From b96445ff59d00cd3b2a170b040743257fd755cb7 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Tue, 6 Dec 2022 10:14:34 -0800
Subject: [PATCH] Fix edge case with previously (failed) ingested content
---
 cmd/bashbrew/oci-builder.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmd/bashbrew/oci-builder.go b/cmd/bashbrew/oci-builder.go
index 7ab67b3..25f09f6 100644
--- a/cmd/bashbrew/oci-builder.go
+++ b/cmd/bashbrew/oci-builder.go
@@ -62,7 +62,7 @@ func readContentJSON(ctx context.Context, cs content.Provider, desc imagespec.De
 }
 
 // given a containerd content store, an io/fs reference to an "OCI image layout", and an OCI descriptor, import the given blob into the content store (with appropriate validation)
-func importOCIBlob(ctx context.Context, cs content.Ingester, fs iofs.FS, descriptor imagespec.Descriptor) error {
+func importOCIBlob(ctx context.Context, cs content.Store, fs iofs.FS, descriptor imagespec.Descriptor) error {
 // https://github.com/opencontainers/image-spec/blob/v1.0.2/image-layout.md#blobs
 blob, err := fs.Open(path.Join("blobs", string(descriptor.Digest.Algorithm()), descriptor.Digest.Encoded())) // "blobs/sha256/deadbeefdeadbeefdeadbeef..."
 if err != nil {
@@ -70,6 +70,11 @@ func importOCIBlob(ctx context.Context, cs content.Ingester, fs iofs.FS, descrip
 }
 defer blob.Close()
 
+ ingestRef := string(descriptor.Digest)
+
+ // explicitly "abort" the ref we're about to use in case there's a partial or failed ingest already (which content.WriteBlob will then quietly reuse, over and over)
+ _ = cs.Abort(ctx, ingestRef)
+
 // WriteBlob does *not* limit reads to the provided size, so let's wrap ourselves in a LimitedReader to prevent reading (much) more than we intend
 r := io.LimitReader(
 blob,
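Review bot: The new `cs content.Store` parameter on importOCIBlob asks for the whole content store interface, although the body visible across these hunks only writes a blob and calls `Abort`. If no caller relies on the wider type, a narrower parameter such as `cs interface { content.Ingester; content.IngestManager }` keeps this import path to the capabilities it actually uses and makes it easier to fake in tests. The doc comment above the signature could also say that any existing ingest for the same digest is aborted before the import starts, since that is now part of the function's contract.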
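Review bot: `_ = cs.Abort(ctx, ingestRef)` discards every error, so a real store failure looks the same as the expected "no such ingest" case, and the comment above it explains the abort but not why the result is dropped. Consider tolerating only not-found, e.g. `if err := cs.Abort(ctx, ingestRef); err != nil && !errdefs.IsNotFound(err) { return err }` (assuming containerd's errdefs package is available to this file), or at least say in the comment that the error is ignored on purpose. Because the ref is the blob digest, this call presumably also cancels an ingest of the same blob that another process sharing the content store has in flight; if concurrent imports are possible, that deserves a note or some serialization. The digest and size verification in WriteBlob still applies either way, so the concern is reliability rather than content integrity.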
@@ -77,7 +82,7 @@ func importOCIBlob(ctx context.Context, cs content.Ingester, fs iofs.FS, descrip
 )
 
 // WriteBlob verifies the digest and the size while ingesting
- return content.WriteBlob(ctx, cs, string(descriptor.Digest), r, descriptor)
+ return content.WriteBlob(ctx, cs, ingestRef, r, descriptor)
 }
 
 // this is "docker build" but for "Builder: oci-import"