occystrap 0.4.0__py3-none-any.whl → 0.4.1__py3-none-any.whl

occystrap/outputs/docker.py

@@ -0,0 +1,137 @@
+# Load images into the local Docker or Podman daemon via the Docker Engine API.
+# This communicates over a Unix domain socket (default: /var/run/docker.sock).
+#
+# Docker Engine API documentation:
+# https://docs.docker.com/engine/api/
+#
+# Podman compatibility:
+# Podman provides a Docker-compatible API via podman.socket. Use the socket
+# option to point to the Podman socket:
+# - Rootful: /run/podman/podman.sock
+# - Rootless: /run/user/<uid>/podman/podman.sock
+# See: https://docs.podman.io/en/latest/markdown/podman-system-service.1.html
+#
+# The API accepts images in the same format as 'docker load', which is the
+# v1.2 tarball format that outputs/tarfile.py creates.
+
+import io
+import json
+import logging
+import os
+import tarfile
+import tempfile
+
+import requests_unixsocket
+
+from occystrap import constants
+from occystrap.outputs.base import ImageOutput
+
+
+LOG = logging.getLogger(__name__)
+LOG.setLevel(logging.INFO)
+
+DEFAULT_SOCKET_PATH = '/var/run/docker.sock'
+
+
+class DockerWriter(ImageOutput):
+    """Loads images into the local Docker daemon.
+
+    This output writer builds a v1.2 format tarball and loads it into
+    the Docker daemon using the POST /images/load API endpoint. This is
+    equivalent to running 'docker load'.
+
+    Uses USTAR format for the outer tarball which contains only short paths
+    (SHA256 hashes and small filenames), avoiding PAX extended headers.
+    """
+
+    def __init__(self, image, tag, socket_path=DEFAULT_SOCKET_PATH):
+        """Initialize the Docker writer.
+
+        Args:
+            image: The image name.
+            tag: The image tag.
+            socket_path: Path to the Docker socket (default: /var/run/docker.sock).
+        """
+        self.image = image
+        self.tag = tag
+        self.socket_path = socket_path
+        self._session = None
+
+        self._temp_file = tempfile.NamedTemporaryFile(delete=False)
+        self._image_tar = tarfile.open(fileobj=self._temp_file, mode='w',
+                                       format=tarfile.USTAR_FORMAT)
+
+        self._tar_manifest = [{
+            'Layers': [],
+            'RepoTags': ['%s:%s' % (self.image.split('/')[-1], self.tag)]
+        }]
+
+    def _get_session(self):
+        if self._session is None:
+            self._session = requests_unixsocket.Session()
+        return self._session
+
+    def _socket_url(self, path):
+        encoded_socket = self.socket_path.replace('/', '%2F')
+        return 'http+unix://%s%s' % (encoded_socket, path)
+
+    def fetch_callback(self, digest):
+        """Always fetch all layers."""
+        return True
+
+    def process_image_element(self, element_type, name, data):
+        """Process an image element, adding it to the tarball."""
+        if element_type == constants.CONFIG_FILE:
+            LOG.info('Adding config file to tarball')
+
+            ti = tarfile.TarInfo(name)
+            ti.size = len(data.read())
+            data.seek(0)
+            self._image_tar.addfile(ti, data)
+            self._tar_manifest[0]['Config'] = name
+
+        elif element_type == constants.IMAGE_LAYER:
+            LOG.info('Adding layer to tarball')
+
+            name += '/layer.tar'
+            ti = tarfile.TarInfo(name)
+            data.seek(0, os.SEEK_END)
+            ti.size = data.tell()
+            data.seek(0)
+            self._image_tar.addfile(ti, data)
+            self._tar_manifest[0]['Layers'].append(name)
+
+    def finalize(self):
+        """Write manifest and load the image into Docker."""
+        LOG.info('Writing manifest to tarball')
+        encoded_manifest = json.dumps(self._tar_manifest).encode('utf-8')
+        ti = tarfile.TarInfo('manifest.json')
+        ti.size = len(encoded_manifest)
+        self._image_tar.addfile(ti, io.BytesIO(encoded_manifest))
+        self._image_tar.close()
+
+        temp_path = self._temp_file.name
+        self._temp_file.close()
+
+        try:
+            LOG.info('Loading image into Docker daemon at %s' % self.socket_path)
+            session = self._get_session()
+            url = self._socket_url('/images/load')
+
+            with open(temp_path, 'rb') as f:
+                r = session.post(
+                    url,
+                    data=f,
+                    headers={'Content-Type': 'application/x-tar'}
+                )
+
+            if r.status_code != 200:
+                raise Exception(
+                    'Docker API error %d: %s' % (r.status_code, r.text))
+
+            LOG.info('Image loaded successfully: %s:%s'
+                     % (self.image, self.tag))
+
+        finally:
+            if os.path.exists(temp_path):
+                os.unlink(temp_path)

