location for container inspection scripts

[ktdreyer]

I have a couple of read-only tools for inspecting containers:

• koji-search-containers: This tool searches all OSBS container builds for a particular RPM build. The tool answers the question "which containers have this RPM"? It helps my product teams ensure that we're shipping the correct container image(s) alongside our RPMs.

• koji-diff-containers: This tool looks up two OSBS container build NVRs in Koji, queries the RPMs within both containers, and prints the differences between the RPM lists. It helps my product teams ensure that the updates that we ship to users only contain the exact changes we intend.

• koji-container-signatures: This tool inspects all the RPMs in a container build. It ensures that the RPM builds in the container are all signed by a particular GPG key (eg. Red Hat's gold-signing key). This helps us check that we are not shipping containers with unsigned or incorrectly-signed RPMs.

I can keep these tools in https://pagure.io/koji-tools, but they all share quite a few methods, so I would need to refactor them to use a central library. (For example, I have a method get_metadata() that downloads the OSBS metadata.json, another one that parses it, etc).

I'm wondering if it makes more sense to put these tools into the koji-containerbuild-cli plugin as additional sub-commands. What do you think?

[ktdreyer]

One other reason for merging these into koji-containerbuild is that eventually if kojiweb ever becomes pluggable, we could do things like "diff RPMs" in the kojiweb interface.

[athos-ribeiro]

Hi Ken,

That would be very nice to have! +1

Cc @twaugh @MartinBasti @rcerven

I am also wondering if we would be able to extend these in the future to find content based on cachito stored data.

[MartinBasti]

Hello, we discussed about this and the best solution seems to create a new repo within this namespace, called osbs-scripts or osbs-tools (name TBD)

koji command should stay minimal, this builds on top of current koji api so we should have it in different tool to not make mess in koji CLI itself.

There is also open question if we should:

• create a set of isolated scripts
• create one script with subcommands

[ktdreyer]

There is a discussion on koji-devel about moving some of the koji-tools scripts into koji CLI sub-commands. That is why I think it could be useful to do that here.

Here are the specific reasons I wanted to build this into koji-containerbuild (or some common library):

1. When I am walking new team members through the process of building containers, it is already really difficult to understand dist-git, rpkg, kerberos, etc. If we add an entirely separate set tool on top of that, it raises the barrier to entry, which makes OSBS harder for users to understand and contribute.

2. In Ceph, we have internal tooling that already uses the logic I've written for koji-container-signatures. Ideally this container-signature-checking would be a library that other higher-level Python tools could call, rather than a standalone script. Also, there are other internal tools (MetaXOR) that would benefit from sharing methods like parse_rpm_signatures() if they were in a real library.

[MartinBasti]

OK, if this is a way how koji devs wants to handle such toolings, we can reevaluate that decision.

[MartinBasti]

We agreed to go with the same approach as koji then. Are you willing to contribute patches to koji-c for this?

[ktdreyer]

Absolutely. We can close this ticket since it was just a discussion, and I'll send separate PRs for the tools I listed above.