docker: use umoci library and podman image library

timbretimber · timbretimber · commit e3e9e7e249f3 · 2025-11-02T16:40:31.000-07:00
* fixes issues with extracting to wrong directory
* allows pulling from other oci registries (will still pull from docker if unspecified)
* allows to specify digest (can't specify both digest and tag at the same time)
diff --git a/sources/docker.go b/sources/docker.go
@@ -2,16 +2,23 @@ package sources
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 
-	"github.com/opencontainers/umoci"
 	"github.com/opencontainers/umoci/oci/cas/dir"
 	"github.com/opencontainers/umoci/oci/casext"
 	"github.com/opencontainers/umoci/oci/layer"
 
-	"github.com/lxc/distrobuilder/shared"
+	"go.podman.io/image/v5/copy"
+	"go.podman.io/image/v5/docker/reference"
+	"go.podman.io/image/v5/oci/layout"
+	"go.podman.io/image/v5/signature"
+	"go.podman.io/image/v5/transports/alltransports"
+	"go.podman.io/image/v5/types"
+
+	imgspec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 type docker struct {
@@ -33,33 +40,78 @@ func (s *docker) Run() error {
 
 	defer func() { _ = os.RemoveAll(ociPath) }()
 
-	// Download from Docker Hub.
-	imageTag := "latest"
-	err = shared.RunCommand(
-		context.TODO(),
-		nil,
-		nil,
-		"skopeo",
-		"--insecure-policy",
-		"copy",
-		"--remove-signatures",
-		fmt.Sprintf("%s/%s", "docker://docker.io", s.definition.Source.URL),
-		fmt.Sprintf("oci:%s:%s", ociPath, imageTag))
+	// Parse the image reference
+	imageRef, err := reference.ParseNormalizedNamed(s.definition.Source.URL)
+	if err != nil {
+		return fmt.Errorf("Failed to parse image reference: %w", err)
+	}
+
+	// Docker references with both a tag and digest are currently not supported
+	var imageTag string
+	if digested, ok := imageRef.(reference.Digested); ok {
+		imageTag = digested.Digest().String()
+	} else {
+		imageTag = "latest"
+		if tagged, ok := imageRef.(reference.NamedTagged); ok {
+			imageTag = tagged.Tag()
+		}
+	}
+
+	srcRef, err := alltransports.ParseImageName(fmt.Sprintf("docker://%s", s.definition.Source.URL))
+	if err != nil {
+		return fmt.Errorf("Failed to parse image name: %w", err)
+	}
+
+	dstRef, err := layout.ParseReference(fmt.Sprintf("%s:%s", ociPath, imageTag))
+	if err != nil {
+		return fmt.Errorf("Failed to parse destination reference: %w", err)
+	}
+
+	// Create policy context
+	systemCtx := &types.SystemContext{
+		DockerInsecureSkipTLSVerify: types.OptionalBoolFalse,
+	}
+	policy, err := signature.DefaultPolicy(systemCtx)
+	if err != nil {
+		return fmt.Errorf("Failed to create policy: %w", err)
+	}
+	policyCtx, err := signature.NewPolicyContext(policy)
+	if err != nil {
+		return fmt.Errorf("Failed to create policy context: %w", err)
+	}
+
+	defer policyCtx.Destroy()
+
+	copyOptions := &copy.Options{
+		RemoveSignatures: true,
+		SourceCtx:        systemCtx,
+		DestinationCtx:   systemCtx,
+	}
+
+	ctx := context.TODO()
+
+	// Pull image from OCI registry
+	copiedManifest, err := copy.Image(ctx, policyCtx, dstRef, srcRef, copyOptions)
 	if err != nil {
 		return err
 	}
 
-	// Unpack.
-	var unpackOptions layer.UnpackOptions
-	unpackOptions.KeepDirlinks = true
+	// Unpack OCI image
+	unpackOptions := &layer.UnpackOptions{KeepDirlinks: true}
 
 	engine, err := dir.Open(ociPath)
 	if err != nil {
 		return err
 	}
 
 	engineExt := casext.NewEngine(engine)
+
 	defer func() { _ = engine.Close() }()
 
-	return umoci.Unpack(engineExt, imageTag, absRootfsDir, unpackOptions)
+	var manifest imgspec.Manifest
+	if err := json.Unmarshal(copiedManifest, &manifest); err != nil {
+		return fmt.Errorf("Failed to parse manifest: %w", err)
+	}
+
+	return layer.UnpackRootfs(ctx, engineExt, absRootfsDir, manifest, unpackOptions)
 }
