summaryrefslogtreecommitdiff
path: root/vendor/github.com
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/containers/common/libimage/image.go18
-rw-r--r--vendor/github.com/containers/common/libimage/pull.go48
-rw-r--r--vendor/github.com/containers/common/libimage/runtime.go56
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go2
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/default_linux.go42
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp.json50
-rw-r--r--vendor/github.com/containers/common/version/version.go2
7 files changed, 119 insertions, 99 deletions
diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go
index 3bcdbabec..f1272f507 100644
--- a/vendor/github.com/containers/common/libimage/image.go
+++ b/vendor/github.com/containers/common/libimage/image.go
@@ -61,6 +61,24 @@ func (i *Image) reload() error {
return nil
}
+// isCorrupted returns an error if the image may be corrupted.
+func (i *Image) isCorrupted(name string) error {
+ // If it's a manifest list, we're good for now.
+ if _, err := i.getManifestList(); err == nil {
+ return nil
+ }
+
+ ref, err := i.StorageReference()
+ if err != nil {
+ return err
+ }
+
+ if _, err := ref.NewImage(context.Background(), nil); err != nil {
+ return errors.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err)
+ }
+ return nil
+}
+
// Names returns associated names with the image which may be a mix of tags and
// digests.
func (i *Image) Names() []string {
diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go
index 0271f0051..0a5e49fd2 100644
--- a/vendor/github.com/containers/common/libimage/pull.go
+++ b/vendor/github.com/containers/common/libimage/pull.go
@@ -105,6 +105,20 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP
r.writeEvent(&Event{ID: "", Name: name, Time: time.Now(), Type: EventTypeImagePull})
}
+ // Some callers may set the platform via the system context at creation
+ // time of the runtime. We need this information to decide whether we
+ // need to enforce pulling from a registry (see
+ // containers/podman/issues/10682).
+ if options.Architecture == "" {
+ options.Architecture = r.systemContext.ArchitectureChoice
+ }
+ if options.OS == "" {
+ options.OS = r.systemContext.OSChoice
+ }
+ if options.Variant == "" {
+ options.Variant = r.systemContext.VariantChoice
+ }
+
var (
pulledImages []string
pullError error
@@ -333,7 +347,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference
// from a registry. On successful pull it returns the used fully-qualified
// name that can later be used to look up the image in the local containers
// storage.
-func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) {
+func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo
// Sanity check.
if err := pullPolicy.Validate(); err != nil {
return nil, err
@@ -349,11 +363,41 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
// resolved name for pulling. Assume we're doing a `pull foo`.
// If there's already a local image "localhost/foo", then we should
// attempt pulling that instead of doing the full short-name dance.
- localImage, resolvedImageName, err = r.LookupImage(imageName, nil)
+ lookupOptions := &LookupImageOptions{
+ // NOTE: we must ignore the platform of a local image when
+ // doing lookups. Some images set an incorrect or even invalid
+ // platform (see containers/podman/issues/10682). Doing the
+ // lookup while ignoring the platform checks prevents
+ // redundantly downloading the same image.
+ IgnorePlatform: true,
+ }
+ localImage, resolvedImageName, err = r.LookupImage(imageName, lookupOptions)
if err != nil && errors.Cause(err) != storage.ErrImageUnknown {
logrus.Errorf("Looking up %s in local storage: %v", imageName, err)
}
+ // If the local image is corrupted, we need to repull it.
+ if localImage != nil {
+ if err := localImage.isCorrupted(imageName); err != nil {
+ logrus.Error(err)
+ localImage = nil
+ }
+ }
+
+ // Unless the pull policy is "always", we must pessimistically assume
+ // that the local image has an invalid architecture (see
+ // containers/podman/issues/10682). Hence, whenever the user requests
+ // a custom platform, set the pull policy to "always" to make sure
+ // we're pulling down the image.
+ //
+ // NOTE that this is will even override --pull={false,never}. This is
+ // very likely a bug but a consistent one in Podman/Buildah and should
+ // be addressed at a later point.
