Cachi2 support for prefetching RPMs - design

[onosek]

Introduction

Containers want to install RPMs at build time. This is not possible when the build doesn’t have access to the negslirtwork (hermetic build). This feature is meant to enable such workflow.

The general idea is that the developer specifies ahead of time what RPMs they want to have available. In a step before the actual build, cachi2 takes this information, downloads all of the packages and prepares a repository that will be available during build.

Requirements

1. The solution MUST work for processing all required architectures in one process.
2. The solution MUST work without changes to RPM or package management tooling.
3. The solution SHOULD work for all RPM based distributions.
4. The solution SHOULDN’T require the maintainer to make significant changes to their Dockerfiles.
5. The solution SHOULD be able to propagate repoids for prefetched RPMs and modules to the container build.
   1. This will make sure the yum/dnf history command shows origin repositories correctly. This may be leveraged by user tools (e.g. Clair) to identify sources of the RPM content.
6. The solution MUST collect SRPMs for source container generation.
   1. Only applicable if the SRPMs were listed in the rpms.lock.yaml file.

Block schema

The image shows the main function blocks, input and outputs. In the first phase (MVP) only a subset of the whole functionality will be delivered. That means processing the lock file, and gathering (downloading) all required items (RPMs, source RPMs) into a directory structure that will represent input for a container build process. The basic fetch command will produce SBOM with metadata of fetched RPMs too.
As a next (optional) step, the other cachi2 command (generate-env or inject-files) will process the structure created in the previous step and will generate repositories and .repo file.

rpms.lock.yaml

Works as a configuration input file for prefetching. The format allows multiple architectures to be listed.

lockfileVersion: <version>
lockfileVendor: <vendor>
arches:
  - arch: <arch>
    packages:
      - repoid: <repoid>
        URL: <url>
        checksum: <method>:<digest>
        size: <size>
    source:
      - repoid: <repoid-source>
        URL: <url>
        checksum: <method>:<digest>
        size: <size>

or values are not mandatory - when not specified, a random repoid name is generated.
checksum key and are not mandatory either - when not specified, (S)RPM file verification won't be performed after download.

An example of the format follows.

lockfileVersion: 1
lockfileVendor: abcde
arches:
  - arch: x86_64
    packages:
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/l/libsodium-1.0.19-4.fc40.x86_64.rpm
        checksum: sha256:e8ec4a0e9b5e9246c661d5562fc692c697f6769846de718d3c8e0929dd5ae9de
        size: 178718
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-enhanced-9.1.113-1.fc41.x86_64.rpm
        checksum: sha256:dca5053a4ce789b8f70e063a45e9a7b512d8d8bf5baa8e265a7f5b9ce0c90412
        size: 1954810
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-data-9.1.113-1.fc41.noarch.rpm
        checksum: sha256:4d3169872508b93e8ce4d6d9b7fa5ab4177cd571258248138dc1b3c8477d5c36
        size: 23475
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/x/xxd-9.1.113-1.fc41.x86_64.rpm
        checksum: sha256:81fa409c8be8c125964787f93f13a4dc9d8f1667d8630cf8ba425ec1a266beca
        size: 37701
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-minimal-9.1.113-1.fc41.x86_64.rpm
        checksum: sha256:b31875f92a00b53432d3e46261d371e421814ff0ba62932e56490771d64787d7
        size: 823891
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-filesystem-9.1.113-1.fc41.noarch.rpm
        checksum: sha256:eaeaf2fefd929916e70e75cd2400a32e175d9f7025bcec208a70ab5055259914
        size: 18018
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/w/which-2.21-41.fc40.x86_64.rpm
        checksum: sha256:bd005b31a2d65a9f1e7ab9298eecab63a5536d67d714d29faa2a5bcddf44cd27
        size: 42442
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-common-9.1.113-1.fc41.x86_64.rpm
        checksum: sha256:ee5e2da2fb37d9fd10e4b529b8e17ae105ea885d955e227e20b61b8be3f30f82
        size: 7942116
      - repoid: fedora
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/g/gpm-libs-1.20.7-46.fc40.x86_64.rpm
        checksum: sha256:39558e6ac8a5686df32a166428cbd754059a31b3c824c8e34a6a72297075df10
        size: 20509
    source:
      - repoid: fedora-sources
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/source/tree/Packages/v/vim-9.1.113-1.fc41.src.rpm
        checksum: sha256:64938dc971a5aba5e5f94f431b4e17d8f0e10b0fbb19dec1ef7fdcef78dffea2
        size: 14674115
      - repoid: fedora-sources
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/source/tree/Packages/g/gpm-1.20.7-46.fc40.src.rpm
        checksum: sha256:0261bc3f223efbf6c374f7126161ffe5e6cb653393e72ec84b026c0ca82d046c
        size: 251673
      - repoid: fedora-sources
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/source/tree/Packages/w/which-2.21-41.fc40.src.rpm
        checksum: sha256:c4b994bfcd17e299dc5e21db8c5d6a1692a96728e745d8fd55d36f2f473c23bf
        size: 182501
      - repoid: fedora-sources
        url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/source/tree/Packages/l/libsodium-1.0.19-4.fc40.src.rpm
        checksum: sha256:31bb7b9ea83a26f0ff7333ac1016d73677ca5f93ba44016614dad477443d5985
        size: 1979932

Input

• The rpms lockfile
• Path for storing the output

Output

The given output path is populated with the following structure. The

<output>/deps/rpm/<arch>/<repoid>/*.rpm
<output>/deps/rpm/<arch>/<repoid-source>/*.src.rpm
<output>/deps/rpm/bom.json

"deps/rpm" part - this part of the path is for compatibility with other package manager modules cachi2 works with (for example "deps/npm").

The SBOM file format is CycloneDX and PURLs is generated as per specificiation
Example:

{
  'bomFormat': 'CycloneDX',
  'specVersion': '1.4',
  'version': 1,
  'metadata': {
    'tools': [
      {
        'vendor': 'red hat', 'name': 'cachi2'
      }]},
  'components': [
    {
      'name': 'gpm-libs',
      'purl': 'pkg:rpm/fedora%20project/[email protected]?arch=x86_64&download_url=https%3A//mirrors.nic.cz/pub/fedora/linux/releases/38/Everything/x86_64/os/Packages/g/gpm-libs-1.20.7-42.fc38.x86_64.rpm',
      'version': '1.20.7',
      'properties': [{'name': 'cachi2:found_by', 'value': 'cachi2'}],
      'type': 'library'
    },
    ...
    {
      'name': 'vim-filesystem',
      'purl': 'pkg:rpm/fedora%20project/[email protected]?arch=noarch&epoch=2&download_url=https%3A//mirrors.nic.cz/pub/fedora/linux/updates/38/Everything/x86_64/Packages/v/vim-filesystem-9.1.113-1.fc38.noarch.rpm',
      'version': '9.1.113',
      'properties': [{'name': 'cachi2:found_by', 'value': 'cachi2'}],
      'type': 'library'
    }],
}

The optional 2nd step will add metadata

<output>/deps/rpm/<arch>/repos.d/cachi2.repo
<output>/deps/rpm/<arch>/<repoid>/repodata/

Content of cachi2.repo file (with as many repositories included as used in the lockfile):

[<repoid>]
baseurl = file:///etc/yum.repos.d/<repoid>/

Note that the repo identifiers in the filesystem structure match the identifiers in the repo file, and come from the lockfile.
If wasn't specified, a random value is generated. And the section will additionally contain the key name with an additional comment.

The subdirectory for the corresponding architecture can be mounted into the build container to /etc/yum.repos.d/.

Benefits

• No modification of the Dockerfile is needed. When built without the pre-fetching, repositories which are configured in the base image would be used.
• No repodata is needed for the RPM packages on the input side, the user only needs to provide a list of URLs where packages are located and repoids under which the packages should appear in the container. This means that RPMs can be taken directly from artifact storage solutions without the need to create a repodata for them first. Cachi2 will take care of creating repodata for the build process.

Important things to keep in mind

• For RPMs Cachi2 doesn't work with repodata, it only downloads a list of URLs as listed in the rpms.lock.yaml file. Because of that, cachi2 cannot validate repodata signatures.
• For Modules, Cachi2 will likely need to access and understand the repodata. Modules are not just sets of RPMs, each module also contains several pieces of YAML metadata like modulemd chunk, module_defaults chunk and obsolete chunk. For the provenance reason it will be likely necessary for Cachi2 to obtain these metadata by itself directly from the repository with the module.
  • Note: A solution where these YAML chunks would be included into rpms.lock.yaml (by the CLI tool or the user) was also considered, however that would break the provenance chain as the user or the CLI tool could manipulate these chunks and thus we couldn’t claim that the module that got prepared by Cachi2 for the container build process is the same one as the one in the origin repository.

What about …

… handling dependencies

It doesn’t. Users are required to include all transitive dependencies in the rpms.lock.yaml file. Ideally, a tool would do this for them.

The prefetching step doesn’t really care about dependencies. It just downloads and prepares what it’s told to.

If there is a missing dependency, there will be a failure at build time.

If the lockfile lists additional packages, the build will not use them, so it’s just wasting time and bandwidth at the prefetching step (and possibly including irrelevant sources in source containers).

Authors

Author: lsedlar
Corrections and addons: tmlcoch, onosek

[ben-alkov]

Sign-offs

Reviewed

• @ben-alkov
• @brunoapimentel
• @ejegrova
• @eskultety
• @slimreaper35
• @taylormadore

Approved

• @ben-alkov
• @brunoapimentel
• @ejegrova
• @eskultety
• @slimreaper35
• @taylormadore

[taylormadore]

Is producing an SBOM for these fetched RPMs in-scope? Just asking because I don't see any mention of it

[eskultety]

On the other hand, repoid is supposed to match the repo where the package will come from.

repoid doesn't uniquely identify a package wrt/ its location (which was also my misunderstanding earlier), with repoid specifically the ID is arbitrary and what's worse it looks like cachi2 might generate one if repoid is missing (as it is proposed as optional).

[Tojaj]

Whatever. I'm just saying that repository_url pointing to an internal ephemeral location won't identify package location either.

[eskultety]

Whatever. I'm just saying that repository_url pointing to an internal ephemeral location won't identify package location either.

How so? it points exactly where the package was fetched from. The fact that it may point to an internal resource is out of scope of this project though, that's caller's responsibility to process the generated SBOM accordingly, including following any company security practices wrt/ not leaking such information, e.g. the lifetime of the SBOM might only be up until the point an analyzer tool verifies there's nothing else in the container image beyond what the SBOM claims it to be and then either the SBOM is discarded completely or further transformed to replace the internal resources with official pointers to publicly accessible repos, either way, it's beyond cachi2.

[Tojaj]

Ack, if there is a post-processing for SBOMs, then url may work. I assumed SBOMs are treated as immutable.

[eskultety]

Ack, if there is a post-processing for SBOMs, then url may work. I assumed SBOMs are treated as immutable.

Well, ideally they should be, but as you can clearly see there are limitations, IOW you either post-process it before publishing or you don't publish it at all, depends on the exact use case.

[eskultety]

lockfileVersion: 1
arches:

• arch: x86_64
  packages:
  • repoid: fedora
    url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/l/libsodium-1.0.19-4.fc40.x86_64.rpm
  • repoid: fedora
    url: https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os/Packages/v/vim-enhanced-9.1.083-1.fc40.x86_64.rpm
  • repoid: fedora

Are possible modifications discussed here: rpm-software-management/rpm#2908 (comment) going to be reflected in the lockfile format proposed here? I think it should be.

[Tojaj]

Based on recent discussions, wouldn't be better to stick to the current format where each package in the list of packages contains repoid (rather then grouping packages per repoid)?
I'm referring to the possibility of adoption of rpm-software-management/dnf5#833 format where list of packages is also "flat" and not grouped by repoids. Each package there is a dict with attributes like url, repoid, etc. which is pretty much what we have in the current format.
As the adoption of this TOML format is possible, sticking to the current format would make the future switch from this format to the TOML really straightforward.

[eskultety]

I'm referring to the possibility of adoption of rpm-software-management/dnf5#833 format where list of packages is also "flat" and not grouped by repoids. Each package there is a dict with attributes like url, repoid, etc. which is pretty much what we have in the current format.

Technically noone in the discussion went to such detail to even consider something else, in fact they didn't even agree on the very basis of the format. I'm only trying to declutter the format by decreasing redundant information to find the least common denominator to consolidate it.
That said, since rpm-software-management/dnf5#833 in its current shape is the closest match to what is being proposed I guess I won't stand in the way of using it as a guideline despite having my reservations, so @Tojaj you can consider a flat package list being okay with me for lockfileVersion: 1 (though I'd like to see it improved in future revisions, however that would mean more incompatible code for us :(, same for adopting TOML ).

[eskultety]

The need for output/<arch1>/cachi2.repo to me looks like very specific tailored to a single use case only. We should avoid tailoring the output favouring a single use case. In other words, I think it should be enough we produce the following part

output/<arch1>/<repoid>/repodata/
output/<arch1>/<repoid>/Packages/*.rpm
output/<arch1>/sources/*.src.rpm

and the rest is left to the caller. The reason for that is that by doing

[<repoid>]
baseurl = file:///etc/yum.repos.d/<repoid>/

and

The subdirectory for the corresponding architecture can be mounted into the build container to /etc/yum.repos.d/

Not only cachi2 mandates the repos to be exposed locally under /etc/ (implementation detail) we'd also be further defining the rest of the process in a supply chain pipeline, therefore it should IMO be caller's responsibility to consume the pre-fetched RPMs and repos created out of them so that it fits their specific need. I can imagine callers preferring to place the prefetched repos to a different volume and create the override .repo file to /etc/yum.repos.d/ on their own with more modifications than what could be produced by cachi2.

[Tojaj]

@eskultety I cannot comment on the first half as it's not me who defines scope of cachi2 vs rest of Konflux build process. Ralph or some other architects (?) will need to decide here.

About the createrepo question I'm not sure what you mean by achieve the same thing as it is asked here of cachi2? Createrepo doesn't download packages nor generates repofiles (if this was your question).
Createrepo generates repodata for list of packages packages - the list can be provided by pointing to a dir which createrepo will enumerate or by providing a file or command line option with paths to packages that should be included in repodata.

[eskultety]

Createrepo generates repodata for list of packages packages - the list can be provided by pointing to a dir which createrepo will enumerate or by providing a file or command line option with paths to packages that should be included in repodata.

@Tojaj this is what I wanted to know, so it's always just about metadata, that clarifies my createrepo question.

[eskultety]

@eskultety I cannot comment on the first half as it's not me who defines scope of cachi2 vs rest of Konflux build process. Ralph or some other architects (?) will need to decide here.

cachi2 is a tool not a direct Konflux component (or Konflux-only component, at least I'd like to treat it that way), so Konflux as a consumer of this feature would have to deal with this on their own. I truly don't like having this RPM feature tailored too much to the first consumer that comes and generating .repo files is part of it - like I said, fetching files, sure, creating actual repositories - not a fan but I guess I can live with that although I have a hunch at some point someone will want us to use some specific createrepo options in which case we'll know it was a bad idea in the first place to allow such a thing, but generating even the .repo descriptor files is stretching it a bit too far IMO.

[brunoapimentel]

In the current package managers workflow, users need to use a few commands in order to both prefetch and prepare the content to be used in the build. To illustrate:

# fetch the dependencies
cachi2 fetch-deps npm
# generate env variables that need to be used when performing the build/install comand (e.g. npm install)
cachi2 generate-env ./cachi2-output -o ./cachi2.env 
# modify the source files so that the package manager uses the packages from a local folder 
cachi2 inject-files ./cachi2-output

So I think createrepo and the repofile generation could also be offloaded to additional commands, keeping the prefetch focused, but also giving the easiness of use to users that indeed want to use these additional steps in the way we propose them. From what I understood, I don't think they fit into inject-files, so creating a new command might make more sense.

