support "plain" oscontainers

[cgwalters]

The ostree-repo-in-container model is simple to implement and easy to explain, but it can also be quite opaque to people, requiring anyone looking at to be an expert in both containers and ostree and RPM.

One thing we could do would be to do something "rojig" like - make the oscontainer just look like a regular container (perhaps with tweaks), and add the extra data into the container JSON - flatpak's OCI bits do something like this.

My main concern here is around SELinux and xattrs - while container images support this, since there's no other use case for shipping labels in container images, they may get corrupted/lost? But OTOH the whole Docker/OCI ecosystem relies utterly on shipping container images "pristine" because the checksum is over compressed data.

In theory this would let us support people doing in a Dockerfile:

FROM quay.io/openshift/machine-os-content
COPY /path/to/crio.rpm /tmp
RUN rpm -Uvh /tmp/crio.rpm

We'd just need to have rpm-ostree perform labeling for any unlabeled files...i.e. rather than having pivot/MCD pass the content of the filesystem to something more like ostree commit rather than just doing a pull.

[cgwalters]

Another option would be to have the MCD support layering RPMs included in the oscontainer (as well as unpacked filesystem trees). This would be pretty easy.

[cgwalters]

Another thing this would completely fix is people keep asking for a way to easily inspect the oscontainer (for e.g. security scanning). The fact that the RHCOS oscontainer is FROM scratch makes this much harder than it needs to be.

We recently merged changes into RHCOS to make the oscontainer be FROM registry.access.redhat.com/ubi8/ubi:latest which will at least allow it to be run: https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/928

See also coreos/coreos-assembler#1107 which is used for this.

We may backport this change to 4.5 if it works out well.

[cgwalters]

Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a pkglist.txt.

A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:

FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375
as oscontainer
FROM registry.fedoraproject.org/fedora:31
COPY --from=oscontainer /pkglist.txt /root
RUN cat /root/pkglist.txt

[cgwalters]

Also if we try to drive some of the container stuff into rpm-ostree, let's look at sharing code with flatpak flatpak/flatpak#3606

[ashcrow]

Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a pkglist.txt.

A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:

FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375
as oscontainer
FROM registry.fedoraproject.org/fedora:31
COPY --from=oscontainer /pkglist.txt /root
RUN cat /root/pkglist.txt

This is really close to what I have recommended in some threads as well. Only addition was a find call for sidecar rpms >> into pkglist and a sort as well 👍

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale