diff options
| author | Valentin Rothberg <rothberg@redhat.com> | 2021-06-21 10:51:51 +0200 |
|---|---|---|
| committer | Valentin Rothberg <rothberg@redhat.com> | 2021-06-23 15:42:13 +0200 |
| commit | 5fc622f945de46db85c8cc0284f935bac1929e3a (patch) | |
| tree | 9fe97bbaaafbe3f3804a422a4a53edaefde636b3 /vendor | |
| parent | d3afc6b3b6d6ba1d900b74d24affb132f38622d3 (diff) | |
| download | podman-5fc622f945de46db85c8cc0284f935bac1929e3a.tar.gz podman-5fc622f945de46db85c8cc0284f935bac1929e3a.tar.bz2 podman-5fc622f945de46db85c8cc0284f935bac1929e3a.zip | |
create: support images with invalid platform
Much to my regret, there is a number of images in the wild with invalid
platforms breaking the platform checks in libimage that want to make
sure that a local image is matching the expected platform.
Imagine a `podman run --arch=arm64 fedora` with a local amd64 fedora
image. We really shouldn't use the local one in this case and pull down
the arm64 one.
The strict platform checks in libimage in combination with invalid
platforms in images surfaced in Podman being able to pull an image but
failing to look it up in subsequent presence checks. A `podman run`
would hence pull such an image but fail to create the container.
Support images with invalid platforms by vendoring the latest HEAD from
containers/common. Also remove the partially implemented pull-policy
logic from Podman and let libimage handle that entirely. However,
whenever --arch, --os or --platform are specified, the pull policy will
be forced to "newer". This way, we pessimistically assume that the
local image has an invalid platform and we reach out to the registry.
If there's a newer image (i.e., one with a different digest), we'll pull
it down.
Please note that most of the logic has either already been implemented
in libimage or been moved down which allows for removing some clutter
from Podman.
[NO TESTS NEEDED] since c/common has new tests. Podman can rely on the
existing tests.
Fixes: #10648
Fixes: #10682
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'vendor')
8 files changed, 120 insertions, 100 deletions
diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go index 3bcdbabec..f1272f507 100644 --- a/vendor/github.com/containers/common/libimage/image.go +++ b/vendor/github.com/containers/common/libimage/image.go @@ -61,6 +61,24 @@ func (i *Image) reload() error { return nil } +// isCorrupted returns an error if the image may be corrupted. +func (i *Image) isCorrupted(name string) error { + // If it's a manifest list, we're good for now. + if _, err := i.getManifestList(); err == nil { + return nil + } + + ref, err := i.StorageReference() + if err != nil { + return err + } + + if _, err := ref.NewImage(context.Background(), nil); err != nil { + return errors.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + } + return nil +} + // Names returns associated names with the image which may be a mix of tags and // digests. func (i *Image) Names() []string { diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go index 0271f0051..0a5e49fd2 100644 --- a/vendor/github.com/containers/common/libimage/pull.go +++ b/vendor/github.com/containers/common/libimage/pull.go @@ -105,6 +105,20 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP r.writeEvent(&Event{ID: "", Name: name, Time: time.Now(), Type: EventTypeImagePull}) } + // Some callers may set the platform via the system context at creation + // time of the runtime. We need this information to decide whether we + // need to enforce pulling from a registry (see + // containers/podman/issues/10682). + if options.Architecture == "" { + options.Architecture = r.systemContext.ArchitectureChoice + } + if options.OS == "" { + options.OS = r.systemContext.OSChoice + } + if options.Variant == "" { + options.Variant = r.systemContext.VariantChoice + } + var ( pulledImages []string pullError error @@ -333,7 +347,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference // from a registry. On successful pull it returns the used fully-qualified // name that can later be used to look up the image in the local containers // storage. -func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { +func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo // Sanity check. if err := pullPolicy.Validate(); err != nil { return nil, err @@ -349,11 +363,41 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str // resolved name for pulling. Assume we're doing a `pull foo`. // If there's already a local image "localhost/foo", then we should // attempt pulling that instead of doing the full short-name dance. - localImage, resolvedImageName, err = r.LookupImage(imageName, nil) + lookupOptions := &LookupImageOptions{ + // NOTE: we must ignore the platform of a local image when + // doing