RFE: Add --sandbox option to apptainer pull

[griznog]

When pulling containers for use in Warewulf provisioning, they need to be converted to a sandbox for import into Warewulf. Current this requires two steps, which fails for cross-arch containers, e.g.:

griznog@micropterus:~$ apptainer pull --arch arm64 --force rocky9-arm64.sif docker://ghcr.io/hpcng/warewulf-rockylinux:9
INFO:    Converting OCI blobs to SIF format
INFO:    Starting build...
Copying blob 5bc70d4b4562 done   | 
Copying blob 432ce7a05a53 done   | 
Copying blob b609feeb3af0 done   | 
Copying blob bd18ea1d57cd done   | 
Copying config 1fc401ab16 done   | 
Writing manifest to image destination
2024/05/09 10:10:22  info unpack layer: sha256:bd18ea1d57cd06000daec95a66d81ed6433c5cb8b9228b67a80081b4ed00a522
2024/05/09 10:10:24  info unpack layer: sha256:432ce7a05a53970b4da84fa055611669a2759e90a960b0e1767c835ac58afe75
2024/05/09 10:10:24  warn rootless{usr/bin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2024/05/09 10:10:24  warn rootless{usr/bin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
2024/05/09 10:10:27  warn rootless{usr/libexec/openssh/ssh-keysign} ignoring (usually) harmless EPERM on setxattr "user.rootlesscontainers"
2024/05/09 10:10:28  info unpack layer: sha256:b609feeb3af0105f0e777871b79a18ee13e43d320011b5f200a69ce25aa6c419
2024/05/09 10:10:28  info unpack layer: sha256:5bc70d4b4562336cf58660514061990e4a666ca7f05eb51d73d6e11b2ee49f70
INFO:    Creating SIF file...
griznog@micropterus:~$ sudo apptainer build --sandbox ~/rocky9-arm64.sandbox rocky9-arm64.sif
2024/05/09 10:15:16 bufio.Scanner: token too long
FATAL:   Unable to build from rocky9-arm64.sif: while parsing definition: rocky9-arm64.sif: bufio.Scanner: token too long

This RFE to to have apptainer pull have the --sandbox option to pull a container directly to a sandbox. This would allow importing any arch container to use as a warewulf node image.

This can be worked around with podman:

[root@wwctl3 ~]# podman pull --arch arm64 ghcr.io/warewulf/warewulf-rockylinux:9
Trying to pull ghcr.io/warewulf/warewulf-rockylinux:9...
Getting image source signatures
Copying blob 6d77938207cc done  
Copying blob eb33ece526ba done  
Copying blob e9b0b02cb87f done  
Copying blob bd18ea1d57cd done  
Copying config bf9f907193 done  
Writing manifest to image destination
Storing signatures
bf9f9071931812582188392c74da9340a896dcbf0e3c59f33d5fc36d965c3557

[root@wwctl3 ~]# podman save ghcr.io/warewulf/warewulf-rockylinux:9 >rocky-9-arm64.tar

[root@wwctl3 ~]# wwctl container import rocky-9-arm64.tar 
Setting VNFS name: rocky-9-arm64.tar
Copying blob 63f894d629d7 done   | 
Copying blob bc4a7c7e3150 done   | 
Copying blob 0fd714170cc9 done   | 
Copying blob 5dd64b5aa51f done   | 
Copying config ad8323b836 done   | 
Writing manifest to image destination
2024/05/09 12:10:11  info unpack layer: sha256:ed5d829ed6ce2f73da12ca8fc8a5f1a81ae0e2e029fa70cf1859a4fb24d27034
2024/05/09 12:10:20  info unpack layer: sha256:7cb532ab9a68dc42db8b2f6e0940060b3aff39f233f668314305e629d92664a0
2024/05/09 12:10:49  info unpack layer: sha256:e2eb74b8a17620dc54eb0b890497df786c15632ab0757c6b11ed5137d467c370
2024/05/09 12:10:49  info unpack layer: sha256:69d63334ca5d2b100e1baa630155facd63444abb65386e8604eb908eb5d86fda
uid/gid not synced: run `wwctl container syncuser --write rocky-9-arm64.tar`
[root@wwctl3 ~]# file /var/lib/warewulf/chroots/rocky-9-arm64.tar/rootfs/usr/bin/bash
/var/lib/warewulf/chroots/rocky-9-arm64.tar/rootfs/usr/bin/bash: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a103b17425f4bf16cb5c2e8a3cd386f905d2b8cb, for GNU/Linux 3.7.0, stripped

Given there is a workaround this isn't a high-priority request, it'd just be nice to be able to use apptainer for this.