Contains fixes for new linters, removed depracted and removed linters
from the config.
Most notably because we use go 1.22 now we can get rid of the copy for
loop vars[1]. Also as of the go 1..2 we can use the new int range syntax
in for loops the new intrange linter checks that.
[1] https://go.dev/blog/loopvar-preview
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Partial fix for https://github.com/containers/podman/issues/23120
Working on a fix for this crash, but want same error to come back as
non-remote case.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adds a couple of new linters with many new warnings:
- perfsprint (fixed in code, excluded for tests)
- revive (fix the problems, disabled the dot import check as we use it
for ginkgo)
- inamedparam (disabled because it is opinionated)
- testifylint (great linter but we have like 1000+ issues that I have no
time fixing now)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For the positive case, the reference key does an OR
operation. For the negative case, the reference key
does an AND operation.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
When multiple filters are given, only return objects
that match all the filters given by the user.
This matches Docker behavior.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
To prevent the podman remote client from using libimage which causes a
lot of bloat due the c/image and c/storage dependencies add the
`!remote` tag.
This will cause a hard compile time failure if the remote client ends up
pulling in libimage.
Fixes#1702
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The id and digest filters for podman images was broken
as it would only match on the full ID or Digest, so when
users would give a substring of either not results would be
given even though there were matches.
Fix to check on prefix now instead.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
When looking up an image by digest, make sure that the entire repository
of the specified value is considered. Previously, both the repository
and the tag have been ignored and we looked for _some_ image with a
matching digest.
As outlined in #1248, Docker stopped ignoring the repository with
version v20.10.20 (Oct '22) which is a compelling reason to do the same.
To be clear, previously `something@digest` would look for any image with
`digest` while `something` is entirely ignored. With this change, both
`something` and `digest` must match the image.
This change breaks two e2e tests in Podman CI which relied on the
previous behavior. There is a risk of breaking users but there is a
strong security argument to perform this change: if the repository does
not match the (previously) returned issue, there is a fair chance of a
user error.
Fixes: containers/common#1248
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Make sure that reference filters properly work on digests as well.
To keep things simple, try to lookup an image for the user-specified
value and compare IDs. This will implicitly fix #containers/podman/issues/18445
and probably more (unknown) issues.
Fixes: #containers/podman/issues/18445
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Computing the layer tree requires listing all images. Certain code
paths have all images at hand already, so let's optimize a bit to
avoid listing them redundantly.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
there was some eerily similar code in c/common and in podman for
creating filter functions for various types. Move some of it here
and add support for the label!= filter in libnetwork only. Libimage already supports it.
after this merges, will file a PR with the fix for containers within podman as well
see containers/podman#14182
Signed-off-by: Charlie Doern <cdoern@redhat.com>
`github.com/pkg/errors` is deprecated since quite some time so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Podman CI wants that for pruning. The pruning code unconditionally sets
the dangling filter since that's crucial for pruning.
Also fix a typo in the error message:
`s/more then/more than/`
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
For compatibility mode, we need to have a filter that gets rid of
manifest lists from the list of all images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Further turn applying the filters into a method of `type Image`.
Also change the loop when filtering images to not append the
loop variable to the result slice; it's always the same pointer.
Fixes: containers/podman/issues/12582
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The same filters types should be disjoint, while
each selected filter type is required. This will allow callers to pass
multiple reference filters and if an image matches it is returned.
Other filters the image has to match all filters to be returned.
Specifying "since", "after", "before", "containers", "dangling","intermediate", "readonly", "until" more then once is an error.
[NO NEW TESTS NEEDED] I will open up a validation against buildah to
make sure this passes before merging.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It turns out that FamiliarMatch is only useful for matching Docker Hub
but we should not limit it to that and match values against registry.
For instance, FamiliarMatch is *not* able to match a FQN reference
against a Docker Hub image. I am convinced that we should *not* behave
as Docker does in this case.
This brings us back to the behavior prior to commit c15939746c but
with a fixed matching algorithm. The specified value will now be
matched against 1) the FQN 2) without domain 3) without domain and path.
If specified also a second time without digest/tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The previously inherited behavior from Podman was matching too
aggressively. Now, the filter matches the exact behavior of
Docker, simplifies the code and is tested directly in libimage.
Context: containers/podman#11905
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
With commit e983ccadc6 the dangling checks have been changed to be
compatible with Docker. Since then, the dangling also need to compute
children.
Speed up the dangling and intermediate checks by computing the layer
tree *once* instead of for each filter invocation.
**Before:**
real 0m10.837s
user 0m11.308s
sys 0m4.231s
**After:**
real 0m0.476s
user 0m0.478s
sys 0m0.151s
Context: github.com/containers/podman/issues/11997
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Support pruning images in use by external containers (e.g., build
containers). Requires extending the containers filter, adding a
callback to libpod and a new options for image removal.
Tests will be added to Podman.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As discussed in github.com/containers/podman/issues/10832 the definition
of a "dangling" image in Podman has historically been incorrect. While
the Docker docs describe a dangling image as an image without a tag, and
Podman implemented the filters as such, Docker actually implemented the
filters for images without a tag and without children.
Refine the dangling filters and hence `IsDangling()` to only return true
if an image is untagged and has no children.
Also correct the comments of `IsIntermediate()`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When writing LookupImage, I thought that it's a good idea to always
attempt to match an image against the local (or requested) platform.
