Add support to analyze OCI image layers with Podman.

NotTheEvilOne · NotTheEvilOne · commit 20a7f6efa856 · 2026-03-03T08:45:41.000+01:00
Signed-off-by: Tobias Wolf &lt;wolf@b1-systems.de&gt;
On-behalf-of: SAP &lt;tobias.wolf@sap.com&gt;
diff --git a/src/gardenlinux/constants.py b/src/gardenlinux/constants.py
@@ -167,6 +167,10 @@
 GLVD_BASE_URL = "https://security.gardenlinux.org/v1"
 
 PODMAN_CONNECTION_MAX_IDLE_SECONDS = 3
+PODMAN_FS_CHANGE_ADDED = "added"
+PODMAN_FS_CHANGE_DELETED = "deleted"
+PODMAN_FS_CHANGE_MODIFIED = "modified"
+PODMAN_FS_CHANGE_UNSUPPORTED = "unsupported"
 
 # https://github.com/gardenlinux/gardenlinux/issues/3044
 # Empty string is the 'legacy' variant with traditional root fs and still needed/supported
diff --git a/src/gardenlinux/oci/__init__.py b/src/gardenlinux/oci/__init__.py
@@ -5,6 +5,7 @@
 """
 
 from .container import Container
+from .image import Image
 from .image_manifest import ImageManifest
 from .index import Index
 from .layer import Layer
@@ -15,6 +16,7 @@
 __all__ = [
     "Container",
     "ImageManifest",
+    "Image",
     "Index",
     "Layer",
     "Manifest",
diff --git a/src/gardenlinux/oci/image.py b/src/gardenlinux/oci/image.py
@@ -0,0 +1,204 @@
+# -*- coding: utf-8 -*-
+
+"""
+OCI podman
+"""
+
+import logging
+from os import PathLike
+from pathlib import Path
+from tarfile import open as tarfile_open
+from urllib.parse import urlencode
+from tempfile import TemporaryDirectory
+from typing import Any, Dict, List, Optional
+
+from podman.domain.images import Image as _Image
+
+from ..constants import (
+    PODMAN_FS_CHANGE_ADDED,
+    PODMAN_FS_CHANGE_DELETED,
+    PODMAN_FS_CHANGE_MODIFIED,
+    PODMAN_FS_CHANGE_UNSUPPORTED,
+)
+from .podman_context import PodmanContext
+from .podman_object_context import PodmanObjectContext
+
+PODMAN_CHANGES_KINDS = {
+    0: PODMAN_FS_CHANGE_MODIFIED,
+    1: PODMAN_FS_CHANGE_ADDED,
+    2: PODMAN_FS_CHANGE_DELETED,
+}
+
+
+class Image(PodmanObjectContext):
+    """
+    Podman image class with extended API features support.
+
+    :author:     Garden Linux Maintainers
+    :copyright:  Copyright 2024 SAP SE
+    :package:    gardenlinux
+    :subpackage: oci
+    :since:      1.0.0
+    :license:    https://www.apache.org/licenses/LICENSE-2.0
+                 Apache License, Version 2.0
+    """
+
+    def __init__(self, image: _Image, logger: Optional[logging.Logger] = None):
+        """
+        Constructor __init__(Image)
+
+        :since: 1.0.0
+        """
+
+        PodmanObjectContext.__init__(self, logger)
+        self._image_id = image.id
+
+    @property
+    def id(self) -> str:
+        """
+        podman-py.readthedocs.io: Returns the identifier for the object.
+
+        :return: (str) Identifier for the object
+        :since:  1.0.0
+        """
+
+        return self._image_id  # type: ignore[no-any-return]
+
+    @property
+    @PodmanContext.wrap
+    def labels(self, podman: PodmanContext) -> Dict[str, str]:
+        """
+        podman-py.readthedocs.io: Returns the identifier for the object.
+
+        :return: (str) Identifier for the object
+        :since:  1.0.0
+        """
+
+        return self._get(podman=podman).labels  # type: ignore[no-any-return]
+
+    @property
+    @PodmanContext.wrap
+    def layer_image_ids(self, podman: PodmanContext) -> List[str]:
+        """
+        Returns the podman image IDs of all parent layers.
+
+        :param podman: Podman context
+
+        :return: (list) Podman layer image IDs
+        :since:  1.0.0
+        """
+
+        return [
+            image_data["Id"]
+            for image_data in self.history(podman=podman)
+            if len(image_data["Id"]) == 64
+        ]
+
+    def __getattr__(
+        self,
+        name: str,
+    ) -> Any:
+        """