occystrap/{output_mounts.py → outputs/mounts.py}

@@ -7,13 +7,14 @@ import tarfile
 from occystrap import common
 from occystrap import constants
 from occystrap import util
+from occystrap.outputs.base import ImageOutput
 
 
 LOG = logging.getLogger(__name__)
 LOG.setLevel(logging.INFO)
 
 
-class MountWriter(object):
+class MountWriter(ImageOutput):
     def __init__(self, image, tag, image_path):
         self.image = image
         self.tag = tag

occystrap/{output_ocibundle.py → outputs/ocibundle.py}

@@ -8,7 +8,7 @@ import shutil
 
 from occystrap.constants import RUNC_SPEC_TEMPLATE
 from occystrap import common
-from occystrap.output_directory import DirWriter
+from occystrap.outputs.directory import DirWriter
 
 
 LOG = logging.getLogger(__name__)

occystrap/outputs/registry.py

@@ -0,0 +1,240 @@
+# Push images to a Docker/OCI registry via the Docker Registry HTTP API V2.
+#
+# Docker Registry API documentation:
+# https://docs.docker.com/registry/spec/api/
+#
+# OCI Distribution Spec:
+# https://github.com/opencontainers/distribution-spec/blob/main/spec.md
+#
+# The push process:
+# 1. For each layer blob:
+#    a. Check if blob exists: HEAD /v2/<name>/blobs/<digest>
+#    b. If not, initiate upload: POST /v2/<name>/blobs/uploads/
+#    c. Upload blob: PUT <location>?digest=<digest>
+# 2. Upload config blob (same as layer)
+# 3. Push manifest: PUT /v2/<name>/manifests/<tag>
+
+import gzip
+import hashlib
+import io
+import json
+import logging
+import re
+
+import requests
+
+from occystrap import constants
+from occystrap.outputs.base import ImageOutput
+from occystrap import util
+
+
+LOG = logging.getLogger(__name__)
+LOG.setLevel(logging.INFO)
+
+
+class RegistryWriter(ImageOutput):
+    """Pushes images to a Docker/OCI registry.
+
+    This output writer uploads image layers and config to a registry
+    using the Docker Registry HTTP API V2, then pushes a manifest to
+    make the image available.
+    """
+
+    def __init__(self, registry, image, tag, secure=True,
+                 username=None, password=None):
+        """Initialize the registry writer.
+
+        Args:
+            registry: Registry hostname (e.g., 'docker.io', 'ghcr.io').
+            image: Image name/path (e.g., 'library/busybox', 'myuser/myimage').
+            tag: Image tag (e.g., 'latest', 'v1.0').
+            secure: If True, use HTTPS (default). If False, use HTTP.
+            username: Username for authentication (optional).
+            password: Password/token for authentication (optional).
+        """
+        self.registry = registry
+        self.image = image
+        self.tag = tag
+        self.secure = secure
+        self.username = username
+        self.password = password
+
+        self._cached_auth = None
+        self._moniker = 'https' if secure else 'http'
+
+        self._config_digest = None
+        self._config_size = None
+        self._layers = []
+
+    def _request(self, method, url, headers=None, data=None, stream=False):
+        """Make an authenticated request to the registry."""
+        if not headers:
+            headers = {}
+
+        headers['User-Agent'] = util.get_user_agent()
+
+        if self._cached_auth:
+            headers['Authorization'] = 'Bearer %s' % self._cached_auth
+
+        r = requests.request(method, url, headers=headers, data=data,
+                             stream=stream)
+
+        if r.status_code == 401:
+            auth_header = r.headers.get('Www-Authenticate', '')
+            auth_re = re.compile(r'Bearer realm="([^"]*)",service="([^"]*)"')
+            m = auth_re.match(auth_header)
+            if m:
+                scope = 'repository:%s:pull,push' % self.image
+                auth_url = '%s?service=%s&scope=%s' % (m.group(1), m.group(2),
+                                                       scope)
+                if self.username and self.password:
+                    auth_r = requests.get(auth_url,
+                                          auth=(self.username, self.password))
+                else:
+                    auth_r = requests.get(auth_url)
+
+                if auth_r.status_code == 200:
+                    token = auth_r.json().get('token')
+                    self._cached_auth = token
+                    headers['Authorization'] = 'Bearer %s' % token
+
+                    r = requests.request(method, url, headers=headers,
+                                         data=data, stream=stream)
+
+        return r
+
+    def _blob_exists(self, digest):
+        """Check if a blob already exists in the registry."""
+        url = '%s://%s/v2/%s/blobs/%s' % (self._moniker, self.registry,
+                                          self.image, digest)
+        r = self._request('HEAD', url)
+        return r.status_code == 200
+
+    def _upload_blob(self, digest, data, size):
