vendor: Update osbuild/images to commit dd48a38be218

This is needed for the test_distro.NewTestDistro change.
2023-09-15 08:18:06 -07:00 · 2023-09-15 08:18:06 -07:00 · 1b65f15449
commit 1b65f15449
parent eab16830aa
345 changed files with 276130 additions and 14546 deletions
--- a/vendor/github.com/containers/image/v5/internal/blobinfocache/blobinfocache.go
+++ b/vendor/github.com/containers/image/v5/internal/blobinfocache/blobinfocache.go
@ -23,6 +23,12 @@ type v1OnlyBlobInfoCache struct {
 	types.BlobInfoCache
 }

+func (bic *v1OnlyBlobInfoCache) Open() {
+}
+
+func (bic *v1OnlyBlobInfoCache) Close() {
+}
+
 func (bic *v1OnlyBlobInfoCache) RecordDigestCompressorName(anyDigest digest.Digest, compressorName string) {
 }

--- a/vendor/github.com/containers/image/v5/internal/blobinfocache/types.go
+++ b/vendor/github.com/containers/image/v5/internal/blobinfocache/types.go
@ -18,6 +18,13 @@ const (
 // of compression was applied to the blobs it keeps information about.
 type BlobInfoCache2 interface {
 	types.BlobInfoCache
+
+	// Open() sets up the cache for future accesses, potentially acquiring costly state. Each Open() must be paired with a Close().
+	// Note that public callers may call the types.BlobInfoCache operations without Open()/Close().
+	Open()
+	// Close destroys state created by Open().
+	Close()
+
 	// RecordDigestCompressorName records a compressor for the blob with the specified digest,
 	// or Uncompressed or UnknownCompression.
 	// WARNING: Only call this with LOCALLY VERIFIED data; don’t record a compressor for a
--- a/vendor/github.com/containers/image/v5/internal/image/oci.go
+++ b/vendor/github.com/containers/image/v5/internal/image/oci.go
@ -12,8 +12,10 @@ import (
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/blobinfocache/none"
 	"github.com/containers/image/v5/types"
+	ociencspec "github.com/containers/ocicrypt/spec"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/exp/slices"
 )

 type manifestOCI1 struct {
@ -86,7 +88,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
 // old image manifests work (docker v2s1 especially).
 func (m *manifestOCI1) OCIConfig(ctx context.Context) (*imgspecv1.Image, error) {
 	if m.m.Config.MediaType != imgspecv1.MediaTypeImageConfig {
-		return nil, internalManifest.NewNonImageArtifactError(m.m.Config.MediaType)
+		return nil, internalManifest.NewNonImageArtifactError(&m.m.Manifest)
 	}

 	cb, err := m.ConfigBlob(ctx)
@ -194,26 +196,72 @@ func (m *manifestOCI1) convertToManifestSchema2Generic(ctx context.Context, opti
 	return m.convertToManifestSchema2(ctx, options)
 }

