version: bump to v0.1.28

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

.travis.yml

@@ -1,10 +1,24 @@
-sudo: required
 
-services:
-  - docker
+matrix:
+  include:
+  -  os: linux
+     sudo: required
+     services:
+       - docker
+  -  os: osx
 
 notifications:
   email: false
 
+install:
+  # NOTE: The (brew update) should not be necessary, and slows things down;
+  # we include it as a workaround for https://github.com/Homebrew/brew/issues/3299
+  # ideally Travis should bake the (brew update) into its images
+  # (https://github.com/travis-ci/travis-ci/issues/8552 ), but that’s only going
+  # to happen around November 2017 per https://blog.travis-ci.com/2017-10-16-a-new-default-os-x-image-is-coming .
+  # Remove the (brew update) at that time.
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew update && brew install gpgme ; fi
+
 script:
-  - make check
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]];   then hack/travis_osx.sh ; fi
+  - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then make check ; fi

CONTRIBUTING.md

@@ -8,7 +8,9 @@ that we follow.
 * [Reporting Issues](#reporting-issues)
 * [Submitting Pull Requests](#submitting-pull-requests)
 * [Communications](#communications)
+<!--
 * [Becoming a Maintainer](#becoming-a-maintainer)
+-->
 
 ## Reporting Issues
 
@@ -37,9 +39,9 @@ It's ok to just open up a PR with the fix, but make sure you include the same
 information you would have included in an issue - like how to reproduce it.
 
 PRs for new features should include some background on what use cases the
-new code is trying to address. And, when possible and it makes, try to break-up
+new code is trying to address. When possible and when it makes sense, try to break-up
 larger PRs into smaller ones - it's easier to review smaller
-code changes. But, only if those smaller ones make sense as stand-alone PRs.
+code changes. But only if those smaller ones make sense as stand-alone PRs.
 
 Regardless of the type of PR, all PRs should include:
 * well documented code changes
@@ -47,9 +49,9 @@ Regardless of the type of PR, all PRs should include:
 * documentation changes
 
 Squash your commits into logical pieces of work that might want to be reviewed
-separate from the rest of the PRs. But, squashing down to just one commit is ok
-too since in the end the entire PR will be reviewed anyway. When in doubt, 
-squash.
+separate from the rest of the PRs. Ideally, each commit should implement a single
+idea, and the PR branch should pass the tests at every commit.  GitHub makes it easy
+to review the cumulative effect of many commits; so, when in doubt, use smaller commits.
 
 PRs that fix issues should include a reference like `Closes #XXXX` in the
 commit message so that github will automatically close the referenced issue
@@ -115,7 +117,7 @@ commit automatically with `git commit -s`.
 
 ## Communications
 
-For general questions, or dicsussions, please use the 
+For general questions, or discussions, please use the 
 IRC group on `irc.freenode.net` called `container-projects`
 that has been setup.
 

Dockerfile

@@ -7,15 +7,18 @@ RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md
 	# gpgme bindings deps
 	libassuan-devel gpgme-devel \
 	ostree-devel \
-	gnupg
+	gnupg \
+	# OpenShift deps
+	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+	&& dnf clean all
 
 # Install two versions of the registry. The first is an older version that
 # only supports schema1 manifests. The second is a newer version that supports
 # both. This allows integration-cli tests to cover push/pull with both schema1
 # and schema2 manifests.
-ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
-ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
 RUN set -x \
+	&& REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd \
+	&& REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827 \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
 	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
@@ -27,12 +30,12 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 RUN set -x \
-	&& yum install -y which git tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
 	&& export GOPATH=$(mktemp -d) \
-	&& git clone -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
+	&& git clone --depth 1 -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
 	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
 	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
 	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
+	&& rm -rf "$GOPATH" \
 	&& mkdir /registry
 
 ENV GOPATH /usr/share/gocode:/go

Dockerfile.build

@@ -1,4 +1,4 @@
-FROM ubuntu:16.04
+FROM ubuntu:17.04
 
 RUN apt-get update && apt-get install -y \
     golang \
@@ -6,7 +6,9 @@ RUN apt-get update && apt-get install -y \
     git-core \
     libdevmapper-dev \
     libgpgme11-dev \
-    go-md2man
+    go-md2man \
+    libglib2.0-dev \
+    libostree-dev
 
 ENV GOPATH=/
 WORKDIR /src/github.com/projectatomic/skopeo

Makefile

@@ -2,7 +2,20 @@
 
 export GO15VENDOREXPERIMENT=1
 
+ifeq ($(shell uname),Darwin)
+PREFIX ?= ${DESTDIR}/usr/local
+DARWIN_BUILD_TAG=containers_image_ostree_stub
+# On macOS, (brew install gpgme) installs it within /usr/local, but /usr/local/include is not in the default search path.
+# Rather than hard-code this directory, use gpgme-config. Sadly that must be done at the top-level user
+# instead of locally in the gpgme subpackage, because cgo supports only pkg-config, not general shell scripts,
+# and gpgme does not install a pkg-config file.
+# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
+# (and the user will probably find out because the cgo compilation will fail).
+GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
+else
 PREFIX ?= ${DESTDIR}/usr
+endif
+
 INSTALLDIR=${PREFIX}/bin
 MANINSTALLDIR=${PREFIX}/share/man
 CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
@@ -10,11 +23,16 @@ REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
 SIGSTOREDIR=${DESTDIR}/var/lib/atomic/sigstore
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
 GO_MD2MAN ?= go-md2man
+GO ?= go
 
 ifeq ($(DEBUG), 1)
   override GOGCFLAGS += -N -l
 endif
 
+ifeq ($(shell go env GOOS), linux)
+  GO_DYN_FLAGS="-buildmode=pie"
+endif
+
 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
 # set env like gobuildtag?
@@ -34,7 +52,7 @@ MANPAGES_MD = $(wildcard docs/*.md)
 
 BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh)
 LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
-LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(DARWIN_BUILD_TAG)
 BUILDTAGS += $(LOCAL_BUILD_TAGS)
 
 #   make all DEBUG=1
@@ -57,10 +75,10 @@ binary-static: cmd/skopeo
 
 # Build w/o using Docker containers
 binary-local:
-	go build -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+	$(GPGME_ENV) $(GO) build ${GO_DYN_FLAGS} -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
 
 binary-local-static:
-	go build -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+	$(GPGME_ENV) $(GO) build -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
 
 build-container:
 	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
@@ -76,17 +94,22 @@ clean:
 
 install: install-binary install-docs install-completions
 	install -d -m 755 ${SIGSTOREDIR}
-	install -D -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
-	install -D -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml
+	install -d -m 755 ${CONTAINERSSYSCONFIGDIR}
+	install -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
+	install -d -m 755 ${REGISTRIESDDIR}
+	install -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml
 
 install-binary: ./skopeo
-	install -D -m 755 skopeo ${INSTALLDIR}/skopeo
+	install -d -m 755 ${INSTALLDIR}
+	install -m 755 skopeo ${INSTALLDIR}/skopeo
 
 install-docs: docs/skopeo.1
-	install -D -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
+	install -d -m 755 ${MANINSTALLDIR}/man1
+	install -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
 
 install-completions:
-	install -m 644 -D completions/bash/skopeo ${BASHINSTALLDIR}/skopeo
+	install -m 755 -d ${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${BASHINSTALLDIR}/skopeo
 
 shell: build-container
 	$(DOCKER_RUN_DOCKER) bash
@@ -111,4 +134,4 @@ validate-local:
 	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
 
 test-unit-local:
-	go test -tags "$(BUILDTAGS)" $$(go list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')
+	$(GPGME_ENV) $(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')

README.md

@@ -1,16 +1,53 @@
 skopeo [![Build Status](https://travis-ci.org/projectatomic/skopeo.svg?branch=master)](https://travis-ci.org/projectatomic/skopeo)
 =
 
-_Please be aware `skopeo` is still work in progress and it currently supports only registry API V2_
+<img src="https://cdn.rawgit.com/projectatomic/skopeo/master/docs/skopeo.svg" width="250">
 
-`skopeo` is a command line utility for various operations on container images and image repositories.
+----
+
+`skopeo` is a command line utility that performs various operations on container images and image repositories.
+
+`skopeo` can work with [OCI images](https://github.com/opencontainers/image-spec) as well as the original Docker v2 images.
+
+Skopeo works with API V2 registries such as Docker registries, the Atomic registry, private registries, local directories and local OCI-layout directories.  Skopeo does not require a daemon to be running to perform these operations which consist of:
+
+ * Copying an image from and to various storage mechanisms.
+   For example you can copy images from one registry to another, without requiring priviledge.
+ * Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
+ * Deleting an image from an image repository.
+ * When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
+
+ Skopeo operates on the following image and repository types:
+
+ * containers-storage:docker-reference
+         An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf
+
+ * dir:path
+         An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+ * docker://docker-reference
+         An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $HOME/.docker/config.json, which is set e.g. using (docker login).
+
+ * docker-archive:path[:docker-reference]
+         An image is stored in the `docker save` formated file.  docker-reference is only used when creating such a file, and it must not contain a digest.
+
+ * docker-daemon:docker-reference
+         An image docker-reference stored in the docker daemon internal storage.  docker-reference must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+ * oci:path:tag
+         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
+
+ * ostree:image[@/absolute/repo/path]
+         An image in local OSTree repository.  /absolute/repo/path defaults to /ostree/repo.
 
 Inspecting a repository
 -
 `skopeo` is able to _inspect_ a repository on a Docker registry and fetch images layers.
-By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
+The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
 json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
-a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
+a repository or a tag before pulling it (using disk space).  The inspect command can show you which tags are available for the given 
+repository, the labels the image has, the creation date and operating system of the image and more.  
+
 
 Examples:
 ```sh
@@ -47,14 +84,25 @@ $ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
 
 Copying images
 -
-`skopeo` can copy container images between various storage mechanisms,
-e.g. Docker registries (including the Docker Hub), the Atomic Registry,
-local directories, and local OCI-layout directories:
+`skopeo` can copy container images between various storage mechanisms, including:
+* Docker distribution based registries
+
+  -  The Docker Hub, OpenShift, GCR, Artifactory, Quay ...
+
+* Container Storage backends
+
+  -  Docker daemon storage
+
+  -  github.com/containers/storage (Backend for CRI-O, Buildah and friends)
+
+* Local directories
+
+* Local OCI-layout directories
 
 ```sh
 $ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
 $ skopeo copy docker://busybox:latest dir:existingemptydirectory
-$ skopeo copy docker://busybox:latest oci:busybox_ocilayout
+$ skopeo copy docker://busybox:latest oci:busybox_ocilayout:latest
 ```
 
 Deleting images
@@ -115,7 +163,7 @@ Building without a container requires a bit more manual work and setup in your e
 
 Install the necessary dependencies:
 ```sh
-Fedora$ sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel
+Fedora$ sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel ostree-devel
 macOS$ brew install gpgme
 ```
 

cmd/skopeo/cgo_pthread_ordering_workaround.go

@@ -1,3 +1,5 @@
+// +build !containers_image_openpgp
+
 package main
 
 /*

cmd/skopeo/copy.go

@@ -7,9 +7,11 @@ import (
 	"strings"
 
 	"github.com/containers/image/copy"
+	"github.com/containers/image/manifest"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/image/types"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/urfave/cli"
 )
 
@@ -55,12 +57,27 @@ func copyHandler(context *cli.Context) error {
 		return err
 	}
 
+	var manifestType string
+	if context.IsSet("format") {
+		switch context.String("format") {
+		case "oci":
+			manifestType = imgspecv1.MediaTypeImageManifest
+		case "v2s1":
+			manifestType = manifest.DockerV2Schema1SignedMediaType
+		case "v2s2":
+			manifestType = manifest.DockerV2Schema2MediaType
+		default:
+			return fmt.Errorf("unknown format %q. Choose on of the supported formats: 'oci', 'v2s1', or 'v2s2'", context.String("format"))
+		}
+	}
+
 	return copy.Image(policyContext, destRef, srcRef, &copy.Options{
-		RemoveSignatures: removeSignatures,
-		SignBy:           signBy,
-		ReportWriter:     os.Stdout,
-		SourceCtx:        sourceCtx,
-		DestinationCtx:   destinationCtx,
+		RemoveSignatures:      removeSignatures,
+		SignBy:                signBy,
+		ReportWriter:          os.Stdout,
+		SourceCtx:             sourceCtx,
+		DestinationCtx:        destinationCtx,
+		ForceManifestMIMEType: manifestType,
 	})
 }
 
@@ -80,6 +97,10 @@ var copyCmd = cli.Command{
 	Action:    copyHandler,
 	// FIXME: Do we need to namespace the GPG aspect?
 	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.BoolFlag{
 			Name:  "remove-signatures",
 			Usage: "Do not copy signatures from SOURCE-IMAGE",
@@ -121,5 +142,23 @@ var copyCmd = cli.Command{
 			Value: "",
 			Usage: "`DIRECTORY` to use for OSTree temporary files",
 		},
+		cli.StringFlag{
+			Name:  "src-shared-blob-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use to fetch retrieved blobs (OCI layout sources only)",
+		},
+		cli.StringFlag{
+			Name:  "dest-shared-blob-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use to store retrieved blobs (OCI layout destinations only)",
+		},
+		cli.StringFlag{
+			Name:  "format, f",
+			Usage: "`MANIFEST TYPE` (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)",
+		},
+		cli.BoolFlag{
+			Name:  "dest-compress",
+			Usage: "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)",
+		},
 	},
 }

cmd/skopeo/delete.go

@@ -24,10 +24,7 @@ func deleteHandler(context *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	if err := ref.DeleteImage(ctx); err != nil {
-		return err
-	}
-	return nil
+	return ref.DeleteImage(ctx)
 }
 
 var deleteCmd = cli.Command{
@@ -44,6 +41,10 @@ var deleteCmd = cli.Command{
 	ArgsUsage: "IMAGE-NAME",
 	Action:    deleteHandler,
 	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.StringFlag{
 			Name:  "creds",
 			Value: "",

cmd/skopeo/inspect.go

@@ -6,12 +6,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/transports"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
 
@@ -42,6 +42,10 @@ var inspectCmd = cli.Command{
 	`, strings.Join(transports.ListNames(), ", ")),
 	ArgsUsage: "IMAGE-NAME",
 	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.StringFlag{
 			Name:  "cert-dir",
 			Value: "",

cmd/skopeo/layers.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/containers/image/directory"
 	"github.com/containers/image/image"
-	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
@@ -25,16 +24,15 @@ var layersCmd = cli.Command{
 		if c.NArg() == 0 {
 			return errors.New("Usage: layers imageReference [layer...]")
 		}
-		rawSource, err := parseImageSource(c, c.Args()[0], []string{
-			// TODO: skopeo layers only supports these now
-			// eventually we'll remove this command altogether...
-			manifest.DockerV2Schema1SignedMediaType,
-			manifest.DockerV2Schema1MediaType,
-		})
+		ctx, err := contextFromGlobalOptions(c, "")
 		if err != nil {
 			return err
 		}
-		src, err := image.FromSource(rawSource)
+		rawSource, err := parseImageSource(c, c.Args()[0])
+		if err != nil {
+			return err
+		}
+		src, err := image.FromSource(ctx, rawSource)
 		if err != nil {
 			if closeErr := rawSource.Close(); closeErr != nil {
 				return errors.Wrapf(err, " (close error: %v)", closeErr)
@@ -115,10 +113,6 @@ var layersCmd = cli.Command{
 			return err
 		}
 
-		if err := dest.Commit(); err != nil {
-			return err
-		}
-
-		return nil
+		return dest.Commit()
 	},
 }

cmd/skopeo/main.go

@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/signature"
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/projectatomic/skopeo/version"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
 
@@ -50,6 +50,16 @@ func createApp() *cli.App {
 			Value: "",
 			Usage: "use registry configuration files in `DIR` (e.g. for container signature storage)",
 		},
+		cli.StringFlag{
+			Name:  "override-arch",
+			Value: "",
+			Usage: "use `ARCH` instead of the architecture of the machine for choosing images",
+		},
+		cli.StringFlag{
+			Name:  "override-os",
+			Value: "",
+			Usage: "use `OS` instead of the running OS for choosing images",
+		},
 	}
 	app.Before = func(c *cli.Context) error {
 		if c.GlobalBool("debug") {

cmd/skopeo/utils.go

@@ -11,12 +11,17 @@ import (
 
 func contextFromGlobalOptions(c *cli.Context, flagPrefix string) (*types.SystemContext, error) {
 	ctx := &types.SystemContext{
-		RegistriesDirPath: c.GlobalString("registries.d"),
-		DockerCertPath:    c.String(flagPrefix + "cert-dir"),
+		RegistriesDirPath:  c.GlobalString("registries.d"),
+		ArchitectureChoice: c.GlobalString("override-arch"),
+		OSChoice:           c.GlobalString("override-os"),
+		DockerCertPath:     c.String(flagPrefix + "cert-dir"),
 		// DEPRECATED: keep this here for backward compatibility, but override
 		// them if per subcommand flags are provided (see below).
 		DockerInsecureSkipTLSVerify: !c.GlobalBoolT("tls-verify"),
 		OSTreeTmpDirPath:            c.String(flagPrefix + "ostree-tmp-dir"),
+		OCISharedBlobDirPath:        c.String(flagPrefix + "shared-blob-dir"),
+		DirForceCompress:            c.Bool(flagPrefix + "compress"),
+		AuthFilePath:                c.String("authfile"),
 	}
 	if c.IsSet(flagPrefix + "tls-verify") {
 		ctx.DockerInsecureSkipTLSVerify = !c.BoolT(flagPrefix + "tls-verify")
@@ -57,8 +62,8 @@ func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
 }
 
 // parseImage converts image URL-like string to an initialized handler for that image.
-// The caller must call .Close() on the returned Image.
-func parseImage(c *cli.Context) (types.Image, error) {
+// The caller must call .Close() on the returned ImageCloser.
+func parseImage(c *cli.Context) (types.ImageCloser, error) {
 	imgName := c.Args().First()
 	ref, err := alltransports.ParseImageName(imgName)
 	if err != nil {
@@ -72,9 +77,8 @@ func parseImage(c *cli.Context) (types.Image, error) {
 }
 
 // parseImageSource converts image URL-like string to an ImageSource.
-// requestedManifestMIMETypes is as in types.ImageReference.NewImageSource.
 // The caller must call .Close() on the returned ImageSource.
-func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func parseImageSource(c *cli.Context, name string) (types.ImageSource, error) {
 	ref, err := alltransports.ParseImageName(name)
 	if err != nil {
 		return nil, err
@@ -83,5 +87,5 @@ func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []
 	if err != nil {
 		return nil, err
 	}
-	return ref.NewImageSource(ctx, requestedManifestMIMETypes)
+	return ref.NewImageSource(ctx)
 }

completions/bash/skopeo

@@ -20,30 +20,36 @@ _complete_() {
 }
 
 _skopeo_copy() {
-     local options_with_args="
-	--sign-by
-	--src-creds --screds
-	--src-cert-dir
-	--src-tls-verify
-	--dest-creds --dcreds
-	--dest-cert-dir
-	--dest-ostree-tmp-dir
-	--dest-tls-verify
-     "
-     local boolean_options="
-	--remove-signatures
-     "
-     _complete_ "$options_with_args" "$boolean_options"
+    local options_with_args="
+    --authfile
+    --format -f
+    --sign-by
+    --src-creds --screds
+    --src-cert-dir
+    --src-tls-verify
+    --dest-creds --dcreds
+    --dest-cert-dir
+    --dest-ostree-tmp-dir
+    --dest-tls-verify
+    "
+
+    local boolean_options="
+    --dest-compress
+    --remove-signatures
+    "
+
+    _complete_ "$options_with_args" "$boolean_options"
 }
 
 _skopeo_inspect() {
      local options_with_args="
-	--creds
-	--cert-dir
+     --authfile
+     --creds
+     --cert-dir
      "
      local boolean_options="
-	--raw
-	--tls-verify
+     --raw
+     --tls-verify
     "
     _complete_ "$options_with_args" "$boolean_options"
 }
@@ -75,11 +81,12 @@ _skopeo_manifest_digest() {
 
 _skopeo_delete() {
      local options_with_args="
-	   --creds
-	   --cert-dir
+     --authfile
+     --creds
+     --cert-dir
      "
      local boolean_options="
-	   --tls-verify
+     --tls-verify
      "
     _complete_ "$options_with_args" "$boolean_options"
 }
@@ -99,6 +106,8 @@ _skopeo_skopeo() {
      local options_with_args="
 	   --policy
 	   --registries.d
+       --override-arch
+       --override-os
      "
      local boolean_options="
 	   --insecure-policy

docs/skopeo.1.md

@@ -2,33 +2,42 @@
 % Jhon Honce
 % August 2016
 # NAME
-skopeo -- Various operations with container images and container image registries
+skopeo -- Command line utility used to interact with local and remote container images and container image registries
 # SYNOPSIS
 **skopeo** [_global options_] _command_ [_command options_]
 # DESCRIPTION
-`skopeo` is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a container registry and fetch image. It fetches the repository's manifest and it is able to show you a `docker inspect`-like json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - which tags are available for the given repository? which labels the image has?
+`skopeo` is a command line utility providing various operations with container images and container image registries.
+
+`skopeo` can copy container images between various containers image stores, converting them as necessary.  For example you can use `skopeo` to copy container images from one container registry to another.
+
+`skopeo` can convert a Docker schema 2 or schema 1 container image to an OCI image.
+
+`skopeo` can inspect a repository on a container registry without needlessly pulling the image. Pulling an image from a repository, especially a remote repository, is an expensive network and storage operation. Skopeo fetches the repository's manifest and displays a `docker inspect`-like json output about the repository or a tag. `skopeo`, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - Which tags are available for the given repository? Which labels does the image have?
+
+`skopeo` can sign and verify container images.
+
+`skopeo` can delete container images from a remote container registry.
+
+Note: `skopeo` does not require any container runtimes to be running, to do most of
+its functionality.  It also does not require root, unless you are copying images into a container runtime storage backend, like the docker daemon or github.com/containers/storage.
 
-It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.
 ## IMAGE NAMES
 Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:
 
-  **atomic:**_hostname_**/**_namespace_**/**_stream_**:**_tag_
-  An image served by an OpenShift(Atomic) Registry server. The current OpenShift project and OpenShift Registry instance are by default read from `$HOME/.kube/config`, which is set e.g. using `(oc login)`.
-
-  **containers-storage://**_docker-reference_
+  **containers-storage:**_docker-reference_
   An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf
 
   **dir:**_path_
   An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
 
   **docker://**_docker-reference_
-  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$HOME/.docker/config.json`, which is set e.g. using `(docker login)`.
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(kpod login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
 
   **docker-archive:**_path_[**:**_docker-reference_]
-  An image is stored in the `docker save` formated file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
+  An image is stored in the `docker save` formatted file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
 
   **docker-daemon:**_docker-reference_
-  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can be docker-daemon:algo:digest (an image ID).
 
   **oci:**_path_**:**_tag_
   An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
@@ -46,6 +55,10 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
 
   **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.
 
+  **--override-arch** _arch_ Use _arch_ instead of the architecture of the machine for choosing images.
+
+  **--override-os** _OS_ Use _OS_ instead of the running OS for choosing images.
+
   **--help**|**-h** Show help
 
   **--version**|**-v** print the version number
@@ -63,12 +76,21 @@ Uses the system's trust policy to validate images, rejects images not trusted by
 
   _destination-image_ use the "image name" format described above
 
+  **--authfile** _path_
+
+  Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+  **--format, -f** _manifest-type_ Manifest type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
+
   **--remove-signatures** do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
 
   **--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_
 
   **--src-creds** _username[:password]_ for accessing the source registry
 
+  **--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)
+
   **--dest-creds** _username[:password]_ for accessing the destination registry
 
   **--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry
@@ -86,11 +108,23 @@ Existing signatures, if any, are preserved as well.
 ## skopeo delete
 **skopeo delete** _image-name_
 
-Mark _image-name_ for deletion.  To release the allocated disk space, you need to execute the container registry garabage collector. E.g.,
+Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
 
-```sh
-$ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
 ```
+/usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml
+
+If you are running the container registry inside of a container you would execute something like:
+
+$ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+```
+
+  **--authfile** _path_
+
+  Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
 
   **--creds** _username[:password]_ for accessing the registry
 
@@ -109,6 +143,11 @@ Return low-level information about _image-name_ in a registry
 
   _image-name_ name of image to retrieve information about
 
+  **--authfile** _path_
+
+  Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
   **--creds** _username[:password]_ for accessing the registry
 