+ if pullPolicy != config.PullPolicyAlways && len(options.Architecture)+len(options.OS)+len(options.Variant) > 0 {
+ logrus.Debugf("Enforcing pull policy to %q to support custom platform (arch: %q, os: %q, variant: %q)", "always", options.Architecture, options.OS, options.Variant)
+ pullPolicy = config.PullPolicyAlways
+ }
+
if pullPolicy == config.PullPolicyNever {
if localImage != nil {
logrus.Debugf("Pull policy %q but no local image has been found for %s", pullPolicy, imageName)
diff --git a/vendor/github.com/containers/common/libimage/runtime.go b/vendor/github.com/containers/common/libimage/runtime.go
index efa182544..3cbd3dcf4 100644
--- a/vendor/github.com/containers/common/libimage/runtime.go
+++ b/vendor/github.com/containers/common/libimage/runtime.go
@@ -144,9 +144,8 @@ func (r *Runtime) Exists(name string) (bool, error) {
if image == nil {
return false, nil
}
- // Inspect the image to make sure if it's corrupted or not.
- if _, err := image.Inspect(context.Background(), false); err != nil {
- logrus.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err)
+ if err := image.isCorrupted(name); err != nil {
+ logrus.Error(err)
return false, nil
}
return true, nil
@@ -159,6 +158,13 @@ type LookupImageOptions struct {
// the platform does not matter, for instance, for image removal.
IgnorePlatform bool
+ // Lookup an image matching the specified architecture.
+ Architecture string
+ // Lookup an image matching the specified OS.
+ OS string
+ // Lookup an image matching the specified variant.
+ Variant string
+
// If set, do not look for items/instances in the manifest list that
// match the current platform but return the manifest list as is.
lookupManifest bool
@@ -210,6 +216,25 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image,
name = strings.TrimPrefix(name, "sha256:")
}
+ // Set the platform for matching local images.
+ if !options.IgnorePlatform {
+ if options.Architecture == "" {
+ options.Architecture = r.systemContext.ArchitectureChoice
+ }
+ if options.Architecture == "" {
+ options.Architecture = runtime.GOARCH
+ }
+ if options.OS == "" {
+ options.OS = r.systemContext.OSChoice
+ }
+ if options.OS == "" {
+ options.OS = runtime.GOOS
+ }
+ if options.Variant == "" {
+ options.Variant = r.systemContext.VariantChoice
+ }
+ }
+
// First, check if we have an exact match in the storage. Maybe an ID
// or a fully-qualified image name.
img, err := r.lookupImageInLocalStorage(name, name, options)
@@ -295,7 +320,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo
if err != nil {
return nil, err
}
- instance, err := manifestList.LookupInstance(context.Background(), "", "", "")
+ instance, err := manifestList.LookupInstance(context.Background(), options.Architecture, options.OS, options.Variant)
if err != nil {
// NOTE: If we are not looking for a specific platform
// and already found the manifest list, then return it
@@ -316,7 +341,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo
return image, nil
}
- matches, err := imageReferenceMatchesContext(context.Background(), ref, &r.systemContext)
+ matches, err := r.imageReferenceMatchesContext(ref, options)
if err != nil {
return nil, err
}
@@ -428,12 +453,13 @@ func (r *Runtime) ResolveName(name string) (string, error) {
}
// imageReferenceMatchesContext return true if the specified reference matches
-// the platform (os, arch, variant) as specified by the system context.
-func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, sys *types.SystemContext) (bool, error) {
- if sys == nil {
+// the platform (os, arch, variant) as specified by the lookup options.
