Move diff/windows to plugins/diff/windows

Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-17 09:51:08 -08:00
parent 2d861b6ead
commit d14350376e
4 changed files with 2 additions and 2 deletions
--- a/plugins/diff/windows/cimfs.go
+++ b/plugins/diff/windows/cimfs.go
@@ -0,0 +1,111 @@
+//go:build windows
+// +build windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package windows
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Microsoft/hcsshim/pkg/cimfs"
+	"github.com/containerd/containerd/v2/archive"
+	"github.com/containerd/containerd/v2/core/content"
+	"github.com/containerd/containerd/v2/diff"
+	"github.com/containerd/containerd/v2/errdefs"
+	"github.com/containerd/containerd/v2/metadata"
+	"github.com/containerd/containerd/v2/mount"
+	"github.com/containerd/containerd/v2/platforms"
+	"github.com/containerd/containerd/v2/plugins"
+	"github.com/containerd/plugin"
+	"github.com/containerd/plugin/registry"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func init() {
+	registry.Register(&plugin.Registration{
+		Type: plugins.DiffPlugin,
+		ID:   "cimfs",
+		Requires: []plugin.Type{
+			plugins.MetadataPlugin,
+		},
+		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+			md, err := ic.GetSingle(plugins.MetadataPlugin)
+			if err != nil {
+				return nil, err
+			}
+
+			if !cimfs.IsCimFSSupported() {
+				return nil, fmt.Errorf("host windows version doesn't support CimFS: %w", plugin.ErrSkipPlugin)
+			}
+			ic.Meta.Platforms = append(ic.Meta.Platforms, platforms.DefaultSpec())
+			return NewCimDiff(md.(*metadata.DB).ContentStore())
+		},
+	})
+}
+
+// cimDiff does filesystem comparison and application
+// for CimFS specific layer diffs.
+type cimDiff struct {
+	store content.Store
+}
+
+// NewCimDiff is the Windows cim container layer implementation
+// for comparing and applying filesystem layers
+func NewCimDiff(store content.Store) (CompareApplier, error) {
+	return cimDiff{
+		store: store,
+	}, nil
+}
+
+// Apply applies the content associated with the provided digests onto the
+// provided mounts. Archive content will be extracted and decompressed if
+// necessary.
+func (c cimDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mounts []mount.Mount, opts ...diff.ApplyOpt) (d ocispec.Descriptor, err error) {
+	layer, parentLayerPaths, err := cimMountsToLayerAndParents(mounts)
+	if err != nil {
+		return emptyDesc, err
+	}
+	return applyDiffCommon(ctx, c.store, desc, layer, parentLayerPaths, archive.AsCimContainerLayer(), opts...)
+}
+
+// Compare creates a diff between the given mounts and uploads the result
+// to the content store.
+func (c cimDiff) Compare(ctx context.Context, lower, upper []mount.Mount, opts ...diff.Opt) (d ocispec.Descriptor, err error) {
+	// support for generating layer diff of cimfs layers will be added later.
+	return emptyDesc, errdefs.ErrNotImplemented
+}
+
+func cimMountsToLayerAndParents(mounts []mount.Mount) (string, []string, error) {
+	if len(mounts) != 1 {
+		return "", nil, fmt.Errorf("%w: number of mounts should always be 1 for Windows layers", errdefs.ErrInvalidArgument)
+	}
+	mnt := mounts[0]
+	if mnt.Type != "CimFS" {
+		// This is a special case error. When this is received the diff service
+		// will attempt the next differ in the chain.
+		return "", nil, errdefs.ErrNotImplemented
+	}
+
+	parentLayerPaths, err := mnt.GetParentPaths()
+	if err != nil {
+		return "", nil, err
+	}
+
+	return mnt.Source, parentLayerPaths, nil
+}
--- a/plugins/diff/windows/windows.go
+++ b/plugins/diff/windows/windows.go
@@ -0,0 +1,410 @@
+//go:build windows
+// +build windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package windows
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/containerd/containerd/v2/archive"
+	"github.com/containerd/containerd/v2/archive/compression"
+	"github.com/containerd/containerd/v2/core/content"
+	"github.com/containerd/containerd/v2/diff"
+	"github.com/containerd/containerd/v2/errdefs"
+	"github.com/containerd/containerd/v2/labels"
+	"github.com/containerd/containerd/v2/metadata"
+	"github.com/containerd/containerd/v2/mount"
+	"github.com/containerd/containerd/v2/pkg/epoch"
+	"github.com/containerd/containerd/v2/platforms"
+	"github.com/containerd/containerd/v2/plugins"
+	"github.com/containerd/log"
+	"github.com/containerd/plugin"
+	"github.com/containerd/plugin/registry"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func init() {
+	registry.Register(&plugin.Registration{
+		Type: plugins.DiffPlugin,
+		ID:   "windows",
+		Requires: []plugin.Type{
+			plugins.MetadataPlugin,
+		},
+		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+			md, err := ic.GetSingle(plugins.MetadataPlugin)
+			if err != nil {
+				return nil, err
+			}
+
+			ic.Meta.Platforms = append(ic.Meta.Platforms, platforms.DefaultSpec())
+			return NewWindowsDiff(md.(*metadata.DB).ContentStore())
+		},
+	})
+}
+
+// CompareApplier handles both comparison and
+// application of layer diffs.
