From 8c339cf6ec05745975b56039e6309d4c531228cc Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Mon, 28 Oct 2024 20:21:34 +0100
Subject: [PATCH] hermetic: do "podman pull" instead of "podman pull" for bootstrap
The previous `podman load` logic worked almost identically, but if we use `podman pull oci-archive:` instead, we may avoid the additional logic behind `skip_pull` (we simply always pull, even though we are offline). Also, we no longer have to hard-code the `bootstrap_image` to value which is not correct, IOW we no longer "pretend" we build from the original image (e.g., from 'registry.fedoraproject.org/fedora:rawhide') when we actually build from a re-imported bootstrap. And these are not 100% the same images: https://github.com/containers/podman/issues/18809
---
mock/py/mockbuild/buildroot.py | 5 -----
mock/py/mockbuild/config.py | 8 ++++----
mock/py/mockbuild/podman.py | 9 ---------
3 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/mock/py/mockbuild/buildroot.py b/mock/py/mockbuild/buildroot.py
index 3643636c1..385b48455 100644
--- a/mock/py/mockbuild/buildroot.py
+++ b/mock/py/mockbuild/buildroot.py
@@ -277,11 +277,6 @@ def _fallback(message): self.chroot_image, podman.image_id) podman.tag_image() - if self.is_bootstrap and self.config["hermetic_build"]: tarball = os.path.join(self.config["offline_local_repository"], "bootstrap.tar") podman.import_tarball(tarball) - digest_expected = self.config.get("image_assert_digest", None) if digest_expected: getLog().info("Checking image digest: %s",
diff --git a/mock/py/mockbuild/config.py b/mock/py/mockbuild/config.py
index 4056edfe7..0c540bc67 100644
--- a/mock/py/mockbuild/config.py
+++ b/mock/py/mockbuild/config.py
@@ -777,6 +777,10 @@ def process_hermetic_build_config(cmdline_opts, config_opts): f"The {repo_reference} doesn't seem to be a valid " "offline RPM repository (RPM metadata not found)") + # Use the offline image for bootstrapping. + bootstrap_tarball = os.path.join(final_offline_repo, "bootstrap.tar") + config_opts["bootstrap_image"] = f"oci-archive:{bootstrap_tarball}" + config_opts["offline_local_repository"] = final_offline_repo # We install all the packages at once (for now?). We could inherit the
@@ -784,10 +788,6 @@ def process_hermetic_build_config(cmdline_opts, config_opts): # installation command - and we have no groups in the offline repo. config_opts["chroot_setup_cmd"] = "install *" - # The image needs to be prepared on host. Build-systems implementing SLSA 3 - # should make sure the config_opts["bootstrap_image"] is already downloaded. - config_opts["bootstrap_image_skip_pull"] = True - # With hermetic builds, we always assert that we are reproducing the build - # with the same image. config_opts["bootstrap_image_assert_digest"] = data["bootstrap"]["image_digest"]
diff --git a/mock/py/mockbuild/podman.py b/mock/py/mockbuild/podman.py
index a1d714f7b..100c920bd 100644
--- a/mock/py/mockbuild/podman.py
+++ b/mock/py/mockbuild/podman.py
@@ -8,7 +8,6 @@ import backoff from mockbuild.trace_decorator import getLog, traceLog -from mockbuild import util class PodmanError(Exception):
@@ -97,14 +96,6 @@ def tag_image(self): subprocess.run(cmd, env=self.buildroot.env, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True) - def import_tarball(self, tarball): """ Import tarball using podman into the local database. """ getLog().info("Loading container image from %s", tarball) cmd = [self.podman_binary, "load", "-i", tarball] util.do_with_status(cmd, env=self.buildroot.env) - def retry_image_pull(self, max_time): """ Try pulling the image multiple times """ @backoff.on_predicate(backoff.expo, lambda x: not x,
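Review bot: The new `bootstrap_tarball` path is assigned without any validation, while the lines just above it in the same hunk reject an offline repository whose RPM metadata is missing with a clear config-time error; a missing or unreadable `bootstrap.tar` will instead surface later as an opaque podman pull failure on the `oci-archive:` reference. Adding the same kind of check next to the assignment, `if not os.path.isfile(bootstrap_tarball):` followed by a raise of the same error type the metadata check uses with a message naming the path (`f"Bootstrap image {bootstrap_tarball} not found in the offline repository"`), keeps the validation consistent. Since the following hunk drops `bootstrap_image_skip_pull`, the hermetic guarantee now rests on the `oci-archive:` transport reading only the local file and on `bootstrap_image_assert_digest` matching the re-imported image rather than the registry one (the description itself notes these can differ); a comment such as `# oci-archive: is a local-file transport, so the pull stays offline; the digest asserted below must be that of the re-imported image` would record that assumption where a later reader will look for it. `process_hermetic_build_config` starts and continues outside the hunk.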