Make cosa build support building "ostree" artifact using podman/buildah

[PeaceRebel]

1. If --with-builda flag is passed or COREOS_ASSEMBLER_BUILD_WITH_BUILDAH=1, build ostree artifacts using buildah. Else, got the traditional way.
2. Copy source ociarchive in cosa import rather than importing layer by layer.
3. Force create buildid ref on importing ociarchive

Wants: coreos/fedora-coreos-config#3628 (optional, if de96356 is acceptable)

[gemini-code-assist]

Code Review

This pull request introduces support for building ostree artifacts using podman/buildah, gated by the COREOS_ASSEMBLER_BUILD_OCI environment variable. The changes also include optimizations for cosa import when dealing with oci-archives and a necessary adjustment to ostree ref creation. The implementation is solid, and I have a suggestion to enhance robustness in the modified code.

[jbtrystram]

Nice ! Minor comments.
It looks like the second commit message is missing a word?

[PeaceRebel]

I'm making another change here to build without the additional volume mounts. With that we can drophttps://github.com/coreos/fedora-coreos-config/pull/3628

[dustymabe]

I'm not sure this is needed. What we need to do is make our versions unique on every build. Right now it's just statically set.

So yeah. If you do consecutive container builds they are going to have conflicts, but we should make our tooling not have that problem.

[PeaceRebel]

I was getting conflict on the first build itself.

[dustymabe]

Weird.

[dustymabe]

Currently cosa build has some more behaviors than what this is reflecting.

You can:

1. cosa build -> generates ostree/qemu
2. cosa build ostree -> generates ostree
3. cosa build ostree qemu openstac -> generates ostree/qemu/openstack (I think)

I'm kind of of the opinion we should change existing cosa build to drop this extra functionality (and deal with the fallout in various CI locations) first to pave way for adding this new method of building, but without having to pollute this new method of building with some of the old cruft.

WDYT?

[dustymabe]

I'm making another change here to build without the additional volume mounts. With that we can drophttps://github.com/coreos/fedora-coreos-config/pull/3628

Sounds good. I'll review when you're ready

[PeaceRebel]

I'm making another change here to build without the additional volume mounts. With that we can drophttps://github.com/coreos/fedora-coreos-config/pull/3628

I have pushed it a separate commit here 9f09123
If this is good, I'll squash it.

[PeaceRebel]

Currently cosa build has some more behaviors than what this is reflecting.

You can:

1. `cosa build` -> generates ostree/qemu

2. `cosa build ostree` -> generates ostree

3. `cosa build ostree qemu openstac` -> generates ostree/qemu/openstack (I think)

I'm kind of of the opinion we should change existing cosa build to drop this extra functionality (and deal with the fallout in various CI locations) first to pave way for adding this new method of building, but without having to pollute this new method of building with some of the old cruft.

WDYT?

We can provide the same functionality with this new way. We can check if there are additional arguments except ostree & container and pass it on to the "old" script to generate other artifacts. Is that something we want?

[PeaceRebel]

/gemini review

[dustymabe]

/usr/lib/coreos-assembler/build-with-buildah.sh

I don't see this script added to this commit, but I will say at the same time that I did like it the way it was before with the entire command in this file :)

[PeaceRebel]

Ah. Missed it when I renamed it.

[PeaceRebel]

but I will say at the same time that I did like it the way it was before with the entire command in this file :)

The problem with those changes is that we might need to modify Containerfile to as you see in the related PR. This makes it the podman command from the Containerfiles's comments or the GH Actions to fails.

Is there any other way to run multiple command in the supermin vm?

[PeaceRebel]

Removed the script and added all command in the go file.

[gemini-code-assist]

Code Review

This pull request introduces a new build path for cosa build using buildah, triggered by a new --with-buildah flag or an environment variable. The changes include a new Go function to orchestrate the build, logic to switch to this new path, and an optimization for importing local OCI archives.

My review focuses on improving the Go code to follow language idioms and fixing a logic bug in how the new build path is triggered. The bug could cause command-line arguments to be silently ignored, leading to unexpected build behavior. The suggestions for the Go code aim to improve maintainability by using standard library functions for path manipulation.

[gemini-code-assist]

The current logic for determining whether to use the buildah path has a flaw. If the COREOS_ASSEMBLER_BUILD_WITH_BUILDAH environment variable is set to 1, mustBuildWithBuildah will return true even if other command-line arguments (like --force) are provided. These arguments are then silently ignored because buildWithBuildah() doesn't process them. This could lead to unexpected behavior.

The buildah path should only be taken if --with-buildah is the sole argument, or if the environment variable is set and no arguments are provided. This aligns with the help text that states 'Cannot be used with other options'.

Suggested change

	return (len(argv) == 1 && argv[0] == "--with-buildah") || (ok && mustEnvOption == "1")
	return (len(argv) == 1 && argv[0] == "--with-buildah") || (ok && mustEnvOption == "1" && len(argv) == 0)

[PeaceRebel]

I think this is ok. Ignoring.

[dustymabe]

We can provide the same functionality with this new way. We can check if there are additional arguments except ostree & container and pass it on to the "old" script to generate other artifacts. Is that something we want?

ehh. Like I said earlier, I actually think the existing behavior isn't ideal from a code organiziation perspective, but it is nice from a dev UX perspective.

If we did try to keep at least the current default behavior I certainly wouldn't call out to the existing cmd-build, but rather just run cmd-osbuild qemu here.

Again. I think we should bite the bullet and drop the current behavior IMO.

[jcapiitao]

/retest

[dustymabe]

so what's weird here is we are adding to the documentation to the cmd-build but this is an option src/cmd-build doesn't actually support.

--with-buildah is supported by cmd/build-container-native.go and switched on at the cmd/coreos-assembler.go level.

It's OK as a PoC to support it only in cmd/build-container-native.go but also what about all of these other options?

For example, --versionary is really useful in the context of making our versions unique on each build and --autolock=VERSION is required for both bodhi testing and downstream for RHCOS multi-arch builds.

I think more likely what we'd need to do is do away with the switch that happens in cmd/coreos-assembler.go and then just shell out here to cmd-supermin-run based on --with-buildah.

Of course, this could happen in a followup PR, but would probably be required before say we could switch any of our pipelines over to actually using this code.

[jlebon]

OK yeah, this is somewhat my fault. cmd-build is full of tricky bash code and I was hoping to avoid having to touch it at all by just making a separate e.g. cosa buildoci and intercepting early on in coreos-assembler.go whether to redirect cosa build to that instead based on the env var.

But... yes we need at least the versionary bits and the autolock stuff. The latter would be obsoleted longer term once we move to hermetic builds in Konflux.

The versionary bits happen quite early in cmd-build. We'd have to move up the autolock generation. And then cmd-build could just exec cosa buildoci [--version $VERSION] [--lockfile $AUTOLOCK]?

[jlebon]

Another big thing cmd-build does which is still relevant to the container native flow is change detection. But the way that should be implemented I think will look different (e.g. using hermetic builds + git, or having truly reproducible builds). There's also a lot of crud built up over the years in there (e.g. references of kickstart).

I think a goal once we've cut over is that cosa build is just a very minimal wrapper around podman build. Things that truly must happen in a "setup phase" (e.g. versionary) can be done there, but otherwise we should push all the complexity into the container build itself.