+type CompareApplier interface {
+	diff.Applier
+	diff.Comparer
+}
+
+// windowsDiff does filesystem comparison and application
+// for Windows specific layer diffs.
+type windowsDiff struct {
+	store content.Store
+}
+
+var emptyDesc = ocispec.Descriptor{}
+
+// NewWindowsDiff is the Windows container layer implementation
+// for comparing and applying filesystem layers
+func NewWindowsDiff(store content.Store) (CompareApplier, error) {
+	return windowsDiff{
+		store: store,
+	}, nil
+}
+
+// applyDiffCommon is a common function that is called by both windows & cimfs differs.
+func applyDiffCommon(ctx context.Context, store content.Store, desc ocispec.Descriptor, layerPath string, parentLayerPaths []string, applyOpt archive.ApplyOpt, opts ...diff.ApplyOpt) (d ocispec.Descriptor, err error) {
+	t1 := time.Now()
+	defer func() {
+		if err == nil {
+			log.G(ctx).WithFields(log.Fields{
+				"d":      time.Since(t1),
+				"digest": desc.Digest,
+				"size":   desc.Size,
+				"media":  desc.MediaType,
+			}).Debug("diff applied")
+		}
+	}()
+
+	var config diff.ApplyConfig
+	for _, o := range opts {
+		if err := o(ctx, desc, &config); err != nil {
+			return emptyDesc, fmt.Errorf("failed to apply config opt: %w", err)
+		}
+	}
+
+	ra, err := store.ReaderAt(ctx, desc)
+	if err != nil {
+		return emptyDesc, fmt.Errorf("failed to get reader from content store: %w", err)
+	}
+	defer ra.Close()
+
+	processor := diff.NewProcessorChain(desc.MediaType, content.NewReader(ra))
+	for {
+		if processor, err = diff.GetProcessor(ctx, processor, config.ProcessorPayloads); err != nil {
+			return emptyDesc, fmt.Errorf("failed to get stream processor for %s: %w", desc.MediaType, err)
+		}
+		if processor.MediaType() == ocispec.MediaTypeImageLayer {
+			break
+		}
+	}
+	defer processor.Close()
+
+	digester := digest.Canonical.Digester()
+	rc := &readCounter{
+		r: io.TeeReader(processor, digester.Hash()),
+	}
+
+	archiveOpts := []archive.ApplyOpt{
+		archive.WithParents(parentLayerPaths),
+		archive.WithNoSameOwner(), // Lchown is not supported on Windows
+		applyOpt,
+	}
+
+	if _, err := archive.Apply(ctx, layerPath, rc, archiveOpts...); err != nil {
+		return emptyDesc, err
+	}
+
+	// Read any trailing data
+	if _, err := io.Copy(io.Discard, rc); err != nil {
+		return emptyDesc, err
+	}
+
+	return ocispec.Descriptor{
+		MediaType: ocispec.MediaTypeImageLayer,
+		Size:      rc.c,
+		Digest:    digester.Digest(),
+	}, nil
+}
+
+// Apply applies the content associated with the provided digests onto the
+// provided mounts. Archive content will be extracted and decompressed if
+// necessary.
+func (s windowsDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mounts []mount.Mount, opts ...diff.ApplyOpt) (d ocispec.Descriptor, err error) {
+	layer, parentLayerPaths, err := mountsToLayerAndParents(mounts)
+	if err != nil {
+		return emptyDesc, err
+	}
+
+	// TODO darrenstahlmsft: When this is done isolated, we should disable these.
+	// it currently cannot be disabled, unless we add ref counting. Since this is
+	// temporary, leaving it enabled is OK for now.
+	// https://github.com/containerd/containerd/issues/1681
+	if err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
+		return emptyDesc, err
+	}
+
+	return applyDiffCommon(ctx, s.store, desc, layer, parentLayerPaths, archive.AsWindowsContainerLayer(), opts...)
+}
+
+// Compare creates a diff between the given mounts and uploads the result
+// to the content store.
+func (s windowsDiff) Compare(ctx context.Context, lower, upper []mount.Mount, opts ...diff.Opt) (d ocispec.Descriptor, err error) {
+	t1 := time.Now()
+
+	var config diff.Config
+	for _, opt := range opts {
+		if err := opt(&config); err != nil {
+			return emptyDesc, err
+		}
+	}
+	if tm := epoch.FromContext(ctx); tm != nil && config.SourceDateEpoch == nil {
+		config.SourceDateEpoch = tm
+	}
+
+	layers, err := mountPairToLayerStack(lower, upper)
+	if err != nil {
+		return emptyDesc, err
+	}
+
+	if config.MediaType == "" {
+		config.MediaType = ocispec.MediaTypeImageLayerGzip
+	}
+
+	var isCompressed bool
+	switch config.MediaType {
+	case ocispec.MediaTypeImageLayer:
+	case ocispec.MediaTypeImageLayerGzip:
+		isCompressed = true
+	default:
+		return emptyDesc, fmt.Errorf("unsupported diff media type: %v: %w", config.MediaType, errdefs.ErrNotImplemented)
+	}
+
+	newReference := false
+	if config.Reference == "" {
+		newReference = true
+		config.Reference = uniqueRef()
+	}
+
+	cw, err := s.store.Writer(ctx, content.WithRef(config.Reference), content.WithDescriptor(ocispec.Descriptor{
+		MediaType: config.MediaType,
+	}))
+
+	if err != nil {
+		return emptyDesc, fmt.Errorf("failed to open writer: %w", err)
+	}
+
+	defer func() {
+		if err != nil {
+			cw.Close()
+			if newReference {
+				if abortErr := s.store.Abort(ctx, config.Reference); abortErr != nil {
+					log.G(ctx).WithError(abortErr).WithField("ref", config.Reference).Warnf("failed to delete diff upload")
+				}
+			}
+		}
+	}()
+
+	if !newReference {
+		if err = cw.Truncate(0); err != nil {
+			return emptyDesc, err
+		}
+	}
+
+	// TODO darrenstahlmsft: When this is done isolated, we should disable this.
+	// it currently cannot be disabled, unless we add ref counting. Since this is
+	// temporary, leaving it enabled is OK for now.
+	// https://github.com/containerd/containerd/issues/1681
+	if err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege}); err != nil {
+		return emptyDesc, err
+	}
+
+	if isCompressed {
+		dgstr := digest.SHA256.Digester()
+		var compressed io.WriteCloser
+		compressed, err = compression.CompressStream(cw, compression.Gzip)
+		if err != nil {
+			return emptyDesc, fmt.Errorf("failed to get compressed stream: %w", err)
+		}
+		err = archive.WriteDiff(ctx, io.MultiWriter(compressed, dgstr.Hash()), "", layers[0], archive.AsWindowsContainerLayerPair(), archive.WithParentLayers(layers[1:]))
+		compressed.Close()
+		if err != nil {
+			return emptyDesc, fmt.Errorf("failed to write compressed diff: %w", err)
+		}
+
+		if config.Labels == nil {
+			config.Labels = map[string]string{}
+		}
+		config.Labels[labels.LabelUncompressed] = dgstr.Digest().String()
+	} else {
+		if err = archive.WriteDiff(ctx, cw, "", layers[0], archive.AsWindowsContainerLayerPair(), archive.WithParentLayers(layers[1:])); err != nil {
+			return emptyDesc, fmt.Errorf("failed to write diff: %w", err)
+		}
+	}
+
+	var commitopts []content.Opt
+	if config.Labels != nil {
+		commitopts = append(commitopts, content.WithLabels(config.Labels))
+	}
+
+	dgst := cw.Digest()
+	if err := cw.Commit(ctx, 0, dgst, commitopts...); err != nil {
+		if !errdefs.IsAlreadyExists(err) {
+			return emptyDesc, fmt.Errorf("failed to commit: %w", err)
+		}
+	}
+
+	info, err := s.store.Info(ctx, dgst)
+	if err != nil {
+		return emptyDesc, fmt.Errorf("failed to get info from content store: %w", err)
+	}
+	if info.Labels == nil {
+		info.Labels = make(map[string]string)
+	}
+	// Set "containerd.io/uncompressed" label if digest already existed without label
+	if _, ok := info.Labels[labels.LabelUncompressed]; !ok {
+		info.Labels[labels.LabelUncompressed] = config.Labels[labels.LabelUncompressed]
+		if _, err := s.store.Update(ctx, info, "labels."+labels.LabelUncompressed); err != nil {
+			return emptyDesc, fmt.Errorf("error setting uncompressed label: %w", err)
+		}
+	}
+
+	desc := ocispec.Descriptor{
+		MediaType: config.MediaType,
+		Size:      info.Size,
+		Digest:    info.Digest,
+	}
+
+	log.G(ctx).WithFields(log.Fields{
+		"d":     time.Since(t1),
+		"dgst":  desc.Digest,
+		"size":  desc.Size,
+		"media": desc.MediaType,
+	}).Debug("diff created")
+
+	return desc, nil
+}
+
+type readCounter struct {
+	r io.Reader
+	c int64
+}
+
+func (rc *readCounter) Read(p []byte) (n int, err error) {
+	n, err = rc.r.Read(p)
+	rc.c += int64(n)
+	return
+}
+
+func mountsToLayerAndParents(mounts []mount.Mount) (string, []string, error) {
+	if len(mounts) != 1 {
+		return "", nil, fmt.Errorf("number of mounts should always be 1 for Windows layers: %w", errdefs.ErrInvalidArgument)
+	}
+	mnt := mounts[0]
+
+	if mnt.Type != "windows-layer" {
+		// This is a special case error. When this is received the diff service
+		// will attempt the next differ in the chain which for Windows is the
+		// lcow differ that we want.
+		return "", nil, fmt.Errorf("windowsDiff does not support layer type %s: %w", mnt.Type, errdefs.ErrNotImplemented)
+	}
+
+	parentLayerPaths, err := mnt.GetParentPaths()
+	if err != nil {
+		return "", nil, err
+	}
+
+	if mnt.ReadOnly() {
+		if len(parentLayerPaths) == 0 {
+			// rootfs.CreateDiff creates a new, empty View to diff against,
+			// when diffing something with no parent.
+			// This makes perfect sense for a walking Diff, but for WCOW,
+			// we have to recognise this as "diff against nothing"
+			return "", nil, nil
+		}
+		// Ignore the dummy sandbox.
+		return parentLayerPaths[0], parentLayerPaths[1:], nil
+	}
+	return mnt.Source, parentLayerPaths, nil
+}
+
+// mountPairToLayerStack ensures that the two sets of mount-lists are actually a correct
+// parent-and-child, or orphan-and-empty-list, and return the full list of layers, starting
+// with the upper-most (most childish?)
+func mountPairToLayerStack(lower, upper []mount.Mount) ([]string, error) {
+
+	// May return an ErrNotImplemented, which will fall back to LCOW
+	upperLayer, upperParentLayerPaths, err := mountsToLayerAndParents(upper)
+	if err != nil {
+		return nil, fmt.Errorf("Upper mount invalid: %w", err)
+	}
+
+	lowerLayer, lowerParentLayerPaths, err := mountsToLayerAndParents(lower)
+	if errdefs.IsNotImplemented(err) {
+		// Upper was a windows-layer, lower is not. We can't handle that.
+		return nil, fmt.Errorf("windowsDiff cannot diff a windows-layer against a non-windows-layer: %w", errdefs.ErrInvalidArgument)
+	} else if err != nil {
+		return nil, fmt.Errorf("Lower mount invalid: %w", err)
+	}
+
+	// Trivial case, diff-against-nothing
+	if lowerLayer == "" {
+		if len(upperParentLayerPaths) != 0 {
+			return nil, fmt.Errorf("windowsDiff cannot diff a layer with parents against a null layer: %w", errdefs.ErrInvalidArgument)
+		}
+		return []string{upperLayer}, nil
+	}
+
+	if len(upperParentLayerPaths) < 1 {
+		return nil, fmt.Errorf("windowsDiff cannot diff a layer with no parents against another layer: %w", errdefs.ErrInvalidArgument)
+	}
+
+	if upperParentLayerPaths[0] != lowerLayer {
+		return nil, fmt.Errorf("windowsDiff cannot diff a layer against a layer other than its own parent: %w", errdefs.ErrInvalidArgument)
+	}
+
+	if len(upperParentLayerPaths) != len(lowerParentLayerPaths)+1 {
+		return nil, fmt.Errorf("windowsDiff cannot diff a layer against a layer with different parents: %w", errdefs.ErrInvalidArgument)
+	}
+	for i, upperParent := range upperParentLayerPaths[1:] {
+		if upperParent != lowerParentLayerPaths[i] {
+			return nil, fmt.Errorf("windowsDiff cannot diff a layer against a layer with different parents: %w", errdefs.ErrInvalidArgument)
+		}
+	}
+
+	return append([]string{upperLayer}, upperParentLayerPaths...), nil
+}
+
+func uniqueRef() string {
+	t := time.Now()
+	var b [3]byte
+	// Ignore read failures, just decreases uniqueness
+	rand.Read(b[:])
+	return fmt.Sprintf("%d-%s", t.UnixNano(), base64.URLEncoding.EncodeToString(b[:]))
+}