[eskultety]

So I think createrepo and the repofile generation could also be offloaded to additional commands, keeping the prefetch focused, but also giving the easiness of use to users that indeed want to use these additional steps in the way we propose them. From what I understood, I don't think they fit into inject-files, so creating a new command might make more sense.

My preference would still be inject-files and the reason is very simple: while the current description of the command seems like it doesn't suit the use case, it's just a matter of changing the doc string. If we create yet another command to just support a single package manager with this need (let's face it, it's going to be just RPM and then maybe DEB in some very distant future), it's going to be yet another command which will make it that bit harder to change anything on the CLI once it gets used in production. It also gives away the impression that we actually encourage such a swiss army knife design, whereas inject-files would give us a bit of wiggle room in that the command already exists and whatever change is going to be necessary for RPM, it would be internal implementation.
I know that backwards compatibility is overrated these days and we can change the CLI at will although that should also not mean that we add whatever is needed at a given moment to likely change it later.

[eskultety]

Cachi2 will take care of creating repodata for the build process.

This design doesn't factor in any potential GPG usage, does factoring it in change anything about this design? IOW to ensure a high level of SLSA in the secure supply chain we might want to be able signing the created repository and hence ensuring their integrity and authenticity for the rest of the steps in a pipeline for which supporting GPG might be suitable.

[lubomir]

Signatures of the RPMs themselves are not going to be altered in any way by this process. Whatever is using them downstream in the build process should verify their signatures (though this may need cooperation from the step that writes the repo file) in whatever way is appropriate.

Do you want cachi2 to sign the created repodata? I don't see any blocker for that in the proposal, though I would not put that in scope for the first proof-of-concept.

[eskultety]

I agree it's definitely out of scope for a POC, I just wanted to raise awareness of the issue and ideally make it part of the design, but mark it as a future extension should it make any kind of difference as far as the design goes (I don't know whether it does or not at this point just yet), I just wanted to make sure we know about it. As for the signing itself, I don't think we should sweep that possibility off the table, strictly from implementation POV that should be just one additional independent step.

[lubomir]

The first sentence is saying that there are no requirements on the URL for each RPM. It must point to the RPM. It does not have to point to a repository. It could just as well point to some generic artifact storage. The prefetching tool doesn't need any repodata to download individual RPMs.

As an example, you could replace the first URL in the initial example with https://kojipkgs.fedoraproject.org/packages/libsodium/1.0.19/4.fc40/data/signed/e99d6ad1/x86_64/libsodium-1.0.19-4.fc40.x86_64.rpm and nothing would change.

Module metadata is more complicated. There is no single file you could point the lockfile to in order to get full information about particular module (and only that module). Hence the possible need to actually understand the data more.

[eskultety]

okay, makes more sense now.

[eskultety]

For Modules, Cachi2 will likely need to access and understand the repodata. Modules are not just sets of RPMs, each module also contains several pieces of YAML metadata like modulemd chunk, module_defaults chunk and obsolete chunk. For the provenance reason it will be likely necessary for Cachi2 to obtain these metadata by itself directly from the repository with the module.

Note: A solution where these YAML chunks would be included into rpms.lock.yaml (by the CLI tool or the user) was also considered, however that would break the provenance chain as the user or the CLI tool could manipulate these chunks and thus we couldn’t claim that the module that got prepared by Cachi2 for the container build process is the same one as the one in the origin repository.

Can you elaborate some more on the modularity use case to get full picture of the ultimate future architecture?

[lubomir]

There is no design for the module part yet.

Here's a stream of rambling ideas: for modules you need RPMs and metadata. The RPMs I would expect to be handled by the existing proposal, there's nothing special about them that would prevent that.
The metadata are generally two YAML objects: ModuleStream and optional ModuleDefaults (there are also others, but shouldn't be needed for use case of building containers). As the note says, including them directly the lockfile is a no-go. They need to be downloaded from somewhere, but the big question is from where.

The content origin repository used by the (currently non-existing, not designed) tool that produces the lockfile would have a single YAML file in the repodata that contains all modular information for all modules. Maybe the lockfile could use this URL. Maybe the content could be used as a whole, or it could be somehow filtered to preserve only the needed objects..

A different option would be to somehow find the files in another storage where there's single YAML document per file. This could be done for ModuleStreams by by looking them up in MBS. I don't know of a reasonable way to find the source of Defaults though.

[eskultety]

output/<arch1>/cachi2.repo
output/<arch1>/<repoid>/repodata/
output/<arch1>/<repoid>/Packages/*.rpm
output/<arch1>/sources/*.src.rpm

Sources are arch independent, shouldn't they be under output/sources/<repoid>/Packages/*src.rpm instead?

[eskultety]

Do you think it's better to provide separate source container builds for each architecture requested by user?

No, I don't think we should do this.

@Tojaj so if IIUC given that there's only ever a single source container for all arches it is hence unacceptable for the pipeline process to invoke cachi2 multiple times with multiple different lockfiles?