+// prepareLayerDecryptEditsIfNecessary checks if options requires layer decryptions.
+// If not, it returns (nil, nil).
+// If decryption is required, it returns a set of edits to provide to OCI1.UpdateLayerInfos,
+// and edits *options to not try decryption again.
+func (m *manifestOCI1) prepareLayerDecryptEditsIfNecessary(options *types.ManifestUpdateOptions) ([]types.BlobInfo, error) {
+	if options == nil || !slices.ContainsFunc(options.LayerInfos, func(info types.BlobInfo) bool {
+		return info.CryptoOperation == types.Decrypt
+	}) {
+		return nil, nil
+	}
+
+	originalInfos := m.LayerInfos()
+	if len(originalInfos) != len(options.LayerInfos) {
+		return nil, fmt.Errorf("preparing to decrypt before conversion: %d layers vs. %d layer edits", len(originalInfos), len(options.LayerInfos))
+	}
+
+	res := slices.Clone(originalInfos) // Start with a full copy so that we don't forget to copy anything: use the current data in full unless we intentionaly deviate.
+	updatedEdits := slices.Clone(options.LayerInfos)
+	for i, info := range options.LayerInfos {
+		if info.CryptoOperation == types.Decrypt {
+			res[i].CryptoOperation = types.Decrypt
+			updatedEdits[i].CryptoOperation = types.PreserveOriginalCrypto // Don't try to decrypt in a schema[12] manifest later, that would fail.
+		}
+		// Don't do any compression-related MIME type conversions. m.LayerInfos() should not set these edit instructions, but be explicit.
+		res[i].CompressionOperation = types.PreserveOriginal
+		res[i].CompressionAlgorithm = nil
+	}
+	options.LayerInfos = updatedEdits
+	return res, nil
+}
+
 // convertToManifestSchema2 returns a genericManifest implementation converted to manifest.DockerV2Schema2MediaType.
 // It may use options.InformationOnly and also adjust *options to be appropriate for editing the returned
 // value.
 // This does not change the state of the original manifestOCI1 object.
-func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, _ *types.ManifestUpdateOptions) (*manifestSchema2, error) {
+func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, options *types.ManifestUpdateOptions) (*manifestSchema2, error) {
 	if m.m.Config.MediaType != imgspecv1.MediaTypeImageConfig {
-		return nil, internalManifest.NewNonImageArtifactError(m.m.Config.MediaType)
+		return nil, internalManifest.NewNonImageArtifactError(&m.m.Manifest)
+	}
+
+	// Mostly we first make a format conversion, and _afterwards_ do layer edits. But first we need to do the layer edits
+	// which remove OCI-specific features, because trying to convert those layers would fail.
+	// So, do the layer updates for decryption.
+	ociManifest := m.m
+	layerDecryptEdits, err := m.prepareLayerDecryptEditsIfNecessary(options)
+	if err != nil {
+		return nil, err
+	}
+	if layerDecryptEdits != nil {
+		ociManifest = manifest.OCI1Clone(ociManifest)
+		if err := ociManifest.UpdateLayerInfos(layerDecryptEdits); err != nil {
+			return nil, err
+		}
 	}

 	// Create a copy of the descriptor.
-	config := schema2DescriptorFromOCI1Descriptor(m.m.Config)
+	config := schema2DescriptorFromOCI1Descriptor(ociManifest.Config)

 	// Above, we have already checked that this manifest refers to an image, not an OCI artifact,
 	// so the only difference between OCI and DockerSchema2 is the mediatypes. The
 	// media type of the manifest is handled by manifestSchema2FromComponents.
 	config.MediaType = manifest.DockerV2Schema2ConfigMediaType

-	layers := make([]manifest.Schema2Descriptor, len(m.m.Layers))
+	layers := make([]manifest.Schema2Descriptor, len(ociManifest.Layers))
 	for idx := range layers {
-		layers[idx] = schema2DescriptorFromOCI1Descriptor(m.m.Layers[idx])
+		layers[idx] = schema2DescriptorFromOCI1Descriptor(ociManifest.Layers[idx])
 		switch layers[idx].MediaType {
 		case imgspecv1.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // NonDistributable layers are deprecated, but we want to continue to support manipulating pre-existing images.
 			layers[idx].MediaType = manifest.DockerV2Schema2ForeignLayerMediaType
@ -227,6 +275,10 @@ func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, _ *types.Mani
 			layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
 		case imgspecv1.MediaTypeImageLayerZstd:
 			return nil, fmt.Errorf("Error during manifest conversion: %q: zstd compression is not supported for docker images", layers[idx].MediaType)
+			// FIXME: s/Zsdt/Zstd/ after ocicrypt with https://github.com/containers/ocicrypt/pull/91 is released
+		case ociencspec.MediaTypeLayerEnc, ociencspec.MediaTypeLayerGzipEnc, ociencspec.MediaTypeLayerZstdEnc,
+			ociencspec.MediaTypeLayerNonDistributableEnc, ociencspec.MediaTypeLayerNonDistributableGzipEnc, ociencspec.MediaTypeLayerNonDistributableZsdtEnc:
+			return nil, fmt.Errorf("during manifest conversion: encrypted layers (%q) are not supported in docker images", layers[idx].MediaType)
 		default:
 			return nil, fmt.Errorf("Unknown media type during manifest conversion: %q", layers[idx].MediaType)
 		}
@ -244,7 +296,7 @@ func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, _ *types.Mani
 // This does not change the state of the original manifestOCI1 object.
 func (m *manifestOCI1) convertToManifestSchema1(ctx context.Context, options *types.ManifestUpdateOptions) (genericManifest, error) {
 	if m.m.Config.MediaType != imgspecv1.MediaTypeImageConfig {
-		return nil, internalManifest.NewNonImageArtifactError(m.m.Config.MediaType)
+		return nil, internalManifest.NewNonImageArtifactError(&m.m.Manifest)
 	}

