diff options
Diffstat (limited to 'libpod')
56 files changed, 233 insertions, 5306 deletions
diff --git a/libpod/container_commit.go b/libpod/container_commit.go index 22da0c566..c1dd42942 100644 --- a/libpod/container_commit.go +++ b/libpod/container_commit.go @@ -6,12 +6,11 @@ import ( "strings" "github.com/containers/buildah" - "github.com/containers/buildah/util" + "github.com/containers/common/libimage" is "github.com/containers/image/v5/storage" "github.com/containers/image/v5/types" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/libpod/image" libpodutil "github.com/containers/podman/v3/pkg/util" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -32,11 +31,7 @@ type ContainerCommitOptions struct { // Commit commits the changes between a container and its image, creating a new // image -func (c *Container) Commit(ctx context.Context, destImage string, options ContainerCommitOptions) (*image.Image, error) { - var ( - imageRef types.ImageReference - ) - +func (c *Container) Commit(ctx context.Context, destImage string, options ContainerCommitOptions) (*libimage.Image, error) { if c.config.Rootfs != "" { return nil, errors.Errorf("cannot commit a container that uses an exploded rootfs") } @@ -61,7 +56,6 @@ func (c *Container) Commit(ctx context.Context, destImage string, options Contai }() } - sc := image.GetSystemContext(options.SignaturePolicyPath, "", false) builderOptions := buildah.ImportOptions{ Container: c.ID(), SignaturePolicyPath: options.SignaturePolicyPath, @@ -69,7 +63,7 @@ func (c *Container) Commit(ctx context.Context, destImage string, options Contai commitOptions := buildah.CommitOptions{ SignaturePolicyPath: options.SignaturePolicyPath, ReportWriter: options.ReportWriter, - SystemContext: sc, + SystemContext: c.runtime.imageContext, PreferredManifestType: options.PreferredManifestType, } importBuilder, err := buildah.ImportBuilder(ctx, c.runtime.store, builderOptions) @@ -191,20 +185,28 @@ func (c *Container) Commit(ctx context.Context, destImage string, options Contai importBuilder.SetOnBuild(onbuild) } - candidates, _, _, err := util.ResolveName(destImage, "", sc, c.runtime.store) - if err != nil { - return nil, errors.Wrapf(err, "error resolving name %q", destImage) - } - if len(candidates) > 0 { - imageRef, err = is.Transport.ParseStoreReference(c.runtime.store, candidates[0]) + var commitRef types.ImageReference + if destImage != "" { + // Now resolve the name. + resolvedImageName, err := c.runtime.LibimageRuntime().ResolveName(destImage) + if err != nil { + return nil, err + } + + imageRef, err := is.Transport.ParseStoreReference(c.runtime.store, resolvedImageName) if err != nil { return nil, errors.Wrapf(err, "error parsing target image name %q", destImage) } + commitRef = imageRef } - id, _, _, err := importBuilder.Commit(ctx, imageRef, commitOptions) + id, _, _, err := importBuilder.Commit(ctx, commitRef, commitOptions) if err != nil { return nil, err } defer c.newContainerEvent(events.Commit) - return c.runtime.imageRuntime.NewFromLocal(id) + img, _, err := c.runtime.libimageRuntime.LookupImage(id, nil) + if err != nil { + return nil, err + } + return img, nil } diff --git a/libpod/container_config.go b/libpod/container_config.go index ac17a2c4f..904c03f9b 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -151,6 +151,9 @@ type ContainerRootFSConfig struct { Secrets []*secrets.Secret `json:"secrets,omitempty"` // SecretPath is the secrets location in storage SecretsPath string `json:"secretsPath"` + // Volatile specifies whether the container storage can be optimized + // at the cost of not syncing all the dirty files in memory. + Volatile bool `json:"volatile,omitempty"` } // ContainerSecurityConfig is an embedded sub-config providing security configuration @@ -298,6 +301,8 @@ type ContainerMiscConfig struct { StopSignal uint `json:"stopSignal,omitempty"` // StopTimeout is the signal that will be used to stop the container StopTimeout uint `json:"stopTimeout,omitempty"` + // Timeout is maximum time a container will run before getting the kill signal + Timeout uint `json:"timeout,omitempty"` // Time container was created CreatedTime time.Time `json:"createdTime"` // CgroupManager is the cgroup manager used to create this container. diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 61cc43314..5b2103c92 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -304,6 +304,8 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp ctrConfig.WorkingDir = spec.Process.Cwd } + ctrConfig.StopTimeout = c.config.StopTimeout + ctrConfig.Timeout = c.config.Timeout ctrConfig.OpenStdin = c.config.Stdin ctrConfig.Image = c.config.RootfsImageName ctrConfig.SystemdMode = c.config.Systemd diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 80c00a622..051fe4b9e 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -451,6 +451,8 @@ func (c *Container) setupStorage(ctx context.Context) error { options.MountOpts = newOptions } + options.Volatile = c.config.Volatile + c.setupStorageMapping(&options.IDMappingOptions, &c.config.IDMappings) containerInfo, err := c.runtime.storageService.CreateContainerStorage(ctx, c.runtime.imageContext, c.config.RootfsImageName, c.config.RootfsImageID, c.config.Name, c.config.ID, options) @@ -1842,7 +1844,7 @@ func (c *Container) cleanup(ctx context.Context) error { // Unmount image volumes for _, v := range c.config.ImageVolumes { - img, err := c.runtime.ImageRuntime().NewFromLocal(v.Source) + img, _, err := c.runtime.LibimageRuntime().LookupImage(v.Source, nil) if err != nil { if lastError == nil { lastError = err diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c6839ffd0..7d57e8965 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -378,14 +378,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { case "z": fallthrough case "Z": - if c.MountLabel() != "" { - if c.ProcessLabel() != "" { - if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { - return nil, err - } - } else { - logrus.Infof("Not relabeling volume %q in container %s as SELinux is disabled", m.Source, c.ID()) - } + if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { + return nil, err } default: @@ -466,11 +460,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // Add image volumes as overlay mounts for _, volume := range c.config.ImageVolumes { // Mount the specified image. - img, err := c.runtime.ImageRuntime().NewFromLocal(volume.Source) + img, _, err := c.runtime.LibimageRuntime().LookupImage(volume.Source, nil) if err != nil { return nil, errors.Wrapf(err, "error creating image volume %q:%q", volume.Source, volume.Dest) } - mountPoint, err := img.Mount(nil, "") + mountPoint, err := img.Mount(ctx, nil, "") if err != nil { return nil, errors.Wrapf(err, "error mounting image volume %q:%q", volume.Source, volume.Dest) } @@ -2230,6 +2224,17 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) { return passwdPath, groupPath, nil } +func isRootlessCgroupSet(cgroup string) bool { + // old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent + // by default. Avoid breaking these versions and check whether the cgroup parent is + // set to the default and in this case enable the old behavior. It should not be a real + // problem because the default CgroupParent is usually owned by root so rootless users + // cannot access it. + // This check might be lifted in a future version of Podman. + // Check both that the cgroup or its parent is set to the default value (used by pods). + return cgroup != CgroupfsDefaultCgroupParent && filepath.Dir(cgroup) != CgroupfsDefaultCgroupParent +} + // Get cgroup path in a format suitable for the OCI spec func (c *Container) getOCICgroupPath() (string, error) { unified, err := cgroups.IsCgroup2UnifiedMode() @@ -2238,8 +2243,13 @@ func (c *Container) getOCICgroupPath() (string, error) { } cgroupManager := c.CgroupManager() switch { - case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)) || c.config.NoCgroups: + case c.config.NoCgroups: return "", nil + case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)): + if !isRootlessCgroupSet(c.config.CgroupParent) { + return "", nil + } + return c.config.CgroupParent, nil case c.config.CgroupsMode == cgroupSplit: if c.config.CgroupParent != "" { return c.config.CgroupParent, nil diff --git a/libpod/container_path_resolution.go b/libpod/container_path_resolution.go index d798963b1..ec7306ca1 100644 --- a/libpod/container_path_resolution.go +++ b/libpod/container_path_resolution.go @@ -128,7 +128,7 @@ func isPathOnVolume(c *Container, containerPath string) bool { if cleanedContainerPath == filepath.Clean(vol.Dest) { return true } - for dest := vol.Dest; dest != "/"; dest = filepath.Dir(dest) { + for dest := vol.Dest; dest != "/" && dest != "."; dest = filepath.Dir(dest) { if cleanedContainerPath == dest { return true } diff --git a/libpod/define/container.go b/libpod/define/container.go index 5a2ff026f..f3125afa9 100644 --- a/libpod/define/container.go +++ b/libpod/define/container.go @@ -17,3 +17,12 @@ const ( // handling of system restart, which Podman does not yet support. RestartPolicyUnlessStopped = "unless-stopped" ) + +// RestartPolicyMap maps between restart-policy valid values to restart policy types +var RestartPolicyMap = map[string]string{ + "none": RestartPolicyNone, + RestartPolicyNo: RestartPolicyNo, + RestartPolicyAlways: RestartPolicyAlways, + RestartPolicyOnFailure: RestartPolicyOnFailure, + RestartPolicyUnlessStopped: RestartPolicyUnlessStopped, +} diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go index 1a38f5b0a..5283946fa 100644 --- a/libpod/define/container_inspect.go +++ b/libpod/define/container_inspect.go @@ -64,6 +64,10 @@ type InspectContainerConfig struct { Umask string `json:"Umask,omitempty"` // Secrets are the secrets mounted in the container Secrets []*InspectSecret `json:"Secrets,omitempty"` + // Timeout is time before container is killed by conmon + Timeout uint `json:"Timeout"` + // StopTimeout is time before container is stopped when calling stop + StopTimeout uint `json:"StopTimeout"` } // InspectRestartPolicy holds information about the container's restart policy. diff --git a/libpod/define/errors.go b/libpod/define/errors.go index 8d943099b..64c652eec 100644 --- a/libpod/define/errors.go +++ b/libpod/define/errors.go @@ -12,15 +12,6 @@ var ( // ErrNoSuchPod indicates the requested pod does not exist ErrNoSuchPod = errors.New("no such pod") - // ErrNoSuchImage indicates the requested image does not exist - ErrNoSuchImage = errors.New("no such image") - - // ErrMultipleImages found multiple name and tag matches - ErrMultipleImages = errors.New("found multiple name and tag matches") - - // ErrNoSuchTag indicates the requested image tag does not exist - ErrNoSuchTag = errors.New("no such tag") - // ErrNoSuchVolume indicates the requested volume does not exist ErrNoSuchVolume = errors.New("no such volume") @@ -174,9 +165,6 @@ var ( // killed, preventing normal operation. ErrConmonDead = errors.New("conmon process killed") - // ErrImageInUse indicates the requested operation failed because the image was in use - ErrImageInUse = errors.New("image is being used") - // ErrNetworkOnPodContainer indicates the user wishes to alter network attributes on a container // in a pod. This cannot be done as the infra container has all the network information ErrNetworkOnPodContainer = errors.New("network cannot be configured when it is shared with a pod") diff --git a/libpod/define/info.go b/libpod/define/info.go index 00146da48..87935be2d 100644 --- a/libpod/define/info.go +++ b/libpod/define/info.go @@ -17,6 +17,7 @@ type SecurityInfo struct { DefaultCapabilities string `json:"capabilities"` Rootless bool `json:"rootless"` SECCOMPEnabled bool `json:"seccompEnabled"` + SECCOMPProfilePath string `json:"seccompProfilePath"` SELinuxEnabled bool `json:"selinuxEnabled"` } diff --git a/libpod/diff.go b/libpod/diff.go index df1acf4bb..6ce8d809a 100644 --- a/libpod/diff.go +++ b/libpod/diff.go @@ -1,6 +1,7 @@ package libpod import ( + "github.com/containers/common/libimage" "github.com/containers/podman/v3/libpod/layers" "github.com/containers/storage/pkg/archive" "github.com/pkg/errors" @@ -49,7 +50,7 @@ func (r *Runtime) GetDiff(from, to string) ([]archive.Change, error) { // If the id matches a layer, the top layer id is returned func (r *Runtime) getLayerID(id string) (string, error) { var toLayer string - toImage, err := r.imageRuntime.NewFromLocal(id) + toImage, _, err := r.libimageRuntime.LookupImage(id, &libimage.LookupImageOptions{IgnorePlatform: true}) if err == nil { return toImage.TopLayer(), nil } diff --git a/libpod/image/config.go b/libpod/image/config.go deleted file mode 100644 index efd83d343..000000000 --- a/libpod/image/config.go +++ /dev/null @@ -1,14 +0,0 @@ -package image - -const ( - // LatestTag describes the tag used to refer to the latest version - // of an image - LatestTag = "latest" -) - -// ImageDeleteResponse is the response for removing an image from storage and containers -// what was untagged vs actually removed -type ImageDeleteResponse struct { //nolint - Untagged []string `json:"untagged"` - Deleted string `json:"deleted"` -} diff --git a/libpod/image/df.go b/libpod/image/df.go deleted file mode 100644 index 231d28df4..000000000 --- a/libpod/image/df.go +++ /dev/null @@ -1,126 +0,0 @@ -package image - -import ( - "context" - "time" - - "github.com/containers/image/v5/docker/reference" -) - -// DiskUsageStat gives disk-usage statistics for a specific image. -type DiskUsageStat struct { - // ID of the image. - ID string - // Repository of the first recorded name of the image. - Repository string - // Tag of the first recorded name of the image. - Tag string - // Created is the creation time of the image. - Created time.Time - // SharedSize is the amount of space shared with another image. - SharedSize uint64 - // UniqueSize is the amount of space used only by this image. - UniqueSize uint64 - // Size is the total size of the image (i.e., the sum of the shared and - // unique size). - Size uint64 - // Number of containers using the image. - Containers int -} - -// DiskUsage returns disk-usage statistics for the specified slice of images. -func (ir *Runtime) DiskUsage(ctx context.Context, images []*Image) ([]DiskUsageStat, error) { - stats := make([]DiskUsageStat, len(images)) - - // Build a layerTree to quickly compute (and cache!) parent/child - // relations. - tree, err := ir.layerTree() - if err != nil { - return nil, err - } - - // Calculate the stats for each image. - for i, img := range images { - stat, err := diskUsageForImage(ctx, img, tree) - if err != nil { - return nil, err - } - stats[i] = *stat - } - - return stats, nil -} - -// diskUsageForImage returns the disk-usage statistics for the specified image. -func diskUsageForImage(ctx context.Context, image *Image, tree *layerTree) (*DiskUsageStat, error) { - stat := DiskUsageStat{ - ID: image.ID(), - Created: image.Created(), - } - - // Repository and tag. - var name, repository, tag string - for _, n := range image.Names() { - if len(n) > 0 { - name = n - break - } - } - if len(name) > 0 { - named, err := reference.ParseNormalizedNamed(name) - if err != nil { - return nil, err - } - repository = named.Name() - if tagged, isTagged := named.(reference.NamedTagged); isTagged { - tag = tagged.Tag() - } - } else { - repository = "<none>" - tag = "<none>" - } - stat.Repository = repository - stat.Tag = tag - - // Shared, unique and total size. - parent, err := tree.parent(ctx, image) - if err != nil { - return nil, err - } - childIDs, err := tree.children(ctx, image, false) - if err != nil { - return nil, err - } - // Optimistically set unique size to the full size of the image. - size, err := image.Size(ctx) - if err != nil { - return nil, err - } - stat.UniqueSize = *size - - if len(childIDs) > 0 { - // If we have children, we share everything. - stat.SharedSize = stat.UniqueSize - stat.UniqueSize = 0 - } else if parent != nil { - // If we have no children but a parent, remove the parent - // (shared) size from the unique one. - size, err := parent.Size(ctx) - if err != nil { - return nil, err - } - stat.UniqueSize -= *size - stat.SharedSize = *size - } - - stat.Size = stat.SharedSize + stat.UniqueSize - - // Number of containers using the image. - containers, err := image.Containers() - if err != nil { - return nil, err - } - stat.Containers = len(containers) - - return &stat, nil -} diff --git a/libpod/image/docker_registry_options.go b/libpod/image/docker_registry_options.go deleted file mode 100644 index d95234e3d..000000000 --- a/libpod/image/docker_registry_options.go +++ /dev/null @@ -1,75 +0,0 @@ -package image - -import ( - "fmt" - - "github.com/containers/buildah/pkg/parse" - "github.com/containers/image/v5/docker/reference" - "github.com/containers/image/v5/types" - podmanVersion "github.com/containers/podman/v3/version" -) - -// DockerRegistryOptions encapsulates settings that affect how we connect or -// authenticate to a remote registry. -type DockerRegistryOptions struct { - // DockerRegistryCreds is the user name and password to supply in case - // we need to pull an image from a registry, and it requires us to - // authenticate. - DockerRegistryCreds *types.DockerAuthConfig - // DockerCertPath is the location of a directory containing CA - // certificates which will be used to verify the registry's certificate - // (all files with names ending in ".crt"), and possibly client - // certificates and private keys (pairs of files with the same name, - // except for ".cert" and ".key" suffixes). - DockerCertPath string - // DockerInsecureSkipTLSVerify turns off verification of TLS - // certificates and allows connecting to registries without encryption - // - or forces it on even if registries.conf has the registry configured as insecure. - DockerInsecureSkipTLSVerify types.OptionalBool - // If not "", overrides the use of platform.GOOS when choosing an image or verifying OS match. - OSChoice string - // If not "", overrides the use of platform.GOARCH when choosing an image or verifying architecture match. - ArchitectureChoice string - // If not "", overrides_VARIANT_ instead of the running architecture variant for choosing images. - VariantChoice string - // RegistriesConfPath can be used to override the default path of registries.conf. - RegistriesConfPath string -} - -// GetSystemContext constructs a new system context from a parent context. the values in the DockerRegistryOptions, and other parameters. -func (o DockerRegistryOptions) GetSystemContext(parent *types.SystemContext, additionalDockerArchiveTags []reference.NamedTagged) *types.SystemContext { - sc := &types.SystemContext{ - DockerAuthConfig: o.DockerRegistryCreds, - DockerCertPath: o.DockerCertPath, - DockerInsecureSkipTLSVerify: o.DockerInsecureSkipTLSVerify, - DockerArchiveAdditionalTags: additionalDockerArchiveTags, - OSChoice: o.OSChoice, - ArchitectureChoice: o.ArchitectureChoice, - VariantChoice: o.VariantChoice, - BigFilesTemporaryDir: parse.GetTempDir(), - } - if parent != nil { - sc.SignaturePolicyPath = parent.SignaturePolicyPath - sc.AuthFilePath = parent.AuthFilePath - sc.DirForceCompress = parent.DirForceCompress - sc.DockerRegistryUserAgent = parent.DockerRegistryUserAgent - sc.OSChoice = parent.OSChoice - sc.ArchitectureChoice = parent.ArchitectureChoice - sc.BlobInfoCacheDir = parent.BlobInfoCacheDir - } - return sc -} - -// GetSystemContext Constructs a new containers/image/types.SystemContext{} struct from the given signaturePolicy path -func GetSystemContext(signaturePolicyPath, authFilePath string, forceCompress bool) *types.SystemContext { - sc := &types.SystemContext{} - if signaturePolicyPath != "" { - sc.SignaturePolicyPath = signaturePolicyPath - } - sc.AuthFilePath = authFilePath - sc.DirForceCompress = forceCompress - sc.DockerRegistryUserAgent = fmt.Sprintf("libpod/%s", podmanVersion.Version) - sc.BigFilesTemporaryDir = parse.GetTempDir() - - return sc -} diff --git a/libpod/image/errors.go b/libpod/image/errors.go deleted file mode 100644 index 49f841bf4..000000000 --- a/libpod/image/errors.go +++ /dev/null @@ -1,16 +0,0 @@ -package image - -import ( - "github.com/containers/podman/v3/libpod/define" -) - -var ( - // ErrNoSuchCtr indicates the requested container does not exist - ErrNoSuchCtr = define.ErrNoSuchCtr - // ErrNoSuchPod indicates the requested pod does not exist - ErrNoSuchPod = define.ErrNoSuchPod - // ErrNoSuchImage indicates the requested image does not exist - ErrNoSuchImage = define.ErrNoSuchImage - // ErrNoSuchTag indicates the requested image tag does not exist - ErrNoSuchTag = define.ErrNoSuchTag -) diff --git a/libpod/image/filters.go b/libpod/image/filters.go deleted file mode 100644 index d316c6956..000000000 --- a/libpod/image/filters.go +++ /dev/null @@ -1,196 +0,0 @@ -package image - -import ( - "context" - "fmt" - "path/filepath" - "strconv" - "strings" - "time" - - "github.com/containers/podman/v3/pkg/inspect" - "github.com/containers/podman/v3/pkg/util" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" -) - -// ResultFilter is a mock function for image filtering -type ResultFilter func(*Image) bool - -// Filter is a function to determine whether an image is included in -// command output. Images to be outputted are tested using the function. A true -// return will include the image, a false return will exclude it. -type Filter func(*Image, *inspect.ImageData) bool - -// CreatedBeforeFilter allows you to filter on images created before -// the given time.Time -func CreatedBeforeFilter(createTime time.Time) ResultFilter { - return func(i *Image) bool { - return i.Created().Before(createTime) - } -} - -// IntermediateFilter returns filter for intermediate images (i.e., images -// with children and no tags). -func (ir *Runtime) IntermediateFilter(ctx context.Context, images []*Image) (ResultFilter, error) { - tree, err := ir.layerTree() - if err != nil { - return nil, err - } - return func(i *Image) bool { - if len(i.Names()) > 0 { - return true - } - children, err := tree.children(ctx, i, false) - if err != nil { - logrus.Error(err.Error()) - return false - } - return len(children) == 0 - }, nil -} - -// CreatedAfterFilter allows you to filter on images created after -// the given time.Time -func CreatedAfterFilter(createTime time.Time) ResultFilter { - return func(i *Image) bool { - return i.Created().After(createTime) - } -} - -// DanglingFilter allows you to filter images for dangling images -func DanglingFilter(danglingImages bool) ResultFilter { - return func(i *Image) bool { - if danglingImages { - return i.Dangling() - } - return !i.Dangling() - } -} - -// ReadOnlyFilter allows you to filter images based on read/only and read/write -func ReadOnlyFilter(readOnly bool) ResultFilter { - return func(i *Image) bool { - if readOnly { - return i.IsReadOnly() - } - return !i.IsReadOnly() - } -} - -// LabelFilter allows you to filter by images labels key and/or value -func LabelFilter(ctx context.Context, filter string) ResultFilter { - // We need to handle both label=key and label=key=value - return func(i *Image) bool { - labels, err := i.Labels(ctx) - if err != nil { - return false - } - return util.MatchLabelFilters([]string{filter}, labels) - } -} - -// ReferenceFilter allows you to filter by image name -// Replacing all '/' with '|' so that filepath.Match() can work -// '|' character is not valid in image name, so this is safe -func ReferenceFilter(ctx context.Context, referenceFilter string) ResultFilter { - filter := fmt.Sprintf("*%s*", referenceFilter) - filter = strings.Replace(filter, "/", "|", -1) - return func(i *Image) bool { - if len(referenceFilter) < 1 { - return true - } - for _, name := range i.Names() { - newName := strings.Replace(name, "/", "|", -1) - match, err := filepath.Match(filter, newName) - if err != nil { - logrus.Errorf("failed to match %s and %s, %q", name, referenceFilter, err) - } - if match { - return true - } - } - return false - } -} - -// IDFilter allows you to filter by image Id -func IDFilter(idFilter string) ResultFilter { - return func(i *Image) bool { - return i.ID() == idFilter - } -} - -// OutputImageFilter allows you to filter by an a specific image name -func OutputImageFilter(userImage *Image) ResultFilter { - return func(i *Image) bool { - return userImage.ID() == i.ID() - } -} - -// FilterImages filters images using a set of predefined filter funcs -func FilterImages(images []*Image, filters []ResultFilter) []*Image { - var filteredImages []*Image - for _, image := range images { - include := true - for _, filter := range filters { - include = include && filter(image) - } - if include { - filteredImages = append(filteredImages, image) - } - } - return filteredImages -} - -// createFilterFuncs returns an array of filter functions based on the user inputs -// and is later used to filter images for output -func (ir *Runtime) createFilterFuncs(filters []string, img *Image) ([]ResultFilter, error) { - var filterFuncs []ResultFilter - ctx := context.Background() - for _, filter := range filters { - splitFilter := strings.SplitN(filter, "=", 2) - if len(splitFilter) < 2 { - return nil, errors.Errorf("invalid filter syntax %s", filter) - } - switch