toolbox: add support for multi-layered docker images

[oliwer]

Handle multi-layered Docker images correctly

This is intended to fix flatcar/Flatcar#465 and flatcar/Flatcar#508

Currently, toolbox assumes all Docker images are made of 1 layer : it puts the name of the layer tarball in a variable and passes it to tar. This fails if the images has multiple layers, as the variable contains several filenames.

This patch simply adds a for loop to extract each layer in sequence.

How to use

Run toolbox with a multi-layered docker image, like ubuntu-debootstrap:14.04.

Testing done

$ cat .toolboxrc
TOOLBOX_DOCKER_IMAGE=ubuntu-debootstrap
TOOLBOX_DOCKER_TAG=14.04
$ toolbox
14.04: Pulling from library/ubuntu-debootstrap
Image docker.io/library/ubuntu-debootstrap:14.04 uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
c02c7df4a131: Pull complete 
a3ed95caeb02: Pull complete 
Digest: sha256:b424724203198bdb60d79368bf967c71534dd25f2b7703021110f04e1a81b78c
Status: Downloaded newer image for ubuntu-debootstrap:14.04
docker.io/library/ubuntu-debootstrap:14.04
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/VERSION
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/json
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/layer.tar
898cb62b73684611dcb1f478fa1731683cabc30ddbdc692b0fb027b69cec1033.json
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/VERSION
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/json
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/layer.tar
manifest.json
...
Untagged: ubuntu-debootstrap:14.04
Untagged: ubuntu-debootstrap@sha256:b424724203198bdb60d79368bf967c71534dd25f2b7703021110f04e1a81b78c
Deleted: sha256:898cb62b73684611dcb1f478fa1731683cabc30ddbdc692b0fb027b69cec1033
Deleted: sha256:c05c8727aa340e50ec560afe8159ced1e88a461579d51fcde5b91f9e918817a6
Deleted: sha256:45befd8a8901eecc964f2c766a93cb8f0f49752a31db8db3af854798f75ebf8e
Spawning container odc-ubuntu-debootstrap-14.04 on /var/lib/toolbox/odc-ubuntu-debootstrap-14.04.
Press ^] three times within 1s to kill container.
root@ip-10-188-70-239:~#

[jepio]

Thanks for this contribution. I checked what happens when a layer removes a file:

• the original file is kept
• a "whiteout" file is created.

Might not cause any damage in practice but it's better to avoid it.

Do you think this could be rewritten to instead use docker export? I think approximately the following steps are necessary (excuse my bad variable naming):

containerref=$(docker create ${imageref})
docker export -o ${containerref}.tar ${containerref}
docker rm ${containerref}
tar xpvf ${containerref}.tar -C ${machinepath}

I also noticed that the resulting tarballs are not gzipped in either case, so we may as well drop that from the name.

[oliwer]

Good idea. It's much cleaner using docker export. It solved another bug at the same time, where toolbox would crash if there are multiple versions of an image installed.

I also modified the TOOLBOX_DOCKER_ARCHIVE case to support multiple layers. I tried to replace wget by a docker import, but this did not work well: the exported tarball seems corrupt and contains both layers and parts of the filesystem. I suspect that's because when doing docker create of the imported archive, I was forced to provide an initial command for the container. Anyway, for now the old method seems more reliable.

Btw, any reason why you used the -p flag for tar in your example?

[jepio]

@oliwer awesome; I didn't know about the TOOLBOX_DOCKER_ARCHIVE variable, but from searching the internet this appears to be something long obsolete (and that used a different tarball structure) so we can remove that branch all together. Let me know if you can still do that and i'll merge immediately after (I was gone a couple of days).

tar -p: i pass it out of habit, the -p preserves permissions but tar does that when run as root by default so there's no need for it here.

[oliwer]

Done! I also thought this was a weird feature.

I had to change an error message because the old one did not make sense anymore. Hopefully that's good enough.

[jepio]

Thanks!

Now what remains is updating the commit in the ebuild in flatcar-linux/coreos-overlay, would you want to do that? The files are here: https://github.com/flatcar-linux/coreos-overlay/tree/943ce52f94b140922e25559e774c6570c41ca577/app-admin/toolbox, the xxx-9999.ebuild needs changes and the xxx-r15.ebuild symlink needs to be renamed to xxx-r16.ebuild.

[oliwer]

Those filenames look weird... but sure, i'll open a PR.