Module container

§APIs bridging OSTree and container images

This module contains APIs to bidirectionally map between a single OSTree commit and a container image wrapping it. Because container images are just layers of tarballs, this builds on the crate::tar module.

To emphasize this, the current high-level model is a one-to-one mapping: an ostree commit can be exported (wrapped) into a container image, which will have exactly one layer. Upon import back into an ostree repository, all container metadata except for its digested checksum will be discarded.

§Signatures

OSTree supports GPG and ed25519 signatures natively, and it’s expected by default that when booting from a fetched container image, one verifies ostree-level signatures. For ostree, a signing configuration is specified via an ostree remote. To pair this configuration with a container image, this library defines a “URL-like” string schema:

ostree-remote-registry:<remotename>:<containerimage>

A concrete instantiation might be e.g.: ostree-remote-registry:fedora:quay.io/coreos/fedora-coreos:stable

To parse and generate these strings, see OstreeImageReference.
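
The schema above, worked through as an added example in Rust. This is not code from this crate: RemoteRegistryRef, ParseError and parse_remote_registry are hypothetical names, and the input with a registry port is constructed. It splits only at the first separator after the scheme, because the image reference can itself contain ":", and it rejects strings without the scheme so that a bare image name is never accepted without a remote to verify against.

```rust
use std::fmt;

// Hypothetical names for illustration; the library's own type is OstreeImageReference.
const PREFIX: &str = "ostree-remote-registry:";

#[derive(Debug, PartialEq, Eq)]
pub struct RemoteRegistryRef {
    /// ostree remote whose signing configuration is used for verification
    pub remote: String,
    /// container image reference, kept verbatim (may contain ':')
    pub image: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    UnknownScheme,
    EmptyRemote,
    MissingImage,
}

pub fn parse_remote_registry(s: &str) -> Result<RemoteRegistryRef, ParseError> {
    // Fail closed: without the scheme there is no remote to verify against.
    let rest = s.strip_prefix(PREFIX).ok_or(ParseError::UnknownScheme)?;
    // Split at the first ':' only; tags and registry ports stay in the image part.
    let (remote, image) = rest.split_once(':').ok_or(ParseError::MissingImage)?;
    if remote.is_empty() {
        return Err(ParseError::EmptyRemote);
    }
    if image.is_empty() {
        return Err(ParseError::MissingImage);
    }
    Ok(RemoteRegistryRef { remote: remote.to_string(), image: image.to_string() })
}

impl fmt::Display for RemoteRegistryRef {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}{}:{}", PREFIX, self.remote, self.image)
    }
}

fn main() {
    // The page's example, a constructed reference with a registry port, and a bare image.
    for s in [
        "ostree-remote-registry:fedora:quay.io/coreos/fedora-coreos:stable",
        "ostree-remote-registry:fedora:localhost:5000/os:latest",
        "quay.io/coreos/fedora-coreos:stable",
    ] {
        println!("{} -> {:?}", s, parse_remote_registry(s));
    }
}
```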

§Layering

A key feature of container images is support for layering. At the moment, support for this is planned but not implemented.

Modules§

deploy
Perform initial setup for a container image based system root
encapsulate 🔒
APIs for creating container images from OSTree commits
skopeo
Fork skopeo as a subprocess
store
APIs for storing (layered) container images as OSTree commits
unencapsulate 🔒
APIs for “unencapsulating” OSTree commits from container images
update_detachedmeta 🔒

Structs§

Config
Configuration for the generated container.
ExportOpts
Options controlling commit export into OCI
ImageReference
Combination of a remote image reference and transport.
Import
The result of an import operation
ManifestDiff
Represents the difference in layer/blob content between two OCI image manifests.
OstreeImageReference
Combination of a signature verification mechanism, and a standard container image reference.

Enums§

SignatureSource
Policy for signature verification.
Transport
A backend/transport for OCI/Docker images.

Constants§

BOOTC_LABEL
The label for bootc.
COMPONENT_SEPARATOR 🔒
The character we use to separate values in CONTENT_ANNOTATION.
CONTENT_ANNOTATION 🔒
The name of an annotation attached to a layer which names the packages/components which are part of it.
DIFFID_LABEL
The label which indicates where the ostree layers stop, and the derived ones start.
LABEL_VERSION
A commonly used pre-OCI label for versions.
LEGACY_VERSION_LABEL
The label which may be used in addition to the standard OCI label.
OSTREE_COMMIT_LABEL
The label injected into a container image that contains the ostree commit SHA-256.

Functions§

encapsulate
Given an OSTree repository and ref, generate a container image.
fetch_manifest
Download the manifest for a target image and its sha256 digest.
fetch_manifest_and_config
Download the manifest for a target image and its sha256 digest, as well as the image configuration.
labels_of 🔒
Convenience helper to return the labels, if present.
merge_default_container_proxy_opts
Apply default configuration for container image pulls to an existing configuration. For example, if authfile is not set, and auth_anonymous is false, and a global configuration file exists, it will be used.
merge_default_container_proxy_opts_with_isolation
Apply default configuration for container image pulls, with optional support for isolation as an unprivileged user.
unencapsulate
Fetch a container image and import its embedded OSTree commit.
update_detached_metadata
Given an OSTree container image reference, update the detached metadata (e.g. GPG signature) while preserving all other container image metadata.
version_for_config
Retrieve the version number from an image configuration.

Type Aliases§

Result 🔒
Our generic catchall fatal error, expected to be converted to a string to output to a terminal or logs.