Merge pull request #431 from ajayvic/libvirt-imagepull-support

KATA-2987: Enable OCI image pull support for libvirt provider

Author: bpradipt

config/peerpods/podvm/Dockerfile.podvm-oci

@@ -0,0 +1,6 @@
+FROM scratch
+
+ARG PODVM_IMAGE_SRC
+ENV PODVM_IMAGE_PATH="/image/podvm.qcow2"
+
+COPY $PODVM_IMAGE_SRC $PODVM_IMAGE_PATH

config/peerpods/podvm/README.md

@@ -34,3 +34,35 @@ Now when you create a KataConfig with `enablePeerPods: true` with empty
 `AZURE_IMAGE_ID` or `AWS_AMI_ID` in `peer-pods-cm`, then depending on the cloud
 provider configured, the operator will create the pod VM image based on the
 provided config.
+
+## PodVM Image Upload Configuration
+
+The PodVM image can be embedded into a container image. This container image can then be unwrapped and uploaded to the libvirt volume specified in the `peer-pods-secret`. Please note that this feature is currently supported only for the libvirt provider.
+
+To create an OCI image with the PodVM image, you can use the `Dockerfile.podvm-oci` as follows:
+
+```bash
+docker build -t podvm-libvirt \
+    --build-arg PODVM_IMAGE_SRC=<podvm_image_source> \
+    -f Dockerfile.podvm-oci .
+```
+
+In this context, `PODVM_IMAGE_SRC` refers to the location of the `qcow2` image on the host. Optionally, you can also set `PODVM_IMAGE_PATH`, which is the path of the qcow2 image inside the container. This path will be used as `<image_path>` in the `PODVM_IMAGE_URI` as described below.
+
+`oci` is the only supported `image_repo_type` at present.
+
+Ensure that `PODVM_IMAGE_URI` is configured in the `libvirt-podvm-image-cm` in the following format:
+
+```bash
+PODVM_IMAGE_URI: "<image_repo_type>::<image_repo_url>:<image_tag>::<image_path>"
+```
+
+For example:
+
+```bash
+PODVM_IMAGE_URI: "oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm-390x.qcow2"
+```
+
+In this example, `<image_tag>` and `<image_path>` are optional. If not provided, the default values will be `<image_tag>`: `latest` and `<image_path>`: `/image/podvm.qcow2`.
+
+**Note:** When pulling container images from authenticated registries, make sure that the OpenShift `pull-secrets` are updated with the necessary registry credentials.

config/peerpods/podvm/lib.sh

@@ -240,11 +240,11 @@ function prepare_source_code() {
 
 }
 
-# Download and extract pause container image
+# Download and extract the pause container image
 # Accepts three arguments:
 # 1. pause_image_repo_url: The registry URL of the OCP pause image.
 # 2. pause_image_tag: The tag of the OCP pause image.
-# 2. auth_json_file (optional): Path to the registry secret file to use for downloading the image
+# 3. auth_json_file (optional): Path to the registry secret file to use for downloading the image
 function download_and_extract_pause_image() {
 
     # Set default values for the OCP pause image
@@ -266,20 +266,43 @@ function download_and_extract_pause_image() {
     mkdir -p "${pause_bundle}" ||
         error_exit "Failed to create the pause_bundle directory"
 