 	// We can't directly convert images to V1, but we can transitively convert via a V2 image
--- a/vendor/github.com/containers/image/v5/internal/manifest/docker_schema2_list.go
+++ b/vendor/github.com/containers/image/v5/internal/manifest/docker_schema2_list.go
@ -64,13 +64,8 @@ func (list *Schema2ListPublic) Instance(instanceDigest digest.Digest) (ListUpdat
 				MediaType: manifest.MediaType,
 			}
 			ret.ReadOnly.CompressionAlgorithmNames = []string{compression.GzipAlgorithmName}
-			ret.ReadOnly.Platform = &imgspecv1.Platform{
-				OS:           manifest.Platform.OS,
-				Architecture: manifest.Platform.Architecture,
-				OSVersion:    manifest.Platform.OSVersion,
-				OSFeatures:   manifest.Platform.OSFeatures,
-				Variant:      manifest.Platform.Variant,
-			}
+			platform := ociPlatformFromSchema2PlatformSpec(manifest.Platform)
+			ret.ReadOnly.Platform = &platform
 			return ret, nil
 		}
 	}
@ -119,17 +114,20 @@ func (index *Schema2ListPublic) editInstances(editInstances []ListEdit) error {
 			}
 			index.Manifests[targetIndex].MediaType = editInstance.UpdateMediaType
 		case ListOpAdd:
-			addInstance := Schema2ManifestDescriptor{
-				Schema2Descriptor{Digest: editInstance.AddDigest, Size: editInstance.AddSize, MediaType: editInstance.AddMediaType},
-				Schema2PlatformSpec{
-					OS:           editInstance.AddPlatform.OS,
-					Architecture: editInstance.AddPlatform.Architecture,
-					OSVersion:    editInstance.AddPlatform.OSVersion,
-					OSFeatures:   editInstance.AddPlatform.OSFeatures,
-					Variant:      editInstance.AddPlatform.Variant,
-				},
+			if editInstance.AddPlatform == nil {
+				// Should we create a struct with empty fields instead?
+				// Right now ListOpAdd is only called when an instance with the same platform value
+				// already exists in the manifest, so this should not be reached in practice.
+				return fmt.Errorf("adding a schema2 list instance with no platform specified is not supported")
 			}
-			addedEntries = append(addedEntries, addInstance)
+			addedEntries = append(addedEntries, Schema2ManifestDescriptor{
+				Schema2Descriptor{
+					Digest:    editInstance.AddDigest,
+					Size:      editInstance.AddSize,
+					MediaType: editInstance.AddMediaType,
+				},
+				schema2PlatformSpecFromOCIPlatform(*editInstance.AddPlatform),
+			})
 		default:
 			return fmt.Errorf("internal error: invalid operation: %d", editInstance.ListOperation)
 		}
@ -158,13 +156,7 @@ func (list *Schema2ListPublic) ChooseInstance(ctx *types.SystemContext) (digest.
 	}
 	for _, wantedPlatform := range wantedPlatforms {
 		for _, d := range list.Manifests {
-			imagePlatform := imgspecv1.Platform{
-				Architecture: d.Platform.Architecture,
-				OS:           d.Platform.OS,
-				OSVersion:    d.Platform.OSVersion,
-				OSFeatures:   slices.Clone(d.Platform.OSFeatures),
-				Variant:      d.Platform.Variant,
-			}
+			imagePlatform := ociPlatformFromSchema2PlatformSpec(d.Platform)
 			if platform.MatchesPlatform(imagePlatform, wantedPlatform) {
 				return d.Digest, nil
 			}
@ -224,20 +216,14 @@ func Schema2ListPublicClone(list *Schema2ListPublic) *Schema2ListPublic {
 func (list *Schema2ListPublic) ToOCI1Index() (*OCI1IndexPublic, error) {
 	components := make([]imgspecv1.Descriptor, 0, len(list.Manifests))
 	for _, manifest := range list.Manifests {
-		converted := imgspecv1.Descriptor{
+		platform := ociPlatformFromSchema2PlatformSpec(manifest.Platform)
+		components = append(components, imgspecv1.Descriptor{
 			MediaType: manifest.MediaType,
 			Size:      manifest.Size,
 			Digest:    manifest.Digest,
 			URLs:      slices.Clone(manifest.URLs),
-			Platform: &imgspecv1.Platform{
-				OS:           manifest.Platform.OS,
-				Architecture: manifest.Platform.Architecture,
-				OSFeatures:   slices.Clone(manifest.Platform.OSFeatures),
-				OSVersion:    manifest.Platform.OSVersion,
-				Variant:      manifest.Platform.Variant,
-			},
-		}
-		components = append(components, converted)
+			Platform:  &platform,
+		})
 	}
 	oci := OCI1IndexPublicFromComponents(components, nil)
 	return oci, nil
@ -312,3 +298,15 @@ func Schema2ListFromManifest(manifest []byte) (*Schema2List, error) {
 	}
 	return schema2ListFromPublic(public), nil
 }
+
+// ociPlatformFromSchema2PlatformSpec converts a schema2 platform p to the OCI struccture.
+func ociPlatformFromSchema2PlatformSpec(p Schema2PlatformSpec) imgspecv1.Platform {
+	return imgspecv1.Platform{
+		Architecture: p.Architecture,
+		OS:           p.OS,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   slices.Clone(p.OSFeatures),
+		Variant:      p.Variant,
+		// Features is not supported in OCI, and discarded.
+	}
+}
--- a/vendor/github.com/containers/image/v5/internal/manifest/errors.go
+++ b/vendor/github.com/containers/image/v5/internal/manifest/errors.go
@ -1,6 +1,10 @@
 package manifest

