From d4b9dade1382875712099964c413f4277a3257c4 Mon Sep 17 00:00:00 2001 From: Justin Terry Date: Wed, 5 Oct 2022 15:11:35 -0700 Subject: [PATCH] Updates oci image config to support upstream ArgsEscaped ArgsEscaped has now been merged into upstream OCI image spec. This change removes the workaround we were doing in containerd to deserialize the extra json outside of the spec and instead just uses the formal spec types. Signed-off-by: Justin Terry --- go.mod | 2 +- go.sum | 5 +- integration/client/go.mod | 2 +- integration/client/go.sum | 4 +- oci/spec_opts.go | 18 +----- oci/spec_opts_windows_test.go | 64 ++++++------------- .../image-spec/specs-go/v1/annotations.go | 9 +++ .../image-spec/specs-go/v1/artifact.go | 34 ++++++++++ .../image-spec/specs-go/v1/config.go | 9 +++ .../image-spec/specs-go/v1/descriptor.go | 5 +- .../image-spec/specs-go/v1/manifest.go | 5 +- .../image-spec/specs-go/v1/mediatype.go | 3 + .../image-spec/specs-go/version.go | 4 +- vendor/modules.txt | 4 +- 14 files changed, 95 insertions(+), 73 deletions(-) create mode 100644 vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go diff --git a/go.mod b/go.mod index 8fbbc6c82..da8d14ea4 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( github.com/moby/sys/signal v0.7.0 github.com/moby/sys/symlink v0.2.0 github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 + github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b github.com/opencontainers/runc v1.1.4 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/opencontainers/selinux v1.10.1 diff --git a/go.sum b/go.sum index 7d2b46944..2fe161778 100644 --- a/go.sum +++ b/go.sum @@ -759,8 +759,8 @@ github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs= -github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs= +github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8= +github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= @@ -846,7 +846,6 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k= -github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= diff --git a/integration/client/go.mod b/integration/client/go.mod index 5d3e5dfec..b3c66806b 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -12,7 +12,7 @@ require ( github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 github.com/gogo/protobuf v1.3.2 // indirect github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 + github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.8.0 diff --git a/integration/client/go.sum b/integration/client/go.sum index 0f639f34e..051ec8fde 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum @@ -530,8 +530,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs= -github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs= +github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8= +github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= diff --git a/oci/spec_opts.go b/oci/spec_opts.go index f42bf781d..8adb59180 100644 --- a/oci/spec_opts.go +++ b/oci/spec_opts.go @@ -406,22 +406,6 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts { // even if there is no specified user in the image config return WithAdditionalGIDs("root")(ctx, client, c, s) } else if s.Windows != nil { - // imageExtended is a superset of the oci Image struct that changes - // the Config type to be imageConfigExtended in order to add the - // ability to deserialize `ArgsEscaped` which is not an OCI field, - // but is supported by Docker built images. - type imageExtended struct { - Config struct { - ArgsEscaped bool `json:"ArgsEscaped,omitempty"` - } - } - // Deserialize the extended image format for Windows. - var ociImageExtended imageExtended - if err := json.Unmarshal(imageConfigBytes, &ociImageExtended); err != nil { - return err - } - argsEscaped := ociImageExtended.Config.ArgsEscaped - s.Process.Env = replaceOrAppendEnvValues(config.Env, s.Process.Env) // To support Docker ArgsEscaped on Windows we need to combine the @@ -462,7 +446,7 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts { return errors.New("no arguments specified") } - if argsEscaped && (len(config.Entrypoint) > 0 || cmdFromImage) { + if config.ArgsEscaped && (len(config.Entrypoint) > 0 || cmdFromImage) { s.Process.Args = nil s.Process.CommandLine = cmd[0] if len(cmd) > 1 { diff --git a/oci/spec_opts_windows_test.go b/oci/spec_opts_windows_test.go index eea6aacb8..26466704c 100644 --- a/oci/spec_opts_windows_test.go +++ b/oci/spec_opts_windows_test.go @@ -18,13 +18,11 @@ package oci import ( "context" - "encoding/json" "testing" "github.com/containerd/containerd/containers" "github.com/containerd/containerd/namespaces" - "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/opencontainers/runtime-spec/specs-go" ) @@ -114,36 +112,6 @@ func TestWithWindowNetworksAllowUnqualifiedDNSQuery(t *testing.T) { } } -func newFakeArgsEscapedImage(config ocispec.ImageConfig) (Image, error) { - type imageExtended struct { - Config struct { - ocispec.ImageConfig - ArgsEscaped bool `json:"ArgsEscaped,omitempty"` - } - } - - // Copy to extended format. - configExtended := imageExtended{} - configExtended.Config.ImageConfig = config - configExtended.Config.ArgsEscaped = true - - configBlob, err := json.Marshal(configExtended) - if err != nil { - return nil, err - } - configDescriptor := ocispec.Descriptor{ - MediaType: ocispec.MediaTypeImageConfig, - Digest: digest.NewDigestFromBytes(digest.SHA256, configBlob), - } - - return fakeImage{ - config: configDescriptor, - blobs: map[string]blob{ - configDescriptor.Digest.String(): configBlob, - }, - }, nil -} - // TestWithProcessArgsOverwritesWithImage verifies that when calling // WithImageConfig followed by WithProcessArgs when `ArgsEscaped==false` that // the process args overwrite the image args. @@ -152,8 +120,9 @@ func TestWithProcessArgsOverwritesWithImage(t *testing.T) { img, err := newFakeImage(ocispec.Image{ Config: ocispec.ImageConfig{ - Entrypoint: []string{"powershell.exe", "-Command", "Write-Host Hello"}, - Cmd: []string{"cmd.exe", "/S", "/C", "echo Hello"}, + Entrypoint: []string{"powershell.exe", "-Command", "Write-Host Hello"}, + Cmd: []string{"cmd.exe", "/S", "/C", "echo Hello"}, + ArgsEscaped: false, }, }) if err != nil { @@ -192,9 +161,12 @@ func TestWithProcessArgsOverwritesWithImage(t *testing.T) { func TestWithProcessArgsOverwritesWithImageArgsEscaped(t *testing.T) { t.Parallel() - img, err := newFakeArgsEscapedImage(ocispec.ImageConfig{ - Entrypoint: []string{`powershell.exe -Command "C:\My Data\MyExe.exe" -arg1 "-arg2 value2"`}, - Cmd: []string{`cmd.exe /S /C "C:\test path\test.exe"`}, + img, err := newFakeImage(ocispec.Image{ + Config: ocispec.ImageConfig{ + Entrypoint: []string{`powershell.exe -Command "C:\My Data\MyExe.exe" -arg1 "-arg2 value2"`}, + Cmd: []string{`cmd.exe /S /C "C:\test path\test.exe"`}, + ArgsEscaped: true, + }, }) if err != nil { t.Fatal(err) @@ -274,9 +246,12 @@ func TestWithImageOverwritesWithProcessArgs(t *testing.T) { func TestWithImageArgsEscapedOverwritesWithProcessArgs(t *testing.T) { t.Parallel() - img, err := newFakeArgsEscapedImage(ocispec.ImageConfig{ - Entrypoint: []string{`powershell.exe -Command "C:\My Data\MyExe.exe" -arg1 "-arg2 value2"`}, - Cmd: []string{`cmd.exe /S /C "C:\test path\test.exe"`}, + img, err := newFakeImage(ocispec.Image{ + Config: ocispec.ImageConfig{ + Entrypoint: []string{`powershell.exe -Command "C:\My Data\MyExe.exe" -arg1 "-arg2 value2"`}, + Cmd: []string{`cmd.exe /S /C "C:\test path\test.exe"`}, + ArgsEscaped: true, + }, }) if err != nil { t.Fatal(err) @@ -510,9 +485,12 @@ func TestWithImageConfigArgsEscapedWindows(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - img, err := newFakeArgsEscapedImage(ocispec.ImageConfig{ - Entrypoint: tc.entrypoint, - Cmd: tc.cmd, + img, err := newFakeImage(ocispec.Image{ + Config: ocispec.ImageConfig{ + Entrypoint: tc.entrypoint, + Cmd: tc.cmd, + ArgsEscaped: true, + }, }) if err != nil { t.Fatal(err) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go index 581cf7cdf..6f9e6fd3a 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go @@ -59,4 +59,13 @@ const ( // AnnotationBaseImageName is the annotation key for the image reference of the image's base image. AnnotationBaseImageName = "org.opencontainers.image.base.name" + + // AnnotationArtifactCreated is the annotation key for the date and time on which the artifact was built, conforming to RFC 3339. + AnnotationArtifactCreated = "org.opencontainers.artifact.created" + + // AnnotationArtifactDescription is the annotation key for the human readable description for the artifact. + AnnotationArtifactDescription = "org.opencontainers.artifact.description" + + // AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing. + AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied" ) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go new file mode 100644 index 000000000..03d76ce43 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go @@ -0,0 +1,34 @@ +// Copyright 2022 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +// Artifact describes an artifact