+    extract_container_image "${pause_image_repo_url}" "${pause_image_tag}" "${pause_src}" "${pause_bundle}" "${auth_json_file}"
+}
+
+# Function to download and extract a container image.
+# Accepts six arguments:
+# 1. container_image_repo_url: The registry URL of the source container image.
+# 2. image_tag: The tag of the source container image.
+# 3. dest_image: The destination image name. 
+# 4. destination_path: The destination path where the image is to be extracted.
+# 5. auth_json_file (optional): Path to the registry secret file to use for downloading the image.
+function extract_container_image() {
+
+    # Set the values required for the container image extraction.
+    container_image_repo_url="${1}"
+    image_tag="${2}"
+    dest_image="${3}"
+    destination_path="${4}"
+    auth_json_file="${5}"
+
+    # If arguments are not provided, exit the script with an error message
+    [[ $# -lt 4 ]] &&
+        error_exit "Usage: extract_container_image <container_image_repo_url> <image_tag> <dest_image> <destination_path> [registry_secret]"
+
     # Form the skopeo CLI. Add authfile if provided
-    if [[ -n "${3}" ]]; then
+    if [[ -n "${5}" ]]; then
         SKOPEO_CLI="skopeo copy --authfile ${auth_json_file}"
     else
         SKOPEO_CLI="skopeo copy"
     fi
 
-    # Download the pause image
-    $SKOPEO_CLI "docker://${pause_image_repo_url}:${pause_image_tag}" "oci:${pause_src}:${pause_image_tag}" ||
-        error_exit "Failed to download the pause image"
+    # Download the container image
+    $SKOPEO_CLI "docker://${container_image_repo_url}:${image_tag}" "oci:${dest_image}:${image_tag}" ||
+        error_exit "Failed to download the container image"
 
-    # Extract the pause image using umoci into pause_bundle directory
-    umoci unpack --rootless --image "${pause_src}:${pause_image_tag}" "${pause_bundle}" ||
-        error_exit "Failed to extract the pause image"
+    # Extract the container image using umoci into provided directory
+    umoci unpack --rootless --image "${dest_image}:${image_tag}" "${destination_path}" ||
+        error_exit "Failed to extract the container image"
 
 }
 
@@ -313,6 +336,40 @@ EOF
 
 }
 
+# Function to split image type, url and path from PODVM_IMAGE_URI for pre-built image scenario.
+function get_image_type_url_and_path() {
+
+    # Use pattern matching to split on '::' and then on ':', and capture output
+    if [[ $PODVM_IMAGE_URI =~ ^([^:]+)::([^:]+)(:([^:]+))?(::(.+))?$ ]]; then
+        PODVM_IMAGE_TYPE="${BASH_REMATCH[1]}"
+        PODVM_IMAGE_URL="${BASH_REMATCH[2]}"
+        PODVM_IMAGE_TAG="${BASH_REMATCH[4]}" # This will be empty if not present
+        PODVM_IMAGE_SRC_PATH="${BASH_REMATCH[6]}" # This will be empty if not present
+    fi
+
+    if [[ -z "${PODVM_IMAGE_TAG}" ]]; then
+        PODVM_IMAGE_TAG="latest"
+    fi
+
+    if [[ -z "${PODVM_IMAGE_SRC_PATH}" ]]; then
+        PODVM_IMAGE_SRC_PATH="/image/podvm.qcow2"
+    fi
+
+    export PODVM_IMAGE_TYPE PODVM_IMAGE_URL PODVM_IMAGE_TAG PODVM_IMAGE_SRC_PATH
+}
+
+# Function to validate the podvm image type.
+function validate_podvm_image() {
+    PODVM_IMAGE_PATH="${1}"
+
+    # Currently only qcow2 based PodVM images are supported for image upload.
+    if [[ "$(file -b $PODVM_IMAGE_PATH)" != *QCOW2* ]]; then
+        error_exit "PodVM image is not a valid qcow2, exiting."
+    fi
+
+    echo "Checksum of the PodVM image: $(sha256sum $PODVM_IMAGE_PATH)"
+}
+
 # Global variables
 
 # Set global variable for the source code directory

config/peerpods/podvm/libvirt-podvm-image-cm.yaml

@@ -25,4 +25,6 @@ data:
 
