29f66a251f
Version 5.22 introduced a new option to /etc/containers/policy.json called
keyPaths, see
https://github.com/containers/image/pull/1609
EL9 immediately took advantage of this new feature and started using it, see
04645c4a84
This quickly became an issue in our code: The go library (containers/image)
parses the configuration file very strictly and refuses to create a client
when policy.json with an unknown key is present on the filesystem. As we
used 5.21.1 that doesn't know the new key, our unit tests started to
failing when containers-common was present.
Reproducer:
podman run --pull=always --rm -it centos:stream9
dnf install -y dnf-plugins-core
dnf config-manager --set-enabled crb
dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core
git clone https://github.com/osbuild/osbuild-composer
cd osbuild-composer
# install the new containers-common and run the test
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm
go test -count 1 ./...
# this returns:
--- FAIL: TestClientResolve (0.00s)
client_test.go:31:
Error Trace: client_test.go:31
Error: Received unexpected error:
Unknown key "keyPaths"
invalid policy in "/etc/containers/policy.json"
github.com/containers/image/v5/signature.NewPolicyFromFile
/osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88
github.com/osbuild/osbuild-composer/internal/container.NewClient
/osbuild-composer/internal/container/client.go:123
github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve
/osbuild-composer/internal/container/client_test.go:29
testing.tRunner
/usr/lib/golang/src/testing/testing.go:1439
runtime.goexit
/usr/lib/golang/src/runtime/asm_amd64.s:1571
Test: TestClientResolve
client_test.go:32:
Error Trace: client_test.go:32
Error: Expected value not to be nil.
Test: TestClientResolve
When run with an older containers-common, it succeeds:
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm
go test -count 1 ./...
PASS
To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0.
Unfortunately, this wasn't so simple, see
go get github.com/containers/image/v5@latest
go: github.com/containers/image/v5@v5.22.0 requires
github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires
github.com/honeycombio/beeline-go@v1.1.1 requires
github.com/gobuffalo/pop/v5@v5.3.1 requires
github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3
It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been
recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this
broke a ton of packages depending on it. I was able to fix it by adding
exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
to our go.mod, see
https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657
After adding it,
go get github.com/containers/image/v5@latest
succeeded and tools/prepare-source.sh took care of the rest.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
75 lines
2.2 KiB
Go
75 lines
2.2 KiB
Go
// Copyright 2018 Google LLC All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package name
|
|
|
|
import (
|
|
"fmt"
|
|
)
|
|
|
|
// Reference defines the interface that consumers use when they can
|
|
// take either a tag or a digest.
|
|
type Reference interface {
|
|
fmt.Stringer
|
|
|
|
// Context accesses the Repository context of the reference.
|
|
Context() Repository
|
|
|
|
// Identifier accesses the type-specific portion of the reference.
|
|
Identifier() string
|
|
|
|
// Name is the fully-qualified reference name.
|
|
Name() string
|
|
|
|
// Scope is the scope needed to access this reference.
|
|
Scope(string) string
|
|
}
|
|
|
|
// ParseReference parses the string as a reference, either by tag or digest.
|
|
func ParseReference(s string, opts ...Option) (Reference, error) {
|
|
if t, err := NewTag(s, opts...); err == nil {
|
|
return t, nil
|
|
}
|
|
if d, err := NewDigest(s, opts...); err == nil {
|
|
return d, nil
|
|
}
|
|
return nil, newErrBadName("could not parse reference: " + s)
|
|
}
|
|
|
|
type stringConst string
|
|
|
|
// MustParseReference behaves like ParseReference, but panics instead of
|
|
// returning an error. It's intended for use in tests, or when a value is
|
|
// expected to be valid at code authoring time.
|
|
//
|
|
// To discourage its use in scenarios where the value is not known at code
|
|
// authoring time, it must be passed a string constant:
|
|
//
|
|
// const str = "valid/string"
|
|
// MustParseReference(str)
|
|
// MustParseReference("another/valid/string")
|
|
// MustParseReference(str + "/and/more")
|
|
//
|
|
// These will not compile:
|
|
//
|
|
// var str = "valid/string"
|
|
// MustParseReference(str)
|
|
// MustParseReference(strings.Join([]string{"valid", "string"}, "/"))
|
|
func MustParseReference(s stringConst, opts ...Option) Reference {
|
|
ref, err := ParseReference(string(s), opts...)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return ref
|
|
}
|