release: build OCI images with shell scripts

This avoids the need for buildah and skopeo for building releases.

Reviewed by:		cpersiva
MFC after:		1 day
Differential Revision:	https://reviews.freebsd.org/D48574

(cherry picked from commit e8a5b9fd73f4f437a03c85e7644daa55652e224b)

release/Makefile.oci

@@ -26,11 +26,7 @@ OCI_TARGETS+= container-image-${_IMG}.txz
 container-image-${_IMG}.txz: ${OCI_DEPS_${_IMG}}
 	# Adjust PATH so that we run pwd_mkdb from the bootstrap tools
 	env PATH=${OBJTOP}/tmp/legacy/bin:${PATH:Q} \
-	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG}
-	skopeo copy \
-		containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \
-		oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH}
-	${XZ_CMD} < ${.OBJDIR}/container-image-${_IMG}.tar > ${.OBJDIR}/container-image-${_IMG}.txz
+	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} container-image-${_IMG}.txz
 .endfor
 
 oci-release: ${OCI_TARGETS}

release/release.sh

@@ -292,44 +292,6 @@ extra_chroot_setup() {
 		fi
 	fi
 
-	if [ ! -z "${WITH_OCIIMAGES}" ]; then
-		# Install buildah and skopeo from ports if the ports tree is available;
-		# otherwise install the pkg.
-		if [ -d ${CHROOTDIR}/usr/ports ]; then
-			# Trick the ports 'run-autotools-fixup' target to do the right
-			# thing.
-			_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
-			REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
-			BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
-			UNAME_r=${REVISION}-${BRANCH}
-			GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS"
-			GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL"
-			GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN"
-			GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2"
-			PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
-			PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
-			PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
-			for _PORT in sysutils/buildah sysutils/skopeo; do
-				eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \
-				     /usr/ports/${_PORT} \
-				     FORCE_PKG_REGISTER=1 deinstall install clean distclean
-			done
-		else
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg install -y sysutils/buildah sysutils/skopeo
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg clean -y
-		fi
-		# Use the vfs storage driver so that this works whether or not
-		# the build directory is on ZFS. The images are small so the
-		# performance difference is negligible.
-		eval chroot ${CHROOTDIR} sed -I .bak -e '/^driver/s/zfs/vfs/' /usr/local/etc/containers/storage.conf
-		# Remove any stray images from previous builds
-		eval chroot ${CHROOTDIR} buildah rmi -af
-	fi
-
 	if [ ! -z "${EMBEDDEDPORTS}" ]; then
 		_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
 		REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)

release/scripts/make-oci-image.sh

@@ -7,21 +7,23 @@ rev=$1; shift
 branch=$1; shift
 arch=$1; shift
 image=$1; shift
+output=$1; shift
 
 major=${rev%.*}
 minor=${rev#*.}
 
 abi=FreeBSD:${major}:${arch}
+ver=${rev}-${branch}-${arch}
 
 echo "Building OCI freebsd${major}-${image} image for ${abi}"
 
 . ${curdir}/tools/oci-image-${image}.conf
 
-init_workdir() {
+init_repo() {
+	local workdir=$1; shift
 	local abi=$1; shift
-	local workdir=$(mktemp -d -t oci-images)
 
-	mkdir ${workdir}/repos
+	mkdir -p ${workdir}/repos
 	cat > ${workdir}/repos/base.conf <<EOF
 FreeBSD-base: {
   url: "file:///usr/obj/usr/src/repo/${abi}/latest"
@@ -30,13 +32,13 @@ FreeBSD-base: {
 }
 EOF
 	cp /etc/pkg/FreeBSD.conf ${workdir}/repos
-	echo ${workdir}
 }
 
+# Install packages using pkg(8) into a container with rootfs at $3
 install_packages() {
 	local abi=$1; shift
 	local workdir=$1; shift
-	local rootdir=$1; shift
+	local rootdir=${workdir}/rootfs
 	if [ ! -d ${rootdir}/usr/share/keys/pkg/trusted ]; then
 		mkdir -p ${rootdir}/usr/share/keys/pkg/trusted
 	fi
@@ -49,15 +51,94 @@ install_packages() {
 	rm -rf ${rootdir}/var/db/pkg/repos
 }
 