   **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry
@@ -240,6 +279,9 @@ $ skopeo standalone-verify busybox-manifest.json registry.example.com/example/bu
 Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
 ```
 
+# SEE ALSO
+kpod-login(1), docker-login(1)
+
 # AUTHORS
 
 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo.svg

@@ -0,0 +1,546 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="480.61456"
+   height="472.66098"
+   viewBox="0 0 127.1626 125.05822"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
+   sodipodi:docname="skopeo.svg"
+   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
+   inkscape:export-xdpi="90"
+   inkscape:export-ydpi="90">
+  <defs
+     id="defs2">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84477">
+      <stop
+         style="stop-color:#0093d9;stop-opacity:1"
+         offset="0"
+         id="stop84473" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84475" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84469">
+      <stop
+         style="stop-color:#f6e6c8;stop-opacity:1"
+         offset="0"
+         id="stop84465" />
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1"
+         offset="1"
+         id="stop84467" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84461">
+      <stop
+         style="stop-color:#bfdce8;stop-opacity:1;"
+         offset="0"
+         id="stop84457" />
+      <stop
+         style="stop-color:#2a72ac;stop-opacity:1"
+         offset="1"
+         id="stop84459" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84420">
+      <stop
+         style="stop-color:#a7a9ac;stop-opacity:1;"
+         offset="0"
+         id="stop84416" />
+      <stop
+         style="stop-color:#e7e8e9;stop-opacity:1"
+         offset="1"
+         id="stop84418" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84347">
+      <stop
+         style="stop-color:#2c2d2f;stop-opacity:1;"
+         offset="0"
+         id="stop84343" />
+      <stop
+         style="stop-color:#000000;stop-opacity:1"
+         offset="1"
+         id="stop84345" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84339">
+      <stop
+         style="stop-color:#002442;stop-opacity:1;"
+         offset="0"
+         id="stop84335" />
+      <stop
+         style="stop-color:#151617;stop-opacity:1"
+         offset="1"
+         id="stop84337" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84331">
+      <stop
+         style="stop-color:#003d6e;stop-opacity:1;"
+         offset="0"
+         id="stop84327" />
+      <stop
+         style="stop-color:#59b5ff;stop-opacity:1"
+         offset="1"
+         id="stop84329" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84323">
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1;"
+         offset="0"
+         id="stop84319" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84321" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84325"
+       x1="221.5741"
+       y1="250.235"
+       x2="219.20772"
+       y2="221.99771"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84331"
+       id="linearGradient84333"
+       x1="223.23239"
+       y1="212.83418"
+       x2="245.52328"
+       y2="129.64345"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84341"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84347"
+       id="linearGradient84349"
+       x1="212.05453"
+       y1="215.20055"
+       x2="237.73705"
+       y2="230.02835"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84363"
+       x1="193.61516"
+       y1="225.045"
+       x2="224.08698"
+       y2="223.54327"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84377"
+       x1="182.72513"
+       y1="222.54439"
+       x2="184.01024"
+       y2="210.35291"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84408"
+       x1="211.73801"
+       y1="225.48302"
+       x2="204.24324"
+       y2="238.46432"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84422"
+       x1="190.931"
+       y1="221.83777"
+       x2="187.53873"
+       y2="229.26593"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84425"
+       gradientUnits="userSpaceOnUse"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84441"
+       x1="169.95944"
+       y1="215.77036"
+       x2="174.0289"
+       y2="207.81528"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84455"
+       x1="234.08092"
+       y1="252.39755"
+       x2="245.88477"
+       y2="251.21777"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84461"
+       id="radialGradient84463"
+       cx="213.19594"
+       cy="223.40646"
+       fx="214.12064"
+       fy="217.34077"
+       r="33.39888"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84469"
+       id="radialGradient84471"
+       cx="207.18298"
+       cy="211.06483"
+       fx="207.18298"
+       fy="211.06483"
+       r="2.77954"
+       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84477"
+       id="linearGradient84479"
+       x1="241.60336"
+       y1="255.46982"
+       x2="244.45177"
+       y2="250.4846"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1"
+     inkscape:cx="517.27113"
+     inkscape:cy="314.79773"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer1"
+     inkscape:document-rotation="0"
+     showgrid="false"
+     units="px"
+     inkscape:snap-global="false"
+     inkscape:window-width="2560"
+     inkscape:window-height="1376"
+     inkscape:window-x="0"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-149.15784,-175.92614)">
+    <g
+       id="g84497"
+       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
+       transform="translate(0,10.583333)">
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84485"
+         width="31.605196"
+         height="19.16976"
+         x="299.48376"
+         y="87.963303"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84487"
+         width="16.725054"
+         height="9.8947001"
+         x="258.07639"
+         y="92.60083"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84489"
+         width="4.8383565"
+         height="11.503917"
+         x="253.2236"
+         y="91.796227"
+         transform="rotate(30)" />
+      <rect
+         y="86.859642"
+         x="331.21924"
+         height="21.377089"
+         width="4.521956"
+         id="rect84491"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         transform="rotate(30)" />
+    </g>
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       id="path84483"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="cccccc"
+       inkscape:connector-curvature="0"
+       id="path84481"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <circle
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="path84224"
+       cx="213.64427"
+       cy="234.18927"
+       r="35.482784" />
+    <circle
+       r="33.39888"
+       cy="234.18927"
+       cx="213.64427"
+       id="circle84226"
+       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84114"
+       width="31.605196"
+       height="19.16976"
+       x="304.77545"
+       y="97.128738"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84116"
+       width="4.521956"
+       height="21.377089"
+       x="300.27435"
+       y="96.025078"
+       transform="rotate(30)" />
+    <rect
+       y="99.087395"
+       x="283.71848"
+       height="15.252436"
+       width="16.459545"
+       id="rect84118"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       y="98.190086"
+       x="280.00021"
+       height="17.047071"
+       width="3.617183"
+       id="rect84120"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84122"
+       width="16.725054"
+       height="9.8947001"
+       x="263.36807"
+       y="101.76627"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84124"
+       width="4.8383565"
+       height="11.503917"
+       x="258.51526"
+       y="100.96166"
+       transform="rotate(30)" />
+    <rect
+       y="96.025078"
+       x="336.51093"
+       height="21.377089"
+       width="4.521956"
+       id="rect84126"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <path
+       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
+       id="rect84313"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84128"
+       d="m 215.3335,241.36799 22.49734,12.98884"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84130"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
+       id="path84134"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccccc" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       id="path84136"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
+       id="rect84410"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
+       id="path84284"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
+       id="rect84351"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
+       id="rect84365"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="ccccc"
+       inkscape:connector-curvature="0"
+       id="path84138"
+       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <ellipse
+       cy="223.01579"
+       cx="207.08998"
+       id="circle84140"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       rx="3.8395541"
+       ry="3.8438656" />
+    <path
+       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
+       id="path84272"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84142"
+       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84144"
+       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       sodipodi:nodetypes="ccc" />
+    <path
+       sodipodi:nodetypes="ccc"
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
+       id="path84280"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
+       id="path84290"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccc" />
+    <path
+       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
+       id="ellipse84292"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
+       id="path84298"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
+       id="path84379"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
+       id="rect84396"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
+       id="rect84429"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
+       id="rect84443"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 215.55025,240.82707 22.49734,12.98884"
+       id="path84521"
+       inkscape:connector-curvature="0" />
+  </g>
+</svg>

hack/travis_osx.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+
+export GOPATH=$(pwd)/_gopath
+export PATH=$GOPATH/bin:$PATH
+
+_projectatomic="${GOPATH}/src/github.com/projectatomic"
+mkdir -vp ${_projectatomic}
+ln -vsf $(pwd) ${_projectatomic}/skopeo
+
+go get -u github.com/cpuguy83/go-md2man github.com/golang/lint/golint
+
+cd ${_projectatomic}/skopeo
+make validate-local test-unit-local binary-local
+sudo make install
+skopeo -v

integration/copy_test.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -14,6 +15,8 @@ import (
 	"github.com/containers/image/signature"
 	"github.com/go-check/check"
 	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/image-tools/image"
 )
 
 func init() {
@@ -87,8 +90,11 @@ func (s *CopySuite) TearDownSuite(c *check.C) {
 	}
 }
 
-func (s *CopySuite) TestCopyFailsWithManifestList(c *check.C) {
-	assertSkopeoFails(c, ".*can not copy docker://estesp/busybox:latest: manifest contains multiple images.*", "copy", "docker://estesp/busybox:latest", "dir:somedir")
+func (s *CopySuite) TestCopyWithManifestList(c *check.C) {
+	dir, err := ioutil.TempDir("", "copy-manifest-list")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir)
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "dir:"+dir)
 }
 
 func (s *CopySuite) TestCopyFailsWhenImageOSDoesntMatchRuntimeOS(c *check.C) {
@@ -135,14 +141,20 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
 	c.Assert(out, check.Equals, "")
 
-	// docker v2s2 -> OCI image layout
+	// docker v2s2 -> OCI image layout with image name
 	// ociDest will be created by oci: if it doesn't exist
 	// so don't create it here to exercise auto-creation
-	ociDest := "busybox-latest"
+	ociDest := "busybox-latest-image"
+	ociImgName := "busybox"
 	defer os.RemoveAll(ociDest)
-	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest)
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest+":"+ociImgName)
 	_, err = os.Stat(ociDest)
 	c.Assert(err, check.IsNil)
+
+	// docker v2s2 -> OCI image layout without image name
+	ociDest = "busybox-latest-noimage"
+	defer os.RemoveAll(ociDest)
+	assertSkopeoFails(c, ".*Error initializing destination oci:busybox-latest-noimage:: cannot save image with empty image.ref.name.*", "copy", "docker://busybox:latest", "oci:"+ociDest)
 }
 
 // Check whether dir: images in dir1 and dir2 are equal, ignoring schema1 signatures.
@@ -241,13 +253,15 @@ func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
 	c.Assert(out, check.Equals, "")
 
 	// For some silly reason we pass a logger to the OCI library here...
-	//logger := log.New(os.Stderr, "", 0)
+	logger := log.New(os.Stderr, "", 0)
 
-	// TODO: Verify using the upstream OCI image validator.
-	//err = image.ValidateLayout(oci1, nil, logger)
-	//c.Assert(err, check.IsNil)
-	//err = image.ValidateLayout(oci2, nil, logger)
-	//c.Assert(err, check.IsNil)
+	// Verify using the upstream OCI image validator, this should catch most
+	// non-compliance errors. DO NOT REMOVE THIS TEST UNLESS IT'S ABSOLUTELY
+	// NECESSARY.
+	err = image.ValidateLayout(oci1, nil, logger)
+	c.Assert(err, check.IsNil)
+	err = image.ValidateLayout(oci2, nil, logger)
+	c.Assert(err, check.IsNil)
 
 	// Now verify that everything is identical. Currently this is true, but
 	// because we recompute the manifests on-the-fly this doesn't necessarily
@@ -580,6 +594,32 @@ func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
 	s.testCopySchemaConversionRegistries(c, "docker://"+v2s1DockerRegistryURL+"/schema1", "docker://"+v2DockerRegistryURL+"/schema2")
 }
 
+func (s *CopySuite) TestCopyManifestConversion(c *check.C) {
+	topDir, err := ioutil.TempDir("", "manifest-conversion")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	srcDir := filepath.Join(topDir, "source")
+	destDir1 := filepath.Join(topDir, "dest1")
+	destDir2 := filepath.Join(topDir, "dest2")
+
+	// oci to v2s1 and vice-versa not supported yet
+	// get v2s2 manifest type
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox", "dir:"+srcDir)
+	verifyManifestMIMEType(c, srcDir, manifest.DockerV2Schema2MediaType)
+	// convert from v2s2 to oci
+	assertSkopeoSucceeds(c, "", "copy", "--format=oci", "dir:"+srcDir, "dir:"+destDir1)
+	verifyManifestMIMEType(c, destDir1, imgspecv1.MediaTypeImageManifest)
+	// convert from oci to v2s2
+	assertSkopeoSucceeds(c, "", "copy", "--format=v2s2", "dir:"+destDir1, "dir:"+destDir2)
+	verifyManifestMIMEType(c, destDir2, manifest.DockerV2Schema2MediaType)
+	// convert from v2s2 to v2s1
+	assertSkopeoSucceeds(c, "", "copy", "--format=v2s1", "dir:"+srcDir, "dir:"+destDir1)
+	verifyManifestMIMEType(c, destDir1, manifest.DockerV2Schema1SignedMediaType)
+	// convert from v2s1 to v2s2
+	assertSkopeoSucceeds(c, "", "copy", "--format=v2s2", "dir:"+destDir1, "dir:"+destDir2)
+	verifyManifestMIMEType(c, destDir2, manifest.DockerV2Schema2MediaType)
+}
+
 func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Registry, schema2Registry string) {
 	topDir, err := ioutil.TempDir("", "schema-conversion")
 	c.Assert(err, check.IsNil)

vendor.conf

@@ -3,7 +3,7 @@ github.com/containers/image master
 github.com/opencontainers/go-digest master
 gopkg.in/cheggaaa/pb.v1 ad4efe000aa550bb54918c06ebbadc0ff17687b9 https://github.com/cheggaaa/pb
 github.com/containers/storage master
-github.com/Sirupsen/logrus v0.10.0
+github.com/sirupsen/logrus v1.0.0
 github.com/go-check/check v1
 github.com/stretchr/testify v1.1.3
 github.com/davecgh/go-spew master
@@ -11,22 +11,24 @@ github.com/pmezard/go-difflib master
 github.com/pkg/errors master
 golang.org/x/crypto master
 # docker deps from https://github.com/docker/docker/blob/v1.11.2/hack/vendor.sh
-github.com/docker/docker v1.13.0
-github.com/docker/go-connections 4ccf312bf1d35e5dbda654e57a9be4c3f3cd0366
-github.com/vbatts/tar-split v0.10.1
+github.com/docker/docker 30eb4d8cdc422b023d5f11f29a82ecb73554183b
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/vbatts/tar-split v0.10.2
 github.com/gorilla/context 14f550f51a
 github.com/gorilla/mux e444e69cbd
 github.com/docker/go-units 8a7beacffa3009a9ac66bad506b18ffdd110cf97
 golang.org/x/net master
+github.com/gogo/protobuf fcdc5011193ff531a548e9b0301828d5a5b97fd8
 # end docker deps
 golang.org/x/text master
 github.com/docker/distribution master
 github.com/docker/libtrust master
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
 github.com/opencontainers/runc master
-github.com/opencontainers/image-spec v1.0.0-rc6
+github.com/opencontainers/image-spec v1.0.0
 # -- start OCI image validation requirements.
-github.com/opencontainers/runtime-spec v1.0.0-rc4
-github.com/opencontainers/image-tools v0.1.0
+github.com/opencontainers/runtime-spec v1.0.0
+github.com/opencontainers/image-tools 6d941547fa1df31900990b3fb47ec2468c9c6469
 github.com/xeipuuv/gojsonschema master
 github.com/xeipuuv/gojsonreference master
 github.com/xeipuuv/gojsonpointer master
@@ -47,3 +49,4 @@ github.com/opencontainers/selinux master
 golang.org/x/sys master
 github.com/tchap/go-patricia v2.2.6
 github.com/BurntSushi/toml master
+github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac

vendor/github.com/BurntSushi/toml/COPYING

@@ -1,14 +1,21 @@
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-                    Version 2, December 2004
+The MIT License (MIT)
 
- Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+Copyright (c) 2013 TOML authors
 
- Everyone is permitted to copy and distribute verbatim or modified
- copies of this license document, and changing it is allowed as long
- as the name is changed.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. You just DO WHAT THE FUCK YOU WANT TO.
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/BurntSushi/toml/lex.go

@@ -775,7 +775,7 @@ func lexDatetime(lx *lexer) stateFn {
 		return lexDatetime
 	}
 	switch r {
-	case '-', 'T', ':', '.', 'Z':
+	case '-', 'T', ':', '.', 'Z', '+':
 		return lexDatetime
 	}
 

vendor/github.com/Sirupsen/logrus/json_formatter.go

@@ -1,41 +0,0 @@
-package logrus
-
-import (
-	"encoding/json"
-	"fmt"
-)
-
-type JSONFormatter struct {
-	// TimestampFormat sets the format used for marshaling timestamps.
-	TimestampFormat string
-}
-
-func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {
-	data := make(Fields, len(entry.Data)+3)
-	for k, v := range entry.Data {
-		switch v := v.(type) {
-		case error:
-			// Otherwise errors are ignored by `encoding/json`
-			// https://github.com/Sirupsen/logrus/issues/137
-			data[k] = v.Error()
-		default:
-			data[k] = v
-		}
-	}
-	prefixFieldClashes(data)
-
-	timestampFormat := f.TimestampFormat
-	if timestampFormat == "" {
-		timestampFormat = DefaultTimestampFormat
-	}
-
-	data["time"] = entry.Time.Format(timestampFormat)
-	data["msg"] = entry.Message
-	data["level"] = entry.Level.String()
-
-	serialized, err := json.Marshal(data)
-	if err != nil {
-		return nil, fmt.Errorf("Failed to marshal fields to JSON, %v", err)
-	}
-	return append(serialized, '\n'), nil
-}

vendor/github.com/Sirupsen/logrus/logger.go

@@ -1,212 +0,0 @@
-package logrus
-
-import (
-	"io"
-	"os"
-	"sync"
-)
-
-type Logger struct {
-	// The logs are `io.Copy`'d to this in a mutex. It's common to set this to a
-	// file, or leave it default which is `os.Stderr`. You can also set this to
-	// something more adventorous, such as logging to Kafka.
-	Out io.Writer
-	// Hooks for the logger instance. These allow firing events based on logging
-	// levels and log entries. For example, to send errors to an error tracking
-	// service, log to StatsD or dump the core on fatal errors.
-	Hooks LevelHooks
-	// All log entries pass through the formatter before logged to Out. The
-	// included formatters are `TextFormatter` and `JSONFormatter` for which
-	// TextFormatter is the default. In development (when a TTY is attached) it
-	// logs with colors, but to a file it wouldn't. You can easily implement your
-	// own that implements the `Formatter` interface, see the `README` or included
-	// formatters for examples.
-	Formatter Formatter
-	// The logging level the logger should log at. This is typically (and defaults
-	// to) `logrus.Info`, which allows Info(), Warn(), Error() and Fatal() to be
-	// logged. `logrus.Debug` is useful in
-	Level Level
-	// Used to sync writing to the log.
-	mu sync.Mutex
-}
-
-// Creates a new logger. Configuration should be set by changing `Formatter`,
-// `Out` and `Hooks` directly on the default logger instance. You can also just
-// instantiate your own:
-//
-//    var log = &Logger{
-//      Out: os.Stderr,
-//      Formatter: new(JSONFormatter),
-//      Hooks: make(LevelHooks),
-//      Level: logrus.DebugLevel,
-//    }
-//
-// It's recommended to make this a global instance called `log`.
-func New() *Logger {
-	return &Logger{
-		Out:       os.Stderr,
-		Formatter: new(TextFormatter),
-		Hooks:     make(LevelHooks),
-		Level:     InfoLevel,
-	}
-}
-
-// Adds a field to the log entry, note that you it doesn't log until you call
-// Debug, Print, Info, Warn, Fatal or Panic. It only creates a log entry.
-// If you want multiple fields, use `WithFields`.
-func (logger *Logger) WithField(key string, value interface{}) *Entry {
-	return NewEntry(logger).WithField(key, value)
-}
-
-// Adds a struct of fields to the log entry. All it does is call `WithField` for
-// each `Field`.
-func (logger *Logger) WithFields(fields Fields) *Entry {
-	return NewEntry(logger).WithFields(fields)
-}
-
-// Add an error as single field to the log entry.  All it does is call
-// `WithError` for the given `error`.
-func (logger *Logger) WithError(err error) *Entry {
-	return NewEntry(logger).WithError(err)
-}
-
-func (logger *Logger) Debugf(format string, args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debugf(format, args...)
-	}
-}
-
-func (logger *Logger) Infof(format string, args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Infof(format, args...)
-	}
-}
-
-func (logger *Logger) Printf(format string, args ...interface{}) {
-	NewEntry(logger).Printf(format, args...)
-}
-
-func (logger *Logger) Warnf(format string, args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnf(format, args...)
-	}
-}
-
-func (logger *Logger) Warningf(format string, args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnf(format, args...)
-	}
-}
-
-func (logger *Logger) Errorf(format string, args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Errorf(format, args...)
-	}
-}
-
-func (logger *Logger) Fatalf(format string, args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatalf(format, args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panicf(format string, args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panicf(format, args...)
-	}
-}
-
-func (logger *Logger) Debug(args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debug(args...)
-	}
-}
-
-func (logger *Logger) Info(args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Info(args...)
-	}
-}
-
-func (logger *Logger) Print(args ...interface{}) {
-	NewEntry(logger).Info(args...)
-}
-
-func (logger *Logger) Warn(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warn(args...)
-	}
-}
-
-func (logger *Logger) Warning(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warn(args...)
-	}
-}
-
-func (logger *Logger) Error(args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Error(args...)
-	}
-}
-
-func (logger *Logger) Fatal(args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatal(args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panic(args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panic(args...)
-	}
-}
-
-func (logger *Logger) Debugln(args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debugln(args...)
-	}
-}
-
-func (logger *Logger) Infoln(args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Infoln(args...)
-	}
-}
-
-func (logger *Logger) Println(args ...interface{}) {
-	NewEntry(logger).Println(args...)
-}
-
-func (logger *Logger) Warnln(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnln(args...)
-	}
-}
-
-func (logger *Logger) Warningln(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnln(args...)
-	}
-}
-
-func (logger *Logger) Errorln(args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Errorln(args...)
-	}
-}
-
-func (logger *Logger) Fatalln(args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatalln(args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panicln(args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panicln(args...)
-	}
-}

vendor/github.com/Sirupsen/logrus/terminal_solaris.go

@@ -1,15 +0,0 @@
-// +build solaris
-
-package logrus
-
-import (
-	"os"
-
-	"golang.org/x/sys/unix"
-)
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal() bool {
-	_, err := unix.IoctlGetTermios(int(os.Stdout.Fd()), unix.TCGETA)
-	return err == nil
-}

vendor/github.com/Sirupsen/logrus/terminal_windows.go

@@ -1,27 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows
-
-package logrus
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-var kernel32 = syscall.NewLazyDLL("kernel32.dll")
-
-var (
-	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
-)
-
-// IsTerminal returns true if stderr's file descriptor is a terminal.
-func IsTerminal() bool {
-	fd := syscall.Stderr
-	var st uint32
-	r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(fd), uintptr(unsafe.Pointer(&st)), 0)
-	return r != 0 && e == 0
-}

vendor/github.com/Sirupsen/logrus/writer.go

@@ -1,31 +0,0 @@
-package logrus
-
-import (
-	"bufio"
-	"io"
-	"runtime"
-)
-
-func (logger *Logger) Writer() *io.PipeWriter {
-	reader, writer := io.Pipe()
-
-	go logger.writerScanner(reader)
-	runtime.SetFinalizer(writer, writerFinalizer)
-
-	return writer
-}
-
-func (logger *Logger) writerScanner(reader *io.PipeReader) {
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		logger.Print(scanner.Text())
-	}
-	if err := scanner.Err(); err != nil {
-		logger.Errorf("Error while reading from Writer: %s", err)
-	}
-	reader.Close()
-}
-
-func writerFinalizer(writer *io.PipeWriter) {
-	writer.Close()
-}

vendor/github.com/containers/image/README.md

@@ -51,14 +51,19 @@ Ensure that the dependencies documented [in vendor.conf](https://github.com/cont
 are also available
 (using those exact versions or different versions of your choosing).
 
-This library, by default, also depends on the GpgME C library. Either install it:
+This library, by default, also depends on the GpgME and libostree C libraries. Either install them:
 ```sh
-Fedora$ dnf install gpgme-devel libassuan-devel
+Fedora$ dnf install gpgme-devel libassuan-devel libostree-devel
 macOS$ brew install gpgme
 ```
-or use the `containers_image_openpgp` build tag (e.g. using `go build -tags …`)
-This will use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
+or use the build tags described below to avoid the dependencies (e.g. using `go build -tags …`)
+
+### Supported build tags
+
+- `containers_image_openpgp`: Use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
 the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+- `containers_image_ostree_stub`: Instead of importing `ostree:` transport in `github.com/containers/image/transports/alltransports`, use a stub which reports that the transport is not supported. This allows building the library without requiring the `libostree` development libraries. The `github.com/containers/image/ostree` package is completely disabled
+and impossible to import when this build tag is in use.
 
 ## Contributing
 

vendor/github.com/containers/image/copy/copy.go

@@ -3,6 +3,7 @@ package copy
 import (
 	"bytes"
 	"compress/gzip"
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -11,9 +12,6 @@ import (
 	"strings"
 	"time"
 
-	pb "gopkg.in/cheggaaa/pb.v1"
-
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/image"
 	"github.com/containers/image/pkg/compression"
 	"github.com/containers/image/signature"
@@ -21,6 +19,8 @@ import (
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	pb "gopkg.in/cheggaaa/pb.v1"
 )
 
 type digestingReader struct {
@@ -30,23 +30,6 @@ type digestingReader struct {
 	validationFailed bool
 }
 
-// imageCopier allows us to keep track of diffID values for blobs, and other
-// data, that we're copying between images, and cache other information that
-// might allow us to take some shortcuts
-type imageCopier struct {
-	copiedBlobs       map[digest.Digest]digest.Digest
-	cachedDiffIDs     map[digest.Digest]digest.Digest
-	manifestUpdates   *types.ManifestUpdateOptions
-	dest              types.ImageDestination
-	src               types.Image
-	rawSource         types.ImageSource
-	diffIDsAreNeeded  bool
-	canModifyManifest bool
-	reportWriter      io.Writer
-	progressInterval  time.Duration
-	progress          chan types.ProgressProperties
-}
-
 // newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
 // and set validationFailed to true if the source stream does not match expectedDigest.
 func newDigestingReader(source io.Reader, expectedDigest digest.Digest) (*digestingReader, error) {
@@ -85,6 +68,27 @@ func (d *digestingReader) Read(p []byte) (int, error) {
 	return n, err
 }
 
+// copier allows us to keep track of diffID values for blobs, and other
+// data shared across one or more images in a possible manifest list.
+type copier struct {
+	copiedBlobs      map[digest.Digest]digest.Digest
+	cachedDiffIDs    map[digest.Digest]digest.Digest
+	dest             types.ImageDestination
+	rawSource        types.ImageSource
+	reportWriter     io.Writer
+	progressInterval time.Duration
+	progress         chan types.ProgressProperties
+}
+
+// imageCopier tracks state specific to a single image (possibly an item of a manifest list)
+type imageCopier struct {
+	c                 *copier
+	manifestUpdates   *types.ManifestUpdateOptions
+	src               types.Image
+	diffIDsAreNeeded  bool
+	canModifyManifest bool
+}
+
 // Options allows supplying non-default configuration modifying the behavior of CopyImage.
 type Options struct {
 	RemoveSignatures bool   // Remove any pre-existing signatures. SignBy will still add a new signature.
@@ -94,6 +98,8 @@ type Options struct {
 	DestinationCtx   *types.SystemContext
 	ProgressInterval time.Duration                 // time to wait between reports to signal the progress channel
 	Progress         chan types.ProgressProperties // Reported to when ProgressInterval has arrived for a single artifact+offset.
+	// manifest MIME type of image set by user. "" is default and means use the autodetection to the the manifest MIME type
+	ForceManifestMIMEType string
 }
 
 // Image copies image from srcRef to destRef, using policyContext to validate
@@ -114,10 +120,6 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		reportWriter = options.ReportWriter
 	}
 
-	writeReport := func(f string, a ...interface{}) {
-		fmt.Fprintf(reportWriter, f, a...)
-	}
-
 	dest, err := destRef.NewImageDestination(options.DestinationCtx)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing destination %s", transports.ImageName(destRef))
