Add Podman quadlet .image file support

[ehelms]

Why are you introducing these changes? (Problem description, related links)

Container image references were embedded directly in each service role as variable defaults, making it difficult to override images for product builds, disconnected installs, or developer testing without modifying foremanctl-managed files.

Resolves: #277

What are the changes introduced in this pull request?

Image unit generation

• Introduce a shared images role with deploy_image.yaml that generates a .image quadlet unit file and .image.d/ drop-in directory for each container image
• Each service role gains an image.yaml task that calls the images role with its image name and tag, removing the per-role *_container_image variable defaults
• Container roles now reference Image=<name>.image instead of full registry URLs — systemd ensures the image unit is active before any dependent container starts

Drop-in override hierarchy

Three tiers of override are supported without touching foremanctl-managed files:

Layer	Path	Who writes it
Vendor/RPM	/usr/share/containers/systemd/<name>.image.d/10-product.conf	Product RPM
ISO/archive	/usr/share/containers/systemd/<name>.image.d/20-archive.conf	ISO extraction
User	/etc/containers/systemd/<name>.image.d/90-user.conf	Operator

The last .image.d drop-in wins. registries.conf is the right tool when a private registry mirrors upstream names exactly; .image.d drop-ins are required when image names or tags change (e.g. foreman:nightly → foreman-rhel9:stream).

Authenticated registry handling

Each image unit gets a systemd service drop-in at /etc/systemd/system/<name>-image.service.d/auth.conf that sets REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json. Users with authenticated registries run podman login <registry> --authfile=/etc/foreman/registry-auth.json before deploying; podman silently ignores the file if it does not exist.

pull-images

pull-images deploys image units (respecting any vendor drop-ins already in place), then creates a temporary Policy=always drop-in (00-pull-always.conf) for each image, performs a daemon_reload, restarts all *-image.service units in parallel, and removes the drop-ins in an always: block so cleanup happens even on failure. The pull honours any .image.d overrides already present.

Migration containers converted to quadlet oneshot services

foreman-db-migrate and pulpcore-manager-migrate are now declared as quadlet .container units with Type=oneshot rather than being run as ephemeral containers via podman_container with detach: false. Ansible starts them with state: started and waits via async/async_status. This keeps migration runs in the systemd journal and makes failure state visible via systemctl status.

Tests

• tests/images_test.py — core image files, .image.d/ drop-in directories, *-image service existence, auth drop-in presence and content, postgresql conditional on database_mode, foreman-proxy conditional on enabled_features
• tests/iop/images_test.py — same checks for all IOP image units, gated on the iop feature marker

How to test this pull request

1. Deploy with ./foremanctl deploy
2. Confirm .image files exist under /etc/containers/systemd/ for each service and that <name>-image.service units are present
3. Confirm /etc/systemd/system/<name>-image.service.d/auth.conf exists for each image
4. Run ./foremanctl pull-images and verify images are pulled; re-run and confirm it pulls again (Policy=always enforced, not just missing)
5. Place a drop-in override:

   # /etc/containers/systemd/foreman.image.d/90-user.conf
   [Image]
   Image=quay.io/foreman/foreman:pr-12345
   

   Run systemctl daemon-reload and confirm systemctl cat foreman-image.service reflects the override
6. Run ./forge test and confirm images_test.py and iop/images_test.py pass

Checklist

• Tests added/updated (if applicable)
• Documentation updated (if applicable)

[ekohl]

Do you intend to resolve #277 with this?

[ekohl]

Add a Podman quadlet .image unit system with three-tier precedence: admin overrides (/etc/foremanctl/images.d/) > vendor/RPM overrides (/usr/share/foremanctl/images.d/) > generated defaults from Ansible variables

I'm wondering if we can leverage the built in /usr/share/containers/systemd/ somehow. It's a major change, but I've been wondering if we should ship the container definitions in an RPM and deploy them to /usr/share/containers/systemd, letting foremanctl only add overrides in /etc/containers/systemd.

Also not sure if you can use /etc/containers/systemd/foreman.image.d/override.conf to replace parts of it. If so, perhaps an RPM can ship /usr/share/containers/systemd/foreman.image.d/disconnected.conf to provide disconnected installation instructions.

[ehelms]

I'm wondering if we can leverage the built in /usr/share/containers/systemd/ somehow. It's a major change, but I've been wondering if we should ship the container definitions in an RPM and deploy them to /usr/share/containers/systemd, letting foremanctl only add overrides in /etc/containers/systemd.