+        python.org: Called when an attribute lookup has not found the attribute in
+        the usual places (i.e. it is not an instance attribute nor is it found in the
+        class tree for self).
+
+        :param name: Attribute name
+
+        :return: (mixed) Attribute
+        :since:  1.0.0
+        """
+
+        @PodmanObjectContext.wrap
+        def wrapped_context(podman: PodmanContext, *args: Any, **kwargs: Any) -> Any:
+            """
+            Wrapping function to use the podman context.
+            """
+
+            py_attr = getattr(self._get(podman=podman), name)
+            return py_attr(*args, **kwargs)
+
+        return wrapped_context
+
+    def _get(self, podman: PodmanContext) -> _Image:
+        """
+        Returns the underlying podman image object.
+
+        :param podman: Podman context
+
+        :return: (podman.domains.images.Image) Podman image object
+        :since:  1.0.0
+        """
+
+        return podman.images.get(self._image_id)
+
+    @PodmanContext.wrap
+    def get_filesystem_changes(
+        self, podman: PodmanContext, parent_layer_image_id: Optional[str] = None
+    ) -> Dict[str, List[str]]:
+        """
+        Returns the underlying podman image object.
+
+        :param podman: Podman context
+
+        :return: (_Image) Podman image object
+        :since:  1.0.0
+        """
+
+        changes: Dict[str, List[str]] = {
+            PODMAN_FS_CHANGE_ADDED: [],
+            PODMAN_FS_CHANGE_DELETED: [],
+            PODMAN_FS_CHANGE_MODIFIED: [],
+            PODMAN_FS_CHANGE_UNSUPPORTED: [],
+        }
+
+        query = ""
+
+        if parent_layer_image_id is not None:
+            query = urlencode({"parent": parent_layer_image_id})
+
+        resp = self._raw_request(
+            "get", f"/images/{self._image_id}/changes?{query}", podman=podman
+        )
+
+        resp.raise_for_status()
+
+        for entry in resp.json():
+            changes[
+                PODMAN_CHANGES_KINDS.get(entry["Kind"], PODMAN_FS_CHANGE_UNSUPPORTED)
+            ].append(entry["Path"])
+
+        return changes
+
+    @staticmethod
+    @PodmanContext.wrap
+    def import_plain_tar(
+        tar_file_name: PathLike[str], podman: PodmanContext
+    ) -> str:
+        """
+        Import a plain filesystem tar archive into an OCI image.
+
+        :param tar_file_name: Plain filesystem tar archive
+        :param podman: Podman context
+
+        :return: (str) Podman image ID
+        :since:  1.0.0
+        """
+
+        image_id = None
+
+        with TemporaryDirectory() as tmpdir:
+            container_file_name = Path(tmpdir, "ContainerFile")
+            tarfile_open(tar_file_name, dereference=True).extractall(
+                path=Path(tmpdir, "archive_content"),
+                filter="fully_trusted",
+                numeric_owner=True,
+            )
+
+            with container_file_name.open("w") as container_file:
+                container_file.write("FROM scratch\nCOPY archive_content/ /")
+
+            image, _ = podman.images.build(path=tmpdir, dockerfile=container_file_name)
+            image_id = image.id
+
+        return image_id  # type: ignore[no-any-return]
diff --git a/src/gardenlinux/oci/podman.py b/src/gardenlinux/oci/podman.py
@@ -11,7 +11,9 @@
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 
+
 from ..logger import LoggerSetup
+from .image import Image
 from .podman_context import PodmanContext
 
 
@@ -116,12 +118,12 @@ def build_and_save_oci_archive(
         return {oci_archive_file_name.name: image_id}
 
     @PodmanContext.wrap
-    def get_image_id(
+    def get_image(
         self,
         container: str,
         podman: PodmanContext,
         oci_tag: Optional[str] = None,
-    ) -> str:
+    ) -> Image:
         """
         Returns the Podman image ID for a given OCI container tag.
 
