From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Filip Schauer <f.schauer@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH container v3 04/13] add support for OCI images as container templates
Date: Thu, 10 Jul 2025 12:31:53 +0200 [thread overview]
Message-ID: <bdalgwsjctbflfmncmi3ropcmm5sjsyr2zd7d6t62fospz3a34@dtnqwtlwmhlu> (raw)
In-Reply-To: <20250709123435.64796-5-f.schauer@proxmox.com>
On Wed, Jul 09, 2025 at 02:34:21PM +0200, Filip Schauer wrote:
> This aims to add basic support for the Open Container Initiative image
> format according to the specification. [0]
>
> [0] https://github.com/opencontainers/image-spec/blob/main/spec.md
>
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
> This patch depends on changes made to proxmox-perl-rs in patch 03/13.
> Meaning that proxmox-perl-rs needs to be bumped and a dependency & build
> dependency to libpve-rs-perl needs to be added to debian/control.
>
> Changed since v2:
> * rebase onto newest master (5a8b3f962f16) and re-format with
> proxmox-perltidy
> * check whether archive is an OCI image before trying to parse it as one
>
> Changed since v1:
> * fix entrypoint command missing Cmd
> * set lxc.signal.halt according to StopSignal (Fixes container shutdown)
>
> src/PVE/API2/LXC.pm | 96 ++++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 86 insertions(+), 10 deletions(-)
>
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index 28f7fdd..45c5cef 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -19,9 +19,11 @@ use PVE::Storage;
> use PVE::RESTHandler;
> use PVE::RPCEnvironment;
> use PVE::ReplicationConfig;
> +use PVE::RS::OCI;
> use PVE::LXC;
> use PVE::LXC::Create;
> use PVE::LXC::Migrate;
> +use PVE::LXC::Namespaces;
> use PVE::GuestHelpers;
> use PVE::VZDump::Plugin;
> use PVE::API2::LXC::Config;
> @@ -523,19 +525,93 @@ __PACKAGE__->register_method({
>
> eval {
> my $rootdir = PVE::LXC::mount_all($vmid, $storage_cfg, $conf, 1);
> + my $archivepath = PVE::Storage::abs_filesystem_path($storage_cfg, $archive);
^ This should probably not happen when $archive is '-'.
> $bwlimit = PVE::Storage::get_bandwidth_limit(
> 'restore', [keys %used_storages], $bwlimit,
> );
> - print "restoring '$archive' now..\n"
> - if $restore && $archive ne '-';
> - PVE::LXC::Create::restore_archive(
> - $storage_cfg,
> - $archive,
> - $rootdir,
> - $conf,
> - $ignore_unpack_errors,
> - $bwlimit,
> - );
> + my $is_oci = 0;
> +
> + if ($restore && $archive ne '-') {
> + print "restoring '$archive' now..\n";
> + } elsif ($archivepath =~ /\.tar$/) {
> + # Check whether archive is an OCI image
> + my $has_oci_layout = 0;
> + my $has_index_json = 0;
> + my $has_blobs = 0;
> + PVE::Tools::run_command(
> + ['tar', '-tf', $archivepath],
> + outfunc => sub {
> + my $line = shift;
> + $has_oci_layout = 1 if $line =~ /^oci-layout$/m;
> + $has_index_json = 1 if $line =~ /^index\.json$/m;
^ The above 2 comparisons can just use `eq` instead of regexes.
