def oscontainer_build(containers_storage, tmpdir, src, ref, image_name_and_tag, base_image, push=False, tls_verify=True, add_directories=[], cert_dir="", authfile="", digestfile=None, display_name=None, labeled_pkgs=[]): r = OSTree.Repo.new(Gio.File.new_for_path(src)) r.open(None) [_, rev] = r.resolve_rev(ref, True) if ref != rev: print("Resolved {} = {}".format(ref, rev)) [_, ostree_commit, _] = r.load_commit(rev) ostree_commitmeta = ostree_commit.get_child_value(0) versionv = ostree_commitmeta.lookup_value( "version", GLib.VariantType.new("s")) if versionv: ostree_version = versionv.get_string() else: ostree_version = None podman_base_argv = ['podman'] buildah_base_argv = ['buildah'] if containers_storage is not None: podman_base_argv.append(f"--root={containers_storage}") buildah_base_argv.append(f"--root={containers_storage}") if os.environ.get('container') is not None: print("Using nested container mode due to container environment variable") podman_base_argv.extend(NESTED_BUILD_ARGS) buildah_base_argv.extend(NESTED_BUILD_ARGS) else: print("Skipping nested container mode") # In general, we just stick with the default tmpdir set up. But if a # workdir is provided, then we want to be sure that all the heavy I/O work # that happens stays in there since e.g. we might be inside a tiny supermin # appliance. if tmpdir is not None: os.environ['TMPDIR'] = tmpdir bid = run_get_string(buildah_base_argv + ['from', base_image]) mnt = run_get_string(buildah_base_argv + ['mount', bid]) try: dest_repo = os.path.join(mnt, 'srv/repo') subprocess.check_call(['mkdir', '-p', dest_repo]) subprocess.check_call([ "ostree", "--repo=" + dest_repo, "init", "--mode=archive"]) # Note that oscontainers don't have refs; we also disable fsync # because the repo will be put into a container image and the build # process should handle its own fsync (or choose not to). print("Copying ostree commit into container: {} ...".format(rev)) run_verbose(["ostree", "--repo=" + dest_repo, "pull-local", "--disable-fsync", src, rev]) for d in add_directories: with os.scandir(d) as it: for entry in it: dest = os.path.join(mnt, entry.name) subprocess.check_call(['/usr/lib/coreos-assembler/cp-reflink', entry.path, dest]) print(f"Copied in content from: {d}") # We use /noentry to trick `podman create` into not erroring out # on a container with no cmd/entrypoint. It won't actually be run. config = ['--entrypoint', '["/noentry"]', '-l', OSCONTAINER_COMMIT_LABEL + '=' + rev] if ostree_version is not None: config += ['-l', 'version=' + ostree_version] base_pkgs = RpmOstree.db_query_all(r, rev, None) for pkg in base_pkgs: name = pkg.get_name() if name in labeled_pkgs: config += ['-l', f"com.coreos.rpm.{name}={pkg.get_evr()}.{pkg.get_arch()}"] # Generate pkglist.txt in to the oscontainer at / pkg_list_dest = os.path.join(mnt, 'pkglist.txt') # should already be sorted, but just re-sort to be sure nevras = sorted([pkg.get_nevra() for pkg in base_pkgs]) with open(pkg_list_dest, 'w') as f: for nevra in nevras: f.write(nevra) f.write('\n') meta = {} builddir = None if os.path.isfile('builds/builds.json'): with open('builds/builds.json') as fb: builds = json.load(fb)['builds'] latest_build = builds[0]['id'] arch = cmdlib.get_basearch() builddir = f"builds/{latest_build}/{arch}" metapath = f"{builddir}/meta.json" with open(metapath) as f: meta = json.load(f) rhcos_commit = meta['coreos-assembler.container-config-git']['commit'] imagegit = meta.get('coreos-assembler.container-image-git') if imagegit is not None: cosa_commit = imagegit['commit'] config += ['-l', f"com.coreos.coreos-assembler-commit={cosa_commit}"] config += ['-l', f"com.coreos.redhat-coreos-commit={rhcos_commit}"] if 'extensions' in meta: tarball = os.path.abspath(os.path.join(builddir, meta['extensions']['path'])) dest_dir = os.path.join(mnt, 'extensions') os.makedirs(dest_dir, exist_ok=True) run_verbose(["tar", "-xf", tarball], cwd=dest_dir) with open(os.path.join(dest_dir, 'extensions.json')) as f: extensions = json.load(f) extensions_label = ';'.join([ext for (ext, obj) in extensions['extensions'].items() if obj.get('kind', 'os-extension') == 'os-extension']) config += ['-l', f"com.coreos.os-extensions={extensions_label}"] for pkgname in meta['extensions']['manifest']: if pkgname in labeled_pkgs: evra = meta['extensions']['manifest'][pkgname] config += ['-l', f"com.coreos.rpm.