Module ostree_ext::container

APIs bridging OSTree and container images

This module contains APIs to bidirectionally map between a single OSTree commit and a container image wrapping it. Because container images are just layers of tarballs, this builds on the crate::tar module.

To emphasize this, the current high level model is that this is a one-to-one mapping - an ostree commit can be exported (wrapped) into a container image, which will have exactly one layer. Upon import back into an ostree repository, all container metadata except for its digested checksum will be discarded.

Signatures

OSTree supports GPG and ed25519 signatures natively, and it’s expected by default that when booting from a fetched container image, one verifies ostree-level signatures. For ostree, a signing configuration is specified via an ostree remote. In order to pair this configuration together, this library defines a “URL-like” string schema:

ostree-remote-registry:<remotename>:<containerimage>

A concrete instantiation might be e.g.: ostree-remote-registry:fedora:quay.io/coreos/fedora-coreos:stable

To parse and generate these strings, see OstreeImageReference.

Layering

A key feature of container images is support for layering. At the moment, support for this is planned but not implemented.

Modules

• deploy
  Perform initial setup for a container image based system root
• store
  APIs for storing (layered) container images as OSTree commits

Structs

• Config
  Configuration for the generated container.
• ExportOpts
  Options controlling commit export into OCI
• ImageReference
  Combination of a remote image reference and transport.
• Import
  The result of an import operation
• ManifestDiff
  Represents the difference in layer/blob content between two OCI image manifests.
• OstreeImageReference
  Combination of a signature verification mechanism, and a standard container image reference.

Enums

• SignatureSource
  Policy for signature verification.
• Transport
  A backend/transport for OCI/Docker images.

Constants

• DIFFID_LABEL
  The label which indicates where the ostree layers stop, and the derived ones start.
• LABEL_VERSION
  A commonly used pre-OCI label for versions.
• LEGACY_VERSION_LABEL
  The label which may be used in addition to the standard OCI label.
• OSTREE_COMMIT_LABEL
  The label injected into a container image that contains the ostree commit SHA-256.

Functions

• encapsulate
  Given an OSTree repository and ref, generate a container image.
• fetch_manifest
  Download the manifest for a target image and its sha256 digest.
• fetch_manifest_and_config
  Download the manifest for a target image and its sha256 digest, as well as the image configuration.
• merge_default_container_proxy_opts
  Apply default configuration for container image pulls to an existing configuration. For example, if authfile is not set, and auth_anonymous is false, and a global configuration file exists, it will be used.
• merge_default_container_proxy_opts_with_isolation
  Apply default configuration for container image pulls, with optional support for isolation as an unprivileged user.
• unencapsulate
  Fetch a container image and import its embedded OSTree commit.
• update_detached_metadata
  Given an OSTree container image reference, update the detached metadata (e.g. GPG signature) while preserving all other container image metadata.
• version_for_config
  Retrieve the version number from an image configuration.