[Tojaj]

@eskultety the current format allows you to have sepearate lockfiles if you want to.

I propose to opt to a single file by default for cachi2, as I'm not aware of any content production process that would benefit from multiple files (that brings risk of inconsistency). On the other hand I'm aware that production processes for Containers, RPMs, ISOs, VHD, AMIs, QCOW2s, etc. that we produce en masse would all benefit from a single file and its inherently guaranteed consistency of package set and package versions between arches. (I mentioned examples here rpm-software-management/dnf5#833 (comment))

Cachi2 support for multiple lock files can be always added when there is a real use-case for that. YAGNI. I don't see any blocker for supporting both scenarios.

it is hence unacceptable for the pipeline process to invoke cachi2 multiple times with multiple different lockfiles
Hm, I didn't say that.

[eskultety]

On the other hand I'm aware that production processes for Containers, RPMs, ISOs, VHD, AMIs, QCOW2s, etc. that we produce en masse would all benefit from a single file

Well, that however doesn't mean it should be ^this lockfile, rather a template file that needs to be both a single file and what is actually maintained in each project, I think having a parametrized template lockfile is much easier to maintain long term, and you also don't have any consistency problems, everything is perfectly consistent.

[Tojaj]

I honestly don't understand this comment.

You know that there will be a tooling to generate this lock files we discuss here from a template in files that are significantly shorter. These are not presented here as they don't fall under cachi2, but will be discussed during implementation of the CLI tool that will be processing them. That said, can you elaborate more on what are you talking about here?

[eskultety]

Sure.

You said:

I propose to opt to a single file by default for cachi2, as I'm not aware of any content production process that would benefit from multiple files (that brings risk of inconsistency).

The risk of inconsistency only exists if there's another external factor to the lockfile maintenance and that could be either human factor or a process that generates the lockfile. If we can agree on the base premise that what you're propose here simply isn't going to be the file than anyone wished to maintain manually, then generation of this file is the only actor where the inconsistency (i.e. a bug) can stem from. So, in that case, if a a generating program can easily generate a correct fully exploded lockfile as proposed here with a list of architectures included, it can easily generate one per architecture and remain perfectly consistent, so what you're describing seems like a complete non-issue to me.

You then continue

On the other hand I'm aware that production processes for Containers, RPMs, ISOs, VHD, AMIs, QCOW2s, etc. that we produce en masse would all benefit from a single file and its inherently guaranteed consistency of package set and package versions between arches.

You say that all services would all benefit from a single file. My question is what is that single file? Because all those services you mentioned are pretty much fully automated, so existence of a single lockfile containing all architectures vs having one per-architecture shouldn't play any role in an automated environment, especially apparently since the plan has been to generate the proposed lockfile (out of scope for cachi2) all along. To me your argument about the importance of a single file only makes sense when we start talking about the actual origin, template (or source if you will) for the lockfile format you're proposing here in this discussion that someone somewhere will have to maintain in order to generate this lockfile for the supply chain pipeline.
However, I have my doubts whether this format as being proposed here is just that, simply given by its nature of having everything resolved and so a fully exploded YAML would turn into a maintenance nightmare at some point quite easily.

Note that I haven't even hinted at any discussion about a template file being already in works, I only pitched the general idea of a generating template file being the ONLY source of truth for these lockfile solely based on my reasoning (and understanding) above, i.e. maintenance of the input file (whichever is going to be the one). My motivation here is to keep the file as lean as possible and I somehow cannot wrap my head around the need to specify multiple architectures in a single file and jumping over a few more hoops rather than keeping the file simple and more straightforward for the price of a potential (although marginal) performance penalty for the whole supply chain pipeline. Despite your earlier claim that your proposed format doesn't prevent anyone to specify a single arch, while true, my impression is that while there is a small penalty for generating per-arch lockfiles this format as is is both a bit harder to process and definitely harder to maintain whoever ends up dealing with it.

[onosek]

I updated the lockfile format with items checksum and (file) size. There is also an expansion in the header (two new records: lockfileVendor and lockfileType - that distinguishes between rpms.in.yaml and rpms.lock.yaml).

[eskultety]

lockfileType - that distinguishes between rpms.in.yaml and rpms.lock.yaml)

What's the point of this field, cachi2 won't process rpms.in.yaml and for every other tool it should be clear from the extension and the file structure itself to distinguish between them. IOW if you provide cachi2 a lockfile with structure conforming to the one proposed and likely the one implemented but you put lockfileType: in in it, cachi2 would happily digest it and do its thing since it could parse the file just fine and the field would be ignored, thus rendering this particular information redundant.

[onosek]

I am opening a new thread here to find out what is the blocker for the design to be approved.

[eskultety]

@onosek from my perspective it would be to get some final conclusion on the need of the multiarch list spec design in the format and what the requirements on cachi2 are when it comes to invoking createrepo.

[eskultety]

@onosek I'd almost forget (thanks @brunoapimentel for reminding me), SBOM content needs to be part of the design as well, we touched it in the discussion, but to avoid any misunderstanding we'll need SBOM too.

[brunoapimentel]

Erik also mentioned that repoid is a key that is not mandatory (or I got that wrong, sorry). But that made me think that it might be worth adding a brief list with all the attributes for the lockfile, showing in each of them if they're mandatory, the expected data type and any other constraint that we're predicting.

