Add support for creating toolboxes from Containerfile

[wbrawner]

This adds a new flag to toolbox create, -f, --file, which allows the user to create a toolbox from the given Containerfile. If --image is provided, then that is the name that is used to tag the container. If --container is provided, then that is used as the name of the newly created container. If either of those parameters are absent, then the name of the current directory is used in its place. I used the following Containerfile to test this, which installs the dependencies needed to build toolbox:

Containerfile

FROM registry.fedoraproject.org/fedora-toolbox:39
ENV NAME=toolbox-dev VERSION=39

LABEL com.github.containers.toolbox=true \

com.redhat.component="$NAME" \

name="$NAME" \

version="$VERSION" \

usage="This is a toolbox development container" \

summary="Container used for development of the toolbox tool itself" \

maintainer="William Brawner [email protected]"
RUN dnf install -y golang \

clang \

meson \

ninja-build \

go-md2man \

shadow-utils-subid-devel

Of note with this is I found that using registry.fedoraproject.org/fedora instead of registry.fedoraproject.org/fedora-toolbox led to errors in toolbox initialization. Should we attempt to detect this and print a warning to the user to ensure they have the necessary packages installed in order for toolbox to work?

This closes #1397.

[softwarefactory-project-zuul]

Build failed.
https://softwarefactory-project.io/zuul/t/local/buildset/c8315bde6f2742bcaf9f20717bbfd9ad

❌ unit-test FAILURE in 8m 55s
❌ unit-test-migration-path-for-coreos-toolbox RETRY_LIMIT in 2m 46s
❌ unit-test-restricted FAILURE in 8m 03s
✔️ system-test-fedora-rawhide SUCCESS in 30m 36s
✔️ system-test-fedora-39 SUCCESS in 32m 00s
✔️ system-test-fedora-38 SUCCESS in 29m 20s
✔️ system-test-fedora-37 SUCCESS in 37m 02s

[debarshiray]

Thanks for working on this! I like the idea of re-using the --image flag to name the image that was just built.

I left some comments on #1397 about some high level questions.

[debarshiray]

I wish podman build would have a separate exit code for this. Even if the file exists here, there's no guarantee that it wouldn't disappear underneath us before the build starts. Filesystems are inherently racy.

[HarryMichal]

I see a potential solution. Copy the contents of the file to a temporary location or into a buffer and pass that to podman build instead.

[debarshiray]

Yes. I fiddled with podman build a bit more today. This works:

$ cat /path/to/build/context/Containerfile | podman build --file - /path/to/build/context

We could try to spot the Containerfile in the build context, then open it to get a io.Reader and feed it to shell.Run(...) as stdin when invoking podman build ....

It's worth bearing in mind that podman build supports specifying the build context directory as a HTTP URL of an archive, Git repository or a Containerfile, Containerfile.in that's supposed to be pre-processed by cpp(1), multiple Containerfiles and build contexts through a mix of --file, --build-context options and a [context] argument, etc..

Reading the code of the BuildDockerfiles() function in github.com/containers/buildah/imagebuildah, TempDirForURL() function in github.com/containers/buildah/define, and the podman build code leading up to them, I think we should only support a simple subset of what podman build offers. It will help us avoid fronting the entire podman build CLI in toolbox create, keep our error handling clean, and avoid race conditions that could lead to future (including security) bugs.

So, I propose supporting only a single build context that should contain a Container/Dockerfile. Supporting HTTP URLs for the context looks simple enough, but we should avoid the rest.

[debarshiray]

As a consequence of that, I think we should change --file to --image-build-context.

[debarshiray]

go fmt is unhappy about this line ...

[debarshiray]

... and this one.

[wbrawner]

I'm afraid I don't really have the time or inclination to work on this anymore, so I'll close this PR. Thank you!