github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #9765 from AkihiroSuda/remove-schema1

Browse Source 
Disable the support for Schema 1 images
This commit is contained in:
Samuel Karp 2024-02-17 09:20:15 +00:00 committed by GitHub
commit b87d78f456
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 49 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
RELEASES.md
View File

@ -397,17 +397,19 @@ against total impact.
The deprecated features are shown in the following table:
| Component | Deprecation release | Target release for removal | Recommendation |
|----------------------------------------------------------------------------------|---------------------|----------------------------|------------------------------------------|
|----------------------------------------------------------------------------------|---------------------|---------------------------------------|------------------------------------------|
| Runtime V1 API and implementation (`io.containerd.runtime.v1.linux`) | containerd v1.4 | containerd v2.0 ✅ | Use `io.containerd.runc.v2` |
| Runc V1 implementation of Runtime V2 (`io.containerd.runc.v1`) | containerd v1.4 | containerd v2.0 ✅ | Use `io.containerd.runc.v2` |
| Built-in `aufs` snapshotter | containerd v1.5 | containerd v2.0 ✅ | Use `overlayfs` snapshotter |
| Container label `containerd.io/restart.logpath` | containerd v1.5 | containerd v2.0 ✅ | Use `containerd.io/restart.loguri` label |
| `cri-containerd-*.tar.gz` release bundles | containerd v1.6 | containerd v2.0 ✅ | Use `containerd-*.tar.gz` bundles |
| Pulling Schema 1 images (`application/vnd.docker.distribution.manifest.v1+json`) | containerd v1.7 | containerd v2.0 | Use Schema 2 or OCI images |
| Pulling Schema 1 images (`application/vnd.docker.distribution.manifest.v1+json`) | containerd v1.7 | containerd v2.1 (Disabled in v2.0 ✅) | Use Schema 2 or OCI images |
| CRI `v1alpha2` | containerd v1.7 | containerd v2.0 ✅ | Use CRI `v1` |
| Legacy CRI implementation of podsandbox support | containerd v2.0 | containerd v2.0 ✅ | |
| Go-Plugin library (`*.so`) as containerd runtime plugin | containerd v2.0 | containerd v2.1 | Use external plugins (proxy or binary) |
- Pulling Schema 1 images has been disabled in containerd v2.0, but it still can be enabled by setting an environment variable `CONTAINERD_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE=1`
until containerd v2.1. `ctr` users have to specify `--local` too (e.g., `ctr images pull --local`).
### Deprecated config properties
The deprecated properties in [`config.toml`](./docs/cri/config.md) are shown in the following table:

5
client/pull.go
View File

@ -197,7 +197,10 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim
)
if desc.MediaType == images.MediaTypeDockerSchema1Manifest && rCtx.ConvertSchema1 {
schema1Converter := schema1.NewConverter(store, fetcher)
schema1Converter, err := schema1.NewConverter(store, fetcher)
if err != nil {
return images.Image{}, fmt.Errorf("failed to get converter for %q: %w", ref, err)
}
handler = images.Handlers(append(rCtx.BaseHandlers, schema1Converter)...)

22
core/remotes/docker/schema1/converter.go
View File

@ -27,6 +27,7 @@ import (
"errors"
"fmt"
"io"
"os"
"strconv"
"strings"
"sync"
@ -36,6 +37,7 @@ import (
"github.com/containerd/containerd/v2/core/images"
"github.com/containerd/containerd/v2/core/remotes"
"github.com/containerd/containerd/v2/pkg/archive/compression"
"github.com/containerd/containerd/v2/pkg/deprecation"
"github.com/containerd/containerd/v2/pkg/labels"
"github.com/containerd/errdefs"
"github.com/containerd/log"
@ -67,14 +69,30 @@ type Converter struct {
layerBlobs map[digest.Digest]ocispec.Descriptor
}
var ErrDisabled = fmt.Errorf("Pulling Schema 1 images have been deprecated and disabled by default since containerd v2.0. "+
"As a workaround you may set an environment variable `%s=1`, but this will be completely removed in containerd v2.1.",
deprecation.EnvPullSchema1Image)
// NewConverter returns a new converter
func NewConverter(contentStore content.Store, fetcher remotes.Fetcher) *Converter {
func NewConverter(contentStore content.Store, fetcher remotes.Fetcher) (*Converter, error) {
s := os.Getenv(deprecation.EnvPullSchema1Image)
if s == "" {
return nil, ErrDisabled
}
enable, err := strconv.ParseBool(s)
if err != nil {
return nil, fmt.Errorf("failed to parse `%s=%s`: %w", deprecation.EnvPullSchema1Image, s, err)
}
if !enable {
return nil, ErrDisabled
}
log.L.Warn(ErrDisabled)
return &Converter{
contentStore: contentStore,
fetcher: fetcher,
blobMap: map[digest.Digest]blobState{},
layerBlobs: map[digest.Digest]ocispec.Descriptor{},
}
}, nil
}
// Handle fetching descriptors for a docker media type

