Support CRI configuration to allow for request-time rewrite rules
applicable only to the repository portion of resource paths when pulling
images. Because the rewrites are applied at request time, images
themselves will not be "rewritten" -- images as stored by CRI (and the
underlying containerd facility) will continue to present as normal.
As an example, if you use the following config for your containerd:
```toml
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io/v2"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
"^library/(.*)" = "my-org/$1"
```
And then subsequently invoke `crictl pull alpine:3.13` it will pull
content from `docker.io/my-org/alpine:3.13` but still show up as
`docker.io/library/alpine:3.13` in the `crictl images` listing.
This commit has been reworked from the original implementation. Rewrites
are now done when resolving instead of when building the request, so
that auth token scopes stored in the context properly reflect the
rewritten repository path. For the original implementation, see
06c4ea9baec2b278b8172a789bf601168292f645.
Ref: https://github.com/k3s-io/k3s/issues/11191#issuecomment-2455525773
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
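As an added illustration of the semantics described in this commit message (example code written for this page, not containerd's or k3s's own implementation), the Go program below models a rewrite table keyed by mirror host, applies the `"^library/(.*)" = "my-org/$1"` rule only to the repository portion of a reference, and leaves host, tag and digest untouched. It assumes Go regexp expansion syntax for the replacement (so `$1` behaves as in the TOML above), first-match-wins rule ordering, and the usual Docker Hub normalization of bare names (`alpine:3.13` becomes `docker.io/library/alpine:3.13`); the digest value used is a constructed placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rewriteRule is one `"pattern" = "replacement"` entry of a
// [...registry.mirrors."<host>".rewrite] table. Assumption: patterns are Go
// regexps and the replacement uses Go's "$1" expansion syntax.
type rewriteRule struct {
	pattern     *regexp.Regexp
	replacement string
}

// compileRules keeps the rules in the order given, so the first match wins
// deterministically (a map would iterate in random order).
func compileRules(table [][2]string) ([]rewriteRule, error) {
	rules := make([]rewriteRule, 0, len(table))
	for _, entry := range table {
		re, err := regexp.Compile(entry[0])
		if err != nil {
			return nil, fmt.Errorf("rewrite rule %q: %w", entry[0], err)
		}
		rules = append(rules, rewriteRule{pattern: re, replacement: entry[1]})
	}
	return rules, nil
}

// parsedRef holds the pieces of "host/repository[:tag][@digest]".
type parsedRef struct {
	host, repo, tag, digest string
}

// normalize splits a reference and applies Docker Hub conventions: no host
// means docker.io, and a single-component repository on docker.io gets the
// "library/" prefix. This is the name CRI keeps for the image listing.
func normalize(ref string) parsedRef {
	var p parsedRef
	if i := strings.Index(ref, "@"); i >= 0 {
		p.digest, ref = ref[i+1:], ref[:i]
	}
	// A tag separator is a ':' after the last '/', so a registry port
	// such as localhost:5000 is not mistaken for a tag.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		p.tag, ref = ref[i+1:], ref[:i]
	}
	first, rest, found := strings.Cut(ref, "/")
	if found && (strings.ContainsAny(first, ".:") || first == "localhost") {
		p.host, p.repo = first, rest
	} else {
		p.host, p.repo = "docker.io", ref
	}
	if p.host == "docker.io" && !strings.Contains(p.repo, "/") {
		p.repo = "library/" + p.repo
	}
	return p
}

func (p parsedRef) String() string {
	s := p.host + "/" + p.repo
	if p.tag != "" {
		s += ":" + p.tag
	}
	if p.digest != "" {
		s += "@" + p.digest
	}
	return s
}

// rewriteRepository passes only the repository portion through the rules;
// host, tag and digest are returned unchanged, which is why the pulled image
// still shows up under its original name.
func rewriteRepository(p parsedRef, rules []rewriteRule) parsedRef {
	for _, r := range rules {
		if r.pattern.MatchString(p.repo) {
			p.repo = r.pattern.ReplaceAllString(p.repo, r.replacement)
			break
		}
	}
	return p
}

// pullTarget returns the reference a pull would actually request for ref,
// using the rewrite rules configured for the reference's host (if any).
func pullTarget(ref string, rulesByHost map[string][]rewriteRule) string {
	p := normalize(ref)
	return rewriteRepository(p, rulesByHost[p.host]).String()
}

func main() {
	rules, err := compileRules([][2]string{{"^library/(.*)", "my-org/$1"}})
	if err != nil {
		panic(err)
	}
	byHost := map[string][]rewriteRule{"docker.io": rules}
	for _, ref := range []string{"alpine:3.13", "myrepo/app:1.0", "localhost:5000/alpine:3.13"} {
		fmt.Printf("%-30s listed as %-32s pulled from %s\n",
			ref, normalize(ref), pullTarget(ref, byHost))
	}
}
```

Because rules are scoped to the mirror host they are declared under, a reference pointing at a different registry (the `localhost:5000` case above) is never touched by the `docker.io` table, and a digest reference keeps its digest, so the content pulled is still verified against what the caller asked for.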
use go1.23.8 as the default go version for running in CI and making
release binaries.
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
(cherry picked from commit 6f93c65f52c9e1c5e25595429fd50ce2e5da6843)
Signed-off-by: Derek McGowan <derek@mcg.dev>
- go1.23.8 (released 2025-04-01) includes security fixes to the net/http
package, as well as bug fixes to the runtime and the go command.
Ref: https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
- go1.24.2 (released 2025-04-01) includes security fixes to the net/http
package, as well as bug fixes to the compiler, the runtime, the go
command, and the crypto/tls, go/types, net/http, and testing packages.
Ref: https://github.com/golang/go/issues?q=milestone%3AGo1.24.2+label%3ACherryPickApproved
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
(cherry picked from commit 5629e9fff7de69a36f5f563d41966aa562866258)
Signed-off-by: Derek McGowan <derek@mcg.dev>
Due to current 100% failure rate on arm64 with the current OS image, disable criu testing for now
Signed-off-by: Phil Estes <estesp@amazon.com>
(cherry picked from commit 9ca6a7ee0aa0ea8added551dd16e00b2102fdea4)
Signed-off-by: Derek McGowan <derek@mcg.dev>
Prevent a panic in the Docker pusher pushWriter, by checking that
the pipe is non-nil before attempting to use it.
The panic was found by Moby issue #46746 (https://github.com/moby/moby/issues/46746).
With this fix the panic no longer reproduces.
Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
Don't produce `reference for unknown type: application/vnd.in-toto+json`
warning logs when pushing/fetching an image containing the attestation
manifests.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Before this patch, calling `image.Children` on an image built with
BuildKit would produce unnecessary `encountered unknown type
application/vnd.in-toto+json; children may not be fetched` debug logs,
because the media type is neither a known layer nor config type.
Make the `image.Children` aware of the attestation layers and don't
attempt to traverse them.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Fix the gRPC client dialer not using the timeout passed by the
containerd client timeout option.
Commit 63b4688175 replaced the usage of deprecated `grpc.DialContext`
with `grpc.NewClient`.
However, the `dialer.ContextDialer` relied on the context deadline to
propagate the timeout:
388fb336b0/vendor/google.golang.org/grpc/clientconn.go (L216)
This assumption is now broken, because `grpc.NewClient` doesn't do any
initial connection and defers it to the first RPC usage.
This commit passes the timeout via the `MinConnectTimeout` grpc
connection param, which will be applied to **every** connection attempt
(not just the first).
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>