Add initial support to interact with a local podman installation

Signed-off-by: Tobias Wolf <[email protected]>

Author: NotTheEvilOne

poetry.lock

@@ -10,12 +10,13 @@ packages = [{ include = "gardenlinux", from = "src" }]
 [tool.poetry.dependencies]
 python = "^3.13"
 apt-repo = "^0.5"
-boto3 = "^1.40.30"
+boto3 = "^1.40.43"
 click = "^8.2.1"
-cryptography = "^46.0.1"
+cryptography = "^46.0.2"
 jsonschema = "^4.25.1"
 networkx = "^3.5"
 oras = "^0.2.38"
+podman = "^5.6.0"
 pygit2 = "^1.18.2"
 pygments = "^2.19.2"
 PyYAML = "^6.0.2"
@@ -24,13 +25,13 @@ gitpython = "^3.1.45"
 [tool.poetry.group.dev.dependencies]
 bandit = "^1.8.6"
 black = "^25.1.0"
+isort = "^7.0.0"
 moto = "^5.1.12"
+pyright = "^1.1.406"
 python-dotenv = "^1.1.1"
 pytest = "^8.4.1"
 pytest-cov = "^7.0.0"
-isort = "^7.0.0"
 requests-mock = "^1.12.1"
-pyright = "^1.1.403"
 
 [tool.poetry.group.docs.dependencies]
 sphinx-rtd-theme = "^3.0.2"

pyproject.toml

@@ -159,13 +159,15 @@
 
 S3_DOWNLOADS_DIR = Path(os.path.dirname(__file__)) / ".." / "s3_downloads"
 
+GL_DEB_REPO_BASE_URL = "https://packages.gardenlinux.io/gardenlinux"
 GLVD_BASE_URL = (
     "https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1"
 )
-GL_DEB_REPO_BASE_URL = "https://packages.gardenlinux.io/gardenlinux"
 
 GARDENLINUX_GITHUB_RELEASE_BUCKET_NAME = "gardenlinux-github-releases"
 
+PODMAN_CONNECTION_MAX_IDLE_SECONDS = 3
+
 # https://github.com/gardenlinux/gardenlinux/issues/3044
 # Empty string is the 'legacy' variant with traditional root fs and still needed/supported
 IMAGE_VARIANTS = ["", "_usi", "_tpm2_trustedboot"]

src/gardenlinux/constants.py

@@ -9,5 +9,6 @@
 from .index import Index
 from .layer import Layer
 from .manifest import Manifest
+from .podman import Podman
 
-__all__ = ["Container", "ImageManifest", "Index", "Layer", "Manifest"]
+__all__ = ["Container", "ImageManifest", "Index", "Layer", "Manifest", "Podman"]

src/gardenlinux/oci/__init__.py

@@ -4,12 +4,14 @@
 gl-oci main entrypoint
 """
 
