[pve-devel] [PATCH container/proxmox{, -perl-rs}/storage 0/9] support OCI images as container templates

Michael Köppl m.koeppl at proxmox.com
Mon Jun 2 18:26:49 CEST 2025 

Thanks for tackling this! I tested setting up containers based on
various OCI images. Apart from the UI not allowing upload of .tar files
(see my comment on the pve-storage patch), the uploading worked as
expected. I encountered some problems with various images during my
testing. I used docker save to get the .tar files (as per your example).
Tested the following with that setup:

- httpd image (as per your example): worked as expected, was able to
reach the httpd "It works!" page
- redis:latest: connection reset by peer on start, fails to start
- debian:bookworm: `sync_wait: 34 An error occurred in another process
(expected sequence number 7)` on start
- alpine:latest: worked as expected, landed in shell
- fedora:latest: unable to open file
'/etc/systemd/system-preset/00-pve.preset.tmp.85271' - No such file or
directory on create, cannot create container
- ubuntu:latest: `unable to open file
'/etc/systemd/network/eth0.network.tmp.89496' - No such file or directory`
- Supplying an SSH key does not seem to work (tested with alpine OCI image)
- Images with a CMD in their Dockerfile that does not call a shell (i.e.
last line is not CMD ["/bin/bash"]) will not display anything in the
console view. This is not unexpected, but UX-wise it might make sense to
inform users about this in some way (maybe by disabling the console view
and displaying an informational message)

I also tested with .tar files created by podman. Those only worked when
created with --format=oci-archive, otherwise os-release and architecture
can seemingly not be detected during startup, falling back to
'unmanaged' and 'amd64'. Might be worth mentioning in future
documentation for this feature.