[brunoapimentel]

I know the tool to generate the lockfile is out of scope, but would there be a way to tell if the content of sources actually match the .rpm files that are listed in the lockfile? And how much do we care about this accuracy?

The reason I'm asking this is because, in our current pipeline, this is an important matter, to the point that pre-compiled binaries for languages such as Python are completely forbidden, and compilation must be done from sources during build time.

[j-mracek]

May I ask you why you want to use SRPM and binary RPM matching for content verification? If signature verification is not enough then we have a problem because we depend on that a lot. It is important to ensure that downloaded file has correct checksum. But if someone replace the file then it can also modify checksum in manifesto. It is important to ensure that RPM verifies signature when they get installed.
Note: SRPM is arch specific, but we keep only SRPM from one build and random architecture. SRPM spec already contains expanded macros therefore it might create a difference. Rebuild of SRPM might result in a different binary RPM also due to different versions of required packages on the system.

[brunoapimentel]

Thanks for the clarification. I believe the case of Python wheels are different, since we're pulling them from PyPI and have no other means to verify that the source distribution actually matches the content of the wheel. If we believe that trusting the signatures is enough, I'm fine with it, I just think it needs to be a explict decision, maybe have a small section about it in the design.

Some follow up questions:

• should we limit the origins of signatures to a limited group we trust (and make it configurable)?
• is it worth matching the SRPM listed in the RPM header during the prefetch to be sure the lockfile was properly generated?

[eskultety]

should we limit the origins of signatures to a limited group we trust (and make it configurable)?

As for RPMs, the builder container's should have the RPM database properly populated so every package will be implicitly verified before its installation, so any 3rd party package would fail installation unless the the corresponding GPG public key is baked into the builder container. So, I wonder what added value we'd add by checking the signatures 1 step ahead, provided checksum verification is in place?

As for SRPMs, I imagine the story would be the same. Note that both the lockfile and a set of GPG public keys is input to cachi2 (likely coming from a single source) so it could be all compromised and so we'd have no way of verifying it, essentially again leaving the problem for later stages of the supply chain pipeline to deal with.

is it worth matching the SRPM listed in the RPM header during the prefetch to be sure the lockfile was properly generated?

That would inherently mean that SRPMs always need to be specified in the lockfile alongside RPMs which isn't going to be the case once the RPM support lands since the vast majority of consumers is only ever going to be interested in doing <dnf|zypper> install <package> for which having to list SRPMs inside the lockfile is IMO simply an added burden. Again, what would be the added value in this case if we parse every single URL trying to match the file name to pair it with a name we found in a given RPM header?

[brunoapimentel]

what would be the added value in this case if we parse every single URL trying to match the file name to pair it with a name we found in a given RPM header?

In the context of Konflux, the SRPMs will be made available in source containers, so it could be a way to guarantee we're distributing accurate sources. If we think of Cachi2 as only responsible for fetching, then we could offload this verification to a later part of the pipeline.

I'm imagining a scenario in which the SRPMs listed in the lockfile are not correct, even if by mistake of whoever put the file together. Does Cachi2 need to care about it? Maybe not, but let's make this explicit in the design so that whatever pipeline is using Cachi2 can decide how to deal with the consequences.

which having to list SRPMs inside the lockfile is IMO simply an added burden

Interesting, so SRPMs won't be mandatory? I can totally see this use case, I think it makes sense, but I hadn't thought about it before.

[eskultety]

In the context of Konflux, the SRPMs will be made available in source containers, so it could be a way to guarantee we're distributing accurate sources. If we think of Cachi2 as only responsible for fetching, then we could offload this verification to a later part of the pipeline.

I get that point, but as I explained I don't think cachi2 has enough data to verify this correctly apart from dealing with checksums.

Interesting, so SRPMs won't be mandatory? I can totally see this use case, I think it makes sense, but I hadn't thought about it before.

Well, it must be, because a for app containers SRPMs are completely irrelevant, that's been the missing link all along, you can do 'pip install foo' in your builder container, but any platform dependency (e.g. RPM) would have to fetched online and not hermetically.

[onosek]

Generate .repo files on the cachi2's output? Currently, there are these options:

1. Cachi2 will generate the repofile - The original design included generating .repo files within the output.
2. Cachi2 won't generate the repofile - Cachi2's main task is to fetch dependencies. Move that feature out of the cachi2. Is the consumer of the output able/willing to generate .repo files for itself?
3. Compromise - Move that feature out of the cachi2's main task (cachi2 fetch-deps command) to at least separate the task from the main part. Do I understand well, @eskultety, would it require another call of cachi2 with a new command like for example cachi2 generate_repofiles ... ?

Thoughts?

@Tojaj @ralphbean @eskultety

[Tojaj]

I like to option proposed by @brunoapimentel above, thus I vote for the 3) compromise

[ralphbean]

Yeah, that makes sense to me too. The generate-env and inject-files examples really helped illustrate how the createrepo call shouldn't go directly in the fetch-deps command.

[onosek]

Thanks Ralph. Just to clarify ... you mentioned createrepo call not to go directly in the fetch-deps command. The question was about .repo files and they are not generated by createrepo (it generates repository metadata). Yes, we will generate .repo files in a separate cachi2 command (option 3).

What about createrepo then? Could it stay in fetch-deps as it was originally designed?

