Skip to content

add oci pull to images#175

Draft
mac641 wants to merge 23 commits intomasterfrom
oci-puller
Draft

add oci pull to images#175
mac641 wants to merge 23 commits intomasterfrom
oci-puller

Conversation

@mac641
Copy link
Copy Markdown
Contributor

@mac641 mac641 commented Nov 14, 2025
edited
Loading

@mac641 mac641 requested a review from a team as a code owner November 14, 2025 14:27
@mac641
Copy link
Copy Markdown
Contributor Author

mac641 commented Nov 14, 2025

@majst01 okay, so this is what I came up with. Can you do a review, pls?

Besides, I'm wondering if it's suitable to retrieve the oci credentials from env vars. Can you help me out here?

@majst01
Copy link
Copy Markdown
Contributor

majst01 commented Nov 15, 2025

@majst01 okay, so this is what I came up with. Can you do a review, pls?

Besides, I'm wondering if it's suitable to retrieve the oci credentials from env vars. Can you help me out here?

The OCI creadentials should be passed as optional fields from the pixiecore to the metal-hammer:

https://github.com/metal-stack/metal-hammer/blob/master/cmd/pixie-client.go#L14

Ideally a slice of registryconfig which contains the registry url, the username and the password should come from pixiecore.

@mac641 mac641 mentioned this pull request Nov 18, 2025
Open
@mac641
Copy link
Copy Markdown
Contributor Author

mac641 commented Nov 19, 2025

@majst01 does this work? https://github.com/metal-stack/metal-hammer/pull/175/files#diff-cfcd5a78ad9476ee24d7680dd023e71136f329c771d76ae6837ba68320b6379cR37

what does machine.Allocation.Image.URL contain? Is it the full oci url or just the image name, e.g. debian:12?

@majst01
Copy link
Copy Markdown
Contributor

majst01 commented Nov 20, 2025

@majst01 does this work? https://github.com/metal-stack/metal-hammer/pull/175/files#diff-cfcd5a78ad9476ee24d7680dd023e71136f329c771d76ae6837ba68320b6379cR37

what does machine.Allocation.Image.URL contain? Is it the full oci url or just the image name, e.g. debian:12?

It contains the full URL as configured in the image

@mac641 mac641 force-pushed the oci-puller branch 3 times, most recently from 0bfe689 to 7052ccb Compare December 4, 2025 14:24
@mac641 mac641 mentioned this pull request Dec 11, 2025
Open
@mac641 mac641 force-pushed the oci-puller branch 7 times, most recently from ad2bb15 to 2506148 Compare January 16, 2026 11:51
@mac641 mac641 force-pushed the oci-puller branch 2 times, most recently from 57274af to ffebda3 Compare January 28, 2026 14:15
mac641 added 2 commits January 28, 2026 15:21
@mac641
ci: separate oci-pull tests from legacy tests
83c016d 
since they're considered integration tests and can't be run inside
a docker container due to testcontainers-go
@mac641
refactor: address changes requested by @majst01
9036814
@mac641 mac641 requested a review from majst01 January 28, 2026 14:53
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
Comment thread cmd/image/image.go
}

switch hdr.Typeflag {
case tar.TypeDir:
Copy link
Copy Markdown
Contributor

@majst01 majst01 Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unsure if all cases are covered and or relevant.

Other pitfalls might be:

  • files with s-bit set
  • file modes of special files like /etc/shadow /etc/passwd etc.

This should be tested, at least manually, better would be with a automated test ?

majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
Comment thread cmd/image/image_integration_test.go Outdated
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
Comment thread cmd/image/image_integration_test.go Outdated
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
Comment thread cmd/image/image_integration_test.go Outdated
@mac641 mac641 self-assigned this Feb 10, 2026
@mac641
Copy link
Copy Markdown
Contributor Author

mac641 commented Feb 16, 2026

@majst01 So, I've been adding a couple of tests, mainly targeting s-bits and symlinks but it's impossible to test special files like /etc/shadow etc. without root permissions. I was considering an in-memory filesystem like afero as well but this would require dependency injection to work which would end up in a lot of refactoring. I think this is out-of-scope.
What do you think? Shall we skip the special files test? How would you tackle this problem?

@iljarotar iljarotar requested a review from vknabel March 23, 2026 13:17
@mac641 mac641 mentioned this pull request Mar 23, 2026
Open
vknabel
vknabel reviewed Apr 2, 2026
View reviewed changes
Comment thread cmd/image/image.go Outdated
Comment thread cmd/image/image.go Outdated
Comment on lines +40 to +41
i.log.Info("log image ref without oci prefix", "imageRefWithoutOciPrefix", imageRefWithoutOciPrefix)
// Parse the image reference (e.g., docker.io/library/alpine:latest)
Copy link
Copy Markdown

@vknabel vknabel Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
i.log.Info("log image ref without oci prefix", "imageRefWithoutOciPrefix", imageRefWithoutOciPrefix)
// Parse the image reference (e.g., docker.io/library/alpine:latest)

I think the comment and the log message aren't needed here.

Copy link
Copy Markdown
Contributor Author

@mac641 mac641 Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just for testing in the mini-lab. I'd rather keep it until this works but you're right, we don't need in the end.

Comment thread cmd/image/image.go Outdated
Comment thread cmd/install.go
err = img.NewImage(h.log).Burn(h.chrootPrefix, image, h.osImageDestination)
if err != nil {
return nil, err
h.log.Info("log oci config", "ociConfig", ociConfig)
Copy link
Copy Markdown

@vknabel vknabel Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either remove log or rephrase

Copy link
Copy Markdown
Contributor Author

@mac641 mac641 Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also just for testing in the mini-lab. I'll add a TODO comment two both log statements in order to remove it before merging.

Comment thread cmd/image/image_test.go
})
}

// TODO: consider character and block devices -> skipped for now due to root permissions
Copy link
Copy Markdown

@vknabel vknabel Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that a potential afero refactoring is out of scope for this PR. But I think it would be nice to do (I'm not a maintainer though).
These (and the above FIXME and similar cases) would be really important.

Copy link
Copy Markdown
Contributor Author

@mac641 mac641 Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@majst01 what are your thoughts about this?

@mac641 mac641 marked this pull request as draft April 8, 2026 07:56
@vknabel vknabel added the triage This should be talked about in the next planning. label Apr 20, 2026
@Gerrit91 Gerrit91 moved this from In Progress to Upcoming in Development Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@majst01 majst01 majst01 left review comments

@vknabel vknabel vknabel left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

triage This should be talked about in the next planning.

Projects

Development
Status: Upcoming

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mac641 @majst01 @vknabel @Gerrit91