mirror of
https://github.com/linuxkit/linuxkit.git
synced 2026-04-10 05:29:59 +00:00
bump pkg/init containerd, runc and image-spec to fix CVEs
Signed-off-by: Avi Deitcher <avi@deitcher.net>
134
pkg/init/vendor/github.com/containerd/containerd/pull.go
generated
vendored
134
pkg/init/vendor/github.com/containerd/containerd/pull.go
generated
vendored
@@ -18,23 +18,34 @@ package containerd
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"golang.org/x/sync/semaphore"
|
||||
|
||||
"github.com/containerd/containerd/errdefs"
|
||||
"github.com/containerd/containerd/images"
|
||||
"github.com/containerd/containerd/platforms"
|
||||
"github.com/containerd/containerd/pkg/unpack"
|
||||
"github.com/containerd/containerd/remotes"
|
||||
"github.com/containerd/containerd/remotes/docker"
|
||||
"github.com/containerd/containerd/remotes/docker/schema1"
|
||||
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sync/errgroup"
|
||||
"golang.org/x/sync/semaphore"
|
||||
"github.com/containerd/containerd/remotes/docker/schema1" //nolint:staticcheck // Ignore SA1019. Need to keep deprecated package for compatibility.
|
||||
"github.com/containerd/containerd/tracing"
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/containerd/platforms"
|
||||
)
|
||||
|
||||
const (
|
||||
pullSpanPrefix = "pull"
|
||||
)
|
||||
|
||||
// Pull downloads the provided content into containerd's content store
|
||||
// and returns a platform specific image object
|
||||
func (c *Client) Pull(ctx context.Context, ref string, opts ...RemoteOpt) (_ Image, retErr error) {
|
||||
ctx, span := tracing.StartSpan(ctx, tracing.Name(pullSpanPrefix, "Pull"))
|
||||
defer span.End()
|
||||
|
||||
pullCtx := defaultRemoteContext()
|
||||
|
||||
for _, o := range opts {
|
||||
if err := o(c, pullCtx); err != nil {
|
||||
return nil, err
|
||||
@@ -49,43 +60,78 @@ func (c *Client) Pull(ctx context.Context, ref string, opts ...RemoteOpt) (_ Ima
|
||||
} else {
|
||||
p, err := platforms.Parse(pullCtx.Platforms[0])
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "invalid platform %s", pullCtx.Platforms[0])
|
||||
return nil, fmt.Errorf("invalid platform %s: %w", pullCtx.Platforms[0], err)
|
||||
}
|
||||
|
||||
pullCtx.PlatformMatcher = platforms.Only(p)
|
||||
}
|
||||
}
|
||||
|
||||
span.SetAttributes(
|
||||
tracing.Attribute("image.ref", ref),
|
||||
tracing.Attribute("unpack", pullCtx.Unpack),
|
||||
tracing.Attribute("max.concurrent.downloads", pullCtx.MaxConcurrentDownloads),
|
||||
tracing.Attribute("platforms.count", len(pullCtx.Platforms)),
|
||||
)
|
||||
|
||||
ctx, done, err := c.WithLease(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer done(ctx)
|
||||
|
||||
var unpacks int32
|
||||
var unpackEg *errgroup.Group
|
||||
var unpackWrapper func(f images.Handler) images.Handler
|
||||
var unpacker *unpack.Unpacker
|
||||
|
||||
if pullCtx.Unpack {
|
||||
// unpacker only supports schema 2 image, for schema 1 this is noop.