+        """Upload a blob to the registry.
+
+        Args:
+            digest: The sha256 digest of the blob (e.g., 'sha256:abc123...').
+            data: File-like object containing the blob data.
+            size: Size of the blob in bytes.
+        """
+        if self._blob_exists(digest):
+            LOG.info('Blob %s already exists, skipping upload' % digest[:19])
+            return
+
+        LOG.info('Uploading blob %s (%d bytes)' % (digest[:19], size))
+
+        url = '%s://%s/v2/%s/blobs/uploads/' % (self._moniker, self.registry,
+                                                self.image)
+        r = self._request('POST', url)
+
+        if r.status_code not in (200, 202):
+            raise Exception('Failed to initiate blob upload: %d %s'
+                            % (r.status_code, r.text))
+
+        location = r.headers.get('Location')
+        if not location:
+            raise Exception('No Location header in upload response')
+
+        if not location.startswith('http'):
+            location = '%s://%s%s' % (self._moniker, self.registry, location)
+
+        if '?' in location:
+            upload_url = '%s&digest=%s' % (location, digest)
+        else:
+            upload_url = '%s?digest=%s' % (location, digest)
+
+        data.seek(0)
+        r = self._request('PUT', upload_url,
+                          headers={'Content-Type': 'application/octet-stream',
+                                   'Content-Length': str(size)},
+                          data=data)
+
+        if r.status_code not in (200, 201, 202):
+            raise Exception('Failed to upload blob: %d %s'
+                            % (r.status_code, r.text))
+
+        LOG.info('Blob uploaded successfully')
+
+    def fetch_callback(self, digest):
+        """Always fetch all layers for pushing."""
+        return True
+
+    def process_image_element(self, element_type, name, data):
+        """Process an image element, uploading it to the registry."""
+        if element_type == constants.CONFIG_FILE and data is not None:
+            LOG.info('Processing config file')
+
+            data.seek(0)
+            config_data = data.read()
+
+            h = hashlib.sha256()
+            h.update(config_data)
+            self._config_digest = 'sha256:%s' % h.hexdigest()
+            self._config_size = len(config_data)
+
+            self._upload_blob(self._config_digest, io.BytesIO(config_data),
+                              self._config_size)
+
+        elif element_type == constants.IMAGE_LAYER and data is not None:
+            LOG.info('Processing layer %s' % name)
+
+            data.seek(0)
+            layer_data = data.read()
+
+            compressed = io.BytesIO()
+            with gzip.GzipFile(fileobj=compressed, mode='wb') as gz:
+                gz.write(layer_data)
+            compressed.seek(0)
+            compressed_data = compressed.read()
+
+            h = hashlib.sha256()
+            h.update(compressed_data)
+            layer_digest = 'sha256:%s' % h.hexdigest()
+            layer_size = len(compressed_data)
+
+            self._upload_blob(layer_digest, io.BytesIO(compressed_data),
+                              layer_size)
+
+            self._layers.append({
+                'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip',
+                'size': layer_size,
+                'digest': layer_digest
+            })
+
+    def finalize(self):
+        """Push the image manifest to the registry."""
+        if not self._config_digest:
+            raise Exception('No config file was processed')
+
+        LOG.info('Pushing manifest for %s:%s' % (self.image, self.tag))
+
+        manifest = {
+            'schemaVersion': 2,
+            'mediaType': 'application/vnd.docker.distribution.manifest.v2+json',
+            'config': {
+                'mediaType': 'application/vnd.docker.container.image.v1+json',
+                'size': self._config_size,
+                'digest': self._config_digest
+            },
+            'layers': self._layers
+        }
+
+        manifest_json = json.dumps(manifest, separators=(',', ':'))
+
+        url = '%s://%s/v2/%s/manifests/%s' % (self._moniker, self.registry,
+                                              self.image, self.tag)
+        r = self._request(
+            'PUT', url,
+            headers={
+                'Content-Type':
+                    'application/vnd.docker.distribution.manifest.v2+json'
+            },
+            data=manifest_json.encode('utf-8'))
+
+        if r.status_code not in (200, 201, 202):
+            raise Exception('Failed to push manifest: %d %s'
+                            % (r.status_code, r.text))
+
+        LOG.info('Image pushed successfully: %s/%s:%s'
+                 % (self.registry, self.image, self.tag))