The use case I had in mind is multi-arch support:
`$ podman run image` should only match `image` if it matches the local
platform. We may have previously pulled `image` for another
architecture.
The core criteria for these checks is that images set their platform
(arch/os/variant) correctly. As it turned out that is not the case.
We recently performed a number of fixes to better support multi-arch
images and this change should put the last nail in the coffin.
Hence, entirely remove the `IgnorePlatform` option and only perform
platform matches if the arch, os or variant is specified explicitly via
the LookupImageOptions or the runtime's system context (as Buildah likes
to do it).
Note that this is a breaking change, so I need to update Buildah and
Podman.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Stop the whack-a-mole selectively patching multi-arch issues by forcing
all internal image lookups to ignore the platform.
In retrospect, the `IgnorePlatform` options for image lookups was a
mistake and I will remove it soon but for now, let's just patch
something we can backport to the v0.38 branch.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The following changes were not split into smaller commits since the
entire package is still work in progress and I want to keep moving:
* Various small fixes.
* The internal image cache has been removed as it's a recipe for
inconsistencies for longer running processes. This should make
libimage easier to use for CRI-O and a Podman service.
* LookupImage now returns storage.ErrUnknownImage rather than nil.
This simplifies the callers and makes sure we have a consistent
error.
* LookupImage is now able to handle manifests lists. Unless the
platform is explicitly ignored via the options, the matching
image within the manifest list is now returned. This greatly
simplifies the spec generation in Podman; no callers should have
to worry about this kind of detail.
* LookupImage has been refactored into smaller-sized and easier to
read functions.
* RemoveImages has been changed to assemble the data of removed or
untagged images. This comes in handy for pruning images. I am
heavily against having a dedicated API for pruning since the it's
really just a combination of filtering and removing images which
RemoveImages already supports. Hence these changes to satisfy
the needs of `podman image prune`.
Furthermore, it now returns an []error slice rather than a single
error. Again to make Podman happy which needs to inspect *all*
errors for setting the appropriate exit code.
* A rather large refactoring of the removal code along with very
verbose comments. Those were largely absent in the Podman code base
but there many rules and contracts embedded that I partially could
only reconstruct by manually tests and comparing to Docker.
* Add a new `containers={true,false}` filter which allows filtering
images whether they are used by containers (=true) or if no container
is using them (=false). This filter is required for pruning images
in Podman.
* `libimage/types` has been merged into `libimage`. Podman has to do
_a lot of_ massaging for the remote client already and the types
are pretty much nailed down for the remote API. Hence, I prefer to
do some translation between `libimage` types and what Podman needs
rather than splitting `libimage` in half without an obvious reason.
This way the package is self-contained allowing for an easier
navigation and maintenance.
* `libimage.PullPolicy` has been merged into `pkg/config.PullPolicy`
to have _one_ central place to deal with pull policies. The type
system in `pkg/config` sets "always" as the default unfortunately
but I think consistency is more important at that point.
* Added `CopyOptions.DirForceCompress` to enforce layer compression
when copying to a `dir` destination.
* We now use `github.com/disiqueira/gotree` for pretty printing image
trees. That greatly simplifies the code and we don't have to worry
about the logic of printing a tree. Note that trees are now always
printed top down!
* Added a new `libimage.ManifestList` type along with an API for local
lookups and performing certain operations on it to wrap around
`libimage/manifests` as previously done in `libpod/image` and other
places in Podman.
* Correct caching of `(*Image).Inspect`.
* In addition to username, password and credentials, allow for
speciying an identity token for copying images. That's needed for
Podman's remote API.
* Make image removal more tolerant toward corrupted images.
* A new "until=timestamp" filter that can be used by all APIs
supporting filtering.
* An empty string now resolves to PullPolicyMissing.
* `(*Runtime) systemContextCopy()` returns a deep copy of the runtime's
system context. Golang's shallow copies are very dangerous for long
running processes such as Podman's system service. Hence, we need to
make sure that base data is not altered over time. That adds another
external dependency but I do not see a way around that. Long term,
I desire a `(*containers/image/types.SystemContext).Copy()` function.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The new `libimage` package is an attempt to consolidate the code for
managing container images and performing operations on them such as
pulling, pushing, saving, searching, local lookups, removing etc.
Over time, Buildah, CRI-O and Podman diverged with respect to managing
container images resulting in a high amount of code duplication
rendering the tools harder to maintain (e.g., bug fixes) and harder to
extend (e.g., adding new features) than necessary.
The desire to share all that code in a common library grew and this is
an attempt to address the it.
The changes as they are now pass Buildah CI [1]. Once merged into
Buildah, I expect follow up changes when migrating Podman over to
`libimage`.
Miscellaneous changes:
* Copy `podman/pkg/signal` to `pkg/signal`.
* Copy `buildah/manifests` to `image/manifests`. Note that the unit
tests require root privileges. Skip()'s are added when running
rootless. Currently excluded from linting.
* Copy `buildah/pkg/manifests` to `pkg/manifests`. Currently excluded
from linting.
* Copy `buildah/pkg/supplemented` to `pkg/supplemented`. Currently
excluded from linting.
[1] github.com/containers/buildah/pull/3148
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Paul Holzinger
Jan Rodák
Daniel J Walsh
Urvashi Mohnani
Oleksandr Redko
Valentin Rothberg
Miloslav Trmač
openshift-ci[bot]
Charlie Doern
Sascha Grunert
rvandernoort
Valentin Rothberg