create-legacy-oscontainer: use runvm not nested containers

jmarrero · jmarrero · commit fcaa8771ab5a · 2022-10-11T16:37:31.000-04:00
This also changes the push to create a oci-archive that will
be pushed with `cosa push-container-manifest` by the pipeline.
Renamed upload-oscontainer to create-legacy-oscontainer
as the behavior has changed. The argument `--name` is not
required anymore, before it was being used to pass a repository
now it reads the name from the meta.json by default.
diff --git a/cmd/coreos-assembler.go b/cmd/coreos-assembler.go
@@ -13,7 +13,7 @@ import (
 
 // commands we'd expect to use in the local dev path
 var buildCommands = []string{"init", "fetch", "build", "run", "prune", "clean", "list"}
-var advancedBuildCommands = []string{"buildfetch", "buildupload", "oc-adm-release", "push-container", "upload-oscontainer", "buildextend-extensions"}
+var advancedBuildCommands = []string{"buildfetch", "buildupload", "oc-adm-release", "push-container", "create-legacy-oscontainer", "buildextend-extensions"}
 var buildextendCommands = []string{"aliyun", "aws", "azure", "digitalocean", "exoscale", "gcp", "ibmcloud", "kubevirt", "live", "metal", "metal4k", "nutanix", "openstack", "qemu", "secex", "virtualbox", "vmware", "vultr"}
 var utilityCommands = []string{"aws-replicate", "build-extensions-container", "compress", "generate-hashlist", "koji-upload", "kola", "push-container-manifest", "remote-build-container", "remote-prune", "remote-session", "sign", "update-variant"}
 var otherCommands = []string{"shell", "meta"}
diff --git a/docs/cosa.md b/docs/cosa.md
@@ -71,4 +71,4 @@ Those less commonly used commands are listed here:
 | [supermin-shell](https://github.com/coreos/coreos-assembler/blob/main/src/cmd-supermin-shell) | Get a supermin shell
 | [tag](https://github.com/coreos/coreos-assembler/blob/main/src/cmd-tag) | Operate on the tags in `builds.json`
 | [test-coreos-installer](https://github.com/coreos/coreos-assembler/blob/main/src/cmd-test-coreos-installer) | Automate an end-to-end run of coreos-installer with the metal image
-| [upload-oscontainer](https://github.com/coreos/coreos-assembler/blob/main/src/cmd-upload-oscontainer) | Upload an oscontainer (historical wrapper for `cosa oscontainer`)
+| [create-legacy-oscontainer](https://github.com/coreos/coreos-assembler/blob/main/src/cmd-create-legacy-oscontainer) | Create an oscontainer oci-archive (historical wrapper for `cosa oscontainer`)
diff --git a/gangplank/internal/ocp/worker.go b/gangplank/internal/ocp/worker.go
@@ -394,7 +394,7 @@ func pushOstreeToRegistry(ctx ClusterContext, push *spec.Registry, build *cosa.B
 
 	// pushArgs invokes cosa upload code which creates a named tag
 	pushArgs := []string{
-		"/usr/bin/coreos-assembler", "upload-oscontainer",
+		"/usr/bin/coreos-assembler", "create-legacy-oscontainer",
 		fmt.Sprintf("--name=%s", pushPath),
 	}
 	// copy the pushed image to the expected tag
diff --git a/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/build.go b/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/build.go
diff --git a/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/cosa_v1.go b/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/cosa_v1.go
diff --git a/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/schema_doc.go b/mantle/vendor/github.com/coreos/coreos-assembler/pkg/builds/schema_doc.go
diff --git a/pkg/builds/cosa_v1.go b/pkg/builds/cosa_v1.go
@@ -1,7 +1,7 @@
 package builds
 
 // generated by 'make schema'
-// source hash: 144450d458f89f637ca487d353af3dfd60096ddbf3179da8e2b42b2bd2d0a6eb
+// source hash: 3508b2f150e72b8e24151d870789809cf4070cec6b4716966a4e8bc585e0c5f1
 
 type AdvisoryDiff []AdvisoryDiffItems
 
@@ -101,6 +101,7 @@ type BuildArtifacts struct {
 	Iso                 *Artifact `json:"iso,omitempty"`
 	Kernel              *Artifact `json:"kernel,omitempty"`
 	KubeVirt            *Artifact `json:"kubevirt,omitempty"`
+	LegacyOscontainer   *Artifact `json:"legacy-oscontainer,omitempty"`
 	LiveInitramfs       *Artifact `json:"live-initramfs,omitempty"`
 	LiveIso             *Artifact `json:"live-iso,omitempty"`
 	LiveKernel          *Artifact `json:"live-kernel,omitempty"`
diff --git a/pkg/builds/schema_doc.go b/pkg/builds/schema_doc.go
@@ -1,5 +1,5 @@
 // Generated by ./generate-schema.sh
-// Source hash: 144450d458f89f637ca487d353af3dfd60096ddbf3179da8e2b42b2bd2d0a6eb
+// Source hash: 3508b2f150e72b8e24151d870789809cf4070cec6b4716966a4e8bc585e0c5f1
 // DO NOT EDIT
 
