[pve-devel] [PATCH container/proxmox{, -perl-rs}/storage 0/9] support OCI images as container templates

Christoph Heiss c.heiss at proxmox.com
Fri Jun 6 15:19:27 CEST 2025


Tested this series a bit using the
`docker.io/library/nginx:mainline-{alpine,bookworm}` images, pulled &
exported using `podman`.

Came across the same problem as Michael, that for `podman save` the
`--format=oci-archive` is required. According to podman-save(1), the
default format is "docker-archive":

  "A tar archive interoperable with docker load(1) (the default)"

Probably the old, Docker-specific image format version? Might make sense
to support that too, if it isn't too different.

The nginx image, both -alpine and -bookworm, fail to start with:

lxc-info: 103: ../src/lxc/af_unix.c: lxc_abstract_unix_recv_fds_iov: 218 Connection reset by peer - Failed to receive response
lxc-info: 103: ../src/lxc/commands.c: lxc_cmd_rsp_recv_fds: 128 Failed to receive file descriptors for command "get_init_pid"

Not sure what's going on there.

Tested further with `ghcr.io/dani-garcia/vaultwarden:1.34.1-alpine`,
that worked w/o problem, being able to access the application on port 80
afterwards.

---

Also, as talked off-list, I sent a debcargo-conf patch for packaging the
`oci-spec` crate [0]. This is only for Trixie (for now), as packaging
for Bookworm would require backporting some dependent crate updates. And
I'm not sure if it's worth seeing the upcoming Trixie release.

But building it on Bookworm also works if you build the `darling`,
`derive-builder`, `strsim` and `zstd-sys` crates too - YMMV tho :^)

[0] https://lore.proxmox.com/pve-devel/20250606103719.533030-2-c.heiss@proxmox.com/

On Tue May 20, 2025 at 2:42 PM CEST, Filip Schauer wrote:
> Add basic support for OCI (Open Container Initiative) images [0] as
> container templates.
>
> An OCI image can be for example obtained from Docker Hub:
>
> ```
> $ docker pull httpd
> $ docker save httpd > httpd.tar
> ```
>
> The tarball can be uploaded to a storage as a container template and
> then used during container creation. It is automatically detected that
> the container template is an OCI image. The resulting container still
> uses the existing LXC framework.
>
> # Dependencies:
>
> Since the `oci-spec` crate is not in any Debian repository at the time
> of writing, it needs to be downloaded from crates.io, in order to be
> able to build `proxmox-oci`.
>
> Here is a little script to download the `oci-spec` crate along with its
> dependencies:
>
> ```sh
> download_crate() {
>     # Fetch one crate from crates.io, verify its SHA-256 against the pinned
>     # value and unpack it into the local cargo registry.
>     CRATE_NAME=$1
>     CRATE_VERSION=$2
>     CRATE_SHA256=$3
>
>     wget -O download "https://crates.io/api/v1/crates/$CRATE_NAME/$CRATE_VERSION/download"
>
>     # Refuse to unpack anything whose checksum does not match.
>     COMPUTED_SHA256=$(sha256sum download | awk '{ print $1 }')
>     if [ "$COMPUTED_SHA256" != "$CRATE_SHA256" ]; then
>         echo "Checksum mismatch"; exit 1
>     fi
>
>     tar -xf download
>     rm download
>     mv "$CRATE_NAME-$CRATE_VERSION" /usr/share/cargo/registry/
>     # Record the crate checksum in the registry entry.
>     echo "{\"package\":\"$CRATE_SHA256\",\"files\":{}}" > "/usr/share/cargo/registry/$CRATE_NAME-$CRATE_VERSION/.cargo-checksum.json"
> }
>
> download_crate strsim 0.11.1 7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f
> download_crate ident_case 1.0.1 b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39
> download_crate darling_macro 0.20.11 fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead
> download_crate darling_core 0.20.11 0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e
> download_crate darling 0.20.11 fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee
> download_crate proc-macro-error-attr2 2.0.0 96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5
> download_crate derive_builder_core 0.20.2 2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8
> download_crate thiserror-impl 2.0.0 22efd00f33f93fa62848a7cab956c3d38c8d43095efda1decfc2b3a5dc0b8972
> download_crate rustversion 1.0.20 eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2
> download_crate heck 0.5.0 2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea
> download_crate proc-macro-error2 2.0.1 11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802
> download_crate derive_builder_macro 0.20.2 ab63b0e2bf4d5928aff72e83a7dace85d7bba5fe12dcc3c5a572d78caffd3f3c
> download_crate thiserror 2.0.0 15291287e9bff1bc6f9ff3409ed9af665bec7a5fc8ac079ea96be07bca0e2668
> download_crate strum_macros 0.27.1 c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8
> download_crate strum 0.27.1 f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32
> download_crate getset 0.1.5 f3586f256131df87204eb733da72e3d3eb4f343c639f4b7be279ac7c48baeafe
> download_crate derive_builder 0.20.2 507dfb09ea8b7fa618fcf76e953f4f5e192547945816d5358edffe39f6f94947
> download_crate oci-spec 0.8.1 57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33
> ```
>
> Since librust-oci-spec-dev is in the proxmox-oci/debian/control file, a
> dummy package needs to be installed, so dpkg-checkbuilddeps does not
> complain.
>
> dummy_librust_oci_spec.equivs:
>
> ```
> Package: librust-oci-spec-dev
> Version: 0.8.1
> Provides: librust-oci-spec-0.8+default-dev (= 0.8.1-1)
> ```
>
> ```
> $ equivs-build dummy_librust_oci_spec.equivs
> $ dpkg -i ./librust-oci-spec-dev_0.8.1_all.deb
> ```
>
> # Build & install order:
>
> 1. proxmox
> 2. proxmox-perl-rs
> 3. pve-container
> *  pve-storage (no particular order there)
>
> [0] https://github.com/opencontainers/image-spec/blob/main/spec.md
>
> proxmox:
>
> Filip Schauer (1):
>   add proxmox-oci crate
>
>  Cargo.toml                       |   1 +
>  proxmox-oci/Cargo.toml           |  21 ++++
>  proxmox-oci/debian/changelog     |   5 +
>  proxmox-oci/debian/control       |  45 ++++++++
>  proxmox-oci/debian/debcargo.toml |   7 ++
>  proxmox-oci/src/lib.rs           | 165 +++++++++++++++++++++++++++++
>  proxmox-oci/src/oci_tar_image.rs | 173 +++++++++++++++++++++++++++++++
>  7 files changed, 417 insertions(+)
>  create mode 100644 proxmox-oci/Cargo.toml
>  create mode 100644 proxmox-oci/debian/changelog
>  create mode 100644 proxmox-oci/debian/control
>  create mode 100644 proxmox-oci/debian/debcargo.toml
>  create mode 100644 proxmox-oci/src/lib.rs
>  create mode 100644 proxmox-oci/src/oci_tar_image.rs
>
>
> proxmox-perl-rs:
>
> Filip Schauer (1):
>   add Perl mapping for OCI container image parser
>
>  pve-rs/Cargo.toml |  2 ++
>  pve-rs/Makefile   |  1 +
>  pve-rs/src/lib.rs |  1 +
>  pve-rs/src/oci.rs | 20 ++++++++++++++++++++
>  4 files changed, 24 insertions(+)
>  create mode 100644 pve-rs/src/oci.rs
>
>
> pve-storage:
>
> Filip Schauer (1):
>   allow .tar container templates
>
>  src/PVE/Storage.pm        | 2 +-
>  src/PVE/Storage/Plugin.pm | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
>
> pve-container:
>
> Filip Schauer (6):
>   config: whitelist lxc.init.cwd
>   add support for OCI images as container templates
>   config: add entrypoint parameter
>   configure static IP in LXC config for custom entrypoint
>   setup: debian: create /etc/network path if missing
>   manage DHCP for containers with custom entrypoint
>
>  src/PVE/API2/LXC.pm         | 53 ++++++++++++++++++++--
>  src/PVE/LXC.pm              | 88 ++++++++++++++++++++++++++++++++++---
>  src/PVE/LXC/Config.pm       | 19 +++++++-
>  src/PVE/LXC/Setup/Debian.pm |  1 +
>  4 files changed, 152 insertions(+), 9 deletions(-)
>
>
> Summary over all repositories:
>   17 files changed, 595 insertions(+), 11 deletions(-)
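
The format mismatch discussed above (`oci-archive` versus podman's default `docker-archive`) can be checked before a tarball is uploaded as a template. The following is an added example, not code from this series or from `proxmox-oci`: it tells the two formats apart by their top-level marker files and, going one step beyond the thread, verifies that each `blobs/sha256/<hex>` member hashes to its own name. The names `classify_image_tar` and `sample` are hypothetical, and the sample archives are constructed in memory.

```python
import hashlib
import io
import tarfile

def classify_image_tar(fileobj):
    """Return (format, names of sha256 blobs whose content mismatches their name)."""
    names, bad_blobs = set(), []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Members may be stored as "./index.json" or "index.json".
            name = member.name[2:] if member.name.startswith("./") else member.name
            names.add(name)
            if member.isfile() and name.startswith("blobs/sha256/"):
                src, digest = tar.extractfile(member), hashlib.sha256()
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    digest.update(chunk)
                if digest.hexdigest() != name.rsplit("/", 1)[1]:
                    bad_blobs.append(name)
    # An OCI image layout carries an "oci-layout" marker file and "index.json".
    if {"oci-layout", "index.json"} <= names:
        return "oci-archive", bad_blobs
    # A docker-archive describes the image in a top-level "manifest.json".
    if "manifest.json" in names:
        return "docker-archive", bad_blobs
    return "unknown", bad_blobs

def sample(kind):
    """Build a tiny constructed tarball in memory (not a real image)."""
    layer = b"constructed layer bytes"
    blob = "blobs/sha256/" + hashlib.sha256(layer).hexdigest()
    files = {
        "oci": {"oci-layout": b'{"imageLayoutVersion": "1.0.0"}',
                "index.json": b'{"schemaVersion": 2, "manifests": []}',
                blob: layer},
        "docker": {"manifest.json": b"[]", "repositories": b"{}"},
    }
    files["tampered"] = {**files["oci"], blob: layer + b"!"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files[kind].items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for kind in ("oci", "docker", "tampered"):
        print(kind, classify_image_tar(sample(kind)))
```

For a file on disk, pass `open(path, "rb")`; the OCI check comes first because an archive may carry both sets of marker files.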