splitFilter[0] { - case "before": - before, err := ir.NewFromLocal(splitFilter[1]) - if err != nil { - return nil, errors.Wrapf(err, "unable to find image %s in local stores", splitFilter[1]) - } - filterFuncs = append(filterFuncs, CreatedBeforeFilter(before.Created())) - case "since", "after": - after, err := ir.NewFromLocal(splitFilter[1]) - if err != nil { - return nil, errors.Wrapf(err, "unable to find image %s in local stores", splitFilter[1]) - } - filterFuncs = append(filterFuncs, CreatedAfterFilter(after.Created())) - case "readonly": - readonly, err := strconv.ParseBool(splitFilter[1]) - if err != nil { - return nil, errors.Wrapf(err, "invalid filter readonly=%s", splitFilter[1]) - } - filterFuncs = append(filterFuncs, ReadOnlyFilter(readonly)) - case "dangling": - danglingImages, err := strconv.ParseBool(splitFilter[1]) - if err != nil { - return nil, errors.Wrapf(err, "invalid filter dangling=%s", splitFilter[1]) - } - filterFuncs = append(filterFuncs, DanglingFilter(danglingImages)) - case "label": - labelFilter := strings.Join(splitFilter[1:], "=") - filterFuncs = append(filterFuncs, LabelFilter(ctx, labelFilter)) - case "reference": - filterFuncs = append(filterFuncs, ReferenceFilter(ctx, splitFilter[1])) - case "id": - filterFuncs = append(filterFuncs, IDFilter(splitFilter[1])) - default: - return nil, errors.Errorf("invalid filter %s ", splitFilter[0]) - } - } - if img != nil { - filterFuncs = append(filterFuncs, OutputImageFilter(img)) - } - return filterFuncs, nil -} diff --git a/libpod/image/image.go b/libpod/image/image.go deleted file mode 100644 index 3c9fb3a37..000000000 --- a/libpod/image/image.go +++ /dev/null @@ -1,1858 +0,0 @@ -package image - -import ( - "context" - "encoding/json" - stderrors "errors" - "fmt" - "io" - "io/ioutil" - "os" - "path/filepath" - "sort" - "strings" - "syscall" - "time" - - "github.com/containers/common/pkg/retry" - cp "github.com/containers/image/v5/copy" - "github.com/containers/image/v5/directory" - dockerarchive "github.com/containers/image/v5/docker/archive" - "github.com/containers/image/v5/docker/reference" - "github.com/containers/image/v5/image" - "github.com/containers/image/v5/manifest" - ociarchive "github.com/containers/image/v5/oci/archive" - "github.com/containers/image/v5/oci/layout" - "github.com/containers/image/v5/pkg/shortnames" - is "github.com/containers/image/v5/storage" - "github.com/containers/image/v5/tarball" - "github.com/containers/image/v5/transports" - "github.com/containers/image/v5/transports/alltransports" - "github.com/containers/image/v5/types" - "github.com/containers/podman/v3/libpod/define" - "github.com/containers/podman/v3/libpod/driver" - "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/pkg/inspect" - "github.com/containers/podman/v3/pkg/registries" - "github.com/containers/podman/v3/pkg/util" - "github.com/containers/storage" - digest "github.com/opencontainers/go-digest" - ociv1 "github.com/opencontainers/image-spec/specs-go/v1" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" -) - -// Image is the primary struct for dealing with images -// It is still very much a work in progress -type Image struct { - // Adding these two structs for now but will cull when we near - // completion of this library. - imgRef types.Image - imgSrcRef types.ImageSource - inspect.ImageData - inspect.ImageResult - inspectInfo *types.ImageInspectInfo - InputName string - image *storage.Image - imageruntime *Runtime -} - -// Runtime contains the store -type Runtime struct { - store storage.Store - SignaturePolicyPath string - EventsLogFilePath string - EventsLogger string - Eventer events.Eventer -} - -// InfoImage keep information of Image along with all associated layers -type InfoImage struct { - // ID of image - ID string - // Tags of image - Tags []string - // Layers stores all layers of image. - Layers []LayerInfo -} - -const maxRetry = 3 - -// ImageFilter is a function to determine whether a image is included -// in command output. Images to be outputted are tested using the function. -// A true return will include the image, a false return will exclude it. -type ImageFilter func(*Image) bool //nolint - -// ErrRepoTagNotFound is the error returned when the image id given doesn't match a rep tag in store -var ErrRepoTagNotFound = stderrors.New("unable to match user input to any specific repotag") - -// ErrImageIsBareList is the error returned when the image is just a list or index -var ErrImageIsBareList = stderrors.New("image contains a manifest list or image index, but no runnable image") - -// NewImageRuntimeFromStore creates an ImageRuntime based on a provided store -func NewImageRuntimeFromStore(store storage.Store) *Runtime { - return &Runtime{ - store: store, - } -} - -// NewImageRuntimeFromOptions creates an Image Runtime including the store given -// store options -func NewImageRuntimeFromOptions(options storage.StoreOptions) (*Runtime, error) { - store, err := setStore(options) - if err != nil { - return nil, err - } - return NewImageRuntimeFromStore(store), nil -} - -func setStore(options storage.StoreOptions) (storage.Store, error) { - store, err := storage.GetStore(options) - if err != nil { - return nil, err - } - is.Transport.SetStore(store) - return store, nil -} - -// newImage creates a new image object given an "input name" and a storage.Image -func (ir *Runtime) newImage(inputName string, img *storage.Image) *Image { - return &Image{ - InputName: inputName, - imageruntime: ir, - image: img, - } -} - -// newFromStorage creates a new image object from a storage.Image. Its "input name" will be its ID. -func (ir *Runtime) newFromStorage(img *storage.Image) *Image { - return ir.newImage(img.ID, img) -} - -// NewFromLocal creates a new image object that is intended -// to only deal with local images already in the store (or -// its aliases) -func (ir *Runtime) NewFromLocal(name string) (*Image, error) { - updatedInputName, localImage, err := ir.getLocalImage(name) - if err != nil { - return nil, err - } - return ir.newImage(updatedInputName, localImage), nil -} - -// New creates a new image object where the image could be local -// or remote -func (ir *Runtime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, label *string, pullType util.PullType, progress chan types.ProgressProperties) (*Image, error) { - // We don't know if the image is local or not ... check local first - if pullType != util.PullImageAlways { - newImage, err := ir.NewFromLocal(name) - if err == nil { - return newImage, nil - } else if pullType == util.PullImageNever { - return nil, err - } - } - - // The image is not local - if signaturePolicyPath == "" { - signaturePolicyPath = ir.SignaturePolicyPath - } - imageName, err := ir.pullImageFromHeuristicSource(ctx, name, writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, &retry.RetryOptions{MaxRetry: maxRetry}, label, progress) - if err != nil { - return nil, err - } - - newImage, err := ir.NewFromLocal(imageName[0]) - if err != nil { - return nil, errors.Wrapf(err, "error retrieving local image after pulling %s", name) - } - return newImage, nil -} - -// SaveImages stores one more images in a multi-image archive. -// Note that only `docker-archive` supports storing multiple -// image. -func (ir *Runtime) SaveImages(ctx context.Context, namesOrIDs []string, format string, outputFile string, quiet, removeSignatures bool) (finalErr error) { - if format != DockerArchive { - return errors.Errorf("multi-image archives are only supported in in the %q format", DockerArchive) - } - - sys := GetSystemContext("", "", false) - - archWriter, err := dockerarchive.NewWriter(sys, outputFile) - if err != nil { - return err - } - defer func() { - err := archWriter.Close() - if err == nil { - return - } - if finalErr == nil { - finalErr = err - return - } - finalErr = errors.Wrap(finalErr, err.Error()) - }() - - // Decide whether c/image's progress bars should use stderr or stdout. - // Use stderr in case we need to be quiet or if the output is set to - // stdout. If the output is set of stdout, any log message there would - // corrupt the tarfile. - writer := os.Stdout - if quiet { - writer = os.Stderr - } - - // extend an image with additional tags - type imageData struct { - *Image - tags []reference.NamedTagged - } - - // Look up the images (and their tags) in the local storage. - imageMap := make(map[string]*imageData) // to group tags for an image - imageQueue := []string{} // to preserve relative image order - for _, nameOrID := range namesOrIDs { - // Look up the name or ID in the local image storage. - localImage, err := ir.NewFromLocal(nameOrID) - if err != nil { - return err - } - id := localImage.ID() - - iData, exists := imageMap[id] - if !exists { - imageQueue = append(imageQueue, id) - iData = &imageData{Image: localImage} - imageMap[id] = iData - } - - // Unless we referred to an ID, add the input as a tag. - if !strings.HasPrefix(id, nameOrID) { - tag, err := NormalizedTag(nameOrID) - if err != nil { - return err - } - refTagged, isTagged := tag.(reference.NamedTagged) - if isTagged { - iData.tags = append(iData.tags, refTagged) - } - } - } - - policyContext, err := getPolicyContext(sys) - if err != nil { - return err - } - defer func() { - if err := policyContext.Destroy(); err != nil { - logrus.Errorf("failed to destroy policy context: %q", err) - } - }() - - // Now copy the images one-by-one. - for _, id := range imageQueue { - dest, err := archWriter.NewReference(nil) - if err != nil { - return err - } - - img := imageMap[id] - copyOptions := getCopyOptions(sys, writer, nil, nil, SigningOptions{RemoveSignatures: removeSignatures}, "", img.tags) - copyOptions.DestinationCtx.SystemRegistriesConfPath = registries.SystemRegistriesConfPath() - - // For copying, we need a source reference that we can create - // from the image. - src, err := is.Transport.NewStoreReference(img.imageruntime.store, nil, id) - if err != nil { - return errors.Wrapf(err, "error getting source imageReference for %q", img.InputName) - } - _, err = cp.Image(ctx, policyContext, dest, src, copyOptions) - if err != nil { - return err - } - } - - return nil -} - -// LoadAllImagesFromDockerArchive loads all images from the docker archive that -// fileName points to. -func (ir *Runtime) LoadAllImagesFromDockerArchive(ctx context.Context, fileName string, signaturePolicyPath string, writer io.Writer) ([]*Image, error) { - if signaturePolicyPath == "" { - signaturePolicyPath = ir.SignaturePolicyPath - } - - sc := GetSystemContext(signaturePolicyPath, "", false) - reader, err := dockerarchive.NewReader(sc, fileName) - if err != nil { - return nil, err - } - - defer func() { - if err := reader.Close(); err != nil { - logrus.Errorf(err.Error()) - } - }() - - refLists, err := reader.List() - if err != nil { - return nil, err - } - - refPairs := []pullRefPair{} - for _, refList := range refLists { - for _, ref := range refList { - pairs, err := ir.getPullRefPairsFromDockerArchiveReference(ctx, reader, ref, sc) - if err != nil { - return nil, err - } - refPairs = append(refPairs, pairs...) - } - } - - goal := pullGoal{ - pullAllPairs: true, - refPairs: refPairs, - } - - defer goal.cleanUp() - imageNames, err := ir.doPullImage(ctx, sc, goal, writer, SigningOptions{}, &DockerRegistryOptions{}, &retry.RetryOptions{}, nil, nil) - if err != nil { - return nil, err - } - - newImages := make([]*Image, 0, len(imageNames)) - for _, name := range imageNames { - newImage, err := ir.NewFromLocal(name) - if err != nil { - return nil, errors.Wrapf(err, "error retrieving local image after pulling %s", name) - } - newImages = append(newImages, newImage) - } - ir.newImageEvent(events.LoadFromArchive, "") - return newImages, nil -} - -// LoadFromArchiveReference creates a new image object for images pulled from a tar archive and the like (podman load) -// This function is needed because it is possible for a tar archive to have multiple tags for one image -func (ir *Runtime) LoadFromArchiveReference(ctx context.Context, srcRef types.ImageReference, signaturePolicyPath string, writer io.Writer) ([]*Image, error) { - if signaturePolicyPath == "" { - signaturePolicyPath = ir.SignaturePolicyPath - } - - imageNames, err := ir.pullImageFromReference(ctx, srcRef, writer, "", signaturePolicyPath, SigningOptions{}, &DockerRegistryOptions{}, &retry.RetryOptions{}) - if err != nil { - return nil, errors.Wrapf(err, "unable to pull %s", transports.ImageName(srcRef)) - } - - newImages := make([]*Image, 0, len(imageNames)) - for _, name := range imageNames { - newImage, err := ir.NewFromLocal(name) - if err != nil { - return nil, errors.Wrapf(err, "error retrieving local image after pulling %s", name) - } - newImages = append(newImages, newImage) - } - ir.newImageEvent(events.LoadFromArchive, "") - return newImages, nil -} - -// Shutdown closes down the storage and require a bool arg as to -// whether it should do so forcibly. -func (ir *Runtime) Shutdown(force bool) error { - _, err := ir.store.Shutdown(force) - return err -} - -// GetImagesWithFilters gets images with a series of filters applied -func (ir *Runtime) GetImagesWithFilters(filters []string) ([]*Image, error) { - filterFuncs, err := ir.createFilterFuncs(filters, nil) - if err != nil { - return nil, err - } - images, err := ir.GetImages() - if err != nil { - return nil, err - } - return FilterImages(images, filterFuncs), nil -} - -func (i *Image) reloadImage() error { - newImage, err := i.imageruntime.getImage(i.ID()) - if err != nil { - return errors.Wrapf(err, "unable to reload image") - } - i.image = newImage - return nil -} - -// stringSha256 strips sha256 from user input -func stripSha256(name string) string { - if strings.HasPrefix(name, "sha256:") && len(name) > 7 { - return name[7:] - } - return name -} - -// getLocalImage resolves an unknown input describing an image and -// returns an updated input name, and a storage.Image, or an error. It is used by NewFromLocal. -func (ir *Runtime) getLocalImage(inputName string) (string, *storage.Image, error) { - imageError := fmt.Sprintf("unable to find '%s' in local storage", inputName) - if inputName == "" { - return "", nil, errors.Errorf("input name is blank") - } - - // Check if the input name has a transport and if so strip it - dest, err := alltransports.ParseImageName(inputName) - if err == nil && dest.DockerReference() != nil { - inputName = dest.DockerReference().String() - } - - // Early check for fully-qualified images and (short) IDs. - img, err := ir.store.Image(stripSha256(inputName)) - if err == nil { - return inputName, img, nil - } - - // Note that it's crucial to first decompose the image and check if - // it's a fully-qualified one or a "short name". The latter requires - // some normalization with search registries and the - // "localhost/prefix". - decomposedImage, err := decompose(inputName) - if err != nil { - // We may have a storage reference. We can't parse it to a - // reference before. Otherwise, we'd normalize "alpine" to - // "docker.io/library/alpine:latest" which would break the - // order in which we should query local images below. - if ref, err := is.Transport.ParseStoreReference(ir.store, inputName); err == nil { - img, err = is.Transport.GetStoreImage(ir.store, ref) - if err == nil { - return inputName, img, nil - } - } - return "", nil, err - } - - // The specified image is fully qualified, so it doesn't exist in the - // storage. - if decomposedImage.hasRegistry { - // However ... we may still need to normalize to docker.io: - // `docker.io/foo` -> `docker.io/library/foo` - if ref, err := is.Transport.ParseStoreReference(ir.store, inputName); err == nil { - img, err = is.Transport.GetStoreImage(ir.store, ref) - if err == nil { - return inputName, img, nil - } - } - return "", nil, errors.Wrapf(ErrNoSuchImage, imageError) - } - - sys := &types.SystemContext{ - SystemRegistriesConfPath: registries.SystemRegistriesConfPath(), - } - - candidates, err := shortnames.ResolveLocally(sys, inputName) - if err != nil { - return "", nil, err - } - - for _, candidate := range candidates { - img, err := ir.store.Image(candidate.String()) - if err == nil { - return candidate.String(), img, nil - } - } - - // Backwards compat: normalize to docker.io as some users may very well - // rely on that. - ref, err := is.Transport.ParseStoreReference(ir.store, inputName) - if err == nil { - img, err = is.Transport.GetStoreImage(ir.store, ref) - if err == nil { - return inputName, img, nil - } - } - - // Last resort: look at the repotags of all images and try to find a - // match. - images, err := ir.GetImages() - if err != nil { - return "", nil, err - } - - decomposedImage, err = decompose(inputName) - if err != nil { - return "", nil, err - } - repoImage, err := findImageInRepotags(decomposedImage, images) - if err == nil { - return inputName, repoImage, nil - } - - return "", nil, err -} - -// ID returns the image ID as a string -func (i *Image) ID() string { - return i.image.ID -} - -// IsReadOnly returns whether the image ID comes from a local store -func (i *Image) IsReadOnly() bool { - return i.image.ReadOnly -} - -// Digest returns the image's digest -func (i *Image) Digest() digest.Digest { - return i.image.Digest -} - -// Digests returns the image's digests -func (i *Image) Digests() []digest.Digest { - return i.image.Digests -} - -// GetManifest returns the image's manifest as a byte array -// and manifest type as a string. -func (i *Image) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { - imgSrcRef, err := i.toImageSourceRef(ctx) - if err != nil { - return nil, "", err - } - return imgSrcRef.GetManifest(ctx, instanceDigest) -} - -// Manifest returns the image's manifest as a byte array -// and manifest type as a string. -func (i *Image) Manifest(ctx context.Context) ([]byte, string, error) { - imgRef, err := i.toImageRef(ctx) - if err != nil { - return nil, "", err - } - return imgRef.Manifest(ctx) -} - -// Names returns a string array of names associated with the image, which may be a mixture of tags and digests -func (i *Image) Names() []string { - return i.image.Names -} - -// NamesHistory returns a string array of names previously associated with the -// image, which may be a mixture of tags and digests -func (i *Image) NamesHistory() []string { - if len(i.image.Names) > 0 && len(i.image.NamesHistory) > 0 && - // We compare the latest (time-referenced) tags for equality and skip - // it in the history if they match to not display them twice. We have - // to compare like this, because `i.image.Names` (latest last) gets - // appended on retag, whereas `i.image.NamesHistory` gets prepended - // (latest first) - i.image.Names[len(i.image.Names)-1] == i.image.NamesHistory[0] { - return i.image.NamesHistory[1:] - } - return i.image.NamesHistory -} - -// RepoTags returns a string array of repotags associated with the image -func (i *Image) RepoTags() ([]string, error) { - var repoTags []string - for _, name := range i.Names() { - named, err := reference.ParseNormalizedNamed(name) - if err != nil { - return nil, err - } - if tagged, isTagged := named.(reference.NamedTagged); isTagged { - repoTags = append(repoTags, tagged.String()) - } - } - return repoTags, nil -} - -// RepoDigests returns a string array of repodigests associated with the image -func (i *Image) RepoDigests() ([]string, error) { - var repoDigests []string - added := make(map[string]struct{}) - - for _, name := range i.Names() { - for _, imageDigest := range append(i.Digests(), i.Digest()) { - if imageDigest == "" { - continue - } - - named, err := reference.ParseNormalizedNamed(name) - if err != nil { - return nil, err - } - - canonical, err := reference.WithDigest(reference.TrimNamed(named), imageDigest) - if err != nil { - return nil, err - } - - if _, alreadyInList := added[canonical.String()]; !alreadyInList { - repoDigests = append(repoDigests, canonical.String()) - added[canonical.String()] = struct{}{} - } - } - } - sort.Strings(repoDigests) - return repoDigests, nil -} - -// Created returns the time the image was created -func (i *Image) Created() time.Time { - return i.image.Created -} - -// TopLayer returns the top layer id as a string -func (i *Image) TopLayer() string { - return i.image.TopLayer -} - -// Remove an image; container removal for the image must be done -// outside the context of images -// TODO: the force param does nothing as of now. Need to move container -// handling logic here eventually. -func (i *Image) Remove(ctx context.Context, force bool) error { - parent, err := i.GetParent(ctx) - if err != nil { - logrus.Warnf("error determining parent of image: %v, ignoring the error", err) - parent = nil - } - if _, err := i.imageruntime.store.DeleteImage(i.ID(), true); err != nil { - return err - } - i.newImageEvent(events.Remove) - for parent != nil { - nextParent, err := parent.GetParent(ctx) - if err != nil { - return err - } - children, err := parent.GetChildren(ctx) - if err != nil { - return err - } - // Do not remove if image is a base image and is not untagged, or if - // the image has more children. - if len(children) > 0 || len(parent.Names()) > 0 { - return nil - } - id := parent.ID() - if _, err := i.imageruntime.store.DeleteImage(id, true); err != nil { - logrus.Debugf("unable to remove intermediate image %q: %v", id, err) - } else { - fmt.Println(id) - } - parent = nextParent - } - return nil -} - -// getImage retrieves an image matching the given name or hash from system -// storage -// If no matching image can be found, an error is returned -func (ir *Runtime) getImage(image string) (*storage.Image, error) { - var img *storage.Image - ref, err := is.Transport.ParseStoreReference(ir.store, image) - if err == nil { - img, err = is.Transport.GetStoreImage(ir.store, ref) - } - if err != nil { - img2, err2 := ir.store.Image(image) - if err2 != nil { - if ref == nil { - return nil, errors.Wrapf(err, "error parsing reference to image %q", image) - } - return nil, errors.Wrapf(err, "unable to locate image %q", image) - } - img = img2 - } - return img, nil -} - -func (ir *Runtime) ImageNames(id string) ([]string, error) { - myImage, err := ir.getImage(id) - if err != nil { - return nil, errors.Wrapf(err, "error getting image %s ", id) - } - return myImage.Names, nil -} - -// GetImages retrieves all images present in storage -func (ir *Runtime) GetImages() ([]*Image, error) { - return ir.getImages(false) -} - -// GetRWImages retrieves all read/write images present in storage -func (ir *Runtime) GetRWImages() ([]*Image, error) { - return ir.getImages(true) -} - -// getImages retrieves all images present in storage -func (ir *Runtime) getImages(rwOnly bool) ([]*Image, error) { - images, err := ir.store.Images() - if err != nil { - return nil, err - } - newImages := []*Image{} - for _, i := range images { - if rwOnly && i.ReadOnly { - continue - } - // iterating over these, be careful to not iterate on the literal - // pointer. - image := i - img := ir.newFromStorage(&image) - newImages = append(newImages, img) - } - return newImages, nil -} - -// getImageDigest creates an image object and uses the hex value of the digest as the image ID -// for parsing the store reference -func getImageDigest(ctx context.Context, src types.ImageReference, sc *types.SystemContext) (string, error) { - newImg, err := src.NewImage(ctx, sc) - if err != nil { - return "", err - } - defer func() { - if err := newImg.Close(); err != nil { - logrus.Errorf("failed to close image: %q", err) - } - }() - imageDigest := newImg.ConfigInfo().Digest - if err = imageDigest.Validate(); err != nil { - return "", errors.Wrapf(err, "error getting config info") - } - return "@" + imageDigest.Hex(), nil -} - -// NormalizedTag returns the canonical version of tag for use in Image.Names() -func NormalizedTag(tag string) (reference.Named, error) { - decomposedTag, err := decompose(tag) - if err != nil { - return nil, err - } - // If the input doesn't specify a registry, set the registry to localhost - var ref reference.Named - if !decomposedTag.hasRegistry { - ref, err = decomposedTag.referenceWithRegistry(DefaultLocalRegistry) - if err != nil { - return nil, err - } - } else { - ref, err = decomposedTag.normalizedReference() - if err != nil { - return nil, err - } - } - // If the input does not have a tag, we need to add one (latest) - ref = reference.TagNameOnly(ref) - return ref, nil -} - -// TagImage adds a tag to the given image -func (i *Image) TagImage(tag string) error { - if err := i.reloadImage(); err != nil { - return err - } - ref, err := NormalizedTag(tag) - if err != nil { - return err - } - tags := i.Names() - if util.StringInSlice(ref.String(), tags) { - return nil - } - tags = append(tags, ref.String()) - if err := i.imageruntime.store.SetNames(i.ID(), tags); err != nil { - return err - } - if err := i.reloadImage(); err != nil { - return err - } - i.newImageEvent(events.Tag) - return nil -} - -// UntagImage removes the specified tag from the image. -// If the tag does not exist, ErrNoSuchTag is returned. -func (i *Image) UntagImage(tag string) error { - if err := i.reloadImage(); err != nil { - return err - } - - // Normalize the tag as we do with TagImage. - ref, err := NormalizedTag(tag) - if err != nil { - return err - } - tag = ref.String() - - var newTags []string - tags := i.Names() - if !util.StringInSlice(tag, tags) { - return errors.Wrapf(ErrNoSuchTag, "%q", tag) - } - for _, t := range tags { - if tag != t { - newTags = append(newTags, t) - } - } - if err := i.imageruntime.store.SetNames(i.ID(), newTags); err != nil { - return err - } - if err := i.reloadImage(); err != nil { - return err - } - i.newImageEvent(events.Untag) - return nil -} - -// PushImageToHeuristicDestination pushes the given image to "destination", which is heuristically parsed. -// Use PushImageToReference if the destination is known precisely. -func (i *Image) PushImageToHeuristicDestination(ctx context.Context, destination, manifestMIMEType, authFile, digestFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions, additionalDockerArchiveTags []reference.NamedTagged, progress chan types.ProgressProperties) error { - if destination == "" { - return errors.Wrapf(syscall.EINVAL, "destination image name must be specified") - } - - // Get the destination Image Reference - dest, err := alltransports.ParseImageName(destination) - if err != nil { - if hasTransport(destination) { - return errors.Wrapf(err, "error getting destination imageReference for %q", destination) - } - // Try adding the images default transport - destination2 := DefaultTransport + destination - dest, err = alltransports.ParseImageName(destination2) - if err != nil { - return err - } - } - return i.PushImageToReference(ctx, dest, manifestMIMEType, authFile, digestFile, signaturePolicyPath, writer, forceCompress, signingOptions, dockerRegistryOptions, additionalDockerArchiveTags, progress) -} - -// PushImageToReference pushes the given image to a location described by the given path -func (i *Image) PushImageToReference(ctx context.Context, dest types.ImageReference, manifestMIMEType, authFile, digestFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions, additionalDockerArchiveTags []reference.NamedTagged, progress chan types.ProgressProperties) error { - sc := GetSystemContext(signaturePolicyPath, authFile, forceCompress) - sc.BlobInfoCacheDir = filepath.Join(i.imageruntime.store.GraphRoot(), "cache") - - policyContext, err := getPolicyContext(sc) - if err != nil { - return err - } - defer func() { - if err := policyContext.Destroy(); err != nil { - logrus.Errorf("failed to destroy policy context: %q", err) - } - }() - - // Look up the source image, expecting it to be in local storage - src, err := is.Transport.ParseStoreReference(i.imageruntime.store, i.ID()) - if err != nil { - return errors.Wrapf(err, "error getting source imageReference for %q", i.InputName) - } - copyOptions := getCopyOptions(sc, writer, nil, dockerRegistryOptions, signingOptions, manifestMIMEType, additionalDockerArchiveTags) - copyOptions.DestinationCtx.SystemRegistriesConfPath = registries.SystemRegistriesConfPath() // FIXME: Set this more globally. Probably no reason not to have it in every types.SystemContext, and to compute the value just once in one place. - if progress != nil { - copyOptions.Progress = progress - copyOptions.ProgressInterval = time.Second - } - // Copy the image to the remote destination - manifestBytes, err := cp.Image(ctx, policyContext, dest, src, copyOptions) - if err != nil { - return errors.Wrapf(err, "error copying image to the remote destination") - } - digest, err := manifest.Digest(manifestBytes) - if err != nil { - return errors.Wrapf(err, "error computing digest of manifest of new image %q", transports.ImageName(dest)) - } - - logrus.Debugf("Successfully pushed %s with digest %s", transports.ImageName(dest), digest.String()) - - if digestFile != "" { - if err = ioutil.WriteFile(digestFile, []byte(digest.String()), 0644); err != nil { - return errors.Wrapf(err, "failed to write digest to file %q", digestFile) - } - } - i.newImageEvent(events.Push) - return nil -} - -// MatchesID returns a bool based on if the input id -// matches the image's id -// TODO: This isn't used anywhere, so remove it -func (i *Image) MatchesID(id string) bool { - return strings.HasPrefix(i.ID(), id) -} - -// ToImageRef returns an image reference type from an image -// TODO: Hopefully we can remove this exported function for mheon -func (i *Image) ToImageRef(ctx context.Context) (types.Image, error) { - return i.toImageRef(ctx) -} - -// toImageSourceRef returns an ImageSource Reference type from an image -func (i *Image) toImageSourceRef(ctx context.Context) (types.ImageSource, error) { - if i == nil { - return nil, errors.Errorf("cannot convert nil image to image source reference") - } - if i.imgSrcRef == nil { - ref, err := is.Transport.ParseStoreReference(i.imageruntime.store, "@"+i.ID()) - if err != nil { - return nil, errors.Wrapf(err, "error parsing reference to image %q", i.ID()) - } - imgSrcRef, err := ref.NewImageSource(ctx, nil) - if err != nil { - return nil, errors.Wrapf(err, "error reading image %q as image source", i.ID()) - } - i.imgSrcRef = imgSrcRef - } - return i.imgSrcRef, nil -} - -//Size returns the size of the image -func (i *Image) Size(ctx context.Context) (*uint64, error) { - sum, err := i.imageruntime.store.ImageSize(i.ID()) - if err == nil && sum >= 0 { - usum := uint64(sum) - return &usum, nil - } - return nil, errors.Wrap(err, "unable to determine size") -} - -// toImageRef returns an Image Reference type from an image -func (i *Image) toImageRef(ctx context.Context) (types.Image, error) { - if i == nil { - return nil, errors.Errorf("cannot convert nil image to image reference") - } - imgSrcRef, err := i.toImageSourceRef(ctx) - if err != nil { - return nil, err - } - if i.imgRef == nil { - systemContext := &types.SystemContext{} - unparsedDefaultInstance := image.UnparsedInstance(imgSrcRef, nil) - imgRef, err := image.FromUnparsedImage(ctx, systemContext, unparsedDefaultInstance) - if err != nil { - // check for a "tried-to-treat-a-bare-list-like-a-runnable-image" problem, else - // return info about the not-a-bare-list runnable image part of this storage.Image - if manifestBytes, manifestType, err2 := imgSrcRef.GetManifest(ctx, nil); err2 == nil { - if manifest.MIMETypeIsMultiImage(manifestType) { - if list, err3 := manifest.ListFromBlob(manifestBytes, manifestType); err3 == nil { - switch manifestType { - case ociv1.MediaTypeImageIndex: - err = errors.Wrapf(ErrImageIsBareList, "%q is an image index", i.InputName) - case manifest.DockerV2ListMediaType: - err = errors.Wrapf(ErrImageIsBareList, "%q is a manifest list", i.InputName) - default: - err = errors.Wrapf(ErrImageIsBareList, "%q", i.InputName) - } - for _, instanceDigest := range list.Instances() { - instance := instanceDigest - unparsedInstance := image.UnparsedInstance(imgSrcRef, &instance) - if imgRef2, err4 := image.FromUnparsedImage(ctx, systemContext, unparsedInstance); err4 == nil { - imgRef = imgRef2 - err = nil - break - } - } - } - } - } - if err != nil { - return nil, errors.Wrapf(err, "error reading image %q as image", i.ID()) - } - } - i.imgRef = imgRef - } - return i.imgRef, nil -} - -// DriverData gets the driver data from the store on a layer -func (i *Image) DriverData() (*define.DriverData, error) { - return driver.GetDriverData(i.imageruntime.store, i.TopLayer()) -} - -// Layer returns the image's top layer -func (i *Image) Layer() (*storage.Layer, error) { - return i.imageruntime.store.Layer(i.image.TopLayer) -} - -// History contains the history information of an image -type History struct { - ID string `json:"id"` - Created *time.Time `json:"created"` - CreatedBy string `json:"createdBy"` - Size int64 `json:"size"` - Comment string `json:"comment"` - Tags []string `json:"tags"` -} - -// History gets the history of an image and the IDs of images that are part of -// its history -func (i *Image) History(ctx context.Context) ([]*History, error) { - img, err := i.toImageRef(ctx) - if err != nil { - if errors.Cause(err) == ErrImageIsBareList { - return nil, nil - } - return nil, err - } - oci, err := img.OCIConfig(ctx) - if err != nil { - return nil, err - } - - // Build a mapping from top-layer to image ID. - images, err := i.imageruntime.GetImages() - if err != nil { - return nil, err - } - topLayerMap := make(map[string]string) - for _, image := range images { - if _, exists := topLayerMap[image.TopLayer()]; !exists { - topLayerMap[image.TopLayer()] = image.ID() - } - } - - var allHistory []*History - var layer *storage.Layer - - // Check if we have an actual top layer to prevent lookup errors. - if i.TopLayer() != "" { - layer, err = i.imageruntime.store.Layer(i.TopLayer()) - if err != nil { - return nil, err - } - } - - // Iterate in reverse order over the history entries, and lookup the - // corresponding image ID, size and get the next later if needed. - numHistories := len(oci.History) - 1 - for x := numHistories; x >= 0; x-- { - var size int64 - - id := "<missing>" - if x == numHistories { - id = i.ID() - } - if layer != nil { - if !oci.History[x].EmptyLayer { - size = layer.UncompressedSize - } - if imageID, exists := topLayerMap[layer.ID]; exists { - id = imageID - // Delete the entry to avoid reusing it for following history items. - delete(topLayerMap, layer.ID) - } - } - h := History{ - ID: id, - Created: oci.History[x].Created, - CreatedBy: oci.History[x].CreatedBy, - Size: size, - Comment: oci.History[x].Comment, - } - if layer != nil { - h.Tags = layer.Names - } - allHistory = append(allHistory, &h) - - if layer != nil && layer.Parent != "" && !oci.History[x].EmptyLayer { - layer, err = i.imageruntime.store.Layer(layer.Parent) - if err != nil { - return nil, err - } - } - } - - return allHistory, nil -} - -// Dangling returns a bool if the image is "dangling" -func (i *Image) Dangling() bool { - return len(i.Names()) == 0 -} - -// User returns the image's user -func (i *Image) User(ctx context.Context) (string, error) { - imgInspect, err := i.inspect(ctx, false) - if err != nil { - return "", err - } - return imgInspect.Config.User, nil -} - -// StopSignal returns the image's StopSignal -func (i *Image) StopSignal(ctx context.Context) (string, error) { - imgInspect, err := i.inspect(ctx, false) - if err != nil { - return "", err - } - return imgInspect.Config.StopSignal, nil -} - -// WorkingDir returns the image's WorkingDir -func (i *Image) WorkingDir(ctx context.Context) (string, error) { - imgInspect, err := i.inspect(ctx, false) - if err != nil { - return "", err - } - return imgInspect.Config.WorkingDir, nil -} - -// Cmd returns the image's cmd -func (i *Image) Cmd(ctx context.Context) ([]string, error) { - imgInspect, err := i.inspect(ctx, false) - if err != nil { - return nil, err - } - return imgInspect.Config.Cmd, nil -} - -// Entrypoint returns the image's entrypoint -func (i *Image) Entrypoint(ctx context.Context) ([]string, error) { - imgInspect, err := i.inspect(ctx, false) - if err != nil { - return nil, err - } - return imgInspect.Config.Entrypoint, nil -} - -// Env returns the image's env -func (i *Image) Env(ctx context.Context) ([]string, error) { - imgInspect, err := i.imageInspectInfo(ctx) - if err != nil { - return nil, err - } - return imgInspect.Env, nil -} - -// Labels returns the image's labels -func (i *Image) Labels(ctx context.Context) (map[string]string, error) { - imgInspect, err := i.imageInspectInfo(ctx) - if err != nil { - return nil, err - } - return imgInspect.Labels, nil -} - -// GetLabel Returns a case-insensitive match of a given label -func (i *Image) GetLabel(ctx context.Context, label string) (string, error) { - labels, err := i.Labels(ctx) - if err != nil { - return "", err - } - - for k, v := range labels { - if strings.EqualFold(k, label) { - return v, nil - } - } - return "", nil -} - -// Annotations returns the annotations of an image -func (i *Image) Annotations(ctx context.Context) (map[string]string, error) { - imageManifest, manifestType, err := i.Manifest(ctx) - if err != nil { - imageManifest, manifestType, err = i.GetManifest(ctx, nil) - if err != nil { - return nil, err - } - } - annotations := make(map[string]string) - if manifestType == ociv1.MediaTypeImageManifest { - var m ociv1.Manifest - if err := json.Unmarshal(imageManifest, &m); err == nil { - for k, v := range m.Annotations { - annotations[k] = v - } - } - } - return annotations, nil -} - -// ociv1Image converts an image to an imgref and then returns its config blob -// converted to an ociv1 image type -func (i *Image) ociv1Image(ctx context.Context) (*ociv1.Image, error) { - imgRef, err := i.toImageRef(ctx) - if err != nil { - return nil, err - } - return imgRef.OCIConfig(ctx) -} - -func (i *Image) imageInspectInfo(ctx context.Context) (*types.ImageInspectInfo, error) { - if i.inspectInfo == nil { - ic, err := i.toImageRef(ctx) - if err != nil { - return nil, err - } - imgInspect, err := ic.Inspect(ctx) - if err != nil { - return nil, err - } - i.inspectInfo = imgInspect - } - return i.inspectInfo, nil -} - -func (i *Image) inspect(ctx context.Context, calculateSize bool) (*inspect.ImageData, error) { - ociv1Img, err := i.ociv1Image(ctx) - if err != nil { - ociv1Img = &ociv1.Image{} - } - info, err := i.imageInspectInfo(ctx) - if err != nil { - info = &types.ImageInspectInfo{} - } - annotations, err := i.Annotations(ctx) - if err != nil { - return nil, err - } - - size := int64(-1) - if calculateSize { - if usize, err := i.Size(ctx); err == nil { - size = int64(*usize) - } - } - - parent, err := i.ParentID(ctx) - if err != nil { - return nil, err - } - - repoTags, err := i.RepoTags() - if err != nil { - return nil, err - } - - repoDigests, err := i.RepoDigests() - if err != nil { - return nil, err - } - - driver, err := i.DriverData() - if err != nil { - return nil, err - } - - _, manifestType, err := i.GetManifest(ctx, nil) - if err != nil { - return nil, errors.Wrapf(err, "unable to determine manifest type") - } - comment, err := i.Comment(ctx, manifestType) - if err != nil { - return nil, err - } - - data := &inspect.ImageData{ - ID: i.ID(), - Parent: parent, - RepoTags: repoTags, - RepoDigests: repoDigests, - Comment: comment, - Created: ociv1Img.Created, - Author: ociv1Img.Author, - Architecture: ociv1Img.Architecture, - Os: ociv1Img.OS, - Config: &ociv1Img.Config, - Version: info.DockerVersion, - Size: size, - // This is good enough for now, but has to be - // replaced later with correct calculation logic - VirtualSize: size, - Annotations: annotations, - Digest: i.Digest(), - Labels: info.Labels, - RootFS: &inspect.RootFS{ - Type: ociv1Img.RootFS.Type, - Layers: ociv1Img.RootFS.DiffIDs, - }, - GraphDriver: driver, - ManifestType: manifestType, - User: ociv1Img.Config.User, - History: ociv1Img.History, - NamesHistory: i.NamesHistory(), - } - if manifestType == manifest.DockerV2Schema2MediaType { - hc, err := i.GetHealthCheck(ctx) - if err != nil { - return nil, err - } - if hc != nil { - data.HealthCheck = hc - } - } - return data, nil -} - -// Inspect returns an image's inspect data -func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) { - return i.inspect(ctx, true) -} - -// InspectNoSize returns an image's inspect data without calculating the size for the image -func (i *Image) InspectNoSize(ctx context.Context) (*inspect.ImageData, error) { - return i.inspect(ctx, false) -} - -// Import imports and image into the store and returns an image -func (ir *Runtime) Import(ctx context.Context, path, reference string, writer io.Writer, signingOptions SigningOptions, imageConfig ociv1.Image) (*Image, error) { - src, err := tarball.Transport.ParseReference(path) - if err != nil { - return nil, errors.Wrapf(err, "error parsing image name %q", path) - } - - updater, ok := src.(tarball.ConfigUpdater) - if !ok { - return nil, errors.Wrapf(err, "unexpected type, a tarball reference should implement tarball.ConfigUpdater") - } - - annotations := make(map[string]string) - - // config ociv1.Image - err = updater.ConfigUpdate(imageConfig, annotations) - if err != nil { - return nil, errors.Wrapf(err, "error updating image config") - } - - sc := GetSystemContext(ir.SignaturePolicyPath, "", false) - - // if reference not given, get the image digest - if reference == "" { - reference, err = getImageDigest(ctx, src, sc) - if err != nil { - return nil, err - } - } - policyContext, err := getPolicyContext(sc) - if err != nil { - return nil, err - } - defer func() { - if err := policyContext.Destroy(); err != nil { - logrus.Errorf("failed to destroy policy context: %q", err) - } - }() - copyOptions := getCopyOptions(sc, writer, nil, nil, signingOptions, "", nil) - dest, err := is.Transport.ParseStoreReference(ir.store, reference) - if err != nil { - return nil, errors.Wrapf(err, "error getting image reference for %q", reference) - } - _, err = cp.Image(ctx, policyContext, dest, src, copyOptions) - if err != nil { - return nil, err - } - newImage, err := ir.NewFromLocal(reference) - if err == nil { - newImage.newImageEvent(events.Import) - } - return newImage, err -} - -// MatchRepoTag takes a string and tries to match it against an -// image's repotags -func (i *Image) MatchRepoTag(input string) (string, error) { - results := make(map[int][]string) - var maxCount int - // first check if we have an exact match with the input - if util.StringInSlice(input, i.Names()) { - return input, nil - } - // next check if we are missing the tag - dcImage, err := decompose(input) - if err != nil { - return "", err - } - imageRegistry, imageName, imageSuspiciousTagValueForSearch := dcImage.suspiciousRefNameTagValuesForSearch() - for _, repoName := range i.Names() { - count := 0 - dcRepoName, err := decompose(repoName) - if err != nil { - return "", err - } - repoNameRegistry, repoNameName, repoNameSuspiciousTagValueForSearch := dcRepoName.suspiciousRefNameTagValuesForSearch() - if repoNameRegistry == imageRegistry && imageRegistry != "" { - count++ - } - if repoNameName == imageName && imageName != "" { - count++ - } else if splitString(repoNameName) == splitString(imageName) { - count++ - } - if repoNameSuspiciousTagValueForSearch == imageSuspiciousTagValueForSearch { - count++ - } - results[count] = append(results[count], repoName) - if count > maxCount { - maxCount = count - } - } - if maxCount == 0 { - return "", ErrRepoTagNotFound - } - if len(results[maxCount]) > 1 { - return "", errors.Errorf("user input matched multiple repotags for the image") - } - return results[maxCount][0], nil -} - -// splitString splits input string by / and returns the last array item -func splitString(input string) string { - split := strings.Split(input, "/") - return split[len(split)-1] -} - -// IsParent goes through the layers in the store and checks if i.TopLayer is -// the parent of any other layer in store. Double check that image with that -// layer exists as well. -func (i *Image) IsParent(ctx context.Context) (bool, error) { - children, err := i.getChildren(ctx, false) - if err != nil { - if errors.Cause(err) == ErrImageIsBareList { - return false, nil - } - return false, err - } - return len(children) > 0, nil -} - -// historiesMatch returns the number of entries in the histories which have the -// same contents -func historiesMatch(a, b []ociv1.History) int { - i := 0 - for i < len(a) && i < len(b) { - if a[i].Created != nil && b[i].Created == nil { - return i - } - if a[i].Created == nil && b[i].Created != nil { - return i - } - if a[i].Created != nil && b[i].Created != nil { - if !a[i].Created.Equal(*(b[i].Created)) { - return i - } - } - if a[i].CreatedBy != b[i].CreatedBy { - return i - } - if a[i].Author != b[i].Author { - return i - } - if a[i].Comment != b[i].Comment { - return i - } - if a[i].EmptyLayer != b[i].EmptyLayer { - return i - } - i++ - } - return i -} - -// areParentAndChild checks diff ID and history in the two images and return -// true if the second should be considered to be directly based on the first -func areParentAndChild(parent, child *ociv1.Image) bool { - // the child and candidate parent should share all of the - // candidate parent's diff IDs, which together would have - // controlled which layers were used - - // Both, child and parent, may be nil when the storage is left in an - // incoherent state. Issue #7444 describes such a case when a build - // has been killed. - if child == nil || parent == nil { - return false - } - - if len(parent.RootFS.DiffIDs) > len(child.RootFS.DiffIDs) { - return false - } - childUsesCandidateDiffs := true - for i := range parent.RootFS.DiffIDs { - if child.RootFS.DiffIDs[i] != parent.RootFS.DiffIDs[i] { - childUsesCandidateDiffs = false - break - } - } - if !childUsesCandidateDiffs { - return false - } - // the child should have the same history as the parent, plus - // one more entry - if len(parent.History)+1 != len(child.History) { - return false - } - if historiesMatch(parent.History, child.History) != len(parent.History) { - return false - } - return true -} - -// GetParent returns the image ID of the parent. Return nil if a parent is not found. -func (i *Image) GetParent(ctx context.Context) (*Image, error) { - tree, err := i.imageruntime.layerTree() - if err != nil { - return nil, err - } - return tree.parent(ctx, i) -} - -// ParentID returns the image ID of the parent. Return empty string if a parent is not found. -func (i *Image) ParentID(ctx context.Context) (string, error) { - parent, err := i.GetParent(ctx) - if err == nil && parent != nil { - return parent.ID(), nil - } - return "", err -} - -// GetChildren returns a list of the imageIDs that depend on the image -func (i *Image) GetChildren(ctx context.Context) ([]string, error) { - children, err := i.getChildren(ctx, true) - if err != nil { - if errors.Cause(err) == ErrImageIsBareList { - return nil, nil - } - return nil, err - } - return children, nil -} - -// getChildren returns a list of imageIDs that depend on the image. If all is -// false, only the first child image is returned. -func (i *Image) getChildren(ctx context.Context, all bool) ([]string, error) { - tree, err := i.imageruntime.layerTree() - if err != nil { - return nil, err - } - - return tree.children(ctx, i, all) -} - -// InputIsID returns a bool if the user input for an image -// is the image's partial or full id -func (i *Image) InputIsID() bool { - return strings.HasPrefix(i.ID(), i.InputName) -} - -// Containers a list of container IDs associated with the image -func (i *Image) Containers() ([]string, error) { - containers, err := i.imageruntime.store.Containers() - if err != nil { - return nil, err - } - var imageContainers []string - for _, c := range containers { - if c.ImageID == i.ID() { - imageContainers = append(imageContainers, c.ID) - } - } - return imageContainers, err -} - -// Comment returns the Comment for an image depending on its ManifestType -func (i *Image) Comment(ctx context.Context, manifestType string) (string, error) { - if manifestType == manifest.DockerV2Schema2MediaType { - imgRef, err := i.toImageRef(ctx) - if err != nil { - return "", errors.Wrapf(err, "unable to create image reference from image") - } - blob, err := imgRef.ConfigBlob(ctx) - if err != nil { - return "", errors.Wrapf(err, "unable to get config blob from image") - } - b := manifest.Schema2Image{} - if err := json.Unmarshal(blob, &b); err != nil { - return "", err - } - return b.Comment, nil - } - ociv1Img, err := i.ociv1Image(ctx) - if err != nil { - if errors.Cause(err) == ErrImageIsBareList { - return "", nil - } - return "", err - } - if len(ociv1Img.History) > 0 { - return ociv1Img.History[0].Comment, nil - } - return "", nil -} - -// Save writes a container image to the filesystem -func (i *Image) Save(ctx context.Context, source, format, output string, moreTags []string, quiet, compress, removeSignatures bool) error { - var ( - writer io.Writer - destRef types.ImageReference - manifestType string - err error - ) - - if quiet { - writer = os.Stderr - } - switch format { - case "oci-archive": - destImageName := imageNameForSaveDestination(i, source) - destRef, err = ociarchive.NewReference(output, destImageName) // destImageName may be "" - if err != nil { - return errors.Wrapf(err, "error getting OCI archive ImageReference for (%q, %q)", output, destImageName) - } - case "oci-dir": - destImageName := imageNameForSaveDestination(i, source) - destRef, err = layout.NewReference(output, destImageName) // destImageName may be "" - if err != nil { - return errors.Wrapf(err, "error getting the OCI directory ImageReference for (%q, %q)", output, destImageName) - } - manifestType = ociv1.MediaTypeImageManifest - case "docker-dir": - destRef, err = directory.NewReference(output) - if err != nil { - return errors.Wrapf(err, "error getting directory ImageReference for %q", output) - } - manifestType = manifest.DockerV2Schema2MediaType - case "docker-archive", "": - destImageName := imageNameForSaveDestination(i, source) - ref, err := dockerArchiveDstReference(destImageName) - if err != nil { - return err - } - destRef, err = dockerarchive.NewReference(output, ref) - if err != nil { - return errors.Wrapf(err, "error getting Docker archive ImageReference for %s:%v", output, ref) - } - default: - return errors.Errorf("unknown format option %q", format) - } - // supports saving multiple tags to the same tar archive - var additionaltags []reference.NamedTagged - if len(moreTags) > 0 { - additionaltags, err = GetAdditionalTags(moreTags) - if err != nil { - return err - } - } - if err := i.PushImageToReference(ctx, destRef, manifestType, "", "", "", writer, compress, SigningOptions{RemoveSignatures: removeSignatures}, &DockerRegistryOptions{}, additionaltags, nil); err != nil { - return errors.Wrapf(err, "unable to save %q", source) - } - i.newImageEvent(events.Save) - return nil -} - -// dockerArchiveDestReference returns a NamedTagged reference for a tagged image and nil for untagged image. -func dockerArchiveDstReference(normalizedInput string) (reference.NamedTagged, error) { - if normalizedInput == "" { - return nil, nil - } - ref, err := reference.ParseNormalizedNamed(normalizedInput) - if err != nil { - return nil, errors.Wrapf(err, "docker-archive parsing reference %s", normalizedInput) - } - ref = reference.TagNameOnly(ref) - namedTagged, isTagged := ref.(reference.NamedTagged) - if !isTagged { - namedTagged = nil - } - return namedTagged, nil -} - -// GetConfigBlob returns a schema2image. If the image is not a schema2, then -// it will return an error -func (i *Image) GetConfigBlob(ctx context.Context) (*manifest.Schema2Image, error) { - imageRef, err := i.toImageRef(ctx) - if err != nil { - return nil, err - } - b, err := imageRef.ConfigBlob(ctx) - if err != nil { - return nil, errors.Wrapf(err, "unable to get config blob for %s", i.ID()) - } - blob := manifest.Schema2Image{} - if err := json.Unmarshal(b, &blob); err != nil { - return nil, errors.Wrapf(err, "unable to parse image blob for %s", i.ID()) - } - return &blob, nil -} - -// GetHealthCheck returns a HealthConfig for an image. This function only works with -// schema2 images. -func (i *Image) GetHealthCheck(ctx context.Context) (*manifest.Schema2HealthConfig, error) { - configBlob, err := i.GetConfigBlob(ctx) - if err != nil { - return nil, err - } - return configBlob.ContainerConfig.Healthcheck, nil -} - -// newImageEvent creates a new event based on an image -func (ir *Runtime) newImageEvent(status events.Status, name string) { - e := events.NewEvent(status) - e.Type = events.Image - e.Name = name - if err := ir.Eventer.Write(e); err != nil { - logrus.Infof("unable to write event to %s", ir.EventsLogFilePath) - } -} - -// newImageEvent creates a new event based on an image -func (i *Image) newImageEvent(status events.Status) { - e := events.NewEvent(status) - e.ID = i.ID() - e.Type = events.Image - if len(i.Names()) > 0 { - e.Name = i.Names()[0] - } - if err := i.imageruntime.Eventer.Write(e); err != nil { - logrus.Infof("unable to write event to %s", i.imageruntime.EventsLogFilePath) - } -} - -// Mount mounts a image's filesystem on the host -// The path where the image has been mounted is returned -func (i *Image) Mount(options []string, mountLabel string) (string, error) { - defer i.newImageEvent(events.Mount) - return i.mount(options, mountLabel) -} - -// Unmount unmounts a image's filesystem on the host -func (i *Image) Unmount(force bool) error { - defer i.newImageEvent(events.Unmount) - return i.unmount(force) -} - -// Mounted returns whether the image is mounted and the path it is mounted -// at (if it is mounted). -// If the image is not mounted, no error is returned, and the mountpoint -// will be set to "". -func (i *Image) Mounted() (bool, string, error) { - mountedTimes, err := i.imageruntime.store.Mounted(i.TopLayer()) - if err != nil { - return false, "", err - } - - if mountedTimes > 0 { - layer, err := i.imageruntime.store.Layer(i.TopLayer()) - if err != nil { - return false, "", err - } - return true, layer.MountPoint, nil - } - - return false, "", nil -} - -// mount mounts the container's root filesystem -func (i *Image) mount(options []string, mountLabel string) (string, error) { - mountPoint, err := i.imageruntime.store.MountImage(i.ID(), options, mountLabel) - if err != nil { - return "", errors.Wrapf(err, "error mounting storage for image %s", i.ID()) - } - mountPoint, err = filepath.EvalSymlinks(mountPoint) - if err != nil { - return "", errors.Wrapf(err, "error resolving storage path for image %s", i.ID()) - } - return mountPoint, nil -} - -// unmount unmounts the image's root filesystem -func (i *Image) unmount(force bool) error { - // Also unmount storage - if _, err := i.imageruntime.store.UnmountImage(i.ID(), force); err != nil { - return errors.Wrapf(err, "error unmounting image %s root filesystem", i.ID()) - } - - return nil -} - -// LayerInfo keeps information of single layer -type LayerInfo struct { - // Layer ID - ID string - // Parent ID of current layer. - ParentID string - // ChildID of current layer. - // there can be multiple children in case of fork - ChildID []string - // RepoTag will have image repo names, if layer is top layer of image - RepoTags []string - // Size stores Uncompressed size of layer. - Size int64 -} - -// GetLayersMapWithImageInfo returns map of image-layers, with associated information like RepoTags, parent and list of child layers. -func GetLayersMapWithImageInfo(imageruntime *Runtime) (map[string]*LayerInfo, error) { - // TODO: evaluate if we can reuse `layerTree` here. - - // Memory allocated to store map of layers with key LayerID. - // Map will build dependency chain with ParentID and ChildID(s) - layerInfoMap := make(map[string]*LayerInfo) - - // scan all layers & fill size and parent id for each layer in layerInfoMap - layers, err := imageruntime.store.Layers() - if err != nil { - return nil, err - } - for _, layer := range layers { - _, ok := layerInfoMap[layer.ID] - if !ok { - layerInfoMap[layer.ID] = &LayerInfo{ - ID: layer.ID, - Size: layer.UncompressedSize, - ParentID: layer.Parent, - } - } else { - return nil, fmt.Errorf("detected multiple layers with the same ID %q", layer.ID) - } - } - - // scan all layers & add all childid's for each layers to layerInfo - for _, layer := range layers { - _, ok := layerInfoMap[layer.ID] - if ok { - if layer.Parent != "" { - layerInfoMap[layer.Parent].ChildID = append(layerInfoMap[layer.Parent].ChildID, layer.ID) - } - } else { - return nil, fmt.Errorf("lookup error: layer-id %s, not found", layer.ID) - } - } - - // Add the Repo Tags to Top layer of each image. - imgs, err := imageruntime.store.Images() - if err != nil { - return nil, err - } - layerInfoMap[""] = &LayerInfo{} - for _, img := range imgs { - e, ok := layerInfoMap[img.TopLayer] - if !ok { - return nil, fmt.Errorf("top-layer for image %s not found local store", img.ID) - } - e.RepoTags = append(e.RepoTags, img.Names...) - } - return layerInfoMap, nil -} - -// BuildImageHierarchyMap stores hierarchy of images such that all parent layers using which image is built are stored in imageInfo -// Layers are added such that (Start)RootLayer->...intermediate Parent Layer(s)-> TopLayer(End) -func BuildImageHierarchyMap(imageInfo *InfoImage, layerMap map[string]*LayerInfo, layerID string) error { - if layerID == "" { - return nil - } - ll, ok := layerMap[layerID] - if !ok { - return fmt.Errorf("lookup error: layerid %s not found", layerID) - } - if err := BuildImageHierarchyMap(imageInfo, layerMap, ll.ParentID); err != nil { - return err - } - - imageInfo.Layers = append(imageInfo.Layers, *ll) - return nil -} diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go deleted file mode 100644 index 2b42d6394..000000000 --- a/libpod/image/image_test.go +++ /dev/null @@ -1,318 +0,0 @@ -package image - -import ( - "context" - "fmt" - "io/ioutil" - "os" - "testing" - - "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/pkg/util" - podmanVersion "github.com/containers/podman/v3/version" - "github.com/containers/storage" - "github.com/containers/storage/pkg/reexec" - "github.com/opencontainers/go-digest" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -var ( - bbNames = []string{"docker.io/library/busybox:latest", "docker.io/library/busybox", "docker.io/busybox:latest", "docker.io/busybox", "busybox:latest", "busybox"} - bbGlibcNames = []string{"docker.io/library/busybox:glibc", "docker.io/busybox:glibc", "busybox:glibc"} -) - -type localImageTest struct { - fqname, taggedName string - img *Image - names []string -} - -// make a temporary directory for the runtime -func mkWorkDir() (string, error) { - return ioutil.TempDir("", "podman-test") -} - -// shutdown the runtime and clean behind it -func cleanup(workdir string, ir *Runtime) { - if err := ir.Shutdown(false); err != nil { - fmt.Println(err) - os.Exit(1) - } - err := os.RemoveAll(workdir) - if err != nil { - fmt.Println(err) - os.Exit(1) - } -} - -func makeLocalMatrix(b, bg *Image) []localImageTest { - var l []localImageTest - // busybox - busybox := localImageTest{ - fqname: "docker.io/library/busybox:latest", - taggedName: "bb:latest", - } - busybox.img = b - busybox.names = b.Names() - busybox.names = append(busybox.names, []string{"bb:latest", "bb", b.ID(), b.ID()[0:7], fmt.Sprintf("busybox@%s", b.Digest())}...) - - // busybox-glibc - busyboxGlibc := localImageTest{ - fqname: "docker.io/library/busybox:glibc", - taggedName: "bb:glibc", - } - - busyboxGlibc.img = bg - busyboxGlibc.names = bbGlibcNames - - l = append(l, busybox, busyboxGlibc) - return l -} - -func TestMain(m *testing.M) { - if reexec.Init() { - return - } - os.Exit(m.Run()) -} - -// TestImage_NewFromLocal tests finding the image locally by various names, -// tags, and aliases -func TestImage_NewFromLocal(t *testing.T) { - if os.Geteuid() != 0 { // containers/storage requires root access - t.Skipf("Test not running as root") - } - - workdir, err := mkWorkDir() - assert.NoError(t, err) - so := storage.StoreOptions{ - RunRoot: workdir, - GraphRoot: workdir, - } - writer := os.Stdout - - // Need images to be present for this test - ir, err := NewImageRuntimeFromOptions(so) - assert.NoError(t, err) - defer cleanup(workdir, ir) - - ir.Eventer = events.NewNullEventer() - bb, err := ir.New(context.Background(), "docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, nil, util.PullImageMissing, nil) - assert.NoError(t, err) - bbglibc, err := ir.New(context.Background(), "docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, nil, util.PullImageMissing, nil) - assert.NoError(t, err) - - tm := makeLocalMatrix(bb, bbglibc) - for _, image := range tm { - // tag our images - err = image.img.TagImage(image.taggedName) - assert.NoError(t, err) - for _, name := range image.names { - newImage, err := ir.NewFromLocal(name) - require.NoError(t, err) - assert.Equal(t, newImage.ID(), image.img.ID()) - } - } -} - -// TestImage_New tests pulling the image by various names, tags, and from -// different registries -func TestImage_New(t *testing.T) { - if os.Geteuid() != 0 { // containers/storage requires root access - t.Skipf("Test not running as root") - } - - var names []string - workdir, err := mkWorkDir() - assert.NoError(t, err) - so := storage.StoreOptions{ - RunRoot: workdir, - GraphRoot: workdir, - } - ir, err := NewImageRuntimeFromOptions(so) - assert.NoError(t, err) - defer cleanup(workdir, ir) - - ir.Eventer = events.NewNullEventer() - // Build the list of pull names - names = append(names, bbNames...) - writer := os.Stdout - - opts := DockerRegistryOptions{ - RegistriesConfPath: "testdata/registries.conf", - } - // Iterate over the names and delete the image - // after the pull - for _, img := range names { - newImage, err := ir.New(context.Background(), img, "", "", writer, &opts, SigningOptions{}, nil, util.PullImageMissing, nil) - require.NoError(t, err, img) - assert.NotEqual(t, newImage.ID(), "") - err = newImage.Remove(context.Background(), false) - assert.NoError(t, err) - } -} - -// TestImage_MatchRepoTag tests the various inputs we need to match -// against an image's reponames -func TestImage_MatchRepoTag(t *testing.T) { - if os.Geteuid() != 0 { // containers/storage requires root access - t.Skipf("Test not running as root") - } - - //Set up - workdir, err := mkWorkDir() - assert.NoError(t, err) - so := storage.StoreOptions{ - RunRoot: workdir, - GraphRoot: workdir, - } - ir, err := NewImageRuntimeFromOptions(so) - require.NoError(t, err) - defer cleanup(workdir, ir) - - opts := DockerRegistryOptions{ - RegistriesConfPath: "testdata/registries.conf", - } - ir.Eventer = events.NewNullEventer() - newImage, err := ir.New(context.Background(), "busybox", "", "", os.Stdout, &opts, SigningOptions{}, nil, util.PullImageMissing, nil) - require.NoError(t, err) - err = newImage.TagImage("foo:latest") - require.NoError(t, err) - err = newImage.TagImage("foo:bar") - require.NoError(t, err) - - // Tests start here. - for _, name := range bbNames { - repoTag, err := newImage.MatchRepoTag(name) - assert.NoError(t, err) - assert.Equal(t, "docker.io/library/busybox:latest", repoTag) - } - - // Test against tagged images of busybox - - // foo should resolve to foo:latest - repoTag, err := newImage.MatchRepoTag("foo") - require.NoError(t, err) - assert.Equal(t, "localhost/foo:latest", repoTag) - - // foo:bar should resolve to foo:bar - repoTag, err = newImage.MatchRepoTag("foo:bar") - require.NoError(t, err) - assert.Equal(t, "localhost/foo:bar", repoTag) -} - -// TestImage_RepoDigests tests RepoDigest generation. -func TestImage_RepoDigests(t *testing.T) { - dgst, err := digest.Parse("sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc") - require.NoError(t, err) - - for _, tt := range []struct { - name string - names []string - expected []string - }{ - { - name: "empty", - names: []string{}, - expected: nil, - }, - { - name: "tagged", - names: []string{"docker.io/library/busybox:latest"}, - expected: []string{"docker.io/library/busybox@sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc"}, - }, - { - name: "digest", - names: []string{"docker.io/library/busybox@sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc"}, - expected: []string{"docker.io/library/busybox@sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc"}, - }, - } { - test := tt - t.Run(test.name, func(t *testing.T) { - image := &Image{ - image: &storage.Image{ - Names: test.names, - Digest: dgst, - }, - } - actual, err := image.RepoDigests() - require.NoError(t, err) - assert.Equal(t, test.expected, actual) - - image = &Image{ - image: &storage.Image{ - Names: test.names, - Digests: []digest.Digest{dgst}, - }, - } - actual, err = image.RepoDigests() - require.NoError(t, err) - assert.Equal(t, test.expected, actual) - }) - } -} - -// Test_splitString tests the splitString function in image that -// takes input and splits on / and returns the last array item -func Test_splitString(t *testing.T) { - assert.Equal(t, splitString("foo/bar"), "bar") - assert.Equal(t, splitString("a/foo/bar"), "bar") - assert.Equal(t, splitString("bar"), "bar") -} - -// Test_stripSha256 tests test the stripSha256 function which removes -// the prefix "sha256:" from a string if it is present -func Test_stripSha256(t *testing.T) { - assert.Equal(t, stripSha256(""), "") - assert.Equal(t, stripSha256("test1"), "test1") - assert.Equal(t, stripSha256("sha256:9110ae7f579f35ee0c3938696f23fe0f5fbe641738ea52eb83c2df7e9995fa17"), "9110ae7f579f35ee0c3938696f23fe0f5fbe641738ea52eb83c2df7e9995fa17") - assert.Equal(t, stripSha256("sha256:9110ae7f"), "9110ae7f") - assert.Equal(t, stripSha256("sha256:"), "sha256:") - assert.Equal(t, stripSha256("sha256:a"), "a") -} - -func TestNormalizedTag(t *testing.T) { - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - - for _, c := range []struct{ input, expected string }{ - {"#", ""}, // Clearly invalid - {"example.com/busybox", "example.com/busybox:latest"}, // Qualified name-only - {"example.com/busybox:notlatest", "example.com/busybox:notlatest"}, // Qualified name:tag - {"example.com/busybox" + digestSuffix, "example.com/busybox" + digestSuffix}, // Qualified name@digest; FIXME? Should we allow tagging with a digest at all? - {"example.com/busybox:notlatest" + digestSuffix, "example.com/busybox:notlatest" + digestSuffix}, // Qualified name:tag@digest - {"busybox:latest", "localhost/busybox:latest"}, // Unqualified name-only - {"ns/busybox:latest", "localhost/ns/busybox:latest"}, // Unqualified with a dot-less namespace - {"docker.io/busybox:latest", "docker.io/library/busybox:latest"}, // docker.io without /library/ - } { - res, err := NormalizedTag(c.input) - if c.expected == "" { - assert.Error(t, err, c.input) - } else { - assert.NoError(t, err, c.input) - assert.Equal(t, c.expected, res.String()) - } - } -} - -func TestGetSystemContext(t *testing.T) { - sc := GetSystemContext("", "", false) - assert.Equal(t, sc.SignaturePolicyPath, "") - assert.Equal(t, sc.AuthFilePath, "") - assert.Equal(t, sc.DirForceCompress, false) - assert.Equal(t, sc.DockerRegistryUserAgent, fmt.Sprintf("libpod/%s", podmanVersion.Version)) - assert.Equal(t, sc.BigFilesTemporaryDir, "/var/tmp") - - oldtmpdir := os.Getenv("TMPDIR") - os.Setenv("TMPDIR", "/mnt") - sc = GetSystemContext("/tmp/foo", "/tmp/bar", true) - assert.Equal(t, sc.SignaturePolicyPath, "/tmp/foo") - assert.Equal(t, sc.AuthFilePath, "/tmp/bar") - assert.Equal(t, sc.DirForceCompress, true) - assert.Equal(t, sc.BigFilesTemporaryDir, "/mnt") - if oldtmpdir != "" { - os.Setenv("TMPDIR", oldtmpdir) - } else { - os.Unsetenv("TMPDIR") - } -} diff --git a/libpod/image/layer_tree.go b/libpod/image/layer_tree.go deleted file mode 100644 index aa3084449..000000000 --- a/libpod/image/layer_tree.go +++ /dev/null @@ -1,239 +0,0 @@ -package image - -import ( - "context" - - ociv1 "github.com/opencontainers/image-spec/specs-go/v1" - "github.com/sirupsen/logrus" -) - -// layerTree is an internal representation of local layers. -type layerTree struct { - // nodes is the actual layer tree with layer IDs being keys. - nodes map[string]*layerNode - // ociCache is a cache for Image.ID -> OCI Image. Translations are done - // on-demand. - ociCache map[string]*ociv1.Image -} - -// node returns a layerNode for the specified layerID. -func (t *layerTree) node(layerID string) *layerNode { - node, exists := t.nodes[layerID] - if !exists { - node = &layerNode{} - t.nodes[layerID] = node - } - return node -} - -// toOCI returns an OCI image for the specified image. -func (t *layerTree) toOCI(ctx context.Context, i *Image) (*ociv1.Image, error) { - var err error - oci, exists := t.ociCache[i.ID()] - if !exists { - oci, err = i.ociv1Image(ctx) - if err == nil { - t.ociCache[i.ID()] = oci - } - } - return oci, err -} - -// layerNode is a node in a layerTree. It's ID is the key in a layerTree. -type layerNode struct { - children []*layerNode - images []*Image - parent *layerNode -} - -// layerTree extracts a layerTree from the layers in the local storage and -// relates them to the specified images. -func (ir *Runtime) layerTree() (*layerTree, error) { - layers, err := ir.store.Layers() - if err != nil { - return nil, err - } - - images, err := ir.GetImages() - if err != nil { - return nil, err - } - - tree := layerTree{ - nodes: make(map[string]*layerNode), - ociCache: make(map[string]*ociv1.Image), - } - - // First build a tree purely based on layer information. - for _, layer := range layers { - node := tree.node(layer.ID) - if layer.Parent == "" { - continue - } - parent := tree.node(layer.Parent) - node.parent = parent - parent.children = append(parent.children, node) - } - - // Now assign the images to each (top) layer. - for i := range images { - img := images[i] // do not leak loop variable outside the scope - topLayer := img.TopLayer() - if topLayer == "" { - continue - } - node, exists := tree.nodes[topLayer] - if !exists { - // Note: erroring out in this case has turned out having been a - // mistake. Users may not be able to recover, so we're now - // throwing a warning to guide them to resolve the issue and - // turn the errors non-fatal. - logrus.Warnf("Top layer %s of image %s not found in layer tree. The storage may be corrupted, consider running `podman system reset`.", topLayer, img.ID()) - continue - } - node.images = append(node.images, img) - } - - return &tree, nil -} - -// children returns the image IDs of children . Child images are images -// with either the same top layer as parent or parent being the true parent -// layer. Furthermore, the history of the parent and child images must match -// with the parent having one history item less. -// If all is true, all images are returned. Otherwise, the first image is -// returned. -func (t *layerTree) children(ctx context.Context, parent *Image, all bool) ([]string, error) { - if parent.TopLayer() == "" { - return nil, nil - } - - var children []string - - parentNode, exists := t.nodes[parent.TopLayer()] - if !exists { - // Note: erroring out in this case has turned out having been a - // mistake. Users may not be able to recover, so we're now - // throwing a warning to guide them to resolve the issue and - // turn the errors non-fatal. - logrus.Warnf("Layer %s not found in layer. The storage may be corrupted, consider running `podman system reset`.", parent.TopLayer()) - return children, nil - } - - parentID := parent.ID() - parentOCI, err := t.toOCI(ctx, parent) - if err != nil { - return nil, err - } - - // checkParent returns true if child and parent are in such a relation. - checkParent := func(child *Image) (bool, error) { - if parentID == child.ID() { - return false, nil - } - childOCI, err := t.toOCI(ctx, child) - if err != nil { - return false, err - } - // History check. - return areParentAndChild(parentOCI, childOCI), nil - } - - // addChildrenFrom adds child images of parent to children. Returns - // true if any image is a child of parent. - addChildrenFromNode := func(node *layerNode) (bool, error) { - foundChildren := false - for _, childImage := range node.images { - isChild, err := checkParent(childImage) - if err != nil { - return foundChildren, err - } - if isChild { - foundChildren = true - children = append(children, childImage.ID()) - if all { - return foundChildren, nil - } - } - } - return foundChildren, nil - } - - // First check images where parent's top layer is also the parent - // layer. - for _, childNode := range parentNode.children { - found, err := addChildrenFromNode(childNode) - if err != nil { - return nil, err - } - if found && all { - return children, nil - } - } - - // Now check images with the same top layer. - if _, err := addChildrenFromNode(parentNode); err != nil { - return nil, err - } - - return children, nil -} - -// parent returns the parent image or nil if no parent image could be found. -func (t *layerTree) parent(ctx context.Context, child *Image) (*Image, error) { - if child.TopLayer() == "" { - return nil, nil - } - - node, exists := t.nodes[child.TopLayer()] - if !exists { - // Note: erroring out in this case has turned out having been a - // mistake. Users may not be able to recover, so we're now - // throwing a warning to guide them to resolve the issue and - // turn the errors non-fatal. - logrus.Warnf("Layer %s not found in layer. The storage may be corrupted, consider running `podman system reset`.", child.TopLayer()) - return nil, nil - } - - childOCI, err := t.toOCI(ctx, child) - if err != nil { - return nil, err - } - - // Check images from the parent node (i.e., parent layer) and images - // with the same layer (i.e., same top layer). - childID := child.ID() - images := node.images - if node.parent != nil { - images = append(images, node.parent.images...) - } - for _, parent := range images { - if parent.ID() == childID { - continue - } - parentOCI, err := t.toOCI(ctx, parent) - if err != nil { - return nil, err - } - // History check. - if areParentAndChild(parentOCI, childOCI) { - return parent, nil - } - } - - return nil, nil -} - -// hasChildrenAndParent returns true if the specified image has children and a -// parent. -func (t *layerTree) hasChildrenAndParent(ctx context.Context, i *Image) (bool, error) { - children, err := t.children(ctx, i, false) - if err != nil { - return false, err - } - if len(children) == 0 { - return false, nil - } - parent, err := t.parent(ctx, i) - return parent != nil, err -} diff --git a/libpod/image/manifests.go b/libpod/image/manifests.go deleted file mode 100644 index 1ae3693c9..000000000 --- a/libpod/image/manifests.go +++ /dev/null @@ -1,209 +0,0 @@ -package image - -import ( - "context" - "fmt" - - "github.com/containers/buildah/manifests" - "github.com/containers/image/v5/docker" - "github.com/containers/image/v5/manifest" - "github.com/containers/image/v5/transports/alltransports" - "github.com/containers/image/v5/types" - "github.com/opencontainers/go-digest" -) - -// Options for adding a manifest -// swagger:model ManifestAddOpts -type ManifestAddOpts struct { - All bool `json:"all"` - Annotation map[string]string `json:"annotation"` - Arch string `json:"arch"` - Features []string `json:"features"` - Images []string `json:"images"` - OS string `json:"os"` - OSVersion string `json:"os_version"` - Variant string `json:"variant"` -} - -// ManifestAnnotateOptions defines the options for -// manifest annotate -type ManifestAnnotateOpts struct { - Annotation map[string]string `json:"annotation"` - Arch string `json:"arch"` - Features []string `json:"features"` - OS string `json:"os"` - OSFeatures []string `json:"os_feature"` - OSVersion string `json:"os_version"` - Variant string `json:"variant"` -} - -// InspectManifest returns a dockerized version of the manifest list -func (i *Image) InspectManifest() (*manifest.Schema2List, error) { - list, err := i.getManifestList() - if err != nil { - return nil, err - } - return list.Docker(), nil -} - -// ExistsManifest checks if a manifest list exists -func (i *Image) ExistsManifest() (bool, error) { - _, err := i.getManifestList() - if err != nil { - return false, err - } - return true, nil -} - -// RemoveManifest removes the given digest from the manifest list. -func (i *Image) RemoveManifest(d digest.Digest) (string, error) { - list, err := i.getManifestList() - if err != nil { - return "", err - } - if err := list.Remove(d); err != nil { - return "", err - } - return list.SaveToImage(i.imageruntime.store, i.ID(), nil, "") -} - -// getManifestList is a helper to obtain a manifest list -func (i *Image) getManifestList() (manifests.List, error) { - _, list, err := manifests.LoadFromImage(i.imageruntime.store, i.ID()) - return list, err -} - -// CreateManifestList creates a new manifest list and can optionally add given images -// to the list -func CreateManifestList(rt *Runtime, systemContext types.SystemContext, names []string, imgs []string, all bool) (string, error) { - list := manifests.Create() - opts := ManifestAddOpts{Images: names, All: all} - for _, img := range imgs { - ref, err := alltransports.ParseImageName(img) - if err != nil { - dockerPrefix := fmt.Sprintf("%s://", docker.Transport.Name()) - ref, err = alltransports.ParseImageName(fmt.Sprintf("%s%s", dockerPrefix, img)) - if err != nil { - return "", err - } - } - list, err = addManifestToList(ref, list, systemContext, opts) - if err != nil { - return "", err - } - } - return list.SaveToImage(rt.store, "", names, manifest.DockerV2ListMediaType) -} - -func addManifestToList(ref types.ImageReference, list manifests.List, systemContext types.SystemContext, opts ManifestAddOpts) (manifests.List, error) { - d, err := list.Add(context.Background(), &systemContext, ref, opts.All) - if err != nil { - return nil, err - } - if opts.OS != "" { - if err := list.SetOS(d, opts.OS); err != nil { - return nil, err - } - } - if len(opts.OSVersion) > 0 { - if err := list.SetOSVersion(d, opts.OSVersion); err != nil { - return nil, err - } - } - if len(opts.Features) > 0 { - if err := list.SetFeatures(d, opts.Features); err != nil { - return nil, err - } - } - if len(opts.Arch) > 0 { - if err := list.SetArchitecture(d, opts.Arch); err != nil { - return nil, err - } - } - if len(opts.Variant) > 0 { - if err := list.SetVariant(d, opts.Variant); err != nil { - return nil, err - } - } - if len(opts.Annotation) > 0 { - if err := list.SetAnnotations(&d, opts.Annotation); err != nil { - return nil, err - } - } - return list, err -} - -// AddManifest adds a manifest to a given manifest list. -func (i *Image) AddManifest(systemContext types.SystemContext, opts ManifestAddOpts) (string, error) { - ref, err := alltransports.ParseImageName(opts.Images[0]) - if err != nil { - dockerPrefix := fmt.Sprintf("%s://", docker.Transport.Name()) - ref, err = alltransports.ParseImageName(fmt.Sprintf("%s%s", dockerPrefix, opts.Images[0])) - if err != nil { - return "", err - } - } - list, err := i.getManifestList() - if err != nil { - return "", err - } - list, err = addManifestToList(ref, list, systemContext, opts) - if err != nil { - return "", err - } - return list.SaveToImage(i.imageruntime.store, i.ID(), nil, "") -} - -// PushManifest pushes a manifest to a destination -func (i *Image) PushManifest(dest types.ImageReference, opts manifests.PushOptions) (digest.Digest, error) { - list, err := i.getManifestList() - if err != nil { - return "", err - } - _, d, err := list.Push(context.Background(), dest, opts) - return d, err -} - -// AnnotateManifest updates an image configuration of a manifest list. -func (i *Image) AnnotateManifest(systemContext types.SystemContext, d digest.Digest, opts ManifestAnnotateOpts) (string, error) { - list, err := i.getManifestList() - if err != nil { - return "", err - } - if len(opts.OS) > 0 { - if err := list.SetOS(d, opts.OS); err != nil { - return "", err - } - } - if len(opts.OSVersion) > 0 { - if err := list.SetOSVersion(d, opts.OSVersion); err != nil { - return "", err - } - } - if len(opts.Features) > 0 { - if err := list.SetFeatures(d, opts.Features); err != nil { - return "", err - } - } - if len(opts.OSFeatures) > 0 { - if err := list.SetOSFeatures(d, opts.OSFeatures); err != nil { - return "", err - } - } - if len(opts.Arch) > 0 { - if err := list.SetArchitecture(d, opts.Arch); err != nil { - return "", err - } - } - if len(opts.Variant) > 0 { - if err := list.SetVariant(d, opts.Variant); err != nil { - return "", err - } - } - if len(opts.Annotation) > 0 { - if err := list.SetAnnotations(&d, opts.Annotation); err != nil { - return "", err - } - } - return list.SaveToImage(i.imageruntime.store, i.ID(), nil, "") -} diff --git a/libpod/image/parts.go b/libpod/image/parts.go deleted file mode 100644 index 08421320c..000000000 --- a/libpod/image/parts.go +++ /dev/null @@ -1,104 +0,0 @@ -package image - -import ( - "strings" - - "github.com/containers/image/v5/docker/reference" - "github.com/pkg/errors" -) - -// imageParts describes the parts of an image's name -type imageParts struct { - unnormalizedRef reference.Named // WARNING: Did not go through docker.io[/library] normalization - hasRegistry bool -} - -// Registries must contain a ":" or a "." or be localhost; this helper exists for users of reference.Parse. -// For inputs that should use the docker.io[/library] normalization, use reference.ParseNormalizedNamed instead. -func isRegistry(name string) bool { - return strings.ContainsAny(name, ".:") || name == "localhost" -} - -// GetImageBaseName uses decompose and string splits to obtain the base -// name of an image. Doing this here because it beats changing the -// imageParts struct names to be exported as well. -func GetImageBaseName(input string) (string, error) { - decomposedImage, err := decompose(input) - if err != nil { - return "", err - } - splitImageName := strings.Split(decomposedImage.unnormalizedRef.Name(), "/") - return splitImageName[len(splitImageName)-1], nil -} - -// decompose breaks an input name into an imageParts description -func decompose(input string) (imageParts, error) { - imgRef, err := reference.Parse(input) - if err != nil { - return imageParts{}, err - } - unnormalizedNamed := imgRef.(reference.Named) - // ip.unnormalizedRef, because it uses reference.Parse and not reference.ParseNormalizedNamed, - // does not use the standard heuristics for domains vs. namespaces/repos, so we need to check - // explicitly. - hasRegistry := isRegistry(reference.Domain(unnormalizedNamed)) - return imageParts{ - unnormalizedRef: unnormalizedNamed, - hasRegistry: hasRegistry, - }, nil -} - -// suspiciousRefNameTagValuesForSearch returns a "tag" value used in a previous implementation. -// This exists only to preserve existing behavior in heuristic code; it’s dubious that that behavior is correct, -// especially for the tag value. -func (ip *imageParts) suspiciousRefNameTagValuesForSearch() (string, string, string) { - registry := reference.Domain(ip.unnormalizedRef) - imageName := reference.Path(ip.unnormalizedRef) - // ip.unnormalizedRef, because it uses reference.Parse and not reference.ParseNormalizedNamed, - // does not use the standard heuristics for domains vs. namespaces/repos. - if registry != "" && !isRegistry(registry) { - imageName = registry + "/" + imageName - registry = "" - } - - var tag string - if tagged, isTagged := ip.unnormalizedRef.(reference.NamedTagged); isTagged { - tag = tagged.Tag() - } else if _, hasDigest := ip.unnormalizedRef.(reference.Digested); hasDigest { - tag = "none" - } else { - tag = LatestTag - } - return registry, imageName, tag -} - -// referenceWithRegistry returns a (normalized) reference.Named composed of ip (with !ip.hasRegistry) -// qualified with registry. -func (ip *imageParts) referenceWithRegistry(registry string) (reference.Named, error) { - if ip.hasRegistry { - return nil, errors.Errorf("internal error: referenceWithRegistry called on imageParts with a registry (%#v)", *ip) - } - // We could build a reference.WithName+WithTag/WithDigest here, but we need to round-trip via a string - // and a ParseNormalizedNamed anyway to get the right normalization of docker.io/library, so - // just use a string directly. - qualified := registry + "/" + ip.unnormalizedRef.String() - ref, err := reference.ParseNormalizedNamed(qualified) - if err != nil { - return nil, errors.Wrapf(err, "error normalizing registry+unqualified reference %#v", qualified) - } - return ref, nil -} - -// normalizedReference returns a (normalized) reference for ip (with ip.hasRegistry) -func (ip *imageParts) normalizedReference() (reference.Named, error) { - if !ip.hasRegistry { - return nil, errors.Errorf("internal error: normalizedReference called on imageParts without a registry (%#v)", *ip) - } - // We need to round-trip via a string to get the right normalization of docker.io/library - s := ip.unnormalizedRef.String() - ref, err := reference.ParseNormalizedNamed(s) - if err != nil { // Should never happen - return nil, errors.Wrapf(err, "error normalizing qualified reference %#v", s) - } - return ref, nil -} diff --git a/libpod/image/parts_test.go b/libpod/image/parts_test.go deleted file mode 100644 index 726e55e86..000000000 --- a/libpod/image/parts_test.go +++ /dev/null @@ -1,123 +0,0 @@ -package image - -import ( - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func TestDecompose(t *testing.T) { - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - - for _, c := range []struct { - input string - registry, name, suspiciousTagValueForSearch string - hasRegistry bool - }{ - {"#", "", "", "", false}, // Entirely invalid input - { // Fully qualified docker.io, name-only input - "docker.io/library/busybox", "docker.io", "library/busybox", "latest", true, - }, - { // Fully qualified example.com, name-only input - "example.com/ns/busybox", "example.com", "ns/busybox", "latest", true, - }, - { // Unqualified single-name input - "busybox", "", "busybox", "latest", false, - }, - { // Unqualified namespaced input - "ns/busybox", "", "ns/busybox", "latest", false, - }, - { // name:tag - "example.com/ns/busybox:notlatest", "example.com", "ns/busybox", "notlatest", true, - }, - { // name@digest - // FIXME? .suspiciousTagValueForSearch == "none" - "example.com/ns/busybox" + digestSuffix, "example.com", "ns/busybox", "none", true, - }, - { // name:tag@digest - "example.com/ns/busybox:notlatest" + digestSuffix, "example.com", "ns/busybox", "notlatest", true, - }, - } { - parts, err := decompose(c.input) - if c.name == "" { - assert.Error(t, err, c.input) - } else { - assert.NoError(t, err, c.input) - registry, name, suspiciousTagValueForSearch := parts.suspiciousRefNameTagValuesForSearch() - assert.Equal(t, c.registry, registry, c.input) - assert.Equal(t, c.name, name, c.input) - assert.Equal(t, c.suspiciousTagValueForSearch, suspiciousTagValueForSearch, c.input) - assert.Equal(t, c.hasRegistry, parts.hasRegistry, c.input) - } - } -} - -func TestImagePartsReferenceWithRegistry(t *testing.T) { - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - - for _, c := range []struct { - input string - withDocker, withNonDocker string - }{ - {"example.com/ns/busybox", "", ""}, // Fully-qualified input is invalid. - {"busybox", "docker.io/library/busybox", "example.com/busybox"}, // Single-name input - {"ns/busybox", "docker.io/ns/busybox", "example.com/ns/busybox"}, // Namespaced input - {"ns/busybox:notlatest", "docker.io/ns/busybox:notlatest", "example.com/ns/busybox:notlatest"}, // name:tag - {"ns/busybox" + digestSuffix, "docker.io/ns/busybox" + digestSuffix, "example.com/ns/busybox" + digestSuffix}, // name@digest - { // name:tag@digest - "ns/busybox:notlatest" + digestSuffix, - "docker.io/ns/busybox:notlatest" + digestSuffix, "example.com/ns/busybox:notlatest" + digestSuffix, - }, - } { - parts, err := decompose(c.input) - require.NoError(t, err) - if c.withDocker == "" { - _, err := parts.referenceWithRegistry("docker.io") - assert.Error(t, err, c.input) - _, err = parts.referenceWithRegistry("example.com") - assert.Error(t, err, c.input) - } else { - ref, err := parts.referenceWithRegistry("docker.io") - require.NoError(t, err, c.input) - assert.Equal(t, c.withDocker, ref.String()) - ref, err = parts.referenceWithRegistry("example.com") - require.NoError(t, err, c.input) - assert.Equal(t, c.withNonDocker, ref.String()) - } - } - - // Invalid registry value - parts, err := decompose("busybox") - require.NoError(t, err) - _, err = parts.referenceWithRegistry("invalid@domain") - assert.Error(t, err) -} - -func TestImagePartsNormalizedReference(t *testing.T) { - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - - for _, c := range []struct{ input, expected string }{ - {"busybox", ""}, // Unqualified input is invalid - {"docker.io/busybox", "docker.io/library/busybox"}, // docker.io single-name - {"example.com/busybox", "example.com/busybox"}, // example.com single-name - {"docker.io/ns/busybox", "docker.io/ns/busybox"}, // docker.io namespaced - {"example.com/ns/busybox", "example.com/ns/busybox"}, // example.com namespaced - {"example.com/ns/busybox:notlatest", "example.com/ns/busybox:notlatest"}, // name:tag - {"example.com/ns/busybox" + digestSuffix, "example.com/ns/busybox" + digestSuffix}, // name@digest - { // name:tag@digest - "example.com/ns/busybox:notlatest" + digestSuffix, "example.com/ns/busybox:notlatest" + digestSuffix, - }, - } { - parts, err := decompose(c.input) - require.NoError(t, err) - if c.expected == "" { - _, err := parts.normalizedReference() - assert.Error(t, err, c.input) - } else { - ref, err := parts.normalizedReference() - require.NoError(t, err, c.input) - assert.Equal(t, c.expected, ref.String()) - } - } -} diff --git a/libpod/image/prune.go b/libpod/image/prune.go deleted file mode 100644 index 0e41fde44..000000000 --- a/libpod/image/prune.go +++ /dev/null @@ -1,164 +0,0 @@ -package image - -import ( - "context" - "strconv" - "strings" - - "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/pkg/domain/entities/reports" - "github.com/containers/podman/v3/pkg/util" - "github.com/containers/storage" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" -) - -func generatePruneFilterFuncs(filter, filterValue string) (ImageFilter, error) { - switch filter { - case "label": - return func(i *Image) bool { - labels, err := i.Labels(context.Background()) - if err != nil { - return false - } - return util.MatchLabelFilters([]string{filterValue}, labels) - }, nil - - case "until": - until, err := util.ComputeUntilTimestamp([]string{filterValue}) - if err != nil { - return nil, err - } - return func(i *Image) bool { - if !until.IsZero() && i.Created().After((until)) { - return true - } - return false - }, nil - case "dangling": - danglingImages, err := strconv.ParseBool(filterValue) - if err != nil { - return nil, errors.Wrapf(err, "invalid filter dangling=%s", filterValue) - } - return ImageFilter(DanglingFilter(danglingImages)), nil - } - return nil, nil -} - -// GetPruneImages returns a slice of images that have no names/unused -func (ir *Runtime) GetPruneImages(ctx context.Context, all bool, filterFuncs []ImageFilter) ([]*Image, error) { - var ( - pruneImages []*Image - ) - - allImages, err := ir.GetRWImages() - if err != nil { - return nil, err - } - - tree, err := ir.layerTree() - if err != nil { - return nil, err - } - - for _, i := range allImages { - // filter the images based on this. - for _, filterFunc := range filterFuncs { - if !filterFunc(i) { - continue - } - } - - if all { - containers, err := i.Containers() - if err != nil { - return nil, err - } - if len(containers) < 1 { - pruneImages = append(pruneImages, i) - continue - } - } - - // skip the cache (i.e., with parent) and intermediate (i.e., - // with children) images - intermediate, err := tree.hasChildrenAndParent(ctx, i) - if err != nil { - return nil, err - } - if intermediate { - continue - } - - if i.Dangling() { - pruneImages = append(pruneImages, i) - } - } - return pruneImages, nil -} - -// PruneImages prunes dangling and optionally all unused images from the local -// image store -func (ir *Runtime) PruneImages(ctx context.Context, all bool, filter []string) ([]*reports.PruneReport, error) { - preports := make([]*reports.PruneReport, 0) - filterFuncs := make([]ImageFilter, 0, len(filter)) - for _, f := range filter { - filterSplit := strings.SplitN(f, "=", 2) - if len(filterSplit) < 2 { - return nil, errors.Errorf("filter input must be in the form of filter=value: %s is invalid", f) - } - - generatedFunc, err := generatePruneFilterFuncs(filterSplit[0], filterSplit[1]) - if err != nil { - return nil, errors.Wrapf(err, "invalid filter") - } - filterFuncs = append(filterFuncs, generatedFunc) - } - - prev := 0 - for { - toPrune, err := ir.GetPruneImages(ctx, all, filterFuncs) - if err != nil { - return nil, errors.Wrap(err, "unable to get images to prune") - } - numImages := len(toPrune) - if numImages == 0 || numImages == prev { - // If there's nothing left to do, return. - break - } - prev = numImages - for _, img := range toPrune { - repotags, err := img.RepoTags() - if err != nil { - return nil, err - } - nameOrID := img.ID() - s, err := img.Size(ctx) - imgSize := uint64(0) - if err != nil { - logrus.Warnf("Failed to collect image size for: %s, %s", nameOrID, err) - } else { - imgSize = *s - } - if err := img.Remove(ctx, false); err != nil { - if errors.Cause(err) == storage.ErrImageUsedByContainer { - logrus.Warnf("Failed to prune image %s as it is in use: %v.\nA container associated with containers/storage (e.g., Buildah, CRI-O, etc.) maybe associated with this image.\nUsing the rmi command with the --force option will remove the container and image, but may cause failures for other dependent systems.", img.ID(), err) - continue - } - return nil, errors.Wrap(err, "failed to prune image") - } - defer img.newImageEvent(events.Prune) - - if len(repotags) > 0 { - nameOrID = repotags[0] - } - - preports = append(preports, &reports.PruneReport{ - Id: nameOrID, - Err: nil, - Size: uint64(imgSize), - }) - } - } - return preports, nil -} diff --git a/libpod/image/pull.go b/libpod/image/pull.go deleted file mode 100644 index 6517fbd07..000000000 --- a/libpod/image/pull.go +++ /dev/null @@ -1,437 +0,0 @@ -package image - -import ( - "context" - "fmt" - "io" - "path/filepath" - "strings" - "time" - - "github.com/containers/common/pkg/retry" - cp "github.com/containers/image/v5/copy" - "github.com/containers/image/v5/directory" - "github.com/containers/image/v5/docker" - dockerarchive "github.com/containers/image/v5/docker/archive" - ociarchive "github.com/containers/image/v5/oci/archive" - oci "github.com/containers/image/v5/oci/layout" - "github.com/containers/image/v5/pkg/shortnames" - is "github.com/containers/image/v5/storage" - "github.com/containers/image/v5/transports" - "github.com/containers/image/v5/transports/alltransports" - "github.com/containers/image/v5/types" - "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/pkg/errorhandling" - "github.com/containers/podman/v3/pkg/registries" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" -) - -var ( - // DockerArchive is the transport we prepend to an image name - // when saving to docker-archive - DockerArchive = dockerarchive.Transport.Name() - // OCIArchive is the transport we prepend to an image name - // when saving to oci-archive - OCIArchive = ociarchive.Transport.Name() - // DirTransport is the transport for pushing and pulling - // images to and from a directory - DirTransport = directory.Transport.Name() - // DockerTransport is the transport for docker registries - DockerTransport = docker.Transport.Name() - // OCIDirTransport is the transport for pushing and pulling - // images to and from a directory containing an OCI image - OCIDirTransport = oci.Transport.Name() - // AtomicTransport is the transport for atomic registries - AtomicTransport = "atomic" - // DefaultTransport is a prefix that we apply to an image name - // NOTE: This is a string prefix, not actually a transport name usable for transports.Get(); - // and because syntaxes of image names are transport-dependent, the prefix is not really interchangeable; - // each user implicitly assumes the appended string is a Docker-like reference. - DefaultTransport = DockerTransport + "://" - // DefaultLocalRegistry is the default local registry for local image operations - // Remote pulls will still use defined registries - DefaultLocalRegistry = "localhost" -) - -// pullRefPair records a pair of prepared image references to pull. -type pullRefPair struct { - image string - srcRef types.ImageReference - dstRef types.ImageReference - resolvedShortname *shortnames.PullCandidate // if set, must be recorded after successful pull -} - -// cleanUpFunc is a function prototype for clean-up functions. -type cleanUpFunc func() error - -// pullGoal represents the prepared image references and decided behavior to be executed by imagePull -type pullGoal struct { - refPairs []pullRefPair - pullAllPairs bool // Pull all refPairs instead of stopping on first success. - cleanUpFuncs []cleanUpFunc // Mainly used to close long-lived objects (e.g., an archive.Reader) - shortName string // Set when pulling a short name - resolved *shortnames.Resolved // Set when pulling a short name -} - -// cleanUp invokes all cleanUpFuncs. Certain resources may not be available -// anymore. Errors are logged. -func (p *pullGoal) cleanUp() { - for _, f := range p.cleanUpFuncs { - if err := f(); err != nil { - logrus.Error(err.Error()) - } - } -} - -// singlePullRefPairGoal returns a no-frills pull goal for the specified reference pair. -func singlePullRefPairGoal(rp pullRefPair) *pullGoal { - return &pullGoal{ - refPairs: []pullRefPair{rp}, - pullAllPairs: false, // Does not really make a difference. - } -} - -func (ir *Runtime) getPullRefPair(srcRef types.ImageReference, destName string) (pullRefPair, error) { - decomposedDest, err := decompose(destName) - if err == nil && !decomposedDest.hasRegistry { - // If the image doesn't have a registry, set it as the default repo - ref, err := decomposedDest.referenceWithRegistry(DefaultLocalRegistry) - if err != nil { - return pullRefPair{}, err - } - destName = ref.String() - } - - reference := destName - if srcRef.DockerReference() != nil { - reference = srcRef.DockerReference().String() - } - destRef, err := is.Transport.ParseStoreReference(ir.store, reference) - if err != nil { - return pullRefPair{}, errors.Wrapf(err, "error parsing dest reference name %#v", destName) - } - return pullRefPair{ - image: destName, - srcRef: srcRef, - dstRef: destRef, - }, nil -} - -// getSinglePullRefPairGoal calls getPullRefPair with the specified parameters, and returns a single-pair goal for the return value. -func (ir *Runtime) getSinglePullRefPairGoal(srcRef types.ImageReference, destName string) (*pullGoal, error) { - rp, err := ir.getPullRefPair(srcRef, destName) - if err != nil { - return nil, err - } - return singlePullRefPairGoal(rp), nil -} - -// getPullRefPairsFromDockerArchiveReference returns a slice of pullRefPairs -// for the specified docker reference and the corresponding archive.Reader. -func (ir *Runtime) getPullRefPairsFromDockerArchiveReference(ctx context.Context, reader *dockerarchive.Reader, ref types.ImageReference, sc *types.SystemContext) ([]pullRefPair, error) { - destNames, err := reader.ManifestTagsForReference(ref) - if err != nil { - return nil, err - } - - if len(destNames) == 0 { - destName, err := getImageDigest(ctx, ref, sc) - if err != nil { - return nil, err - } - destNames = append(destNames, destName) - } else { - for i := range destNames { - ref, err := NormalizedTag(destNames[i]) - if err != nil { - return nil, err - } - destNames[i] = ref.String() - } - } - - refPairs := []pullRefPair{} - for _, destName := range destNames { - destRef, err := is.Transport.ParseStoreReference(ir.store, destName) - if err != nil { - return nil, errors.Wrapf(err, "error parsing dest reference name %#v", destName) - } - pair := pullRefPair{ - image: destName, - srcRef: ref, - dstRef: destRef, - } - refPairs = append(refPairs, pair) - } - - return refPairs, nil -} - -// pullGoalFromImageReference returns a pull goal for a single ImageReference, depending on the used transport. -// Note that callers are responsible for invoking (*pullGoal).cleanUp() to clean up possibly open resources. -func (ir *Runtime) pullGoalFromImageReference(ctx context.Context, srcRef types.ImageReference, imgName string, sc *types.SystemContext) (*pullGoal, error) { - // supports pulling from docker-archive, oci, and registries - switch srcRef.Transport().Name() { - case DockerArchive: - reader, readerRef, err := dockerarchive.NewReaderForReference(sc, srcRef) - if err != nil { - return nil, err - } - - pairs, err := ir.getPullRefPairsFromDockerArchiveReference(ctx, reader, readerRef, sc) - if err != nil { - // No need to defer for a single error path. - if err := reader.Close(); err != nil { - logrus.Error(err.Error()) - } - return nil, err - } - - return &pullGoal{ - pullAllPairs: true, - refPairs: pairs, - cleanUpFuncs: []cleanUpFunc{reader.Close}, - }, nil - - case OCIArchive: - // retrieve the manifest from index.json to access the image name - manifest, err := ociarchive.LoadManifestDescriptor(srcRef) - if err != nil { - return nil, errors.Wrapf(err, "error loading manifest for %q", srcRef) - } - var dest string - if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" { - // If the input image has no image.ref.name, we need to feed it a dest anyways - // use the hex of the digest - dest, err = getImageDigest(ctx, srcRef, sc) - if err != nil { - return nil, errors.Wrapf(err, "error getting image digest; image reference not found") - } - } else { - dest = manifest.Annotations["org.opencontainers.image.ref.name"] - } - return ir.getSinglePullRefPairGoal(srcRef, dest) - - case DirTransport: - image := toLocalImageName(srcRef.StringWithinTransport()) - return ir.getSinglePullRefPairGoal(srcRef, image) - - case OCIDirTransport: - split := strings.SplitN(srcRef.StringWithinTransport(), ":", 2) - image := toLocalImageName(split[0]) - return ir.getSinglePullRefPairGoal(srcRef, image) - - default: - return ir.getSinglePullRefPairGoal(srcRef, imgName) - } -} - -// toLocalImageName converts an image name into a 'localhost/' prefixed one -func toLocalImageName(imageName string) string { - return fmt.Sprintf( - "%s/%s", - DefaultLocalRegistry, - strings.TrimLeft(imageName, "/"), - ) -} - -// pullImageFromHeuristicSource pulls an image based on inputName, which is heuristically parsed and may involve configured registries. -// Use pullImageFromReference if the source is known precisely. -func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName string, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, retryOptions *retry.RetryOptions, label *string, progress chan types.ProgressProperties) ([]string, error) { - var goal *pullGoal - sc := GetSystemContext(signaturePolicyPath, authfile, false) - if dockerOptions != nil { - sc.OSChoice = dockerOptions.OSChoice - sc.ArchitectureChoice = dockerOptions.ArchitectureChoice - sc.VariantChoice = dockerOptions.VariantChoice - sc.SystemRegistriesConfPath = dockerOptions.RegistriesConfPath - } - if signaturePolicyPath == "" { - sc.SignaturePolicyPath = ir.SignaturePolicyPath - } - sc.BlobInfoCacheDir = filepath.Join(ir.store.GraphRoot(), "cache") - srcRef, err := alltransports.ParseImageName(inputName) - if err != nil { - // We might be pulling with an unqualified image reference in which case - // we need to make sure that we're not using any other transport. - srcTransport := alltransports.TransportFromImageName(inputName) - if srcTransport != nil && srcTransport.Name() != DockerTransport { - return nil, err - } - goal, err = ir.pullGoalFromPossiblyUnqualifiedName(sc, writer, inputName) - if err != nil { - return nil, errors.Wrap(err, "error getting default registries to try") - } - } else { - goal, err = ir.pullGoalFromImageReference(ctx, srcRef, inputName, sc) - if err != nil { - return nil, errors.Wrapf(err, "error determining pull goal for image %q", inputName) - } - } - defer goal.cleanUp() - return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, retryOptions, label, progress) -} - -// pullImageFromReference pulls an image from a types.imageReference. -func (ir *Runtime) pullImageFromReference(ctx context.Context, srcRef types.ImageReference, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, retryOptions *retry.RetryOptions) ([]string, error) { - sc := GetSystemContext(signaturePolicyPath, authfile, false) - if dockerOptions != nil { - sc.OSChoice = dockerOptions.OSChoice - sc.ArchitectureChoice = dockerOptions.ArchitectureChoice - sc.VariantChoice = dockerOptions.VariantChoice - } - goal, err := ir.pullGoalFromImageReference(ctx, srcRef, transports.ImageName(srcRef), sc) - if err != nil { - return nil, errors.Wrapf(err, "error determining pull goal for image %q", transports.ImageName(srcRef)) - } - defer goal.cleanUp() - return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, retryOptions, nil, nil) -} - -func cleanErrorMessage(err error) string { - errMessage := strings.TrimPrefix(errors.Cause(err).Error(), "errors:\n") - errMessage = strings.Split(errMessage, "\n")[0] - return fmt.Sprintf(" %s\n", errMessage) -} - -// doPullImage is an internal helper interpreting pullGoal. Almost everyone should call one of the callers of doPullImage instead. -func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goal pullGoal, writer io.Writer, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, retryOptions *retry.RetryOptions, label *string, progress chan types.ProgressProperties) ([]string, error) { - policyContext, err := getPolicyContext(sc) - if err != nil { - return nil, err - } - defer func() { - if err := policyContext.Destroy(); err != nil { - logrus.Errorf("failed to destroy policy context: %q", err) - } - }() - - var systemRegistriesConfPath string - if dockerOptions != nil && dockerOptions.RegistriesConfPath != "" { - systemRegistriesConfPath = dockerOptions.RegistriesConfPath - } else { - systemRegistriesConfPath = registries.SystemRegistriesConfPath() - } - - var ( - images []string - pullErrors []error - ) - - for _, imageInfo := range goal.refPairs { - copyOptions := getCopyOptions(sc, writer, dockerOptions, nil, signingOptions, "", nil) - copyOptions.SourceCtx.SystemRegistriesConfPath = systemRegistriesConfPath // FIXME: Set this more globally. Probably no reason not to have it in every types.SystemContext, and to compute the value just once in one place. - if progress != nil { - copyOptions.Progress = progress - copyOptions.ProgressInterval = time.Second - } - // Print the following statement only when pulling from a docker or atomic registry - if writer != nil && (imageInfo.srcRef.Transport().Name() == DockerTransport || imageInfo.srcRef.Transport().Name() == AtomicTransport) { - if _, err := io.WriteString(writer, fmt.Sprintf("Trying to pull %s...\n", imageInfo.image)); err != nil { - return nil, err - } - } - // If the label is not nil, check if the label exists and if not, return err - if label != nil { - if err := checkRemoteImageForLabel(ctx, *label, imageInfo, sc); err != nil { - return nil, err - } - } - imageInfo := imageInfo - if err = retry.RetryIfNecessary(ctx, func() error { - _, err = cp.Image(ctx, policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions) - return err - }, retryOptions); err != nil { - pullErrors = append(pullErrors, err) - logrus.Debugf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err) - if writer != nil { - _, _ = io.WriteString(writer, cleanErrorMessage(err)) - } - } else { - if imageInfo.resolvedShortname != nil { - if err := imageInfo.resolvedShortname.Record(); err != nil { - logrus.Errorf("Error recording short-name alias %q: %v", imageInfo.resolvedShortname.Value.String(), err) - } - } - if !goal.pullAllPairs { - ir.newImageEvent(events.Pull, "") - return []string{imageInfo.image}, nil - } - images = append(images, imageInfo.image) - } - } - // If no image was found, we should handle. Lets be nicer to the user - // and see if we can figure out why. - if len(images) == 0 { - if goal.resolved != nil { - return nil, goal.resolved.FormatPullErrors(pullErrors) - } - return nil, errorhandling.JoinErrors(pullErrors) - } - - ir.newImageEvent(events.Pull, images[0]) - return images, nil -} - -// pullGoalFromPossiblyUnqualifiedName looks at inputName and determines the possible -// image references to try pulling in combination with the registries.conf file as well -func (ir *Runtime) pullGoalFromPossiblyUnqualifiedName(sys *types.SystemContext, writer io.Writer, inputName string) (*pullGoal, error) { - if sys == nil { - sys = &types.SystemContext{} - } - - resolved, err := shortnames.Resolve(sys, inputName) - if err != nil { - return nil, err - } - - if desc := resolved.Description(); len(desc) > 0 { - logrus.Debug(desc) - if writer != nil { - if _, err := writer.Write([]byte(desc + "\n")); err != nil { - return nil, err - } - } - } - - refPairs := []pullRefPair{} - for i, candidate := range resolved.PullCandidates { - srcRef, err := docker.NewReference(candidate.Value) - if err != nil { - return nil, err - } - ps, err := ir.getPullRefPair(srcRef, candidate.Value.String()) - if err != nil { - return nil, err - } - ps.resolvedShortname = &resolved.PullCandidates[i] - refPairs = append(refPairs, ps) - } - return &pullGoal{ - refPairs: refPairs, - pullAllPairs: false, - shortName: inputName, - resolved: resolved, - }, nil -} - -// checkRemoteImageForLabel checks if the remote image has a specific label. if the label exists, we -// return nil, else we return an error -func checkRemoteImageForLabel(ctx context.Context, label string, imageInfo pullRefPair, sc *types.SystemContext) error { - labelImage, err := imageInfo.srcRef.NewImage(ctx, sc) - if err != nil { - return err - } - remoteInspect, err := labelImage.Inspect(ctx) - if err != nil { - return err - } - // Labels are case insensitive; so we iterate instead of simple lookup - for k := range remoteInspect.Labels { - if strings.EqualFold(label, k) { - return nil - } - } - return errors.Errorf("%s has no label %s in %q", imageInfo.image, label, remoteInspect.Labels) -} diff --git a/libpod/image/pull_test.go b/libpod/image/pull_test.go deleted file mode 100644 index 2e1464ad3..000000000 --- a/libpod/image/pull_test.go +++ /dev/null @@ -1,388 +0,0 @@ -package image - -import ( - "context" - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "testing" - - "github.com/containers/image/v5/transports" - "github.com/containers/image/v5/transports/alltransports" - "github.com/containers/image/v5/types" - "github.com/containers/storage" - "github.com/containers/storage/pkg/idtools" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -// newTestRuntime returns a *Runtime implementation and a cleanup function which the caller is expected to call. -func newTestRuntime(t *testing.T) (*Runtime, func()) { - wd, err := ioutil.TempDir("", "testStorageRuntime") - require.NoError(t, err) - err = os.MkdirAll(wd, 0700) - require.NoError(t, err) - - store, err := storage.GetStore(storage.StoreOptions{ - RunRoot: filepath.Join(wd, "run"), - GraphRoot: filepath.Join(wd, "root"), - GraphDriverName: "vfs", - GraphDriverOptions: []string{}, - UIDMap: []idtools.IDMap{{ - ContainerID: 0, - HostID: os.Getuid(), - Size: 1, - }}, - GIDMap: []idtools.IDMap{{ - ContainerID: 0, - HostID: os.Getgid(), - Size: 1, - }}, - }) - require.NoError(t, err) - - ir := NewImageRuntimeFromStore(store) - cleanup := func() { _ = os.RemoveAll(wd) } - return ir, cleanup -} - -// storageReferenceWithoutLocation returns ref.StringWithinTransport(), -// stripping the [store-specification] prefix from containers/image/storage reference format. -func storageReferenceWithoutLocation(ref types.ImageReference) string { - res := ref.StringWithinTransport() - if res[0] == '[' { - closeIndex := strings.IndexRune(res, ']') - if closeIndex > 0 { - res = res[closeIndex+1:] - } - } - return res -} - -func TestGetPullRefPair(t *testing.T) { - const imageID = "@0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - - ir, cleanup := newTestRuntime(t) - defer cleanup() - - for _, c := range []struct{ srcName, destName, expectedImage, expectedDstName string }{ - // == Source does not have a Docker reference (as is the case for docker-archive:, oci-archive, dir:); destination formats: - { // registry/name, no tag: - "dir:/dev/this-does-not-exist", "example.com/from-directory", - "example.com/from-directory", "example.com/from-directory:latest", - }, - { // name, no registry, no tag: - "dir:/dev/this-does-not-exist", "from-directory", - "localhost/from-directory", "localhost/from-directory:latest", - }, - { // registry/name:tag : - "dir:/dev/this-does-not-exist", "example.com/from-directory:notlatest", - "example.com/from-directory:notlatest", "example.com/from-directory:notlatest", - }, - { // name:tag, no registry: - "dir:/dev/this-does-not-exist", "from-directory:notlatest", - "localhost/from-directory:notlatest", "localhost/from-directory:notlatest", - }, - { // name@digest, no registry: - "dir:/dev/this-does-not-exist", "from-directory" + digestSuffix, - "localhost/from-directory" + digestSuffix, "localhost/from-directory" + digestSuffix, - }, - { // registry/name@digest: - "dir:/dev/this-does-not-exist", "example.com/from-directory" + digestSuffix, - "example.com/from-directory" + digestSuffix, "example.com/from-directory" + digestSuffix, - }, - { // ns/name:tag, no registry: - "dir:/dev/this-does-not-exist", "ns/from-directory:notlatest", - "localhost/ns/from-directory:notlatest", "localhost/ns/from-directory:notlatest", - }, - { // containers-storage image ID - "dir:/dev/this-does-not-exist", imageID, - imageID, imageID, - }, - // == Source does have a Docker reference. - // In that case getPullListFromRef uses the full transport:name input as a destName, - // which would be invalid in the returned dstName - but dstName is derived from the source, so it does not really matter _so_ much. - // Note that unlike real-world use we use different :source and :destination to verify the data flow in more detail. - { // registry/name:tag - "docker://example.com/busybox:source", "docker://example.com/busybox:destination", - "docker://example.com/busybox:destination", "example.com/busybox:source", - }, - { // Implied docker.io/library and :latest - "docker://busybox", "docker://busybox:destination", - "docker://busybox:destination", "docker.io/library/busybox:latest", - }, - // == Invalid destination format. - {"tarball:/dev/null", "tarball:/dev/null", "", ""}, - } { - testDescription := fmt.Sprintf("%#v %#v", c.srcName, c.destName) - srcRef, err := alltransports.ParseImageName(c.srcName) - require.NoError(t, err, testDescription) - - res, err := ir.getPullRefPair(srcRef, c.destName) - if c.expectedDstName == "" { - assert.Error(t, err, testDescription) - } else { - require.NoError(t, err, testDescription) - assert.Equal(t, c.expectedImage, res.image, testDescription) - assert.Equal(t, srcRef, res.srcRef, testDescription) - assert.Equal(t, c.expectedDstName, storageReferenceWithoutLocation(res.dstRef), testDescription) - } - } -} - -func TestPullGoalFromImageReference(t *testing.T) { - ir, cleanup := newTestRuntime(t) - defer cleanup() - - type expected struct{ image, dstName string } - for _, c := range []struct { - srcName string - expected []expected - expectedPullAllPairs bool - }{ - // == docker-archive: - {"docker-archive:/dev/this-does-not-exist", nil, false}, // Input does not exist. - {"docker-archive:/dev/null", nil, false}, // Input exists but does not contain a manifest. - // FIXME: The implementation has extra code for len(manifest) == 0?! That will fail in getImageDigest anyway. - { // RepoTags is empty - "docker-archive:testdata/docker-unnamed.tar.xz", - []expected{{"@ec9293436c2e66da44edb9efb8d41f6b13baf62283ebe846468bc992d76d7951", "@ec9293436c2e66da44edb9efb8d41f6b13baf62283ebe846468bc992d76d7951"}}, - true, - }, - { // RepoTags is a [docker.io/library/]name:latest, normalized to the short format. - "docker-archive:testdata/docker-name-only.tar.xz", - []expected{{"localhost/pretty-empty:latest", "localhost/pretty-empty:latest"}}, - true, - }, - { // RepoTags is a registry/name:latest - "docker-archive:testdata/docker-registry-name.tar.xz", - []expected{{"example.com/empty:latest", "example.com/empty:latest"}}, - true, - }, - { // RepoTags has multiple items for a single image - "docker-archive:testdata/docker-two-names.tar.xz", - []expected{ - {"localhost/pretty-empty:latest", "localhost/pretty-empty:latest"}, - {"example.com/empty:latest", "example.com/empty:latest"}, - }, - true, - }, - { // Reference image by name in multi-image archive - "docker-archive:testdata/docker-two-images.tar.xz:example.com/empty:latest", - []expected{ - {"example.com/empty:latest", "example.com/empty:latest"}, - }, - true, - }, - { // Reference image by name in multi-image archive - "docker-archive:testdata/docker-two-images.tar.xz:example.com/empty/but:different", - []expected{ - {"example.com/empty/but:different", "example.com/empty/but:different"}, - }, - true, - }, - { // Reference image by index in multi-image archive - "docker-archive:testdata/docker-two-images.tar.xz:@0", - []expected{ - {"example.com/empty:latest", "example.com/empty:latest"}, - }, - true, - }, - { // Reference image by index in multi-image archive - "docker-archive:testdata/docker-two-images.tar.xz:@1", - []expected{ - {"example.com/empty/but:different", "example.com/empty/but:different"}, - }, - true, - }, - { // Reference entire multi-image archive must fail (more than one manifest) - "docker-archive:testdata/docker-two-images.tar.xz", - []expected{}, - true, - }, - - // == oci-archive: - {"oci-archive:/dev/this-does-not-exist", nil, false}, // Input does not exist. - {"oci-archive:/dev/null", nil, false}, // Input exists but does not contain a manifest. - // FIXME: The remaining tests are commented out for now, because oci-archive: does not work unprivileged. - // { // No name annotation - // "oci-archive:testdata/oci-unnamed.tar.gz", - // []expected{{"@5c8aca8137ac47e84c69ae93ce650ce967917cc001ba7aad5494073fac75b8b6", "@5c8aca8137ac47e84c69ae93ce650ce967917cc001ba7aad5494073fac75b8b6"}}, - // false, - // }, - // { // Name is a name:latest (no normalization is defined). - // "oci-archive:testdata/oci-name-only.tar.gz", - // []expected{{"localhost/pretty-empty:latest", "localhost/pretty-empty:latest"}}, - // false, - // }, - // { // Name is a registry/name:latest - // "oci-archive:testdata/oci-registry-name.tar.gz", - // []expected{{"example.com/empty:latest", "example.com/empty:latest"}}, - // false, - // }, - // // Name exists, but is an invalid Docker reference; such names will fail when creating dstReference. - // {"oci-archive:testdata/oci-non-docker-name.tar.gz", nil, false}, - // Maybe test support of two images in a single archive? It should be transparently handled by adding a reference to srcRef. - - // == dir: - { // Absolute path - "dir:/dev/this-does-not-exist", - []expected{{"localhost/dev/this-does-not-exist", "localhost/dev/this-does-not-exist:latest"}}, - false, - }, - { // Relative path, single element. - "dir:this-does-not-exist", - []expected{{"localhost/this-does-not-exist", "localhost/this-does-not-exist:latest"}}, - false, - }, - { // Relative path, multiple elements. - "dir:testdata/this-does-not-exist", - []expected{{"localhost/testdata/this-does-not-exist", "localhost/testdata/this-does-not-exist:latest"}}, - false, - }, - - // == Others, notably: - // === docker:// (has ImageReference.DockerReference) - { // Fully-specified input - "docker://docker.io/library/busybox:latest", - []expected{{"docker://docker.io/library/busybox:latest", "docker.io/library/busybox:latest"}}, - false, - }, - { // Minimal form of the input - "docker://busybox", - []expected{{"docker://busybox", "docker.io/library/busybox:latest"}}, - false, - }, - - // === tarball: (as an example of what happens when ImageReference.DockerReference is nil). - // FIXME? This tries to parse "tarball:/dev/null" as a storageReference, and fails. - // (This is NOT an API promise that the results will continue to be this way.) - {"tarball:/dev/null", nil, false}, - } { - srcRef, err := alltransports.ParseImageName(c.srcName) - require.NoError(t, err, c.srcName) - - res, err := ir.pullGoalFromImageReference(context.Background(), srcRef, c.srcName, nil) - if len(c.expected) == 0 { - assert.Error(t, err, c.srcName) - } else { - require.NoError(t, err, c.srcName) - require.Len(t, res.refPairs, len(c.expected), c.srcName) - for i, e := range c.expected { - testDescription := fmt.Sprintf("%s #%d", c.srcName, i) - assert.Equal(t, e.image, res.refPairs[i].image, testDescription) - assert.Equal(t, transports.ImageName(srcRef), transports.ImageName(res.refPairs[i].srcRef), testDescription) - assert.Equal(t, e.dstName, storageReferenceWithoutLocation(res.refPairs[i].dstRef), testDescription) - } - assert.Equal(t, c.expectedPullAllPairs, res.pullAllPairs, c.srcName) - } - } -} - -const registriesConfWithSearch = `unqualified-search-registries = ['example.com', 'docker.io']` - -func TestPullGoalFromPossiblyUnqualifiedName(t *testing.T) { - const digestSuffix = "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" - type pullRefStrings struct{ image, srcRef, dstName string } // pullRefPair with string data only - - registriesConf, err := ioutil.TempFile("", "TestPullGoalFromPossiblyUnqualifiedName") - require.NoError(t, err) - defer registriesConf.Close() - defer os.Remove(registriesConf.Name()) - - err = ioutil.WriteFile(registriesConf.Name(), []byte(registriesConfWithSearch), 0600) - require.NoError(t, err) - - ir, cleanup := newTestRuntime(t) - defer cleanup() - - sc := GetSystemContext("", "", false) - - aliasesConf, err := ioutil.TempFile("", "short-name-aliases.conf") - require.NoError(t, err) - defer aliasesConf.Close() - defer os.Remove(aliasesConf.Name()) - sc.UserShortNameAliasConfPath = aliasesConf.Name() - sc.SystemRegistriesConfPath = registriesConf.Name() - - for _, c := range []struct { - input string - expected []pullRefStrings - }{ - {"#", nil}, // Clearly invalid. - { // Fully-explicit docker.io, name-only. - "docker.io/library/busybox", - // (The docker:// representation is shortened by c/image/docker.Reference but it refers to "docker.io/library".) - []pullRefStrings{{"docker.io/library/busybox:latest", "docker://busybox:latest", "docker.io/library/busybox:latest"}}, - }, - { // docker.io with implied /library/, name-only. - "docker.io/busybox", - // (The docker:// representation is shortened by c/image/docker.Reference but it refers to "docker.io/library".) - []pullRefStrings{{"docker.io/library/busybox:latest", "docker://busybox:latest", "docker.io/library/busybox:latest"}}, - }, - { // Qualified example.com, name-only. - "example.com/ns/busybox", - []pullRefStrings{{"example.com/ns/busybox:latest", "docker://example.com/ns/busybox:latest", "example.com/ns/busybox:latest"}}, - }, - { // Qualified example.com, name:tag. - "example.com/ns/busybox:notlatest", - []pullRefStrings{{"example.com/ns/busybox:notlatest", "docker://example.com/ns/busybox:notlatest", "example.com/ns/busybox:notlatest"}}, - }, - { // Qualified example.com, name@digest. - "example.com/ns/busybox" + digestSuffix, - []pullRefStrings{{"example.com/ns/busybox" + digestSuffix, "docker://example.com/ns/busybox" + digestSuffix, - "example.com/ns/busybox" + digestSuffix}}, - }, - // Qualified example.com, name:tag@digest. This code is happy to try, but .srcRef parsing currently rejects such input. - {"example.com/ns/busybox:notlatest" + digestSuffix, nil}, - { // Unqualified, single-name, name-only - "busybox", - []pullRefStrings{ - {"example.com/busybox:latest", "docker://example.com/busybox:latest", "example.com/busybox:latest"}, - // (The docker:// representation is shortened by c/image/docker.Reference but it refers to "docker.io/library".) - {"docker.io/library/busybox:latest", "docker://busybox:latest", "docker.io/library/busybox:latest"}, - }, - }, - { // Unqualified, namespaced, name-only - "ns/busybox", - []pullRefStrings{ - {"example.com/ns/busybox:latest", "docker://example.com/ns/busybox:latest", "example.com/ns/busybox:latest"}, - }, - }, - { // Unqualified, name:tag - "busybox:notlatest", - []pullRefStrings{ - {"example.com/busybox:notlatest", "docker://example.com/busybox:notlatest", "example.com/busybox:notlatest"}, - // (The docker:// representation is shortened by c/image/docker.Reference but it refers to "docker.io/library".) - {"docker.io/library/busybox:notlatest", "docker://busybox:notlatest", "docker.io/library/busybox:notlatest"}, - }, - }, - { // Unqualified, name@digest - "busybox" + digestSuffix, - []pullRefStrings{ - {"example.com/busybox" + digestSuffix, "docker://example.com/busybox" + digestSuffix, "example.com/busybox" + digestSuffix}, - // (The docker:// representation is shortened by c/image/docker.Reference but it refers to "docker.io/library".) - {"docker.io/library/busybox" + digestSuffix, "docker://busybox" + digestSuffix, "docker.io/library/busybox" + digestSuffix}, - }, - }, - // Unqualified, name:tag@digest. This code is happy to try, but .srcRef parsing currently rejects such input. - {"busybox:notlatest" + digestSuffix, nil}, - } { - res, err := ir.pullGoalFromPossiblyUnqualifiedName(sc, nil, c.input) - if len(c.expected) == 0 { - assert.Error(t, err, c.input) - } else { - assert.NoError(t, err, c.input) - for i, e := range c.expected { - testDescription := fmt.Sprintf("%s #%d (%v)", c.input, i, res.refPairs) - assert.Equal(t, e.image, res.refPairs[i].image, testDescription) - assert.Equal(t, e.srcRef, transports.ImageName(res.refPairs[i].srcRef), testDescription) - assert.Equal(t, e.dstName, storageReferenceWithoutLocation(res.refPairs[i].dstRef), testDescription) - } - assert.False(t, res.pullAllPairs, c.input) - } - } -} diff --git a/libpod/image/search.go b/libpod/image/search.go