': arch,
+    }
+
+    return meta_json
+
+
+if __name__ == '__main__':
+    main()

src/cmd-osbuild

@@ -170,17 +170,19 @@ generate_runvm_osbuild_config() {
     fi
     rm -f "${workdir}"/tmp/runvm-osbuild-config-*.json # clean up any previous configs
 
-    # reread these values from the build itself rather than rely on the ones loaded
+    # Ensure that we have the cached unpacked commit
+    import_ostree_commit_for_build "${build}"
+
+    # reread these values from the repo itself rather than rely on the ones loaded
     # by prepare_build since the config might've changed since then
-    ostree_commit=$(meta_key ostree-commit)
+    ostree_commit=$(ostree rev-parse --repo "${tmprepo}" "${build}")
+
     ostree_ref=$(meta_key ref)
     if [ "${ostree_ref}" = "None" ]; then
         ostree_ref=""
     fi
 
     ostree_repo=${tmprepo}
-    # Ensure that we have the cached unpacked commit
-    import_ostree_commit_for_build "${build}"
     # Note this overwrote the bits generated in prepare_build
     # for image_json.  In the future we expect to split prepare_build
     # into prepare_ostree_build and prepare_diskimage_build; the