Skip to content

add oci pull to images#175

Open
mac641 wants to merge 19 commits intomasterfrom
oci-puller
Open

add oci pull to images#175
mac641 wants to merge 19 commits intomasterfrom
oci-puller

Conversation

@mac641
Copy link
Contributor

@mac641 mac641 commented Nov 14, 2025
edited
Loading

@mac641 mac641 requested a review from a team as a code owner November 14, 2025 14:27
@mac641
Copy link
Contributor Author

mac641 commented Nov 14, 2025

@majst01 okay, so this is what I came up with. Can you do a review, pls?

Besides, I'm wondering if it's suitable to retrieve the oci credentials from env vars. Can you help me out here?

@majst01
Copy link
Contributor

majst01 commented Nov 15, 2025

@majst01 okay, so this is what I came up with. Can you do a review, pls?

Besides, I'm wondering if it's suitable to retrieve the oci credentials from env vars. Can you help me out here?

The OCI creadentials should be passed as optional fields from the pixiecore to the metal-hammer:

https://github.com/metal-stack/metal-hammer/blob/master/cmd/pixie-client.go#L14

Ideally a slice of registryconfig which contains the registry url, the username and the password should come from pixiecore.

@mac641 mac641 mentioned this pull request Nov 18, 2025
Open
@mac641
Copy link
Contributor Author

mac641 commented Nov 19, 2025

@majst01 does this work? https://github.com/metal-stack/metal-hammer/pull/175/files#diff-cfcd5a78ad9476ee24d7680dd023e71136f329c771d76ae6837ba68320b6379cR37

what does machine.Allocation.Image.URL contain? Is it the full oci url or just the image name, e.g. debian:12?

@majst01
Copy link
Contributor

majst01 commented Nov 20, 2025

@majst01 does this work? https://github.com/metal-stack/metal-hammer/pull/175/files#diff-cfcd5a78ad9476ee24d7680dd023e71136f329c771d76ae6837ba68320b6379cR37

what does machine.Allocation.Image.URL contain? Is it the full oci url or just the image name, e.g. debian:12?

It contains the full URL as configured in the image

@mac641 mac641 force-pushed the oci-puller branch 3 times, most recently from 0bfe689 to 7052ccb Compare December 4, 2025 14:24
@mac641 mac641 mentioned this pull request Dec 11, 2025
Open
@mac641 mac641 force-pushed the oci-puller branch 7 times, most recently from ad2bb15 to 2506148 Compare January 16, 2026 11:51
@mac641 mac641 force-pushed the oci-puller branch 4 times, most recently from 2a95918 to b244121 Compare January 22, 2026 15:46
majst01
majst01 reviewed Jan 23, 2026
View reviewed changes
majst01
majst01 reviewed Jan 23, 2026
View reviewed changes
majst01
majst01 reviewed Jan 23, 2026
View reviewed changes
majst01
majst01 reviewed Jan 23, 2026
View reviewed changes
majst01
majst01 reviewed Jan 23, 2026
View reviewed changes
@Gerrit91 Gerrit91 moved this to In Progress in Development Jan 26, 2026
@mac641 mac641 force-pushed the oci-puller branch 5 times, most recently from 57274af to ffebda3 Compare January 28, 2026 14:15
mac641 added 2 commits January 28, 2026 15:21
@mac641
ci: separate oci-pull tests from legacy tests
83c016d 
since they're considered integration tests and can't be run inside
a docker container due to testcontainers-go
@mac641
refactor: address changes requested by @majst01
9036814
@mac641 mac641 requested a review from majst01 January 28, 2026 14:53
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
cmd/image/image.go
}

switch hdr.Typeflag {
case tar.TypeDir:
Copy link
Contributor

@majst01 majst01 Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unsure if all cases are covered and or relevant.

Other pitfalls might be:

  • files with s-bit set
  • file modes of special files like /etc/shadow /etc/passwd etc.

This should be tested, at least manually, better would be with a automated test ?

majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
majst01
majst01 reviewed Jan 29, 2026
View reviewed changes
@mac641 mac641 self-assigned this Feb 10, 2026
@mac641
Copy link
Contributor Author

mac641 commented Feb 16, 2026

@majst01 So, I've been adding a couple of tests, mainly targeting s-bits and symlinks but it's impossible to test special files like /etc/shadow etc. without root permissions. I was considering an in-memory filesystem like afero as well but this would require dependency injection to work which would end up in a lot of refactoring. I think this is out-of-scope.
What do you think? Shall we skip the special files test? How would you tackle this problem?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@majst01 majst01 majst01 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@mac641 mac641

Labels

None yet

Projects

Development
Status: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mac641 @majst01