deleted file mode 100644 index 714551e6e..000000000 --- a/libpod/image/search.go +++ /dev/null @@ -1,318 +0,0 @@ -package image - -import ( - "context" - "fmt" - "strconv" - "strings" - "sync" - - "github.com/containers/image/v5/docker" - "github.com/containers/image/v5/transports/alltransports" - "github.com/containers/image/v5/types" - sysreg "github.com/containers/podman/v3/pkg/registries" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "golang.org/x/sync/semaphore" -) - -const ( - descriptionTruncLength = 44 - maxQueries = 25 - maxParallelSearches = int64(6) -) - -// SearchResult is holding image-search related data. -type SearchResult struct { - // Index is the image index (e.g., "docker.io" or "quay.io") - Index string - // Name is the canonical name of the image (e.g., "docker.io/library/alpine"). - Name string - // Description of the image. - Description string - // Stars is the number of stars of the image. - Stars int - // Official indicates if it's an official image. - Official string - // Automated indicates if the image was created by an automated build. - Automated string - // Tag is the image tag - Tag string -} - -// SearchOptions are used to control the behaviour of SearchImages. -type SearchOptions struct { - // Filter allows to filter the results. - Filter SearchFilter - // Limit limits the number of queries per index (default: 25). Must be - // greater than 0 to overwrite the default value. - Limit int - // NoTrunc avoids the output to be truncated. - NoTrunc bool - // Authfile is the path to the authentication file. - Authfile string - // InsecureSkipTLSVerify allows to skip TLS verification. - InsecureSkipTLSVerify types.OptionalBool - // ListTags returns the search result with available tags - ListTags bool -} - -// SearchFilter allows filtering the results of SearchImages. -type SearchFilter struct { - // Stars describes the minimal amount of starts of an image. - Stars int - // IsAutomated decides if only images from automated builds are displayed. - IsAutomated types.OptionalBool - // IsOfficial decides if only official images are displayed. - IsOfficial types.OptionalBool -} - -// SearchImages searches images based on term and the specified SearchOptions -// in all registries. -func SearchImages(term string, options SearchOptions) ([]SearchResult, error) { - registry := "" - - // Try to extract a registry from the specified search term. We - // consider everything before the first slash to be the registry. Note - // that we cannot use the reference parser from the containers/image - // library as the search term may container arbitrary input such as - // wildcards. See bugzilla.redhat.com/show_bug.cgi?id=1846629. - if spl := strings.SplitN(term, "/", 2); len(spl) > 1 { - registry = spl[0] - term = spl[1] - } - - registries, err := getRegistries(registry) - if err != nil { - return nil, err - } - - // searchOutputData is used as a return value for searching in parallel. - type searchOutputData struct { - data []SearchResult - err error - } - - // Let's follow Firefox by limiting parallel downloads to 6. - sem := semaphore.NewWeighted(maxParallelSearches) - wg := sync.WaitGroup{} - wg.Add(len(registries)) - data := make([]searchOutputData, len(registries)) - - searchImageInRegistryHelper := func(index int, registry string) { - defer sem.Release(1) - defer wg.Done() - searchOutput, err := searchImageInRegistry(term, registry, options) - data[index] = searchOutputData{data: searchOutput, err: err} - } - - ctx := context.Background() - for i := range registries { - if err := sem.Acquire(ctx, 1); err != nil { - return nil, err - } - go searchImageInRegistryHelper(i, registries[i]) - } - - wg.Wait() - results := []SearchResult{} - var lastError error - for _, d := range data { - if d.err != nil { - if lastError != nil { - logrus.Errorf("%v", lastError) - } - lastError = d.err - continue - } - results = append(results, d.data...) - } - if len(results) > 0 { - return results, nil - } - return results, lastError -} - -// getRegistries returns the list of registries to search, depending on an optional registry specification -func getRegistries(registry string) ([]string, error) { - var registries []string - if registry != "" { - registries = append(registries, registry) - } else { - var err error - registries, err = sysreg.GetRegistries() - if err != nil { - return nil, errors.Wrapf(err, "error getting registries to search") - } - } - return registries, nil -} - -func searchImageInRegistry(term string, registry string, options SearchOptions) ([]SearchResult, error) { - // Max number of queries by default is 25 - limit := maxQueries - if options.Limit > 0 { - limit = options.Limit - } - - sc := GetSystemContext("", options.Authfile, false) - sc.DockerInsecureSkipTLSVerify = options.InsecureSkipTLSVerify - // FIXME: Set this more globally. Probably no reason not to have it in - // every types.SystemContext, and to compute the value just once in one - // place. - sc.SystemRegistriesConfPath = sysreg.SystemRegistriesConfPath() - if options.ListTags { - results, err := searchRepositoryTags(registry, term, sc, options) - if err != nil { - return []SearchResult{}, err - } - return results, nil - } - - results, err := docker.SearchRegistry(context.TODO(), sc, registry, term, limit) - if err != nil { - return []SearchResult{}, err - } - index := registry - arr := strings.Split(registry, ".") - if len(arr) > 2 { - index = strings.Join(arr[len(arr)-2:], ".") - } - - // limit is the number of results to output - // if the total number of results is less than the limit, output all - // if the limit has been set by the user, output those number of queries - limit = maxQueries - if len(results) < limit { - limit = len(results) - } - if options.Limit != 0 { - limit = len(results) - if options.Limit < len(results) { - limit = options.Limit - } - } - - paramsArr := []SearchResult{} - for i := 0; i < limit; i++ { - // Check whether query matches filters - if !(options.Filter.matchesAutomatedFilter(results[i]) && options.Filter.matchesOfficialFilter(results[i]) && options.Filter.matchesStarFilter(results[i])) { - continue - } - official := "" - if results[i].IsOfficial { - official = "[OK]" - } - automated := "" - if results[i].IsAutomated { - automated = "[OK]" - } - description := strings.Replace(results[i].Description, "\n", " ", -1) - if len(description) > 44 && !options.NoTrunc { - description = description[:descriptionTruncLength] + "..." - } - name := registry + "/" + results[i].Name - if index == "docker.io" && !strings.Contains(results[i].Name, "/") { - name = index + "/library/" + results[i].Name - } - params := SearchResult{ - Index: index, - Name: name, - Description: description, - Official: official, - Automated: automated, - Stars: results[i].StarCount, - } - paramsArr = append(paramsArr, params) - } - return paramsArr, nil -} - -func searchRepositoryTags(registry, term string, sc *types.SystemContext, options SearchOptions) ([]SearchResult, error) { - dockerPrefix := fmt.Sprintf("%s://", docker.Transport.Name()) - imageRef, err := alltransports.ParseImageName(fmt.Sprintf("%s/%s", registry, term)) - if err == nil && imageRef.Transport().Name() != docker.Transport.Name() { - return nil, errors.Errorf("reference %q must be a docker reference", term) - } else if err != nil { - imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s%s", dockerPrefix, fmt.Sprintf("%s/%s", registry, term))) - if err != nil { - return nil, errors.Errorf("reference %q must be a docker reference", term) - } - } - tags, err := docker.GetRepositoryTags(context.TODO(), sc, imageRef) - if err != nil { - return nil, errors.Errorf("error getting repository tags: %v", err) - } - limit := maxQueries - if len(tags) < limit { - limit = len(tags) - } - if options.Limit != 0 { - limit = len(tags) - if options.Limit < limit { - limit = options.Limit - } - } - paramsArr := []SearchResult{} - for i := 0; i < limit; i++ { - params := SearchResult{ - Name: imageRef.DockerReference().Name(), - Tag: tags[i], - } - paramsArr = append(paramsArr, params) - } - return paramsArr, nil -} - -// ParseSearchFilter turns the filter into a SearchFilter that can be used for -// searching images. -func ParseSearchFilter(filter []string) (*SearchFilter, error) { - sFilter := new(SearchFilter) - for _, f := range filter { - arr := strings.SplitN(f, "=", 2) - switch arr[0] { - case "stars": - if len(arr) < 2 { - return nil, errors.Errorf("invalid `stars` filter %q, should be stars=<value>", filter) - } - stars, err := strconv.Atoi(arr[1]) - if err != nil { - return nil, errors.Wrapf(err, "incorrect value type for stars filter") - } - sFilter.Stars = stars - case "is-automated": - if len(arr) == 2 && arr[1] == "false" { - sFilter.IsAutomated = types.OptionalBoolFalse - } else { - sFilter.IsAutomated = types.OptionalBoolTrue - } - case "is-official": - if len(arr) == 2 && arr[1] == "false" { - sFilter.IsOfficial = types.OptionalBoolFalse - } else { - sFilter.IsOfficial = types.OptionalBoolTrue - } - default: - return nil, errors.Errorf("invalid filter type %q", f) - } - } - return sFilter, nil -} - -func (f *SearchFilter) matchesStarFilter(result docker.SearchResult) bool { - return result.StarCount >= f.Stars -} - -func (f *SearchFilter) matchesAutomatedFilter(result docker.SearchResult) bool { - if f.IsAutomated != types.OptionalBoolUndefined { - return result.IsAutomated == (f.IsAutomated == types.OptionalBoolTrue) - } - return true -} - -func (f *SearchFilter) matchesOfficialFilter(result docker.SearchResult) bool { - if f.IsOfficial != types.OptionalBoolUndefined { - return result.IsOfficial == (f.IsOfficial == types.OptionalBoolTrue) - } - return true -} diff --git a/libpod/image/signing_options.go b/libpod/image/signing_options.go deleted file mode 100644 index f310da749..000000000 --- a/libpod/image/signing_options.go +++ /dev/null @@ -1,10 +0,0 @@ -package image - -// SigningOptions encapsulates settings that control whether or not we strip or -// add signatures to images when writing them. -type SigningOptions struct { - // RemoveSignatures directs us to remove any signatures which are already present. - RemoveSignatures bool - // SignBy is a key identifier of some kind, indicating that a signature should be generated using the specified private key and stored with the image. - SignBy string -} diff --git a/libpod/image/testdata/docker-name-only.tar.xz b/libpod/image/testdata/docker-name-only.tar.xz Binary files differdeleted file mode 100644 index 0cad9f108..000000000 --- a/libpod/image/testdata/docker-name-only.tar.xz +++ /dev/null diff --git a/libpod/image/testdata/docker-registry-name.tar.xz b/libpod/image/testdata/docker-registry-name.tar.xz Binary files differdeleted file mode 100644 index 181816c2e..000000000 --- a/libpod/image/testdata/docker-registry-name.tar.xz +++ /dev/null diff --git a/libpod/image/testdata/docker-two-images.tar.xz b/libpod/image/testdata/docker-two-images.tar.xz Binary files differdeleted file mode 100644 index 148d8a86b..000000000 --- a/libpod/image/testdata/docker-two-images.tar.xz +++ /dev/null diff --git a/libpod/image/testdata/docker-two-names.tar.xz b/libpod/image/testdata/docker-two-names.tar.xz Binary files differdeleted file mode 100644 index 07fbc479c..000000000 --- a/libpod/image/testdata/docker-two-names.tar.xz +++ /dev/null diff --git a/libpod/image/testdata/docker-unnamed.tar.xz b/libpod/image/testdata/docker-unnamed.tar.xz Binary files differdeleted file mode 100644 index ba6ea1bae..000000000 --- a/libpod/image/testdata/docker-unnamed.tar.xz +++ /dev/null diff --git a/libpod/image/testdata/oci-name-only.tar.gz b/libpod/image/testdata/oci-name-only.tar.gz Binary files differdeleted file mode 100644 index 57bc07564..000000000 --- a/libpod/image/testdata/oci-name-only.tar.gz +++ /dev/null diff --git a/libpod/image/testdata/oci-non-docker-name.tar.gz b/libpod/image/testdata/oci-non-docker-name.tar.gz Binary files differdeleted file mode 100644 index 5ffc0eabd..000000000 --- a/libpod/image/testdata/oci-non-docker-name.tar.gz +++ /dev/null diff --git a/libpod/image/testdata/oci-registry-name.tar.gz b/libpod/image/testdata/oci-registry-name.tar.gz Binary files differdeleted file mode 100644 index e6df87339..000000000 --- a/libpod/image/testdata/oci-registry-name.tar.gz +++ /dev/null diff --git a/libpod/image/testdata/oci-unnamed.tar.gz b/libpod/image/testdata/oci-unnamed.tar.gz Binary files differdeleted file mode 100644 index de445fdf8..000000000 --- a/libpod/image/testdata/oci-unnamed.tar.gz +++ /dev/null diff --git a/libpod/image/testdata/registries.conf b/libpod/image/testdata/registries.conf deleted file mode 100644 index 16622a1ac..000000000 --- a/libpod/image/testdata/registries.conf +++ /dev/null @@ -1,4 +0,0 @@ -short-name-mode="enforcing" - -[aliases] -"busybox"="docker.io/library/busybox" diff --git a/libpod/image/tree.go b/libpod/image/tree.go deleted file mode 100644 index c7c69462f..000000000 --- a/libpod/image/tree.go +++ /dev/null @@ -1,138 +0,0 @@ -package image - -import ( - "context" - "fmt" - "strings" - - "github.com/docker/go-units" - "github.com/pkg/errors" -) - -const ( - middleItem = "├── " - continueItem = "│ " - lastItem = "└── " -) - -type tree struct { - img *Image - imageInfo *InfoImage - layerInfo map[string]*LayerInfo - sb *strings.Builder -} - -// GenerateTree creates an image tree string representation for displaying it -// to the user. -func (i *Image) GenerateTree(whatRequires bool) (string, error) { - // Fetch map of image-layers, which is used for printing output. - layerInfo, err := GetLayersMapWithImageInfo(i.imageruntime) - if err != nil { - return "", errors.Wrapf(err, "error while retrieving layers of image %q", i.InputName) - } - - // Create an imageInfo and fill the image and layer info - imageInfo := &InfoImage{ - ID: i.ID(), - Tags: i.Names(), - } - - if err := BuildImageHierarchyMap(imageInfo, layerInfo, i.TopLayer()); err != nil { - return "", err - } - sb := &strings.Builder{} - tree := &tree{i, imageInfo, layerInfo, sb} - if err := tree.print(whatRequires); err != nil { - return "", err - } - return tree.string(), nil -} - -func (t *tree) string() string { - return t.sb.String() -} - -func (t *tree) print(whatRequires bool) error { - size, err := t.img.Size(context.Background()) - if err != nil { - return err - } - - fmt.Fprintf(t.sb, "Image ID: %s\n", t.imageInfo.ID[:12]) - fmt.Fprintf(t.sb, "Tags: %s\n", t.imageInfo.Tags) - fmt.Fprintf(t.sb, "Size: %v\n", units.HumanSizeWithPrecision(float64(*size), 4)) - if t.img.TopLayer() != "" { - fmt.Fprintf(t.sb, "Image Layers\n") - } else { - fmt.Fprintf(t.sb, "No Image Layers\n") - } - - if !whatRequires { - // fill imageInfo with layers associated with image. - // the layers will be filled such that - // (Start)RootLayer->...intermediate Parent Layer(s)-> TopLayer(End) - // Build output from imageInfo into buffer - t.printImageHierarchy(t.imageInfo) - } else { - // fill imageInfo with layers associated with image. - // the layers will be filled such that - // (Start)TopLayer->...intermediate Child Layer(s)-> Child TopLayer(End) - // (Forks)... intermediate Child Layer(s) -> Child Top Layer(End) - return t.printImageChildren(t.layerInfo, t.img.TopLayer(), "", true) - } - return nil -} - -// Stores all children layers which are created using given Image. -// Layers are stored as follows -// (Start)TopLayer->...intermediate Child Layer(s)-> Child TopLayer(End) -// (Forks)... intermediate Child Layer(s) -> Child Top Layer(End) -func (t *tree) printImageChildren(layerMap map[string]*LayerInfo, layerID string, prefix string, last bool) error { - if layerID == "" { - return nil - } - ll, ok := layerMap[layerID] - if !ok { - return fmt.Errorf("lookup error: layerid %s, not found", layerID) - } - fmt.Fprint(t.sb, prefix) - - //initialize intend with middleItem to reduce middleItem checks. - intend := middleItem - if !last { - // add continueItem i.e. '|' for next iteration prefix - prefix += continueItem - } else if len(ll.ChildID) > 1 || len(ll.ChildID) == 0 { - // The above condition ensure, alignment happens for node, which has more then 1 children. - // If node is last in printing hierarchy, it should not be printed as middleItem i.e. ├── - intend = lastItem - prefix += " " - } - - var tags string - if len(ll.RepoTags) > 0 { - tags = fmt.Sprintf(" Top Layer of: %s", ll.RepoTags) - } - fmt.Fprintf(t.sb, "%sID: %s Size: %7v%s\n", intend, ll.ID[:12], units.HumanSizeWithPrecision(float64(ll.Size), 4), tags) - for count, childID := range ll.ChildID { - if err := t.printImageChildren(layerMap, childID, prefix, count == len(ll.ChildID)-1); err != nil { - return err - } - } - return nil -} - -// prints the layers info of image -func (t *tree) printImageHierarchy(imageInfo *InfoImage) { - for count, l := range imageInfo.Layers { - var tags string - intend := middleItem - if len(l.RepoTags) > 0 { - tags = fmt.Sprintf(" Top Layer of: %s", l.RepoTags) - } - if count == len(imageInfo.Layers)-1 { - intend = lastItem - } - fmt.Fprintf(t.sb, "%s ID: %s Size: %7v%s\n", intend, l.ID[:12], units.HumanSizeWithPrecision(float64(l.Size), 4), tags) - } -} diff --git a/libpod/image/utils.go b/libpod/image/utils.go deleted file mode 100644 index dfe35c017..000000000 --- a/libpod/image/utils.go +++ /dev/null @@ -1,182 +0,0 @@ -package image - -import ( - "fmt" - "io" - "net/url" - "regexp" - "strings" - - cp "github.com/containers/image/v5/copy" - "github.com/containers/image/v5/docker/reference" - "github.com/containers/image/v5/signature" - "github.com/containers/image/v5/types" - "github.com/containers/podman/v3/libpod/define" - "github.com/containers/storage" - "github.com/pkg/errors" -) - -// findImageInRepotags takes an imageParts struct and searches images' repotags for -// a match on name:tag -func findImageInRepotags(search imageParts, images []*Image) (*storage.Image, error) { - _, searchName, searchSuspiciousTagValueForSearch := search.suspiciousRefNameTagValuesForSearch() - type Candidate struct { - name string - image *Image - } - var candidates []Candidate - for _, image := range images { - for _, name := range image.Names() { - d, err := decompose(name) - // if we get an error, ignore and keep going - if err != nil { - continue - } - _, dName, dSuspiciousTagValueForSearch := d.suspiciousRefNameTagValuesForSearch() - if dSuspiciousTagValueForSearch != searchSuspiciousTagValueForSearch { - continue - } - if dName == searchName || strings.HasSuffix(dName, "/"+searchName) { - candidates = append(candidates, Candidate{ - name: name, - image: image, - }) - } - } - } - if len(candidates) == 0 { - return nil, errors.Wrapf(define.ErrNoSuchImage, "unable to find a name and tag match for %s in repotags", searchName) - } - - // If more then one candidate and the candidates all have same name - // and only one is read/write return it. - // Otherwise return error with the list of candidates - if len(candidates) > 1 { - var ( - rwImage *Image - rwImageCnt int - ) - names := make(map[string]bool) - for _, c := range candidates { - names[c.name] = true - if !c.image.IsReadOnly() { - rwImageCnt++ - rwImage = c.image - } - } - // If only one name used and have read/write image return it - if len(names) == 1 && rwImageCnt == 1 { - return rwImage.image, nil - } - keys := []string{} - for k := range names { - keys = append(keys, k) - } - if rwImageCnt > 1 { - return nil, errors.Wrapf(define.ErrMultipleImages, "found multiple read/write images %s", strings.Join(keys, ",")) - } - return nil, errors.Wrapf(define.ErrMultipleImages, "found multiple read/only images %s", strings.Join(keys, ",")) - } - return candidates[0].image.image, nil -} - -// getCopyOptions constructs a new containers/image/copy.Options{} struct from the given parameters, inheriting some from sc. -func getCopyOptions(sc *types.SystemContext, reportWriter io.Writer, srcDockerRegistry, destDockerRegistry *DockerRegistryOptions, signing SigningOptions, manifestType string, additionalDockerArchiveTags []reference.NamedTagged) *cp.Options { - if srcDockerRegistry == nil { - srcDockerRegistry = &DockerRegistryOptions{} - } - if destDockerRegistry == nil { - destDockerRegistry = &DockerRegistryOptions{} - } - srcContext := srcDockerRegistry.GetSystemContext(sc, additionalDockerArchiveTags) - destContext := destDockerRegistry.GetSystemContext(sc, additionalDockerArchiveTags) - return &cp.Options{ - RemoveSignatures: signing.RemoveSignatures, - SignBy: signing.SignBy, - ReportWriter: reportWriter, - SourceCtx: srcContext, - DestinationCtx: destContext, - ForceManifestMIMEType: manifestType, - } -} - -// getPolicyContext sets up, initializes and returns a new context for the specified policy -func getPolicyContext(ctx *types.SystemContext) (*signature.PolicyContext, error) { - policy, err := signature.DefaultPolicy(ctx) - if err != nil { - return nil, err - } - - policyContext, err := signature.NewPolicyContext(policy) - if err != nil { - return nil, err - } - return policyContext, nil -} - -// hasTransport determines if the image string contains '://', returns bool -func hasTransport(image string) bool { - return strings.Contains(image, "://") -} - -// GetAdditionalTags returns a list of reference.NamedTagged for the -// additional tags given in images -func GetAdditionalTags(images []string) ([]reference.NamedTagged, error) { - var allTags []reference.NamedTagged - for _, img := range images { - ref, err := reference.ParseNormalizedNamed(img) - if err != nil { - return nil, errors.Wrapf(err, "error parsing additional tags") - } - refTagged, isTagged := ref.(reference.NamedTagged) - if isTagged { - allTags = append(allTags, refTagged) - } - } - return allTags, nil -} - -// IsValidImageURI checks if image name has valid format -func IsValidImageURI(imguri string) (bool, error) { - uri := "http://" + imguri - u, err := url.Parse(uri) - if err != nil { - return false, errors.Wrapf(err, "invalid image uri: %s", imguri) - } - reg := regexp.MustCompile(`^[a-zA-Z0-9-_\.]+\/?:?