Use the umoci Go package instead of the command

Makefile

@@ -95,6 +95,7 @@ ifneq "$(INCUS_OFFLINE)" ""
 endif
 	$(GO) get -t -v -u ./...
 	$(GO) get github.com/go-jose/go-jose/v4@v4.0.5
+	$(GO) get github.com/olekukonko/tablewriter@v0.0.5
 	$(GO) mod tidy --go=1.23.7
 	$(GO) get toolchain@none
 

client/oci_images.go

@@ -155,11 +155,6 @@ func (r *ProtocolOCI) GetImageFile(fingerprint string, req ImageFileRequest) (*I
 		return nil, fmt.Errorf("OCI image export currently requires root access")
 	}
 
-	_, err = exec.LookPath("umoci")
-	if err != nil {
-		return nil, fmt.Errorf("OCI container handling requires \"umoci\" be present on the system")
-	}
-
 	// Get some temporary storage.
 	ociPath, err := os.MkdirTemp("", "incus-oci-")
 	if err != nil {
@@ -183,6 +178,8 @@ func (r *ProtocolOCI) GetImageFile(fingerprint string, req ImageFileRequest) (*I
 		req.ProgressHandler(ioprogress.ProgressData{Text: "Retrieving OCI image from registry"})
 	}
 
+	imageTag := "latest"
+
 	stdout, _, err := subprocess.RunCommandSplit(
 		ctx,
 		env,
@@ -192,7 +189,7 @@ func (r *ProtocolOCI) GetImageFile(fingerprint string, req ImageFileRequest) (*I
 		"copy",
 		"--remove-signatures",
 		fmt.Sprintf("%s/%s", strings.Replace(r.httpHost, "https://", "docker://", 1), info.Alias),
-		fmt.Sprintf("oci:%s:latest", filepath.Join(ociPath, "oci")))
+		fmt.Sprintf("oci:%s:%s", filepath.Join(ociPath, "oci"), imageTag))
 	if err != nil {
 		logger.Debug("Error copying remote image to local", logger.Ctx{"image": info.Alias, "stdout": stdout, "stderr": err})
 		return nil, err
@@ -203,14 +200,9 @@ func (r *ProtocolOCI) GetImageFile(fingerprint string, req ImageFileRequest) (*I
 		req.ProgressHandler(ioprogress.ProgressData{Text: "Unpacking the OCI image"})
 	}
 
-	stdout, err = subprocess.RunCommand(
-		"umoci",
-		"unpack",
-		"--keep-dirlinks",
-		"--image", filepath.Join(ociPath, "oci"),
-		filepath.Join(ociPath, "image"))
+	err = unpackOCIImage(filepath.Join(ociPath, "oci"), imageTag, filepath.Join(ociPath, "image"))
 	if err != nil {
-		logger.Debug("Error unpacking OCI image", logger.Ctx{"image": filepath.Join(ociPath, "oci"), "stdout": stdout, "stderr": err})
+		logger.Debug("Error unpacking OCI image", logger.Ctx{"image": filepath.Join(ociPath, "oci"), "err": err})
 		return nil, err
 	}
 

client/oci_util.go

@@ -0,0 +1,11 @@
+//go:build !linux
+
+package incus
+
+import (
+	"fmt"
+)
+
+func unpackOCIImage(imagePath string, imageTag string, bundlePath string) error {
+	return fmt.Errorf("Platform isn't supported")
+}

client/oci_util_linux.go

@@ -0,0 +1,60 @@
+//go:build linux
+
+package incus
+
+import (
+	"fmt"
+
+	"github.com/apex/log"
+	"github.com/opencontainers/umoci"
+	"github.com/opencontainers/umoci/oci/cas/dir"
+	"github.com/opencontainers/umoci/oci/casext"
+	"github.com/opencontainers/umoci/oci/layer"
+
+	"github.com/lxc/incus/v6/shared/logger"
+)
+
+// Custom handler to intercept logs.
+type umociLogHandler struct {
+	Message string
+}
+
+// HandleLog implements a proxy between apex/log and our logger.
+func (h *umociLogHandler) HandleLog(e *log.Entry) error {
+	switch e.Level {
+	case log.DebugLevel:
+		logger.Debug(h.Message, logger.Ctx{"log": e.Message})
+	case log.InfoLevel:
+		logger.Info(h.Message, logger.Ctx{"log": e.Message})
+	case log.WarnLevel:
+		logger.Warn(h.Message, logger.Ctx{"log": e.Message})
+	case log.ErrorLevel:
+		logger.Error(h.Message, logger.Ctx{"log": e.Message})
+	case log.FatalLevel:
+		logger.Panic(h.Message, logger.Ctx{"log": e.Message})
+	default:
+		logger.Error("Unknown umoci log level", logger.Ctx{"log": e.Message})
+	}
+
+	return nil
+}
+
+func unpackOCIImage(imagePath string, imageTag string, bundlePath string) error {
+	// Set the custom handler
+	log.SetHandler(&umociLogHandler{Message: "Unpacking OCI image"})
+	defer log.SetHandler(nil)
+
+	var unpackOptions layer.UnpackOptions
+	unpackOptions.KeepDirlinks = true
+
+	// Get a reference to the CAS.
+	engine, err := dir.Open(imagePath)
+	if err != nil {
+		return fmt.Errorf("Open CAS: %w", err)
+	}
+
+	engineExt := casext.NewEngine(engine)
+	defer func() { _ = engine.Close() }()
+
+	return umoci.Unpack(engineExt, imageTag, bundlePath, unpackOptions)
+}

