From c0029fda47761e5571020275a23e4e3334f98219 Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <2292245+fwilhe@users.noreply.github.com>
Date: Wed, 20 Nov 2024 11:00:31 +0100
Subject: [PATCH] Use new unbase_oci script (#57)

Simplify build pipeline by making use of the new features in unbase_oci as described in gardenlinux/gardenlinux#2476
---
 .github/workflows/ci.yaml | 5 ++-
 build_bare.sh | 7 +---
 unbase_oci | 74 +++++++++++++++++++++++++++++++++++----
 3 files changed, 73 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4a6ee49..ca46126 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -118,10 +118,13 @@ jobs:
 registry: ghcr.io
 - name: Build bare images
+ run: |
+ ./build_bare.sh
+
+ - name: Push bare images
 if: ${{ github.event_name != 'pull_request' }}
 id: bare
 run: |
- ./build_bare.sh
 podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
 podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare
 echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT
diff --git a/build_bare.sh b/build_bare.sh
index 6e41826..f40cf70 100755
--- a/build_bare.sh
+++ b/build_bare.sh
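Review bot: The `Build bare images` step on the new side carries no `if:`, so it now also runs for `pull_request` events while only the push is gated on the event type; that is easy to undo by accident, so state it on the step, e.g. `# intentionally unconditional: PRs build, only the push below is gated`. The push step still records a digest only for amd64 (`--digestfile=bare-amd64-digest`) and the arm64 push has none, so nothing downstream of `steps.bare.outputs` can pin the arm64 bare image by digest; if that is consumed anywhere, add `--digestfile=bare-arm64-digest` and a matching output. The job definition starts above this hunk.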
@@ -7,15 +7,10 @@ build () {
 local ARCH="${1}"; shift
 SHA_GLVD=$(podman pull -q --arch="$ARCH" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG)
- podman save --format oci-archive "$SHA_GLVD" > glvd-"$ARCH".oci
- SHA_GL=$(podman pull -q --arch="$ARCH" ghcr.io/gardenlinux/gardenlinux:1592)
- podman save --format oci-archive "$SHA_GL" > gardenlinux-"$ARCH".oci
- ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux-"$ARCH".oci glvd-"$ARCH".oci glvd_bare-"$ARCH".oci
+ ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree podman:"$SHA_GL" podman:"$SHA_GLVD" podman:ghcr.io/gardenlinux/glvd-api:latest-linux${ARCH}_bare
- image="$(podman load < glvd_bare-"$ARCH".oci | awk '{ print $NF }')"
- podman tag "$image" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux"$ARCH"_bare
 }
 build amd64
diff --git a/unbase_oci b/unbase_oci
index f2634fc..7e300eb 100755
--- a/unbase_oci
+++ b/unbase_oci
@@ -2,7 +2,7 @@
 set -eufo pipefail
-container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a
+container_image=ghcr.io/gardenlinux/unbase_oci:50a92af51a5a357f6b93afbc1293124e24aed241
 container_engine=podman
 container_mount_opts=()
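Review bot: The new `./unbase_oci` line hard-codes the output reference `podman:ghcr.io/gardenlinux/glvd-api:latest-linux${ARCH}_bare`, whereas the removed `podman tag` derived it from `$GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG`, so changing those variables (used two lines above for the pull) no longer moves the bare image; use `podman:"$GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux${ARCH}_bare"` to keep pull and output in sync. Separately, the `-` in front of `SHA_GL=$(podman pull …)` reads as removing the assignment that the new line still consumes via `podman:"$SHA_GL"`; if that marker belongs to a removed blank line the point is moot, otherwise `SHA_GL` is unbound at the call. The base image is still pulled by the mutable tag `gardenlinux:1592`; pinning it by digest would make the bare image build reproducible. The `build` function starts above this hunk.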
@@ -46,10 +46,72 @@ while [ $# -gt 0 ]; do
 esac
 done
-container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")")
-[ "$1" = "$2" ] || container_mount_opts+=(-v "$(realpath "$2"):/mnt$(realpath "$2")")
-[ -e "$3" ] || touch "$3"
-container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")")
-args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")")
+tmp_files=()
+
+for key in base input output; do
+ if [[ "$1" == :* ]]; then
+ [[ "$value" =~ ^([a-z]+):(.*)$ ]]
+ prev_engine="${BASH_REMATCH[1]}"
+ prev_image="${BASH_REMATCH[2]}"
+ value="$prev_engine:${prev_image%:*}$1"
+ else
+ value="$1"
+ fi
+ shift
+ declare "${key}"="$value"
+ if [[ "$value" =~ ^([a-z]+):(.*)$ ]]; then
+ declare "${key}_container_engine"="${BASH_REMATCH[1]}"
+ declare "${key}_container_image"="${BASH_REMATCH[2]}"
+ tmp_file="$(mktemp)"
+ tmp_files+=("$tmp_file")
+ declare "${key}_file"="$tmp_file"
+ else
+ declare "${key}_container_engine"=""
+ declare "${key}_container_image"=""
+ declare "${key}_file"="$value"
+ fi
+done
+
+if [ "$base" = auto ]; then
+ [ -n "$input_container_engine" ] && [ -n "$input_container_image" ]
+ image="$input_container_image"
+ parent="$("$input_container_engine" image inspect "$image" | jq -r '.[0] | .Parent')"
+ repo_tag="null"
+ while [ "$repo_tag" == null ]; do
+ if [ -z "$parent" ]; then
+ echo "failed to auto determine base image" >&2
+ exit 1
+ fi
+ repo_tag="$("$input_container_engine" image inspect "$parent" | jq -r '.[0] | .RepoTags.[0]')"
+ parent="$("$input_container_engine" image inspect "$parent" | jq -r '.[0] | .Parent')"
+ done
+
+ echo "auto determined base image: $repo_tag"
+
+ base_container_engine="$input_container_engine"
+ base_container_image="$repo_tag"
+ tmp_file="$(mktemp)"
+ tmp_files+=("$tmp_file")
+ base_file="$tmp_file"
+fi
+
+[ -z "$base_container_engine" ] || "$base_container_engine" save --format oci-archive "$base_container_image" > "$base_file"
+[ -z "$input_container_engine" ] || 
"$input_container_engine" save --format oci-archive "$input_container_image" > "$input_file"
+
+container_mount_opts+=(-v "$(realpath "$base_file"):/mnt$(realpath "$base_file")")
+[ "$base_file" = "$input_file" ] || container_mount_opts+=(-v "$(realpath "$input_file"):/mnt$(realpath "$input_file")")
+[ -e "$output_file" ] || touch "$output_file"
+container_mount_opts+=(-v "$(realpath "$output_file"):/mnt$(realpath "$output_file")")
+args+=("/mnt$(realpath "$base_file")" "/mnt$(realpath "$input_file")" "/mnt$(realpath "$output_file")")
 "$container_engine" run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
+
+if [ -n "$output_container_engine" ]; then
+ image_id="$("$output_container_engine" load < "$output_file" | awk '{ print $NF }')"
+ "$output_container_engine" tag "$image_id" "$output_container_image"
+ echo "tagged $output_container_image -> $image_id"
+fi
+
+for tmp_file in "${tmp_files[@]}"; do
+ rm "$tmp_file"
+done
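Review bot: The `mktemp` files that receive the saved OCI archives are only deleted by the trailing `for tmp_file …` loop, which under the file's `set -eufo pipefail` never runs when a `save`, the container run or the `load` fails, so every failed invocation leaves full image archives behind in `$TMPDIR`; register the cleanup right after `tmp_files=()` instead, `trap '[ "${#tmp_files[@]}" -eq 0 ] || rm -f -- "${tmp_files[@]}"' EXIT`, and drop the loop. In the `:*` branch `$value` is not initialised before the loop (unless set earlier in the file), so a leading `:tag` as the base argument dies with an unbound-variable error from `set -u` rather than a usage message, and when the previous argument was not in `engine:image` form the bare `[[ "$value" =~ … ]]` simply aborts the script under `set -e` with no output; `[[ "$value" =~ ^([a-z]+):(.*)$ ]] || { echo "relative ref $1 needs a preceding engine:image argument" >&2; exit 1; }` covers both. The auto-detection uses `.RepoTags.[0]`, a form only recent jq releases accept, so the script breaks on hosts with an older jq; `.RepoTags[0]` is accepted by all of them.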