bootc-image-builder

RFE: Allow passing a different container image ref to use inside the new image

Open richm opened this issue 1 year ago • 5 comments

The container image passed into the build may refer to a registry with a host or IP like this:

podman ... quay.io/centos-bootc/bootc-image-builder:latest --type qcow2 --config /config.json \
  --tls-verify=false "${registry_host_on_host}:5000/bootc-insights:latest"

where registry_host_on_host is the way the registry is resolved on the host. But there are cases where the host or IP used to resolve the registry from inside the running VM is different. It would be nice to have an option like

quay.io/centos-bootc/bootc-image-builder:latest --image-ref "${registry_host_from_inside_vm}:5000/bootc-insights:latest" "${registry_host_on_host}:5000/bootc-insights:latest"

richm Mar 15 '24 18:03

@cgwalters WDYT? Should we add such an arg?

ondrejbudai Mar 18 '24 08:03

It would make sense to me for bib to offer a config knob that propagates --target-imageref indeed (this gets a bit...odd I guess of course because right now bib fetches to a cache and then uses that option on its own, but with the local storage I think that conceptually goes away?)

That said

--tls-verify=false

Is going to be a problem in general as we don't yet expose this on the bootc side (I think it's a really bad idea to do)...and the cases that want it usually are virtualized/local test cases that are often better done via fetching via non-network paths like virtiofs mounts.

It's similar to Anaconda fetching RPMs over plain http://; it's just a bad idea and we need to help people set up secure mechanisms. In the Anaconda case that usually means customizing the ISO config to inject e.g. custom CA certificates and the like.

cgwalters Mar 18 '24 23:03

> It would make sense to me for bib to offer a config knob that propagates --target-imageref indeed (this gets a bit...odd I guess of course because right now bib fetches to a cache and then uses that option on its own, but with the local storage I think that conceptually goes away?)

We currently don't use an osbuild cache for container images, everything goes via a container registry.

> That said
>
> --tls-verify=false
>
> Is going to be a problem in general as we don't yet expose this on the bootc side (I think it's a really bad idea to do)...and the cases that want it usually are virtualized/local test cases that are often better done via fetching via non-network paths like virtiofs mounts.

That's true. :/

ondrejbudai Mar 19 '24 13:03

I haven't tried it yet, but a simple workaround would be to define a host 'alias' for the registry hostname. e.g. on the host:

/etc/hosts
IP_ADDR_ON_HOST real_hostname .... registry_host

in the vm:

/etc/hosts
IP_ADDR_IN_VM real_hostname .... registry_host

Then you can pass in registry_host:5000/image-name:tag which will resolve correctly on both the host and from the VM.

I believe the /etc/hosts configuration can be done in the Containerfile for image-name:tag (assuming you know what IP_ADDR_IN_VM is ahead of time).

richm Mar 20 '24 16:03
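
A preflight check for the hosts-alias workaround in the comment above, as an added example that is not part of the original thread or of bootc-image-builder: it looks up the registry name of an image reference in a given hosts file (the host's or the VM's) and reports whether a CA file is in place for that registry, the alternative to --tls-verify=false raised earlier in the thread. The function names, addresses and file contents are constructed, and the `certs.d/<host:port>/ca.crt` location is assumed from the containers-certs.d layout.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# registry_of REF -> prints the "host[:port]" part of an image reference.
registry_of() {
    printf '%s\n' "${1%%/*}"
}

# resolve_in_hosts HOSTS_FILE NAME -> prints the address mapped to NAME
# (canonical name or alias); fails if no entry matches.
resolve_in_hosts() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# has_registry_ca CERTS_D REF -> succeeds if CERTS_D/<host:port>/ca.crt exists.
has_registry_ca() {
    [ -f "$1/$(registry_of "$2")/ca.crt" ]
}

# check_ref REF HOSTS_FILE CERTS_D -> prints "<address> ca=yes|no";
# fails if the registry name is not in HOSTS_FILE.
check_ref() {
    reg=$(registry_of "$1")
    ip=$(resolve_in_hosts "$2" "${reg%%:*}") || {
        echo "unresolved: ${reg%%:*}" >&2
        return 1
    }
    if has_registry_ca "$3" "$1"; then ca=yes; else ca=no; fi
    printf '%s ca=%s\n' "$ip" "$ca"
}

# Constructed sample data: the same alias mapped to different addresses,
# standing in for /etc/hosts on the host and inside the VM.
demo=$(mktemp -d)
printf '192.0.2.10 real_hostname registry_host  # host side\n' > "$demo/hosts.host"
printf '198.51.100.7 real_hostname registry_host\n' > "$demo/hosts.vm"
mkdir -p "$demo/certs.d/registry_host:5000"
: > "$demo/certs.d/registry_host:5000/ca.crt"   # placeholder, not a real certificate

ref="registry_host:5000/image-name:tag"
check_ref "$ref" "$demo/hosts.host" "$demo/certs.d"
check_ref "$ref" "$demo/hosts.vm" "$demo/certs.d"
```

The port is stripped with a simple suffix match, so the check covers hostnames and aliases, not bracketed IPv6 literals.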

This issue is stale because it had no activity for the past 365 days. Remove the "Stale" label or add a comment, otherwise this issue will be closed in 30 days.

github-actions[bot] May 14 '25 04:05

This issue was closed because it has been stalled for 365+30 days with no activity.

github-actions[bot] Jun 13 '25 04:06