public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Filip Schauer <f.schauer@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH container v3 04/13] add support for OCI images as container templates
Date: Thu, 10 Jul 2025 12:31:53 +0200	[thread overview]
Message-ID: <bdalgwsjctbflfmncmi3ropcmm5sjsyr2zd7d6t62fospz3a34@dtnqwtlwmhlu> (raw)
In-Reply-To: <20250709123435.64796-5-f.schauer@proxmox.com>

On Wed, Jul 09, 2025 at 02:34:21PM +0200, Filip Schauer wrote:
> This aims to add basic support for the Open Container Initiative image
> format according to the specification. [0]
> 
> [0] https://github.com/opencontainers/image-spec/blob/main/spec.md
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
> This patch depends on changes made to proxmox-perl-rs in patch 03/13.
> Meaning that proxmox-perl-rs needs to be bumped and a dependency & build
> dependency to libpve-rs-perl needs to be added to debian/control.
> 
> Changed since v2:
> * rebase onto newest master (5a8b3f962f16) and re-format with
>   proxmox-perltidy
> * check whether archive is an OCI image before trying to parse it as one
> 
> Changed since v1:
> * fix entrypoint command missing Cmd
> * set lxc.signal.halt according to StopSignal (Fixes container shutdown)
> 
>  src/PVE/API2/LXC.pm | 96 ++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 86 insertions(+), 10 deletions(-)
> 
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index 28f7fdd..45c5cef 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -19,9 +19,11 @@ use PVE::Storage;
>  use PVE::RESTHandler;
>  use PVE::RPCEnvironment;
>  use PVE::ReplicationConfig;
> +use PVE::RS::OCI;
>  use PVE::LXC;
>  use PVE::LXC::Create;
>  use PVE::LXC::Migrate;
> +use PVE::LXC::Namespaces;
>  use PVE::GuestHelpers;
>  use PVE::VZDump::Plugin;
>  use PVE::API2::LXC::Config;
> @@ -523,19 +525,93 @@ __PACKAGE__->register_method({
>  
>                  eval {
>                      my $rootdir = PVE::LXC::mount_all($vmid, $storage_cfg, $conf, 1);
> +                    my $archivepath = PVE::Storage::abs_filesystem_path($storage_cfg, $archive);

^ This should probably not happen when $archive is '-'.

>                      $bwlimit = PVE::Storage::get_bandwidth_limit(
>                          'restore', [keys %used_storages], $bwlimit,
>                      );
> -                    print "restoring '$archive' now..\n"
> -                        if $restore && $archive ne '-';
> -                    PVE::LXC::Create::restore_archive(
> -                        $storage_cfg,
> -                        $archive,
> -                        $rootdir,
> -                        $conf,
> -                        $ignore_unpack_errors,
> -                        $bwlimit,
> -                    );
> +                    my $is_oci = 0;
> +
> +                    if ($restore && $archive ne '-') {
> +                        print "restoring '$archive' now..\n";
> +                    } elsif ($archivepath =~ /\.tar$/) {
> +                        # Check whether archive is an OCI image
> +                        my $has_oci_layout = 0;
> +                        my $has_index_json = 0;
> +                        my $has_blobs = 0;
> +                        PVE::Tools::run_command(
> +                            ['tar', '-tf', $archivepath],
> +                            outfunc => sub {
> +                                my $line = shift;
> +                                $has_oci_layout = 1 if $line =~ /^oci-layout$/m;
> +                                $has_index_json = 1 if $line =~ /^index\.json$/m;

^ The above 2 comparisons can just use `eq` instead of regexes.