+import json
 import os
 
 import click
 from pygments.lexer import default
 
 from .container import Container
+from .podman import Podman
 
 
 @click.group()
@@ -27,41 +29,132 @@ def cli():
 @click.option(
     "--container",
     required=True,
+    help="Container Name",
+)
+@click.option(
+    "--tag",
+    required=True,
+    help="OCI tag of image",
+)
+@click.option(
+    "--dir",
+    "directory",
+    required=True,
     type=click.Path(),
+    help="Path to the build Containerfile",
+)
+@click.option(
+    "--additional_tag",
+    required=False,
+    multiple=True,
+    help="Additional tag to push the manifest with",
+)
+@click.option(
+    "--build_arg",
+    required=False,
+    default=[],
+    multiple=True,
+    help="Additional build args for Containerfile",
+)
+@click.option(
+    "--oci_archive",
+    required=False,
+    help="Write build result to the OCI archive path and file name",
+)
+def build_container(container, tag, directory, additional_tag, build_arg, oci_archive):
+    """
+    Build an OCI container based on the defined `Containerfile`.
+
+    :since: 0.11.0
+    """
+
+    podman = Podman()
+
+    if oci_archive is None:
+        image_id = podman.build(
+            directory,
+            oci_tag=f"{container}:{tag}",
+            build_args=Podman.parse_build_args_list(build_arg),
+        )
+    else:
+        build_result_data = podman.build_and_save_oci_archive(
+            directory,
+            oci_archive,
+            oci_tag=f"{container}:{tag}",
+            build_args=Podman.parse_build_args_list(build_arg),
+        )
+
+        _, image_id = build_result_data.popitem()
+
+    if additional_tag is not None:
+        podman.tag_list(
+            image_id, Podman.get_container_tag_list(container, additional_tag)
+        )
+
+    print(image_id)
+
+
+@cli.command()
+@click.option(
+    "--container",
+    required=True,
     help="Container Name",
 )
 @click.option(
-    "--cname", required=True, type=click.Path(), help="Canonical Name of Image"
+    "--tag",
+    required=False,
+    help="OCI tag of image",
+)
+def push_container(container, tag):
+    """
+    Push to an OCI registry.
+
+    :since: 0.11.0
+    """
+
+    Podman().push(container, oci_tag=tag)
+
+
+@cli.command()
+@click.option(
+    "--container",
+    required=True,
+    help="Container Name",
 )
+@click.option("--cname", required=True, help="Canonical Name of Image")
 @click.option(
     "--arch",
     required=False,
-    type=click.Path(),
     default=None,
     help="Target Image CPU Architecture",
 )
 @click.option(
     "--version",
     required=False,
-    type=click.Path(),
     default=None,
     help="Version of image",
 )
 @click.option(
     "--commit",
     required=False,
-    type=click.Path(),
     default=None,
     help="Commit of image",
 )
-@click.option("--dir", "directory", required=True, help="path to the build artifacts")
+@click.option(
+    "--dir",
+    "directory",
+    required=True,
+    type=click.Path(),
+    help="path to the build artifacts",
+)
 @click.option(
     "--cosign_file",
     required=False,
     help="A file where the pushed manifests digests is written to. The content can be used by an external tool (e.g. cosign) to sign the manifests contents",
 )
 @click.option(
     "--manifest_file",
+    type=click.Path(),
     default="manifests/manifest.json",
     help="A file where the index entry for the pushed manifest is written to.",
 )
@@ -113,34 +206,29 @@ def push_manifest(
 @click.option(
     "--container",
     required=True,
-    type=click.Path(),
     help="Container Name",
 )
 @click.option(
     "--cname",
     required=False,
-    type=click.Path(),
     default=None,
     help="Canonical Name of Image",
 )
 @click.option(
     "--arch",
     required=False,
-    type=click.Path(),
     default=None,
     help="Target Image CPU Architecture",
 )
 @click.option(
     "--version",
     required=False,
-    type=click.Path(),
     default=None,
     help="Version of image",
 )
 @click.option(
     "--commit",
     required=False,
-    type=click.Path(),
     default=None,
     help="Commit of image",
 )
@@ -155,15 +243,7 @@ def push_manifest(
     multiple=True,
     help="Tag to push the manifest with",
 )
-def push_manifest_tags(
-    container,
-    cname,
-    arch,
-    version,
-    commit,
-    insecure,
-    tag,
-):
+def push_manifest_tags(container, cname, arch, version, commit, insecure, tag):
     """
     Push artifacts and the manifest from a directory to a registry.
 
@@ -182,20 +262,64 @@ def push_manifest_tags(
 @cli.command()
 @click.option(
     "--container",
-    "container",
+    required=True,
+    help="Container Name",
+)
+@click.option(
+    "--tag",
+    required=False,
+    help="OCI tag of image",
+)
+@click.option(
+    "--oci_archive",
+    required=False,
+    help="Write build result to the OCI archive path and file name",
+)
+def save_container(container, tag, oci_archive):
+    """
+    Push to an OCI registry.
+
+    :since: 0.11.0
+    """
+
+    Podman().save_oci_archive(container, oci_archive, oci_tag=tag)
+
+
+@cli.command()
+@click.option(
+    "--dir",
+    "directory",
     required=True,
     type=click.Path(),
+    help="path to the build artifacts",
+)
+def load_oci_archives_from_directory(directory):
+    """
+    Push to an OCI registry.
+
+    :since: 0.11.0
+    """
+
+    result = Podman().load_oci_archives_from_directory(directory)
+    print(json.dumps(result))
+
+
+@cli.command()
+@click.option(
+    "--container",
+    "container",
+    required=True,
     help="Container Name",
 )
 @click.option(
     "--version",
     "version",
     required=True,
-    type=click.Path(),
     help="Version of image",
 )
 @click.option(
     "--manifest_folder",
+    type=click.Path(),
     default="manifests",
     help="A folder where the index entries are read from.",
 )