@@ -136,7 +138,22 @@ def get_image_id(
             else:
                 container_tag += f":{oci_tag}"
 
-        image = podman.images.get(container_tag)
+        return Image(podman.images.get(container_tag))
+
+    @PodmanContext.wrap
+    def get_image_id(
+        self,
+        container: str,
+        podman: PodmanContext,
+        oci_tag: Optional[str] = None,
+    ) -> str:
+        """
+        Returns the Podman image ID for a given OCI container tag.
+
+        :since: 1.0.0
+        """
+
+        image = self.get_image(container, oci_tag=oci_tag, podman=podman)
         return image.id  # type: ignore[no-any-return]
 
     @PodmanContext.wrap
@@ -202,7 +219,7 @@ def pull(
             kwargs["tag"] = oci_tag
 
         image = podman.images.pull(container, **kwargs)
-        return image.id
+        return image.id  # type: ignore[no-any-return]
 
     @PodmanContext.wrap
     def push(
diff --git a/src/gardenlinux/oci/podman_object_context.py b/src/gardenlinux/oci/podman_object_context.py
@@ -0,0 +1,88 @@
+# -*- coding: utf-8 -*-
+
+"""
+OCI podman context
+"""
+
+import logging
+from functools import wraps
+from typing import Any, Optional
+
+from requests import Response
+
+from ..logger import LoggerSetup
+from .podman_context import PodmanContext
+
+
+class PodmanObjectContext(object):
+    """
+    Podman object context handles access to the podman context for API calls.
+
+    :author:     Garden Linux Maintainers
+    :copyright:  Copyright 2024 SAP SE
+    :package:    gardenlinux
+    :subpackage: oci
+    :since:      1.0.0
+    :license:    https://www.apache.org/licenses/LICENSE-2.0
+                 Apache License, Version 2.0
+    """
+
+    def __init__(self, logger: Optional[logging.Logger] = None):
+        """
+        Constructor __init__(PodmanObjectContext)
+
+        :since: 1.0.0
+        """
+
+        if logger is None or not logger.hasHandlers():
+            logger = LoggerSetup.get_logger("gardenlinux.oci")
+
+        self._logger = logger
+
+    @PodmanContext.wrap
+    def _raw_request(
+        self,
+        method: str,
+        path_and_parameters: str,
+        podman: PodmanContext,
+        **kwargs: Any,
+    ) -> Response:
+        """
+        Returns the podman API response for the request given.
+
+        :param method: Podman API method
+        :param path_and_parameters: Podman API path and query parameters
+        :param podman: Podman context
+
+        :return: (Response) Podman API response
+        :since:  1.0.0
+        """
+
+        method_callable = getattr(podman.api, method)
+        return method_callable(path_and_parameters, **kwargs)  # type: ignore[no-any-return]
+
+    @staticmethod
+    def wrap(f: Any) -> Any:
+        """
+        Wraps the given function to provide access to a podman client.
+
+        :since: 1.0.0
+        """
+
+        @wraps(f)
+        @PodmanContext.wrap
+        def decorator(*args: Any, **kwargs: Any) -> Any:
+            """
+            Decorator for wrapping a function or method with a call context.
+            """
+
+            podman = kwargs.get("podman")
+
+            if podman is None:
+                raise RuntimeError("Podman context not ready")
+
+            del kwargs["podman"]
+
+            return f(podman=podman, *args, **kwargs)
+
+        return decorator
