Consume OCI images for machine image

allow podman machine to extract its disk image from an oci registry or
oci-dir locally.  for now, the image must be relatively inflexible. it
must have 1 layer.  the layer must possess one image. so a dockerfile
like:

FROM scratch
COPY ./myimage.xz /myimage.xz

when using an oci dir, the directory structure must adhere to the
typical directory structure of a an oci image (with one layer).

── blobs
│   └── sha256
│       ├── 53735773573b3853bb1cae16dd21061beb416239ceb78d4ef1f2a0609f7e843b
│       ├── 80577866ec13c041693e17de61444b4696137623803c3d87f92e4f28a1f4e87b
│       └── af57637ac1ab12f833e3cfa886027cc9834a755a437d0e1cf48b5d4778af7a4e
├── index.json
└── oci-layout

in order to identify this new input, you must use a transport/schema to
differentiate from current podman machine init --image-path behavior. we
will support `oci-dir://` and `docker://` as transports.

when using the docker transport, you can only use an empty transport for
input.  for example, `podman machine init --image-path docker://`.  A
fully quailified image name will be supported in the next iteration.

the transport absent anything means, i want to pull the default fcos
image stored in a registry.  podman will determine its current version
and then look for its correlating manifest.  in this default use case,
it would look for:

quay.io/libpod/podman-machine-images:<version>

that manifest would then point to specific images that contain the
correct arch and provider disk image. i.e.

quay.io/libpod/podman-machine-images:4.6-qcow2

this PR does not enable something like
docker://quay.io/mycorp/myimage:latest yet.

names, addresses, andf schema/transports are all subject to change. the
plan is to keep this all undocumented until things firm up.

[NO NEW TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>

pkg/machine/ocipull/pull.go

@@ -0,0 +1,110 @@
+package ocipull
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/oci/layout"
+	"github.com/containers/image/v5/pkg/shortnames"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	specV1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// PullOptions includes data to alter certain knobs when pulling a source
+// image.
+type PullOptions struct {
+	// Require HTTPS and verify certificates when accessing the registry.
+	TLSVerify bool
+	// [username[:password] to use when connecting to the registry.
+	Credentials string
+	// Quiet the progress bars when pushing.
+	Quiet bool
+}
+
+// Pull `imageInput` from a container registry to `sourcePath`.
+func Pull(ctx context.Context, imageInput string, sourcePath string, options PullOptions) error {
+	if _, err := os.Stat(sourcePath); err == nil {
+		return fmt.Errorf("%q already exists", sourcePath)
+	}
+
+	srcRef, err := stringToImageReference(imageInput)
+	if err != nil {
+		return err
+	}
+	destRef, err := layout.ParseReference(sourcePath)
+	if err != nil {
+		return err
+	}
+
+	sysCtx := &types.SystemContext{
+		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+	}
+	if options.Credentials != "" {
+		authConf, err := parse.AuthConfig(options.Credentials)
+		if err != nil {
+			return err
+		}
+		sysCtx.DockerAuthConfig = authConf
+	}
+
+	if err := validateSourceImageReference(ctx, srcRef, sysCtx); err != nil {
+		return err
+	}
+
+	policy, err := signature.DefaultPolicy(sysCtx)
+	if err != nil {
+		return fmt.Errorf("obtaining default signature policy: %w", err)
+	}
+	policyContext, err := signature.NewPolicyContext(policy)
+	if err != nil {
+		return fmt.Errorf("creating new signature policy context: %w", err)
+	}
+
+	copyOpts := copy.Options{
+		SourceCtx: sysCtx,
+	}
+	if !options.Quiet {
+		copyOpts.ReportWriter = os.Stderr
+	}
+	if _, err := copy.Image(ctx, policyContext, destRef, srcRef, &copyOpts); err != nil {
+		return fmt.Errorf("pulling source image: %w", err)
+	}
+
+	return nil
+}
+
+func stringToImageReference(imageInput string) (types.ImageReference, error) {
+	if shortnames.IsShortName(imageInput) {
+		return nil, fmt.Errorf("pulling source images by short name (%q) is not supported, please use a fully-qualified name", imageInput)
+	}
+
+	ref, err := alltransports.ParseImageName("docker://" + imageInput)
+	if err != nil {
+		return nil, fmt.Errorf("parsing image name: %w", err)
+	}
+
+	return ref, nil
+}
+
+func validateSourceImageReference(ctx context.Context, ref types.ImageReference, sysCtx *types.SystemContext) error {
+	src, err := ref.NewImageSource(ctx, sysCtx)
+	if err != nil {
+		return fmt.Errorf("creating image source from reference: %w", err)
+	}
+	defer src.Close()
+
+	ociManifest, _, _, err := readManifestFromImageSource(ctx, src)
+	if err != nil {
+		return err
+	}
+	if ociManifest.Config.MediaType != specV1.MediaTypeImageConfig {
+		return fmt.Errorf("invalid media type of image config %q (expected: %q)", ociManifest.Config.MediaType, specV1.MediaTypeImageConfig)
+	}
+
+	return nil
+}