oscontainer-deprecated-legacy-format: use runvm not nested containers

This also changes the push to create a oci-archive that will then be
pushed with `cosa push-container-manifest` by the pipeline.

Author: jmarrero

src/build-legacy-oscontainer.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1091
+set -euo pipefail
+# Start VM and call buildah
+. /usr/lib/coreos-assembler/cmdlib.sh; prepare_build
+. /usr/lib/coreos-assembler/cmdlib.sh
+runvm -- /usr/lib/coreos-assembler/oscontainer-deprecated-legacy-format.py "$@"

src/cmd-upload-oscontainer-deprecated-legacy-format

@@ -101,19 +101,24 @@ if args.arch_tag:
 # every time we want to poll.
 # TODO: Remove --from
 digestfile = "tmp/oscontainer-digest"
-# We need to pass the auth file from the unpriv user to the root process
-cosa_argv = ['sudo', '--preserve-env=container,DISABLE_TLS_VERIFICATION,SSL_CERT_DIR,SSL_CERT_FILE,REGISTRY_AUTH_FILE,OSCONTAINER_CERT_DIR']
-authfile = os.environ.get("REGISTRY_AUTH_FILE", os.path.expanduser('~/.docker/config.json'))
-if not os.path.isfile(authfile):
-    raise SystemExit(f"Missing {authfile}")
-os.environ['REGISTRY_AUTH_FILE'] = authfile
-cosa_argv.extend(['/usr/lib/coreos-assembler/oscontainer.py', '--workdir=./tmp', 'build',  f"--from={args.from_image}"])
+print("Entering vm to build oscontainer for build: {}".format(latest_build))
+arguments = ''
 for d in args.add_directory:
-    cosa_argv.append(f"--add-directory={d}")
-cosa_argv.append(f"--display-name={display_name}")
+    arguments = arguments + (f' --add-directory="{d}"')
+arguments = arguments + (f' --display-name="{display_name}"')
 if 'labeled-packages' in configyaml:
     pkgs = ' '.join(configyaml['labeled-packages'])
-    cosa_argv.append(f"--labeled-packages={pkgs}")
+    arguments = arguments + (f' --labeled-packages="{pkgs}"')
+if args.format is not None:
+    arguments = arguments + (f' --format="{args.format}"')
+
+cosa_argv = (['/usr/lib/coreos-assembler/build-legacy-oscontainer.sh', '--workdir=./tmp', 'build', f'--from={args.from_image}'])
+for d in args.add_directory:
+    cosa_argv.append(f'--add-directory="{d}"')
+cosa_argv.append(f'--display-name="{display_name}"')
+if 'labeled-packages' in configyaml:
+    pkgs = ' '.join(configyaml['labeled-packages'])
+    cosa_argv.append(f'--labeled-packages="{pkgs}"')
 if args.format is not None:
     cosa_argv.append(f'--format={args.format}')
 subprocess.check_call(cosa_argv +

src/oscontainer-deprecated-legacy-format.py

@@ -20,9 +20,6 @@
 import shutil
 import subprocess
 from cosalib import cmdlib
-from cosalib.buildah import (
-    buildah_base_args
-)
 
 OSCONTAINER_COMMIT_LABEL = 'com.coreos.ostree-commit'
 
@@ -108,7 +105,7 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
     else:
         ostree_version = None
 
-    buildah_base_argv = buildah_base_args(containers_storage)
+    buildah_base_argv = ['buildah']
 
     # In general, we just stick with the default tmpdir set up. But if a
     # workdir is provided, then we want to be sure that all the heavy I/O work
@@ -207,19 +204,8 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
         subprocess.call(buildah_base_argv + ['rm', bid], stdout=subprocess.DEVNULL)
 
     if push:
-        print("Pushing container")
+        print("Pushing container to oci-archive")
         podCmd = buildah_base_argv + ['push']
-        if not tls_verify:
-            tls_arg = '--tls-verify=false'
-        else:
-            tls_arg = '--tls-verify'
-        podCmd.append(tls_arg)
-
-        if authfile != "":
-            podCmd.append("--authfile={}".format(authfile))
-
-        if cert_dir != "":
-            podCmd.append("--cert-dir={}".format(cert_dir))
 
         if digestfile is not None:
             podCmd.append(f'--digestfile={digestfile}')
@@ -229,6 +215,8 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
 
         podCmd.append(image_name_and_tag)
 
+        podCmd.append(f'oci-archive:{builddir}/{image_name_and_tag}')
+
         cmdlib.runcmd(podCmd)
     elif digestfile is not None:
         inspect = run_get_json(buildah_base_argv + ['inspect', image_name_and_tag])[0]

src/vmdeps.txt

@@ -20,6 +20,9 @@ selinux-policy selinux-policy-targeted policycoreutils
 # coreos-assembler
 python3 python3-gobject-base buildah podman skopeo iptables iptables-libs
 
+# legacy-oscontainer
+python3-pyyaml python3-botocore python3-flufl-lock python3-tenacity
+
 # luks
 cryptsetup
 # filesystems/storage