 package builds
@@ -446,6 +446,7 @@ var generatedSchemaJSON = `{
         "digitalocean",
         "exoscale",
         "extensions-container",
+        "legacy-oscontainer",
         "gcp",
         "kubevirt",
         "ibmcloud",
@@ -492,6 +493,12 @@ var generatedSchemaJSON = `{
           "title": "extensions-container",
           "$ref": "#/definitions/artifact"
         },
+        "legacy-oscontainer": {
+          "$id": "#/properties/images/properties/legacy-oscontainer",
+          "type": "object",
+          "title": "legacy-oscontainer",
+          "$ref": "#/definitions/artifact"
+        },
         "qemu": {
           "$id": "#/properties/images/properties/qemu",
           "type": "object",
diff --git a/src/build-legacy-oscontainer.sh b/src/build-legacy-oscontainer.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1091
+set -euo pipefail
+# Start VM and call buildah
+. /usr/lib/coreos-assembler/cmdlib.sh
+prepare_build
+runvm -- /usr/lib/coreos-assembler/oscontainer-deprecated-legacy-format.py "$@"
diff --git a/src/cmd-create-legacy-oscontainer b/src/cmd-create-legacy-oscontainer
@@ -12,24 +12,13 @@ import os
 import shutil
 import subprocess
 import sys
+from cosalib.cmdlib import sha256sum_file
 
 cosa_dir = os.path.dirname(os.path.abspath(__file__))
 sys.path.insert(0, cosa_dir)
 
 from cosalib import cmdlib
 
-parser = argparse.ArgumentParser()
-parser.add_argument("--arch-tag", help="append arch name to push tag",
-                    action='store_true')
-parser.add_argument("--name", help="oscontainer name",
-                    action='store', required=True)
-parser.add_argument("--from", help="Base image", default='scratch',
-                    dest='from_image')
-parser.add_argument("--format", help="Format to use for push")
-parser.add_argument("--add-directory", help="Copy in all content from referenced directory DIR",
-                    metavar='DIR', action='append', default=[])
-
-args = parser.parse_args()
 
 with open('builds/builds.json') as f:
     builds = json.load(f)['builds']
@@ -43,6 +32,20 @@ metapath = f"{latest_build_path}/meta.json"
 with open(metapath) as f:
     meta = json.load(f)
 
+name = meta['name'] + '-' + meta['buildid'] + '-oscontainer.' + arch + '.ociarchive'
+parser = argparse.ArgumentParser()
+parser.add_argument("--arch-tag", help="append arch name to push tag",
+                    action='store_true')
+parser.add_argument("--name", help="oscontainer name",
+                    action='store', default=f'{name}')
+parser.add_argument("--from", help="Base image", default='scratch',
+                    dest='from_image')
+parser.add_argument("--format", help="Format to use for push")
+parser.add_argument("--add-directory", help="Copy in all content from referenced directory DIR",
+                    metavar='DIR', action='append', default=[])
+
+args = parser.parse_args()
+
 # for backcompat, we auto-build extensions if they're missing
 if os.path.exists('src/config/extensions.yaml'):
     if 'extensions' not in meta:
@@ -101,19 +104,15 @@ if args.arch_tag:
 # every time we want to poll.
 # TODO: Remove --from
 digestfile = "tmp/oscontainer-digest"
-# We need to pass the auth file from the unpriv user to the root process
-cosa_argv = ['sudo', '--preserve-env=container,DISABLE_TLS_VERIFICATION,SSL_CERT_DIR,SSL_CERT_FILE,REGISTRY_AUTH_FILE,OSCONTAINER_CERT_DIR']
-authfile = os.environ.get("REGISTRY_AUTH_FILE", os.path.expanduser('~/.docker/config.json'))
-if not os.path.isfile(authfile):
-    raise SystemExit(f"Missing {authfile}")
-os.environ['REGISTRY_AUTH_FILE'] = authfile
-cosa_argv.extend(['/usr/lib/coreos-assembler/oscontainer.py', '--workdir=./tmp', 'build',  f"--from={args.from_image}"])
+print("Entering vm to build oscontainer for build: {}".format(latest_build))
+
+cosa_argv = (['/usr/lib/coreos-assembler/build-legacy-oscontainer.sh', '--workdir=./tmp', 'build', f'--from={args.from_image}'])
 for d in args.add_directory:
-    cosa_argv.append(f"--add-directory={d}")
-cosa_argv.append(f"--display-name={display_name}")
+    cosa_argv.append(f'--add-directory="{d}"')
+cosa_argv.append(f'--display-name="{display_name}"')
 if 'labeled-packages' in configyaml:
     pkgs = ' '.join(configyaml['labeled-packages'])
-    cosa_argv.append(f"--labeled-packages={pkgs}")
+    cosa_argv.append(f'--labeled-packages="{pkgs}"')
 if args.format is not None:
     cosa_argv.append(f'--format={args.format}')
 subprocess.check_call(cosa_argv +
@@ -122,12 +121,12 @@ subprocess.check_call(cosa_argv +
         meta['ostree-commit'],
         osc_name_and_tag])
 