   # To Enable SE for IBM Z
   SE_BOOT: "true"
-  
+
+  # For Pre-built PodVM images.
+  PODVM_IMAGE_URI: "" # eg: oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm.qcow2

config/peerpods/podvm/libvirt-podvm-image-handler.sh

@@ -21,23 +21,72 @@ function verify_vars() {
 
     [[ -z "${ORG_ID}" ]] && error_exit "ORG_ID is not set"
     [[ -z "${ACTIVATION_KEY}" ]] && error_exit "ACTIVATION_KEY is not set"
-    [[ -z "${BASE_OS_VERSION}" ]] && error_exit "BASE_OS_VERSION is not set"
 
-    [[ -z "${PODVM_DISTRO}" ]] && error_exit "PODVM_DISTRO is not set"
+    if [[ "${IMAGE_TYPE}" == "operator-built" ]]; then
+        [[ -z "${BASE_OS_VERSION}" ]] && error_exit "BASE_OS_VERSION is not set"
 
-    [[ -z "${CAA_SRC}" ]] && error_exit "CAA_SRC is empty"
-    [[ -z "${CAA_REF}" ]] && error_exit "CAA_REF is empty"
+        [[ -z "${PODVM_DISTRO}" ]] && error_exit "PODVM_DISTRO is not set"
 
-    [[ -z "${REDHAT_OFFLINE_TOKEN}" ]] && error_exit "Redhat token is not set"
+        [[ -z "${CAA_SRC}" ]] && error_exit "CAA_SRC is empty"
+        [[ -z "${CAA_REF}" ]] && error_exit "CAA_REF is empty"
 
-    # Ensure booleans are set
-    [[ -z "${DOWNLOAD_SOURCES}" ]] && error_exit "DOWNLOAD_SOURCES is empty"
+        [[ -z "${REDHAT_OFFLINE_TOKEN}" ]] && error_exit "Redhat token is not set"
+
+        # Ensure booleans are set
+        [[ -z "${DOWNLOAD_SOURCES}" ]] && error_exit "DOWNLOAD_SOURCES is empty"
+    fi
 }
 
+# Function to create the libvirt image based on the type.
+function create_libvirt_image() {
+    # Based on the value of `IMAGE_TYPE` the image is either build from scratch or using the prebuilt artifact.
+    if [[ "${IMAGE_TYPE}" == "operator-built" ]]; then
+        create_libvirt_image_from_scratch
+    elif [[ "${IMAGE_TYPE}" == "pre-built" ]]; then
+        create_libvirt_image_from_prebuilt_artifact
+    fi
 
+}
 
-function create_libvirt_image() {
-    echo "Creating libvirt qcow2 image"
+# Function to create the libvirt image from a prebuilt artifact.
+function create_libvirt_image_from_prebuilt_artifact() {
+    echo "Pulling the podvm image from the provided path"
+    IMAGE_SRC="/tmp/image"
+    EXTRACTION_DESTINATION_PATH="/image"
+    IMAGE_REPO_AUTH_FILE="/tmp/regauth/auth.json"
+
+    get_image_type_url_and_path
+
+    case "${PODVM_IMAGE_TYPE}" in
+    oci)
+        echo "Extracting the Libvirt qcow2 image from the given path."
+
+        mkdir -p "${EXTRACTION_DESTINATION_PATH}" ||
+            error_exit "Failed to create the image directory"
+        
+        extract_container_image "${PODVM_IMAGE_URL}" "${PODVM_IMAGE_TAG}" "${IMAGE_SRC}" "${EXTRACTION_DESTINATION_PATH}" "${IMAGE_REPO_AUTH_FILE}"
+
+        # Form the path of the podvm qcow2 image.
+        PODVM_IMAGE_PATH="${EXTRACTION_DESTINATION_PATH}/rootfs${PODVM_IMAGE_SRC_PATH}"
+
+        # Check whether the podvm image is a valid qcow2 or not.
+        validate_podvm_image "${PODVM_IMAGE_PATH}"
+
+        # Upload the created qcow2 to the volume
+        upload_libvirt_image "${PODVM_IMAGE_PATH}"
+
+        # Add the libvirt_volume_name to peer-pods-cm configmap
+        add_libvirt_vol_to_peer_pods_cm
+        ;;
+    *)
+        error_exit "Currently only OCI image unpacking is supported, exiting."
+        ;;
+    esac
+}
+
+# Function to create the libvirt image from scratch.
+function create_libvirt_image_from_scratch() {
+    echo "Creating qcow2 image for libvirt provider from scratch"
 