[ralphbean]

No, I think we're suggesting to move that out of fetch-deps too. I think the criticism is that createrepo is generating new content that's not the same as the repo metadata for the repo that the rpms were fetched from. It would be doing more than just fetching.

(We had an idea at one point that maybe we could just literally fetch the remote repo metadata and have cachi2 provide a local copy of it, but @Tojaj pointed out that that remote repo metadata might have full url references in it, which would be fragile.)

Unfortunately, that task of creating the repo metadata doesn't fit with an existing cachi2 command. Looks like it will need a new command to me, like Bruno suggested. Maybe cachi2 generate-repo rpm? Such a command should just no-op and exit cleanly for other package managers, right?

The function of the cachi2 generate-env ... is awfully similar to what we need for the .repo files: "generate something needed by a build to convince it to use the content that was just fetched."

[eskultety]

Seems like this one has been settled. Please take my comment here in consideration when moving forward with a subcommand: #465 (reply in thread)

[onosek]

I updated the design based on your comments. Summary of changes:

1. block schema - shows the functionality was divided into fetching rpms/sources (fetch-deps command) and other tasks like generating repos and repofile. Other tasks should be performed within the (generate-env or inject-files).
2. SBOMs are mentioned. Do we want more detailed specification in the design?
3. output structure change:
   output/<arch>/sources/*.src.rpm -> output/sources/<arch>/<repoid>/*.src.rpm
   Reasons:
   • separate all sources to their own structure so createrepo doesn't have to process them when together with rpms. And when traversing the sources structure it is not so large.
   • Splitting sources per arches and repoids. Despite we will probably deliver single source image (SRPMs might eventually be in one common directory) I prefer not to lose the information about the structure and it is more general for other eventual use-cases.

[brunoapimentel]

1. I see what you are trying to imply with the changes in the schema, but I'm wondering if putting "generate SBOM" alongside "generate repos & generate repofile" is the best way to represent it, since the "inject-files" command would be executed after the whole process of "fetch-deps" is finished, and would use the contents of the output dir as input to proceed with the generation.

3. Just be wary that the current output structure is as follow:

output/bom.json
output/deps/npm/<npm files or subfolders>
output/deps/gomod/<gomod files or subfolders>

And so on, depending on the package managers used by the request. I believe we'd better still keep the same base layout and add rpms on top of it:

output/deps/rpm/sources
output/deps/rpm/<arch>

[onosek]

Thanks for the comment.

1. I modified the schema. Commands are graphically highlighted and hopefully, the sequence of cachi2 commands is more obvious.
2. Output paths are updated with deps/rpm for compatibility with other package managers.

[cgwalters]

It doesn’t. Users are required to include all transitive dependencies in the rpms.lock.yaml file. Ideally, a tool would do this for them.

Come on, that's just not going to work in practice. You say "doesn't require changes to Containerfile"...yes, but in reality it will because users will need to add packages in two places, and would lead to a desire to deduplicate.

Our world really does not need another RPM lockfile format. We have a lot of tools already in this space (xref osbuild/osbuild#1134 ); there's one actively used in fedora-coreos and osbuild too.

Lockfile handling should be in dnf. Also, we should add a declarative format there (that isn't a lockfile necessarily).

[j-mracek]

Using spec file is nice idea, but it means some requirements will be not fulfill. Be honest I always prefer to use existing format rather to create a new one.

One of the requirement was to verify that a package that is going in is exactly the same. When a package is from Red Hat distribution we can trust NEVRA, because it represent always the same package even checksum differs (due to a different signature).

Architecture is also something that is not fixed in SPEC requires - package abc-0:1-1.x86_64 might be installed by Requires: abc = 0:1-1 but it also might install package abc-0:1-1.i686. And not all projects uses ISA macro to specify 32/64 architecture.

[cgwalters]

For any situation in which the input requirements provide multiple solutions...I think we should probably default to erroring out.

This happened a while ago, I was using BuildRequires: pkgconfig(openssl) in one of my packages. That worked fine until one day an openssl-deprecated package appeared that had the same provides, and suddenly it became unpredictable.

Today dnf will just pick something, but I think we need to require unambiguous inputs in a context like this.

I mean, in the end the "lockfile generator" tool is going to need to do the same depsolve! And if it's just using the dnf heuristics, that isn't really better...because it may just suddenly change when the container owner goes to update their container for other reasons.

(Also without nice "diffing" logic/tools, it'd be pretty easy to miss package changes in a giant pile of generated YAML)

So I guess my opinion here remains that in general, instead of trying to have each container include a giant set of pinned packages, we should do rpm-software-management/dnf5#833 (comment)

Which is basically - the base container image (identified by an immutable tag or digest) also pins an immutable set of rpms that will never change - including identifying them by specific sha256 digest - imagine basically we stick the repodata (which includes exact digests) as OCI artifacts.

Then by combining two things:

• Containers have a machine-readable requirements.spec (or rpm-requirements.txt, whatever)
• Containers can pin their base images

We get the combined desired effects here - and the only thing that needs to be included in each individual container is using e.g.:

FROM registry.access.redhat.com/ubi9/ubi:9.4.3

And as long as they have a requirements.spec, an external tool like cachi2 can know exactly what external inputs they require without having all the individual sha256s and exact NEVRAs included for individual RPMs in a not-human-readable YAML blob. (And it may be required to have the solver errors out if there are multiple solutions)

[chmeliik]

Which is basically - the base container image (identified by an immutable tag or digest) also pins an immutable set of rpms that will never change - including identifying them by specific sha256 digest - imagine basically we stick the repodata (which includes exact digests) as OCI artifacts.