-import "fmt"
+import (
+	"fmt"
+
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)

 // FIXME: This is a duplicate of c/image/manifestDockerV2Schema2ConfigMediaType.
 // Deduplicate that, depending on outcome of https://github.com/containers/image/pull/1791 .
@ -26,8 +30,20 @@ type NonImageArtifactError struct {
 	mimeType string
 }

-// NewNonImageArtifactError returns a NonImageArtifactError about an artifact with mimeType.
-func NewNonImageArtifactError(mimeType string) error {
+// NewNonImageArtifactError returns a NonImageArtifactError about an artifact manifest.
+//
+// This is typically called if manifest.Config.MediaType != imgspecv1.MediaTypeImageConfig .
+func NewNonImageArtifactError(manifest *imgspecv1.Manifest) error {
+	// Callers decide based on manifest.Config.MediaType that this is not an image;
+	// in that case manifest.ArtifactType can be optionally defined, and if it is, it is typically
+	// more relevant because config may be ~absent with imgspecv1.MediaTypeEmptyJSON.
+	//
+	// If ArtifactType and Config.MediaType are both defined and non-trivial, presumably
+	// ArtifactType is the “top-level” one, although that’s not defined by the spec.
+	mimeType := manifest.ArtifactType
+	if mimeType == "" {
+		mimeType = manifest.Config.MediaType
+	}
 	return NonImageArtifactError{mimeType: mimeType}
 }

