Skip to content

Adding container-storage as a provider for daemonless Podman and Buildah Support#635

Open
Bru456 wants to merge 4 commits into
anchore:mainfrom
Bru456:issue197/container-storage
Open

Adding container-storage as a provider for daemonless Podman and Buildah Support#635
Bru456 wants to merge 4 commits into
anchore:mainfrom
Bru456:issue197/container-storage

Conversation

@Bru456

@Bru456 Bru456 commented Jun 29, 2026

Copy link
Copy Markdown

Adding Podman daemonless and buildah support to stereoscope for issue #197 and Syft issue 2107: Add support for containers-storage backend for container images

This feature adds:

  • New provider containerstorage:
    • Takes the current user scope (root or user) to determine the container store and copies to a temporary docker archive via containers/image and delegates to the existing docker archive provider.
    • Ensures the tags, os, architecture, and variant is populated.
    • Graceful continuation on miss/unavailable store to allow auto detection to move to the next provider.
  • New source containers-storage to allow for either auto detection or explicit usage via --from containers-storage
  • Provider registration: inserted before OCI registry provider so flow is daemon -> containers-storage -> remote registry. Allowing locally built images to resolve before a remote pull.

Build

I have added a build tag to allow the inclusion of the new provider. It is excluded by default via a stub saying it hasn't been compiled in. tag: containers_image_openpgp.

Dependency management

Pulled in containers/image/v5 + containers/storage. Linux builds also use exclude_graphdriver_btrfs / exclude_graphdriver_devicemapper.
Pinned filepath-securejoin and selinux via go.mod replaces to resolve a conflict between containers/storage and containerd/hcsshim requirements.

Tests

New unit tests are in and passing.
Tested compiling for both Linux and non Linux builds and bundling this with a local copy of the latest Syft. Docker, Podman (daemon and daemonless) and buildah all working and creating consistent SBOMs. Compared with Syft v1.46.0
previous-syft-json-sboms.zip
and new version with stereoscope
new-syft-json-sboms.zip

Issues encountered and fixes

  • securejoin / selinux version conflict (Linux): containers/storage v1.59.1 calls root-level securejoin.OpenInRoot/Reopen, which only exist in filepath-securejoin v0.4.x. containerd v2 / hcsshim pull v0.6.0 (where those moved into pathrs-lite), and selinux v1.13.1 transitively drags in the newer requirement.
    • Fix: pin both back via replace (securejoin v0.4.1, selinux v1.12.0), which keeps both ecosystems building together.
  • Empty source.metadata (tags / os / architecture): the docker-archive copy is tagless, and the archive provider never sets os/arch.
    • Fix: gather tags from the store image's names and os/arch/variant from image inspect, and pass them through as additional metadata.
  • Downstream replace propagation: because Go doesn't inherit replace directives, the Syft consumer build initially failed on Linux.
    • Fix: documented the required pins and mirrored them in the consumer build.

bc209 added 4 commits June 29, 2026 13:51
…rage such as on podman and buildah. This is to implement issue anchore#197

Signed-off-by: Bruce Clark <bruce.clark@mandg.com>
Signed-off-by: Bruce Clark <bruce.clark@mandg.com>
…lity

Signed-off-by: Bruce Clark <bruce.clark@mandg.com>
Signed-off-by: Bruce Clark <bruce.clark@mandg.com>
@oss-housekeeper oss-housekeeper Bot added the dependencies dealing with project dependencies label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies dealing with project dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants