oscontainer-deprecated-legacy-format: use runvm not nested containers

jmarrero · jmarrero · commit d4535356f289 · 2022-10-03T15:31:59.000-04:00
This also changes the push to create a oci-archive that will then be
pushed with `cosa push-container-manifest` by the pipeline.
diff --git a/src/build-legacy-oscontainer.sh b/src/build-legacy-oscontainer.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1091
+set -euo pipefail
+# Start VM and call buildah
+. /usr/lib/coreos-assembler/cmdlib.sh; prepare_build
+. /usr/lib/coreos-assembler/cmdlib.sh
+runvm -- /usr/lib/coreos-assembler/oscontainer-deprecated-legacy-format.py "$@"
diff --git a/src/cmd-upload-oscontainer-deprecated-legacy-format b/src/cmd-upload-oscontainer-deprecated-legacy-format
@@ -101,19 +101,24 @@ if args.arch_tag:
 # every time we want to poll.
 # TODO: Remove --from
 digestfile = "tmp/oscontainer-digest"
-# We need to pass the auth file from the unpriv user to the root process
-cosa_argv = ['sudo', '--preserve-env=container,DISABLE_TLS_VERIFICATION,SSL_CERT_DIR,SSL_CERT_FILE,REGISTRY_AUTH_FILE,OSCONTAINER_CERT_DIR']
-authfile = os.environ.get("REGISTRY_AUTH_FILE", os.path.expanduser('~/.docker/config.json'))
-if not os.path.isfile(authfile):
-    raise SystemExit(f"Missing {authfile}")
-os.environ['REGISTRY_AUTH_FILE'] = authfile
-cosa_argv.extend(['/usr/lib/coreos-assembler/oscontainer.py', '--workdir=./tmp', 'build',  f"--from={args.from_image}"])
+print("Entering vm to build oscontainer for build: {}".format(latest_build))
+arguments = ''
 for d in args.add_directory:
-    cosa_argv.append(f"--add-directory={d}")
-cosa_argv.append(f"--display-name={display_name}")
+    arguments = arguments + (f' --add-directory="{d}"')
+arguments = arguments + (f' --display-name="{display_name}"')
 if 'labeled-packages' in configyaml:
     pkgs = ' '.join(configyaml['labeled-packages'])
-    cosa_argv.append(f"--labeled-packages={pkgs}")
+    arguments = arguments + (f' --labeled-packages="{pkgs}"')
+if args.format is not None:
+    arguments = arguments + (f' --format="{args.format}"')
+
+cosa_argv = (['/usr/lib/coreos-assembler/build-legacy-oscontainer.sh', '--workdir=./tmp', 'build', f'--from={args.from_image}'])
+for d in args.add_directory:
+    cosa_argv.append(f'--add-directory="{d}"')
+cosa_argv.append(f'--display-name="{display_name}"')
+if 'labeled-packages' in configyaml:
+    pkgs = ' '.join(configyaml['labeled-packages'])
+    cosa_argv.append(f'--labeled-packages="{pkgs}"')
 if args.format is not None:
     cosa_argv.append(f'--format={args.format}')
 subprocess.check_call(cosa_argv +
diff --git a/src/cosalib/buildah.py b/src/cosalib/buildah.py
@@ -6,11 +6,11 @@
 
 def buildah_base_args(containers_storage=None):
     buildah_base_argv = ['buildah']
-    if containers_storage is not None:
-        buildah_base_argv.append(f"--root={containers_storage}")
     if os.environ.get('container') is not None:
         print("Using nested container mode due to container environment variable")
-        buildah_base_argv.extend(NESTED_BUILD_ARGS)
+        if containers_storage is not None:
+            buildah_base_argv.append(f"--root={containers_storage}")
+            buildah_base_argv.extend(NESTED_BUILD_ARGS)
     else:
         print("Skipping nested container mode")
     return buildah_base_argv
diff --git a/src/oscontainer-deprecated-legacy-format.py b/src/oscontainer-deprecated-legacy-format.py
@@ -207,19 +207,8 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
         subprocess.call(buildah_base_argv + ['rm', bid], stdout=subprocess.DEVNULL)
 
     if push:
-        print("Pushing container")
+        print("Pushing container to oci-archive")
         podCmd = buildah_base_argv + ['push']
-        if not tls_verify:
-            tls_arg = '--tls-verify=false'
-        else:
-            tls_arg = '--tls-verify'
-        podCmd.append(tls_arg)
-
-        if authfile != "":
-            podCmd.append("--authfile={}".format(authfile))
-
-        if cert_dir != "":
-            podCmd.append("--cert-dir={}".format(cert_dir))
 
         if digestfile is not None:
             podCmd.append(f'--digestfile={digestfile}')
@@ -229,6 +218,8 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
 
         podCmd.append(image_name_and_tag)
 
+        podCmd.append(f'oci-archive:{builddir}/{image_name_and_tag}')
+
         cmdlib.runcmd(podCmd)
     elif digestfile is not None:
         inspect = run_get_json(buildah_base_argv + ['inspect', image_name_and_tag])[0]
diff --git a/src/vmdeps.txt b/src/vmdeps.txt
@@ -20,6 +20,9 @@ selinux-policy selinux-policy-targeted policycoreutils
 # coreos-assembler
 python3 python3-gobject-base buildah podman skopeo iptables iptables-libs
 
+# legacy-oscontainer
+python3-pyyaml python3-botocore python3-flufl-lock python3-tenacity
+
 # luks
 cryptsetup
 # filesystems/storage