manifest. +// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON. +type Artifact struct { + // MediaType is the media type of the object this schema refers to. + MediaType string `json:"mediaType"` + + // ArtifactType is the IANA media type of the artifact this schema refers to. + ArtifactType string `json:"artifactType"` + + // Blobs is a collection of blobs referenced by this manifest. + Blobs []Descriptor `json:"blobs,omitempty"` + + // Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest. + Subject *Descriptor `json:"subject,omitempty"` + + // Annotations contains arbitrary metadata for the artifact manifest. + Annotations map[string]string `json:"annotations,omitempty"` +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go index ffff4b6d1..e6aa113f0 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go @@ -48,6 +48,15 @@ type ImageConfig struct { // StopSignal contains the system call signal that will be sent to the container to exit. StopSignal string `json:"StopSignal,omitempty"` + + // ArgsEscaped `[Deprecated]` - This field is present only for legacy + // compatibility with Docker and should not be used by new image builders. + // It is used by Docker for Windows images to indicate that the `Entrypoint` + // or `Cmd` or both, contains only a single element array, that is a + // pre-escaped, and combined into a single string `CommandLine`. If `true` + // the value in `Entrypoint` or `Cmd` should be used as-is to avoid double + // escaping. + ArgsEscaped bool `json:"ArgsEscaped,omitempty"` } // RootFS describes a layer content addresses diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go index 94f19be62..9654aa5af 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go @@ -1,4 +1,4 @@ -// Copyright 2016 The Linux Foundation +// Copyright 2016-2022 The Linux Foundation // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -44,6 +44,9 @@ type Descriptor struct { // // This should only be used when referring to a manifest. Platform *Platform `json:"platform,omitempty"` + + // ArtifactType is the IANA media type of this artifact. + ArtifactType string `json:"artifactType,omitempty"` } // Platform describes the platform which the image in the manifest runs on. diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go index 8212d520c..730a09359 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go @@ -1,4 +1,4 @@ -// Copyright 2016 The Linux Foundation +// Copyright 2016-2022 The Linux Foundation // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -30,6 +30,9 @@ type Manifest struct { // Layers is an indexed list of layers referenced by the manifest. Layers []Descriptor `json:"layers"` + // Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest. + Subject *Descriptor `json:"subject,omitempty"` + // Annotations contains arbitrary metadata for the image manifest. Annotations map[string]string `json:"annotations,omitempty"` } diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go index 4f35ac134..935b481e3 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go @@ -54,4 +54,7 @@ const ( // MediaTypeImageConfig specifies the media type for the image configuration. MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json" + + // MediaTypeArtifactManifest specifies the media type for a content descriptor. + MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json" ) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/version.go b/vendor/github.com/opencontainers/image-spec/specs-go/version.go index 31f99cf64..1afd590fe 100644 --- a/vendor/github.com/opencontainers/image-spec/specs-go/version.go +++ b/vendor/github.com/opencontainers/image-spec/specs-go/version.go @@ -20,9 +20,9 @@ const ( // VersionMajor is for an API incompatible changes VersionMajor = 1 // VersionMinor is for functionality in a backwards-compatible manner - VersionMinor = 0 + VersionMinor = 1 // VersionPatch is for backwards-compatible bug fixes - VersionPatch = 2 + VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. VersionDev = "-dev" diff --git a/vendor/modules.txt b/vendor/modules.txt index 149eca80d..d706c7130 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -322,8 +322,8 @@ github.com/modern-go/reflect2 ## explicit; go 1.13 github.com/opencontainers/go-digest github.com/opencontainers/go-digest/digestset -# github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 -## explicit; go 1.16 +# github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b +## explicit; go 1.17 github.com/opencontainers/image-spec/identity github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1