     # If any error occurs, exit the script with an error message
 
@@ -59,11 +108,11 @@ function create_libvirt_image() {
 	    error_exit "Failed to change directory to "${CAA_SRC_DIR}"/podvm"
     LIBC=gnu make BINARIES= PAUSE_BUNDLE= image
 
-    export PODVM_IMAGE_PATH=/payload/podvm-libvirt.qcow2
+    PODVM_IMAGE_PATH=/payload/podvm-libvirt.qcow2
     cp -pr "${CAA_SRC_DIR}"/podvm/output/*.qcow2 "${PODVM_IMAGE_PATH}"
 
     # Upload the created qcow2 to the volume
-    upload_libvirt_image
+    upload_libvirt_image "${PODVM_IMAGE_PATH}"
 
     # Add the libvirt_volume_name to peer-pods-cm configmap
     add_libvirt_vol_to_peer_pods_cm
@@ -112,6 +161,8 @@ function download_rhel_kvm_guest_qcow2() {
 # Function to upload the qcow2 image to volume
 
 function upload_libvirt_image() {
+    PODVM_IMAGE_PATH="${1}"
+
     echo "LIBVIRT_VOL_NAME: "${LIBVIRT_VOL_NAME}"" && echo "LIBVIRT_POOL: "${LIBVIRT_POOL}"" && \
 	    echo "LIBVIRT_URI: "${LIBVIRT_URI}"" && echo "PODVM_IMAGE_PATH: "${PODVM_IMAGE_PATH}"" 
     echo "Starting to upload the image."
@@ -199,14 +250,18 @@ function install_packages(){
 
     install_binary_packages
 
-    #Install other libvirt specific binaries packages
+    # Install packages required for libvirt in addition to the binary packages.
     ARCH=$(uname -m)
     export ARCH
     if [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]]; then
-        subscription-manager register --org="${ORG_ID}" --activationkey="${ACTIVATION_KEY}"
+        subscription-manager register --org="${ORG_ID}" --activationkey="${ACTIVATION_KEY}" ||
+            error_exit "Failed to subscribe"
     fi
-    subscription-manager repos --enable codeready-builder-for-rhel-9-"${ARCH}"-rpms
-    dnf install -y gcc genisoimage qemu-kvm libvirt-client
+    
+    subscription-manager repos --enable codeready-builder-for-rhel-9-"${ARCH}"-rpms ||
+        error_exit "Failed to enable codeready-builder"
+
+    dnf install -y libvirt-client gcc file
 
     GO_VERSION="1.21.9"
     curl https://dl.google.com/go/go"${GO_VERSION}".linux-"${ARCH/x86_64/amd64}".tar.gz -o go"${GO_VERSION}".linux-"${ARCH/x86_64/amd64}".tar.gz && \
@@ -216,28 +271,35 @@ function install_packages(){
     export GOPATH="/src"
 