@@ -128,91 +130,127 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		}
 	}()
 
-	destSupportedManifestMIMETypes := dest.SupportedManifestMIMETypes()
-
-	rawSource, err := srcRef.NewImageSource(options.SourceCtx, destSupportedManifestMIMETypes)
+	rawSource, err := srcRef.NewImageSource(options.SourceCtx)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing source %s", transports.ImageName(srcRef))
 	}
-	unparsedImage := image.UnparsedFromSource(rawSource)
 	defer func() {
-		if unparsedImage != nil {
-			if err := unparsedImage.Close(); err != nil {
-				retErr = errors.Wrapf(retErr, " (unparsed: %v)", err)
-			}
+		if err := rawSource.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (src: %v)", err)
 		}
 	}()
 
+	c := &copier{
+		copiedBlobs:      make(map[digest.Digest]digest.Digest),
+		cachedDiffIDs:    make(map[digest.Digest]digest.Digest),
+		dest:             dest,
+		rawSource:        rawSource,
+		reportWriter:     reportWriter,
+		progressInterval: options.ProgressInterval,
+		progress:         options.Progress,
+	}
+
+	unparsedToplevel := image.UnparsedInstance(rawSource, nil)
+	multiImage, err := isMultiImage(unparsedToplevel)
+	if err != nil {
+		return errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(srcRef))
+	}
+
+	if !multiImage {
+		// The simple case: Just copy a single image.
+		if err := c.copyOneImage(policyContext, options, unparsedToplevel); err != nil {
+			return err
+		}
+	} else {
+		// This is a manifest list. Choose a single image and copy it.
+		// FIXME: Copy to destinations which support manifest lists, one image at a time.
+		instanceDigest, err := image.ChooseManifestInstanceFromManifestList(options.SourceCtx, unparsedToplevel)
+		if err != nil {
+			return errors.Wrapf(err, "Error choosing an image from manifest list %s", transports.ImageName(srcRef))
+		}
+		logrus.Debugf("Source is a manifest list; copying (only) instance %s", instanceDigest)
+		unparsedInstance := image.UnparsedInstance(rawSource, &instanceDigest)
+
+		if err := c.copyOneImage(policyContext, options, unparsedInstance); err != nil {
+			return err
+		}
+	}
+
+	if err := c.dest.Commit(); err != nil {
+		return errors.Wrap(err, "Error committing the finished image")
+	}
+
+	return nil
+}
+
+// Image copies a single (on-manifest-list) image unparsedImage, using policyContext to validate
+// source image admissibility.
+func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *Options, unparsedImage *image.UnparsedImage) (retErr error) {
+	// The caller is handling manifest lists; this could happen only if a manifest list contains a manifest list.
+	// Make sure we fail cleanly in such cases.
+	multiImage, err := isMultiImage(unparsedImage)
+	if err != nil {
+		// FIXME FIXME: How to name a reference for the sub-image?
+		return errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(unparsedImage.Reference()))
+	}
+	if multiImage {
+		return fmt.Errorf("Unexpectedly received a manifest list instead of a manifest for a single image")
+	}
+
 	// Please keep this policy check BEFORE reading any other information about the image.
+	// (the multiImage check above only matches the MIME type, which we have received anyway.
+	// Actual parsing of anything should be deferred.)
 	if allowed, err := policyContext.IsRunningImageAllowed(unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
 		return errors.Wrap(err, "Source image rejected")
 	}
-	src, err := image.FromUnparsedImage(unparsedImage)
+	src, err := image.FromUnparsedImage(options.SourceCtx, unparsedImage)
 	if err != nil {
-		return errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(srcRef))
+		return errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(c.rawSource.Reference()))
 	}
-	unparsedImage = nil
-	defer func() {
-		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (source: %v)", err)
-		}
-	}()
 
-	if err := checkImageDestinationForCurrentRuntimeOS(src, dest); err != nil {
+	if err := checkImageDestinationForCurrentRuntimeOS(options.DestinationCtx, src, c.dest); err != nil {
 		return err
 	}
 
-	if src.IsMultiImage() {
-		return errors.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef))
-	}
-
 	var sigs [][]byte
 	if options.RemoveSignatures {
 		sigs = [][]byte{}
 	} else {
-		writeReport("Getting image source signatures\n")
-		s, err := src.Signatures()
+		c.Printf("Getting image source signatures\n")
+		s, err := src.Signatures(context.TODO())
 		if err != nil {
 			return errors.Wrap(err, "Error reading signatures")
 		}
 		sigs = s
 	}
 	if len(sigs) != 0 {
-		writeReport("Checking if image destination supports signatures\n")
-		if err := dest.SupportsSignatures(); err != nil {
+		c.Printf("Checking if image destination supports signatures\n")
+		if err := c.dest.SupportsSignatures(); err != nil {
 			return errors.Wrap(err, "Can not copy signatures")
 		}
 	}
 
-	canModifyManifest := len(sigs) == 0
-	manifestUpdates := types.ManifestUpdateOptions{}
-	manifestUpdates.InformationOnly.Destination = dest
+	ic := imageCopier{
+		c:               c,
+		manifestUpdates: &types.ManifestUpdateOptions{InformationOnly: types.ManifestUpdateInformation{Destination: c.dest}},
+		src:             src,
+		// diffIDsAreNeeded is computed later
+		canModifyManifest: len(sigs) == 0,
+	}
 
-	if err := updateEmbeddedDockerReference(&manifestUpdates, dest, src, canModifyManifest); err != nil {
+	if err := ic.updateEmbeddedDockerReference(); err != nil {
 		return err
 	}
 
 	// We compute preferredManifestMIMEType only to show it in error messages.
 	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
-	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := determineManifestConversion(&manifestUpdates, src, destSupportedManifestMIMETypes, canModifyManifest)
+	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := ic.determineManifestConversion(c.dest.SupportedManifestMIMETypes(), options.ForceManifestMIMEType)
 	if err != nil {
 		return err
 	}
 
-	// If src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates) will be true, it needs to be true by the time we get here.
-	ic := imageCopier{
-		copiedBlobs:       make(map[digest.Digest]digest.Digest),
-		cachedDiffIDs:     make(map[digest.Digest]digest.Digest),
-		manifestUpdates:   &manifestUpdates,
-		dest:              dest,
-		src:               src,
-		rawSource:         rawSource,
-		diffIDsAreNeeded:  src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates),
-		canModifyManifest: canModifyManifest,
-		reportWriter:      reportWriter,
-		progressInterval:  options.ProgressInterval,
-		progress:          options.Progress,
-	}
+	// If src.UpdatedImageNeedsLayerDiffIDs(ic.manifestUpdates) will be true, it needs to be true by the time we get here.
+	ic.diffIDsAreNeeded = src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates)
 
 	if err := ic.copyLayers(); err != nil {
 		return err
@@ -234,9 +272,9 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		}
 		// If the original MIME type is acceptable, determineManifestConversion always uses it as preferredManifestMIMEType.
 		// So if we are here, we will definitely be trying to convert the manifest.
-		// With !canModifyManifest, that would just be a string of repeated failures for the same reason,
+		// With !ic.canModifyManifest, that would just be a string of repeated failures for the same reason,
 		// so let’s bail out early and with a better error message.
-		if !canModifyManifest {
+		if !ic.canModifyManifest {
 			return errors.Wrap(err, "Writing manifest failed (and converting it is not possible)")
 		}
 
@@ -244,7 +282,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		errs := []string{fmt.Sprintf("%s(%v)", preferredManifestMIMEType, err)}
 		for _, manifestMIMEType := range otherManifestMIMETypeCandidates {
 			logrus.Debugf("Trying to use manifest type %s…", manifestMIMEType)
-			manifestUpdates.ManifestMIMEType = manifestMIMEType
+			ic.manifestUpdates.ManifestMIMEType = manifestMIMEType
 			attemptedManifest, err := ic.copyUpdatedConfigAndManifest()
 			if err != nil {
 				logrus.Debugf("Upload of manifest type %s failed: %v", manifestMIMEType, err)
@@ -263,35 +301,44 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 	}
 
 	if options.SignBy != "" {
-		newSig, err := createSignature(dest, manifest, options.SignBy, reportWriter)
+		newSig, err := c.createSignature(manifest, options.SignBy)
 		if err != nil {
 			return err
 		}
 		sigs = append(sigs, newSig)
 	}
 
-	writeReport("Storing signatures\n")
-	if err := dest.PutSignatures(sigs); err != nil {
+	c.Printf("Storing signatures\n")
+	if err := c.dest.PutSignatures(sigs); err != nil {
 		return errors.Wrap(err, "Error writing signatures")
 	}
 
-	if err := dest.Commit(); err != nil {
-		return errors.Wrap(err, "Error committing the finished image")
-	}
-
 	return nil
 }
 
-func checkImageDestinationForCurrentRuntimeOS(src types.Image, dest types.ImageDestination) error {
+// Printf writes a formatted string to c.reportWriter.
+// Note that the method name Printf is not entirely arbitrary: (go tool vet)
+// has a built-in list of functions/methods (whatever object they are for)
+// which have their format strings checked; for other names we would have
+// to pass a parameter to every (go tool vet) invocation.
+func (c *copier) Printf(format string, a ...interface{}) {
+	fmt.Fprintf(c.reportWriter, format, a...)
+}
+
+func checkImageDestinationForCurrentRuntimeOS(ctx *types.SystemContext, src types.Image, dest types.ImageDestination) error {
 	if dest.MustMatchRuntimeOS() {
+		wantedOS := runtime.GOOS
+		if ctx != nil && ctx.OSChoice != "" {
+			wantedOS = ctx.OSChoice
+		}
 		c, err := src.OCIConfig()
 		if err != nil {
 			return errors.Wrapf(err, "Error parsing image configuration")
 		}
-		osErr := fmt.Errorf("image operating system %q cannot be used on %q", c.OS, runtime.GOOS)
-		if runtime.GOOS == "windows" && c.OS == "linux" {
+		osErr := fmt.Errorf("image operating system %q cannot be used on %q", c.OS, wantedOS)
+		if wantedOS == "windows" && c.OS == "linux" {
 			return osErr
-		} else if runtime.GOOS != "windows" && c.OS == "windows" {
+		} else if wantedOS != "windows" && c.OS == "windows" {
 			return osErr
 		}
 	}
@@ -299,35 +346,44 @@ func checkImageDestinationForCurrentRuntimeOS(src types.Image, dest types.ImageD
 }
 
 // updateEmbeddedDockerReference handles the Docker reference embedded in Docker schema1 manifests.
-func updateEmbeddedDockerReference(manifestUpdates *types.ManifestUpdateOptions, dest types.ImageDestination, src types.Image, canModifyManifest bool) error {
-	destRef := dest.Reference().DockerReference()
+func (ic *imageCopier) updateEmbeddedDockerReference() error {
+	destRef := ic.c.dest.Reference().DockerReference()
 	if destRef == nil {
 		return nil // Destination does not care about Docker references
 	}
-	if !src.EmbeddedDockerReferenceConflicts(destRef) {
+	if !ic.src.EmbeddedDockerReferenceConflicts(destRef) {
 		return nil // No reference embedded in the manifest, or it matches destRef already.
 	}
 
-	if !canModifyManifest {
+	if !ic.canModifyManifest {
 		return errors.Errorf("Copying a schema1 image with an embedded Docker reference to %s (Docker reference %s) would invalidate existing signatures. Explicitly enable signature removal to proceed anyway",
-			transports.ImageName(dest.Reference()), destRef.String())
+			transports.ImageName(ic.c.dest.Reference()), destRef.String())
 	}
-	manifestUpdates.EmbeddedDockerReference = destRef
+	ic.manifestUpdates.EmbeddedDockerReference = destRef
 	return nil
 }
 
-// copyLayers copies layers from src/rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.canModifyManifest.
+// copyLayers copies layers from ic.src/ic.c.rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.canModifyManifest.
 func (ic *imageCopier) copyLayers() error {
 	srcInfos := ic.src.LayerInfos()
 	destInfos := []types.BlobInfo{}
 	diffIDs := []digest.Digest{}
+	updatedSrcInfos := ic.src.LayerInfosForCopy()
+	srcInfosUpdated := false
+	if updatedSrcInfos != nil && !reflect.DeepEqual(srcInfos, updatedSrcInfos) {
+		if !ic.canModifyManifest {
+			return errors.Errorf("Internal error: copyLayers() needs to use an updated manifest but that was known to be forbidden")
+		}
+		srcInfos = updatedSrcInfos
+		srcInfosUpdated = true
+	}
 	for _, srcLayer := range srcInfos {
 		var (
 			destInfo types.BlobInfo
 			diffID   digest.Digest
 			err      error
 		)
-		if ic.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
+		if ic.c.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
 			// DiffIDs are, currently, needed only when converting from schema1.
 			// In which case src.LayerInfos will not have URLs because schema1
 			// does not support them.
@@ -335,7 +391,7 @@ func (ic *imageCopier) copyLayers() error {
 				return errors.New("getting DiffID for foreign layers is unimplemented")
 			}
 			destInfo = srcLayer
-			fmt.Fprintf(ic.reportWriter, "Skipping foreign layer %q copy to %s\n", destInfo.Digest, ic.dest.Reference().Transport().Name())
+			ic.c.Printf("Skipping foreign layer %q copy to %s\n", destInfo.Digest, ic.c.dest.Reference().Transport().Name())
 		} else {
 			destInfo, diffID, err = ic.copyLayer(srcLayer)
 			if err != nil {
@@ -349,7 +405,7 @@ func (ic *imageCopier) copyLayers() error {
 	if ic.diffIDsAreNeeded {
 		ic.manifestUpdates.InformationOnly.LayerDiffIDs = diffIDs
 	}
-	if layerDigestsDiffer(srcInfos, destInfos) {
+	if srcInfosUpdated || layerDigestsDiffer(srcInfos, destInfos) {
 		ic.manifestUpdates.LayerInfos = destInfos
 	}
 	return nil
@@ -380,7 +436,7 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
 			// We have set ic.diffIDsAreNeeded based on the preferred MIME type returned by determineManifestConversion.
 			// So, this can only happen if we are trying to upload using one of the other MIME type candidates.
 			// Because UpdatedImageNeedsLayerDiffIDs is true only when converting from s1 to s2, this case should only arise
-			// when ic.dest.SupportedManifestMIMETypes() includes both s1 and s2, the upload using s1 failed, and we are now trying s2.
+			// when ic.c.dest.SupportedManifestMIMETypes() includes both s1 and s2, the upload using s1 failed, and we are now trying s2.
 			// Supposedly s2-only registries do not exist or are extremely rare, so failing with this error message is good enough for now.
 			// If handling such registries turns out to be necessary, we could compute ic.diffIDsAreNeeded based on the full list of manifest MIME type candidates.
 			return nil, errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
@@ -396,27 +452,27 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
 		return nil, errors.Wrap(err, "Error reading manifest")
 	}
 
-	if err := ic.copyConfig(pendingImage); err != nil {
+	if err := ic.c.copyConfig(pendingImage); err != nil {
 		return nil, err
 	}
 
-	fmt.Fprintf(ic.reportWriter, "Writing manifest to image destination\n")
-	if err := ic.dest.PutManifest(manifest); err != nil {
+	ic.c.Printf("Writing manifest to image destination\n")
+	if err := ic.c.dest.PutManifest(manifest); err != nil {
 		return nil, errors.Wrap(err, "Error writing manifest")
 	}
 	return manifest, nil
 }
 
 // copyConfig copies config.json, if any, from src to dest.
-func (ic *imageCopier) copyConfig(src types.Image) error {
+func (c *copier) copyConfig(src types.Image) error {
 	srcInfo := src.ConfigInfo()
 	if srcInfo.Digest != "" {
-		fmt.Fprintf(ic.reportWriter, "Copying config %s\n", srcInfo.Digest)
+		c.Printf("Copying config %s\n", srcInfo.Digest)
 		configBlob, err := src.ConfigBlob()
 		if err != nil {
 			return errors.Wrapf(err, "Error reading config blob %s", srcInfo.Digest)
 		}
-		destInfo, err := ic.copyBlobFromStream(bytes.NewReader(configBlob), srcInfo, nil, false)
+		destInfo, err := c.copyBlobFromStream(bytes.NewReader(configBlob), srcInfo, nil, false)
 		if err != nil {
 			return err
 		}
@@ -438,12 +494,12 @@ type diffIDResult struct {
 // and returns a complete blobInfo of the copied layer, and a value for LayerDiffIDs if diffIDIsNeeded
 func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
 	// Check if we already have a blob with this digest
-	haveBlob, extantBlobSize, err := ic.dest.HasBlob(srcInfo)
+	haveBlob, extantBlobSize, err := ic.c.dest.HasBlob(srcInfo)
 	if err != nil {
 		return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest)
 	}
 	// If we already have a cached diffID for this blob, we don't need to compute it
-	diffIDIsNeeded := ic.diffIDsAreNeeded && (ic.cachedDiffIDs[srcInfo.Digest] == "")
+	diffIDIsNeeded := ic.diffIDsAreNeeded && (ic.c.cachedDiffIDs[srcInfo.Digest] == "")
 	// If we already have the blob, and we don't need to recompute the diffID, then we might be able to avoid reading it again
 	if haveBlob && !diffIDIsNeeded {
 		// Check the blob sizes match, if we were given a size this time
@@ -452,17 +508,17 @@ func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest
 		}
 		srcInfo.Size = extantBlobSize
 		// Tell the image destination that this blob's delta is being applied again.  For some image destinations, this can be faster than using GetBlob/PutBlob
-		blobinfo, err := ic.dest.ReapplyBlob(srcInfo)
+		blobinfo, err := ic.c.dest.ReapplyBlob(srcInfo)
 		if err != nil {
 			return types.BlobInfo{}, "", errors.Wrapf(err, "Error reapplying blob %s at destination", srcInfo.Digest)
 		}
-		fmt.Fprintf(ic.reportWriter, "Skipping fetch of repeat blob %s\n", srcInfo.Digest)
-		return blobinfo, ic.cachedDiffIDs[srcInfo.Digest], err
+		ic.c.Printf("Skipping fetch of repeat blob %s\n", srcInfo.Digest)
+		return blobinfo, ic.c.cachedDiffIDs[srcInfo.Digest], err
 	}
 
 	// Fallback: copy the layer, computing the diffID if we need to do so
-	fmt.Fprintf(ic.reportWriter, "Copying blob %s\n", srcInfo.Digest)
-	srcStream, srcBlobSize, err := ic.rawSource.GetBlob(srcInfo)
+	ic.c.Printf("Copying blob %s\n", srcInfo.Digest)
+	srcStream, srcBlobSize, err := ic.c.rawSource.GetBlob(srcInfo)
 	if err != nil {
 		return types.BlobInfo{}, "", errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
 	}
@@ -480,7 +536,7 @@ func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest
 			return types.BlobInfo{}, "", errors.Wrap(diffIDResult.err, "Error computing layer DiffID")
 		}
 		logrus.Debugf("Computed DiffID %s for layer %s", diffIDResult.digest, srcInfo.Digest)
-		ic.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
+		ic.c.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
 	}
 	return blobInfo, diffIDResult.digest, nil
 }
@@ -514,7 +570,7 @@ func (ic *imageCopier) copyLayerFromStream(srcStream io.Reader, srcInfo types.Bl
 			return pipeWriter
 		}
 	}
-	blobInfo, err := ic.copyBlobFromStream(srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest) // Sets err to nil on success
+	blobInfo, err := ic.c.copyBlobFromStream(srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest) // Sets err to nil on success
 	return blobInfo, diffIDChan, err
 	// We need the defer … pipeWriter.CloseWithError() to happen HERE so that the caller can block on reading from diffIDChan
 }
@@ -548,7 +604,7 @@ func computeDiffID(stream io.Reader, decompressor compression.DecompressorFunc)
 // perhaps sending a copy to an io.Writer if getOriginalLayerCopyWriter != nil,
 // perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied blob.
-func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+func (c *copier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
 	getOriginalLayerCopyWriter func(decompressor compression.DecompressorFunc) io.Writer,
 	canCompress bool) (types.BlobInfo, error) {
 	// The copying happens through a pipeline of connected io.Readers.
@@ -576,13 +632,13 @@ func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.Blo
 
 	// === Report progress using a pb.Reader.
 	bar := pb.New(int(srcInfo.Size)).SetUnits(pb.U_BYTES)
-	bar.Output = ic.reportWriter
+	bar.Output = c.reportWriter
 	bar.SetMaxWidth(80)
 	bar.ShowTimeLeft = false
 	bar.ShowPercent = false
 	bar.Start()
 	destStream = bar.NewProxyReader(destStream)
-	defer fmt.Fprint(ic.reportWriter, "\n")
+	defer bar.Finish()
 
 	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
 	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
@@ -593,7 +649,7 @@ func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.Blo
 
 	// === Compress the layer if it is uncompressed and compression is desired
 	var inputInfo types.BlobInfo
-	if !canCompress || isCompressed || !ic.dest.ShouldCompressLayers() {
+	if !canCompress || isCompressed || !c.dest.ShouldCompressLayers() {
 		logrus.Debugf("Using original blob without modification")
 		inputInfo = srcInfo
 	} else {
@@ -610,19 +666,19 @@ func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.Blo
 		inputInfo.Size = -1
 	}
 
-	// === Report progress using the ic.progress channel, if required.
-	if ic.progress != nil && ic.progressInterval > 0 {
+	// === Report progress using the c.progress channel, if required.
+	if c.progress != nil && c.progressInterval > 0 {
 		destStream = &progressReader{
 			source:   destStream,
-			channel:  ic.progress,
-			interval: ic.progressInterval,
+			channel:  c.progress,
+			interval: c.progressInterval,
 			artifact: srcInfo,
 			lastTime: time.Now(),
 		}
 	}
 
 	// === Finally, send the layer stream to dest.
-	uploadedInfo, err := ic.dest.PutBlob(destStream, inputInfo)
+	uploadedInfo, err := c.dest.PutBlob(destStream, inputInfo)
 	if err != nil {
 		return types.BlobInfo{}, errors.Wrap(err, "Error writing blob")
 	}

vendor/github.com/containers/image/copy/manifest.go

@@ -3,10 +3,10 @@ package copy
 import (
 	"strings"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // preferredManifestMIMETypes lists manifest MIME types in order of our preference, if we can't use the original manifest and need to convert.
@@ -37,16 +37,20 @@ func (os *orderedSet) append(s string) {
 	}
 }
 
-// determineManifestConversion updates manifestUpdates to convert manifest to a supported MIME type, if necessary and canModifyManifest.
-// Note that the conversion will only happen later, through src.UpdatedImage
+// determineManifestConversion updates ic.manifestUpdates to convert manifest to a supported MIME type, if necessary and ic.canModifyManifest.
+// Note that the conversion will only happen later, through ic.src.UpdatedImage
 // Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
 // and a list of other possible alternatives, in order.
-func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool) (string, []string, error) {
-	_, srcType, err := src.Manifest()
+func (ic *imageCopier) determineManifestConversion(destSupportedManifestMIMETypes []string, forceManifestMIMEType string) (string, []string, error) {
+	_, srcType, err := ic.src.Manifest()
 	if err != nil { // This should have been cached?!
 		return "", nil, errors.Wrap(err, "Error reading manifest")
 	}
 
+	if forceManifestMIMEType != "" {
+		destSupportedManifestMIMETypes = []string{forceManifestMIMEType}
+	}
+
 	if len(destSupportedManifestMIMETypes) == 0 {
 		return srcType, []string{}, nil // Anything goes; just use the original as is, do not try any conversions.
 	}
@@ -67,10 +71,10 @@ func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, s
 	if _, ok := supportedByDest[srcType]; ok {
 		prioritizedTypes.append(srcType)
 	}
-	if !canModifyManifest {
-		// We could also drop the !canModifyManifest parameter and have the caller
+	if !ic.canModifyManifest {
+		// We could also drop the !ic.canModifyManifest check and have the caller
 		// make the choice; it is already doing that to an extent, to improve error
-		// messages.  But it is nice to hide the “if !canModifyManifest, do no conversion”
+		// messages.  But it is nice to hide the “if !ic.canModifyManifest, do no conversion”
 		// special case in here; the caller can then worry (or not) only about a good UI.
 		logrus.Debugf("We can't modify the manifest, hoping for the best...")
 		return srcType, []string{}, nil // Take our chances - FIXME? Or should we fail without trying?
@@ -94,9 +98,18 @@ func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, s
 	}
 	preferredType := prioritizedTypes.list[0]
 	if preferredType != srcType {
-		manifestUpdates.ManifestMIMEType = preferredType
+		ic.manifestUpdates.ManifestMIMEType = preferredType
 	} else {
 		logrus.Debugf("... will first try using the original manifest unmodified")
 	}
 	return preferredType, prioritizedTypes.list[1:], nil
 }
+
+// isMultiImage returns true if img is a list of images
+func isMultiImage(img types.UnparsedImage) (bool, error) {
+	_, mt, err := img.Manifest()
+	if err != nil {
+		return false, err
+	}
+	return manifest.MIMETypeIsMultiImage(mt), nil
+}

vendor/github.com/containers/image/copy/sign.go

@@ -1,17 +1,13 @@
 package copy
 
 import (
-	"fmt"
-	"io"
-
 	"github.com/containers/image/signature"
 	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
 	"github.com/pkg/errors"
 )
 
-// createSignature creates a new signature of manifest at (identified by) dest using keyIdentity.
-func createSignature(dest types.ImageDestination, manifest []byte, keyIdentity string, reportWriter io.Writer) ([]byte, error) {
+// createSignature creates a new signature of manifest using keyIdentity.
+func (c *copier) createSignature(manifest []byte, keyIdentity string) ([]byte, error) {
 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
 		return nil, errors.Wrap(err, "Error initializing GPG")
@@ -21,12 +17,12 @@ func createSignature(dest types.ImageDestination, manifest []byte, keyIdentity s
 		return nil, errors.Wrap(err, "Signing not supported")
 	}
 
-	dockerReference := dest.Reference().DockerReference()
+	dockerReference := c.dest.Reference().DockerReference()
 	if dockerReference == nil {
-		return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
+		return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(c.dest.Reference()))
 	}
 
-	fmt.Fprintf(reportWriter, "Signing manifest\n")
+	c.Printf("Signing manifest\n")
 	newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, keyIdentity)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating signature")

vendor/github.com/containers/image/directory/directory_dest.go

@@ -4,19 +4,77 @@ import (
 	"io"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
+const version = "Directory Transport Version: 1.0\n"
+
+// ErrNotContainerImageDir indicates that the directory doesn't match the expected contents of a directory created
+// using the 'dir' transport
+var ErrNotContainerImageDir = errors.New("not a containers image directory, don't want to overwrite important data")
+
 type dirImageDestination struct {
-	ref dirReference
+	ref      dirReference
+	compress bool
 }
 
-// newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ref dirReference) types.ImageDestination {
-	return &dirImageDestination{ref}
+// newImageDestination returns an ImageDestination for writing to a directory.
+func newImageDestination(ref dirReference, compress bool) (types.ImageDestination, error) {
+	d := &dirImageDestination{ref: ref, compress: compress}
+
+	// If directory exists check if it is empty
+	// if not empty, check whether the contents match that of a container image directory and overwrite the contents
+	// if the contents don't match throw an error
+	dirExists, err := pathExists(d.ref.resolvedPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error checking for path %q", d.ref.resolvedPath)
+	}
+	if dirExists {
+		isEmpty, err := isDirEmpty(d.ref.resolvedPath)
+		if err != nil {
+			return nil, err
+		}
+
+		if !isEmpty {
+			versionExists, err := pathExists(d.ref.versionPath())
+			if err != nil {
+				return nil, errors.Wrapf(err, "error checking if path exists %q", d.ref.versionPath())
+			}
+			if versionExists {
+				contents, err := ioutil.ReadFile(d.ref.versionPath())
+				if err != nil {
+					return nil, err
+				}
+				// check if contents of version file is what we expect it to be
+				if string(contents) != version {
+					return nil, ErrNotContainerImageDir
+				}
+			} else {
+				return nil, ErrNotContainerImageDir
+			}
+			// delete directory contents so that only one image is in the directory at a time
+			if err = removeDirContents(d.ref.resolvedPath); err != nil {
+				return nil, errors.Wrapf(err, "error erasing contents in %q", d.ref.resolvedPath)
+			}
+			logrus.Debugf("overwriting existing container image directory %q", d.ref.resolvedPath)
+		}
+	} else {
+		// create directory if it doesn't exist
+		if err := os.MkdirAll(d.ref.resolvedPath, 0755); err != nil {
+			return nil, errors.Wrapf(err, "unable to create directory %q", d.ref.resolvedPath)
+		}
+	}
+	// create version file
+	err = ioutil.WriteFile(d.ref.versionPath(), []byte(version), 0644)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error creating version file %q", d.ref.versionPath())
+	}
+	return d, nil
 }
 
 // Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
@@ -42,7 +100,7 @@ func (d *dirImageDestination) SupportsSignatures() error {
 
 // ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
 func (d *dirImageDestination) ShouldCompressLayers() bool {
-	return false
+	return d.compress
 }
 
 // AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
@@ -147,3 +205,39 @@ func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
 func (d *dirImageDestination) Commit() error {
 	return nil
 }
+
+// returns true if path exists
+func pathExists(path string) (bool, error) {
+	_, err := os.Stat(path)
+	if err == nil {
+		return true, nil
+	}
+	if err != nil && os.IsNotExist(err) {
+		return false, nil
+	}
+	return false, err
+}
+
+// returns true if directory is empty
+func isDirEmpty(path string) (bool, error) {
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		return false, err
+	}
+	return len(files) == 0, nil
+}
+
+// deletes the contents of a directory
+func removeDirContents(path string) error {
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		return err
+	}
+
+	for _, file := range files {
+		if err := os.RemoveAll(filepath.Join(path, file.Name())); err != nil {
+			return err
+		}
+	}
+	return nil
+}

vendor/github.com/containers/image/directory/directory_src.go

@@ -1,6 +1,7 @@
 package directory
 
 import (
+	"context"
 	"io"
 	"io/ioutil"
 	"os"
@@ -34,7 +35,12 @@ func (s *dirImageSource) Close() error {
 
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *dirImageSource) GetManifest() ([]byte, string, error) {
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *dirImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if instanceDigest != nil {
+		return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
+	}
 	m, err := ioutil.ReadFile(s.ref.manifestPath())
 	if err != nil {
 		return nil, "", err
@@ -42,10 +48,6 @@ func (s *dirImageSource) GetManifest() ([]byte, string, error) {
 	return m, manifest.GuessMIMEType(m), err
 }
 
-func (s *dirImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
-}
-
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
 func (s *dirImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
 	r, err := os.Open(s.ref.layerPath(info.Digest))
@@ -59,7 +61,14 @@ func (s *dirImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, err
 	return r, fi.Size(), nil
 }
 
-func (s *dirImageSource) GetSignatures() ([][]byte, error) {
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	if instanceDigest != nil {
+		return nil, errors.Errorf(`Manifests lists are not supported by "dir:"`)