As we stated before, tieing ourselves to an RPM laying down some base container will slow us down as any time it requires a change we have to wait for the RPM to cycle and it would split the base from any overrides. I think we would end up just deploying everything via overrides. Just feel like friction right now.

I did think about this and here is an alternative using this concept:

Updated Proposal

Place .image files alongside .container files in /etc/containers/systemd/, using quadlet's native drop-in mechanism for overrides.

Layout:

/etc/containers/systemd/
foreman.image # base, templated by foremanctl
foreman.image.d/
50-disconnected.conf # optional: disconnected registry override
90-user.conf # optional: user override

Precedence (last wins):

1. foreman.image -- foremanctl default
2. 50-disconnected.conf -- disconnected layer
3. 90-user.conf -- user layer

Numbered prefixes enforce ordering with gaps for future layers.

What this eliminates:

• Custom /etc/foremanctl/images.d/ and /usr/share/foremanctl/images.d/ directories
• Manual stat/copy/conditional precedence logic in deploy_image.yaml
• The entire images role

What stays the same:

• Container roles reference Image=foreman.image (no change)
• foremanctl templates the base .image file (just changes the destination)
• daemon-reload after deployment (already happening)

[ekohl]

Updated Proposal

This is what I had in mind.

Custom /etc/foremanctl/images.d/ and /usr/share/foremanctl/images.d/ directories

This is IMHO the big benefit.

[evgeni]

I like the idea!

There is an alternative approach from @bochi in #503, which is much simpler in the diff size, but requires custom code vs using native systemd/podman override options. Mostly mentioning it here as I wonder if this PR would also solve their usecase.

[bochi]

i like this approach too and will change my PR to only have the feature addition but no changes to image locations. looking forward to this getting merged 🙂

[ianballou]

Being able to override the container images easily would be really beneficial for development. If we eventually have containers built from PRs much like packit does with RPMs today, you could just drop those in. Or, when we need to test new versions of Pulp, we could simply drop that new Pulp container in (theforeman/pulp-oci-images#13).

[ehelms]

I'm not yet sure what change in the design is not leading to the failure. I will need to follow up with deeper investigation.

[ehelms]

I have reworked this PR based on testing and learning between the use of registries.conf and .image quadlets. The PR description template has been updated based on the current design. Generally, this will use of the combination of the two depending on situation and where each is applicable.

[ekohl]

Link to https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md as the official docs?

[ekohl]

Documenting both use cases is excellent.

[ekohl]

Should this point to https://docs.podman.io/en/latest/markdown/podman-image.unit.5.html?

[ekohl]

ISO is a very specific distribution format.

Suggested change

	##### Disconnected install from ISO
	##### Disconnected install from local media

[ekohl]

Does the order matter or can you write it like this? Removing something from the end is easier than the middle.

Suggested change

	podman login <registry> --authfile=/etc/foreman/registry-auth.json
	podman login --authfile=/etc/foreman/registry-auth.json <registry>

[ekohl]

Temporary files feel a bit nasty because it it's interrupted then they may not be cleaned up. I don't think we need to solve it right now, but I wonder if we could somehow leverage podman auto-update to pull images.

Shall we track that in a follow up issue?

[ehelms]

No. I previously researched it and it only updates based on the policy and there is no way to "temporarily" set the policy. While I agree temporary files are not the best, there really isn't another way to do this.

Spit-balling, you could theoretically have two separate services but then you gotta manage the drop-in for both. Another idea possibly, would be to use podman pull by printing the service and parsing the conf file for the image name, or using podman quadlet print.

[ekohl]

I wonder if we should file a podman issue to see if there's tooling to support this.

[ekohl]

If you use the example below you don't need podman load because it's implicit. I also wonder what the difference between podman save and podman export is. Perhaps drop the last part?

Suggested change

	In air-gapped environments, container images must be brought in without network access. `registries.conf` cannot express non-registry sources, but Podman can read images from local archive files. Images can be transported via USB or other local media using `podman save` / `podman load`, then referenced via drop-ins:
	See [podman-export(1)](https://docs.podman.io/en/latest/markdown/podman-export.1.html) for producing archive files.
	In air-gapped environments, container images must be brought in without network access. `registries.conf` cannot express non-registry sources, but Podman can read images from local archive files. These images can be transported via USB or other local media, then referenced via drop-ins.
	See [podman-export(1)](https://docs.podman.io/en/latest/markdown/podman-export.1.html) for producing archive files.