+func (r *Runtime) imageReferenceMatchesContext(ref types.ImageReference, options *LookupImageOptions) (bool, error) {
+ if options.IgnorePlatform {
return true, nil
}
- img, err := ref.NewImage(ctx, sys)
+ ctx := context.Background()
+ img, err := ref.NewImage(ctx, &r.systemContext)
if err != nil {
return false, err
}
@@ -442,16 +468,8 @@ func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference,
if err != nil {
return false, err
}
- osChoice := sys.OSChoice
- if osChoice == "" {
- osChoice = runtime.GOOS
- }
- arch := sys.ArchitectureChoice
- if arch == "" {
- arch = runtime.GOARCH
- }
- if osChoice == data.Os && arch == data.Architecture {
- if sys.VariantChoice == "" || sys.VariantChoice == data.Variant {
+ if options.OS == data.Os && options.Architecture == data.Architecture {
+ if options.Variant == "" || options.Variant == data.Variant {
return true, nil
}
}
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 0d23d6ac6..af6efbbf2 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -1053,7 +1053,7 @@ func (c *Config) Write() error {
if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
return err
}
- configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600)
+ configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644)
if err != nil {
return err
}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
index edb1294d6..725e0bfc7 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
@@ -51,14 +51,9 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"bdflush",
- "clone3",
"io_pgetevents",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
"kexec_file_load",
"kexec_load",
- "membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
@@ -71,10 +66,6 @@ func DefaultProfile() *Seccomp {
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
- "pkey_alloc",
- "pkey_free",
- "pkey_mprotect",
- "rseq",
"sgetmask",
"ssetmask",
"swapcontext",
@@ -118,6 +109,7 @@ func DefaultProfile() *Seccomp {
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
+ "clone3",
"close",
"close_range",
"connect",
@@ -191,6 +183,7 @@ func DefaultProfile() *Seccomp {
"getgroups",
"getgroups32",
"getitimer",
+ "get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
@@ -241,6 +234,7 @@ func DefaultProfile() *Seccomp {
"lstat",
"lstat64",
"madvise",
+ "mbind",
"memfd_create",
"mincore",
"mkdir",
@@ -286,6 +280,9 @@ func DefaultProfile() *Seccomp {
"pipe",
"pipe2",
"pivot_root",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
@@ -318,6 +315,7 @@ func DefaultProfile() *Seccomp {
"renameat2",
"restart_syscall",
"rmdir",
+ "rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
@@ -354,6 +352,7 @@ func DefaultProfile() *Seccomp {
"sendmsg",
"sendto",
"setns",
+ "set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
@@ -665,31 +664,6 @@ func DefaultProfile() *Seccomp {
},
{
Names: []string{
- "get_mempolicy",
- "mbind",
- "set_mempolicy",
- },
- Action: ActAllow,
- Args: []*Arg{},
- Includes: Filter{
- Caps: []string{"CAP_SYS_NICE"},
- },
- },
- {
- Names: []string{
- "get_mempolicy",
- "mbind",
- "set_mempolicy",
- },
- Action: ActErrno,
- ErrnoRet: &eperm,
- Args: []*Arg{},
- Excludes: Filter{
- Caps: []string{"CAP_SYS_NICE"},
- },
- },
- {
- Names: []string{
"acct",
},
Action: ActAllow,
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
index 885240e50..eeb41d5d8 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
@@ -54,14 +54,9 @@
{
"names": [
"bdflush",
- "clone3",
"io_pgetevents",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
"kexec_file_load",
"kexec_load",
- "membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
@@ -74,10 +69,6 @@
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
- "pkey_alloc",
- "pkey_free",
- "pkey_mprotect",
- "rseq",
"sgetmask",
"ssetmask",
"swapcontext",
@@ -124,6 +115,7 @@
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
+ "clone3",
"close",
"close_range",
"connect",
@@ -197,6 +189,7 @@
"getgroups",
"getgroups32",
"getitimer",
+ "get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
@@ -247,6 +240,7 @@
"lstat",
"lstat64",
"madvise",
+ "mbind",
"memfd_create",
"mincore",
"mkdir",
@@ -292,6 +286,9 @@
"pipe",
"pipe2",
"pivot_root",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
@@ -324,6 +321,7 @@
"renameat2",
"restart_syscall",
"rmdir",
+ "rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
@@ -360,6 +358,7 @@
"sendmsg",
"sendto",
"setns",
+ "set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
@@ -761,39 +760,6 @@
},
{
"names": [
- "get_mempolicy",
- "mbind",
- "set_mempolicy"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_NICE"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "get_mempolicy",
- "mbind",
- "set_mempolicy"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_NICE"
- ]
- },
- "errnoRet": 1
- },
- {
- "names": [
"acct"
],
"action": "SCMP_ACT_ALLOW",
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 6c899987a..8907e21ab 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.40.1-dev"
+const Version = "0.40.2-dev"