ostree: new transport

[giuseppe]

skopeo copy docker://busybox ostree:foo:latest@/ostree/repo

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

[mtrmac]

Thanks!

From a very quick first pass, this looks pretty good. Figuring out what is the canonical reference form and the namespace hierarchy, if any, is the major outstanding design work. Other than that, just a handful of small nits.

[mtrmac]

Isn’t there a native method to get the hex value without the algorithm ID? And this does need a check that the hash actually uses SHA256.

[mtrmac]

Also note that the input digest may be nil. An initial implementation may just fail in that case, fully general would be to create a temporary file, and use the computedDigest value.

[mtrmac]

Isn’t there a native method to get the hex value without the algorithm ID?

That’ method is .Hex() already, actually. So, that strings.Replace() should never be needed AFAICT; if it is, something is going wrong elsewhere.

[mtrmac]

(I’m sorry, this has been addressed already.)

[mtrmac]

Should this use computedDigest instead of inputInfo.Digest, which may be unknown?

(Also, this mentions a digest of the same object three times, is that truly necessary?)

[mtrmac]

(Just to be sure, is the untarred filesystem at destinationPath supposed to exist after this command returns, or is it supposed to be temporary?)

[mtrmac]

Ah, it is deleted in .Commit. A comment to that effect here would be nice.

[mtrmac]

Silently ignoring failures seems unsafe

[giuseppe]

I added a comment here, if blob is not in d.blobs then it means the layer was already present and we don't need to import it.

[mtrmac]

There isn’t any check to ensure that the layer was already present. It might also just not have been uploaded, perhaps because the caller is doing it wrong.

But, ultimately, the caller is free to upload a broken image and does not have to be told that it is incomplete, so, this works.

[mtrmac]

The two paths in importBlob, based on isTar, are so different, and each is called exactly once with a constant value of isTar; it might be cleaner to just have two functions (importLayer, importConfig?).

[mtrmac]

Given this, it might be simpler to just fail in NewImageSource.

[runcom]

We could get rid of this altogether I guess (the whole ostree src)

[mtrmac]

Conventionally we use NewReference for calls from Go code which knows the native values, passed as separate parameters, and ParseReference for calls which get a single user-specified string input and parse it into the native Go values.

[mtrmac]

It would be fine (and perhaps preferable) to only store the real values of the components of the reference (repo, image) and not the original string.

[mtrmac]

PolicyConfigurationIdentity really should be in a “canonical” form, and fully explicit (in particular dealing with the @/ostree/repo defaulting.

[mtrmac]

This does not really make sense; for whatever@/my/repo this would return whatever@/my, whatever@.

Designing the hierarchy here so that it makes sense for uses is basically the major outstanding action item for ostreeReference/ostreeTransport. (It would be possible to not have any parent namespaces, only a PolicyConfigurationIdentity.)

[giuseppe]

I added a fixup comment ⬆️ to address all your comments. PutBlob handles also the case when the input digest is nil

[giuseppe]

@mtrmac @runcom is there any other change to address before it could be merged?

I am not 100% happy with using the cli of OSTree, I'll probably rework this in future to use the golang bindings (the golang bindings are not yet stable AFAIK)

[runcom]

We're duplicating this too many. Worth using the official image-spec descriptor type

[giuseppe]

I added a new commit to export Descriptor and use it

[runcom]

We could get rid of this altogether I guess (the whole ostree src)

[mtrmac]

There are different descriptor schemas, and more importantly semantics / content expectations, in various formats (e.g. OCI expects different MediaType values). Name this perhaps Schema2Descriptor, please, to make it clear this is format-specific.

[mtrmac]

I am not thrilled about exporting the entire implementation of the private genericManifest interface. Could this type be split into public a pure JSON-marhsallable data structure with no methods, and a private type implementing genericManifest, probably embedding that pure data structure?

[runcom]

haven't fully looked at the code, but why do we need this type to be exported at all? is it because ostree pkg needs it? we could move this under manifest/ I guess

[giuseppe]

@runcom yes, I am exporting this type so that it could be used by OSTree, as it needs to parse the manifest to get the config and the layers

[runcom]

Ack, we'll, maybe we really need to export those in the manifest pkg (not as part of this PR). @mtrmac wdyt?

[giuseppe]

@runcom is it then fine if I drop the second patch from this PR and leave the OSTree refactoring for later?

[mtrmac]

Having a single schema2 data structure in the manifest package, used by all of docker/daemon, docker_schema1.go, docker_schema2.go, and the autodetection in manifest/manifest.go, does sound great.

[mtrmac]

(This can be a separate PR, but if we are doing this, let’s actually do that instead of making the image/docker_schema2.go version public now.)

[mtrmac]

(I’m sorry, this has been addressed already.)