     if [ "${ARCH}" == "s390x" ]; then
-        # Build packer from source for s390x as there are no prebuilt binaries for the required packer version
-        PACKER_VERSION="v1.9.4"
-        git clone --depth 1 --single-branch https://github.com/hashicorp/packer.git -b "${PACKER_VERSION}"
-        cd packer
-        sed -i -- "s/ALL_XC_ARCH=.*/ALL_XC_ARCH=\"${ARCH}\"/g" scripts/build.sh
-	    sed -i -- "s/ALL_XC_OS=.*/ALL_XC_OS=\"Linux\"/g" scripts/build.sh
-        make bin && cp bin/packer /usr/local/bin/
-
         # Build umoci from source for s390x as there are no prebuilt binaries
         mkdir -p umoci
         git clone https://github.com/opencontainers/umoci.git
         cd umoci
         make
         cp -pr umoci /usr/local/bin/
     fi
+    
+    if [[ "${IMAGE_TYPE}" == "operator-built" ]]; then
+        dnf install -y genisoimage qemu-kvm
+
+        if [ "${ARCH}" == "s390x" ]; then
+            # Build packer from source for s390x as there are no prebuilt binaries for the required packer version
+            PACKER_VERSION="v1.9.4"
+            git clone --depth 1 --single-branch https://github.com/hashicorp/packer.git -b "${PACKER_VERSION}"
+            cd packer
+            sed -i -- "s/ALL_XC_ARCH=.*/ALL_XC_ARCH=\"${ARCH}\"/g" scripts/build.sh
+            sed -i -- "s/ALL_XC_OS=.*/ALL_XC_OS=\"Linux\"/g" scripts/build.sh
+            make bin && cp bin/packer /usr/local/bin/
+        fi
 
-    # set a correspond qemu-system-* named link to qemu-kvm
-    ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-system-"${ARCH}"
+        # set a correspond qemu-system-* named link to qemu-kvm
+        ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-system-"${ARCH}"
 
-    # Build cloud-utils package from source as prebuilt binary is not available
-    git clone https://github.com/canonical/cloud-utils
-    cd cloud-utils && make install
+        # Build cloud-utils package from source as prebuilt binary is not available
+        git clone https://github.com/canonical/cloud-utils
+        cd cloud-utils && make install
+    fi
+    
 
 }
 

config/peerpods/podvm/podvm-builder.sh

@@ -33,6 +33,23 @@ function check_peer_pods_cm_exists() {
   fi
 }
 
+# Function to check if the image should be built or use the pre-built artifact.
+function set_podvm_image_type() {
+    echo "Checking if PODVM_IMAGE_URI is set"
+
+    # If the value of the PODVM_IMAGE_URI is empty or not set, then build the image from scratch else use the prebuilt artifact.
+    if [[ -z "${PODVM_IMAGE_URI}" ]]; then
+      IMAGE_TYPE="operator-built"
+      echo "Initiating the operator to build the podvm image"
+    else
+      IMAGE_TYPE="pre-built"
+      echo "Initiating the operator to use the pre-built podvm image"
+    fi
+
+    export IMAGE_TYPE
+
+}
+
 # Function to create podvm image
 function create_podvm_image() {
   case "${CLOUD_PROVIDER}" in
@@ -278,6 +295,9 @@ function display_usage() {
   echo "Usage: $0 {create|delete [-f] [-g]|delete-gallery [-f]}"
 }
 
+# Set the PodVM image type based on the `PODVM_IMAGE_URI`
+set_podvm_image_type
+
 # Check if CLOUD_PROVIDER is set to azure or aws or libvirt
 # Install the required dependencies
 case "${CLOUD_PROVIDER}" in

config/peerpods/podvm/podvm-handling.md

@@ -133,3 +133,9 @@ delete the image gallery defined in the `IMAGE_GALLERY_NAME` key in
   configMap is updated with empty value (""). Also the annotations
   LATEST_AMI_ID (for AWS) or LATEST_IMAGE_ID and `IMAGE_GALLERY_NAME` (for
   Azure) are removed from the `peer-pods-cm` configMap
+
+## PodVM Image Upload flow via OSC operator
+
+* The code verifies all the required config parameters
+* Based on the `PODVM_IMAGE_URI` presence on the cloud provider specific configMap (eg: `libvirt-podvm-image-cm`), `IMAGE_TYPE` is set to either `operator-built` or `pre-built`.
+* Based on the `IMAGE_TYPE` it will invoke the create image from scratch for `operator-built` and pull an existing image if it's `pre-built`.