ociman 0.1.0

Unified API for OCI container runtimes (Docker, Podman)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

# ociman - OCI Manager

A Rust library providing a unified API for OCI container runtimes (Docker, Podman).

> **Status**: Pre-1.0 - exists to serve [mbj/mrs](https://github.com/mbj/mrs) monorepo, expect breaking changes without notice.

## Goals

- **Unified API**: Single interface for OCI-compliant container runtimes
- **Auto-detection**: Automatically detects available container runtime
- **Environment override**: Control backend selection via `OCIMAN_BACKEND` environment variable
- **Container lifecycle management**: Run, execute commands, inspect, and manage containers
- **Image building**: Build images from Dockerfiles or inline instructions
- **Content-based hashing**: Automatic tag generation based on SHA256 of build context/instructions for deterministic builds

## Executing Commands in Containers

Use `container.exec()` to run commands inside a running container:

```rust,ignore
// Simple command execution
container.exec("echo")
    .argument("hello")
    .status()?;

// Capture stdout
let output = container.exec("cat")
    .argument("/etc/os-release")
    .build()
    .capture_stdout()
    .string()?;

// With environment variables and stdin
let result = container.exec("psql")
    .argument("--dbname=mydb")
    .environment_variable(PG_PASSWORD, "secret")
    .stdin(b"SELECT 1;")
    .build()
    .capture_stdout()
    .bytes()?;
```

The `ExecCommand` builder focuses on container exec configuration. For stream capture,
use `.build()` to get a `cmd_proc::Command`, then use its stream methods.

## Content-Based Image Hashing

ociman supports automatic tag generation based on content hashing (SHA256). This ensures deterministic builds where the same content always produces the same image tag.

Benefits:
- **Deterministic**: Same content always produces the same tag
- **Automatic cache invalidation**: Content changes automatically produce a new tag
- **No manual tag management**: Hash is computed automatically
- **Reproducibility**: Easy to verify if an image matches its source

**Important**: Content-based hashing only captures the Dockerfile and build context, not the base images. Using unspecific tags like `FROM alpine:latest` reduces reproducibility since `latest` can point to different images over time. For fully reproducible builds, use specific base image digests:

```dockerfile
# Less reproducible - tag can change
FROM alpine:latest

# More reproducible - specific version tag
FROM alpine:3.19

# Most reproducible - pinned to specific digest
FROM alpine@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0
```