ManageIQ / manageiq

ManageIQ Open-Source Management Platform
https://manageiq.org
Apache License 2.0

Bundle container images with appliances #22979

Open agrare opened 2 months ago

agrare commented 2 months ago

In order to run podman-based workers or built-in floe containers on appliances, we have to be able to package docker images and deploy them on an appliance without requiring a podman pull at runtime.

One possibility is to package the images in an RPM that would podman load the image into a podman image registry.

It is simple to create alternate image registries by specifying an alternate graphRoot via --root when pulling or loading images.

Related:

agrare commented 2 months ago

It seems the image storage directory has to be owned by manageiq if we are going to run the containers as that user. I tried to have e.g. /var/lib/manageiq/containers/storage owned by root with runRoot and tmpDir pointing somewhere else, but podman always tries to create other files/directories in the main imagestore.

TODO: try additionalimagestores in /etc/containers/storage.conf; it doesn't seem to work for non-root containers?

agrare commented 2 months ago

For building the RPM, I tried using podman load in manageiq.spec.in, but that fails due to UID/GID errors:

+ podman load --root=/root/rpmbuild/BUILDROOT/manageiq-19.0.0-20240405144727.el9.x86_64/var/lib/manageiq/data/containers/storage --input manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest
time="2024-04-05T14:59:24Z" level=warning msg="Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user"
Getting image source signatures
Copying blob sha256:d858e3d4ed076bae0562df26c2c251d1140619a80531f5e6edf1b4b2af55cdb3
Copying blob sha256:4222f9694f4be6c22d86d8a24a6e26d49ed01d1c393bb053ea8003928635446a
Copying blob sha256:c0d7d10a1b4e234d1c9057f8f793cff397a738d3334d3d40b93519d9e81a25ee
Copying blob sha256:716476e198e5a004dab028219afa022f8d56cc497b4f92ee770c52b01d9b61e6
Copying blob sha256:048b0fef4f933bbe51ac1da3d7d93ed17f8bc3c46c05703f41a24f243da46a90
Copying blob sha256:39146e33ec19ce2b054da412b06ccc57e648f3078cdc01dfd1523b9cb22de066
Error: payload does not match any of the supported image formats:
 * oci: writing blob: adding layer with blob "sha256:d858e3d4ed076bae0562df26c2c251d1140619a80531f5e6edf1b4b2af55cdb3": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/shadow: invalid argument): exit status 1
 * oci-archive: creating temp directory: untarring file "/var/tmp/container_images_oci172047747": read /root/rpmbuild/BUILD/manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest: is a directory
 * docker-archive: detecting compression for file "manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest": detecting compression: read manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest: is a directory
 * dir: open manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest/manifest.json: no such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.LXgPB2 (%install)

And it doesn't seem possible to add subuid/subgid in the build container for podman to work properly.

++ whoami
+ echo root:100000:65536
++ whoami
+ echo root:100000:65536
+ podman system migrate
time="2024-04-05T15:30:43Z" level=error msg="running `/usr/bin/newuidmap 13160 0 0 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
error: Bad exit status from /var/tmp/rpm-tmp.vbVQ1m (%install)

We might need to package the .tar.gz files and podman load them at install time.
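The load failure in the log above (podman asking for owner 0:42 on /etc/shadow inside a "single mapping" user namespace) can be detected before podman is ever invoked, which is useful when deciding whether a build environment can load an image at all or whether the load has to be deferred to install time. The following is an added example and not ManageIQ's code: a Python pre-flight check that walks every layer tar inside a docker-archive, collects each entry's uid:gid, and compares that against what a rootless user namespace built from /etc/subuid and /etc/subgid can represent. It constructs its own tiny docker-archive inline (the image name example/runner:latest and the layer contents are made up for the example), and the function names check_archive, layer_owners, parse_subid, mapped_id_count and unmapped_owners are chosen here. The sub-id layout it assumes (container id 0 maps to the caller, sub-id ranges are laid out consecutively from container id 1) is podman's default rootless mapping, which is what the "0 0 1 1 100000 65536" newuidmap call in the log asks for.

```python
"""Pre-flight check for a docker-archive before a rootless `podman load`.

Added example, not ManageIQ code. In a single-mapping namespace (no sub-ids,
as in the build container above) only container id 0 exists, so a layer entry
owned by 0:42 such as /etc/shadow cannot be chowned and the load fails; with a
65536-wide sub-id range the same entry maps fine.
"""
import io
import json
import os
import tarfile
import tempfile


def layer_owners(archive_path):
    """Map (uid, gid) -> list of entry names, over all layers of a docker-archive."""
    owners = {}
    with tarfile.open(archive_path) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for layer_name in image["Layers"]:
                layer_bytes = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for entry in layer.getmembers():
                        owners.setdefault((entry.uid, entry.gid), []).append(entry.name)
    return owners


def parse_subid(text, user):
    """Parse /etc/subuid or /etc/subgid text into [(start, count)] ranges for `user`."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges


def mapped_id_count(sub_ranges):
    """Number of container-side ids the namespace can represent.

    Assumed podman default mapping: container id 0 is the caller's own id and
    the sub-id ranges follow consecutively from container id 1, so ids 0..N-1
    are usable where N = 1 + sum of range sizes (N = 1 is the single mapping).
    """
    return 1 + sum(count for _start, count in sub_ranges)


def unmapped_owners(owners, subuid_ranges, subgid_ranges):
    """Owners outside the namespace; each one would make lchown fail during load."""
    uid_limit = mapped_id_count(subuid_ranges)
    gid_limit = mapped_id_count(subgid_ranges)
    return {ids: names for ids, names in owners.items()
            if ids[0] >= uid_limit or ids[1] >= gid_limit}


def check_archive(archive_path, subuid_text, subgid_text, user):
    """Return the unmapped (uid, gid) owners `user` would hit loading `archive_path`."""
    return unmapped_owners(layer_owners(archive_path),
                           parse_subid(subuid_text, user),
                           parse_subid(subgid_text, user))


def build_sample_archive(path=None):
    """Constructed docker-archive: one layer whose /etc/shadow is owned by 0:42.

    Image name and file contents are made up for this example.
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample-image.tar")
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        for name, uid, gid, data in [
            ("etc/passwd", 0, 0, b"root:x:0:0::/root:/bin/sh\n"),
            ("etc/shadow", 0, 42, b"root:*:0:0:99999:7:::\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size, info.uid, info.gid, info.mode = len(data), uid, gid, 0o640
            layer.addfile(info, io.BytesIO(data))
    manifest = json.dumps([{"Config": "config.json",
                            "RepoTags": ["example/runner:latest"],
                            "Layers": ["layer.tar"]}]).encode()
    with tarfile.open(path, mode="w") as outer:
        for name, data in [("manifest.json", manifest),
                           ("config.json", b"{}"),
                           ("layer.tar", layer_buf.getvalue())]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            outer.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    archive = build_sample_archive()
    # The build container from the issue: root with no sub-ids at all.
    print("single mapping:", check_archive(archive, "", "", "root"))
    # The mapping newuidmap was asked for in the log: root:100000:65536.
    print("with sub-ids:  ", check_archive(archive, "root:100000:65536",
                                           "root:100000:65536", "root"))
```

Run against a real bundled image with the contents of /etc/subuid and /etc/subgid from the target host: a non-empty result means the load cannot succeed in that namespace (the %install step above is the single-mapping case, where every owner other than 0:0 comes back), and the tarball should instead be shipped in the RPM and loaded by a scriptlet on the appliance, where the manageiq user can be given a real sub-id range. Python rather than shell is used here only because the check needs to read the nested layer tars.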

Fryguy commented 2 months ago

@bdunne Please also take a look here.