doc/requirements.md

@@ -38,8 +38,8 @@ LXCFS is strongly recommended to properly report resource consumption inside the
 
 ## OCI
 
-To run OCI containers, Incus currently rely on both `skopeo` and `umoci`.
-Both tools should be available in the user's `PATH`.
+To run OCI containers, Incus currently rely on `skopeo`.
+`skopeo` should be available in the user's `PATH`.
 
 ## QEMU
 

go.mod

@@ -5,6 +5,7 @@ go 1.23.7
 require (
 	github.com/LINBIT/golinstor v0.55.0
 	github.com/adhocore/gronx v1.19.6
+	github.com/apex/log v1.9.0
 	github.com/armon/go-proxyproto v0.1.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/checkpoint-restore/go-criu/v6 v6.3.0
@@ -34,13 +35,14 @@ require (
 	github.com/mdlayher/ndp v1.1.0
 	github.com/mdlayher/netx v0.0.0-20230430222610-7e21880baee8
 	github.com/mdlayher/vsock v1.2.1
-	github.com/miekg/dns v1.1.65
-	github.com/minio/minio-go/v7 v7.0.91
+	github.com/miekg/dns v1.1.66
+	github.com/minio/minio-go/v7 v7.0.92
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/opencontainers/runtime-spec v1.2.1
+	github.com/opencontainers/umoci v0.5.0
 	github.com/openfga/go-sdk v0.7.1
-	github.com/osrg/gobgp/v3 v3.36.0
+	github.com/osrg/gobgp/v3 v3.37.0
 	github.com/ovn-org/libovsdb v0.7.0
 	github.com/pierrec/lz4/v4 v4.1.22
 	github.com/pkg/sftp v1.13.9
@@ -49,7 +51,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
-	github.com/vishvananda/netlink v1.3.0
+	github.com/vishvananda/netlink v1.3.1
 	github.com/zitadel/oidc/v3 v3.38.1
 	go.starlark.net v0.0.0-20250417143717-f57e51f710eb
 	golang.org/x/crypto v0.38.0
@@ -66,16 +68,20 @@ require (
 )
 
 require (
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/Rican7/retry v0.3.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
 	github.com/cenkalti/hub v1.0.2 // indirect
 	github.com/cenkalti/rpc2 v1.0.4 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da // indirect
-	github.com/digitalocean/go-libvirt v0.0.0-20250417173424-a6a66ef779d6 // indirect
+	github.com/digitalocean/go-libvirt v0.0.0-20250512231903-57024326652b // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/donovanhide/eventsource v0.0.0-20210830082556-c59027999da0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/eapache/channels v1.1.0 // indirect
@@ -94,6 +100,7 @@ require (
 	github.com/k-sone/critbitgo v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -103,17 +110,23 @@ require (
 	github.com/minio/crc64nvme v1.0.2 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/muhlemmer/httpforwarded v0.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/common v0.64.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rootless-containers/proto/go-proto v0.0.0-20230421021042-4cd87ebadd67 // indirect
 	github.com/rs/cors v1.11.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -123,20 +136,23 @@ require (
 	github.com/spf13/cast v1.8.0 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+	github.com/urfave/cli v1.22.16 // indirect
+	github.com/vbatts/go-mtree v0.5.4 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/zitadel/logging v0.6.2 // indirect
 	github.com/zitadel/schema v1.3.1 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
+	google.golang.org/grpc v1.72.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	moul.io/http2curl/v2 v2.3.0 // indirect
 )