[mtrmac]

d.manifest is already a string, no need to cast it here. (Or perhaps make d.manifest a []byte, which is more natural, and keep the cast here. Either works.

[mtrmac]

There isn’t any check to ensure that the layer was already present. It might also just not have been uploaded, perhaps because the caller is doing it wrong.

But, ultimately, the caller is free to upload a broken image and does not have to be told that it is incomplete, so, this works.

[mtrmac]

Thanks for the updates. This is a fairly detailed look, i.e. hopefully no big surprises outstanding.

The reference naming and policy identity, in particular the treatment of .repo, remain the major outstanding point.

[mtrmac]

return nil, errors.New("Reading ostree: images is currently not supported")

or something like that, please, to keep the contract. Silently returning nil would cause the caller to crash.

[mtrmac]

This is now unused.

[mtrmac]

AFAICS repo is only used in PolicyConfigurationIdentity, in particular it does not affect the filesystem paths and it is not passed to the ostree subprocesses at all. What is it supposed to affect?

[giuseppe]

thanks for the catch, repo must be passed to each invocation of ostree, as --repo=$REPO

[mtrmac]

Move this check one line up.

[mtrmac]

Should this return ref.image? That would allow creating signatures when copying to ostree:.

[mtrmac]

So, all of encodeOStreeRef(d.ref.image.String()) is a temporary directory until commit. (Abstracting from its location), shouldn’t it actually be deleted in ostreeImageDestination.Close, so that the data does not lay around if the caller aborts and never calls Commit?

[mtrmac]

ping?

[mtrmac]

This is still outstanding AFAICS

[mtrmac]

Actually, is there a benefit to deferring the import to this point at all? PutBlob could store the data directly, perhaps without an on-disk temporary copy of the tarball sized in hundreds of megabytes. I suppose the difficulty would be in differentiating layer tarballs and the config?

This does work fine, just a suggestion to consider whether that makes sense.

[giuseppe]

yes, I was storing the file immediately before, but then I changed to do it here as we know what must be stored as a tarball and what instead in the metadata. We could try to detect if the file is a .tar in the PutBlob function, but I think doing it here is cleaner (at the expense of keeping them)

[mtrmac]

(Due to the impact on signatures we generally want as close to 100% code coverage for the ImageTransport and ImageReference implementations as possible, but that will obviously wait until the formats and semantics are nailed down—and I can write that.)

[mtrmac]

Still outstanding. I’ll take a stab at this.

[mtrmac]

… not yet, this is blocked on the repo/image hierarchy and naming decision.

[giuseppe]

I pushed a new version. I changed the repo/image hierarchy separator to be ':' as I found '@' to be confusing (we already use @ for "image@repo")

[mtrmac]

This is unused.

[mtrmac]

This is always called as encodeOStreeRef(ref.image.String()). It seems that this should be a method on ImageReference, like e.g. manifestPath below.

[mtrmac]

(Making encodeOSTreeRef a method the way manifestPath would be more consistent, but this does work fine.)

[mtrmac]

BTW ostree seems to also accept separate parameters without the =e.g. […, "--repo, d.ref.repo, …]. That would allow getting rid of all of these fmt.Sprintf` calls.

[mtrmac]

I know very little about ostree; is there anywhere I can read up on this issue?

What you seem to be saying is that at the time of storing an image into the ostree repo, the writer must use the “correct” SELinux types, but the writer does not know where the reader will check out the image, .e. the writer can not know what the “correct” types are?! If so, how is atomic better positioned to know this?

[giuseppe]

atomic knows where the files will be checked out since checkout_path can be overriden in the atomic.conf file.

When we commit a directory to OSTree, OSTree stores each file by its checksum, the checksum includes also the xattrs of the file, this is why we need to store it with the correct SELinux labels. When we extract the .tar of a layer, we need to do that to a directory where we know it will get the right SELinux labels.

We could use /var/lib/containers/atomic for the temporary directory (as this directory is used in containers-selinux) fo files to get the right labels, but I'd prefer that we are not going to hardcode this path in containers/image as well: 1) the atomic tool will still be the owner of that directory and its subdirectories 2) keep the freedom to change it (if necessary) from atomic and containers-selinux only.

@rhatdan what do you think of this?

Using the current working directory seemed like a good compromise to me, otherwise, should we introduce an environment variable to decide where to keep temporary files?

[rhatdan]

I think we might be conflating two different concepts here. OSTRee used for the atomic host so that paths like /usr/bin/docker is labeled container_runtime_t, versus paths in a container for a system container, which probably have no label associated with them. Their is nothing in an OCI image to identify the label of a file path. Pretty much we treat the entire content of a container as a single label
usually something that looks like system_u:object_r:container_file_t:s0:c1,c2.