{pkgname}={evra}"] if display_name is not None: config += ['-l', 'io.openshift.build.version-display-names=machine-os=' + display_name, '-l', 'io.openshift.build.versions=machine-os=' + ostree_version] run_verbose(buildah_base_argv + ['config'] + config + [bid]) print("Committing container...") iid = run_get_string(buildah_base_argv + ['commit', bid, image_name_and_tag]) print("{} {}".format(image_name_and_tag, iid)) finally: subprocess.call(buildah_base_argv + ['umount', bid], stdout=subprocess.DEVNULL) subprocess.call(buildah_base_argv + ['rm', bid], stdout=subprocess.DEVNULL) if push: print("Pushing container") podCmd = podman_base_argv + ['push'] if not tls_verify: tls_arg = '--tls-verify=false' else: tls_arg = '--tls-verify' podCmd.append(tls_arg) if authfile != "": podCmd.append("--authfile={}".format(authfile)) if cert_dir != "": podCmd.append("--cert-dir={}".format(cert_dir)) podCmd.append(image_name_and_tag) if digestfile is not None: podCmd.append(f'--digestfile={digestfile}') run_verbose(podCmd) elif digestfile is not None: inspect = run_get_json(podman_base_argv + ['inspect', image_name_and_tag])[0] with open(digestfile, 'w') as f: f.write(inspect['Digest'])
#!/usr/bin/env python import sys from gi.repository import Gio, OSTree, RpmOstree repopath, ref = sys.argv[1:3] r = OSTree.Repo.new(Gio.File.new_for_path(repopath)) r.open(None) qr = RpmOstree.db_query_all(r, ref, None) print "Package list: " for p in qr: print p.get_nevra() _,removed,added,modold,modnew = RpmOstree.db_diff(r, ref + '^', ref, None) for p in removed: print "D " + p.get_nevra() for p in added: print "A " + p.get_nevra() for o,n in zip(modold, modnew): print "M {0} {1} -> {2}".format(o.get_name(), o.get_evr(), n.get_evr())
#!/usr/bin/env python import sys from gi.repository import Gio, OSTree, RpmOstree repopath, ref = sys.argv[1:3] r = OSTree.Repo.new(Gio.File.new_for_path(repopath)) r.open(None) qr = RpmOstree.db_query_all(r, ref, None) print "Package list: " for p in qr: print p.get_nevra() _, removed, added, modold, modnew = RpmOstree.db_diff(r, ref + '^', ref, None) for p in removed: print "D " + p.get_nevra() for p in added: print "A " + p.get_nevra() for o, n in zip(modold, modnew): print "M {0} {1} -> {2}".format(o.get_name(), o.get_evr(), n.get_evr())
def oscontainer_build(containers_storage, src, ref, image_name_and_tag, base_image, push=False, tls_verify=True, cert_dir="", authfile="", inspect_out=None): r = OSTree.Repo.new(Gio.File.new_for_path(src)) r.open(None) [_, rev] = r.resolve_rev(ref, True) if ref != rev: print("Resolved {} = {}".format(ref, rev)) [_, ostree_commit, _] = r.load_commit(rev) ostree_commitmeta = ostree_commit.get_child_value(0) versionv = ostree_commitmeta.lookup_value("version", GLib.VariantType.new("s")) if versionv: ostree_version = versionv.get_string() else: ostree_version = None rootarg = '--root=' + containers_storage bid = run_get_string(['buildah', rootarg, 'from', base_image]) mnt = run_get_string(['buildah', rootarg, 'mount', bid]) try: dest_repo = os.path.join(mnt, 'srv/repo') subprocess.check_call(['mkdir', '-p', dest_repo]) subprocess.check_call( ["ostree", "--repo=" + dest_repo, "init", "--mode=archive"]) # Note that oscontainers don't have refs print("Copying ostree commit into container: {} ...".format(rev)) run_verbose(["ostree", "--repo=" + dest_repo, "pull-local", src, rev]) # Generate pkglist.txt in to the oscontainer at / pkg_list_dest = os.path.join(mnt, 'pkglist.txt') pkgs = RpmOstree.db_query_all(r, rev, None) # should already be sorted, but just re-sort to be sure nevras = sorted([pkg.get_nevra() for pkg in pkgs]) with open(pkg_list_dest, 'w') as f: for nevra in nevras: f.write(nevra) f.write('\n') # We use /noentry to trick `podman create` into not erroring out # on a container with no cmd/entrypoint. It won't actually be run. config = [ '--entrypoint', '["/noentry"]', '-l', OSCONTAINER_COMMIT_LABEL + '=' + rev ] if ostree_version is not None: config += ['-l', 'version=' + ostree_version] run_verbose(['buildah', rootarg, 'config'] + config + [bid]) print("Committing container...") iid = run_get_string( ['buildah', rootarg, 'commit', bid, image_name_and_tag]) print("{} {}".format(image_name_and_tag, iid)) finally: subprocess.call(['buildah', rootarg, 'umount', bid], stdout=subprocess.DEVNULL) subprocess.call(['buildah', rootarg, 'rm', bid], stdout=subprocess.DEVNULL) if push: print("Pushing container") podCmd = ['podman', rootarg, 'push'] if not tls_verify: tls_arg = '--tls-verify=false' else: tls_arg = '--tls-verify' podCmd.append(tls_arg) if authfile != "": podCmd.append("--authfile={}".format(authfile)) if cert_dir != "": podCmd.append("--cert-dir={}".format(cert_dir)) podCmd.append(image_name_and_tag) run_verbose(podCmd) skopeoCmd = ['skopeo', 'inspect'] if authfile != "": skopeoCmd.append("--authfile={}".format(authfile)) skopeoCmd.append("docker://" + image_name_and_tag) inspect = run_get_json_retry(skopeoCmd) else: inspect = run_get_json( ['podman', rootarg, 'inspect', image_name_and_tag])[0] if inspect_out is not None: with open(inspect_out, 'w') as f: json.dump(inspect, f)