2
integration/client/client_test.go
View File

@ -40,6 +40,7 @@ import (
"github.com/containerd/containerd/v2/defaults"
imagelist "github.com/containerd/containerd/v2/integration/images"
"github.com/containerd/containerd/v2/internal/testutil"
"github.com/containerd/containerd/v2/pkg/deprecation"
"github.com/containerd/containerd/v2/pkg/namespaces"
"github.com/containerd/errdefs"
"github.com/containerd/log"
@ -422,6 +423,7 @@ func TestImagePullSomePlatforms(t *testing.T) {
}
func TestImagePullSchema1(t *testing.T) {
t.Setenv(deprecation.EnvPullSchema1Image, "1")
client, err := newClient(t, address)
if err != nil {
t.Fatal(err)

2
integration/client/client_unix_test.go
View File

@ -23,6 +23,7 @@ import (
. "github.com/containerd/containerd/v2/client"
"github.com/containerd/containerd/v2/integration/images"
"github.com/containerd/containerd/v2/pkg/deprecation"
"github.com/containerd/platforms"
)
@ -46,6 +47,7 @@ var (
)
func TestImagePullSchema1WithEmptyLayers(t *testing.T) {
t.Setenv(deprecation.EnvPullSchema1Image, "1")
client, err := newClient(t, address)
if err != nil {
t.Fatal(err)

2
integration/containerd_image_test.go
View File

@ -28,6 +28,7 @@ import (
containerd "github.com/containerd/containerd/v2/client"
"github.com/containerd/containerd/v2/integration/images"
"github.com/containerd/containerd/v2/internal/cri/labels"
"github.com/containerd/containerd/v2/pkg/deprecation"
"github.com/containerd/containerd/v2/pkg/namespaces"
"github.com/containerd/errdefs"
"github.com/stretchr/testify/assert"
@ -267,6 +268,7 @@ func TestContainerdSandboxImagePulledOutsideCRI(t *testing.T) {
}
func TestContainerdImageWithDockerSchema1(t *testing.T) {
t.Setenv(deprecation.EnvPullSchema1Image, "1")
if goruntime.GOOS == "windows" {
t.Skip("Skipped on Windows because the test image is not a multi-platform one.")
}

7
pkg/deprecation/deprecation.go
View File

@ -33,8 +33,13 @@ const (
CRIRegistryConfigs Warning = Prefix + "cri-registry-configs"
)
const (
EnvPrefix = "CONTAINERD_ENABLE_DEPRECATED_"
EnvPullSchema1Image = EnvPrefix + "PULL_SCHEMA_1_IMAGE"
)
var messages = map[Warning]string{
PullSchema1Image: "Schema 1 images are deprecated since containerd v1.7 and removed in containerd v2.0. " +
PullSchema1Image: "Schema 1 images are deprecated since containerd v1.7, disabled in containerd v2.0, and will be removed in containerd v2.1. " +
`Since containerd v1.7.8, schema 1 images are identified by the "io.containerd.image/converted-docker-schema1" label.`,
GoPluginLibrary: "Dynamically-linked Go plugins as containerd runtimes are deprecated since containerd v2.0 and removed in containerd v2.1.",
CRIRegistryMirrors: "The `mirrors` property of `[plugins.\"io.containerd.grpc.v1.cri\".registry]` is deprecated since containerd v1.5 and will be removed in containerd v2.0." +