+	}
 	signatures := [][]byte{}
 	for i := 0; ; i++ {
 		signature, err := ioutil.ReadFile(s.ref.signaturePath(i))
@@ -73,3 +82,8 @@ func (s *dirImageSource) GetSignatures() ([][]byte, error) {
 	}
 	return signatures, nil
 }
+
+// LayerInfosForCopy() returns updated layer info that should be used when copying, in preference to values in the manifest, if specified.
+func (s *dirImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/directory/directory_transport.go

@@ -134,27 +134,30 @@ func (ref dirReference) PolicyConfigurationNamespaces() []string {
 	return res
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref dirReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref dirReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
 	src := newImageSource(ref)
-	return image.FromSource(src)
+	return image.FromSource(ctx, src)
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dirReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (ref dirReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ref), nil
 }
 
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
 func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ref), nil
+	compress := false
+	if ctx != nil {
+		compress = ctx.DirForceCompress
+	}
+	return newImageDestination(ref, compress)
 }
 
 // DeleteImage deletes the named image from the registry, if supported.
@@ -177,3 +180,8 @@ func (ref dirReference) layerPath(digest digest.Digest) string {
 func (ref dirReference) signaturePath(index int) string {
 	return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1))
 }
+
+// versionPath returns a path for the version file within a directory using our conventions.
+func (ref dirReference) versionPath() string {
+	return filepath.Join(ref.path, "version")
+}

vendor/github.com/containers/image/docker/archive/dest.go

@@ -19,15 +19,24 @@ func newImageDestination(ctx *types.SystemContext, ref archiveReference) (types.
 	if ref.destinationRef == nil {
 		return nil, errors.Errorf("docker-archive: destination reference not supplied (must be of form <path>:<reference:tag>)")
 	}
-	fh, err := os.OpenFile(ref.path, os.O_WRONLY|os.O_EXCL|os.O_CREATE, 0644)
+
+	// ref.path can be either a pipe or a regular file
+	// in the case of a pipe, we require that we can open it for write
+	// in the case of a regular file, we don't want to overwrite any pre-existing file
+	// so we check for Size() == 0 below (This is racy, but using O_EXCL would also be racy,
+	// only in a different way. Either way, it’s up to the user to not have two writers to the same path.)
+	fh, err := os.OpenFile(ref.path, os.O_WRONLY|os.O_CREATE, 0644)
 	if err != nil {
-		// FIXME: It should be possible to modify archives, but the only really
-		//        sane way of doing it is to create a copy of the image, modify
-		//        it and then do a rename(2).
-		if os.IsExist(err) {
-			err = errors.New("docker-archive doesn't support modifying existing images")
-		}
-		return nil, err
+		return nil, errors.Wrapf(err, "error opening file %q", ref.path)
+	}
+
+	fhStat, err := fh.Stat()
+	if err != nil {
+		return nil, errors.Wrapf(err, "error statting file %q", ref.path)
+	}
+
+	if fhStat.Mode().IsRegular() && fhStat.Size() != 0 {
+		return nil, errors.New("docker-archive doesn't support modifying existing images")
 	}
 
 	return &archiveImageDestination{

vendor/github.com/containers/image/docker/archive/src.go

@@ -1,9 +1,9 @@
 package archive
 
 import (
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
+	"github.com/sirupsen/logrus"
 )
 
 type archiveImageSource struct {
@@ -34,3 +34,8 @@ func (s *archiveImageSource) Reference() types.ImageReference {
 func (s *archiveImageSource) Close() error {
 	return nil
 }
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *archiveImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/docker/archive/transport.go

@@ -125,20 +125,19 @@ func (ref archiveReference) PolicyConfigurationNamespaces() []string {
 	return []string{}
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref archiveReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref archiveReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
 	src := newImageSource(ctx, ref)
-	return ctrImage.FromSource(src)
+	return ctrImage.FromSource(ctx, src)
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref archiveReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (ref archiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ctx, ref), nil
 }
 

vendor/github.com/containers/image/docker/daemon/client.go

@@ -0,0 +1,69 @@
+package daemon
+
+import (
+	"net/http"
+	"path/filepath"
+
+	"github.com/containers/image/types"
+	dockerclient "github.com/docker/docker/client"
+	"github.com/docker/go-connections/tlsconfig"
+)
+
+const (
+	// The default API version to be used in case none is explicitly specified
+	defaultAPIVersion = "1.22"
+)
+
+// NewDockerClient initializes a new API client based on the passed SystemContext.
+func newDockerClient(ctx *types.SystemContext) (*dockerclient.Client, error) {
+	host := dockerclient.DefaultDockerHost
+	if ctx != nil && ctx.DockerDaemonHost != "" {
+		host = ctx.DockerDaemonHost
+	}
+
+	// Sadly, unix:// sockets don't work transparently with dockerclient.NewClient.
+	// They work fine with a nil httpClient; with a non-nil httpClient, the transport’s
+	// TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket
+	// regardless of the values in the *tls.Config), and we would have to call sockets.ConfigureTransport.
+	//
+	// We don't really want to configure anything for unix:// sockets, so just pass a nil *http.Client.
+	proto, _, _, err := dockerclient.ParseHost(host)
+	if err != nil {
+		return nil, err
+	}
+	var httpClient *http.Client
+	if proto != "unix" {
+		hc, err := tlsConfig(ctx)
+		if err != nil {
+			return nil, err
+		}
+		httpClient = hc
+	}
+
+	return dockerclient.NewClient(host, defaultAPIVersion, httpClient, nil)
+}
+
+func tlsConfig(ctx *types.SystemContext) (*http.Client, error) {
+	options := tlsconfig.Options{}
+	if ctx != nil && ctx.DockerDaemonInsecureSkipTLSVerify {
+		options.InsecureSkipVerify = true
+	}
+
+	if ctx != nil && ctx.DockerDaemonCertPath != "" {
+		options.CAFile = filepath.Join(ctx.DockerDaemonCertPath, "ca.pem")
+		options.CertFile = filepath.Join(ctx.DockerDaemonCertPath, "cert.pem")
+		options.KeyFile = filepath.Join(ctx.DockerDaemonCertPath, "key.pem")
+	}
+
+	tlsc, err := tlsconfig.Client(options)
+	if err != nil {
+		return nil, err
+	}
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsc,
+		},
+		CheckRedirect: dockerclient.CheckRedirect,
+	}, nil
+}

vendor/github.com/containers/image/docker/daemon/daemon_dest.go

@@ -3,17 +3,18 @@ package daemon
 import (
 	"io"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 )
 
 type daemonImageDestination struct {
 	ref                  daemonReference
+	mustMatchRuntimeOS   bool
 	*tarfile.Destination // Implements most of types.ImageDestination
 	// For talking to imageLoadGoroutine
 	goroutineCancel context.CancelFunc
@@ -24,7 +25,7 @@ type daemonImageDestination struct {
 }
 
 // newImageDestination returns a types.ImageDestination for the specified image reference.
-func newImageDestination(systemCtx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
+func newImageDestination(ctx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
 	if ref.ref == nil {
 		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
 	}
@@ -33,7 +34,12 @@ func newImageDestination(systemCtx *types.SystemContext, ref daemonReference) (t
 		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
 	}
 
-	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	var mustMatchRuntimeOS = true
+	if ctx != nil && ctx.DockerDaemonHost != client.DefaultDockerHost {
+		mustMatchRuntimeOS = false
+	}
+
+	c, err := newDockerClient(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}
@@ -42,16 +48,17 @@ func newImageDestination(systemCtx *types.SystemContext, ref daemonReference) (t
 	// Commit() may never be called, so we may never read from this channel; so, make this buffered to allow imageLoadGoroutine to write status and terminate even if we never read it.
 	statusChannel := make(chan error, 1)
 
-	ctx, goroutineCancel := context.WithCancel(context.Background())
-	go imageLoadGoroutine(ctx, c, reader, statusChannel)
+	goroutineContext, goroutineCancel := context.WithCancel(context.Background())
+	go imageLoadGoroutine(goroutineContext, c, reader, statusChannel)
 
 	return &daemonImageDestination{
-		ref:             ref,
-		Destination:     tarfile.NewDestination(writer, namedTaggedRef),
-		goroutineCancel: goroutineCancel,
-		statusChannel:   statusChannel,
-		writer:          writer,
-		committed:       false,
+		ref:                ref,
+		mustMatchRuntimeOS: mustMatchRuntimeOS,
+		Destination:        tarfile.NewDestination(writer, namedTaggedRef),
+		goroutineCancel:    goroutineCancel,
+		statusChannel:      statusChannel,
+		writer:             writer,
+		committed:          false,
 	}, nil
 }
 
@@ -80,7 +87,7 @@ func imageLoadGoroutine(ctx context.Context, c *client.Client, reader *io.PipeRe
 
 // MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
 func (d *daemonImageDestination) MustMatchRuntimeOS() bool {
-	return true
+	return d.mustMatchRuntimeOS
 }
 
 // Close removes resources associated with an initialized ImageDestination, if any.

vendor/github.com/containers/image/docker/daemon/daemon_src.go

@@ -6,14 +6,12 @@ import (
 	"os"
 
 	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/internal/tmpdir"
 	"github.com/containers/image/types"
-	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )
 
-const temporaryDirectoryForBigFiles = "/var/tmp" // Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs.
-
 type daemonImageSource struct {
 	ref             daemonReference
 	*tarfile.Source // Implements most of types.ImageSource
@@ -35,7 +33,7 @@ type layerInfo struct {
 // is the config, and that the following len(RootFS) files are the layers, but that feels
 // way too brittle.)
 func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageSource, error) {
-	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	c, err := newDockerClient(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}
@@ -48,7 +46,7 @@ func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageS
 	defer inputStream.Close()
 
 	// FIXME: use SystemContext here.
-	tarCopyFile, err := ioutil.TempFile(temporaryDirectoryForBigFiles, "docker-daemon-tar")
+	tarCopyFile, err := ioutil.TempFile(tmpdir.TemporaryDirectoryForBigFiles(), "docker-daemon-tar")
 	if err != nil {
 		return nil, err
 	}
@@ -83,3 +81,8 @@ func (s *daemonImageSource) Reference() types.ImageReference {
 func (s *daemonImageSource) Close() error {
 	return os.Remove(s.tarCopyPath)
 }
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *daemonImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/docker/daemon/daemon_transport.go

@@ -151,21 +151,22 @@ func (ref daemonReference) PolicyConfigurationNamespaces() []string {
 	return []string{}
 }
 
-// NewImage returns a types.Image for this reference.
-// The caller must call .Close() on the returned Image.
-func (ref daemonReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref daemonReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
 	src, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(src)
+	return image.FromSource(ctx, src)
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref daemonReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (ref daemonReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ctx, ref)
 }
 

vendor/github.com/containers/image/docker/docker_client.go

@@ -1,38 +1,31 @@
 package docker
 
 import (
+	"context"
 	"crypto/tls"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
-	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/pkg/docker/config"
+	"github.com/containers/image/pkg/tlsclientconfig"
 	"github.com/containers/image/types"
-	"github.com/containers/storage/pkg/homedir"
 	"github.com/docker/distribution/registry/client"
-	"github.com/docker/go-connections/sockets"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 const (
-	dockerHostname     = "docker.io"
-	dockerRegistry     = "registry-1.docker.io"
-	dockerAuthRegistry = "https://index.docker.io/v1/"
-
-	dockerCfg         = ".docker"
-	dockerCfgFileName = "config.json"
-	dockerCfgObsolete = ".dockercfg"
+	dockerHostname = "docker.io"
+	dockerRegistry = "registry-1.docker.io"
 
 	systemPerHostCertDirPath = "/etc/docker/certs.d"
 
@@ -50,9 +43,13 @@ const (
 	extensionSignatureTypeAtomic    = "atomic" // extensionSignature.Type
 )
 
-// ErrV1NotSupported is returned when we're trying to talk to a
-// docker V1 registry.
-var ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
+var (
+	// ErrV1NotSupported is returned when we're trying to talk to a
+	// docker V1 registry.
+	ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
+	// ErrUnauthorizedForCredentials is returned when the status code returned is 401
+	ErrUnauthorizedForCredentials = errors.New("unable to retrieve auth token: invalid username/password")
+)
 
 // extensionSignature and extensionSignatureList come from github.com/openshift/origin/pkg/dockerregistry/server/signaturedispatcher.go:
 // signature represents a Docker image signature.
@@ -111,27 +108,7 @@ func serverDefault() *tls.Config {
 	}
 }
 
-func newTransport() *http.Transport {
-	direct := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
-		DualStack: true,
-	}
-	tr := &http.Transport{
-		Proxy:               http.ProxyFromEnvironment,
-		Dial:                direct.Dial,
-		TLSHandshakeTimeout: 10 * time.Second,
-		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
-		DisableKeepAlives: true,
-	}
-	proxyDialer, err := sockets.DialerFromEnvironment(direct)
-	if err == nil {
-		tr.Dial = proxyDialer.Dial
-	}
-	return tr
-}
-
-// dockerCertDir returns a path to a directory to be consumed by setupCertificates() depending on ctx and hostPort.
+// dockerCertDir returns a path to a directory to be consumed by tlsclientconfig.SetupCertificates() depending on ctx and hostPort.
 func dockerCertDir(ctx *types.SystemContext, hostPort string) string {
 	if ctx != nil && ctx.DockerCertPath != "" {
 		return ctx.DockerCertPath
@@ -147,131 +124,105 @@ func dockerCertDir(ctx *types.SystemContext, hostPort string) string {
 	return filepath.Join(hostCertDir, hostPort)
 }
 
-func setupCertificates(dir string, tlsc *tls.Config) error {
-	logrus.Debugf("Looking for TLS certificates and private keys in %s", dir)
-	fs, err := ioutil.ReadDir(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-
-	for _, f := range fs {
-		fullPath := filepath.Join(dir, f.Name())
-		if strings.HasSuffix(f.Name(), ".crt") {
-			systemPool, err := tlsconfig.SystemCertPool()
-			if err != nil {
-				return errors.Wrap(err, "unable to get system cert pool")
-			}
-			tlsc.RootCAs = systemPool
-			logrus.Debugf(" crt: %s", fullPath)
-			data, err := ioutil.ReadFile(fullPath)
-			if err != nil {
-				return err
-			}
-			tlsc.RootCAs.AppendCertsFromPEM(data)
-		}
-		if strings.HasSuffix(f.Name(), ".cert") {
-			certName := f.Name()
-			keyName := certName[:len(certName)-5] + ".key"
-			logrus.Debugf(" cert: %s", fullPath)
-			if !hasFile(fs, keyName) {
-				return errors.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
-			}
-			cert, err := tls.LoadX509KeyPair(filepath.Join(dir, certName), filepath.Join(dir, keyName))
-			if err != nil {
-				return err
-			}
-			tlsc.Certificates = append(tlsc.Certificates, cert)
-		}
-		if strings.HasSuffix(f.Name(), ".key") {
-			keyName := f.Name()
-			certName := keyName[:len(keyName)-4] + ".cert"
-			logrus.Debugf(" key: %s", fullPath)
-			if !hasFile(fs, certName) {
-				return errors.Errorf("missing client certificate %s for key %s", certName, keyName)
-			}
-		}
-	}
-	return nil
-}
-
-func hasFile(files []os.FileInfo, name string) bool {
-	for _, f := range files {
-		if f.Name() == name {
-			return true
-		}
-	}
-	return false
-}
-
-// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
+// newDockerClientFromRef returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
 // “write” specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection)
-func newDockerClient(ctx *types.SystemContext, ref dockerReference, write bool, actions string) (*dockerClient, error) {
+func newDockerClientFromRef(ctx *types.SystemContext, ref dockerReference, write bool, actions string) (*dockerClient, error) {
 	registry := reference.Domain(ref.ref)
-	if registry == dockerHostname {
-		registry = dockerRegistry
+	username, password, err := config.GetAuthentication(ctx, reference.Domain(ref.ref))
+	if err != nil {
+		return nil, errors.Wrapf(err, "error getting username and password")
 	}
-	username, password, err := getAuth(ctx, reference.Domain(ref.ref))
+	sigBase, err := configuredSignatureStorageBase(ctx, ref, write)
 	if err != nil {
 		return nil, err
 	}
-	tr := newTransport()
+	remoteName := reference.Path(ref.ref)
+
+	return newDockerClientWithDetails(ctx, registry, username, password, actions, sigBase, remoteName)
+}
+
+// newDockerClientWithDetails returns a new dockerClient instance for the given parameters
+func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, password, actions string, sigBase signatureStorageBase, remoteName string) (*dockerClient, error) {
+	hostName := registry
+	if registry == dockerHostname {
+		registry = dockerRegistry
+	}
+	tr := tlsclientconfig.NewTransport()
 	tr.TLSClientConfig = serverDefault()
+
 	// It is undefined whether the host[:port] string for dockerHostname should be dockerHostname or dockerRegistry,
 	// because docker/docker does not read the certs.d subdirectory at all in that case.  We use the user-visible
 	// dockerHostname here, because it is more symmetrical to read the configuration in that case as well, and because
 	// generally the UI hides the existence of the different dockerRegistry.  But note that this behavior is
 	// undocumented and may change if docker/docker changes.
-	certDir := dockerCertDir(ctx, reference.Domain(ref.ref))
-	if err := setupCertificates(certDir, tr.TLSClientConfig); err != nil {
+	certDir := dockerCertDir(ctx, hostName)
+	if err := tlsclientconfig.SetupCertificates(certDir, tr.TLSClientConfig); err != nil {
 		return nil, err
 	}
+
 	if ctx != nil && ctx.DockerInsecureSkipTLSVerify {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 	}
-	client := &http.Client{Transport: tr}
-
-	sigBase, err := configuredSignatureStorageBase(ctx, ref, write)
-	if err != nil {
-		return nil, err
-	}
 
 	return &dockerClient{
 		ctx:           ctx,
 		registry:      registry,
 		username:      username,
 		password:      password,
-		client:        client,
+		client:        &http.Client{Transport: tr},
 		signatureBase: sigBase,
 		scope: authScope{
 			actions:    actions,
-			remoteName: reference.Path(ref.ref),
+			remoteName: remoteName,
 		},
 	}, nil
 }
 
+// CheckAuth validates the credentials by attempting to log into the registry
+// returns an error if an error occcured while making the http request or the status code received was 401
+func CheckAuth(ctx context.Context, sCtx *types.SystemContext, username, password, registry string) error {
+	newLoginClient, err := newDockerClientWithDetails(sCtx, registry, username, password, "", nil, "")
+	if err != nil {
+		return errors.Wrapf(err, "error creating new docker client")
+	}
+
+	resp, err := newLoginClient.makeRequest(ctx, "GET", "/v2/", nil, nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return nil
+	case http.StatusUnauthorized:
+		return ErrUnauthorizedForCredentials
+	default:
+		return errors.Errorf("error occured with status code %q", resp.StatusCode)
+	}
+}
+
 // makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // The host name and schema is taken from the client or autodetected, and the path is relative to it, i.e. the path usually starts with /v2/.
-func (c *dockerClient) makeRequest(method, path string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
-	if err := c.detectProperties(); err != nil {
+func (c *dockerClient) makeRequest(ctx context.Context, method, path string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
+	if err := c.detectProperties(ctx); err != nil {
 		return nil, err
 	}
 
 	url := fmt.Sprintf("%s://%s%s", c.scheme, c.registry, path)
-	return c.makeRequestToResolvedURL(method, url, headers, stream, -1, true)
+	return c.makeRequestToResolvedURL(ctx, method, url, headers, stream, -1, true)
 }
 
 // makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // streamLen, if not -1, specifies the length of the data expected on stream.
 // makeRequest should generally be preferred.
 // TODO(runcom): too many arguments here, use a struct
-func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[string][]string, stream io.Reader, streamLen int64, sendAuth bool) (*http.Response, error) {
+func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, sendAuth bool) (*http.Response, error) {
 	req, err := http.NewRequest(method, url, stream)
 	if err != nil {
 		return nil, err
 	}
+	req = req.WithContext(ctx)
 	if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequest above can figure out the length of bytes.Reader and similar objects without us having to compute it.
 		req.ContentLength = streamLen
 	}
@@ -308,38 +259,47 @@ func (c *dockerClient) setupRequestAuth(req *http.Request) error {
 	if len(c.challenges) == 0 {
 		return nil
 	}
-	// assume just one...
-	challenge := c.challenges[0]
-	switch challenge.Scheme {
-	case "basic":
-		req.SetBasicAuth(c.username, c.password)
-		return nil
-	case "bearer":
-		if c.token == nil || time.Now().After(c.tokenExpiration) {
-			realm, ok := challenge.Parameters["realm"]
-			if !ok {
-				return errors.Errorf("missing realm in bearer auth challenge")
+	schemeNames := make([]string, 0, len(c.challenges))
+	for _, challenge := range c.challenges {
+		schemeNames = append(schemeNames, challenge.Scheme)
+		switch challenge.Scheme {
+		case "basic":
+			req.SetBasicAuth(c.username, c.password)
+			return nil
+		case "bearer":
+			if c.token == nil || time.Now().After(c.tokenExpiration) {
+				realm, ok := challenge.Parameters["realm"]
+				if !ok {
+					return errors.Errorf("missing realm in bearer auth challenge")
+				}
+				service, _ := challenge.Parameters["service"] // Will be "" if not present
+				var scope string
+				if c.scope.remoteName != "" && c.scope.actions != "" {
+					scope = fmt.Sprintf("repository:%s:%s", c.scope.remoteName, c.scope.actions)
+				}
+				token, err := c.getBearerToken(req.Context(), realm, service, scope)
+				if err != nil {
+					return err
+				}
+				c.token = token
+				c.tokenExpiration = token.IssuedAt.Add(time.Duration(token.ExpiresIn) * time.Second)
 			}
-			service, _ := challenge.Parameters["service"] // Will be "" if not present
-			scope := fmt.Sprintf("repository:%s:%s", c.scope.remoteName, c.scope.actions)
-			token, err := c.getBearerToken(realm, service, scope)
-			if err != nil {
-				return err
-			}
-			c.token = token
-			c.tokenExpiration = token.IssuedAt.Add(time.Duration(token.ExpiresIn) * time.Second)
+			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.token.Token))
+			return nil
+		default:
+			logrus.Debugf("no handler for %s authentication", challenge.Scheme)
 		}
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.token.Token))
-		return nil
 	}
-	return errors.Errorf("no handler for %s authentication", challenge.Scheme)
+	logrus.Infof("None of the challenges sent by server (%s) are supported, trying an unauthenticated request anyway", strings.Join(schemeNames, ", "))
+	return nil
 }
 
-func (c *dockerClient) getBearerToken(realm, service, scope string) (*bearerToken, error) {
+func (c *dockerClient) getBearerToken(ctx context.Context, realm, service, scope string) (*bearerToken, error) {
 	authReq, err := http.NewRequest("GET", realm, nil)
 	if err != nil {
 		return nil, err
 	}
+	authReq = authReq.WithContext(ctx)
 	getParams := authReq.URL.Query()
 	if service != "" {
 		getParams.Add("service", service)
@@ -351,7 +311,7 @@ func (c *dockerClient) getBearerToken(realm, service, scope string) (*bearerToke
 	if c.username != "" && c.password != "" {
 		authReq.SetBasicAuth(c.username, c.password)
 	}
-	tr := newTransport()
+	tr := tlsclientconfig.NewTransport()
 	// TODO(runcom): insecure for now to contact the external token service
 	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	client := &http.Client{Transport: tr}
@@ -362,7 +322,7 @@ func (c *dockerClient) getBearerToken(realm, service, scope string) (*bearerToke
 	defer res.Body.Close()
 	switch res.StatusCode {
 	case http.StatusUnauthorized:
-		return nil, errors.Errorf("unable to retrieve auth token: 401 unauthorized")
+		return nil, ErrUnauthorizedForCredentials
 	case http.StatusOK:
 		break
 	default:
@@ -386,70 +346,16 @@ func (c *dockerClient) getBearerToken(realm, service, scope string) (*bearerToke
 	return &token, nil
 }
 
-func getAuth(ctx *types.SystemContext, registry string) (string, string, error) {
-	if ctx != nil && ctx.DockerAuthConfig != nil {
-		return ctx.DockerAuthConfig.Username, ctx.DockerAuthConfig.Password, nil
-	}
-	var dockerAuth dockerConfigFile
-	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
-	if _, err := os.Stat(dockerCfgPath); err == nil {
-		j, err := ioutil.ReadFile(dockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		if err := json.Unmarshal(j, &dockerAuth); err != nil {
-			return "", "", err
-		}
-
-	} else if os.IsNotExist(err) {
-		// try old config path
-		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
-		if _, err := os.Stat(oldDockerCfgPath); err != nil {
-			if os.IsNotExist(err) {
-				return "", "", nil
-			}
-			return "", "", errors.Wrap(err, oldDockerCfgPath)
-		}
-
-		j, err := ioutil.ReadFile(oldDockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		if err := json.Unmarshal(j, &dockerAuth.AuthConfigs); err != nil {
-			return "", "", err
-		}
-
-	} else if err != nil {
-		return "", "", errors.Wrap(err, dockerCfgPath)
-	}
-
-	// I'm feeling lucky
-	if c, exists := dockerAuth.AuthConfigs[registry]; exists {
-		return decodeDockerAuth(c.Auth)
-	}
-
-	// bad luck; let's normalize the entries first
-	registry = normalizeRegistry(registry)
-	normalizedAuths := map[string]dockerAuthConfig{}
-	for k, v := range dockerAuth.AuthConfigs {
-		normalizedAuths[normalizeRegistry(k)] = v
-	}
-	if c, exists := normalizedAuths[registry]; exists {
-		return decodeDockerAuth(c.Auth)
-	}
-	return "", "", nil
-}
-
 // detectProperties detects various properties of the registry.
 // See the dockerClient documentation for members which are affected by this.
-func (c *dockerClient) detectProperties() error {
+func (c *dockerClient) detectProperties(ctx context.Context) error {
 	if c.scheme != "" {
 		return nil
 	}
 
 	ping := func(scheme string) error {
 		url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
-		resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+		resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, true)
 		logrus.Debugf("Ping %s err %#v", url, err)
 		if err != nil {
 			return err
@@ -476,7 +382,7 @@ func (c *dockerClient) detectProperties() error {
 		// best effort to understand if we're talking to a V1 registry
 		pingV1 := func(scheme string) bool {
 			url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
-			resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+			resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, true)
 			logrus.Debugf("Ping %s err %#v", url, err)
 			if err != nil {
 				return false
@@ -501,9 +407,9 @@ func (c *dockerClient) detectProperties() error {
 
 // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
 // using the original data structures.
-func (c *dockerClient) getExtensionsSignatures(ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
+func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
 	path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
-	res, err := c.makeRequest("GET", path, nil, nil)
+	res, err := c.makeRequest(ctx, "GET", path, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -522,55 +428,3 @@ func (c *dockerClient) getExtensionsSignatures(ref dockerReference, manifestDige
 	}
 	return &parsedBody, nil
 }
-
-func getDefaultConfigDir(confPath string) string {
-	return filepath.Join(homedir.Get(), confPath)
-}
-
-type dockerAuthConfig struct {
-	Auth string `json:"auth,omitempty"`
-}
-
-type dockerConfigFile struct {
-	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
-}
-
-func decodeDockerAuth(s string) (string, string, error) {
-	decoded, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return "", "", err
-	}
-	parts := strings.SplitN(string(decoded), ":", 2)
-	if len(parts) != 2 {
-		// if it's invalid just skip, as docker does
-		return "", "", nil
-	}
-	user := parts[0]
-	password := strings.Trim(parts[1], "\x00")
-	return user, password, nil
-}
-
-// convertToHostname converts a registry url which has http|https prepended
-// to just an hostname.
-// Copied from github.com/docker/docker/registry/auth.go
-func convertToHostname(url string) string {
-	stripped := url
-	if strings.HasPrefix(url, "http://") {
-		stripped = strings.TrimPrefix(url, "http://")
-	} else if strings.HasPrefix(url, "https://") {
-		stripped = strings.TrimPrefix(url, "https://")
-	}
-
-	nameParts := strings.SplitN(stripped, "/", 2)
-
-	return nameParts[0]
-}
-
-func normalizeRegistry(registry string) string {
-	normalized := convertToHostname(registry)
-	switch normalized {
-	case "registry-1.docker.io", "docker.io":
-		return "index.docker.io"
-	}
-	return normalized
-}

vendor/github.com/containers/image/docker/docker_image.go

@@ -1,6 +1,7 @@
 package docker
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -11,26 +12,26 @@ import (
 	"github.com/pkg/errors"
 )
 
-// Image is a Docker-specific implementation of types.Image with a few extra methods
+// Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
 // which are specific to Docker.
 type Image struct {
-	types.Image
+	types.ImageCloser
 	src *dockerImageSource
 }
 
 // newImage returns a new Image interface type after setting up
 // a client to the registry hosting the given image.
 // The caller must call .Close() on the returned Image.
-func newImage(ctx *types.SystemContext, ref dockerReference) (types.Image, error) {
-	s, err := newImageSource(ctx, ref, nil)
+func newImage(ctx *types.SystemContext, ref dockerReference) (types.ImageCloser, error) {
+	s, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
-	img, err := image.FromSource(s)
+	img, err := image.FromSource(ctx, s)
 	if err != nil {
 		return nil, err
 	}
-	return &Image{Image: img, src: s}, nil
+	return &Image{ImageCloser: img, src: s}, nil
 }
 
 // SourceRefFullName returns a fully expanded name for the repository this image is in.
@@ -41,7 +42,8 @@ func (i *Image) SourceRefFullName() string {
 // GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
 func (i *Image) GetRepositoryTags() ([]string, error) {
 	path := fmt.Sprintf(tagsPath, reference.Path(i.src.ref.ref))
-	res, err := i.src.c.makeRequest("GET", path, nil, nil)
+	// FIXME: Pass the context.Context
+	res, err := i.src.c.makeRequest(context.TODO(), "GET", path, nil, nil)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/image/docker/docker_image_dest.go