|
||||
u, err := c.newUnpacker(ctx, pullCtx)
|
||||
snapshotterName, err := c.resolveSnapshotterName(ctx, pullCtx.Snapshotter)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "create unpacker")
|
||||
return nil, fmt.Errorf("unable to resolve snapshotter: %w", err)
|
||||
}
|
||||
span.SetAttributes(tracing.Attribute("snapshotter.name", snapshotterName))
|
||||
var uconfig UnpackConfig
|
||||
for _, opt := range pullCtx.UnpackOpts {
|
||||
if err := opt(ctx, &uconfig); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
var platformMatcher platforms.Matcher
|
||||
if !uconfig.CheckPlatformSupported {
|
||||
platformMatcher = platforms.All
|
||||
}
|
||||
|
||||
// Check client Unpack config
|
||||
platform := unpack.Platform{
|
||||
Platform: platformMatcher,
|
||||
SnapshotterKey: snapshotterName,
|
||||
Snapshotter: c.SnapshotService(snapshotterName),
|
||||
SnapshotOpts: append(pullCtx.SnapshotterOpts, uconfig.SnapshotOpts...),
|
||||
Applier: c.DiffService(),
|
||||
ApplyOpts: uconfig.ApplyOpts,
|
||||
}
|
||||
uopts := []unpack.UnpackerOpt{unpack.WithUnpackPlatform(platform)}
|
||||
if pullCtx.MaxConcurrentDownloads > 0 {
|
||||
uopts = append(uopts, unpack.WithLimiter(semaphore.NewWeighted(int64(pullCtx.MaxConcurrentDownloads))))
|
||||
}
|
||||
if uconfig.DuplicationSuppressor != nil {
|
||||
uopts = append(uopts, unpack.WithDuplicationSuppressor(uconfig.DuplicationSuppressor))
|
||||
}
|
||||
unpacker, err = unpack.NewUnpacker(ctx, c.ContentStore(), uopts...)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to initialize unpacker: %w", err)
|
||||
}
|
||||
unpackWrapper, unpackEg = u.handlerWrapper(ctx, pullCtx, &unpacks)
|
||||
defer func() {
|
||||
if err := unpackEg.Wait(); err != nil {
|
||||
if _, err := unpacker.Wait(); err != nil {
|
||||
if retErr == nil {
|
||||
retErr = errors.Wrap(err, "unpack")
|
||||
retErr = fmt.Errorf("unpack: %w", err)
|
||||
}
|
||||
}
|
||||
}()
|
||||
wrapper := pullCtx.HandlerWrapper
|
||||
pullCtx.HandlerWrapper = func(h images.Handler) images.Handler {
|
||||
if wrapper == nil {
|
||||
return unpackWrapper(h)
|
||||
return unpacker.Unpack(h)
|
||||
}
|
||||
return unpackWrapper(wrapper(h))
|
||||
return unpacker.Unpack(wrapper(h))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -97,12 +143,15 @@ func (c *Client) Pull(ctx context.Context, ref string, opts ...RemoteOpt) (_ Ima
|
||||
// NOTE(fuweid): unpacker defers blobs download. before create image
|
||||
// record in ImageService, should wait for unpacking(including blobs
|
||||
// download).
|
||||
if pullCtx.Unpack {
|
||||
if unpackEg != nil {
|
||||
if err := unpackEg.Wait(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var ur unpack.Result
|
||||
if unpacker != nil {
|
||||
_, unpackSpan := tracing.StartSpan(ctx, tracing.Name(pullSpanPrefix, "UnpackWait"))
|
||||
if ur, err = unpacker.Wait(); err != nil {
|
||||
unpackSpan.SetStatus(err)
|
||||
unpackSpan.End()
|
||||
return nil, err
|
||||
}
|
||||
unpackSpan.End()
|
||||
}
|
||||
|
||||
img, err = c.createNewImage(ctx, img)
|
||||
@@ -111,14 +160,13 @@ func (c *Client) Pull(ctx context.Context, ref string, opts ...RemoteOpt) (_ Ima
|
||||
}
|
||||
|
||||
i := NewImageWithPlatform(c, img, pullCtx.PlatformMatcher)
|
||||
span.SetAttributes(tracing.Attribute("image.ref", i.Name()))
|
||||
|
||||
if pullCtx.Unpack {
|
||||
if unpacks == 0 {
|
||||
// Try to unpack is none is done previously.
