Skip to content

store: Support importing images without /ostree#887

Merged
cgwalters merged 1 commit intobootc-dev:mainfrom
cgwalters:drop-ostree-requirement
Nov 9, 2024
Merged

store: Support importing images without /ostree#887
cgwalters merged 1 commit intobootc-dev:mainfrom
cgwalters:drop-ostree-requirement

Conversation

@cgwalters
Copy link
Collaborator

@cgwalters cgwalters commented Nov 8, 2024

A sticking point keeping ostree in the picture here for containers was SELinux handling. When we started this effort I'd feared rewriting.

But recently we changed things such that we label derived images using the policy from the final root.

This is a relatively small change in code size and complexity, that allows us to import images that don't have "ostree stuff" in them at all, i.e. there's no /ostree/repo/objects.

The advantage here is that this significantly simplifies constructing base images.

The main disadvantage today for people who build images this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to rework things such that we support security.selinux for example as native xattrs in the tar stream.

@cgwalters
store: Support importing images without /ostree
1770055 
A sticking point keeping ostree in the picture here for
containers was SELinux handling. When we started this
effort I'd feared rewriting.

But recently we changed things such that we label derived images
using the policy from the final root.

This is a relatively small change in code size and complexity,
that allows us to import images that don't have "ostree stuff"
in them at all, i.e. there's no `/ostree/repo/objects`.

The advantage here is that this significantly simplifies
constructing base images.

The main disadvantage today for people who build images
this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to
rework things such that we support `security.selinux` for example
as native xattrs in the tar stream.

Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters cgwalters mentioned this pull request Nov 8, 2024
Open
@cgwalters
Copy link
Collaborator Author

cgwalters commented Nov 8, 2024

This was migrated from ostreedev/ostree-rs-ext#674 btw.

@cgwalters cgwalters mentioned this pull request Nov 8, 2024
Open
jmarrero
jmarrero approved these changes Nov 9, 2024
View reviewed changes
Copy link
Contributor

@jmarrero jmarrero left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

if I understand correctly, there is still a requirement then for the container image to be composefs not just any image can be used? Or any image like ubi could end up being used here?

@cgwalters
Copy link
Collaborator Author

cgwalters commented Nov 9, 2024

if I understand correctly, there is still a requirement then for the container image to be composefs not just any image can be used? Or any image like ubi could end up being used here?

composefs is something we generate client side; it's not directly related except in that today one needs to explicitly turn on ostree-composefs in the container image's content.

Or any image like ubi could end up being used here?

See https://gitlab.com/fedora/bootc/tracker/-/issues/32#note_2201993683 - so yes, one could derive from ubi too.

@cgwalters cgwalters merged commit c49ccec into bootc-dev:main Nov 9, 2024
@cgwalters
Copy link
Collaborator Author

cgwalters commented Dec 11, 2024
edited
Loading

I was asked about this PR recently, and just to clarify: I'd consider this PR "supported" in the sense that we will absolutely fix any bugs that arise, and we do have some tests, but it's just less battle tested than the previous path.

At some point we will probably try to change fedora-bootc to do this by default, but we have to be really cautious because we need to support people upgrading from old systems where the bootc won't support this.

So the overall goal is basically:

  • Make it easier to onboard fresh new base images without /ostree stuff that don't have backcompat concerns
  • Let this support trickle back into existing systems using bootc and test it out more, planning to rework to a new image format when we're confident most systems-being-upgraded-from have the support

(This issue also touches on #640 in that in theory it could help us get out of these bootstrap requirements; the bootc-in-target could handle any fixups)

@cgwalters cgwalters mentioned this pull request Jan 21, 2025
Closed
@frap129 frap129 mentioned this pull request Feb 6, 2025
Open
@cgwalters
Copy link
Collaborator Author

cgwalters commented Mar 20, 2025

To extend the previous comment, we now test the "no ostree in container" flow pretty well too in various places, it's the default output of the https://docs.fedoraproject.org/en-US/bootc/building-custom-base/ flow.

This was referenced May 8, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmarrero jmarrero jmarrero approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cgwalters @jmarrero