sources/skopeo: support specifying format

achilleas-k · achilleas-k · commit d2b4c3b8b3f7 · 2023-03-10T17:50:20.000+01:00
Support specifying the format of the local archive (or directory) for
the container.  The default is kept as docker-archive for backwards
compatibility.  The 'dir' format will be used to retain signatures and
manifests.
The oci-archive is also added for completeness.  It's the format that
the oci-archive stage produces, so it could be useful to support pulling
and storing this format in the future.

The remove-signatures option is kept only for the docker-archive format.

The final move (os.rename()) at the end of the fetch_one() method now
creates the checksum directory if it doesn't exist and moves the child
archive into it, adding to any existing archives that might exist in
other formats.

The archive name for the docker-archive format remains as
container-image.tar for backwards compatibility, though this can change
with minimal side effects.

Dropped the .tar suffix from the symlink in the skopeo stage since it's
not necessary and the target of the link might be a directory now.
diff --git a/sources/org.osbuild.skopeo b/sources/org.osbuild.skopeo
@@ -12,7 +12,7 @@ import sys
 import tempfile
 
 from osbuild import sources
-from osbuild.util import ctx
+from osbuild.util import containers, ctx
 
 SCHEMA = """
 "additionalProperties": false,
@@ -44,6 +44,12 @@ SCHEMA = """
               "tls-verify": {
                 "type": "boolean",
                 "description": "Require https (default true)."
+              },
+              "format": {
+                "type": "string",
+                "enum": ["docker-archive", "oci-archive", "dir"],
+                "description": "The storage format to use when copying to the osbuild store",
+                "default": "docker-archive"
               }
             }
           }
@@ -75,25 +81,27 @@ class SkopeoSource(sources.SourceService):
         digest = image["digest"]
         tls_verify = image.get("tls-verify", True)
 
+        # We use the docker format by default, not oci, because that is the default return image type of real world
+        # registries, allowing the image to get the same image if as if you did "podman pull" (rather than converting
+        # the image to oci format, changing the id).
+        # However, the docker format doesn't have support for signatures and doesn't retain manifests.
+        archive_format = image.get("format", "docker-archive")
+
         with tempfile.TemporaryDirectory(prefix="tmp-download-", dir=self.cache) as tmpdir:
             archive_dir = os.path.join(tmpdir, "container-archive")
             os.makedirs(archive_dir)
             os.chmod(archive_dir, 0o755)
-            archive_path = os.path.join(archive_dir, "container-image.tar")
 
             source = f"docker://{imagename}@{digest}"
 
-            # We use the docker format, not oci, because that is the
-            # default return image type of real world registries,
-            # allowing the image to get the same image id as if you
-            # did "podman pull" (rather than converting the image to
-            # oci format, changing the id)
-            destination = f"docker-archive:{archive_path}"
+            archive_name = containers.archive_name(archive_format)
+            destination = f"{archive_format}:{archive_dir}/{archive_name}"
 
             extra_args = []
 
-            # The archive format can't store signatures, but we still verify them during download
-            extra_args.append("--remove-signatures")
+            if archive_format == "docker-archive":
+                # The docker-archive format can't store signatures, but we still verify them during download
+                extra_args.append("--remove-signatures")
 
             if not tls_verify:
                 extra_args.append("--src-tls-verify=false")
@@ -111,12 +119,14 @@ class SkopeoSource(sources.SourceService):
                 raise RuntimeError(
                     f"Downloaded image {imagename}@{digest} has a id of {downloaded_id}, but expected {image_id}")
 
-            # Atomically move download dir into place on successful download
+            # Atomically move download archive into place on successful download
             with ctx.suppress_oserror(errno.ENOTEMPTY, errno.EEXIST):
-                os.rename(archive_dir, f"{self.cache}/{image_id}")
+                os.makedirs(f"{self.cache}/{image_id}", exist_ok=True)
+                os.rename(f"{archive_dir}/{archive_name}", f"{self.cache}/{image_id}/{archive_name}")
 
     def exists(self, checksum, desc):
-        return os.path.isfile(f"{self.cache}/{checksum}/container-image.tar")
+        archive_name = containers.archive_name(desc["image"].get("format", "docker-archive"))
+        return os.path.exists(f"{self.cache}/{checksum}/{archive_name}")
 
 
 def main():
diff --git a/stages/org.osbuild.skopeo b/stages/org.osbuild.skopeo
@@ -82,7 +82,7 @@ def main(inputs, output, options):
         # treats them special, like e.g. /some/path:tag, so we make a symlink to the real name
         # and pass the symlink name to skopeo to make it work with anything
         with tempfile.TemporaryDirectory() as tmpdir:
-            linkname = os.path.join(tmpdir, "image.tar")
+            linkname = os.path.join(tmpdir, "image")
             os.symlink(source, linkname)
 
             if container_format == "docker-archive":