@@ -2,6 +2,7 @@ package docker
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
@@ -12,7 +13,6 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
@@ -20,24 +20,11 @@ import (
 	"github.com/docker/distribution/registry/api/v2"
 	"github.com/docker/distribution/registry/client"
 	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
-var manifestMIMETypes = []string{
-	// TODO(runcom): we'll add OCI as part of another PR here
-	manifest.DockerV2Schema2MediaType,
-	manifest.DockerV2Schema1SignedMediaType,
-	manifest.DockerV2Schema1MediaType,
-}
-
-func supportedManifestMIMETypesMap() map[string]bool {
-	m := make(map[string]bool, len(manifestMIMETypes))
-	for _, mt := range manifestMIMETypes {
-		m[mt] = true
-	}
-	return m
-}
-
 type dockerImageDestination struct {
 	ref dockerReference
 	c   *dockerClient
@@ -47,7 +34,7 @@ type dockerImageDestination struct {
 
 // newImageDestination creates a new ImageDestination for the specified image reference.
 func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
-	c, err := newDockerClient(ctx, ref, true, "pull,push")
+	c, err := newDockerClientFromRef(ctx, ref, true, "pull,push")
 	if err != nil {
 		return nil, err
 	}
@@ -69,13 +56,18 @@ func (d *dockerImageDestination) Close() error {
 }
 
 func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
-	return manifestMIMETypes
+	return []string{
+		imgspecv1.MediaTypeImageManifest,
+		manifest.DockerV2Schema2MediaType,
+		manifest.DockerV2Schema1SignedMediaType,
+		manifest.DockerV2Schema1MediaType,
+	}
 }
 
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
 func (d *dockerImageDestination) SupportsSignatures() error {
-	if err := d.c.detectProperties(); err != nil {
+	if err := d.c.detectProperties(context.TODO()); err != nil {
 		return err
 	}
 	switch {
@@ -132,14 +124,14 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// FIXME? Chunked upload, progress reporting, etc.
 	uploadPath := fmt.Sprintf(blobUploadPath, reference.Path(d.ref.ref))
 	logrus.Debugf("Uploading %s", uploadPath)
-	res, err := d.c.makeRequest("POST", uploadPath, nil, nil)
+	res, err := d.c.makeRequest(context.TODO(), "POST", uploadPath, nil, nil)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusAccepted {
 		logrus.Debugf("Error initiating layer upload, response %#v", *res)
-		return types.BlobInfo{}, errors.Errorf("Error initiating layer upload to %s, status %d", uploadPath, res.StatusCode)
+		return types.BlobInfo{}, errors.Wrapf(client.HandleErrorResponse(res), "Error initiating layer upload to %s", uploadPath)
 	}
 	uploadLocation, err := res.Location()
 	if err != nil {
@@ -149,7 +141,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	digester := digest.Canonical.Digester()
 	sizeCounter := &sizeCounter{}
 	tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter))
-	res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
+	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
 	if err != nil {
 		logrus.Debugf("Error uploading layer chunked, response %#v", res)
 		return types.BlobInfo{}, err
@@ -168,14 +160,14 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// TODO: check inputInfo.Digest == computedDigest https://github.com/containers/image/pull/70#discussion_r77646717
 	locationQuery.Set("digest", computedDigest.String())
 	uploadLocation.RawQuery = locationQuery.Encode()
-	res, err = d.c.makeRequestToResolvedURL("PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
+	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusCreated {
 		logrus.Debugf("Error uploading layer, response %#v", *res)
-		return types.BlobInfo{}, errors.Errorf("Error uploading layer to %s, status %d", uploadLocation, res.StatusCode)
+		return types.BlobInfo{}, errors.Wrapf(client.HandleErrorResponse(res), "Error uploading layer to %s", uploadLocation)
 	}
 
 	logrus.Debugf("Upload of layer %s complete", computedDigest)
@@ -193,7 +185,7 @@ func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
 	checkPath := fmt.Sprintf(blobsPath, reference.Path(d.ref.ref), info.Digest.String())
 
 	logrus.Debugf("Checking %s", checkPath)
-	res, err := d.c.makeRequest("HEAD", checkPath, nil, nil)
+	res, err := d.c.makeRequest(context.TODO(), "HEAD", checkPath, nil, nil)
 	if err != nil {
 		return false, -1, err
 	}
@@ -239,12 +231,12 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
 	if mimeType != "" {
 		headers["Content-Type"] = []string{mimeType}
 	}
-	res, err := d.c.makeRequest("PUT", path, headers, bytes.NewReader(m))
+	res, err := d.c.makeRequest(context.TODO(), "PUT", path, headers, bytes.NewReader(m))
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
+	if !successStatus(res.StatusCode) {
 		err = errors.Wrapf(client.HandleErrorResponse(res), "Error uploading manifest to %s", path)
 		if isManifestInvalidError(errors.Cause(err)) {
 			err = types.ManifestTypeRejectedError{Err: err}
@@ -254,6 +246,12 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
 	return nil
 }
 
+// successStatus returns true if the argument is a successful HTTP response
+// code (in the range 200 - 399 inclusive).
+func successStatus(status int) bool {
+	return status >= 200 && status <= 399
+}
+
 // isManifestInvalidError returns true iff err from client.HandleErrorReponse is a “manifest invalid” error.
 func isManifestInvalidError(err error) bool {
 	errors, ok := err.(errcode.Errors)
@@ -275,7 +273,7 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
 	if len(signatures) == 0 {
 		return nil
 	}
-	if err := d.c.detectProperties(); err != nil {
+	if err := d.c.detectProperties(context.TODO()); err != nil {
 		return err
 	}
 	switch {
@@ -396,7 +394,7 @@ func (d *dockerImageDestination) putSignaturesToAPIExtension(signatures [][]byte
 	// always adds signatures.  Eventually we should also allow removing signatures,
 	// but the X-Registry-Supports-Signatures API extension does not support that yet.
 
-	existingSignatures, err := d.c.getExtensionsSignatures(d.ref, d.manifestDigest)
+	existingSignatures, err := d.c.getExtensionsSignatures(context.TODO(), d.ref, d.manifestDigest)
 	if err != nil {
 		return err
 	}
@@ -438,7 +436,7 @@ sigExists:
 		}
 
 		path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), d.manifestDigest.String())
-		res, err := d.c.makeRequest("PUT", path, nil, bytes.NewReader(body))
+		res, err := d.c.makeRequest(context.TODO(), "PUT", path, nil, bytes.NewReader(body))
 		if err != nil {
 			return err
 		}
@@ -449,7 +447,7 @@ sigExists:
 				logrus.Debugf("Error body %s", string(body))
 			}
 			logrus.Debugf("Error uploading signature, status %d, %#v", res.StatusCode, res)
-			return errors.Errorf("Error uploading signature to %s, status %d", path, res.StatusCode)
+			return errors.Wrapf(client.HandleErrorResponse(res), "Error uploading signature to %s", path)
 		}
 	}
 

vendor/github.com/containers/image/docker/docker_image_src.go

@@ -1,6 +1,7 @@
 package docker
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -10,51 +11,33 @@ import (
 	"os"
 	"strconv"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/docker/distribution/registry/client"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 type dockerImageSource struct {
-	ref                        dockerReference
-	requestedManifestMIMETypes []string
-	c                          *dockerClient
+	ref dockerReference
+	c   *dockerClient
 	// State
 	cachedManifest         []byte // nil if not loaded yet
 	cachedManifestMIMEType string // Only valid if cachedManifest != nil
 }
 
-// newImageSource creates a new ImageSource for the specified image reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// newImageSource creates a new ImageSource for the specified image reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref dockerReference, requestedManifestMIMETypes []string) (*dockerImageSource, error) {
-	c, err := newDockerClient(ctx, ref, false, "pull")
+func newImageSource(ctx *types.SystemContext, ref dockerReference) (*dockerImageSource, error) {
+	c, err := newDockerClientFromRef(ctx, ref, false, "pull")
 	if err != nil {
 		return nil, err
 	}
-	if requestedManifestMIMETypes == nil {
-		requestedManifestMIMETypes = manifest.DefaultRequestedManifestMIMETypes
-	}
-	supportedMIMEs := supportedManifestMIMETypesMap()
-	acceptableRequestedMIMEs := false
-	for _, mtrequested := range requestedManifestMIMETypes {
-		if supportedMIMEs[mtrequested] {
-			acceptableRequestedMIMEs = true
-			break
-		}
-	}
-	if !acceptableRequestedMIMEs {
-		requestedManifestMIMETypes = manifest.DefaultRequestedManifestMIMETypes
-	}
 	return &dockerImageSource{
 		ref: ref,
-		requestedManifestMIMETypes: requestedManifestMIMETypes,
-		c: c,
+		c:   c,
 	}, nil
 }
 
@@ -69,6 +52,11 @@ func (s *dockerImageSource) Close() error {
 	return nil
 }
 
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *dockerImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}
+
 // simplifyContentType drops parameters from a HTTP media type (see https://tools.ietf.org/html/rfc7231#section-3.1.1.1)
 // Alternatively, an empty string is returned unchanged, and invalid values are "simplified" to an empty string.
 func simplifyContentType(contentType string) string {
@@ -84,19 +72,24 @@ func simplifyContentType(contentType string) string {
 
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *dockerImageSource) GetManifest() ([]byte, string, error) {
-	err := s.ensureManifestIsLoaded()
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *dockerImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if instanceDigest != nil {
+		return s.fetchManifest(context.TODO(), instanceDigest.String())
+	}
+	err := s.ensureManifestIsLoaded(context.TODO())
 	if err != nil {
 		return nil, "", err
 	}
 	return s.cachedManifest, s.cachedManifestMIMEType, nil
 }
 
-func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, error) {
+func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest string) ([]byte, string, error) {
 	path := fmt.Sprintf(manifestPath, reference.Path(s.ref.ref), tagOrDigest)
 	headers := make(map[string][]string)
-	headers["Accept"] = s.requestedManifestMIMETypes
-	res, err := s.c.makeRequest("GET", path, headers, nil)
+	headers["Accept"] = manifest.DefaultRequestedManifestMIMETypes
+	res, err := s.c.makeRequest(ctx, "GET", path, headers, nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -111,20 +104,14 @@ func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, e
 	return manblob, simplifyContentType(res.Header.Get("Content-Type")), nil
 }
 
-// GetTargetManifest returns an image's manifest given a digest.
-// This is mainly used to retrieve a single image's manifest out of a manifest list.
-func (s *dockerImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	return s.fetchManifest(digest.String())
-}
-
 // ensureManifestIsLoaded sets s.cachedManifest and s.cachedManifestMIMEType
 //
 // ImageSource implementations are not required or expected to do any caching,
 // but because our signatures are “attached” to the manifest digest,
-// we need to ensure that the digest of the manifest returned by GetManifest
-// and used by GetSignatures are consistent, otherwise we would get spurious
+// we need to ensure that the digest of the manifest returned by GetManifest(nil)
+// and used by GetSignatures(ctx, nil) are consistent, otherwise we would get spurious
 // signature verification failures when pulling while a tag is being updated.
-func (s *dockerImageSource) ensureManifestIsLoaded() error {
+func (s *dockerImageSource) ensureManifestIsLoaded(ctx context.Context) error {
 	if s.cachedManifest != nil {
 		return nil
 	}
@@ -134,7 +121,7 @@ func (s *dockerImageSource) ensureManifestIsLoaded() error {
 		return err
 	}
 
-	manblob, mt, err := s.fetchManifest(reference)
+	manblob, mt, err := s.fetchManifest(ctx, reference)
 	if err != nil {
 		return err
 	}
@@ -150,13 +137,14 @@ func (s *dockerImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64
 		err  error
 	)
 	for _, url := range urls {
-		resp, err = s.c.makeRequestToResolvedURL("GET", url, nil, nil, -1, false)
+		resp, err = s.c.makeRequestToResolvedURL(context.TODO(), "GET", url, nil, nil, -1, false)
 		if err == nil {
 			if resp.StatusCode != http.StatusOK {
 				err = errors.Errorf("error fetching external blob from %q: %d", url, resp.StatusCode)
 				logrus.Debug(err)
 				continue
 			}
+			break
 		}
 	}
 	if resp.Body != nil && err == nil {
@@ -181,7 +169,7 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
 
 	path := fmt.Sprintf(blobsPath, reference.Path(s.ref.ref), info.Digest.String())
 	logrus.Debugf("Downloading %s", path)
-	res, err := s.c.makeRequest("GET", path, nil, nil)
+	res, err := s.c.makeRequest(context.TODO(), "GET", path, nil, nil)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -192,27 +180,46 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
 	return res.Body, getBlobSize(res), nil
 }
 
-func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
-	if err := s.c.detectProperties(); err != nil {
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *dockerImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	if err := s.c.detectProperties(ctx); err != nil {
 		return nil, err
 	}
 	switch {
 	case s.c.signatureBase != nil:
-		return s.getSignaturesFromLookaside()
+		return s.getSignaturesFromLookaside(ctx, instanceDigest)
 	case s.c.supportsSignatures:
-		return s.getSignaturesFromAPIExtension()
+		return s.getSignaturesFromAPIExtension(ctx, instanceDigest)
 	default:
 		return [][]byte{}, nil
 	}
 }
 
+// manifestDigest returns a digest of the manifest, from instanceDigest if non-nil; or from the supplied reference,
+// or finally, from a fetched manifest.
+func (s *dockerImageSource) manifestDigest(ctx context.Context, instanceDigest *digest.Digest) (digest.Digest, error) {
+	if instanceDigest != nil {
+		return *instanceDigest, nil
+	}
+	if digested, ok := s.ref.ref.(reference.Digested); ok {
+		d := digested.Digest()
+		if d.Algorithm() == digest.Canonical {
+			return d, nil
+		}
+	}
+	if err := s.ensureManifestIsLoaded(ctx); err != nil {
+		return "", err
+	}
+	return manifest.Digest(s.cachedManifest)
+}
+
 // getSignaturesFromLookaside implements GetSignatures() from the lookaside location configured in s.c.signatureBase,
 // which is not nil.
-func (s *dockerImageSource) getSignaturesFromLookaside() ([][]byte, error) {
-	if err := s.ensureManifestIsLoaded(); err != nil {
-		return nil, err
-	}
-	manifestDigest, err := manifest.Digest(s.cachedManifest)
+func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	manifestDigest, err := s.manifestDigest(ctx, instanceDigest)
 	if err != nil {
 		return nil, err
 	}
@@ -224,7 +231,7 @@ func (s *dockerImageSource) getSignaturesFromLookaside() ([][]byte, error) {
 		if url == nil {
 			return nil, errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
-		signature, missing, err := s.getOneSignature(url)
+		signature, missing, err := s.getOneSignature(ctx, url)
 		if err != nil {
 			return nil, err
 		}
@@ -239,7 +246,7 @@ func (s *dockerImageSource) getSignaturesFromLookaside() ([][]byte, error) {
 // getOneSignature downloads one signature from url.
 // If it successfully determines that the signature does not exist, returns with missing set to true and error set to nil.
 // NOTE: Keep this in sync with docs/signature-protocols.md!
-func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, missing bool, err error) {
+func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (signature []byte, missing bool, err error) {
 	switch url.Scheme {
 	case "file":
 		logrus.Debugf("Reading %s", url.Path)
@@ -254,7 +261,12 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis
 
 	case "http", "https":
 		logrus.Debugf("GET %s", url)
-		res, err := s.c.client.Get(url.String())
+		req, err := http.NewRequest("GET", url.String(), nil)
+		if err != nil {
+			return nil, false, err
+		}
+		req = req.WithContext(ctx)
+		res, err := s.c.client.Do(req)
 		if err != nil {
 			return nil, false, err
 		}
@@ -276,16 +288,13 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis
 }
 
 // getSignaturesFromAPIExtension implements GetSignatures() using the X-Registry-Supports-Signatures API extension.
-func (s *dockerImageSource) getSignaturesFromAPIExtension() ([][]byte, error) {
-	if err := s.ensureManifestIsLoaded(); err != nil {
-		return nil, err
-	}
-	manifestDigest, err := manifest.Digest(s.cachedManifest)
+func (s *dockerImageSource) getSignaturesFromAPIExtension(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	manifestDigest, err := s.manifestDigest(ctx, instanceDigest)
 	if err != nil {
 		return nil, err
 	}
 
-	parsedBody, err := s.c.getExtensionsSignatures(s.ref, manifestDigest)
+	parsedBody, err := s.c.getExtensionsSignatures(ctx, s.ref, manifestDigest)
 	if err != nil {
 		return nil, err
 	}
@@ -301,7 +310,7 @@ func (s *dockerImageSource) getSignaturesFromAPIExtension() ([][]byte, error) {
 
 // deleteImage deletes the named image from the registry, if supported.
 func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
-	c, err := newDockerClient(ctx, ref, true, "push")
+	c, err := newDockerClientFromRef(ctx, ref, true, "push")
 	if err != nil {
 		return err
 	}
@@ -316,7 +325,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 		return err
 	}
 	getPath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), refTail)
-	get, err := c.makeRequest("GET", getPath, headers, nil)
+	get, err := c.makeRequest(context.TODO(), "GET", getPath, headers, nil)
 	if err != nil {
 		return err
 	}
@@ -338,7 +347,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 
 	// When retrieving the digest from a registry >= 2.3 use the following header:
 	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
-	delete, err := c.makeRequest("DELETE", deletePath, headers, nil)
+	delete, err := c.makeRequest(context.TODO(), "DELETE", deletePath, headers, nil)
 	if err != nil {
 		return err
 	}

vendor/github.com/containers/image/docker/docker_transport.go

@@ -122,20 +122,19 @@ func (ref dockerReference) PolicyConfigurationNamespaces() []string {
 	return policyconfiguration.DockerReferenceNamespaces(ref.ref)
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
 	return newImage(ctx, ref)
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dockerReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	return newImageSource(ctx, ref, requestedManifestMIMETypes)
+func (ref dockerReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
 }
 
 // NewImageDestination returns a types.ImageDestination for this reference.

vendor/github.com/containers/image/docker/lookaside.go

@@ -9,12 +9,12 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/types"
 	"github.com/ghodss/yaml"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.

vendor/github.com/containers/image/docker/tarfile/dest.go

@@ -10,16 +10,15 @@ import (
 	"os"
 	"time"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/internal/tmpdir"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
-const temporaryDirectoryForBigFiles = "/var/tmp" // Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs.
-
 // Destination is a partial implementation of types.ImageDestination for writing to an io.Writer.
 type Destination struct {
 	writer  io.Writer
@@ -107,7 +106,7 @@ func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types
 
 	if inputInfo.Size == -1 { // Ouch, we need to stream the blob into a temporary file just to determine the size.
 		logrus.Debugf("docker tarfile: input with unknown size, streaming to disk first ...")
-		streamCopy, err := ioutil.TempFile(temporaryDirectoryForBigFiles, "docker-tarfile-blob")
+		streamCopy, err := ioutil.TempFile(tmpdir.TemporaryDirectoryForBigFiles(), "docker-tarfile-blob")
 		if err != nil {
 			return types.BlobInfo{}, err
 		}
@@ -168,7 +167,7 @@ func (d *Destination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
 func (d *Destination) PutManifest(m []byte) error {
 	// We do not bother with types.ManifestTypeRejectedError; our .SupportedManifestMIMETypes() above is already providing only one alternative,
 	// so the caller trying a different manifest kind would be pointless.
-	var man schema2Manifest
+	var man manifest.Schema2
 	if err := json.Unmarshal(m, &man); err != nil {
 		return errors.Wrap(err, "Error parsing manifest")
 	}
@@ -177,12 +176,12 @@ func (d *Destination) PutManifest(m []byte) error {
 	}
 
 	layerPaths := []string{}
-	for _, l := range man.Layers {
+	for _, l := range man.LayersDescriptors {
 		layerPaths = append(layerPaths, l.Digest.String())
 	}
 
-	items := []manifestItem{{
-		Config:       man.Config.Digest.String(),
+	items := []ManifestItem{{
+		Config:       man.ConfigDescriptor.Digest.String(),
 		RepoTags:     []string{d.repoTag},
 		Layers:       layerPaths,
 		Parent:       "",

vendor/github.com/containers/image/docker/tarfile/src.go

@@ -3,6 +3,7 @@ package tarfile
 import (
 	"archive/tar"
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"io/ioutil"
@@ -20,11 +21,11 @@ import (
 type Source struct {
 	tarPath string
 	// The following data is only available after ensureCachedDataIsPresent() succeeds
-	tarManifest       *manifestItem // nil if not available yet.
+	tarManifest       *ManifestItem // nil if not available yet.
 	configBytes       []byte
 	configDigest      digest.Digest
-	orderedDiffIDList []diffID
-	knownLayers       map[diffID]*layerInfo
+	orderedDiffIDList []digest.Digest
+	knownLayers       map[digest.Digest]*layerInfo
 	// Other state
 	generatedManifest []byte // Private cache for GetManifest(), nil if not set yet.
 }
@@ -145,23 +146,28 @@ func (s *Source) ensureCachedDataIsPresent() error {
 		return err
 	}
 
+	// Check to make sure length is 1
+	if len(tarManifest) != 1 {
+		return errors.Errorf("Unexpected tar manifest.json: expected 1 item, got %d", len(tarManifest))
+	}
+
 	// Read and parse config.
-	configBytes, err := s.readTarComponent(tarManifest.Config)
+	configBytes, err := s.readTarComponent(tarManifest[0].Config)
 	if err != nil {
 		return err
 	}
-	var parsedConfig image // Most fields ommitted, we only care about layer DiffIDs.
+	var parsedConfig manifest.Schema2Image // There's a lot of info there, but we only really care about layer DiffIDs.
 	if err := json.Unmarshal(configBytes, &parsedConfig); err != nil {
-		return errors.Wrapf(err, "Error decoding tar config %s", tarManifest.Config)
+		return errors.Wrapf(err, "Error decoding tar config %s", tarManifest[0].Config)
 	}
 
-	knownLayers, err := s.prepareLayerData(tarManifest, &parsedConfig)
+	knownLayers, err := s.prepareLayerData(&tarManifest[0], &parsedConfig)
 	if err != nil {
 		return err
 	}
 
 	// Success; commit.
-	s.tarManifest = tarManifest
+	s.tarManifest = &tarManifest[0]
 	s.configBytes = configBytes
 	s.configDigest = digest.FromBytes(configBytes)
 	s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
@@ -170,28 +176,30 @@ func (s *Source) ensureCachedDataIsPresent() error {
 }
 
 // loadTarManifest loads and decodes the manifest.json.
-func (s *Source) loadTarManifest() (*manifestItem, error) {
+func (s *Source) loadTarManifest() ([]ManifestItem, error) {
 	// FIXME? Do we need to deal with the legacy format?
 	bytes, err := s.readTarComponent(manifestFileName)
 	if err != nil {
 		return nil, err
 	}
-	var items []manifestItem
+	var items []ManifestItem
 	if err := json.Unmarshal(bytes, &items); err != nil {
 		return nil, errors.Wrap(err, "Error decoding tar manifest.json")
 	}
-	if len(items) != 1 {
-		return nil, errors.Errorf("Unexpected tar manifest.json: expected 1 item, got %d", len(items))
-	}
-	return &items[0], nil
+	return items, nil
 }
 
-func (s *Source) prepareLayerData(tarManifest *manifestItem, parsedConfig *image) (map[diffID]*layerInfo, error) {
+// LoadTarManifest loads and decodes the manifest.json
+func (s *Source) LoadTarManifest() ([]ManifestItem, error) {
+	return s.loadTarManifest()
+}
+
+func (s *Source) prepareLayerData(tarManifest *ManifestItem, parsedConfig *manifest.Schema2Image) (map[digest.Digest]*layerInfo, error) {
 	// Collect layer data available in manifest and config.
 	if len(tarManifest.Layers) != len(parsedConfig.RootFS.DiffIDs) {
 		return nil, errors.Errorf("Inconsistent layer count: %d in manifest, %d in config", len(tarManifest.Layers), len(parsedConfig.RootFS.DiffIDs))
 	}
-	knownLayers := map[diffID]*layerInfo{}
+	knownLayers := map[digest.Digest]*layerInfo{}
 	unknownLayerSizes := map[string]*layerInfo{} // Points into knownLayers, a "to do list" of items with unknown sizes.
 	for i, diffID := range parsedConfig.RootFS.DiffIDs {
 		if _, ok := knownLayers[diffID]; ok {
@@ -241,28 +249,34 @@ func (s *Source) prepareLayerData(tarManifest *manifestItem, parsedConfig *image
 
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *Source) GetManifest() ([]byte, string, error) {
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *Source) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if instanceDigest != nil {
+		// How did we even get here? GetManifest(nil) has returned a manifest.DockerV2Schema2MediaType.
+		return nil, "", errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
+	}
 	if s.generatedManifest == nil {
 		if err := s.ensureCachedDataIsPresent(); err != nil {
 			return nil, "", err
 		}
-		m := schema2Manifest{
+		m := manifest.Schema2{
 			SchemaVersion: 2,
 			MediaType:     manifest.DockerV2Schema2MediaType,
-			Config: distributionDescriptor{
+			ConfigDescriptor: manifest.Schema2Descriptor{
 				MediaType: manifest.DockerV2Schema2ConfigMediaType,
 				Size:      int64(len(s.configBytes)),
 				Digest:    s.configDigest,
 			},
-			Layers: []distributionDescriptor{},
+			LayersDescriptors: []manifest.Schema2Descriptor{},
 		}
 		for _, diffID := range s.orderedDiffIDList {
 			li, ok := s.knownLayers[diffID]
 			if !ok {
 				return nil, "", errors.Errorf("Internal inconsistency: Information about layer %s missing", diffID)
 			}
-			m.Layers = append(m.Layers, distributionDescriptor{
-				Digest:    digest.Digest(diffID), // diffID is a digest of the uncompressed tarball
+			m.LayersDescriptors = append(m.LayersDescriptors, manifest.Schema2Descriptor{
+				Digest:    diffID, // diffID is a digest of the uncompressed tarball
 				MediaType: manifest.DockerV2Schema2LayerMediaType,
 				Size:      li.size,
 			})
@@ -276,13 +290,6 @@ func (s *Source) GetManifest() ([]byte, string, error) {
 	return s.generatedManifest, manifest.DockerV2Schema2MediaType, nil
 }
 
-// GetTargetManifest returns an image's manifest given a digest. This is mainly used to retrieve a single image's manifest
-// out of a manifest list.
-func (s *Source) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	// How did we even get here? GetManifest() above has returned a manifest.DockerV2Schema2MediaType.
-	return nil, "", errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
-}
-
 type readCloseWrapper struct {
 	io.Reader
 	closeFunc func() error
@@ -305,7 +312,7 @@ func (s *Source) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
 		return ioutil.NopCloser(bytes.NewReader(s.configBytes)), int64(len(s.configBytes)), nil
 	}
 
-	if li, ok := s.knownLayers[diffID(info.Digest)]; ok { // diffID is a digest of the uncompressed tarball,
+	if li, ok := s.knownLayers[info.Digest]; ok { // diffID is a digest of the uncompressed tarball,
 		stream, err := s.openTarComponent(li.path)
 		if err != nil {
 			return nil, 0, err
@@ -347,6 +354,13 @@ func (s *Source) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
 }
 
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
-func (s *Source) GetSignatures() ([][]byte, error) {
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *Source) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	if instanceDigest != nil {
+		// How did we even get here? GetManifest(nil) has returned a manifest.DockerV2Schema2MediaType.
+		return nil, errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
+	}
 	return [][]byte{}, nil
 }

vendor/github.com/containers/image/docker/tarfile/types.go

@@ -1,6 +1,9 @@
 package tarfile
 
-import "github.com/opencontainers/go-digest"
+import (
+	"github.com/containers/image/manifest"
+	"github.com/opencontainers/go-digest"
+)
 
 // Various data structures.
 
@@ -13,41 +16,13 @@ const (
 	// legacyRepositoriesFileName = "repositories"
 )
 
-type manifestItem struct {
+// ManifestItem is an element of the array stored in the top-level manifest.json file.
+type ManifestItem struct {
 	Config       string
 	RepoTags     []string
 	Layers       []string
-	Parent       imageID                           `json:",omitempty"`
-	LayerSources map[diffID]distributionDescriptor `json:",omitempty"`
+	Parent       imageID                                      `json:",omitempty"`
+	LayerSources map[digest.Digest]manifest.Schema2Descriptor `json:",omitempty"`
 }
 
 type imageID string
-type diffID digest.Digest
-
-// Based on github.com/docker/distribution/blobs.go
-type distributionDescriptor struct {
-	MediaType string        `json:"mediaType,omitempty"`
-	Size      int64         `json:"size,omitempty"`
-	Digest    digest.Digest `json:"digest,omitempty"`
-	URLs      []string      `json:"urls,omitempty"`
-}
-
-// Based on github.com/docker/distribution/manifest/schema2/manifest.go
-// FIXME: We are repeating this all over the place; make a public copy?
-type schema2Manifest struct {
-	SchemaVersion int                      `json:"schemaVersion"`
-	MediaType     string                   `json:"mediaType,omitempty"`
-	Config        distributionDescriptor   `json:"config"`
-	Layers        []distributionDescriptor `json:"layers"`
-}
-
-// Based on github.com/docker/docker/image/image.go
-// MOST CONTENT OMITTED AS UNNECESSARY
-type image struct {
-	RootFS *rootFS `json:"rootfs,omitempty"`
-}
-
-type rootFS struct {
-	Type    string   `json:"type"`
-	DiffIDs []diffID `json:"diff_ids,omitempty"`
-}

vendor/github.com/containers/image/image/docker_list.go

@@ -2,6 +2,7 @@ package image
 
 import (
 	"encoding/json"
+	"fmt"
 	"runtime"
 
 	"github.com/containers/image/manifest"
@@ -16,12 +17,12 @@ type platformSpec struct {
 	OSVersion    string   `json:"os.version,omitempty"`
 	OSFeatures   []string `json:"os.features,omitempty"`
 	Variant      string   `json:"variant,omitempty"`
-	Features     []string `json:"features,omitempty"`
+	Features     []string `json:"features,omitempty"` // removed in OCI
 }
 
 // A manifestDescriptor references a platform-specific manifest.
 type manifestDescriptor struct {
-	descriptor
+	manifest.Schema2Descriptor
 	Platform platformSpec `json:"platform"`
 }
 
@@ -31,22 +32,36 @@ type manifestList struct {
 	Manifests     []manifestDescriptor `json:"manifests"`
 }
 
-func manifestSchema2FromManifestList(src types.ImageSource, manblob []byte) (genericManifest, error) {
-	list := manifestList{}
-	if err := json.Unmarshal(manblob, &list); err != nil {
-		return nil, err
+// chooseDigestFromManifestList parses blob as a schema2 manifest list,
+// and returns the digest of the image appropriate for the current environment.
+func chooseDigestFromManifestList(ctx *types.SystemContext, blob []byte) (digest.Digest, error) {
+	wantedArch := runtime.GOARCH
+	if ctx != nil && ctx.ArchitectureChoice != "" {
+		wantedArch = ctx.ArchitectureChoice
+	}
+	wantedOS := runtime.GOOS
+	if ctx != nil && ctx.OSChoice != "" {
+		wantedOS = ctx.OSChoice
+	}
+
+	list := manifestList{}