-workdir=$(init_workdir ${abi})
+set_cmd() {
+	local workdir=$1; shift
+	oci_cmd="$@"
+}
+
+# Convert FreeBSD architecture to OCI-style. See
+# https://github.com/containerd/platforms/blob/main/platforms.go for details
+normalize_arch() {
+	local arch=$1; shift
+	case ${arch} in
+		i386)
+		       arch=386
+		       ;;
+		aarch64)
+		       arch=arm64
+		       ;;
+		amd64) ;;
+		riscv64) ;;
+		*)
+			echo "Architecture ${arch} not supported for container images"
+			;;
+	esac
+	echo ${arch}
+}
+
+create_container() {
+	local workdir=$1; shift
+	local base_workdir=$1; shift
+	oci_cmd=
+	if [ -d ${workdir}/rootfs ]; then
+		chflags -R 0 ${workdir}/rootfs
+		rm -rf ${workdir}/rootfs
+	fi
+	mkdir -p ${workdir}/rootfs
+	if [ "${base_workdir}" != "" ]; then
+		tar -C ${workdir}/rootfs -xf ${base_workdir}/rootfs.tar.gz
+	fi
+}
+
+commit_container() {
+	local workdir=$1; shift
+	local image=$1; shift
+	local output=$1; shift
+
+	# Note: the diff_id (needed for image config) is the hash of the uncompressed tar
+	tar -C ${workdir}/rootfs --strip-components 1 -cf ${workdir}/rootfs.tar .
+	local diff_id=$(sha256 -q < ${workdir}/rootfs.tar)
+	gzip -f ${workdir}/rootfs.tar
+	local create_time=$(date -u +%Y-%m-%dT%TZ)
+	local root_hash=$(sha256 -q < ${workdir}/rootfs.tar.gz)
+	local root_size=$(stat -f %z ${workdir}/rootfs.tar.gz)
+
+	oci_arch=$(normalize_arch ${arch})
+
+	config=
+	if [ -n "${oci_cmd}" ]; then
+		config=",\"config\":{\"cmd\":[\"${oci_cmd}\"]}"
+	fi
+	echo "{\"created\":\"${create_time}\",\"architecture\":\"${oci_arch}\",\"os\":\"freebsd\"${config},\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:${diff_id}\"]},\"history\":[{\"created\":\"${create_time}\",\"created_by\":\"make-oci-image.sh\"}]}" > ${workdir}/config.json
+	local config_hash=$(sha256 -q < ${workdir}/config.json)
+	local config_size=$(stat -f %z ${workdir}/config.json)
+
+	echo "{\"schemaVersion\":2,\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"config\":{\"mediaType\":\"application/vnd.oci.image.config.v1+json\",\"digest\":\"sha256:${config_hash}\",\"size\":${config_size}},\"layers\":[{\"mediaType\":\"application/vnd.oci.image.layer.v1.tar+gzip\",\"digest\":\"sha256:${root_hash}\",\"size\":${root_size}}],\"annotations\":{}}" > ${workdir}/manifest.json
+	local manifest_hash=$(sha256 -q < ${workdir}/manifest.json)
+	local manifest_size=$(stat -f %z ${workdir}/manifest.json)
+
+	mkdir -p ${workdir}/oci/blobs/sha256
+	echo "{\"imageLayoutVersion\": \"1.0.0\"}" > ${workdir}/oci/oci-layout
+	echo "{\"schemaVersion\":2,\"manifests\":[{\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"digest\":\"sha256:${manifest_hash}\",\"size\":${manifest_size},\"annotations\":{\"org.opencontainers.image.ref.name\":\"freebsd-${image}:${ver}\"}}]}" > ${workdir}/oci/index.json
+	ln ${workdir}/rootfs.tar.gz ${workdir}/oci/blobs/sha256/${root_hash}
+	ln ${workdir}/config.json ${workdir}/oci/blobs/sha256/${config_hash}
+	ln ${workdir}/manifest.json ${workdir}/oci/blobs/sha256/${manifest_hash}
+
+	tar -C ${workdir}/oci --xz --strip-components 1 --no-read-sparse -a -cf ${output} .
+}
+
+# Prefix with "container-image-" so that we can create a unique work area under
+# ${.OBJDIR}. We can assume that make has set our working directory to
+# ${.OBJDIR}.
+workdir=${PWD}/container-image-${image}
+init_repo ${workdir} ${abi}
+
 if [ -n "${OCI_BASE_IMAGE}" ]; then
-	base_image=freebsd${major}-${OCI_BASE_IMAGE}
+	base_workdir=${PWD}/container-image-${OCI_BASE_IMAGE}
 else
-	base_image=scratch
+	base_workdir=
 fi
 
-c=$(buildah from --arch ${arch} ${base_image})
-m=$(buildah mount $c)
+create_container ${workdir} ${base_workdir}
 oci_image_build
-buildah unmount $c
-buildah commit --rm $c freebsd${major}-${image}:latest
+commit_container ${workdir} ${image} ${output}

release/tools/oci-image-dynamic.conf

@@ -7,5 +7,5 @@
 OCI_BASE_IMAGE=static
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m FreeBSD-clibs FreeBSD-openssl-lib
+	install_packages ${abi} ${workdir} FreeBSD-clibs FreeBSD-openssl-lib
 }

release/tools/oci-image-minimal.conf

@@ -8,7 +8,8 @@
 OCI_BASE_IMAGE=dynamic
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m \
+	set_cmd ${workdir} /bin/sh
+	install_packages ${abi} ${workdir} \
 			 FreeBSD-runtime \
 			 FreeBSD-certctl \
 			 FreeBSD-kerberos-lib \

release/tools/oci-image-static.conf

@@ -8,12 +8,13 @@ OCI_BASE_IMAGE=
 
 oci_image_build() {
 	local srcdir=${curdir}/..
+	local m=${workdir}/rootfs
 	mtree -deU -p $m/ -f ${srcdir}/etc/mtree/BSD.root.dist > /dev/null
 	mtree -deU -p $m/var -f ${srcdir}/etc/mtree/BSD.var.dist > /dev/null
 	mtree -deU -p $m/usr -f ${srcdir}/etc/mtree/BSD.usr.dist > /dev/null
 	mtree -deU -p $m/usr/include -f ${srcdir}/etc/mtree/BSD.include.dist > /dev/null
 	mtree -deU -p $m/usr/lib -f ${srcdir}/etc/mtree/BSD.debug.dist > /dev/null
-	install_packages ${abi} ${workdir} $m FreeBSD-caroot FreeBSD-zoneinfo
+	install_packages ${abi} ${workdir} FreeBSD-caroot FreeBSD-zoneinfo
 	cp ${srcdir}/etc/master.passwd $m/etc
 	pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
 	cp ${srcdir}/etc/group $m/etc || return $?