--- a/vendor/github.com/containers/image/v5/internal/manifest/oci_index.go
+++ b/vendor/github.com/containers/image/v5/internal/manifest/oci_index.go
@ -170,8 +170,19 @@ func (index *OCI1IndexPublic) editInstances(editInstances []ListEdit) error {
 		index.Manifests = append(index.Manifests, addedEntries...)
 	}
 	if len(addedEntries) != 0 || updatedAnnotations {
-		slices.SortStableFunc(index.Manifests, func(a, b imgspecv1.Descriptor) bool {
-			return !instanceIsZstd(a) && instanceIsZstd(b)
+		slices.SortStableFunc(index.Manifests, func(a, b imgspecv1.Descriptor) int {
+			// FIXME? With Go 1.21 and cmp.Compare available, turn instanceIsZstd into an integer score that can be compared, and generalizes
+			// into more algorithms?
+			aZstd := instanceIsZstd(a)
+			bZstd := instanceIsZstd(b)
+			switch {
+			case aZstd == bZstd:
+				return 0
+			case !aZstd: // Implies bZstd
+				return -1
+			default: // aZstd && !bZstd
+				return 1
+			}
 		})
 	}
 	return nil
@ -228,13 +239,7 @@ func (index *OCI1IndexPublic) chooseInstance(ctx *types.SystemContext, preferGzi
 	for manifestIndex, d := range index.Manifests {
 		candidate := instanceCandidate{platformIndex: math.MaxInt, manifestPosition: manifestIndex, isZstd: instanceIsZstd(d), digest: d.Digest}
 		if d.Platform != nil {
-			imagePlatform := imgspecv1.Platform{
-				Architecture: d.Platform.Architecture,
-				OS:           d.Platform.OS,
-				OSVersion:    d.Platform.OSVersion,
-				OSFeatures:   slices.Clone(d.Platform.OSFeatures),
-				Variant:      d.Platform.Variant,
-			}
+			imagePlatform := ociPlatformClone(*d.Platform)
 			platformIndex := slices.IndexFunc(wantedPlatforms, func(wantedPlatform imgspecv1.Platform) bool {
 				return platform.MatchesPlatform(imagePlatform, wantedPlatform)
 			})
@ -288,13 +293,8 @@ func OCI1IndexPublicFromComponents(components []imgspecv1.Descriptor, annotation
 	for i, component := range components {
 		var platform *imgspecv1.Platform
 		if component.Platform != nil {
-			platform = &imgspecv1.Platform{
-				Architecture: component.Platform.Architecture,
-				OS:           component.Platform.OS,
-				OSVersion:    component.Platform.OSVersion,
-				OSFeatures:   slices.Clone(component.Platform.OSFeatures),
-				Variant:      component.Platform.Variant,
-			}
+			platformCopy := ociPlatformClone(*component.Platform)
+			platform = &platformCopy
 		}
 		m := imgspecv1.Descriptor{
 			MediaType:   component.MediaType,
@ -331,22 +331,15 @@ func (index *OCI1IndexPublic) ToSchema2List() (*Schema2ListPublic, error) {
 				Architecture: runtime.GOARCH,
 			}
 		}
-		converted := Schema2ManifestDescriptor{
+		components = append(components, Schema2ManifestDescriptor{
 			Schema2Descriptor{
 				MediaType: manifest.MediaType,
 				Size:      manifest.Size,
 				Digest:    manifest.Digest,
 				URLs:      slices.Clone(manifest.URLs),
 			},
-			Schema2PlatformSpec{
-				OS:           platform.OS,
-				Architecture: platform.Architecture,
-				OSFeatures:   slices.Clone(platform.OSFeatures),
-				OSVersion:    platform.OSVersion,
-				Variant:      platform.Variant,
-			},
-		}
-		components = append(components, converted)
+			schema2PlatformSpecFromOCIPlatform(*platform),
+		})
 	}
 	s2 := Schema2ListPublicFromComponents(components)
 	return s2, nil
@ -420,3 +413,32 @@ func OCI1IndexFromManifest(manifest []byte) (*OCI1Index, error) {
 	}
 	return oci1IndexFromPublic(public), nil
 }
+
+// ociPlatformClone returns an independent copy of p.
+func ociPlatformClone(p imgspecv1.Platform) imgspecv1.Platform {
+	// The only practical way in Go to give read-only access to an array is to copy it.
+	// The only practical way in Go to copy a deep structure is to either do it manually field by field,