+	if err := json.Unmarshal(blob, &list); err != nil {
+		return "", err
 	}
-	var targetManifestDigest digest.Digest
 	for _, d := range list.Manifests {
-		if d.Platform.Architecture == runtime.GOARCH && d.Platform.OS == runtime.GOOS {
-			targetManifestDigest = d.Digest
-			break
+		if d.Platform.Architecture == wantedArch && d.Platform.OS == wantedOS {
+			return d.Digest, nil
 		}
 	}
-	if targetManifestDigest == "" {
-		return nil, errors.New("no supported platform found in manifest list")
+	return "", fmt.Errorf("no image found in manifest list for architecture %s, OS %s", wantedArch, wantedOS)
+}
+
+func manifestSchema2FromManifestList(ctx *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
+	targetManifestDigest, err := chooseDigestFromManifestList(ctx, manblob)
+	if err != nil {
+		return nil, err
 	}
-	manblob, mt, err := src.GetTargetManifest(targetManifestDigest)
+	manblob, mt, err := src.GetManifest(&targetManifestDigest)
 	if err != nil {
 		return nil, err
 	}
@@ -59,5 +74,20 @@ func manifestSchema2FromManifestList(src types.ImageSource, manblob []byte) (gen
 		return nil, errors.Errorf("Manifest image does not match selected manifest digest %s", targetManifestDigest)
 	}
 
-	return manifestInstanceFromBlob(src, manblob, mt)
+	return manifestInstanceFromBlob(ctx, src, manblob, mt)
+}
+
+// ChooseManifestInstanceFromManifestList returns a digest of a manifest appropriate
+// for the current system from the manifest available from src.
+func ChooseManifestInstanceFromManifestList(ctx *types.SystemContext, src types.UnparsedImage) (digest.Digest, error) {
+	// For now this only handles manifest.DockerV2ListMediaType; we can generalize it later,
+	// probably along with manifest list editing.
+	blob, mt, err := src.Manifest()
+	if err != nil {
+		return "", err
+	}
+	if mt != manifest.DockerV2ListMediaType {
+		return "", fmt.Errorf("Internal error: Trying to select an image from a non-manifest-list manifest type %s", mt)
+	}
+	return chooseDigestFromManifestList(ctx, blob)
 }

vendor/github.com/containers/image/image/docker_schema1.go

@@ -2,9 +2,6 @@ package image
 
 import (
 	"encoding/json"
-	"regexp"
-	"strings"
-	"time"
 
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
@@ -14,87 +11,25 @@ import (
 	"github.com/pkg/errors"
 )
 
-var (
-	validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
-)
-
-type fsLayersSchema1 struct {
-	BlobSum digest.Digest `json:"blobSum"`
-}
-
-type historySchema1 struct {
-	V1Compatibility string `json:"v1Compatibility"`
-}
-
-// historySchema1 is a string containing this.  It is similar to v1Image but not the same, in particular note the ThrowAway field.
-type v1Compatibility struct {
-	ID              string    `json:"id"`
-	Parent          string    `json:"parent,omitempty"`
-	Comment         string    `json:"comment,omitempty"`
-	Created         time.Time `json:"created"`
-	ContainerConfig struct {
-		Cmd []string
-	} `json:"container_config,omitempty"`
-	Author    string `json:"author,omitempty"`
-	ThrowAway bool   `json:"throwaway,omitempty"`
-}
-
 type manifestSchema1 struct {
-	Name          string            `json:"name"`
-	Tag           string            `json:"tag"`
-	Architecture  string            `json:"architecture"`
-	FSLayers      []fsLayersSchema1 `json:"fsLayers"`
-	History       []historySchema1  `json:"history"`
-	SchemaVersion int               `json:"schemaVersion"`
+	m *manifest.Schema1
 }
 
-func manifestSchema1FromManifest(manifest []byte) (genericManifest, error) {
-	mschema1 := &manifestSchema1{}
-	if err := json.Unmarshal(manifest, mschema1); err != nil {
-		return nil, err
-	}
-	if mschema1.SchemaVersion != 1 {
-		return nil, errors.Errorf("unsupported schema version %d", mschema1.SchemaVersion)
-	}
-	if len(mschema1.FSLayers) != len(mschema1.History) {
-		return nil, errors.New("length of history not equal to number of layers")
-	}
-	if len(mschema1.FSLayers) == 0 {
-		return nil, errors.New("no FSLayers in manifest")
-	}
-
-	if err := fixManifestLayers(mschema1); err != nil {
-		return nil, err
-	}
-	return mschema1, nil
-}
-
-// manifestSchema1FromComponents builds a new manifestSchema1 from the supplied data.
-func manifestSchema1FromComponents(ref reference.Named, fsLayers []fsLayersSchema1, history []historySchema1, architecture string) genericManifest {
-	var name, tag string
-	if ref != nil { // Well, what to do if it _is_ nil? Most consumers actually don't use these fields nowadays, so we might as well try not supplying them.
-		name = reference.Path(ref)
-		if tagged, ok := ref.(reference.NamedTagged); ok {
-			tag = tagged.Tag()
-		}
-	}
-	return &manifestSchema1{
-		Name:          name,
-		Tag:           tag,
-		Architecture:  architecture,
-		FSLayers:      fsLayers,
-		History:       history,
-		SchemaVersion: 1,
-	}
-}
-
-func (m *manifestSchema1) serialize() ([]byte, error) {
-	// docker/distribution requires a signature even if the incoming data uses the nominally unsigned DockerV2Schema1MediaType.
-	unsigned, err := json.Marshal(*m)
+func manifestSchema1FromManifest(manifestBlob []byte) (genericManifest, error) {
+	m, err := manifest.Schema1FromManifest(manifestBlob)
 	if err != nil {
 		return nil, err
 	}
-	return manifest.AddDummyV2S1Signature(unsigned)
+	return &manifestSchema1{m: m}, nil
+}
+
+// manifestSchema1FromComponents builds a new manifestSchema1 from the supplied data.
+func manifestSchema1FromComponents(ref reference.Named, fsLayers []manifest.Schema1FSLayers, history []manifest.Schema1History, architecture string) genericManifest {
+	return &manifestSchema1{m: manifest.Schema1FromComponents(ref, fsLayers, history, architecture)}
+}
+
+func (m *manifestSchema1) serialize() ([]byte, error) {
+	return m.m.Serialize()
 }
 
 func (m *manifestSchema1) manifestMIMEType() string {
@@ -104,7 +39,7 @@ func (m *manifestSchema1) manifestMIMEType() string {
 // ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
 // Note that the config object may not exist in the underlying storage in the return value of UpdatedImage! Use ConfigBlob() below.
 func (m *manifestSchema1) ConfigInfo() types.BlobInfo {
-	return types.BlobInfo{}
+	return m.m.ConfigInfo()
 }
 
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
@@ -128,11 +63,7 @@ func (m *manifestSchema1) OCIConfig() (*imgspecv1.Image, error) {
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
 func (m *manifestSchema1) LayerInfos() []types.BlobInfo {
-	layers := make([]types.BlobInfo, len(m.FSLayers))
-	for i, layer := range m.FSLayers { // NOTE: This includes empty layers (where m.History.V1Compatibility->ThrowAway)
-		layers[(len(m.FSLayers)-1)-i] = types.BlobInfo{Digest: layer.BlobSum, Size: -1}
-	}
-	return layers
+	return m.m.LayerInfos()
 }
 
 // EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
@@ -153,22 +84,11 @@ func (m *manifestSchema1) EmbeddedDockerReferenceConflicts(ref reference.Named)
 	} else {
 		tag = ""
 	}
-	return m.Name != name || m.Tag != tag
+	return m.m.Name != name || m.m.Tag != tag
 }
 
 func (m *manifestSchema1) imageInspectInfo() (*types.ImageInspectInfo, error) {
-	v1 := &v1Image{}
-	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), v1); err != nil {
-		return nil, err
-	}
-	return &types.ImageInspectInfo{
-		Tag:           m.Tag,
-		DockerVersion: v1.DockerVersion,
-		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-	}, nil
+	return m.m.Inspect(nil)
 }
 
 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -181,25 +101,18 @@ func (m *manifestSchema1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
 func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
-	copy := *m
+	copy := manifestSchema1{m: manifest.Schema1Clone(m.m)}
 	if options.LayerInfos != nil {
-		// Our LayerInfos includes empty layers (where m.History.V1Compatibility->ThrowAway), so expect them to be included here as well.
-		if len(copy.FSLayers) != len(options.LayerInfos) {
-			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.FSLayers), len(options.LayerInfos))
-		}
-		for i, info := range options.LayerInfos {
-			// (docker push) sets up m.History.V1Compatibility->{Id,Parent} based on values of info.Digest,
-			// but (docker pull) ignores them in favor of computing DiffIDs from uncompressed data, except verifying the child->parent links and uniqueness.
-			// So, we don't bother recomputing the IDs in m.History.V1Compatibility.
-			copy.FSLayers[(len(options.LayerInfos)-1)-i].BlobSum = info.Digest
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
 		}
 	}
 	if options.EmbeddedDockerReference != nil {
-		copy.Name = reference.Path(options.EmbeddedDockerReference)
+		copy.m.Name = reference.Path(options.EmbeddedDockerReference)
 		if tagged, isTagged := options.EmbeddedDockerReference.(reference.NamedTagged); isTagged {
-			copy.Tag = tagged.Tag()
+			copy.m.Tag = tagged.Tag()
 		} else {
-			copy.Tag = ""
+			copy.m.Tag = ""
 		}
 	}
 
@@ -209,7 +122,21 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	// We have 2 MIME types for schema 1, which are basically equivalent (even the un-"Signed" MIME type will be rejected if there isn’t a signature; so,
 	// handle conversions between them by doing nothing.
 	case manifest.DockerV2Schema2MediaType:
-		return copy.convertToManifestSchema2(options.InformationOnly.LayerInfos, options.InformationOnly.LayerDiffIDs)
+		m2, err := copy.convertToManifestSchema2(options.InformationOnly.LayerInfos, options.InformationOnly.LayerDiffIDs)
+		if err != nil {
+			return nil, err
+		}
+		return memoryImageFromManifest(m2), nil
+	case imgspecv1.MediaTypeImageManifest:
+		// We can't directly convert to OCI, but we can transitively convert via a Docker V2.2 Distribution manifest
+		m2, err := copy.convertToManifestSchema2(options.InformationOnly.LayerInfos, options.InformationOnly.LayerDiffIDs)
+		if err != nil {
+			return nil, err
+		}
+		return m2.UpdatedImage(types.ManifestUpdateOptions{
+			ManifestMIMEType: imgspecv1.MediaTypeImageManifest,
+			InformationOnly:  options.InformationOnly,
+		})
 	default:
 		return nil, errors.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema1SignedMediaType, options.ManifestMIMEType)
 	}
@@ -217,102 +144,32 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	return memoryImageFromManifest(&copy), nil
 }
 
-// fixManifestLayers, after validating the supplied manifest
-// (to use correctly-formatted IDs, and to not have non-consecutive ID collisions in manifest.History),
-// modifies manifest to only have one entry for each layer ID in manifest.History (deleting the older duplicates,
-// both from manifest.History and manifest.FSLayers).
-// Note that even after this succeeds, manifest.FSLayers may contain duplicate entries
-// (for Dockerfile operations which change the configuration but not the filesystem).
-func fixManifestLayers(manifest *manifestSchema1) error {
-	type imageV1 struct {
-		ID     string
-		Parent string
-	}
-	// Per the specification, we can assume that len(manifest.FSLayers) == len(manifest.History)
-	imgs := make([]*imageV1, len(manifest.FSLayers))
-	for i := range manifest.FSLayers {
-		img := &imageV1{}
-
-		if err := json.Unmarshal([]byte(manifest.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := validateV1ID(img.ID); err != nil {
-			return err
-		}
-	}
-	if imgs[len(imgs)-1].Parent != "" {
-		return errors.New("Invalid parent ID in the base layer of the image")
-	}
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return errors.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
-			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return errors.Errorf("Invalid parent ID. Expected %v, got %v", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-	return nil
-}
-
-func validateV1ID(id string) error {
-	if ok := validHex.MatchString(id); !ok {
-		return errors.Errorf("image ID %q is invalid", id)
-	}
-	return nil
-}
-
 // Based on github.com/docker/docker/distribution/pull_v2.go
-func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.BlobInfo, layerDiffIDs []digest.Digest) (types.Image, error) {
-	if len(m.History) == 0 {
+func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.BlobInfo, layerDiffIDs []digest.Digest) (genericManifest, error) {
+	if len(m.m.History) == 0 {
 		// What would this even mean?! Anyhow, the rest of the code depends on fsLayers[0] and history[0] existing.
 		return nil, errors.Errorf("Cannot convert an image with 0 history entries to %s", manifest.DockerV2Schema2MediaType)
 	}
-	if len(m.History) != len(m.FSLayers) {
-		return nil, errors.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.History), len(m.FSLayers))
+	if len(m.m.History) != len(m.m.FSLayers) {
+		return nil, errors.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.m.History), len(m.m.FSLayers))
 	}
-	if uploadedLayerInfos != nil && len(uploadedLayerInfos) != len(m.FSLayers) {
-		return nil, errors.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.FSLayers))
+	if uploadedLayerInfos != nil && len(uploadedLayerInfos) != len(m.m.FSLayers) {
+		return nil, errors.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.m.FSLayers))
 	}
-	if layerDiffIDs != nil && len(layerDiffIDs) != len(m.FSLayers) {
-		return nil, errors.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.FSLayers))
+	if layerDiffIDs != nil && len(layerDiffIDs) != len(m.m.FSLayers) {
+		return nil, errors.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.m.FSLayers))
 	}
 
-	rootFS := rootFS{
-		Type:      "layers",
-		DiffIDs:   []digest.Digest{},
-		BaseLayer: "",
-	}
-	var layers []descriptor
-	history := make([]imageHistory, len(m.History))
-	for v1Index := len(m.History) - 1; v1Index >= 0; v1Index-- {
-		v2Index := (len(m.History) - 1) - v1Index
+	// Build a list of the diffIDs for the non-empty layers.
+	diffIDs := []digest.Digest{}
+	var layers []manifest.Schema2Descriptor
+	for v1Index := len(m.m.History) - 1; v1Index >= 0; v1Index-- {
+		v2Index := (len(m.m.History) - 1) - v1Index
 
-		var v1compat v1Compatibility
-		if err := json.Unmarshal([]byte(m.History[v1Index].V1Compatibility), &v1compat); err != nil {
+		var v1compat manifest.Schema1V1Compatibility
+		if err := json.Unmarshal([]byte(m.m.History[v1Index].V1Compatibility), &v1compat); err != nil {
 			return nil, errors.Wrapf(err, "Error decoding history entry %d", v1Index)
 		}
-		history[v2Index] = imageHistory{
-			Created:    v1compat.Created,
-			Author:     v1compat.Author,
-			CreatedBy:  strings.Join(v1compat.ContainerConfig.Cmd, " "),
-			Comment:    v1compat.Comment,
-			EmptyLayer: v1compat.ThrowAway,
-		}
-
 		if !v1compat.ThrowAway {
 			var size int64
 			if uploadedLayerInfos != nil {
@@ -322,54 +179,23 @@ func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.Bl
 			if layerDiffIDs != nil {
 				d = layerDiffIDs[v2Index]
 			}
-			layers = append(layers, descriptor{
+			layers = append(layers, manifest.Schema2Descriptor{
 				MediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip",
 				Size:      size,
-				Digest:    m.FSLayers[v1Index].BlobSum,
+				Digest:    m.m.FSLayers[v1Index].BlobSum,
 			})
-			rootFS.DiffIDs = append(rootFS.DiffIDs, d)
+			diffIDs = append(diffIDs, d)
 		}
 	}
-	configJSON, err := configJSONFromV1Config([]byte(m.History[0].V1Compatibility), rootFS, history)
+	configJSON, err := m.m.ToSchema2(diffIDs)
 	if err != nil {
 		return nil, err
 	}
-	configDescriptor := descriptor{
+	configDescriptor := manifest.Schema2Descriptor{
 		MediaType: "application/vnd.docker.container.image.v1+json",
 		Size:      int64(len(configJSON)),
 		Digest:    digest.FromBytes(configJSON),
 	}
 
-	m2 := manifestSchema2FromComponents(configDescriptor, nil, configJSON, layers)
-	return memoryImageFromManifest(m2), nil
-}
-
-func configJSONFromV1Config(v1ConfigJSON []byte, rootFS rootFS, history []imageHistory) ([]byte, error) {
-	// github.com/docker/docker/image/v1/imagev1.go:MakeConfigFromV1Config unmarshals and re-marshals the input if docker_version is < 1.8.3 to remove blank fields;
-	// we don't do that here. FIXME? Should we? AFAICT it would only affect the digest value of the schema2 manifest, and we don't particularly need that to be
-	// a consistently reproducible value.
-
-	// Preserve everything we don't specifically know about.
-	// (This must be a *json.RawMessage, even though *[]byte is fairly redundant, because only *RawMessage implements json.Marshaler.)
-	rawContents := map[string]*json.RawMessage{}
-	if err := json.Unmarshal(v1ConfigJSON, &rawContents); err != nil { // We have already unmarshaled it before, using a more detailed schema?!
-		return nil, err
-	}
-
-	delete(rawContents, "id")
-	delete(rawContents, "parent")
-	delete(rawContents, "Size")
-	delete(rawContents, "parent_id")
-	delete(rawContents, "layer_id")
-	delete(rawContents, "throwaway")
-
-	updates := map[string]interface{}{"rootfs": rootFS, "history": history}
-	for field, value := range updates {
-		encoded, err := json.Marshal(value)
-		if err != nil {
-			return nil, err
-		}
-		rawContents[field] = (*json.RawMessage)(&encoded)
-	}
-	return json.Marshal(rawContents)
+	return manifestSchema2FromComponents(configDescriptor, nil, configJSON, layers), nil
 }

vendor/github.com/containers/image/image/docker_schema2.go

@@ -8,13 +8,13 @@ import (
 	"io/ioutil"
 	"strings"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // gzippedEmptyLayer is a gzip-compressed version of an empty tar file (1024 NULL bytes)
@@ -29,54 +29,44 @@ var gzippedEmptyLayer = []byte{
 // gzippedEmptyLayerDigest is a digest of gzippedEmptyLayer
 const gzippedEmptyLayerDigest = digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")
 
-type descriptor struct {
-	MediaType string        `json:"mediaType"`
-	Size      int64         `json:"size"`
-	Digest    digest.Digest `json:"digest"`
-	URLs      []string      `json:"urls,omitempty"`
-}
-
 type manifestSchema2 struct {
-	src               types.ImageSource // May be nil if configBlob is not nil
-	configBlob        []byte            // If set, corresponds to contents of ConfigDescriptor.
-	SchemaVersion     int               `json:"schemaVersion"`
-	MediaType         string            `json:"mediaType"`
-	ConfigDescriptor  descriptor        `json:"config"`
-	LayersDescriptors []descriptor      `json:"layers"`
+	src        types.ImageSource // May be nil if configBlob is not nil
+	configBlob []byte            // If set, corresponds to contents of ConfigDescriptor.
+	m          *manifest.Schema2
 }
 
-func manifestSchema2FromManifest(src types.ImageSource, manifest []byte) (genericManifest, error) {
-	v2s2 := manifestSchema2{src: src}
-	if err := json.Unmarshal(manifest, &v2s2); err != nil {
+func manifestSchema2FromManifest(src types.ImageSource, manifestBlob []byte) (genericManifest, error) {
+	m, err := manifest.Schema2FromManifest(manifestBlob)
+	if err != nil {
 		return nil, err
 	}
-	return &v2s2, nil
+	return &manifestSchema2{
+		src: src,
+		m:   m,
+	}, nil
 }
 
 // manifestSchema2FromComponents builds a new manifestSchema2 from the supplied data:
-func manifestSchema2FromComponents(config descriptor, src types.ImageSource, configBlob []byte, layers []descriptor) genericManifest {
+func manifestSchema2FromComponents(config manifest.Schema2Descriptor, src types.ImageSource, configBlob []byte, layers []manifest.Schema2Descriptor) genericManifest {
 	return &manifestSchema2{
-		src:               src,
-		configBlob:        configBlob,
-		SchemaVersion:     2,
-		MediaType:         manifest.DockerV2Schema2MediaType,
-		ConfigDescriptor:  config,
-		LayersDescriptors: layers,
+		src:        src,
+		configBlob: configBlob,
+		m:          manifest.Schema2FromComponents(config, layers),
 	}
 }
 
 func (m *manifestSchema2) serialize() ([]byte, error) {
-	return json.Marshal(*m)
+	return m.m.Serialize()
 }
 
 func (m *manifestSchema2) manifestMIMEType() string {
-	return m.MediaType
+	return m.m.MediaType
 }
 
 // ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
 // Note that the config object may not exist in the underlying storage in the return value of UpdatedImage! Use ConfigBlob() below.
 func (m *manifestSchema2) ConfigInfo() types.BlobInfo {
-	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
+	return m.m.ConfigInfo()
 }
 
 // OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
@@ -105,9 +95,9 @@ func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
 			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestSchema2")
 		}
 		stream, _, err := m.src.GetBlob(types.BlobInfo{
-			Digest: m.ConfigDescriptor.Digest,
-			Size:   m.ConfigDescriptor.Size,
-			URLs:   m.ConfigDescriptor.URLs,
+			Digest: m.m.ConfigDescriptor.Digest,
+			Size:   m.m.ConfigDescriptor.Size,
+			URLs:   m.m.ConfigDescriptor.URLs,
 		})
 		if err != nil {
 			return nil, err
@@ -118,8 +108,8 @@ func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
 			return nil, err
 		}
 		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.ConfigDescriptor.Digest {
-			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
+		if computedDigest != m.m.ConfigDescriptor.Digest {
+			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)
 		}
 		m.configBlob = blob
 	}
@@ -130,15 +120,7 @@ func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
 func (m *manifestSchema2) LayerInfos() []types.BlobInfo {
-	blobs := []types.BlobInfo{}
-	for _, layer := range m.LayersDescriptors {
-		blobs = append(blobs, types.BlobInfo{
-			Digest: layer.Digest,
-			Size:   layer.Size,
-			URLs:   layer.URLs,
-		})
-	}
-	return blobs
+	return m.m.LayerInfos()
 }
 
 // EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
@@ -149,21 +131,18 @@ func (m *manifestSchema2) EmbeddedDockerReferenceConflicts(ref reference.Named)
 }
 
 func (m *manifestSchema2) imageInspectInfo() (*types.ImageInspectInfo, error) {
-	config, err := m.ConfigBlob()
-	if err != nil {
-		return nil, err
+	getter := func(info types.BlobInfo) ([]byte, error) {
+		if info.Digest != m.ConfigInfo().Digest {
+			// Shouldn't ever happen
+			return nil, errors.New("asked for a different config blob")
+		}
+		config, err := m.ConfigBlob()
+		if err != nil {
+			return nil, err
+		}
+		return config, nil
 	}
-	v1 := &v1Image{}
-	if err := json.Unmarshal(config, v1); err != nil {
-		return nil, err
-	}
-	return &types.ImageInspectInfo{
-		DockerVersion: v1.DockerVersion,
-		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-	}, nil
+	return m.m.Inspect(getter)
 }
 
 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -176,16 +155,14 @@ func (m *manifestSchema2) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
 func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
-	copy := *m // NOTE: This is not a deep copy, it still shares slices etc.
+	copy := manifestSchema2{ // NOTE: This is not a deep copy, it still shares slices etc.
+		src:        m.src,
+		configBlob: m.configBlob,
+		m:          manifest.Schema2Clone(m.m),
+	}
 	if options.LayerInfos != nil {
-		if len(copy.LayersDescriptors) != len(options.LayerInfos) {
-			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
-		}
-		copy.LayersDescriptors = make([]descriptor, len(options.LayerInfos))
-		for i, info := range options.LayerInfos {
-			copy.LayersDescriptors[i].Digest = info.Digest
-			copy.LayersDescriptors[i].Size = info.Size
-			copy.LayersDescriptors[i].URLs = info.URLs
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
 		}
 	}
 	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1 to schema2, but we really don't care.
@@ -203,6 +180,15 @@ func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	return memoryImageFromManifest(&copy), nil
 }
 
+func oci1DescriptorFromSchema2Descriptor(d manifest.Schema2Descriptor) imgspecv1.Descriptor {
+	return imgspecv1.Descriptor{
+		MediaType: d.MediaType,
+		Size:      d.Size,
+		Digest:    d.Digest,
+		URLs:      d.URLs,
+	}
+}
+
 func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
 	configOCI, err := m.OCIConfig()
 	if err != nil {
@@ -213,16 +199,16 @@ func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
 		return nil, err
 	}
 
-	config := descriptor{
+	config := imgspecv1.Descriptor{
 		MediaType: imgspecv1.MediaTypeImageConfig,
 		Size:      int64(len(configOCIBytes)),
 		Digest:    digest.FromBytes(configOCIBytes),
 	}
 
-	layers := make([]descriptor, len(m.LayersDescriptors))
+	layers := make([]imgspecv1.Descriptor, len(m.m.LayersDescriptors))
 	for idx := range layers {
-		layers[idx] = m.LayersDescriptors[idx]
-		if m.LayersDescriptors[idx].MediaType == manifest.DockerV2Schema2ForeignLayerMediaType {
+		layers[idx] = oci1DescriptorFromSchema2Descriptor(m.m.LayersDescriptors[idx])
+		if m.m.LayersDescriptors[idx].MediaType == manifest.DockerV2Schema2ForeignLayerMediaType {
 			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerNonDistributable
 		} else {
 			// we assume layers are gzip'ed because docker v2s2 only deals with
@@ -241,14 +227,14 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 	if err != nil {
 		return nil, err
 	}
-	imageConfig := &image{}
+	imageConfig := &manifest.Schema2Image{}
 	if err := json.Unmarshal(configBytes, imageConfig); err != nil {
 		return nil, err
 	}
 
 	// Build fsLayers and History, discarding all configs. We will patch the top-level config in later.
-	fsLayers := make([]fsLayersSchema1, len(imageConfig.History))
-	history := make([]historySchema1, len(imageConfig.History))
+	fsLayers := make([]manifest.Schema1FSLayers, len(imageConfig.History))
+	history := make([]manifest.Schema1History, len(imageConfig.History))
 	nonemptyLayerIndex := 0
 	var parentV1ID string // Set in the loop
 	v1ID := ""
@@ -276,10 +262,10 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 			}
 			blobDigest = gzippedEmptyLayerDigest
 		} else {
-			if nonemptyLayerIndex >= len(m.LayersDescriptors) {
-				return nil, errors.Errorf("Invalid image configuration, needs more than the %d distributed layers", len(m.LayersDescriptors))
+			if nonemptyLayerIndex >= len(m.m.LayersDescriptors) {
+				return nil, errors.Errorf("Invalid image configuration, needs more than the %d distributed layers", len(m.m.LayersDescriptors))
 			}
-			blobDigest = m.LayersDescriptors[nonemptyLayerIndex].Digest
+			blobDigest = m.m.LayersDescriptors[nonemptyLayerIndex].Digest
 			nonemptyLayerIndex++
 		}
 
@@ -290,7 +276,7 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 		}
 		v1ID = v
 
-		fakeImage := v1Compatibility{
+		fakeImage := manifest.Schema1V1Compatibility{
 			ID:        v1ID,
 			Parent:    parentV1ID,
 			Comment:   historyEntry.Comment,
@@ -304,8 +290,8 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 			return nil, errors.Errorf("Internal error: Error creating v1compatibility for %#v", fakeImage)
 		}
 
-		fsLayers[v1Index] = fsLayersSchema1{BlobSum: blobDigest}
-		history[v1Index] = historySchema1{V1Compatibility: string(v1CompatibilityBytes)}
+		fsLayers[v1Index] = manifest.Schema1FSLayers{BlobSum: blobDigest}
+		history[v1Index] = manifest.Schema1History{V1Compatibility: string(v1CompatibilityBytes)}
 		// Note that parentV1ID of the top layer is preserved when exiting this loop
 	}
 

vendor/github.com/containers/image/image/manifest.go

@@ -1,57 +1,14 @@
 package image
 
 import (
-	"time"
+	"fmt"
 
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/strslice"
 	"github.com/containers/image/types"
-	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
-type config struct {
-	Cmd    strslice.StrSlice
-	Labels map[string]string
-}
-
-type v1Image struct {
-	ID              string    `json:"id,omitempty"`
-	Parent          string    `json:"parent,omitempty"`
-	Comment         string    `json:"comment,omitempty"`
-	Created         time.Time `json:"created"`
-	ContainerConfig *config   `json:"container_config,omitempty"`
-	DockerVersion   string    `json:"docker_version,omitempty"`
-	Author          string    `json:"author,omitempty"`
-	// Config is the configuration of the container received from the client
-	Config *config `json:"config,omitempty"`
-	// Architecture is the hardware that the image is build and runs on
-	Architecture string `json:"architecture,omitempty"`
-	// OS is the operating system used to build and run the image
-	OS string `json:"os,omitempty"`
-}
-
-type image struct {
-	v1Image
-	History []imageHistory `json:"history,omitempty"`
-	RootFS  *rootFS        `json:"rootfs,omitempty"`
-}
-
-type imageHistory struct {
-	Created    time.Time `json:"created"`
-	Author     string    `json:"author,omitempty"`
-	CreatedBy  string    `json:"created_by,omitempty"`
-	Comment    string    `json:"comment,omitempty"`
-	EmptyLayer bool      `json:"empty_layer,omitempty"`
-}
-
-type rootFS struct {
-	Type      string          `json:"type"`
-	DiffIDs   []digest.Digest `json:"diff_ids,omitempty"`
-	BaseLayer string          `json:"base_layer,omitempty"`
-}
-
 // genericManifest is an interface for parsing, modifying image manifests and related data.
 // Note that the public methods are intended to be a subset of types.Image
 // so that embedding a genericManifest into structs works.
@@ -87,43 +44,24 @@ type genericManifest interface {
 	UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error)
 }
 
-func manifestInstanceFromBlob(src types.ImageSource, manblob []byte, mt string) (genericManifest, error) {
-	switch mt {
-	// "application/json" is a valid v2s1 value per https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-1.md .
-	// This works for now, when nothing else seems to return "application/json"; if that were not true, the mapping/detection might
-	// need to happen within the ImageSource.
-	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType, "application/json":
+// manifestInstanceFromBlob returns a genericManifest implementation for (manblob, mt) in src.
+// If manblob is a manifest list, it implicitly chooses an appropriate image from the list.
+func manifestInstanceFromBlob(ctx *types.SystemContext, src types.ImageSource, manblob []byte, mt string) (genericManifest, error) {
+	switch manifest.NormalizedMIMEType(mt) {
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
 		return manifestSchema1FromManifest(manblob)
 	case imgspecv1.MediaTypeImageManifest:
 		return manifestOCI1FromManifest(src, manblob)
 	case manifest.DockerV2Schema2MediaType:
 		return manifestSchema2FromManifest(src, manblob)
 	case manifest.DockerV2ListMediaType:
-		return manifestSchema2FromManifestList(src, manblob)
-	default:
-		// If it's not a recognized manifest media type, or we have failed determining the type, we'll try one last time
-		// to deserialize using v2s1 as per https://github.com/docker/distribution/blob/master/manifests.go#L108
-		// and https://github.com/docker/distribution/blob/master/manifest/schema1/manifest.go#L50
-		//
-		// Crane registries can also return "text/plain", or pretty much anything else depending on a file extension “recognized” in the tag.
-		// This makes no real sense, but it happens
-		// because requests for manifests are
-		// redirected to a content distribution
-		// network which is configured that way. See https://bugzilla.redhat.com/show_bug.cgi?id=1389442
-		return manifestSchema1FromManifest(manblob)
+		return manifestSchema2FromManifestList(ctx, src, manblob)
+	default: // Note that this may not be reachable, manifest.NormalizedMIMEType has a default for unknown values.
+		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", mt)
 	}
 }
 
 // inspectManifest is an implementation of types.Image.Inspect