> + $has_blobs = 1 if $line =~ /^blobs\//m;
> + },
> + );
> +
> + $is_oci = 1 if $has_oci_layout && $has_index_json && $has_blobs;
> + }
> +
> + if ($is_oci) {
> + # Extract the OCI image
> + my ($id_map, undef, undef) = PVE::LXC::parse_id_maps($conf);
> + my $oci_config = PVE::LXC::Namespaces::run_in_userns(
> + sub {
> + PVE::RS::OCI::parse_and_extract_image(
> + $archivepath, $rootdir,
> + );
> + },
> + $id_map,
> + );
> +
> + # Set the entrypoint and arguments if specified by the OCI image
> + my @init_cmd = ();
> + push(@init_cmd, @{ $oci_config->{Entrypoint} })
> + if $oci_config->{Entrypoint};
> + push(@init_cmd, @{ $oci_config->{Cmd} }) if $oci_config->{Cmd};
> + if (@init_cmd) {
> + my $init_cmd_str = shift(@init_cmd);
> + if (@init_cmd) {
> + $init_cmd_str .= ' ';
> + $init_cmd_str .= join(
> + ' ',
> + map {
> + my $s = $_;
> + $s =~ s/"/\\"/g;
> + qq{"$_"}
> + } @init_cmd,
> + );
> + }
> + if ($init_cmd_str ne '/sbin/init') {
> + push @{ $conf->{lxc} }, ['lxc.init.cmd', $init_cmd_str];
> +
> + # An entrypoint other than /sbin/init breaks the tty console mode.
> + # This is fixed by setting cmode: console
> + $conf->{cmode} = 'console';
> + }
> + }
> +
> + push @{ $conf->{lxc} }, ['lxc.init.cwd', $oci_config->{WorkingDir}]
> + if ($oci_config->{WorkingDir});
> +
> + if (my $envs = $oci_config->{Env}) {
> + for my $env (@{$envs}) {
> + push @{ $conf->{lxc} }, ['lxc.environment', $env];
^ As mentioned in the lxcfs patch - we cannot do this.
We could copy a small statically linked executable which reads
environment and init.cmd from a file, uses `setenv(3)` for each variable
before running `execv(3) (place them in the container as /.pve.init and
/.pve.env for example)
> + }
> + }
> +
> + my $stop_signal = $oci_config->{StopSignal} // "SIGTERM";
> + push @{ $conf->{lxc} }, ['lxc.signal.halt', $stop_signal];
> + } else {
> + # Not an OCI image, so restore it as an LXC image instead
> + PVE::LXC::Create::restore_archive(
> + $storage_cfg,
> + $archive,
> + $rootdir,
> + $conf,
> + $ignore_unpack_errors,
> + $bwlimit,
> + );
> + }
>
> if ($restore) {
> print "merging backed-up and given configuration..\n";
> --
> 2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-07-10 10:31 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-09 12:34 [pve-devel] [PATCH container/docs/lxcfs/manager/proxmox{, -perl-rs}/storage v3 00/13] support " Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox v3 01/13] io: introduce RangeReader for bounded reads Filip Schauer
2025-07-10 6:04 ` Thomas Lamprecht
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox v3 02/13] add proxmox-oci crate Filip Schauer
2025-07-10 8:46 ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH proxmox-perl-rs v3 03/13] add Perl mapping for OCI container image parser/extractor Filip Schauer
2025-07-10 10:39 ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 04/13] add support for OCI images as container templates Filip Schauer
2025-07-10 10:31 ` Wolfgang Bumiller [this message]
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 05/13] config: add entrypoint parameter Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 06/13] configure static IP in LXC config for custom entrypoint Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 07/13] setup: debian: create /etc/network path if missing Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 08/13] setup: recursively mkdir /etc/systemd/{network, system-preset} Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH container v3 09/13] manage DHCP for containers with custom entrypoint Filip Schauer
2025-07-09 13:41 ` Filip Schauer
2025-07-10 10:34 ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH lxcfs v3 10/13] lxc.mount.hook: override env variables from container config Filip Schauer
2025-07-10 9:30 ` Wolfgang Bumiller
2025-07-09 12:34 ` [pve-devel] [PATCH storage v3 11/13] allow .tar container templates Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH manager v3 12/13] ui: storage upload: accept *.tar files as vztmpl Filip Schauer
2025-07-09 12:34 ` [pve-devel] [PATCH docs v3 13/13] ct: add OCI image docs Filip Schauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bdalgwsjctbflfmncmi3ropcmm5sjsyr2zd7d6t62fospz3a34@dtnqwtlwmhlu \
--to=w.bumiller@proxmox.com \
--cc=f.schauer@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox