From: Brian Ketelsen <bketelsen@gmail.com>
Date: Wed, 11 Feb 2026 02:01:04 +0000 (-0500)
Subject: oci: allow user defined labels and annotations
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5aa19e2bc02661e41a23232bb861e0ec0a17ca8;p=thirdparty%2Fmkosi.git

oci: allow user defined labels and annotations

Signed-off-by: Brian Ketelsen <bketelsen@gmail.com>
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index cd411dcc3..2f54bfacc 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3678,6 +3678,7 @@ def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
                 "/sbin/init",
                 *context.config.kernel_command_line,
             ],
+            **({"Labels": dict(context.config.oci_labels)} if context.config.oci_labels else {}),
         },
         "history": [
             {
@@ -3716,6 +3717,7 @@ def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
                 if context.config.image_version
                 else {}
             ),
+            **context.config.oci_annotations,
         },
     }
     oci_manifest_blob = json.dumps(oci_manifest)
@@ -3733,6 +3735,15 @@ def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
                             "mediaType": "application/vnd.oci.image.manifest.v1+json",
                             "digest": f"sha256:{oci_manifest_digest}",
                             "size": (ca_store / oci_manifest_digest).stat().st_size,
+                            **(
+                                {
+                                    "annotations": {
+                                        "org.opencontainers.image.ref.name": context.config.image_id,
+                                    },
+                                }
+                                if context.config.image_id
+                                else {}
+                            ),
                         }
                     ],
                 }
diff --git a/mkosi/config.py b/mkosi/config.py
index d4f3dd3af..fd9e9842e 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -2030,6 +2030,8 @@ class Config:
     output_mode: Optional[int]
     image_id: Optional[str]
     image_version: Optional[str]
+    oci_labels: dict[str, str]
+    oci_annotations: dict[str, str]
     split_artifacts: list[ArtifactOutput]
     repart_dirs: list[Path]
     sysupdate_dir: Optional[Path]
@@ -2900,6 +2902,20 @@ SETTINGS: list[ConfigSetting[Any]] = [
         help="Set ID for image",
         scope=SettingScope.inherit,
     ),
+    ConfigSetting(
+        dest="oci_labels",
+        metavar="KEY=VALUE",
+        section="Output",
+        parse=config_make_dict_parser(delimiter=" ", parse=parse_key_value, unescape=True),
+        help="Set OCI config labels (visible in podman/docker inspect)",
+    ),
+    ConfigSetting(
+        dest="oci_annotations",
+        metavar="KEY=VALUE",
+        section="Output",
+        parse=config_make_dict_parser(delimiter=" ", parse=parse_key_value, unescape=True),
+        help="Set OCI manifest annotations",
+    ),
     ConfigSetting(
         dest="split_artifacts",
         section="Output",
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index 63032391f..2081b5211 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -694,6 +694,27 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
     file will be named after it (possibly suffixed with the version). The
     identifier is also passed via the `$IMAGE_ID` to any build scripts
     invoked. The image ID is automatically added to `/usr/lib/os-release`.
+    When using `Format=oci`, the image ID is also set as the
+    `org.opencontainers.image.ref.name` annotation on the OCI index
+    descriptor.
+
+`OciLabels=`, `--oci-labels=`
+:   Set OCI config labels on images produced with `Format=oci`. Takes
+    a space-separated list of `KEY=VALUE` assignments. These labels are
+    stored in the OCI image config blob and are visible via
+    `podman inspect` or `docker inspect` (equivalent to `LABEL` in a
+    Containerfile). This option may be specified more than once, in
+    which case all listed labels will be set. If the same label is set
+    twice, the later setting overrides the earlier one.
+
+`OciAnnotations=`, `--oci-annotations=`
+:   Set OCI manifest annotations on images produced with `Format=oci`.
+    Takes a space-separated list of `KEY=VALUE` assignments. These
+    annotations are stored in the OCI image manifest. mkosi
+    automatically sets `io.systemd.mkosi.version` and, if `ImageVersion=`
+    is set, `org.opencontainers.image.version`. User-specified
+    annotations override these defaults. This option may be specified
+    more than once, in which case all listed annotations will be set.
 
 `SplitArtifacts=`, `--split-artifacts=`
 :   The artifact types to split out of the final image. A comma-delimited
diff --git a/tests/test_json.py b/tests/test_json.py
index 212102b46..d1f367c71 100644
--- a/tests/test_json.py
+++ b/tests/test_json.py
@@ -264,6 +264,8 @@ def test_config() -> None:
             "MinimumVersion": "123",
             "Mirror": null,
             "NSpawnSettings": null,
+            "OciAnnotations": {},
+            "OciLabels": {},
             "OpenPGPTool": "gpg",
             "Output": "outfile",
             "OutputDirectory": "/your/output/here",
@@ -519,6 +521,8 @@ def test_config() -> None:
         minimum_version="123",
         mirror=None,
         nspawn_settings=None,
+        oci_annotations={},
+        oci_labels={},
         openpgp_tool="gpg",
         output_dir=Path("/your/output/here"),
         output_extension="raw",