In the case of system containers it will just be the default label of /var/lib/containers.

[giuseppe]

@rhatdan yes, exactly it will be the label of /var/lib/containers. The decision here to take is to leave to atomic the goal of creating the correct temporary directory and run skopeo from there, or manage the temporary directory from containers/image itself.

non root users can also pull images to their OSTree repository, not shared with the system. So we will have to handle this case as well, as these users have no write access to /var/lib/containers. There is already the logic in atomic to do this, I'd prefer to leave it there and run skopeo in the correct location instead of duplicating and maintaining this logic here as well.

@mtrmac is fine to keep creating the tmp files in the current working directory or is it a blocker? Would an environment variable work fine?

[rhatdan]

I think the higher level concepts should stay in atomic command and just use PWD for tmp files.

[mtrmac]

The decision here to take is to leave to atomic the goal of creating the correct temporary directory and run skopeo from there, or manage the temporary directory from containers/image itself.

To step back here, I think containers/image should ideally work stand-alone without the caller having to care about implementation details of the individual transports.

atomic very likely won’t remain the only caller forever: e.g. if we ever set up cri-o to use ostree, we will need this to work without running an atomic command, and it would be nice if cri-o didn’t have to know anything about the ostree implementation details. And it is pretty much a non-starter for a long-running daemon like cri-o to modify per-process (not even per-thread!) global state like the current working directory or environment variables.

If the only cost of this were having to parse atomic.conf in ostreeImageDestination, that seems very much worth it to me.

---

Using the current working directory seemed like a good compromise to me,

This can fail pretty horribly in general; it does not even have to be writable! It may be on a tmpfs and cause the machine run out of memory.

otherwise, should we introduce an environment variable to decide where to keep temporary files?

We have the types.SystemContext mechanism for passing transport-specific options and overrides, and that would be more suitable than per-process environment variables.

---

My preference would be (but I may very well be misunderstanding the problem) to get the temporary directory path by:

1. (Optionally) first checking types.SystemContext.OSTreeTemporaryPath, if it is defined. (Or should that be OSTreeSELinuxContext, to be explicit about what we care about instead of indirectly expressing this as paths?)
2. Otherwise, if defined and available, parse atomic.conf for the checkout_path value.
3. Otherwise use a hard-coded default.

OTOH if you want to keep the current behavior, extracting directly into a temporary directory, I can live with this being an atomic-specific hack slightly less horrible than skopeo layers extracting data into the current directory, which is also an atomic-specific hack; at least we would get the signature support, and hopefully we can improve on this later.

[mtrmac]

OTOH if you want to keep the current behavior, extracting directly into a temporary directory, I can live with this being an atomic-specific hack slightly less horrible than skopeo layers extracting data into the current directory, which is also an atomic-specific hack; at least we would get the signature support, and hopefully we can improve on this later.

This would, at the very least, need a very explicit documentation about this behavior and the expectations on the caller somewhere.

[giuseppe]

@mtrmac, I agree that using the CWD probably is not the best thing to do when using containers/image as a library. I was looking at it only as a replacement for the current skopeo layers. I am fine to change this, just one question, in atomic we will still use Skopeo as a CLI tool, not like a library.

How to specify the backend specific data (types.SystemContext) when using skopeo copy?

[mtrmac]

For skopeo copy it would be a new command-line option, the way SignBy or RemoveSignatures are now.

(As I said above, I can live with using the current working directory, it is still an improvement; just not nearly as big as I’d like.)

[giuseppe]

I added `tmpDirPath' to SystemContext and I use this directory for the temporary files

[giuseppe]

@mtrmac @runcom is this fine to go? I'll start working on the Skopeo changes as soon as it is merged

[giuseppe]

@mtrmac I've cherry picked your commit and done some changes to it

[giuseppe]

I rebased the patch on top of origin/master, but I am seeing some regressions in the Makefile, I opened a separate PR:

#242

[giuseppe]

@mitr is the last version better?

I've opened a WIP PR for Skopeo to add the other bits there:

containers/skopeo#314

[giuseppe]

ping

[giuseppe]

any update on this? @runcom @rhatdan @mtrmac

[rhatdan]

@runcom @mtrmac Can we get this reviewed again?

[mtrmac]

(Notes to self, please ignore.

If I am reading Atomic/syscontainers.py:SystemContainers.{_encode_to_ostree_ref,_convert_to_skopeo} correctly, atomic is currently treating the various Docker-equivalent busybox strings as equivalent for source pulling, and therefore signature verification (not explicitly, but because skopeo… docker://does), but distinct for destination ostree storage (except for adding a default :latest tag). Is there a semantic commitment or merely an UI which mixes two namespaces into a single string?

Also, _encode_to_ostree_ref seems to care about registries but it does not, really, in an observable way; it splits the registry part of a string, if any, but then reconstitutes it into the original form.