> +                                $has_blobs = 1 if $line =~ /^blobs\//m;
> +                            },
> +                        );
> +
> +                        $is_oci = 1 if $has_oci_layout && $has_index_json && $has_blobs;
> +                    }
> +
> +                    if ($is_oci) {
> +                        # Extract the OCI image
> +                        my ($id_map, undef, undef) = PVE::LXC::parse_id_maps($conf);
> +                        my $oci_config = PVE::LXC::Namespaces::run_in_userns(
> +                            sub {
> +                                PVE::RS::OCI::parse_and_extract_image(
> +                                    $archivepath, $rootdir,
> +                                );
> +                            },
> +                            $id_map,
> +                        );
> +
> +                        # Set the entrypoint and arguments if specified by the OCI image
> +                        my @init_cmd = ();
> +                        push(@init_cmd, @{ $oci_config->{Entrypoint} })
> +                            if $oci_config->{Entrypoint};
> +                        push(@init_cmd, @{ $oci_config->{Cmd} }) if $oci_config->{Cmd};
> +                        if (@init_cmd) {
> +                            my $init_cmd_str = shift(@init_cmd);
> +                            if (@init_cmd) {
> +                                $init_cmd_str .= ' ';
> +                                $init_cmd_str .= join(
> +                                    ' ',
> +                                    map {
> +                                        my $s = $_;
> +                                        $s =~ s/"/\\"/g;
> +                                        qq{"$_"}
> +                                    } @init_cmd,
> +                                );
> +                            }
> +                            if ($init_cmd_str ne '/sbin/init') {
> +                                push @{ $conf->{lxc} }, ['lxc.init.cmd', $init_cmd_str];
> +
> +                                # An entrypoint other than /sbin/init breaks the tty console mode.
> +                                # This is fixed by setting cmode: console
> +                                $conf->{cmode} = 'console';
> +                            }
> +                        }
> +
> +                        push @{ $conf->{lxc} }, ['lxc.init.cwd', $oci_config->{WorkingDir}]
> +                            if ($oci_config->{WorkingDir});
> +
> +                        if (my $envs = $oci_config->{Env}) {
> +                            for my $env (@{$envs}) {
> +                                push @{ $conf->{lxc} }, ['lxc.environment', $env];

^ As mentioned in the lxcfs patch - we cannot do this.
We could copy a small statically linked executable which reads
environment and init.cmd from a file, uses `setenv(3)` for each variable
before running `execv(3) (place them in the container as /.pve.init and
/.pve.env for example)

> +                            }
> +                        }
> +
> +                        my $stop_signal = $oci_config->{StopSignal} // "SIGTERM";
> +                        push @{ $conf->{lxc} }, ['lxc.signal.halt', $stop_signal];
> +                    } else {
> +                        # Not an OCI image, so restore it as an LXC image instead
> +                        PVE::LXC::Create::restore_archive(
> +                            $storage_cfg,
> +                            $archive,
> +                            $rootdir,
> +                            $conf,
> +                            $ignore_unpack_errors,
> +                            $bwlimit,
> +                        );
> +                    }
>  
>                      if ($restore) {
>                          print "merging backed-up and given configuration..\n";
> -- 
> 2.47.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2025-07-10 10:31 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-09 12:34 [pve-devel] [PATCH container/docs/lxcfs/manager/proxmox{, -perl-rs}/storage v3 00/13] support " Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox v3 01/13] io: introduce RangeReader for bounded reads Filip Schauer
2025-07-10  6:04   ` Thomas Lamprecht
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox v3 02/13] add proxmox-oci crate Filip Schauer
2025-07-10  8:46   ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox-perl-rs v3 03/13] add Perl mapping for OCI container image parser/extractor Filip Schauer
2025-07-10 10:39   ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 04/13] add support for OCI images as container templates Filip Schauer
2025-07-10 10:31   ` Wolfgang Bumiller [this message]
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 05/13] config: add entrypoint parameter Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 06/13] configure static IP in LXC config for custom entrypoint Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 07/13] setup: debian: create /etc/network path if missing Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 08/13] setup: recursively mkdir /etc/systemd/{network, system-preset} Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 09/13] manage DHCP for containers with custom entrypoint Filip Schauer
2025-07-09 13:41   ` Filip Schauer
2025-07-10 10:34   ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH lxcfs v3 10/13] lxc.mount.hook: override env variables from container config Filip Schauer
2025-07-10  9:30   ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH storage v3 11/13] allow .tar container templates Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH manager v3 12/13] ui: storage upload: accept *.tar files as vztmpl Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH docs v3 13/13] ct: add OCI image docs Filip Schauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bdalgwsjctbflfmncmi3ropcmm5sjsyr2zd7d6t62fospz3a34@dtnqwtlwmhlu \
    --to=w.bumiller@proxmox.com \
    --cc=f.schauer@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal