From nobody Tue Mar  4 13:45:43 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Z6cQJ24Sqz5pqts;
	Tue, 04 Mar 2025 13:45:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Z6cQH6PD8z3trZ;
	Tue, 04 Mar 2025 13:45:43 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1741095943;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=WlbiLHKVFh0FvDl/zv8a5UUOrWEkaERBPlEufjbNY8o=;
	b=Ir0M7A6NNY2IbWIiLLAQe9vF8qXoHsiLfMlZqKe169yHhsNyXsxFydx3eb+kVPgLJvkUKv
	S69jnpskLjzHZHgqmwIw5RA0TMtCbROoN1Eht0Qs3R5ObaNnHVJ+cfj3cgOxwdRmyk8qVb
	wmgucEPc02h/pcINZlZOnEmVT9dDb6qGDegRkuiGjRZQmmGkvpFP+p1EH2G+NR1SdNH64f
	9vE6m+7pyeVYw5nvkUSsokVrcsiMgaSYPSA+GiIBJ5ixzWmoFKcWSA13db8ngozF4LAjVf
	IMzZmP1gbc/ohb5ahTvxI0efKbh+MZ+rJaUAUE27KMwF5jAR7Ar9zxBA1xcbrA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1741095943; a=rsa-sha256; cv=none;
	b=GCUaQEoo8LAoqRfmiPuW06vjOXW7bwICTIeLo1OqWtnCuNp3pSIYm7BDs9hj6SgXkbgNcw
	/j8Yh+VhZtcZaLoq4uVcTMcWRG08YDErqoQHEaHN8bLKaQm17BSfiMVilUpWB5AnWb6dNI
	C2Wx8P0G/R3yxQbxVr+9aKR2AkN4X3Vzv0fTjbE0IgTXxhdZFmNimgt4BNyD2iYCHkHs7A
	XoyJw1ZfXKGTjlqJE4GE7HHN91VjfXAAPTgfQ0GIM3UKRTLFAbnc5N2bg/yfVE8ZsvxGKW
	YxF5qBldid0tKUdaO7z9g6LScK3gnt5FxJnDZcITcYFYGdO9aPsDjfk8DelSEQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1741095943;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=WlbiLHKVFh0FvDl/zv8a5UUOrWEkaERBPlEufjbNY8o=;
	b=ZUKnThTNvQJUrzn7lrHBn5SR7+F9CfwgR//iXumaB+jcmgztgA5JtEsjhQS67Li5zRxNGx
	uPQX9aJyDHm64sZOAXhznjwOwWPJWSRRYRm9ASoTxtPencGhONC0oDXB0rQVIXpIz7gCVp
	mLVTa0f7tCbWNQDm4HyC5CvTXlj9+XfcjU5dsMl2eGCYd7UFOU/w1ly4oM3FT4XEPj7kR2
	bwqj4SfI50aajCnmtW1ws5qlseJXLe5nMRuIPw6Y41JQOq1DYqBMkd859Xk9Z4GzueZP+Q
	J5QjtGWhNAzb0U4Qcg4sMJ55wwKPJxiARCqhIdHjexkXRnBVu2FJYOJRhyFVcQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Z6cQH5QxKz5Mq;
	Tue, 04 Mar 2025 13:45:43 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 524Djhsu023757;
	Tue, 4 Mar 2025 13:45:43 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 524Djh60023754;
	Tue, 4 Mar 2025 13:45:43 GMT
	(envelope-from git)
Date: Tue, 4 Mar 2025 13:45:43 GMT
Message-Id: <202503041345.524Djh60023754@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Doug Rabson <dfr@FreeBSD.org>
Subject: git: f60149306ccf - stable/14 - release: build OCI images
  with shell scripts
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: dfr
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f60149306ccf784ddaa517132a8be47bb523984d
Auto-Submitted: auto-generated

The branch stable/14 has been updated by dfr:

URL: https://cgit.FreeBSD.org/src/commit/?id=f60149306ccf784ddaa517132a8be47bb523984d

commit f60149306ccf784ddaa517132a8be47bb523984d
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2024-12-12 16:42:00 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2025-03-04 09:46:03 +0000

    release: build OCI images with shell scripts
    
    This avoids the need for buildah and skopeo for building releases.
    
    Reviewed by:            cpersiva
    MFC after:              1 day
    Differential Revision:  https://reviews.freebsd.org/D48574
    
    (cherry picked from commit e8a5b9fd73f4f437a03c85e7644daa55652e224b)
---
 release/Makefile.oci                 |   6 +-
 release/release.sh                   |  38 -------------
 release/scripts/make-oci-image.sh    | 105 +++++++++++++++++++++++++++++++----
 release/tools/oci-image-dynamic.conf |   2 +-
 release/tools/oci-image-minimal.conf |   3 +-
 release/tools/oci-image-static.conf  |   3 +-
 6 files changed, 99 insertions(+), 58 deletions(-)

diff --git a/release/Makefile.oci b/release/Makefile.oci
index da35156c5a95..e4b5df580055 100644
--- a/release/Makefile.oci
+++ b/release/Makefile.oci
@@ -26,11 +26,7 @@ OCI_TARGETS+= container-image-${_IMG}.txz
 container-image-${_IMG}.txz: ${OCI_DEPS_${_IMG}}
 	# Adjust PATH so that we run pwd_mkdb from the bootstrap tools
 	env PATH=${OBJTOP}/tmp/legacy/bin:${PATH:Q} \
-	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG}
-	skopeo copy \
-		containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \
-		oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH}
-	${XZ_CMD} < ${.OBJDIR}/container-image-${_IMG}.tar > ${.OBJDIR}/container-image-${_IMG}.txz
+	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} container-image-${_IMG}.txz
 .endfor
 
 oci-release: ${OCI_TARGETS}
diff --git a/release/release.sh b/release/release.sh
index d6752e016994..5a6de297f7a1 100755
--- a/release/release.sh
+++ b/release/release.sh
@@ -292,44 +292,6 @@ extra_chroot_setup() {
 		fi
 	fi
 
-	if [ ! -z "${WITH_OCIIMAGES}" ]; then
-		# Install buildah and skopeo from ports if the ports tree is available;
-		# otherwise install the pkg.
-		if [ -d ${CHROOTDIR}/usr/ports ]; then
-			# Trick the ports 'run-autotools-fixup' target to do the right
-			# thing.
-			_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
-			REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
-			BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
-			UNAME_r=${REVISION}-${BRANCH}
-			GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS"
-			GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL"
-			GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN"
-			GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2"
-			PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
-			PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
-			PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
-			for _PORT in sysutils/buildah sysutils/skopeo; do
-				eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \
-				     /usr/ports/${_PORT} \
-				     FORCE_PKG_REGISTER=1 deinstall install clean distclean
-			done
-		else
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg install -y sysutils/buildah sysutils/skopeo
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg clean -y
-		fi
-		# Use the vfs storage driver so that this works whether or not
-		# the build directory is on ZFS. The images are small so the
-		# performance difference is negligible.
-		eval chroot ${CHROOTDIR} sed -I .bak -e '/^driver/s/zfs/vfs/' /usr/local/etc/containers/storage.conf
-		# Remove any stray images from previous builds
-		eval chroot ${CHROOTDIR} buildah rmi -af
-	fi
-
 	if [ ! -z "${EMBEDDEDPORTS}" ]; then
 		_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
 		REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
diff --git a/release/scripts/make-oci-image.sh b/release/scripts/make-oci-image.sh
index 6180ed9d53b4..0fd64602b403 100644
--- a/release/scripts/make-oci-image.sh
+++ b/release/scripts/make-oci-image.sh
@@ -7,21 +7,23 @@ rev=$1; shift
 branch=$1; shift
 arch=$1; shift
 image=$1; shift
+output=$1; shift
 
 major=${rev%.*}
 minor=${rev#*.}
 
 abi=FreeBSD:${major}:${arch}
+ver=${rev}-${branch}-${arch}
 
 echo "Building OCI freebsd${major}-${image} image for ${abi}"
 
 . ${curdir}/tools/oci-image-${image}.conf
 
-init_workdir() {
+init_repo() {
+	local workdir=$1; shift
 	local abi=$1; shift
-	local workdir=$(mktemp -d -t oci-images)
 
-	mkdir ${workdir}/repos
+	mkdir -p ${workdir}/repos
 	cat > ${workdir}/repos/base.conf <<EOF
 FreeBSD-base: {
   url: "file:///usr/obj/usr/src/repo/${abi}/latest"
@@ -30,13 +32,13 @@ FreeBSD-base: {
 }
 EOF
 	cp /etc/pkg/FreeBSD.conf ${workdir}/repos
-	echo ${workdir}
 }
 
+# Install packages using pkg(8) into a container with rootfs at $3
 install_packages() {
 	local abi=$1; shift
 	local workdir=$1; shift
-	local rootdir=$1; shift
+	local rootdir=${workdir}/rootfs
 	if [ ! -d ${rootdir}/usr/share/keys/pkg/trusted ]; then
 		mkdir -p ${rootdir}/usr/share/keys/pkg/trusted
 	fi
@@ -49,15 +51,94 @@ install_packages() {
 	rm -rf ${rootdir}/var/db/pkg/repos
 }
 
-workdir=$(init_workdir ${abi})
+set_cmd() {
+	local workdir=$1; shift
+	oci_cmd="$@"
+}
+
+# Convert FreeBSD architecture to OCI-style. See
+# https://github.com/containerd/platforms/blob/main/platforms.go for details
+normalize_arch() {
+	local arch=$1; shift
+	case ${arch} in
+		i386)
+		       arch=386
+		       ;;
+		aarch64)
+		       arch=arm64
+		       ;;
+		amd64) ;;
+		riscv64) ;;
+		*)
+			echo "Architecture ${arch} not supported for container images"
+			;;
+	esac
+	echo ${arch}
+}
+
+create_container() {
+	local workdir=$1; shift
+	local base_workdir=$1; shift
+	oci_cmd=
+	if [ -d ${workdir}/rootfs ]; then
+		chflags -R 0 ${workdir}/rootfs
+		rm -rf ${workdir}/rootfs
+	fi
+	mkdir -p ${workdir}/rootfs
+	if [ "${base_workdir}" != "" ]; then
+		tar -C ${workdir}/rootfs -xf ${base_workdir}/rootfs.tar.gz
+	fi
+}
+
+commit_container() {
+	local workdir=$1; shift
+	local image=$1; shift
+	local output=$1; shift
+
+	# Note: the diff_id (needed for image config) is the hash of the uncompressed tar
+	tar -C ${workdir}/rootfs --strip-components 1 -cf ${workdir}/rootfs.tar .
+	local diff_id=$(sha256 -q < ${workdir}/rootfs.tar)
+	gzip -f ${workdir}/rootfs.tar
+	local create_time=$(date -u +%Y-%m-%dT%TZ)
+	local root_hash=$(sha256 -q < ${workdir}/rootfs.tar.gz)
+	local root_size=$(stat -f %z ${workdir}/rootfs.tar.gz)
+
+	oci_arch=$(normalize_arch ${arch})
+
+	config=
+	if [ -n "${oci_cmd}" ]; then
+		config=",\"config\":{\"cmd\":[\"${oci_cmd}\"]}"
+	fi
+	echo "{\"created\":\"${create_time}\",\"architecture\":\"${oci_arch}\",\"os\":\"freebsd\"${config},\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:${diff_id}\"]},\"history\":[{\"created\":\"${create_time}\",\"created_by\":\"make-oci-image.sh\"}]}" > ${workdir}/config.json
+	local config_hash=$(sha256 -q < ${workdir}/config.json)
+	local config_size=$(stat -f %z ${workdir}/config.json)
+
+	echo "{\"schemaVersion\":2,\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"config\":{\"mediaType\":\"application/vnd.oci.image.config.v1+json\",\"digest\":\"sha256:${config_hash}\",\"size\":${config_size}},\"layers\":[{\"mediaType\":\"application/vnd.oci.image.layer.v1.tar+gzip\",\"digest\":\"sha256:${root_hash}\",\"size\":${root_size}}],\"annotations\":{}}" > ${workdir}/manifest.json
+	local manifest_hash=$(sha256 -q < ${workdir}/manifest.json)
+	local manifest_size=$(stat -f %z ${workdir}/manifest.json)
+
+	mkdir -p ${workdir}/oci/blobs/sha256
+	echo "{\"imageLayoutVersion\": \"1.0.0\"}" > ${workdir}/oci/oci-layout
+	echo "{\"schemaVersion\":2,\"manifests\":[{\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"digest\":\"sha256:${manifest_hash}\",\"size\":${manifest_size},\"annotations\":{\"org.opencontainers.image.ref.name\":\"freebsd-${image}:${ver}\"}}]}" > ${workdir}/oci/index.json
+	ln ${workdir}/rootfs.tar.gz ${workdir}/oci/blobs/sha256/${root_hash}
+	ln ${workdir}/config.json ${workdir}/oci/blobs/sha256/${config_hash}
+	ln ${workdir}/manifest.json ${workdir}/oci/blobs/sha256/${manifest_hash}
+
+	tar -C ${workdir}/oci --xz --strip-components 1 --no-read-sparse -a -cf ${output} .
+}
+
+# Prefix with "container-image-" so that we can create a unique work area under
+# ${.OBJDIR}. We can assume that make has set our working directory to
+# ${.OBJDIR}.
+workdir=${PWD}/container-image-${image}
+init_repo ${workdir} ${abi}
+
 if [ -n "${OCI_BASE_IMAGE}" ]; then
-	base_image=freebsd${major}-${OCI_BASE_IMAGE}
+	base_workdir=${PWD}/container-image-${OCI_BASE_IMAGE}
 else
-	base_image=scratch
+	base_workdir=
 fi
 