occystrap/{output_tarfile.py → outputs/tarfile.py}

@@ -5,18 +5,33 @@ import os
 import tarfile
 
 from occystrap import constants
+from occystrap.outputs.base import ImageOutput
 
 
 LOG = logging.getLogger(__name__)
 LOG.setLevel(logging.INFO)
 
 
-class TarWriter(object):
+# This code creates v1.2 format image tarballs.
+# v1.2 is documented at https://github.com/moby/docker-image-spec/blob/v1.2.0/v1.2.md
+# v2 is documented at https://github.com/opencontainers/image-spec/blob/main/
+
+class TarWriter(ImageOutput):
+    """Creates docker-loadable tarballs in v1.2 format.
+
+    To normalize timestamps for reproducible builds, use the
+    TimestampNormalizer filter before this output.
+
+    Uses USTAR format for the outer tarball which contains only short paths
+    (SHA256 hashes and small filenames), avoiding PAX extended headers.
+    """
+
     def __init__(self, image, tag, image_path):
         self.image = image
         self.tag = tag
         self.image_path = image_path
-        self.image_tar = tarfile.open(image_path, 'w')
+        self.image_tar = tarfile.open(image_path, 'w',
+                                      format=tarfile.USTAR_FORMAT)
 
         self.tar_manifest = [{
             'Layers': [],
@@ -53,3 +68,4 @@ class TarWriter(object):
         ti = tarfile.TarInfo('manifest.json')
         ti.size = len(encoded_manifest)
         self.image_tar.addfile(ti, io.BytesIO(encoded_manifest))
+        self.image_tar.close()