 func inspectManifest(m genericManifest) (*types.ImageInspectInfo, error) {
-	info, err := m.imageInspectInfo()
-	if err != nil {
-		return nil, err
-	}
-	layers := m.LayerInfos()
-	info.Layers = make([]string, len(layers))
-	for i, layer := range layers {
-		info.Layers[i] = layer.Digest.String()
-	}
-	return info, nil
+	return m.imageInspectInfo()
 }

vendor/github.com/containers/image/image/memory.go

@@ -1,6 +1,8 @@
 package image
 
 import (
+	"context"
+
 	"github.com/pkg/errors"
 
 	"github.com/containers/image/types"
@@ -31,11 +33,6 @@ func (i *memoryImage) Reference() types.ImageReference {
 	return nil
 }
 
-// Close removes resources associated with an initialized UnparsedImage, if any.
-func (i *memoryImage) Close() error {
-	return nil
-}
-
 // Size returns the size of the image as stored, if known, or -1 if not.
 func (i *memoryImage) Size() (int64, error) {
 	return -1, nil
@@ -54,7 +51,7 @@ func (i *memoryImage) Manifest() ([]byte, string, error) {
 }
 
 // Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-func (i *memoryImage) Signatures() ([][]byte, error) {
+func (i *memoryImage) Signatures(ctx context.Context) ([][]byte, error) {
 	// Modifying an image invalidates signatures; a caller asking the updated image for signatures
 	// is probably confused.
 	return nil, errors.New("Internal error: Image.Signatures() is not supported for images modified in memory")
@@ -65,7 +62,9 @@ func (i *memoryImage) Inspect() (*types.ImageInspectInfo, error) {
 	return inspectManifest(i.genericManifest)
 }
 
-// IsMultiImage returns true if the image's manifest is a list of images, false otherwise.
-func (i *memoryImage) IsMultiImage() bool {
-	return false
+// LayerInfosForCopy returns an updated set of layer blob information which may not match the manifest.
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (i *memoryImage) LayerInfosForCopy() []types.BlobInfo {
+	return nil
 }

vendor/github.com/containers/image/image/oci.go

@@ -13,34 +13,33 @@ import (
 )
 
 type manifestOCI1 struct {
-	src               types.ImageSource // May be nil if configBlob is not nil
-	configBlob        []byte            // If set, corresponds to contents of ConfigDescriptor.
-	SchemaVersion     int               `json:"schemaVersion"`
-	ConfigDescriptor  descriptor        `json:"config"`
-	LayersDescriptors []descriptor      `json:"layers"`
+	src        types.ImageSource // May be nil if configBlob is not nil
+	configBlob []byte            // If set, corresponds to contents of m.Config.
+	m          *manifest.OCI1
 }
 
-func manifestOCI1FromManifest(src types.ImageSource, manifest []byte) (genericManifest, error) {
-	oci := manifestOCI1{src: src}
-	if err := json.Unmarshal(manifest, &oci); err != nil {
+func manifestOCI1FromManifest(src types.ImageSource, manifestBlob []byte) (genericManifest, error) {
+	m, err := manifest.OCI1FromManifest(manifestBlob)
+	if err != nil {
 		return nil, err
 	}
-	return &oci, nil
+	return &manifestOCI1{
+		src: src,
+		m:   m,
+	}, nil
 }
 
 // manifestOCI1FromComponents builds a new manifestOCI1 from the supplied data:
-func manifestOCI1FromComponents(config descriptor, src types.ImageSource, configBlob []byte, layers []descriptor) genericManifest {
+func manifestOCI1FromComponents(config imgspecv1.Descriptor, src types.ImageSource, configBlob []byte, layers []imgspecv1.Descriptor) genericManifest {
 	return &manifestOCI1{
-		src:               src,
-		configBlob:        configBlob,
-		SchemaVersion:     2,
-		ConfigDescriptor:  config,
-		LayersDescriptors: layers,
+		src:        src,
+		configBlob: configBlob,
+		m:          manifest.OCI1FromComponents(config, layers),
 	}
 }
 
 func (m *manifestOCI1) serialize() ([]byte, error) {
-	return json.Marshal(*m)
+	return m.m.Serialize()
 }
 
 func (m *manifestOCI1) manifestMIMEType() string {
@@ -50,7 +49,7 @@ func (m *manifestOCI1) manifestMIMEType() string {
 // ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
 // Note that the config object may not exist in the underlying storage in the return value of UpdatedImage! Use ConfigBlob() below.
 func (m *manifestOCI1) ConfigInfo() types.BlobInfo {
-	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
+	return m.m.ConfigInfo()
 }
 
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
@@ -61,9 +60,9 @@ func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
 			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestOCI1")
 		}
 		stream, _, err := m.src.GetBlob(types.BlobInfo{
-			Digest: m.ConfigDescriptor.Digest,
-			Size:   m.ConfigDescriptor.Size,
-			URLs:   m.ConfigDescriptor.URLs,
+			Digest: m.m.Config.Digest,
+			Size:   m.m.Config.Size,
+			URLs:   m.m.Config.URLs,
 		})
 		if err != nil {
 			return nil, err
@@ -74,8 +73,8 @@ func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
 			return nil, err
 		}
 		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.ConfigDescriptor.Digest {
-			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
+		if computedDigest != m.m.Config.Digest {
+			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest)
 		}
 		m.configBlob = blob
 	}
@@ -101,11 +100,7 @@ func (m *manifestOCI1) OCIConfig() (*imgspecv1.Image, error) {
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
 func (m *manifestOCI1) LayerInfos() []types.BlobInfo {
-	blobs := []types.BlobInfo{}
-	for _, layer := range m.LayersDescriptors {
-		blobs = append(blobs, types.BlobInfo{Digest: layer.Digest, Size: layer.Size})
-	}
-	return blobs
+	return m.m.LayerInfos()
 }
 
 // EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
@@ -116,21 +111,18 @@ func (m *manifestOCI1) EmbeddedDockerReferenceConflicts(ref reference.Named) boo
 }
 
 func (m *manifestOCI1) imageInspectInfo() (*types.ImageInspectInfo, error) {
-	config, err := m.ConfigBlob()
-	if err != nil {
-		return nil, err
+	getter := func(info types.BlobInfo) ([]byte, error) {
+		if info.Digest != m.ConfigInfo().Digest {
+			// Shouldn't ever happen
+			return nil, errors.New("asked for a different config blob")
+		}
+		config, err := m.ConfigBlob()
+		if err != nil {
+			return nil, err
+		}
+		return config, nil
 	}
-	v1 := &v1Image{}
-	if err := json.Unmarshal(config, v1); err != nil {
-		return nil, err
-	}
-	return &types.ImageInspectInfo{
-		DockerVersion: v1.DockerVersion,
-		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-	}, nil
+	return m.m.Inspect(getter)
 }
 
 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -143,21 +135,30 @@ func (m *manifestOCI1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUpdat
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
 func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
-	copy := *m // NOTE: This is not a deep copy, it still shares slices etc.
+	copy := manifestOCI1{ // NOTE: This is not a deep copy, it still shares slices etc.
+		src:        m.src,
+		configBlob: m.configBlob,
+		m:          manifest.OCI1Clone(m.m),
+	}
 	if options.LayerInfos != nil {
-		if len(copy.LayersDescriptors) != len(options.LayerInfos) {
-			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
-		}
-		copy.LayersDescriptors = make([]descriptor, len(options.LayerInfos))
-		for i, info := range options.LayerInfos {
-			copy.LayersDescriptors[i].Digest = info.Digest
-			copy.LayersDescriptors[i].Size = info.Size
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
 		}
 	}
 	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1, but we really don't care.
 
 	switch options.ManifestMIMEType {
 	case "": // No conversion, OK
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		// We can't directly convert to V1, but we can transitively convert via a V2 image
+		m2, err := copy.convertToManifestSchema2()
+		if err != nil {
+			return nil, err
+		}
+		return m2.UpdatedImage(types.ManifestUpdateOptions{
+			ManifestMIMEType: options.ManifestMIMEType,
+			InformationOnly:  options.InformationOnly,
+		})
 	case manifest.DockerV2Schema2MediaType:
 		return copy.convertToManifestSchema2()
 	default:
@@ -167,17 +168,26 @@ func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.
 	return memoryImageFromManifest(&copy), nil
 }
 
+func schema2DescriptorFromOCI1Descriptor(d imgspecv1.Descriptor) manifest.Schema2Descriptor {
+	return manifest.Schema2Descriptor{
+		MediaType: d.MediaType,
+		Size:      d.Size,
+		Digest:    d.Digest,
+		URLs:      d.URLs,
+	}
+}
+
 func (m *manifestOCI1) convertToManifestSchema2() (types.Image, error) {
 	// Create a copy of the descriptor.
-	config := m.ConfigDescriptor
+	config := schema2DescriptorFromOCI1Descriptor(m.m.Config)
 
 	// The only difference between OCI and DockerSchema2 is the mediatypes. The
 	// media type of the manifest is handled by manifestSchema2FromComponents.
 	config.MediaType = manifest.DockerV2Schema2ConfigMediaType
 
-	layers := make([]descriptor, len(m.LayersDescriptors))
+	layers := make([]manifest.Schema2Descriptor, len(m.m.Layers))
 	for idx := range layers {
-		layers[idx] = m.LayersDescriptors[idx]
+		layers[idx] = schema2DescriptorFromOCI1Descriptor(m.m.Layers[idx])
 		layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
 	}
 

vendor/github.com/containers/image/image/sourced.go

@@ -4,12 +4,22 @@
 package image
 
 import (
-	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 )
 
-// FromSource returns a types.Image implementation for source.
-// The caller must call .Close() on the returned Image.
+// imageCloser implements types.ImageCloser, perhaps allowing simple users
+// to use a single object without having keep a reference to a types.ImageSource
+// only to call types.ImageSource.Close().
+type imageCloser struct {
+	types.Image
+	src types.ImageSource
+}
+
+// FromSource returns a types.ImageCloser implementation for the default instance of source.
+// If source is a manifest list, .Manifest() still returns the manifest list,
+// but other methods transparently return data from an appropriate image instance.
+//
+// The caller must call .Close() on the returned ImageCloser.
 //
 // FromSource “takes ownership” of the input ImageSource and will call src.Close()
 // when the image is closed.  (This does not prevent callers from using both the
@@ -18,8 +28,19 @@ import (
 //
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage instead of calling this function.
-func FromSource(src types.ImageSource) (types.Image, error) {
-	return FromUnparsedImage(UnparsedFromSource(src))
+func FromSource(ctx *types.SystemContext, src types.ImageSource) (types.ImageCloser, error) {
+	img, err := FromUnparsedImage(ctx, UnparsedInstance(src, nil))
+	if err != nil {
+		return nil, err
+	}
+	return &imageCloser{
+		Image: img,
+		src:   src,
+	}, nil
+}
+
+func (ic *imageCloser) Close() error {
+	return ic.src.Close()
 }
 
 // sourcedImage is a general set of utilities for working with container images,
@@ -38,27 +59,22 @@ type sourcedImage struct {
 }
 
 // FromUnparsedImage returns a types.Image implementation for unparsed.
-// The caller must call .Close() on the returned Image.
+// If unparsed represents a manifest list, .Manifest() still returns the manifest list,
+// but other methods transparently return data from an appropriate single image.
 //
-// FromSource “takes ownership” of the input UnparsedImage and will call uparsed.Close()
-// when the image is closed.  (This does not prevent callers from using both the
-// UnparsedImage and ImageSource objects simultaneously, but it means that they only need to
-// keep a reference to the Image.)
-func FromUnparsedImage(unparsed *UnparsedImage) (types.Image, error) {
+// The Image must not be used after the underlying ImageSource is Close()d.
+func FromUnparsedImage(ctx *types.SystemContext, unparsed *UnparsedImage) (types.Image, error) {
 	// Note that the input parameter above is specifically *image.UnparsedImage, not types.UnparsedImage:
 	// we want to be able to use unparsed.src.  We could make that an explicit interface, but, well,
 	// this is the only UnparsedImage implementation around, anyway.
 
-	// Also, we do not explicitly implement types.Image.Close; we let the implementation fall through to
-	// unparsed.Close.
-
 	// NOTE: It is essential for signature verification that all parsing done in this object happens on the same manifest which is returned by unparsed.Manifest().
 	manifestBlob, manifestMIMEType, err := unparsed.Manifest()
 	if err != nil {
 		return nil, err
 	}
 
-	parsedManifest, err := manifestInstanceFromBlob(unparsed.src, manifestBlob, manifestMIMEType)
+	parsedManifest, err := manifestInstanceFromBlob(ctx, unparsed.src, manifestBlob, manifestMIMEType)
 	if err != nil {
 		return nil, err
 	}
@@ -85,6 +101,6 @@ func (i *sourcedImage) Inspect() (*types.ImageInspectInfo, error) {
 	return inspectManifest(i.genericManifest)
 }
 
-func (i *sourcedImage) IsMultiImage() bool {
-	return i.manifestMIMEType == manifest.DockerV2ListMediaType
+func (i *sourcedImage) LayerInfosForCopy() []types.BlobInfo {
+	return i.UnparsedImage.LayerInfosForCopy()
 }

vendor/github.com/containers/image/image/unparsed.go

@@ -1,6 +1,8 @@
 package image
 
 import (
+	"context"
+
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
@@ -9,8 +11,10 @@ import (
 )
 
 // UnparsedImage implements types.UnparsedImage .
+// An UnparsedImage is a pair of (ImageSource, instance digest); it can represent either a manifest list or a single image instance.
 type UnparsedImage struct {
 	src            types.ImageSource
+	instanceDigest *digest.Digest
 	cachedManifest []byte // A private cache for Manifest(); nil if not yet known.
 	// A private cache for Manifest(), may be the empty string if guessing failed.
 	// Valid iff cachedManifest is not nil.
@@ -18,49 +22,41 @@ type UnparsedImage struct {
 	cachedSignatures       [][]byte // A private cache for Signatures(); nil if not yet known.
 }
 
-// UnparsedFromSource returns a types.UnparsedImage implementation for source.
-// The caller must call .Close() on the returned UnparsedImage.
+// UnparsedInstance returns a types.UnparsedImage implementation for (source, instanceDigest).
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list).
 //
-// UnparsedFromSource “takes ownership” of the input ImageSource and will call src.Close()
-// when the image is closed.  (This does not prevent callers from using both the
-// UnparsedImage and ImageSource objects simultaneously, but it means that they only need to
-// keep a reference to the UnparsedImage.)
-func UnparsedFromSource(src types.ImageSource) *UnparsedImage {
-	return &UnparsedImage{src: src}
+// The UnparsedImage must not be used after the underlying ImageSource is Close()d.
+func UnparsedInstance(src types.ImageSource, instanceDigest *digest.Digest) *UnparsedImage {
+	return &UnparsedImage{
+		src:            src,
+		instanceDigest: instanceDigest,
+	}
 }
 
 // Reference returns the reference used to set up this source, _as specified by the user_
 // (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
 func (i *UnparsedImage) Reference() types.ImageReference {
+	// Note that this does not depend on instanceDigest; e.g. all instances within a manifest list need to be signed with the manifest list identity.
 	return i.src.Reference()
 }
 
-// Close removes resources associated with an initialized UnparsedImage, if any.
-func (i *UnparsedImage) Close() error {
-	return i.src.Close()
-}
-
 // Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
 func (i *UnparsedImage) Manifest() ([]byte, string, error) {
 	if i.cachedManifest == nil {
-		m, mt, err := i.src.GetManifest()
+		m, mt, err := i.src.GetManifest(i.instanceDigest)
 		if err != nil {
 			return nil, "", err
 		}
 
 		// ImageSource.GetManifest does not do digest verification, but we do;
 		// this immediately protects also any user of types.Image.
-		ref := i.Reference().DockerReference()
-		if ref != nil {
-			if canonical, ok := ref.(reference.Canonical); ok {
-				digest := digest.Digest(canonical.Digest())
-				matches, err := manifest.MatchesDigest(m, digest)
-				if err != nil {
-					return nil, "", errors.Wrap(err, "Error computing manifest digest")
-				}
-				if !matches {
-					return nil, "", errors.Errorf("Manifest does not match provided manifest digest %s", digest)
-				}
+		if digest, haveDigest := i.expectedManifestDigest(); haveDigest {
+			matches, err := manifest.MatchesDigest(m, digest)
+			if err != nil {
+				return nil, "", errors.Wrap(err, "Error computing manifest digest")
+			}
+			if !matches {
+				return nil, "", errors.Errorf("Manifest does not match provided manifest digest %s", digest)
 			}
 		}
 
@@ -70,10 +66,26 @@ func (i *UnparsedImage) Manifest() ([]byte, string, error) {
 	return i.cachedManifest, i.cachedManifestMIMEType, nil
 }
 
+// expectedManifestDigest returns a the expected value of the manifest digest, and an indicator whether it is known.
+// The bool return value seems redundant with digest != ""; it is used explicitly
+// to refuse (unexpected) situations when the digest exists but is "".
+func (i *UnparsedImage) expectedManifestDigest() (digest.Digest, bool) {
+	if i.instanceDigest != nil {
+		return *i.instanceDigest, true
+	}
+	ref := i.Reference().DockerReference()
+	if ref != nil {
+		if canonical, ok := ref.(reference.Canonical); ok {
+			return canonical.Digest(), true
+		}
+	}
+	return "", false
+}
+
 // Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-func (i *UnparsedImage) Signatures() ([][]byte, error) {
+func (i *UnparsedImage) Signatures(ctx context.Context) ([][]byte, error) {
 	if i.cachedSignatures == nil {
-		sigs, err := i.src.GetSignatures()
+		sigs, err := i.src.GetSignatures(ctx, i.instanceDigest)
 		if err != nil {
 			return nil, err
 		}
@@ -81,3 +93,10 @@ func (i *UnparsedImage) Signatures() ([][]byte, error) {
 	}
 	return i.cachedSignatures, nil
 }
+
+// LayerInfosForCopy returns an updated set of layer blob information which may not match the manifest.
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (i *UnparsedImage) LayerInfosForCopy() []types.BlobInfo {
+	return i.src.LayerInfosForCopy()
+}

vendor/github.com/containers/image/internal/tmpdir/tmpdir.go

@@ -0,0 +1,19 @@
+package tmpdir
+
+import (
+	"os"
+	"runtime"
+)
+
+// TemporaryDirectoryForBigFiles returns a directory for temporary (big) files.
+// On non Windows systems it avoids the use of os.TempDir(), because the default temporary directory usually falls under /tmp
+// which on systemd based systems could be the unsuitable tmpfs filesystem.
+func TemporaryDirectoryForBigFiles() string {
+	var temporaryDirectoryForBigFiles string
+	if runtime.GOOS == "windows" {
+		temporaryDirectoryForBigFiles = os.TempDir()
+	} else {
+		temporaryDirectoryForBigFiles = "/var/tmp"
+	}
+	return temporaryDirectoryForBigFiles
+}

vendor/github.com/containers/image/manifest/docker_schema1.go

@@ -0,0 +1,310 @@
+package manifest
+
+import (
+	"encoding/json"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// Schema1FSLayers is an entry of the "fsLayers" array in docker/distribution schema 1.
+type Schema1FSLayers struct {
+	BlobSum digest.Digest `json:"blobSum"`
+}
+
+// Schema1History is an entry of the "history" array in docker/distribution schema 1.
+type Schema1History struct {
+	V1Compatibility string `json:"v1Compatibility"`
+}
+
+// Schema1 is a manifest in docker/distribution schema 1.
+type Schema1 struct {
+	Name          string            `json:"name"`
+	Tag           string            `json:"tag"`
+	Architecture  string            `json:"architecture"`
+	FSLayers      []Schema1FSLayers `json:"fsLayers"`
+	History       []Schema1History  `json:"history"`
+	SchemaVersion int               `json:"schemaVersion"`
+}
+
+// Schema1V1Compatibility is a v1Compatibility in docker/distribution schema 1.
+type Schema1V1Compatibility struct {
+	ID              string    `json:"id"`
+	Parent          string    `json:"parent,omitempty"`
+	Comment         string    `json:"comment,omitempty"`
+	Created         time.Time `json:"created"`
+	ContainerConfig struct {
+		Cmd []string
+	} `json:"container_config,omitempty"`
+	Author    string `json:"author,omitempty"`
+	ThrowAway bool   `json:"throwaway,omitempty"`
+}
+
+// Schema1FromManifest creates a Schema1 manifest instance from a manifest blob.
+// (NOTE: The instance is not necessary a literal representation of the original blob,
+// layers with duplicate IDs are eliminated.)
+func Schema1FromManifest(manifest []byte) (*Schema1, error) {
+	s1 := Schema1{}
+	if err := json.Unmarshal(manifest, &s1); err != nil {
+		return nil, err
+	}
+	if s1.SchemaVersion != 1 {
+		return nil, errors.Errorf("unsupported schema version %d", s1.SchemaVersion)
+	}
+	if len(s1.FSLayers) != len(s1.History) {
+		return nil, errors.New("length of history not equal to number of layers")
+	}
+	if len(s1.FSLayers) == 0 {
+		return nil, errors.New("no FSLayers in manifest")
+	}
+	if err := s1.fixManifestLayers(); err != nil {
+		return nil, err
+	}
+	return &s1, nil
+}
+
+// Schema1FromComponents creates an Schema1 manifest instance from the supplied data.
+func Schema1FromComponents(ref reference.Named, fsLayers []Schema1FSLayers, history []Schema1History, architecture string) *Schema1 {
+	var name, tag string
+	if ref != nil { // Well, what to do if it _is_ nil? Most consumers actually don't use these fields nowadays, so we might as well try not supplying them.
+		name = reference.Path(ref)
+		if tagged, ok := ref.(reference.NamedTagged); ok {
+			tag = tagged.Tag()
+		}
+	}
+	return &Schema1{
+		Name:          name,
+		Tag:           tag,
+		Architecture:  architecture,
+		FSLayers:      fsLayers,
+		History:       history,
+		SchemaVersion: 1,
+	}
+}
+
+// Schema1Clone creates a copy of the supplied Schema1 manifest.
+func Schema1Clone(src *Schema1) *Schema1 {
+	copy := *src
+	return &copy
+}
+
+// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+func (m *Schema1) ConfigInfo() types.BlobInfo {
+	return types.BlobInfo{}
+}
+
+// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (m *Schema1) LayerInfos() []types.BlobInfo {
+	layers := make([]types.BlobInfo, len(m.FSLayers))
+	for i, layer := range m.FSLayers { // NOTE: This includes empty layers (where m.History.V1Compatibility->ThrowAway)
+		layers[(len(m.FSLayers)-1)-i] = types.BlobInfo{Digest: layer.BlobSum, Size: -1}
+	}
+	return layers
+}
+
+// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
+func (m *Schema1) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
+	// Our LayerInfos includes empty layers (where m.History.V1Compatibility->ThrowAway), so expect them to be included here as well.
+	if len(m.FSLayers) != len(layerInfos) {
+		return errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(m.FSLayers), len(layerInfos))
+	}
+	for i, info := range layerInfos {
+		// (docker push) sets up m.History.V1Compatibility->{Id,Parent} based on values of info.Digest,
+		// but (docker pull) ignores them in favor of computing DiffIDs from uncompressed data, except verifying the child->parent links and uniqueness.
+		// So, we don't bother recomputing the IDs in m.History.V1Compatibility.
+		m.FSLayers[(len(layerInfos)-1)-i].BlobSum = info.Digest
+	}
+	return nil
+}
+
+// Serialize returns the manifest in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (m *Schema1) Serialize() ([]byte, error) {
+	// docker/distribution requires a signature even if the incoming data uses the nominally unsigned DockerV2Schema1MediaType.
+	unsigned, err := json.Marshal(*m)
+	if err != nil {
+		return nil, err
+	}
+	return AddDummyV2S1Signature(unsigned)
+}
+
+// fixManifestLayers, after validating the supplied manifest
+// (to use correctly-formatted IDs, and to not have non-consecutive ID collisions in m.History),
+// modifies manifest to only have one entry for each layer ID in m.History (deleting the older duplicates,
+// both from m.History and m.FSLayers).
+// Note that even after this succeeds, m.FSLayers may contain duplicate entries
+// (for Dockerfile operations which change the configuration but not the filesystem).
+func (m *Schema1) fixManifestLayers() error {
+	type imageV1 struct {
+		ID     string
+		Parent string
+	}
+	// Per the specification, we can assume that len(m.FSLayers) == len(m.History)
+	imgs := make([]*imageV1, len(m.FSLayers))
+	for i := range m.FSLayers {
+		img := &imageV1{}
+
+		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), img); err != nil {
+			return err
+		}
+
+		imgs[i] = img
+		if err := validateV1ID(img.ID); err != nil {
+			return err
+		}
+	}
+	if imgs[len(imgs)-1].Parent != "" {
+		return errors.New("Invalid parent ID in the base layer of the image")
+	}
+	// check general duplicates to error instead of a deadlock
+	idmap := make(map[string]struct{})
+	var lastID string
+	for _, img := range imgs {
+		// skip IDs that appear after each other, we handle those later
+		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
+			return errors.Errorf("ID %+v appears multiple times in manifest", img.ID)
+		}
+		lastID = img.ID
+		idmap[lastID] = struct{}{}
+	}
+	// backwards loop so that we keep the remaining indexes after removing items
+	for i := len(imgs) - 2; i >= 0; i-- {
+		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
+			m.FSLayers = append(m.FSLayers[:i], m.FSLayers[i+1:]...)
+			m.History = append(m.History[:i], m.History[i+1:]...)
+		} else if imgs[i].Parent != imgs[i+1].ID {
+			return errors.Errorf("Invalid parent ID. Expected %v, got %v", imgs[i+1].ID, imgs[i].Parent)
+		}
+	}
+	return nil
+}
+
+var validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
+
+func validateV1ID(id string) error {
+	if ok := validHex.MatchString(id); !ok {
+		return errors.Errorf("image ID %q is invalid", id)
+	}
+	return nil
+}
+
+// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
+func (m *Schema1) Inspect(_ func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error) {
+	s1 := &Schema2V1Image{}
+	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), s1); err != nil {
+		return nil, err
+	}
+	return &types.ImageInspectInfo{
+		Tag:           m.Tag,
+		Created:       s1.Created,
+		DockerVersion: s1.DockerVersion,
+		Labels:        make(map[string]string),
+		Architecture:  s1.Architecture,
+		Os:            s1.OS,
+		Layers:        LayerInfosToStrings(m.LayerInfos()),
+	}, nil
+}
+
+// ToSchema2 builds a schema2-style configuration blob using the supplied diffIDs.
+func (m *Schema1) ToSchema2(diffIDs []digest.Digest) ([]byte, error) {
+	// Convert the schema 1 compat info into a schema 2 config, constructing some of the fields
+	// that aren't directly comparable using info from the manifest.
+	if len(m.History) == 0 {
+		return nil, errors.New("image has no layers")
+	}
+	s2 := struct {
+		Schema2Image
+		ID        string `json:"id,omitempty"`
+		Parent    string `json:"parent,omitempty"`
+		ParentID  string `json:"parent_id,omitempty"`
+		LayerID   string `json:"layer_id,omitempty"`
+		ThrowAway bool   `json:"throwaway,omitempty"`
+		Size      int64  `json:",omitempty"`
+	}{}
+	config := []byte(m.History[0].V1Compatibility)
+	err := json.Unmarshal(config, &s2)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error decoding configuration")
+	}
+	// Images created with versions prior to 1.8.3 require us to re-encode the encoded object,
+	// adding some fields that aren't "omitempty".
+	if s2.DockerVersion != "" && versions.LessThan(s2.DockerVersion, "1.8.3") {
+		config, err = json.Marshal(&s2)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error re-encoding compat image config %#v", s2)
+		}
+	}
+	// Build the history.
+	convertedHistory := []Schema2History{}
+	for _, h := range m.History {
+		compat := Schema1V1Compatibility{}
+		if err := json.Unmarshal([]byte(h.V1Compatibility), &compat); err != nil {
+			return nil, errors.Wrapf(err, "error decoding history information")
+		}
+		hitem := Schema2History{
+			Created:    compat.Created,
+			CreatedBy:  strings.Join(compat.ContainerConfig.Cmd, " "),
+			Author:     compat.Author,
+			Comment:    compat.Comment,
+			EmptyLayer: compat.ThrowAway,
+		}
+		convertedHistory = append([]Schema2History{hitem}, convertedHistory...)
+	}
+	// Build the rootfs information.  We need the decompressed sums that we've been
+	// calculating to fill in the DiffIDs.  It's expected (but not enforced by us)
+	// that the number of diffIDs corresponds to the number of non-EmptyLayer
+	// entries in the history.
+	rootFS := &Schema2RootFS{
+		Type:    "layers",
+		DiffIDs: diffIDs,
+	}
+	// And now for some raw manipulation.
+	raw := make(map[string]*json.RawMessage)
+	err = json.Unmarshal(config, &raw)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error re-decoding compat image config %#v: %v", s2)
+	}
+	// Drop some fields.
+	delete(raw, "id")
+	delete(raw, "parent")
+	delete(raw, "parent_id")
+	delete(raw, "layer_id")
+	delete(raw, "throwaway")
+	delete(raw, "Size")
+	// Add the history and rootfs information.
+	rootfs, err := json.Marshal(rootFS)
+	if err != nil {
+		return nil, errors.Errorf("error encoding rootfs information %#v: %v", rootFS, err)
+	}
+	rawRootfs := json.RawMessage(rootfs)
+	raw["rootfs"] = &rawRootfs
+	history, err := json.Marshal(convertedHistory)
+	if err != nil {
+		return nil, errors.Errorf("error encoding history information %#v: %v", convertedHistory, err)
+	}
+	rawHistory := json.RawMessage(history)
+	raw["history"] = &rawHistory
+	// Encode the result.
+	config, err = json.Marshal(raw)
+	if err != nil {
+		return nil, errors.Errorf("error re-encoding compat image config %#v: %v", s2, err)
+	}
+	return config, nil
+}
+
+// ImageID computes an ID which can uniquely identify this image by its contents.
+func (m *Schema1) ImageID(diffIDs []digest.Digest) (string, error) {
+	image, err := m.ToSchema2(diffIDs)
+	if err != nil {
+		return "", err
+	}
+	return digest.FromBytes(image).Hex(), nil
+}

vendor/github.com/containers/image/manifest/docker_schema2.go

@@ -0,0 +1,251 @@
+package manifest
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/containers/image/pkg/strslice"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// Schema2Descriptor is a “descriptor” in docker/distribution schema 2.
+type Schema2Descriptor struct {
+	MediaType string        `json:"mediaType"`
+	Size      int64         `json:"size"`
+	Digest    digest.Digest `json:"digest"`
+	URLs      []string      `json:"urls,omitempty"`
+}
+
+// Schema2 is a manifest in docker/distribution schema 2.
+type Schema2 struct {
+	SchemaVersion     int                 `json:"schemaVersion"`
+	MediaType         string              `json:"mediaType"`
+	ConfigDescriptor  Schema2Descriptor   `json:"config"`
+	LayersDescriptors []Schema2Descriptor `json:"layers"`
+}
+
+// Schema2Port is a Port, a string containing port number and protocol in the
+// format "80/tcp", from docker/go-connections/nat.
+type Schema2Port string
+
+// Schema2PortSet is a PortSet, a collection of structs indexed by Port, from
+// docker/go-connections/nat.
+type Schema2PortSet map[Schema2Port]struct{}
+
+// Schema2HealthConfig is a HealthConfig, which holds configuration settings
+// for the HEALTHCHECK feature, from docker/docker/api/types/container.
+type Schema2HealthConfig struct {
+	// Test is the test to perform to check that the container is healthy.
+	// An empty slice means to inherit the default.
+	// The options are:
+	// {} : inherit healthcheck
+	// {"NONE"} : disable healthcheck
+	// {"CMD", args...} : exec arguments directly