What/who ultimately “owns” the OStree ociimage/ (syscontainers.py:OSTREE_OCIIMAGE_PREFIX) namespace and defines the rules?)

[mtrmac]

for signing we should use the same semantics of Docker, since that is the semantic we follow for pulling an image anyway. The extra code that caused confusion was related only to how the image is stored in OSTree itself. This part might change in future and work as Docker, but we will need to sync with atomic so for now I've left the same logic of how "atomic pull --storage ostree" works today. I hope the new version is cleaner as I've moved the OSTree specific bits to their own function.

I can’t quite wrap my head around this, the way I understand it. It’s not really possible for the busybox and docker.io/library/busybox:latest strings to be equivalent for purposes of signature verification, but distinct for purposes of image storage / referring to images locally. If the images are different then their signatures should not be substituable.

---

@giuseppe Reading through syscontainers.py and the surrounding ecosystem, my best guess at the intended interpretation is that for ostree OCI, the references are (a sequence of /-separated fragments, with a mandatory :tag trailer) mapped using _$hex$hex escape mechanism into a single libOSTree fragment (i.e. there are no further OSTree-visible / separators).

Within the above, the only normalization / equivalence classes are formed by the implied :latest suffix. Is that correct?

Also, the namespace used here is intentionally using this encoding and hiding it from the user, i.e. there is no desire to expose all libOSTree names (e.g. those without the ociimages/ prefix in branch name, or those not using the _$hex$hex escaping). Presumably only images using the ociimages/$encoded form are expected to contain the required docker.manifest etc. annotations, so exposing the full libOSTree namespace would not actually be desirable. Is that correct?

Within this context, while (atomic pull $foo) uses $foo for both pulling from registries (using docker/distribution canonicalization, with either the docker.io defaulting, or the atomic repository search semantics) and into libOSTree ociimages/$encoded (using no repository canonicalization, only the :latest default tag), my best guess is that this should be treated as an UI matter (providing a convenient(?) shortcut for the user using a single string for both services), not as a claim that the two services use an equivalent namespace with equivalent rules. That’s at least a possible way to solve the “is equivalent/is not equivalent, at the same time” conundrum. Is that a reasonable way to think about this, or is the intent different?

If so, I can try updating the code in that direction.

---

[Not getting at all into the details of how long names are allowed to be and what are the exact allowed characters in various components and so on; given things like if len(branch_id) == 64 when interpreting existing branches, while not caring about that at all when creating new branches, it’s just not worth it to try to get a precise spec before this PR is finalized. Let’s just do something and either expanding or restricting these details can happen later as bug reports, inevitably, come in.]

[giuseppe]

Yes exactly, we don't want to expose all the OSTree branches as references that are not under the 'ociimage/' namespace. Images that are not ociimage/ are neither OCI layers nor storing the manifest metadata which is needed to recreate the image from its layers. We must handle only the references that are under 'ociimage/'.

Under ociimage/ we maintain both the metadata for the images (where we just store the manifest info), and the OCI layers that are in the form ociimage/$checksum. The mangling used on the image names is needed to circumvent a limitation in the branch names allowed by OSTree).

We actually store and use the full name of the image because we want to be able to use system containers also when the local Docker engine is not running, so we are not using the atomic search semantic. We can change this in future, as long as we keep the ability of running without requiring Docker.

[mtrmac]

@giuseppe Please take a look at https://github.com/mtrmac/image/tree/ostree-not-dockerlike (built on top of your work, rebased. See the commit messages of the individual commits for more details on what/why; then they can all be squashed.

Does this make sense, and correspond to what you want the semantics to be?

(Warning: Completely untested apart from tests passing.)

[giuseppe]

@mtrmac thanks for the extra patches! I've tested them with Skopeo and everything seems to work fine. I've only added one patch to correctly register the OSTree transport.

[mtrmac]

I've only added one patch to correctly register the OSTree transport.

What the… I did notice that you have added the registration in your latest branch, and I remember quite strongly starting the work in that branch (and the presence of ostreeBranchForImage does suggest it’s the latest variant or something very close). I’m afraid I have deleted my WIP branches already, so I have absolutely no idea what I have done to screw this up. Anyway, if this works for you, great.

@runcom PTAL.

[runcom]

LGTM

[mtrmac]

🎉 @giuseppe Please squash the commits and let’s merge this.

[giuseppe]

@mtrmac sure, do you prefer a single commit or any other preference?

[mtrmac]

One commit would work just fine; I don’t know whether there is any other split you may wish to preserve.

[giuseppe]

I've squashed all the commits into a single one ⬆️

[mtrmac]

👍

[runcom]

needs rebase already :(

[rhatdan]

Awesome work.