On 5/20/25 14:42, Filip Schauer wrote:
> Add basic support for OCI (Open Container Initiative) images [0] as
> container templates.
> 
> An OCI image can be for example obtained from Docker Hub:
> 
> ```
> $ docker pull httpd
> $ docker save httpd > httpd.tar
> ```
> 
> The tarball can be uploaded to a storage as a container template and
> then used during container creation. It is automatically detected that
> the container template is an OCI image. The resulting container still
> uses the existing LXC framework.
> 
> # Dependencies:
> 
> Since the `oci-spec` crate is not in any Debian repository at the time
> of writing, it needs to be downloaded from crates.io, in order to be
> able to build `proxmox-oci`.
> 
> Here is a little script to download the `oci-spec` crate along with its
> dependencies:
> 
> ```sh
> download_crate() {
>     CRATE_NAME=$1
>     CRATE_VERSION=$2
>     CRATE_SHA256=$3
> 
>     wget https://crates.io/api/v1/crates/$CRATE_NAME/$CRATE_VERSION/download
> 
>     COMPUTED_SHA256=$(sha256sum download | awk '{ print $1 }')
>     if [ "$COMPUTED_SHA256" != "$CRATE_SHA256" ]; then
>         echo "Checksum mismatch"; exit 1
>     fi
> 
>     tar -xf download
>     rm download
>     mv $CRATE_NAME-$CRATE_VERSION /usr/share/cargo/registry/
>     echo "{\"package\":\"$CRATE_SHA256\",\"files\":{}}" > /usr/share/cargo/registry/$CRATE_NAME-$CRATE_VERSION/.cargo-checksum.json
> }
> 
> download_crate strsim 0.11.1 7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f
> download_crate ident_case 1.0.1 b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39
> download_crate darling_macro 0.20.11 fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead
> download_crate darling_core 0.20.11 0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e
> download_crate darling 0.20.11 fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee
> download_crate proc-macro-error-attr2 2.0.0 96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5
> download_crate derive_builder_core 0.20.2 2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8
> download_crate thiserror-impl 2.0.0 22efd00f33f93fa62848a7cab956c3d38c8d43095efda1decfc2b3a5dc0b8972
> download_crate rustversion 1.0.20 eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2
> download_crate heck 0.5.0 2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea
> download_crate proc-macro-error2 2.0.1 11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802
> download_crate derive_builder_macro 0.20.2 ab63b0e2bf4d5928aff72e83a7dace85d7bba5fe12dcc3c5a572d78caffd3f3c
> download_crate thiserror 2.0.0 15291287e9bff1bc6f9ff3409ed9af665bec7a5fc8ac079ea96be07bca0e2668
> download_crate strum_macros 0.27.1 c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8
> download_crate strum 0.27.1 f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32
> download_crate getset 0.1.5 f3586f256131df87204eb733da72e3d3eb4f343c639f4b7be279ac7c48baeafe
> download_crate derive_builder 0.20.2 507dfb09ea8b7fa618fcf76e953f4f5e192547945816d5358edffe39f6f94947
> download_crate oci-spec 0.8.1 57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33
> ```
> 
> Since librust-oci-spec-dev is in the proxmox-oci/debian/control file, a
> dummy package needs to be installed, so dpkg-checkbuilddeps does not
> complain.
> 
> dummy_librust_oci_spec.equivs:
> 
> ```
> Package: librust-oci-spec-dev
> Version: 0.8.1
> Provides: librust-oci-spec-0.8+default-dev (= 0.8.1-1)
> ```
> 
> ```
> $ equivs-build dummy_librust_oci_spec.equivs
> $ dpkg -i ./librust-oci-spec-dev_0.8.1_all.deb
> ```
> 
> # Build & install order:
> 
> 1. proxmox
> 2. proxmox-perl-rs
> 3. pve-container
> *  pve-storage (no particular order there)
> 
> [0] https://github.com/opencontainers/image-spec/blob/main/spec.md
> 
> proxmox:
> 
> Filip Schauer (1):
>   add proxmox-oci crate
> 
>  Cargo.toml                       |   1 +
>  proxmox-oci/Cargo.toml           |  21 ++++
>  proxmox-oci/debian/changelog     |   5 +
>  proxmox-oci/debian/control       |  45 ++++++++
>  proxmox-oci/debian/debcargo.toml |   7 ++
>  proxmox-oci/src/lib.rs           | 165 +++++++++++++++++++++++++++++
>  proxmox-oci/src/oci_tar_image.rs | 173 +++++++++++++++++++++++++++++++
>  7 files changed, 417 insertions(+)
>  create mode 100644 proxmox-oci/Cargo.toml
>  create mode 100644 proxmox-oci/debian/changelog
>  create mode 100644 proxmox-oci/debian/control
>  create mode 100644 proxmox-oci/debian/debcargo.toml
>  create mode 100644 proxmox-oci/src/lib.rs
>  create mode 100644 proxmox-oci/src/oci_tar_image.rs
> 
> 
> proxmox-perl-rs:
> 
> Filip Schauer (1):
>   add Perl mapping for OCI container image parser
> 
>  pve-rs/Cargo.toml |  2 ++
>  pve-rs/Makefile   |  1 +
>  pve-rs/src/lib.rs |  1 +
>  pve-rs/src/oci.rs | 20 ++++++++++++++++++++
>  4 files changed, 24 insertions(+)
>  create mode 100644 pve-rs/src/oci.rs
> 
> 
> pve-storage:
> 
> Filip Schauer (1):
>   allow .tar container templates
> 
>  src/PVE/Storage.pm        | 2 +-
>  src/PVE/Storage/Plugin.pm | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> 
> pve-container:
> 
> Filip Schauer (6):
>   config: whitelist lxc.init.cwd
>   add support for OCI images as container templates
>   config: add entrypoint parameter
>   configure static IP in LXC config for custom entrypoint
>   setup: debian: create /etc/network path if missing
>   manage DHCP for containers with custom entrypoint
> 
>  src/PVE/API2/LXC.pm         | 53 ++++++++++++++++++++--
>  src/PVE/LXC.pm              | 88 ++++++++++++++++++++++++++++++++++---
>  src/PVE/LXC/Config.pm       | 19 +++++++-
>  src/PVE/LXC/Setup/Debian.pm |  1 +
>  4 files changed, 152 insertions(+), 9 deletions(-)
> 
> 
> Summary over all repositories:
>   17 files changed, 595 insertions(+), 11 deletions(-)
>

More information about the pve-devel mailing list