+	// or to use reflection (incl. a round-trip through JSON, which uses reflection).
+	//
+	// The combination of the two is just sad, and leads to code like this, which will
+	// need to be updated with every new Platform field.
+	return imgspecv1.Platform{
+		Architecture: p.Architecture,
+		OS:           p.OS,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   slices.Clone(p.OSFeatures),
+		Variant:      p.Variant,
+	}
+}
+
+// schema2PlatformSpecFromOCIPlatform converts an OCI platform p to the schema2 structure.
+func schema2PlatformSpecFromOCIPlatform(p imgspecv1.Platform) Schema2PlatformSpec {
+	return Schema2PlatformSpec{
+		Architecture: p.Architecture,
+		OS:           p.OS,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   slices.Clone(p.OSFeatures),
+		Variant:      p.Variant,
+		Features:     nil,
+	}
+}
--- a/vendor/github.com/containers/image/v5/internal/pkg/platform/platform_matcher.go
+++ b/vendor/github.com/containers/image/v5/internal/pkg/platform/platform_matcher.go
@ -128,6 +128,10 @@ var compatibility = map[string][]string{
 // the most compatible platform is first.
 // If some option (arch, os, variant) is not present, a value from current platform is detected.
 func WantedPlatforms(ctx *types.SystemContext) ([]imgspecv1.Platform, error) {
+	// Note that this does not use Platform.OSFeatures and Platform.OSVersion at all.
+	// The fields are not specified by the OCI specification, as of version 1.1, usefully enough
+	// to be interoperable, anyway.
+
 	wantedArch := runtime.GOARCH
 	wantedVariant := ""
 	if ctx != nil && ctx.ArchitectureChoice != "" {
--- a/vendor/github.com/containers/image/v5/internal/streamdigest/stream_digest.go
+++ b/vendor/github.com/containers/image/v5/internal/streamdigest/stream_digest.go
@ -15,7 +15,7 @@ import (
 // It is the caller's responsibility to call the cleanup function, which closes and removes the temporary file.
 // If an error occurs, inputInfo is not modified.
 func ComputeBlobInfo(sys *types.SystemContext, stream io.Reader, inputInfo *types.BlobInfo) (io.Reader, func(), error) {
-	diskBlob, err := os.CreateTemp(tmpdir.TemporaryDirectoryForBigFiles(sys), "stream-blob")
+	diskBlob, err := tmpdir.CreateBigFileTemp(sys, "stream-blob")
 	if err != nil {
 		return nil, nil, fmt.Errorf("creating temporary on-disk layer: %w", err)
 	}
--- a/vendor/github.com/containers/image/v5/internal/tmpdir/tmpdir.go
+++ b/vendor/github.com/containers/image/v5/internal/tmpdir/tmpdir.go
@ -17,10 +17,12 @@ var unixTempDirForBigFiles = builtinUnixTempDirForBigFiles
 // DO NOT change this, instead see unixTempDirForBigFiles above.
 const builtinUnixTempDirForBigFiles = "/var/tmp"

+const prefix = "container_images_"
+
 // TemporaryDirectoryForBigFiles returns a directory for temporary (big) files.
 // On non Windows systems it avoids the use of os.TempDir(), because the default temporary directory usually falls under /tmp
 // which on systemd based systems could be the unsuitable tmpfs filesystem.
-func TemporaryDirectoryForBigFiles(sys *types.SystemContext) string {
+func temporaryDirectoryForBigFiles(sys *types.SystemContext) string {
 	if sys != nil && sys.BigFilesTemporaryDir != "" {
 		return sys.BigFilesTemporaryDir
 	}
@ -32,3 +34,11 @@ func TemporaryDirectoryForBigFiles(sys *types.SystemContext) string {
 	}
 	return temporaryDirectoryForBigFiles
 }
+
+func CreateBigFileTemp(sys *types.SystemContext, name string) (*os.File, error) {
+	return os.CreateTemp(temporaryDirectoryForBigFiles(sys), prefix+name)
+}
+
+func MkDirBigFileTemp(sys *types.SystemContext, name string) (string, error) {
+	return os.MkdirTemp(temporaryDirectoryForBigFiles(sys), prefix+name)
+}