-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a new container/store module #99
Conversation
31f75f7
to
a138e92
Compare
This will close #12 once it has more tests and validation. |
Open design question: right now I'm trying to strongly differentiate non-layered (i.e. pure ostree encapsulation, ideally GPG signed) from layered (from e.g. |
a138e92
to
3de4008
Compare
Rebased 🏄 - now depends on #102 And when I tried this in the real world, I hit
So we need to teach our tar importer to drop that junk. |
5ef7337
to
3edff72
Compare
3edff72
to
17b5b80
Compare
OK upgrades don't work yet, we're not storing tags correctly. |
17b5b80
to
da2f279
Compare
Fixed |
aab643e
to
40d6816
Compare
Trying to use this to deploy the initial container, we also need a copy API I think so we can schlep the already-downloaded container from the cosa side into the VM without re-pulling. This also ties into #115 |
d60de71
to
4458215
Compare
4458215
to
a569c94
Compare
OK lifting draft on this. There's a huge amount of stuff left to do, but I think iterating on |
a569c94
to
b6e69f6
Compare
Since we're not meaning to fetch this via libostree, using bindings inhibits native pulls for forthcoming `container copy` work.
The initial scope of this project was just "encapsulating" ostree commits in containers. However, when doing that a very, very natural question arises: Why not support *deriving* from that base image container, and have the tooling natively support importing it? This initial prototype code implements that. Here, we still use the `tar::import` path for the base image - we expect it to have a pre-generated ostree commit. This new `container::store` module processes layered images and generates (client side) ostree commits from the tar layers. There's a whole lot of new infrastructure we need around mapping ostree refs to blobs and images, etc.
b6e69f6
to
944cf76
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, though I think @travier was going through reviewing this right now too, so could wait a bit before merging.
@@ -58,7 +58,7 @@ fn generate_test_repo(dir: &Utf8Path) -> Result<Utf8PathBuf> { | |||
indoc! {" | |||
cd {dir} | |||
ostree --repo=repo init --mode=archive | |||
ostree --repo=repo commit -b {testref} --bootable --add-metadata-string=version=42.0 --gpg-homedir={gpghome} --gpg-sign={keyid} \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do understand the problem behind this, but I'm a bit less sure about the nuances/ramifications of it.
Are ref-bindings going to be problematic in the general case when we try to unencapsulate/import arbitrary commits built from an existing pipeline we don't control (yocto/endless/etc)?
@@ -0,0 +1,383 @@ | |||
//! APIs for storing (layered) container images as OSTree commits |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a general note that this module has a bunch of for
loops where the inner body is already fully async
, but the current await
arrangement follows head-of-line blocking. Those should be easy places where to win some speedup through concurrency, it would be good to mark them with clear TODO
or XXX
comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, though as https://docs.rs/tokio/1/tokio/task/fn.spawn_blocking.html says we should probably use rayon inside loops.
I haven't investigated that.
|
||
/// Import a layered container image | ||
pub async fn import(mut self, import: PreparedImport) -> Result<CompletedImport> { | ||
// First download the base image (if necessary) - we need the SELinux policy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like a reasonable constraint, at least as a start. I do hope we don't get any usecase going against this, in the future.
OK, though since this is all experimental, not critical path stuff we can always do post-merge fixups! |
tests: Use --no-bindings for base commit
Since we're not meaning to fetch this via libostree, using
bindings inhibits native pulls for forthcoming
container copy
work.
Add a new container/store module
The initial scope of this project was just "encapsulating" ostree
commits in containers.
However, when doing that a very, very natural question arises:
Why not support deriving from that base image container, and
have the tooling natively support importing it?
This initial prototype code implements that. Here, we still use
the
tar::import
path for the base image - we expect it to havea pre-generated ostree commit.
This new
container::store
module processes layered images andgenerates (client side) ostree commits from the tar layers.
There's a whole lot of new infrastructure we need around mapping
ostree refs to blobs and images, etc.