Add a new container/store module

[cgwalters]

tests: Use --no-bindings for base commit

Since we're not meaning to fetch this via libostree, using
bindings inhibits native pulls for forthcoming container copy
work.

---

Add a new container/store module

The initial scope of this project was just "encapsulating" ostree
commits in containers.

However, when doing that a very, very natural question arises:
Why not support deriving from that base image container, and
have the tooling natively support importing it?

This initial prototype code implements that. Here, we still use
the tar::import path for the base image - we expect it to have
a pre-generated ostree commit.

This new container::store module processes layered images and
generates (client side) ostree commits from the tar layers.

There's a whole lot of new infrastructure we need around mapping
ostree refs to blobs and images, etc.

---

[cgwalters]

This will close #12 once it has more tests and validation.

[cgwalters]

Open design question: right now I'm trying to strongly differentiate non-layered (i.e. pure ostree encapsulation, ideally GPG signed) from layered (from e.g. Dockerfile style build). But, does that make sense? Should we have a --layered option, or should we just drop the distinction and automatically apply a layered container if we're pointed at one?

[cgwalters]

Rebased 🏄 - now depends on #102

And when I tried this in the real world, I hit error: Preparing /etc: Tree contains both /etc and /usr/etc precisely because containers/buildah#3523

[root@cosa-devsh ~]# ostree ls d799d4ce5c3184774d6e73767d9fbb2e26b9d11d8669b252a70d616d44a791c5 /etc
d00755 0 0      0 /etc
-00700 0 0      0 /etc/resolv.conf
[root@cosa-devsh ~]# 

So we need to teach our tar importer to drop that junk.

[cgwalters]

OK upgrades don't work yet, we're not storing tags correctly.

[cgwalters]

OK upgrades don't work yet, we're not storing tags correctly.

Fixed

[cgwalters]

Trying to use this to deploy the initial container, we also need a copy API I think so we can schlep the already-downloaded container from the cosa side into the VM without re-pulling.

This also ties into #115

[cgwalters]

OK lifting draft on this. There's a huge amount of stuff left to do, but I think iterating on main will be better than having this sit in a PR.

[lucab]

LGTM, though I think @travier was going through reviewing this right now too, so could wait a bit before merging.

[lucab]

I do understand the problem behind this, but I'm a bit less sure about the nuances/ramifications of it.
Are ref-bindings going to be problematic in the general case when we try to unencapsulate/import arbitrary commits built from an existing pipeline we don't control (yocto/endless/etc)?

[lucab]

Just a general note that this module has a bunch of for loops where the inner body is already fully async, but the current await arrangement follows head-of-line blocking. Those should be easy places where to win some speedup through concurrency, it would be good to mark them with clear TODO or XXX comments.

[cgwalters]

Yeah, though as https://docs.rs/tokio/1/tokio/task/fn.spawn_blocking.html says we should probably use rayon inside loops.

I haven't investigated that.

[lucab]

This seems like a reasonable constraint, at least as a start. I do hope we don't get any usecase going against this, in the future.

[cgwalters]

I think @travier was going through reviewing this right now too, so could wait a bit before merging.

OK, though since this is all experimental, not critical path stuff we can always do post-merge fixups!