I don't think I understand how this would work.

But the example you gave here makes more sense to me: rpm-software-management/dnf5#833 (comment)

base: quay.io/fedora/rpms:40.20240325@sha256:...
packages:
  - foo
  - bar
  - baz
repo-packages:
  image: quay.io/fedora/rpms:40.20240320@sha256:...
  packages:
    - kernel
    - iptables

This is not really that different from the rpms.in.yaml format used in https://github.com/konflux-ci/rpm-lockfile-prototype?tab=readme-ov-file#whats-the-input_file, except that the repos in contentOrigin are "immutable".

If all the input repos are immutable, then specifying the direct dependencies should indeed be enough for reproducibility (disregarding potential changes between versions of the tool that does the resolving).

If cachi2 could verify that all the sources are immutable, then a lockfile could perhaps be optional (but IMO it should still be a recommended option, as others have expressed in rpm-software-management/dnf5#833).

[cgwalters]

I don't think I understand how this would work.

I followed up in rpm-software-management/dnf5#833 (comment)
with how the linkage between the base image and packages could be done.

Doing that linkage is not strictly required - we can implement "versioned pinned repository lockfiles" without it. The ultimate point here is basically that instead of again having a giant list of RPMs and their sha256sums, we just pin to a set of immutable repos + versions.

But it just IMO works much more nicely together to do the pinning from the base image by default, instead of it being an opt-in.

[cgwalters]

OK so, we've been experimenting with using plain BuildRequires in spec files to describe inputs over in https://gitlab.com/fedora/bootc/base-images-experimental and we hit one limitation of it around wanting to exclude packages: https://gitlab.com/fedora/bootc/base-images-experimental/-/issues/9

I guess probably these two subthreads should be re combined and taken to an upstream place where we try to really "thin the herd" of the wild array of package lists (mainly YAML or TOML variants) that we have.

The "content resolver" stuff example would be pretty high on my list of things that needs to go away and be replaced with something standard. "comps" would be a close second.

[onosek]

Based on the comments #502 I made some changes in the design:

• repoids are not mandatory in the lockfile - instead, when repoid is not specified, a random repoid name is generated by cachi2 and this name is used as an output directory. size and checksum keys are not mandatory either.
• source key instead of sources is used in the lockfile format
• cachi2.repo files are stored in the repos.d subdir.
• source repoids are stored along with package repoids

The output now looks like:

<output>/deps/rpm/<arch>/<repoid>/*.rpm
<output>/deps/rpm/<arch>/repos.d/cachi2.repo
<output>/deps/rpm/<arch>/<repoid-source>/*.src.rpm

[eskultety]

size and checksum keys are not mandatory either.

@onosek can you point me to ^this requirement? I may have missed something in this discussion. More specifically, if these fields are not mandatory, how can we check their authenticity and confidently put entries about such packages to the SBOM?

[onosek]

AFAIK the authenticity of packages should be verified by GPG keys and when verified, missing checksum might not be a big issue.
Additionally, SBOM would contain this information about missing checksum:
https://github.com/containerbuildsystem/cachi2/blob/main/tests/integration/test_data/gomod_multiple_modules_missing_checksums/bom.json#L87-L101

But in case we don't have such GPG verification so far (or do we?) checksums should be present.
So far we don't have a tool for generating lockfiles. The lockfiles we have so far are generated manually which makes their creation even harder when the checksum is mandatory.
Thus ... I am not sure what is the way to go.

[eskultety]

AFAIK the authenticity of packages should be verified by GPG keys and when verified, missing checksum might not be a big issue.

AFAIK signing RPMs is not mandatory so rpm might not complain about such package, hence we want to check checksums as a first-level protection. Of course, when GPG keys are in place, rpm will take care of the rest. However, neither seems to be sufficient on its own.

That said, I guess the other package managers kind of set the precedent in the SBOM contents. The thing is, if we design this as optional, it is going to become harder in the future to make it mandatory by definition; conversely, one can always relax existing constraints without affecting the user base.

[eskultety]

AFAIK signing RPMs is not mandatory so rpm might not complain about such package

I stand corrected on this statement.

[achilleas-k]

I think checksums should be mandatory. I would feel a lot more confident about working with a lockfile if I could verify the content and not just the metadata/NEVRA.

One thing we've become aware of in image builder a few times is that the NEVRA->checksum mapping is, unfortunately, not always unique (unless my information is outdated, shim breaks this rule because of the signing process).

So far we don't have a tool for generating lockfiles. The lockfiles we have so far are generated manually which makes their creation even harder when the checksum is mandatory.

For RPMs/dnf, the checksum is provided in the package metadata directly so there's no need to compute it when resolving package NEVRA (and dependencies). It's of course not "trivial" to get when writing a lockfile by hand, but for a tool querying a repository, it's quite straightforward (see for example the dnf depsolver for osbuild / image builder https://github.com/osbuild/osbuild/blob/7c04e1c596acf38cf8f3a5983207626c599f4cdd/tools/osbuild-depsolve-dnf).