-with open(digestfile) as f:
-    osc_digest = f.read().strip()
-
 # Inject the oscontainer with SHA256 into the build metadata
-meta['oscontainer'] = {'image': args.name,
-                       'digest': osc_digest}
+oci_archive = f"{latest_build_path}/{args.name}"
+meta['images']['legacy-oscontainer'] = {'path': args.name,
+                                        'sha256': sha256sum_file(oci_archive),
+                                        'size': os.path.getsize(oci_archive),
+                                        "skip-compression": True}
 metapath_new = f"{metapath}.new"
 with open(metapath_new, 'w') as f:
     json.dump(meta, f, sort_keys=True)
diff --git a/src/cmd-push-container b/src/cmd-push-container
@@ -1,6 +1,6 @@
 #!/usr/bin/python3 -u
 # Upload the container to a registry.  Note this
-# is distinct from `upload-oscontainer` which
+# is distinct from `create-legacy-oscontainer` which
 # only applies to (hopefully soon only older)
 # versions of RHCOS but not FCOS.
 
diff --git a/src/cmd-upload-oscontainer b/src/cmd-upload-oscontainer
diff --git a/src/oscontainer-deprecated-legacy-format.py b/src/oscontainer-deprecated-legacy-format.py
@@ -108,7 +108,7 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
     else:
         ostree_version = None
 
-    buildah_base_argv = buildah_base_args(containers_storage)
+    buildah_base_argv = buildah_base_args(None)
 
     # In general, we just stick with the default tmpdir set up. But if a
     # workdir is provided, then we want to be sure that all the heavy I/O work
@@ -207,28 +207,25 @@ def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag,
         subprocess.call(buildah_base_argv + ['rm', bid], stdout=subprocess.DEVNULL)
 
     if push:
-        print("Pushing container")
+        print("Saving container to oci-archive")
         podCmd = buildah_base_argv + ['push']
-        if not tls_verify:
-            tls_arg = '--tls-verify=false'
-        else:
-            tls_arg = '--tls-verify'
-        podCmd.append(tls_arg)
-
-        if authfile != "":
-            podCmd.append("--authfile={}".format(authfile))
-
-        if cert_dir != "":
-            podCmd.append("--cert-dir={}".format(cert_dir))
 
         if digestfile is not None:
             podCmd.append(f'--digestfile={digestfile}')
 
         if pushformat is not None:
             podCmd.append(f'--format={pushformat}')
 
+        # Historically upload-oscontainer would require --name which was in our
+        # pipeline a repository URL. Going forward create-legacy-oscontainer
+        # just creates an oci-archive and a url is not a valid name/tag combination.
+        if '/' in image_name_and_tag:
+            image_name_and_tag = image_name_and_tag.rsplit('/', 1)[1]
+
         podCmd.append(image_name_and_tag)
 
+        podCmd.append(f'oci-archive:{builddir}/{image_name_and_tag}')
+
         cmdlib.runcmd(podCmd)
     elif digestfile is not None:
         inspect = run_get_json(buildah_base_argv + ['inspect', image_name_and_tag])[0]
diff --git a/src/v1.json b/src/v1.json
@@ -440,6 +440,7 @@
         "digitalocean",
         "exoscale",
         "extensions-container",
+        "legacy-oscontainer",
         "gcp",
         "kubevirt",
         "ibmcloud",
@@ -486,6 +487,12 @@
           "title": "extensions-container",
           "$ref": "#/definitions/artifact"
         },
+        "legacy-oscontainer": {
+          "$id": "#/properties/images/properties/legacy-oscontainer",
+          "type": "object",
+          "title": "legacy-oscontainer",
+          "$ref": "#/definitions/artifact"
+        },
         "qemu": {
           "$id": "#/properties/images/properties/qemu",
           "type": "object",
@@ -970,4 +977,4 @@
       "$ref": "#/definitions/image"
     }
   }
-}
+}
diff --git a/src/vmdeps.txt b/src/vmdeps.txt
@@ -20,6 +20,9 @@ selinux-policy selinux-policy-targeted policycoreutils
 # coreos-assembler
 python3 python3-gobject-base buildah podman skopeo iptables iptables-libs
 
+# legacy-oscontainer
+python3-pyyaml python3-botocore python3-flufl-lock python3-tenacity
+
 # luks
 cryptsetup
 # filesystems/storage

Original file line number	Diff line number	Diff line change
`@@ -394,7 +394,7 @@ func pushOstreeToRegistry(ctx ClusterContext, push spec.Registry, build cosa.B`
`394`	`394`
`395`	`395`	`// pushArgs invokes cosa upload code which creates a named tag`
`396`	`396`	`pushArgs := []string{`
`397`		`- "/usr/bin/coreos-assembler", "upload-oscontainer",`
	`397`	`+ "/usr/bin/coreos-assembler", "create-legacy-oscontainer",`
`398`	`398`	`fmt.Sprintf("--name=%s", pushPath),`
`399`	`399`	`}`
`400`	`400`	`// copy the pushed image to the expected tag`