[0-9]*[a-z0-9-\/:]*$`) - ret := reg.FindAllString(u.Host, -1) - if len(ret) == 0 { - return false, errors.Wrapf(err, "invalid image uri: %s", imguri) - } - reg = regexp.MustCompile(`^[a-z0-9-:\./]*$`) - ret = reg.FindAllString(u.Fragment, -1) - if len(ret) == 0 { - return false, errors.Wrapf(err, "invalid image uri: %s", imguri) - } - return true, nil -} - -// imageNameForSaveDestination returns a Docker-like reference appropriate for saving img, -// which the user referred to as imgUserInput; or an empty string, if there is no appropriate -// reference. -func imageNameForSaveDestination(img *Image, imgUserInput string) string { - if strings.Contains(img.ID(), imgUserInput) { - return "" - } - - prepend := "" - localRegistryPrefix := fmt.Sprintf("%s/", DefaultLocalRegistry) - if !strings.HasPrefix(imgUserInput, localRegistryPrefix) { - // we need to check if localhost was added to the image name in NewFromLocal - for _, name := range img.Names() { - // If the user is saving an image in the localhost registry, getLocalImage need - // a name that matches the format localhost/<tag1>:<tag2> or localhost/<tag>:latest to correctly - // set up the manifest and save. - if strings.HasPrefix(name, localRegistryPrefix) && (strings.HasSuffix(name, imgUserInput) || strings.HasSuffix(name, fmt.Sprintf("%s:latest", imgUserInput))) { - prepend = localRegistryPrefix - break - } - } - } - return fmt.Sprintf("%s%s", prepend, imgUserInput) -} diff --git a/libpod/info.go b/libpod/info.go index ef0c83a2a..7a28a4cf7 100644 --- a/libpod/info.go +++ b/libpod/info.go @@ -87,6 +87,12 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { if err != nil { return nil, errors.Wrapf(err, "error getting hostname") } + + seccompProfilePath, err := DefaultSeccompPath() + if err != nil { + return nil, errors.Wrapf(err, "error getting Seccomp profile path") + } + info := define.HostInfo{ Arch: runtime.GOARCH, BuildahVersion: buildah.Version, @@ -106,6 +112,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","), Rootless: rootless.IsRootless(), SECCOMPEnabled: seccomp.IsEnabled(), + SECCOMPProfilePath: seccompProfilePath, SELinuxEnabled: selinux.GetEnabled(), }, Slirp4NetNS: define.SlirpInfo{}, diff --git a/libpod/kube.go b/libpod/kube.go index 11ccaeadc..adcfe92c9 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -1,6 +1,7 @@ package libpod import ( + "fmt" "math/rand" "os" "strconv" @@ -539,11 +540,17 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume namedVolumes, mounts := c.sortUserVolumes(c.config.Spec) vms := make([]v1.VolumeMount, 0, len(mounts)) vos := make([]v1.Volume, 0, len(mounts)) - for _, m := range mounts { + + var suffix string + for index, m := range mounts { vm, vo, err := generateKubeVolumeMount(m) if err != nil { return vms, vos, err } + // Name will be the same, so use the index as suffix + suffix = fmt.Sprintf("-%d", index) + vm.Name += suffix + vo.Name += suffix vms = append(vms, vm) vos = append(vos, vo) } diff --git a/libpod/network/config.go b/libpod/network/config.go index 294e23509..ac4478602 100644 --- a/libpod/network/config.go +++ b/libpod/network/config.go @@ -149,7 +149,18 @@ type DNSNameConfig struct { Capabilities map[string]bool `json:"capabilities"` } +// PodmanMachineConfig enables port handling on the host OS +type PodmanMachineConfig struct { + PluginType string `json:"type"` + Capabilities map[string]bool `json:"capabilities"` +} + // Bytes outputs the configuration as []byte func (d DNSNameConfig) Bytes() ([]byte, error) { return json.MarshalIndent(d, "", "\t") } + +// Bytes outputs the configuration as []byte +func (p PodmanMachineConfig) Bytes() ([]byte, error) { + return json.MarshalIndent(p, "", "\t") +} diff --git a/libpod/network/create.go b/libpod/network/create.go index 4fe9b445f..aca8150b5 100644 --- a/libpod/network/create.go +++ b/libpod/network/create.go @@ -231,6 +231,10 @@ func createBridge(name string, options entities.NetworkCreateOptions, runtimeCon plugins = append(plugins, NewDNSNamePlugin(DefaultPodmanDomainName)) } } + // Add the podman-machine CNI plugin if we are in a machine + if runtimeConfig.MachineEnabled() { // check if we are in a machine vm + plugins = append(plugins, NewPodmanMachinePlugin()) + } ncList["plugins"] = plugins b, err := json.MarshalIndent(ncList, "", " ") if err != nil { diff --git a/libpod/network/netconflist.go b/libpod/network/netconflist.go index 08816f2bd..d2031df6d 100644 --- a/libpod/network/netconflist.go +++ b/libpod/network/netconflist.go @@ -293,3 +293,12 @@ func getCreatedTimestamp(config *config.Config, netconf *libcni.NetworkConfigLis created := time.Unix(int64(stat.Ctim.Sec), int64(stat.Ctim.Nsec)) // nolint: unconvert return &created, nil } + +func NewPodmanMachinePlugin() PodmanMachineConfig { + caps := make(map[string]bool, 1) + caps["portMappings"] = true + return PodmanMachineConfig{ + PluginType: "podman-machine", + Capabilities: caps, + } +} diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 6e2c2880f..cfed5a1f2 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -577,7 +577,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error { // set up port forwarder for CNI-in-slirp4netns netnsPath := ctr.state.NetNS.Path() // TODO: support slirp4netns port forwarder as well - return r.setupRootlessPortMappingViaRLK(ctr, netnsPath) + return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, "") } return nil } diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go index 72ab3c919..c46dc6972 100644 --- a/libpod/networking_slirp4netns.go +++ b/libpod/networking_slirp4netns.go @@ -312,7 +312,7 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error { if netOptions.isSlirpHostForward { return r.setupRootlessPortMappingViaSlirp(ctr, cmd, apiSocket) } - return r.setupRootlessPortMappingViaRLK(ctr, netnsPath) + return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, netOptions.cidr) } return nil } @@ -363,7 +363,7 @@ func waitForSync(syncR *os.File, cmd *exec.Cmd, logFile io.ReadSeeker, timeout t return nil } -func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath string) error { +func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath, slirp4CIDR string) error { syncR, syncW, err := os.Pipe() if err != nil { return errors.Wrapf(err, "failed to open pipe") @@ -391,6 +391,16 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin } childIP := slirp4netnsIP + // set the correct childIP when a custom cidr is set + if slirp4CIDR != "" { + _, cidr, err := net.ParseCIDR(slirp4CIDR) + if err != nil { + return errors.Wrap(err, "failed to parse slirp4netns cidr") + } + // the slirp container ip is always the hundredth ip in the subnet + cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 100 + childIP = cidr.IP.String() + } outer: for _, r := range ctr.state.NetworkStatus { for _, i := range r.IPs { diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index c1acec977..1b1d4ad59 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1024,6 +1024,10 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co args = append(args, "-i") } + if ctr.config.Timeout > 0 { + args = append(args, fmt.Sprintf("--timeout=%d", ctr.config.Timeout)) + } + if !r.enableKeyring { args = append(args, "--no-new-keyring") } diff --git a/libpod/options.go b/libpod/options.go index 7c574df75..be26ced99 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -769,6 +769,19 @@ func WithStopTimeout(timeout uint) CtrCreateOption { } } +// WithTimeout sets the maximum time a container is allowed to run" +func WithTimeout(timeout uint) CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + + ctr.config.Timeout = timeout + + return nil + } +} + // WithIDMappings sets the idmappings for the container func WithIDMappings(idmappings storage.IDMappingOptions) CtrCreateOption { return func(ctr *Container) error { @@ -2327,3 +2340,16 @@ func WithPodSlirp4netns(networkOptions map[string][]string) PodCreateOption { return nil } } + +// WithVolatile sets the volatile flag for the container storage. +// The option can potentially cause data loss when used on a container that must survive a machine reboot. +func WithVolatile() CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + + ctr.config.Volatile = true + return nil + } +} diff --git a/libpod/pod_internal.go b/libpod/pod_internal.go index 31b4ba443..e81bd7b16 100644 --- a/libpod/pod_internal.go +++ b/libpod/pod_internal.go @@ -7,6 +7,7 @@ import ( "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod/define" + "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/storage/pkg/stringid" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -74,9 +75,11 @@ func (p *Pod) refresh() error { } p.state.CgroupPath = cgroupPath case config.CgroupfsCgroupsManager: - p.state.CgroupPath = filepath.Join(p.config.CgroupParent, p.ID()) + if rootless.IsRootless() && isRootlessCgroupSet(p.config.CgroupParent) { + p.state.CgroupPath = filepath.Join(p.config.CgroupParent, p.ID()) - logrus.Debugf("setting pod cgroup to %s", p.state.CgroupPath) + logrus.Debugf("setting pod cgroup to %s", p.state.CgroupPath) + } default: return errors.Wrapf(define.ErrInvalidArg, "unknown cgroups manager %s specified", p.runtime.config.Engine.CgroupManager) } diff --git a/libpod/reset.go b/libpod/reset.go index 4199e9b76..8e753e845 100644 --- a/libpod/reset.go +++ b/libpod/reset.go @@ -6,7 +6,9 @@ import ( "os" "path/filepath" + "github.com/containers/common/libimage" "github.com/containers/podman/v3/libpod/define" + "github.com/containers/podman/v3/pkg/errorhandling" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage" @@ -49,20 +51,11 @@ func (r *Runtime) Reset(ctx context.Context) error { logrus.Errorf("Error stopping pause process: %v", err) } - ir := r.ImageRuntime() - images, err := ir.GetImages() - if err != nil { - return err + rmiOptions := &libimage.RemoveImagesOptions{Filters: []string{"readonly=false"}} + if _, rmiErrors := r.LibimageRuntime().RemoveImages(ctx, nil, rmiOptions); rmiErrors != nil { + return errorhandling.JoinErrors(rmiErrors) } - for _, i := range images { - if err := i.Remove(ctx, true); err != nil { - if errors.Cause(err) == define.ErrNoSuchImage { - continue - } - logrus.Errorf("Error removing image %s: %v", i.ID(), err) - } - } volumes, err := r.state.AllVolumes() if err != nil { return err diff --git a/libpod/runtime.go b/libpod/runtime.go index 3518ed25a..80fe92b54 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -14,13 +14,13 @@ import ( "sync" "syscall" + "github.com/containers/common/libimage" "github.com/containers/common/pkg/config" "github.com/containers/image/v5/pkg/sysregistriesv2" is "github.com/containers/image/v5/storage" "github.com/containers/image/v5/types" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/libpod/lock" "github.com/containers/podman/v3/libpod/plugin" "github.com/containers/podman/v3/libpod/shutdown" @@ -76,7 +76,7 @@ type Runtime struct { runtimeFlags []string netPlugin ocicni.CNIPlugin conmonPath string - imageRuntime *image.Runtime + libimageRuntime *libimage.Runtime lockManager lock.Manager // doRenumber indicates that the runtime should perform a lock renumber @@ -371,9 +371,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { return err } runtime.eventer = eventer - if runtime.imageRuntime != nil { - runtime.imageRuntime.Eventer = eventer - } + // TODO: events for libimage // Set up containers/image if runtime.imageContext == nil { @@ -836,21 +834,21 @@ func (r *Runtime) configureStore() error { // images r.storageService = getStorageService(r.store) - ir := image.NewImageRuntimeFromStore(r.store) - ir.SignaturePolicyPath = r.config.Engine.SignaturePolicyPath - ir.EventsLogFilePath = r.config.Engine.EventsLogFilePath - ir.EventsLogger = r.config.Engine.EventsLogger - - r.imageRuntime = ir + runtimeOptions := &libimage.RuntimeOptions{ + SystemContext: r.imageContext, + } + libimageRuntime, err := libimage.RuntimeFromStore(store, runtimeOptions) + if err != nil { + return err + } + r.libimageRuntime = libimageRuntime return nil } -// ImageRuntime returns the imageruntime for image operations. -// If WithNoStore() was used, no image runtime will be available, and this -// function will return nil. -func (r *Runtime) ImageRuntime() *image.Runtime { - return r.imageRuntime +// LibimageRuntime ... to allow for a step-by-step migration to libimage. +func (r *Runtime) LibimageRuntime() *libimage.Runtime { + return r.libimageRuntime } // SystemContext returns the imagecontext diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 0acf88cbc..7d31e392f 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -295,8 +295,11 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai if podCgroup == "" { return nil, errors.Wrapf(define.ErrInternal, "pod %s cgroup is not set", pod.ID()) } - ctr.config.CgroupParent = podCgroup - } else { + canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(podCgroup) + if canUseCgroup { + ctr.config.CgroupParent = podCgroup + } + } else if !rootless.IsRootless() { ctr.config.CgroupParent = CgroupfsDefaultCgroupParent } } else if strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") { diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go index 2b101c01f..a42f9a365 100644 --- a/libpod/runtime_img.go +++ b/libpod/runtime_img.go @@ -2,158 +2,50 @@ package libpod import ( "context" - "fmt" "io" "io/ioutil" - "net/http" - "net/url" "os" buildahDefine "github.com/containers/buildah/define" "github.com/containers/buildah/imagebuildah" - "github.com/containers/image/v5/directory" + "github.com/containers/common/libimage" "github.com/containers/image/v5/docker/reference" - ociarchive "github.com/containers/image/v5/oci/archive" - "github.com/containers/image/v5/oci/layout" - "github.com/containers/image/v5/types" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/events" - "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/pkg/util" - "github.com/containers/storage" "github.com/pkg/errors" "github.com/sirupsen/logrus" - - dockerarchive "github.com/containers/image/v5/docker/archive" - v1 "github.com/opencontainers/image-spec/specs-go/v1" ) // Runtime API -// RemoveImage deletes an image from local storage -// Images being used by running containers can only be removed if force=true -func (r *Runtime) RemoveImage(ctx context.Context, img *image.Image, force bool) (*image.ImageDeleteResponse, error) { - response := image.ImageDeleteResponse{} - r.lock.Lock() - defer r.lock.Unlock() - - if !r.valid { - return nil, define.ErrRuntimeStopped - } +// RemoveContainersForImageCallback returns a callback that can be used in +// `libimage`. When forcefully removing images, containers using the image +// should be removed as well. The callback allows for more graceful removal as +// we can use the libpod-internal removal logic. +func (r *Runtime) RemoveContainersForImageCallback(ctx context.Context) libimage.RemoveContainerFunc { + return func(imageID string) error { + r.lock.Lock() + defer r.lock.Unlock() - // Get all containers, filter to only those using the image, and remove those containers - ctrs, err := r.state.AllContainers() - if err != nil { - return nil, err - } - imageCtrs := []*Container{} - for _, ctr := range ctrs { - if ctr.config.RootfsImageID == img.ID() { - imageCtrs = append(imageCtrs, ctr) + if !r.valid { + return define.ErrRuntimeStopped } - } - if len(imageCtrs) > 0 && (len(img.Names()) <= 1 || (force && img.InputIsID())) { - if force { - for _, ctr := range imageCtrs { + ctrs, err := r.state.AllContainers() + if err != nil { + return err + } + for _, ctr := range ctrs { + if ctr.config.RootfsImageID == imageID { if err := r.removeContainer(ctx, ctr, true, false, false); err != nil { - return nil, errors.Wrapf(err, "error removing image %s: container %s using image could not be removed", img.ID(), ctr.ID()) + return errors.Wrapf(err, "error removing image %s: container %s using image could not be removed", imageID, ctr.ID()) } } - } else { - return nil, errors.Wrapf(define.ErrImageInUse, "could not remove image %s as it is being used by %d containers", img.ID(), len(imageCtrs)) } + // Note that `libimage` will take care of removing any leftover + // containers from the storage. + return nil } - - hasChildren, err := img.IsParent(ctx) - if err != nil { - logrus.Warnf("error determining if an image is a parent: %v, ignoring the error", err) - hasChildren = false - } - - if (len(img.Names()) > 1 && !img.InputIsID()) || hasChildren { - // If the image has multiple reponames, we do not technically delete - // the image. we figure out which repotag the user is trying to refer - // to and untag it. - repoName, err := img.MatchRepoTag(img.InputName) - if hasChildren && errors.Cause(err) == image.ErrRepoTagNotFound { - return nil, errors.Wrapf(define.ErrImageInUse, - "unable to delete %q (cannot be forced) - image has dependent child images", img.ID()) - } - if err != nil { - return nil, err - } - if err := img.UntagImage(repoName); err != nil { - return nil, err - } - response.Untagged = append(response.Untagged, repoName) - return &response, nil - } else if len(img.Names()) > 1 && img.InputIsID() && !force { - // If the user requests to delete an image by ID and the image has multiple - // reponames and no force is applied, we error out. - return nil, errors.Wrapf(define.ErrImageInUse, - "unable to delete %s (must force) - image is referred to in multiple tags", img.ID()) - } - err = img.Remove(ctx, force) - if err != nil && errors.Cause(err) == storage.ErrImageUsedByContainer { - if errStorage := r.rmStorageContainers(force, img); errStorage == nil { - // Containers associated with the image should be deleted now, - // let's try removing the image again. - err = img.Remove(ctx, force) - } else { - err = errStorage - } - } - response.Untagged = append(response.Untagged, img.Names()...) - response.Deleted = img.ID() - return &response, err -} - -// Remove containers that are in storage rather than Podman. -func (r *Runtime) rmStorageContainers(force bool, image *image.Image) error { - ctrIDs, err := storageContainers(image.ID(), r.store) - if err != nil { - return errors.Wrapf(err, "error getting containers for image %q", image.ID()) - } - - if len(ctrIDs) > 0 && !force { - return storage.ErrImageUsedByContainer - } - - if len(ctrIDs) > 0 && force { - if err = removeStorageContainers(ctrIDs, r.store); err != nil { - return errors.Wrapf(err, "error removing containers %v for image %q", ctrIDs, image.ID()) - } - } - return nil -} - -// Returns a list of storage containers associated with the given ImageReference -func storageContainers(imageID string, store storage.Store) ([]string, error) { - ctrIDs := []string{} - containers, err := store.Containers() - if err != nil { - return nil, err - } - for _, ctr := range containers { - if ctr.ImageID == imageID { - ctrIDs = append(ctrIDs, ctr.ID) - } - } - return ctrIDs, nil -} - -// Removes the containers passed in the array. -func removeStorageContainers(ctrIDs []string, store storage.Store) error { - for _, ctrID := range ctrIDs { - if _, err := store.Unmount(ctrID, true); err != nil { - return errors.Wrapf(err, "could not unmount container %q to remove it", ctrID) - } - - if err := store.DeleteContainer(ctrID); err != nil { - return errors.Wrapf(err, "could not remove container %q", ctrID) - } - } - return nil } // newBuildEvent creates a new event based on completion of a built image @@ -177,89 +69,6 @@ func (r *Runtime) Build(ctx context.Context, options buildahDefine.BuildOptions, return id, ref, err } -// Import is called as an intermediary to the image library Import -func (r *Runtime) Import(ctx context.Context, source, reference, signaturePolicyPath string, changes []string, history string, quiet bool) (string, error) { - var ( - writer io.Writer - err error - ) - - ic := v1.ImageConfig{} - if len(changes) > 0 { - config, err := util.GetImageConfig(changes) - if err != nil { - return "", errors.Wrapf(err, "error adding config changes to image %q", source) - } - ic = config.ImageConfig - } - - hist := []v1.History{ - {Comment: history}, - } - - config := v1.Image{ - Config: ic, - History: hist, - } - - writer = nil - if !quiet { - writer = os.Stderr - } - - // if source is a url, download it and save to a temp file - u, err := url.ParseRequestURI(source) - if err == nil && u.Scheme != "" { - file, err := downloadFromURL(source) - if err != nil { - return "", err - } - defer os.Remove(file) - source = file - } - // if it's stdin, buffer it, too - if source == "-" { - file, err := DownloadFromFile(os.Stdin) - if err != nil { - return "", err - } - defer os.Remove(file) - source = file - } - - r.imageRuntime.SignaturePolicyPath = signaturePolicyPath - newImage, err := r.imageRuntime.Import(ctx, source, reference, writer, image.SigningOptions{}, config) - if err != nil { - return "", err - } - return newImage.ID(), nil -} - -// downloadFromURL downloads an image in the format "https:/example.com/myimage.tar" -// and temporarily saves in it $TMPDIR/importxyz, which is deleted after the image is imported -func downloadFromURL(source string) (string, error) { - fmt.Printf("Downloading from %q\n", source) - - outFile, err := ioutil.TempFile(util.Tmpdir(), "import") - if err != nil { - return "", errors.Wrap(err, "error creating file") - } - defer outFile.Close() - - response, err := http.Get(source) - if err != nil { - return "", errors.Wrapf(err, "error downloading %q", source) - } - defer response.Body.Close() - - _, err = io.Copy(outFile, response.Body) - if err != nil { - return "", errors.Wrapf(err, "error saving %s to %s", source, outFile.Name()) - } - - return outFile.Name(), nil -} - // DownloadFromFile reads all of the content from the reader and temporarily // saves in it $TMPDIR/importxyz, which is deleted after the image is imported func DownloadFromFile(reader *os.File) (string, error) { @@ -278,79 +87,3 @@ func DownloadFromFile(reader *os.File) (string, error) { return outFile.Name(), nil } - -// LoadImage loads a container image into local storage -func (r *Runtime) LoadImage(ctx context.Context, inputFile string, writer io.Writer, signaturePolicy string) (string, error) { - if newImages, err := r.LoadAllImageFromArchive(ctx, writer, inputFile, signaturePolicy); err == nil { - return newImages, nil - } - - return r.LoadImageFromSingleImageArchive(ctx, writer, inputFile, signaturePolicy) -} - -// LoadAllImageFromArchive loads all images from the archive of multi-image that inputFile points to. -func (r *Runtime) LoadAllImageFromArchive(ctx context.Context, writer io.Writer, inputFile, signaturePolicy string) (string, error) { - newImages, err := r.ImageRuntime().LoadAllImagesFromDockerArchive(ctx, inputFile, signaturePolicy, writer) - if err == nil { - return getImageNames(newImages), nil - } - return "", err -} - -// LoadImageFromSingleImageArchive load image from the archive of single image that inputFile points to. -func (r *Runtime) LoadImageFromSingleImageArchive(ctx context.Context, writer io.Writer, inputFile, signaturePolicy string) (string, error) { - var saveErr error - for _, referenceFn := range []func() (types.ImageReference, error){ - func() (types.ImageReference, error) { - return dockerarchive.ParseReference(inputFile) - }, - func() (types.ImageReference, error) { - return ociarchive.NewReference(inputFile, "") - }, - func() (types.ImageReference, error) { - return directory.NewReference(inputFile) - }, - func() (types.ImageReference, error) { - return layout.NewReference(inputFile, "") - }, - func() (types.ImageReference, error) { - // This item needs to be last to break out of loop and report meaningful error message - return nil, - errors.New("payload does not match any of the supported image formats (oci-archive, oci-dir, docker-archive, docker-dir)") - }, - } { - src, err := referenceFn() - if err != nil { - saveErr = err - continue - } - - newImages, err := r.ImageRuntime().LoadFromArchiveReference(ctx, src, signaturePolicy, writer) - if err == nil { - return getImageNames(newImages), nil - } - saveErr = err - } - return "", errors.Wrapf(saveErr, "error pulling image") -} - -// RemoveImageFromStorage goes directly to storage and attempts to remove -// the specified image. This is dangerous and should only be done if libpod -// reports that image is not known. This call is useful if you have a corrupted -// image that was never fully added to the libpod database. -func (r *Runtime) RemoveImageFromStorage(id string) error { - _, err := r.store.DeleteImage(id, true) - return err -} - -func getImageNames(images []*image.Image) string { - var names string - for i := range images { - if i == 0 { - names = images[i].InputName - } else { - names += ", " + images[i].InputName - } - } - return names -} diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go index 1ae375ed9..c20153c8d 100644 --- a/libpod/runtime_pod_infra_linux.go +++ b/libpod/runtime_pod_infra_linux.go @@ -6,8 +6,8 @@ import ( "context" "strings" + "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod/define" - "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" v1 "github.com/opencontainers/image-spec/specs-go/v1" @@ -212,20 +212,23 @@ func (r *Runtime) createInfraContainer(ctx context.Context, p *Pod) (*Container, return nil, define.ErrRuntimeStopped } - img := p.config.InfraContainer.InfraImage - if img == "" { - img = r.config.Engine.InfraImage + imageName := p.config.InfraContainer.InfraImage + if imageName == "" { + imageName = r.config.Engine.InfraImage } - newImage, err := r.ImageRuntime().New(ctx, img, "", "", nil, nil, image.SigningOptions{}, nil, util.PullImageMissing, nil) + + pulledImages, err := r.LibimageRuntime().Pull(ctx, imageName, config.PullPolicyMissing, nil) if err != nil { - return nil, err + return nil, errors.Wrap(err, "error pulling infra-container image") } - data, err := newImage.InspectNoSize(ctx) + newImage := pulledImages[0] + data, err := newImage.Inspect(ctx, false) if err != nil { return nil, err } - imageName := "none" + + imageName = "none" if len(newImage.Names()) > 0 { imageName = newImage.Names()[0] } diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go index cf48a9453..4ede23cac 100644 --- a/libpod/runtime_pod_linux.go +++ b/libpod/runtime_pod_linux.go @@ -75,17 +75,20 @@ func (r *Runtime) NewPod(ctx context.Context, options ...PodCreateOption) (_ *Po // Check CGroup parent sanity, and set it if it was not set switch r.config.Engine.CgroupManager { case config.CgroupfsCgroupsManager: - if pod.config.CgroupParent == "" { - pod.config.CgroupParent = CgroupfsDefaultCgroupParent - } else if strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") { - return nil, errors.Wrapf(define.ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs") - } - // If we are set to use pod cgroups, set the cgroup parent that - // all containers in the pod will share - // No need to create it with cgroupfs - the first container to - // launch should do it for us - if pod.config.UsePodCgroup { - pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID()) + canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(pod.config.CgroupParent) + if canUseCgroup { + if pod.config.CgroupParent == "" { + pod.config.CgroupParent = CgroupfsDefaultCgroupParent + } else if strings.HasSuffix(path.Base(pod.config.CgroupParent), ".slice") { + return nil, errors.Wrapf(define.ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs") + } + // If we are set to use pod cgroups, set the cgroup parent that + // all containers in the pod will share + // No need to create it with cgroupfs - the first container to + // launch should do it for us + if pod.config.UsePodCgroup { + pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID()) + } } case config.SystemdCgroupsManager: if pod.config.CgroupParent == "" { diff --git a/libpod/util.go b/libpod/util.go index b75c9179a..7f4a01f28 100644 --- a/libpod/util.go +++ b/libpod/util.go @@ -194,7 +194,15 @@ func programVersion(mountProgram string) (string, error) { // if it exists, first it checks OverrideSeccomp and then default. // If neither exist function returns "" func DefaultSeccompPath() (string, error) { - _, err := os.Stat(config.SeccompOverridePath) + def, err := config.Default() + if err != nil { + return "", err + } + if def.Containers.SeccompProfile != "" { + return def.Containers.SeccompProfile, nil + } + + _, err = os.Stat(config.SeccompOverridePath) if err == nil { return config.SeccompOverridePath, nil } |