hermetic: do "podman pull" instead of "podman pull" for bootstrap

The previous `podman load` logic worked almost identically, but if we
use `podman pull oci-archive:<tarball>` instead, we may avoid the
additional logic behind `skip_pull` (we simply always pull, even though
we are offline).

Also, we no longer have to hard-code the `bootstrap_image` to value
which is not correct, IOW we no longer "pretend" we build from the
original image (e.g., from 'registry.fedoraproject.org/fedora:rawhide')
when we actually build from a re-imported bootstrap.  And these are not
100% the same images: containers/podman#18809

mock/py/mockbuild/buildroot.py

@@ -277,11 +277,6 @@ def _fallback(message):
                                   self.chroot_image, podman.image_id)
                 podman.tag_image()
 
-                if self.is_bootstrap and self.config["hermetic_build"]:
-                    tarball = os.path.join(self.config["offline_local_repository"],
-                                           "bootstrap.tar")
-                    podman.import_tarball(tarball)
-
                 digest_expected = self.config.get("image_assert_digest", None)
                 if digest_expected:
                     getLog().info("Checking image digest: %s",

mock/py/mockbuild/config.py

@@ -777,17 +777,17 @@ def process_hermetic_build_config(cmdline_opts, config_opts):
             f"The {repo_reference} doesn't seem to be a valid "
             "offline RPM repository (RPM metadata not found)")
 
+    # Use the offline image for bootstrapping.
+    bootstrap_tarball = os.path.join(final_offline_repo, "bootstrap.tar")
+    config_opts["bootstrap_image"] = f"oci-archive:{bootstrap_tarball}"
+
     config_opts["offline_local_repository"] = final_offline_repo
 
     # We install all the packages at once (for now?).  We could inherit the
     # command from the previous "online" run, but it often employs a group
     # installation command - and we have no groups in the offline repo.
     config_opts["chroot_setup_cmd"] = "install *"
 
-    # The image needs to be prepared on host.  Build-systems implementing SLSA 3
-    # should make sure the config_opts["bootstrap_image"] is already downloaded.
-    config_opts["bootstrap_image_skip_pull"] = True
-
     # With hermetic builds, we always assert that we are reproducing the build
     # with the same image.
     config_opts["bootstrap_image_assert_digest"] = data["bootstrap"]["image_digest"]

mock/py/mockbuild/podman.py

@@ -8,7 +8,6 @@
 
 import backoff
 from mockbuild.trace_decorator import getLog, traceLog
-from mockbuild import util
 
 
 class PodmanError(Exception):
@@ -97,14 +96,6 @@ def tag_image(self):
         subprocess.run(cmd, env=self.buildroot.env, stdout=subprocess.PIPE,
                        stderr=subprocess.PIPE, check=True)
 
-    def import_tarball(self, tarball):
-        """
-        Import tarball using podman into the local database.
-        """
-        getLog().info("Loading container image from %s", tarball)
-        cmd = [self.podman_binary, "load", "-i", tarball]
-        util.do_with_status(cmd, env=self.buildroot.env)
-
     def retry_image_pull(self, max_time):
         """ Try pulling the image multiple times """
         @backoff.on_predicate(backoff.expo, lambda x: not x,