lookups. Some images set an incorrect or even invalid + // platform (see containers/podman/issues/10682). Doing the + // lookup while ignoring the platform checks prevents + // redundantly downloading the same image. + IgnorePlatform: true, + } + localImage, resolvedImageName, err = r.LookupImage(imageName, lookupOptions) if err != nil && errors.Cause(err) != storage.ErrImageUnknown { logrus.Errorf("Looking up %s in local storage: %v", imageName, err) } + // If the local image is corrupted, we need to repull it. + if localImage != nil { + if err := localImage.isCorrupted(imageName); err != nil { + logrus.Error(err) + localImage = nil + } + } + + // Unless the pull policy is "always", we must pessimistically assume + // that the local image has an invalid architecture (see + // containers/podman/issues/10682). Hence, whenever the user requests + // a custom platform, set the pull policy to "always" to make sure + // we're pulling down the image. + // + // NOTE that this is will even override --pull={false,never}. This is + // very likely a bug but a consistent one in Podman/Buildah and should + // be addressed at a later point. + if pullPolicy != config.PullPolicyAlways && len(options.Architecture)+len(options.OS)+len(options.Variant) > 0 { + logrus.Debugf("Enforcing pull policy to %q to support custom platform (arch: %q, os: %q, variant: %q)", "always", options.Architecture, options.OS, options.Variant) + pullPolicy = config.PullPolicyAlways + } + if pullPolicy == config.PullPolicyNever { if localImage != nil { logrus.Debugf("Pull policy %q but no local image has been found for %s", pullPolicy, imageName) diff --git a/vendor/github.com/containers/common/libimage/runtime.go b/vendor/github.com/containers/common/libimage/runtime.go index efa182544..3cbd3dcf4 100644 --- a/vendor/github.com/containers/common/libimage/runtime.go +++ b/vendor/github.com/containers/common/libimage/runtime.go @@ -144,9 +144,8 @@ func (r *Runtime) Exists(name string) (bool, error) { if image == nil { return false, nil } - // Inspect the image to make sure if it's corrupted or not. - if _, err := image.Inspect(context.Background(), false); err != nil { - logrus.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + if err := image.isCorrupted(name); err != nil { + logrus.Error(err) return false, nil } return true, nil @@ -159,6 +158,13 @@ type LookupImageOptions struct { // the platform does not matter, for instance, for image removal. IgnorePlatform bool + // Lookup an image matching the specified architecture. + Architecture string + // Lookup an image matching the specified OS. + OS string + // Lookup an image matching the specified variant. + Variant string + // If set, do not look for items/instances in the manifest list that // match the current platform but return the manifest list as is. lookupManifest bool @@ -210,6 +216,25 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image, name = strings.TrimPrefix(name, "sha256:") } + // Set the platform for matching local images. + if !options.IgnorePlatform { + if options.Architecture == "" { + options.Architecture = r.systemContext.ArchitectureChoice + } + if options.Architecture == "" { + options.Architecture = runtime.GOARCH + } + if options.OS == "" { + options.OS = r.systemContext.OSChoice + } + if options.OS == "" { + options.OS = runtime.GOOS + } + if options.Variant == "" { + options.Variant = r.systemContext.VariantChoice + } + } + // First, check if we have an exact match in the storage. Maybe an ID // or a fully-qualified image name. img, err := r.lookupImageInLocalStorage(name, name, options) @@ -295,7 +320,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo if err != nil { return nil, err } - instance, err := manifestList.LookupInstance(context.Background(), "", "", "") + instance, err := manifestList.LookupInstance(context.Background(), options.Architecture, options.OS, options.Variant) if err != nil { // NOTE: If we are not looking for a specific platform // and already found the manifest list, then return it @@ -316,7 +341,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo return image, nil } - matches, err := imageReferenceMatchesContext(context.Background(), ref, &r.systemContext) + matches, err := r.imageReferenceMatchesContext(ref, options) if err != nil { return nil, err } @@ -428,12 +453,13 @@ func (r *Runtime) ResolveName(name string) (string, error) { } // imageReferenceMatchesContext return true if the specified reference matches -// the platform (os, arch, variant) as specified by the system context. -func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, sys *types.SystemContext) (bool, error) { - if sys == nil { +// the platform (os, arch, variant) as specified by the lookup options. +func (r *Runtime) imageReferenceMatchesContext(ref types.ImageReference, options *LookupImageOptions) (bool, error) { + if options.IgnorePlatform { return true, nil } - img, err := ref.NewImage(ctx, sys) + ctx := context.Background() + img, err := ref.NewImage(ctx, &r.systemContext) if err != nil { return false, err } @@ -442,16 +468,8 @@ func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, if err != nil { return false, err } - osChoice := sys.OSChoice - if osChoice == "" { - osChoice = runtime.GOOS - } - arch := sys.ArchitectureChoice - if arch == "" { - arch = runtime.GOARCH - } - if osChoice == data.Os && arch == data.Architecture { - if sys.VariantChoice == "" || sys.VariantChoice == data.Variant { + if options.OS == data.Os && options.Architecture == data.Architecture { + if options.Variant == "" || options.Variant == data.Variant { return true, nil } } diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index 0d23d6ac6..af6efbbf2 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -1053,7 +1053,7 @@ func (c *Config) Write() error { if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { return err } - configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600) + configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) if err != nil { return err } diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go index edb1294d6..725e0bfc7 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go +++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go @@ -51,14 +51,9 @@ func DefaultProfile() *Seccomp { { Names: []string{ "bdflush", - "clone3", "io_pgetevents", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "kexec_file_load", "kexec_load", - "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -71,10 +66,6 @@ func DefaultProfile() *Seccomp { "pciconfig_iobase", "pciconfig_read", "pciconfig_write", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -118,6 +109,7 @@ func DefaultProfile() *Seccomp { "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -191,6 +183,7 @@ func DefaultProfile() *Seccomp { "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -241,6 +234,7 @@ func DefaultProfile() *Seccomp { "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -286,6 +280,9 @@ func DefaultProfile() *Seccomp { "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -318,6 +315,7 @@ func DefaultProfile() *Seccomp { "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -354,6 +352,7 @@ func DefaultProfile() *Seccomp { "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -665,31 +664,6 @@ func DefaultProfile() *Seccomp { }, { Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", - }, - Action: ActAllow, - Args: []*Arg{}, - Includes: Filter{ - Caps: []string{"CAP_SYS_NICE"}, - }, - }, - { - Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", - }, - Action: ActErrno, - ErrnoRet: &eperm, - Args: []*Arg{}, - Excludes: Filter{ - Caps: []string{"CAP_SYS_NICE"}, - }, - }, - { - Names: []string{ "acct", }, Action: ActAllow, diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json index 885240e50..eeb41d5d8 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -54,14 +54,9 @@ { "names": [ "bdflush", - "clone3", "io_pgetevents", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "kexec_file_load", "kexec_load", - "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -74,10 +69,6 @@ "pciconfig_iobase", "pciconfig_read", "pciconfig_write", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -124,6 +115,7 @@ "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -197,6 +189,7 @@ "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -247,6 +240,7 @@ "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -292,6 +286,9 @@ "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -324,6 +321,7 @@ "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -360,6 +358,7 @@ "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -761,39 +760,6 @@ }, { "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_NICE" - ] - }, - "excludes": {} - }, - { - "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_NICE" - ] - }, - "errnoRet": 1 - }, - { - "names": [ "acct" ], "action": "SCMP_ACT_ALLOW", diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 6c899987a..8907e21ab 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.40.1-dev" +const Version = "0.40.2-dev" diff --git a/vendor/modules.txt b/vendor/modules.txt index 282b6ba66..c4cfc0d83 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/overlay github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/util -# github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d +# github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec github.com/containers/common/libimage github.com/containers/common/libimage/manifests github.com/containers/common/pkg/apparmor |