-c=$(buildah from --arch ${arch} ${base_image})
-m=$(buildah mount $c)
+create_container ${workdir} ${base_workdir}
 oci_image_build
-buildah unmount $c
-buildah commit --rm $c freebsd${major}-${image}:latest
+commit_container ${workdir} ${image} ${output}
diff --git a/release/tools/oci-image-dynamic.conf b/release/tools/oci-image-dynamic.conf
index b146ff2cf7c3..61cb90187764 100644
--- a/release/tools/oci-image-dynamic.conf
+++ b/release/tools/oci-image-dynamic.conf
@@ -7,5 +7,5 @@
 OCI_BASE_IMAGE=static
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m FreeBSD-clibs FreeBSD-openssl-lib
+	install_packages ${abi} ${workdir} FreeBSD-clibs FreeBSD-openssl-lib
 }
diff --git a/release/tools/oci-image-minimal.conf b/release/tools/oci-image-minimal.conf
index 82e2ce6a1bd3..93aad1e39250 100644
--- a/release/tools/oci-image-minimal.conf
+++ b/release/tools/oci-image-minimal.conf
@@ -8,7 +8,8 @@
 OCI_BASE_IMAGE=dynamic
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m \
+	set_cmd ${workdir} /bin/sh
+	install_packages ${abi} ${workdir} \
 			 FreeBSD-runtime \
 			 FreeBSD-certctl \
 			 FreeBSD-kerberos-lib \
diff --git a/release/tools/oci-image-static.conf b/release/tools/oci-image-static.conf
index 552328e66f3c..753a03af653b 100644
--- a/release/tools/oci-image-static.conf
+++ b/release/tools/oci-image-static.conf
@@ -8,12 +8,13 @@ OCI_BASE_IMAGE=
 
 oci_image_build() {
 	local srcdir=${curdir}/..
+	local m=${workdir}/rootfs
 	mtree -deU -p $m/ -f ${srcdir}/etc/mtree/BSD.root.dist > /dev/null
 	mtree -deU -p $m/var -f ${srcdir}/etc/mtree/BSD.var.dist > /dev/null
 	mtree -deU -p $m/usr -f ${srcdir}/etc/mtree/BSD.usr.dist > /dev/null
 	mtree -deU -p $m/usr/include -f ${srcdir}/etc/mtree/BSD.include.dist > /dev/null
 	mtree -deU -p $m/usr/lib -f ${srcdir}/etc/mtree/BSD.debug.dist > /dev/null
-	install_packages ${abi} ${workdir} $m FreeBSD-caroot FreeBSD-zoneinfo
+	install_packages ${abi} ${workdir} FreeBSD-caroot FreeBSD-zoneinfo
 	cp ${srcdir}/etc/master.passwd $m/etc
 	pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
 	cp ${srcdir}/etc/group $m/etc || return $?