Following commit fixes a `race` condition in `libimage` because in `Pull(`
after performing `copy` from remote sources it again attempts to resolve
image via `LookupImage`, any operation between `copy` and `LookupImage` can remove
`name` from the recently pulled image. Causing race in builds.
This issue was discovered while working on PR https://github.com/containers/buildah/pull/5971
```
buildah build -t test --jobs=2 --skip-unused-stages=false .
```
Containerfile
```
FROM quay.io/jitesoft/alpine
RUN arch
FROM --platform=linux/arm64 quay.io/jitesoft/alpine AS foreign
```
Following commit also addresses the commit 88f60eeeb3
by performing the necessary refactor.
No functional change in public exposed API, existing tests should pass as-is.
[NO NEW TESTS NEEDED]
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
These images can and will change at any time and thus can break our CI
without any external changes which is very bad. The TestPush test is
failing because it expects two not one image as it converts from docker
to oci on push. However the upstream docker.io/library/alpine was
switched to an oci image thus the test started failing as the local
storage now has the same id and just stores two different tags for the
same image.
Switch to our own controlled quay.io images where possible. This is
neither complete nor do I fully understand the tests here. I did a quick
search and replace and will see what works or not.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Contains fixes for new linters, removed deprecated and removed linters
from the config.
Most notably because we use go 1.22 now we can get rid of the copy for
loop vars[1]. Also as of the go 1.22 we can use the new int range syntax
in for loops; the new intrange linter checks that.
[1] https://go.dev/blog/loopvar-preview
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
To prevent the podman remote client from using libimage which causes a
lot of bloat due to the c/image and c/storage dependencies add the
`!remote` tag.
This will cause a hard compile time failure if the remote client ends up
pulling in libimage.
Fixes #1702
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
podman untag should error out if a name is given which does not exist
for the given image. This regression was added in commit a4a7c28aef.
There was even a test which meant to check for it but unfortunately it
did not actually check for what it should. The doNotExist check failed
early due to the upper case in the repo name.
The tests have been updated to check for actual error messages to
ensure it is failing for the right reason.
This also showed that `normalizing name` message was included twice so
I removed one case to not stutter.
Fixes a4a7c28aef ("libimage: support parallel tag/untag")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The c/storage SetNames API is deprecated because it is not race free to
first get the list of names and then append our new name then write the
full list back. Instead a better Add/RemoveNames API has been added.
Tag and Untag should use these to prevent race conditions that can be
easily reproduced using podman tag in parallel. Tests have been added to
ensure it is working correctly.
Fixes https://github.com/containers/podman/issues/17515
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
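The read-then-write race described in the commit message above, as an added Go example (it is not code from c/storage or libimage). `toyStore` and its methods are a constructed stand-in, and the `localhost/...` tags are constructed sample values; the losing interleaving is replayed deterministically instead of relying on scheduler timing.

```go
package main

import (
	"fmt"
	"sync"
)

// toyStore is a constructed stand-in for one stored image; it is not c/storage.
type toyStore struct {
	mu    sync.Mutex
	names []string
}

func (s *toyStore) Names() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]string(nil), s.names...)
}

// SetNames replaces the whole list, so a caller must read, modify, then write.
func (s *toyStore) SetNames(n []string) { s.mu.Lock(); s.names = n; s.mu.Unlock() }
// AddNames appends under the lock: the read and the write are one atomic step.
func (s *toyStore) AddNames(n ...string) { s.mu.Lock(); s.names = append(s.names, n...); s.mu.Unlock() }

// tagWithSetNames replays the losing interleaving: all taggers read, then all write.
func tagWithSetNames(tags []string) []string {
	s := &toyStore{}
	stale := s.Names() // every tagger saw this same (empty) list
	for _, t := range tags {
		s.SetNames(append(stale, t)) // each write is built on the stale read
	}
	return s.Names()
}

// tagWithAddNames runs the taggers concurrently; every name survives.
func tagWithAddNames(tags []string) []string {
	s := &toyStore{}
	var wg sync.WaitGroup
	for _, t := range tags {
		wg.Add(1)
		go func(name string) { defer wg.Done(); s.AddNames(name) }(t)
	}
	wg.Wait()
	return s.Names()
}

func main() {
	tags := []string{"localhost/a:1", "localhost/b:1", "localhost/c:1"}
	fmt.Println(tagWithSetNames(tags), len(tagWithAddNames(tags)))
}
```

Each `SetNames` call is individually locked, yet only the last writer's tag remains, which is why locking inside the setter alone does not make the read-modify-write pattern safe.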
When looking up an image by digest, make sure that the entire repository
of the specified value is considered. Previously, both the repository
and the tag have been ignored and we looked for _some_ image with a
matching digest.
As outlined in #1248, Docker stopped ignoring the repository with
version v20.10.20 (Oct '22) which is a compelling reason to do the same.
To be clear, previously `something@digest` would look for any image with
`digest` while `something` is entirely ignored. With this change, both
`something` and `digest` must match the image.
This change breaks two e2e tests in Podman CI which relied on the
previous behavior. There is a risk of breaking users but there is a
strong security argument to perform this change: if the repository does
not match the (previously) returned issue, there is a fair chance of a
user error.
Fixes: containers/common#1248
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
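The lookup change described in the commit message above, as an added Go example (it is not libimage's code). `toyImage`, `repoOf`, `lookupByDigest`, the digest value and the `quay.io/example` and `quay.io/other` names are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// toyImage is a constructed record, not libimage's Image type.
type toyImage struct {
	ID, Digest string
	Names      []string // tagged names, e.g. "quay.io/example/alpine:3.20"
}

var sampleDigest = "sha256:" + strings.Repeat("ab", 32) // constructed value

// repoOf strips a trailing ":tag" (a colon after the last slash) from a name.
func repoOf(name string) string {
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		return name[:i]
	}
	return name
}

// lookupByDigest resolves "repo@digest"; matchRepo=false models the old behaviour.
func lookupByDigest(images []toyImage, ref string, matchRepo bool) (string, bool) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok {
		return "", false
	}
	for _, img := range images {
		if img.Digest != digest {
			continue
		}
		if !matchRepo {
			return img.ID, true // previous behaviour: repo is ignored
		}
		for _, n := range img.Names {
			if repoOf(n) == repo {
				return img.ID, true // new behaviour: repo and digest match
			}
		}
	}
	return "", false
}

func main() {
	imgs := []toyImage{{"img1", sampleDigest, []string{"quay.io/example/alpine:3.20"}}}
	fmt.Println(lookupByDigest(imgs, "quay.io/other/busybox@"+sampleDigest, false))
	fmt.Println(lookupByDigest(imgs, "quay.io/other/busybox@"+sampleDigest, true))
}
```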
`github.com/pkg/errors` is deprecated since quite some time so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
When looking up an image by a short name that prefixes another image's
ID, the one matching the short name should be returned.
This means that we need to do a final lookup in the storage with the
specified name (without normalization) to continue matching short IDs.
Since it's common that users of libimage (e.g., Buildah) internally
refer to images by full ID, let's make sure that we check for that
first. This way, we'll match full IDs on first lookup and keep the
expected performance.
Note that a name starting with `sha256:` must be followed by a 64-byte
hex value; something we didn't check for before.
Fixes: containers/podman/issues/12761
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the matching image is
also subject to further attribute checks (e.g., manifest list checks) as
specified by the user.
Fixes: containers/podman/issues/12729
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
buildkit is setting the health check in the image's config while Docker
and Podman set it in the image's container config. Hence, if the
container config's healthcheck is nil, have a look at the config.
Fixes: containers/podman/issues/12226
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add an InspectOptions struct for inspecting images. This is a breaking
change but I think it's worth it since a considerable amount of CPU time
is spent in computing the image's parent (i.e., computing the layer is
costly) while this data is oftentimes not needed.
This cuts off 10ms of container-creation time in Podman.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Support pruning images in use by external containers (e.g., build
containers). Requires extending the containers filter, adding a
callback to libpod and a new option for image removal.
Tests will be added to Podman.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Allow for passing down credentials when comparing a local image with a
remote one. The linked BZ relates to a regression in `podman auto-update`
but while reading the code I noticed it's also impacting pull policies.
BZ: bugzilla.redhat.com/show_bug.cgi?id=2000943
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Relax the digest checks when untagging. Podman CI relies on `rmi
foo@digest` to actually work even when only untagging the image.
The behavior is wrong since the digest is not getting removed from the
image at all BUT there's currently no way in our stack to do that.
To tackle the problem at the source, we need a way in c/storage to alter
the digests of an image, similar to `SetNames()` for altering the
names/tags of an image. Once that's done, Podman can behave as Docker
does and allow for altering the digests.
For now, to unblock ongoing work, let's just relax the checks and leave
a FIXME note.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure that tag and untag reject digested input. Also add unit tests
for both to make sure we're not regressing in the future.
Fixes: containers/common#710
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As discussed in github.com/containers/podman/issues/10832 the definition
of a "dangling" image in Podman has historically been incorrect. While
the Docker docs describe a dangling image as an image without a tag, and
Podman implemented the filters as such, Docker actually implemented the
filters for images without a tag and without children.
Refine the dangling filters and hence `IsDangling()` to only return true
if an image is untagged and has no children.
Also correct the comments of `IsIntermediate()`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add unit tests for exercising all kinds of functions of an `Image`
object.
Also remove an unused, redundant (and incomplete) `MountPoint` function.
`Mountpoint` is used by Podman instead.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>