|
||||
// This is at least required for schema 1 image.
|
||||
if err := i.Unpack(ctx, pullCtx.Snapshotter, pullCtx.UnpackOpts...); err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to unpack image on snapshotter %s", pullCtx.Snapshotter)
|
||||
}
|
||||
if unpacker != nil && ur.Unpacks == 0 {
|
||||
// Unpack was tried previously but nothing was unpacked
|
||||
// This is at least required for schema 1 image.
|
||||
if err := i.Unpack(ctx, pullCtx.Snapshotter, pullCtx.UnpackOpts...); err != nil {
|
||||
return nil, fmt.Errorf("failed to unpack image on snapshotter %s: %w", pullCtx.Snapshotter, err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -126,23 +174,26 @@ func (c *Client) Pull(ctx context.Context, ref string, opts ...RemoteOpt) (_ Ima
|
||||
}
|
||||
|
||||
func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, limit int) (images.Image, error) {
|
||||
ctx, span := tracing.StartSpan(ctx, tracing.Name(pullSpanPrefix, "fetch"))
|
||||
defer span.End()
|
||||
store := c.ContentStore()
|
||||
name, desc, err := rCtx.Resolver.Resolve(ctx, ref)
|
||||
if err != nil {
|
||||
return images.Image{}, errors.Wrapf(err, "failed to resolve reference %q", ref)
|
||||
return images.Image{}, fmt.Errorf("failed to resolve reference %q: %w", ref, err)
|
||||
}
|
||||
|
||||
fetcher, err := rCtx.Resolver.Fetcher(ctx, name)
|
||||
if err != nil {
|
||||
return images.Image{}, errors.Wrapf(err, "failed to get fetcher for %q", name)
|
||||
return images.Image{}, fmt.Errorf("failed to get fetcher for %q: %w", name, err)
|
||||
}
|
||||
|
||||
var (
|
||||
handler images.Handler
|
||||
|
||||
isConvertible bool
|
||||
converterFunc func(context.Context, ocispec.Descriptor) (ocispec.Descriptor, error)
|
||||
limiter *semaphore.Weighted
|
||||
isConvertible bool
|
||||
originalSchema1Digest string
|
||||
converterFunc func(context.Context, ocispec.Descriptor) (ocispec.Descriptor, error)
|
||||
limiter *semaphore.Weighted
|
||||
)
|
||||
|
||||
if desc.MediaType == images.MediaTypeDockerSchema1Manifest && rCtx.ConvertSchema1 {
|
||||
@@ -155,6 +206,8 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim
|
||||
converterFunc = func(ctx context.Context, _ ocispec.Descriptor) (ocispec.Descriptor, error) {
|
||||
return schema1Converter.Convert(ctx)
|
||||
}
|
||||
|
||||
originalSchema1Digest = desc.Digest.String()
|
||||
} else {
|
||||
// Get all the children for a descriptor
|
||||
childrenHandler := images.ChildrenHandler(store)
|
||||
@@ -221,6 +274,13 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim
|
||||
}
|
||||
}
|
||||
|
||||
if originalSchema1Digest != "" {
|
||||
if rCtx.Labels == nil {
|
||||
rCtx.Labels = make(map[string]string)
|
||||
}
|
||||
rCtx.Labels[images.ConvertedDockerSchema1LabelKey] = originalSchema1Digest
|
||||
}
|
||||
|
||||
return images.Image{
|
||||
Name: name,
|
||||
Target: desc,
|
||||
@@ -229,6 +289,8 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim
|
||||
}
|
||||
|
||||
func (c *Client) createNewImage(ctx context.Context, img images.Image) (images.Image, error) {
|
||||
ctx, span := tracing.StartSpan(ctx, tracing.Name(pullSpanPrefix, "pull.createNewImage"))
|
||||
defer span.End()
|
||||
is := c.ImageService()
|
||||
for {
|
||||
if created, err := is.Create(ctx, img); err != nil {
|
||||
|
||||