+	// {"CMD-SHELL", command} : run command with system's default shell
+	Test []string `json:",omitempty"`
+
+	// Zero means to inherit. Durations are expressed as integer nanoseconds.
+	Interval time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Timeout  time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+
+	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
+	// Zero means inherit.
+	Retries int `json:",omitempty"`
+}
+
+// Schema2Config is a Config in docker/docker/api/types/container.
+type Schema2Config struct {
+	Hostname        string               // Hostname
+	Domainname      string               // Domainname
+	User            string               // User that will run the command(s) inside the container, also support user:group
+	AttachStdin     bool                 // Attach the standard input, makes possible user interaction
+	AttachStdout    bool                 // Attach the standard output
+	AttachStderr    bool                 // Attach the standard error
+	ExposedPorts    Schema2PortSet       `json:",omitempty"` // List of exposed ports
+	Tty             bool                 // Attach standard streams to a tty, including stdin if it is not closed.
+	OpenStdin       bool                 // Open stdin
+	StdinOnce       bool                 // If true, close stdin after the 1 attached client disconnects.
+	Env             []string             // List of environment variable to set in the container
+	Cmd             strslice.StrSlice    // Command to run when starting the container
+	Healthcheck     *Schema2HealthConfig `json:",omitempty"` // Healthcheck describes how to check the container is healthy
+	ArgsEscaped     bool                 `json:",omitempty"` // True if command is already escaped (Windows specific)
+	Image           string               // Name of the image as it was passed by the operator (e.g. could be symbolic)
+	Volumes         map[string]struct{}  // List of volumes (mounts) used for the container
+	WorkingDir      string               // Current directory (PWD) in the command will be launched
+	Entrypoint      strslice.StrSlice    // Entrypoint to run when starting the container
+	NetworkDisabled bool                 `json:",omitempty"` // Is network disabled
+	MacAddress      string               `json:",omitempty"` // Mac Address of the container
+	OnBuild         []string             // ONBUILD metadata that were defined on the image Dockerfile
+	Labels          map[string]string    // List of labels set to this container
+	StopSignal      string               `json:",omitempty"` // Signal to stop a container
+	StopTimeout     *int                 `json:",omitempty"` // Timeout (in seconds) to stop a container
+	Shell           strslice.StrSlice    `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
+}
+
+// Schema2V1Image is a V1Image in docker/docker/image.
+type Schema2V1Image struct {
+	// ID is a unique 64 character identifier of the image
+	ID string `json:"id,omitempty"`
+	// Parent is the ID of the parent image
+	Parent string `json:"parent,omitempty"`
+	// Comment is the commit message that was set when committing the image
+	Comment string `json:"comment,omitempty"`
+	// Created is the timestamp at which the image was created
+	Created time.Time `json:"created"`
+	// Container is the id of the container used to commit
+	Container string `json:"container,omitempty"`
+	// ContainerConfig is the configuration of the container that is committed into the image
+	ContainerConfig Schema2Config `json:"container_config,omitempty"`
+	// DockerVersion specifies the version of Docker that was used to build the image
+	DockerVersion string `json:"docker_version,omitempty"`
+	// Author is the name of the author that was specified when committing the image
+	Author string `json:"author,omitempty"`
+	// Config is the configuration of the container received from the client
+	Config *Schema2Config `json:"config,omitempty"`
+	// Architecture is the hardware that the image is build and runs on
+	Architecture string `json:"architecture,omitempty"`
+	// OS is the operating system used to build and run the image
+	OS string `json:"os,omitempty"`
+	// Size is the total size of the image including all layers it is composed of
+	Size int64 `json:",omitempty"`
+}
+
+// Schema2RootFS is a description of how to build up an image's root filesystem, from docker/docker/image.
+type Schema2RootFS struct {
+	Type    string          `json:"type"`
+	DiffIDs []digest.Digest `json:"diff_ids,omitempty"`
+}
+
+// Schema2History stores build commands that were used to create an image, from docker/docker/image.
+type Schema2History struct {
+	// Created is the timestamp at which the image was created
+	Created time.Time `json:"created"`
+	// Author is the name of the author that was specified when committing the image
+	Author string `json:"author,omitempty"`
+	// CreatedBy keeps the Dockerfile command used while building the image
+	CreatedBy string `json:"created_by,omitempty"`
+	// Comment is the commit message that was set when committing the image
+	Comment string `json:"comment,omitempty"`
+	// EmptyLayer is set to true if this history item did not generate a
+	// layer. Otherwise, the history item is associated with the next
+	// layer in the RootFS section.
+	EmptyLayer bool `json:"empty_layer,omitempty"`
+}
+
+// Schema2Image is an Image in docker/docker/image.
+type Schema2Image struct {
+	Schema2V1Image
+	Parent     digest.Digest    `json:"parent,omitempty"`
+	RootFS     *Schema2RootFS   `json:"rootfs,omitempty"`
+	History    []Schema2History `json:"history,omitempty"`
+	OSVersion  string           `json:"os.version,omitempty"`
+	OSFeatures []string         `json:"os.features,omitempty"`
+
+	// rawJSON caches the immutable JSON associated with this image.
+	rawJSON []byte
+
+	// computedID is the ID computed from the hash of the image config.
+	// Not to be confused with the legacy V1 ID in V1Image.
+	computedID digest.Digest
+}
+
+// Schema2FromManifest creates a Schema2 manifest instance from a manifest blob.
+func Schema2FromManifest(manifest []byte) (*Schema2, error) {
+	s2 := Schema2{}
+	if err := json.Unmarshal(manifest, &s2); err != nil {
+		return nil, err
+	}
+	return &s2, nil
+}
+
+// Schema2FromComponents creates an Schema2 manifest instance from the supplied data.
+func Schema2FromComponents(config Schema2Descriptor, layers []Schema2Descriptor) *Schema2 {
+	return &Schema2{
+		SchemaVersion:     2,
+		MediaType:         DockerV2Schema2MediaType,
+		ConfigDescriptor:  config,
+		LayersDescriptors: layers,
+	}
+}
+
+// Schema2Clone creates a copy of the supplied Schema2 manifest.
+func Schema2Clone(src *Schema2) *Schema2 {
+	copy := *src
+	return &copy
+}
+
+// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+func (m *Schema2) ConfigInfo() types.BlobInfo {
+	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
+}
+
+// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (m *Schema2) LayerInfos() []types.BlobInfo {
+	blobs := []types.BlobInfo{}
+	for _, layer := range m.LayersDescriptors {
+		blobs = append(blobs, types.BlobInfo{
+			Digest: layer.Digest,
+			Size:   layer.Size,
+			URLs:   layer.URLs,
+		})
+	}
+	return blobs
+}
+
+// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
+func (m *Schema2) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
+	if len(m.LayersDescriptors) != len(layerInfos) {
+		return errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(m.LayersDescriptors), len(layerInfos))
+	}
+	original := m.LayersDescriptors
+	m.LayersDescriptors = make([]Schema2Descriptor, len(layerInfos))
+	for i, info := range layerInfos {
+		m.LayersDescriptors[i].MediaType = original[i].MediaType
+		m.LayersDescriptors[i].Digest = info.Digest
+		m.LayersDescriptors[i].Size = info.Size
+		m.LayersDescriptors[i].URLs = info.URLs
+	}
+	return nil
+}
+
+// Serialize returns the manifest in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (m *Schema2) Serialize() ([]byte, error) {
+	return json.Marshal(*m)
+}
+
+// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
+func (m *Schema2) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error) {
+	config, err := configGetter(m.ConfigInfo())
+	if err != nil {
+		return nil, err
+	}
+	s2 := &Schema2Image{}
+	if err := json.Unmarshal(config, s2); err != nil {
+		return nil, err
+	}
+	i := &types.ImageInspectInfo{
+		Tag:           "",
+		Created:       s2.Created,
+		DockerVersion: s2.DockerVersion,
+		Architecture:  s2.Architecture,
+		Os:            s2.OS,
+		Layers:        LayerInfosToStrings(m.LayerInfos()),
+	}
+	if s2.Config != nil {
+		i.Labels = s2.Config.Labels
+	}
+	return i, nil
+}
+
+// ImageID computes an ID which can uniquely identify this image by its contents.
+func (m *Schema2) ImageID([]digest.Digest) (string, error) {
+	if err := m.ConfigDescriptor.Digest.Validate(); err != nil {
+		return "", err
+	}
+	return m.ConfigDescriptor.Digest.Hex(), nil
+}

vendor/github.com/containers/image/manifest/manifest.go

@@ -2,7 +2,9 @@ package manifest
 
 import (
 	"encoding/json"
+	"fmt"
 
+	"github.com/containers/image/types"
 	"github.com/docker/libtrust"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -38,6 +40,39 @@ var DefaultRequestedManifestMIMETypes = []string{
 	DockerV2ListMediaType,
 }
 
+// Manifest is an interface for parsing, modifying image manifests in isolation.
+// Callers can either use this abstract interface without understanding the details of the formats,
+// or instantiate a specific implementation (e.g. manifest.OCI1) and access the public members
+// directly.
+//
+// See types.Image for functionality not limited to manifests, including format conversions and config parsing.
+// This interface is similar to, but not strictly equivalent to, the equivalent methods in types.Image.
+type Manifest interface {
+	// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+	ConfigInfo() types.BlobInfo
+	// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+	// The Digest field is guaranteed to be provided; Size may be -1.
+	// WARNING: The list may contain duplicates, and they are semantically relevant.
+	LayerInfos() []types.BlobInfo
+	// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
+	UpdateLayerInfos(layerInfos []types.BlobInfo) error
+
+	// ImageID computes an ID which can uniquely identify this image by its contents, irrespective
+	// of which (of possibly more than one simultaneously valid) reference was used to locate the
+	// image, and unchanged by whether or how the layers are compressed.  The result takes the form
+	// of the hexadecimal portion of a digest.Digest.
+	ImageID(diffIDs []digest.Digest) (string, error)
+
+	// Inspect returns various information for (skopeo inspect) parsed from the manifest,
+	// incorporating information from a configuration blob returned by configGetter, if
+	// the underlying image format is expected to include a configuration blob.
+	Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error)
+
+	// Serialize returns the manifest in a blob format.
+	// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+	Serialize() ([]byte, error)
+}
+
 // GuessMIMEType guesses MIME type of a manifest and returns it _if it is recognized_, or "" if unknown or unrecognized.
 // FIXME? We should, in general, prefer out-of-band MIME type instead of blindly parsing the manifest,
 // but we may not have such metadata available (e.g. when the manifest is a local file).
@@ -142,3 +177,62 @@ func AddDummyV2S1Signature(manifest []byte) ([]byte, error) {
 	}
 	return js.PrettySignature("signatures")
 }
+
+// MIMETypeIsMultiImage returns true if mimeType is a list of images
+func MIMETypeIsMultiImage(mimeType string) bool {
+	return mimeType == DockerV2ListMediaType
+}
+
+// NormalizedMIMEType returns the effective MIME type of a manifest MIME type returned by a server,
+// centralizing various workarounds.
+func NormalizedMIMEType(input string) string {
+	switch input {
+	// "application/json" is a valid v2s1 value per https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-1.md .
+	// This works for now, when nothing else seems to return "application/json"; if that were not true, the mapping/detection might
+	// need to happen within the ImageSource.
+	case "application/json":
+		return DockerV2Schema1SignedMediaType
+	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType,
+		imgspecv1.MediaTypeImageManifest,
+		DockerV2Schema2MediaType,
+		DockerV2ListMediaType:
+		return input
+	default:
+		// If it's not a recognized manifest media type, or we have failed determining the type, we'll try one last time
+		// to deserialize using v2s1 as per https://github.com/docker/distribution/blob/master/manifests.go#L108
+		// and https://github.com/docker/distribution/blob/master/manifest/schema1/manifest.go#L50
+		//
+		// Crane registries can also return "text/plain", or pretty much anything else depending on a file extension “recognized” in the tag.
+		// This makes no real sense, but it happens
+		// because requests for manifests are
+		// redirected to a content distribution
+		// network which is configured that way. See https://bugzilla.redhat.com/show_bug.cgi?id=1389442
+		return DockerV2Schema1SignedMediaType
+	}
+}
+
+// FromBlob returns a Manifest instance for the specified manifest blob and the corresponding MIME type
+func FromBlob(manblob []byte, mt string) (Manifest, error) {
+	switch NormalizedMIMEType(mt) {
+	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType:
+		return Schema1FromManifest(manblob)
+	case imgspecv1.MediaTypeImageManifest:
+		return OCI1FromManifest(manblob)
+	case DockerV2Schema2MediaType:
+		return Schema2FromManifest(manblob)
+	case DockerV2ListMediaType:
+		return nil, fmt.Errorf("Treating manifest lists as individual manifests is not implemented")
+	default: // Note that this may not be reachable, NormalizedMIMEType has a default for unknown values.
+		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", mt)
+	}
+}
+
+// LayerInfosToStrings converts a list of layer infos, presumably obtained from a Manifest.LayerInfos()
+// method call, into a format suitable for inclusion in a types.ImageInspectInfo structure.
+func LayerInfosToStrings(infos []types.BlobInfo) []string {
+	layers := make([]string, len(infos))
+	for i, info := range infos {
+		layers[i] = info.Digest.String()
+	}
+	return layers
+}

vendor/github.com/containers/image/manifest/oci.go

@@ -0,0 +1,120 @@
+package manifest
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// OCI1 is a manifest.Manifest implementation for OCI images.
+// The underlying data from imgspecv1.Manifest is also available.
+type OCI1 struct {
+	imgspecv1.Manifest
+}
+
+// OCI1FromManifest creates an OCI1 manifest instance from a manifest blob.
+func OCI1FromManifest(manifest []byte) (*OCI1, error) {
+	oci1 := OCI1{}
+	if err := json.Unmarshal(manifest, &oci1); err != nil {
+		return nil, err
+	}
+	return &oci1, nil
+}
+
+// OCI1FromComponents creates an OCI1 manifest instance from the supplied data.
+func OCI1FromComponents(config imgspecv1.Descriptor, layers []imgspecv1.Descriptor) *OCI1 {
+	return &OCI1{
+		imgspecv1.Manifest{
+			Versioned: specs.Versioned{SchemaVersion: 2},
+			Config:    config,
+			Layers:    layers,
+		},
+	}
+}
+
+// OCI1Clone creates a copy of the supplied OCI1 manifest.
+func OCI1Clone(src *OCI1) *OCI1 {
+	return &OCI1{
+		Manifest: src.Manifest,
+	}
+}
+
+// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+func (m *OCI1) ConfigInfo() types.BlobInfo {
+	return types.BlobInfo{Digest: m.Config.Digest, Size: m.Config.Size, Annotations: m.Config.Annotations}
+}
+
+// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (m *OCI1) LayerInfos() []types.BlobInfo {
+	blobs := []types.BlobInfo{}
+	for _, layer := range m.Layers {
+		blobs = append(blobs, types.BlobInfo{Digest: layer.Digest, Size: layer.Size, Annotations: layer.Annotations, URLs: layer.URLs, MediaType: layer.MediaType})
+	}
+	return blobs
+}
+
+// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
+func (m *OCI1) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
+	if len(m.Layers) != len(layerInfos) {
+		return errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(m.Layers), len(layerInfos))
+	}
+	original := m.Layers
+	m.Layers = make([]imgspecv1.Descriptor, len(layerInfos))
+	for i, info := range layerInfos {
+		m.Layers[i].MediaType = original[i].MediaType
+		m.Layers[i].Digest = info.Digest
+		m.Layers[i].Size = info.Size
+		m.Layers[i].Annotations = info.Annotations
+		m.Layers[i].URLs = info.URLs
+	}
+	return nil
+}
+
+// Serialize returns the manifest in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (m *OCI1) Serialize() ([]byte, error) {
+	return json.Marshal(*m)
+}
+
+// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
+func (m *OCI1) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error) {
+	config, err := configGetter(m.ConfigInfo())
+	if err != nil {
+		return nil, err
+	}
+	v1 := &imgspecv1.Image{}
+	if err := json.Unmarshal(config, v1); err != nil {
+		return nil, err
+	}
+	d1 := &Schema2V1Image{}
+	json.Unmarshal(config, d1)
+	created := time.Time{}
+	if v1.Created != nil {
+		created = *v1.Created
+	}
+	i := &types.ImageInspectInfo{
+		Tag:           "",
+		Created:       created,
+		DockerVersion: d1.DockerVersion,
+		Labels:        v1.Config.Labels,
+		Architecture:  v1.Architecture,
+		Os:            v1.OS,
+		Layers:        LayerInfosToStrings(m.LayerInfos()),
+	}
+	return i, nil
+}
+
+// ImageID computes an ID which can uniquely identify this image by its contents.
+func (m *OCI1) ImageID([]digest.Digest) (string, error) {
+	if err := m.Config.Digest.Validate(); err != nil {
+		return "", err
+	}
+	return m.Config.Digest.Hex(), nil
+}

vendor/github.com/containers/image/oci/archive/oci_dest.go

@@ -0,0 +1,131 @@
+package archive
+
+import (
+	"io"
+	"os"
+
+	"github.com/containers/image/types"
+	"github.com/containers/storage/pkg/archive"
+	"github.com/pkg/errors"
+)
+
+type ociArchiveImageDestination struct {
+	ref          ociArchiveReference
+	unpackedDest types.ImageDestination
+	tempDirRef   tempDirOCIRef
+}
+
+// newImageDestination returns an ImageDestination for writing to an existing directory.
+func newImageDestination(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageDestination, error) {
+	tempDirRef, err := createOCIRef(ref.image)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error creating oci reference")
+	}
+	unpackedDest, err := tempDirRef.ociRefExtracted.NewImageDestination(ctx)
+	if err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
+		}
+		return nil, err
+	}
+	return &ociArchiveImageDestination{ref: ref,
+		unpackedDest: unpackedDest,
+		tempDirRef:   tempDirRef}, nil
+}
+
+// Reference returns the reference used to set up this destination.
+func (d *ociArchiveImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any
+// Close deletes the temp directory of the oci-archive image
+func (d *ociArchiveImageDestination) Close() error {
+	defer d.tempDirRef.deleteTempDir()
+	return d.unpackedDest.Close()
+}
+
+func (d *ociArchiveImageDestination) SupportedManifestMIMETypes() []string {
+	return d.unpackedDest.SupportedManifestMIMETypes()
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures
+func (d *ociArchiveImageDestination) SupportsSignatures() error {
+	return d.unpackedDest.SupportsSignatures()
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination
+func (d *ociArchiveImageDestination) ShouldCompressLayers() bool {
+	return d.unpackedDest.ShouldCompressLayers()
+}
+
+// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
+// uploaded to the image destination, true otherwise.
+func (d *ociArchiveImageDestination) AcceptsForeignLayerURLs() bool {
+	return d.unpackedDest.AcceptsForeignLayerURLs()
+}
+
+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise
+func (d *ociArchiveImageDestination) MustMatchRuntimeOS() bool {
+	return d.unpackedDest.MustMatchRuntimeOS()
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+func (d *ociArchiveImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	return d.unpackedDest.PutBlob(stream, inputInfo)
+}
+
+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob
+func (d *ociArchiveImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	return d.unpackedDest.HasBlob(info)
+}
+
+func (d *ociArchiveImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return d.unpackedDest.ReapplyBlob(info)
+}
+
+// PutManifest writes manifest to the destination
+func (d *ociArchiveImageDestination) PutManifest(m []byte) error {
+	return d.unpackedDest.PutManifest(m)
+}
+
+func (d *ociArchiveImageDestination) PutSignatures(signatures [][]byte) error {
+	return d.unpackedDest.PutSignatures(signatures)
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted
+// after the directory is made, it is tarred up into a file and the directory is deleted
+func (d *ociArchiveImageDestination) Commit() error {
+	if err := d.unpackedDest.Commit(); err != nil {
+		return errors.Wrapf(err, "error storing image %q", d.ref.image)
+	}
+
+	// path of directory to tar up
+	src := d.tempDirRef.tempDirectory
+	// path to save tarred up file
+	dst := d.ref.resolvedFile
+	return tarDirectory(src, dst)
+}
+
+// tar converts the directory at src and saves it to dst
+func tarDirectory(src, dst string) error {
+	// input is a stream of bytes from the archive of the directory at path
+	input, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		return errors.Wrapf(err, "error retrieving stream of bytes from %q", src)
+	}
+
+	// creates the tar file
+	outFile, err := os.Create(dst)
+	if err != nil {
+		return errors.Wrapf(err, "error creating tar file %q", dst)
+	}
+	defer outFile.Close()
+
+	// copies the contents of the directory to the tar file
+	_, err = io.Copy(outFile, input)
+
+	return err
+}

vendor/github.com/containers/image/oci/archive/oci_src.go

@@ -0,0 +1,95 @@
+package archive
+
+import (
+	"context"
+	"io"
+
+	ocilayout "github.com/containers/image/oci/layout"
+	"github.com/containers/image/types"
+	digest "github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type ociArchiveImageSource struct {
+	ref         ociArchiveReference
+	unpackedSrc types.ImageSource
+	tempDirRef  tempDirOCIRef
+}
+
+// newImageSource returns an ImageSource for reading from an existing directory.
+// newImageSource untars the file and saves it in a temp directory
+func newImageSource(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageSource, error) {
+	tempDirRef, err := createUntarTempDir(ref)
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating temp directory")
+	}
+
+	unpackedSrc, err := tempDirRef.ociRefExtracted.NewImageSource(ctx)
+	if err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
+		}
+		return nil, err
+	}
+	return &ociArchiveImageSource{ref: ref,
+		unpackedSrc: unpackedSrc,
+		tempDirRef:  tempDirRef}, nil
+}
+
+// LoadManifestDescriptor loads the manifest
+func LoadManifestDescriptor(imgRef types.ImageReference) (imgspecv1.Descriptor, error) {
+	ociArchRef, ok := imgRef.(ociArchiveReference)
+	if !ok {
+		return imgspecv1.Descriptor{}, errors.Errorf("error typecasting, need type ociArchiveReference")
+	}
+	tempDirRef, err := createUntarTempDir(ociArchRef)
+	if err != nil {
+		return imgspecv1.Descriptor{}, errors.Wrap(err, "error creating temp directory")
+	}
+	defer tempDirRef.deleteTempDir()
+
+	descriptor, err := ocilayout.LoadManifestDescriptor(tempDirRef.ociRefExtracted)
+	if err != nil {
+		return imgspecv1.Descriptor{}, errors.Wrap(err, "error loading index")
+	}
+	return descriptor, nil
+}
+
+// Reference returns the reference used to set up this source.
+func (s *ociArchiveImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+// Close deletes the temporary directory at dst
+func (s *ociArchiveImageSource) Close() error {
+	defer s.tempDirRef.deleteTempDir()
+	return s.unpackedSrc.Close()
+}
+
+// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
+// It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *ociArchiveImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	return s.unpackedSrc.GetManifest(instanceDigest)
+}
+
+// GetBlob returns a stream for the specified blob, and the blob's size.
+func (s *ociArchiveImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+	return s.unpackedSrc.GetBlob(info)
+}
+
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *ociArchiveImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	return s.unpackedSrc.GetSignatures(ctx, instanceDigest)
+}
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *ociArchiveImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/oci/archive/oci_transport.go

@@ -0,0 +1,190 @@
+package archive
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/image/directory/explicitfilepath"
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
+	"github.com/containers/image/internal/tmpdir"
+	"github.com/containers/image/oci/internal"
+	ocilayout "github.com/containers/image/oci/layout"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/containers/storage/pkg/archive"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for OCI archive
+// it creates an oci-archive tar file by calling into the OCI transport
+// tarring the directory created by oci and deleting the directory
+var Transport = ociArchiveTransport{}
+
+type ociArchiveTransport struct{}
+
+// ociArchiveReference is an ImageReference for OCI Archive paths
+type ociArchiveReference struct {
+	file         string
+	resolvedFile string
+	image        string
+}
+
+func (t ociArchiveTransport) Name() string {
+	return "oci-archive"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix
+// into an ImageReference.
+func (t ociArchiveTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+func (t ociArchiveTransport) ValidatePolicyConfigurationScope(scope string) error {
+	return internal.ValidateScope(scope)
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an OCI ImageReference.
+func ParseReference(reference string) (types.ImageReference, error) {
+	file, image := internal.SplitPathAndImage(reference)
+	return NewReference(file, image)
+}
+
+// NewReference returns an OCI reference for a file and a image.
+func NewReference(file, image string) (types.ImageReference, error) {
+	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(file)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := internal.ValidateOCIPath(file); err != nil {
+		return nil, err
+	}
+
+	if err := internal.ValidateImageName(image); err != nil {
+		return nil, err
+	}
+
+	return ociArchiveReference{file: file, resolvedFile: resolved, image: image}, nil
+}
+
+func (ref ociArchiveReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+func (ref ociArchiveReference) StringWithinTransport() string {
+	return fmt.Sprintf("%s:%s", ref.file, ref.image)
+}
+
+// DockerReference returns a Docker reference associated with this reference
+func (ref ociArchiveReference) DockerReference() reference.Named {
+	return nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+func (ref ociArchiveReference) PolicyConfigurationIdentity() string {
+	// NOTE: ref.image is not a part of the image identity, because "$dir:$someimage" and "$dir:" may mean the
+	// same image and the two can’t be statically disambiguated.  Using at least the repository directory is
+	// less granular but hopefully still useful.
+	return fmt.Sprintf("%s", ref.resolvedFile)
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set
+func (ref ociArchiveReference) PolicyConfigurationNamespaces() []string {
+	res := []string{}
+	path := ref.resolvedFile
+	for {
+		lastSlash := strings.LastIndex(path, "/")
+		// Note that we do not include "/"; it is redundant with the default "" global default,
+		// and rejected by ociTransport.ValidatePolicyConfigurationScope above.
+		if lastSlash == -1 || path == "/" {
+			break
+		}
+		res = append(res, path)
+		path = path[:lastSlash]
+	}
+	return res
+}
+
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref ociArchiveReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	src, err := newImageSource(ctx, ref)
+	if err != nil {
+		return nil, err
+	}
+	return image.FromSource(ctx, src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference.
+// The caller must call .Close() on the returned ImageSource.
+func (ref ociArchiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref ociArchiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref ociArchiveReference) DeleteImage(ctx *types.SystemContext) error {
+	return errors.Errorf("Deleting images not implemented for oci: images")
+}
+
+// struct to store the ociReference and temporary directory returned by createOCIRef
+type tempDirOCIRef struct {
+	tempDirectory   string
+	ociRefExtracted types.ImageReference
+}
+
+// deletes the temporary directory created
+func (t *tempDirOCIRef) deleteTempDir() error {
+	return os.RemoveAll(t.tempDirectory)
+}
+
+// createOCIRef creates the oci reference of the image
+func createOCIRef(image string) (tempDirOCIRef, error) {
+	dir, err := ioutil.TempDir(tmpdir.TemporaryDirectoryForBigFiles(), "oci")
+	if err != nil {
+		return tempDirOCIRef{}, errors.Wrapf(err, "error creating temp directory")
+	}
+	ociRef, err := ocilayout.NewReference(dir, image)
+	if err != nil {
+		return tempDirOCIRef{}, err
+	}
+
+	tempDirRef := tempDirOCIRef{tempDirectory: dir, ociRefExtracted: ociRef}
+	return tempDirRef, nil
+}
+
+// creates the temporary directory and copies the tarred content to it
+func createUntarTempDir(ref ociArchiveReference) (tempDirOCIRef, error) {
+	tempDirRef, err := createOCIRef(ref.image)
+	if err != nil {
+		return tempDirOCIRef{}, errors.Wrap(err, "error creating oci reference")
+	}
+	src := ref.resolvedFile
+	dst := tempDirRef.tempDirectory
+	if err := archive.UntarPath(src, dst); err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return tempDirOCIRef{}, errors.Wrapf(err, "error deleting temp directory %q", tempDirRef.tempDirectory)
+		}
+		return tempDirOCIRef{}, errors.Wrapf(err, "error untarring file %q", tempDirRef.tempDirectory)
+	}
+	return tempDirRef, nil
+}

vendor/github.com/containers/image/oci/internal/oci_util.go

@@ -0,0 +1,126 @@
+package internal
+
+import (
+	"github.com/pkg/errors"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+)
+
+// annotation spex from https://github.com/opencontainers/image-spec/blob/master/annotations.md#pre-defined-annotation-keys
+const (
+	separator = `(?:[-._:@+]|--)`
+	alphanum  = `(?:[A-Za-z0-9]+)`
+	component = `(?:` + alphanum + `(?:` + separator + alphanum + `)*)`
+)
+
+var refRegexp = regexp.MustCompile(`^` + component + `(?:/` + component + `)*$`)
+var windowsRefRegexp = regexp.MustCompile(`^([a-zA-Z]:\\.+?):(.*)$`)
+
+// ValidateImageName returns nil if the image name is empty or matches the open-containers image name specs.
+// In any other case an error is returned.
+func ValidateImageName(image string) error {
+	if len(image) == 0 {
+		return nil
+	}
+
+	var err error
+	if !refRegexp.MatchString(image) {
+		err = errors.Errorf("Invalid image %s", image)
+	}
+	return err
+}
+
+// SplitPathAndImage tries to split the provided OCI reference into the OCI path and image.
+// Neither path nor image parts are validated at this stage.
+func SplitPathAndImage(reference string) (string, string) {
+	if runtime.GOOS == "windows" {
+		return splitPathAndImageWindows(reference)
+	}
+	return splitPathAndImageNonWindows(reference)
+}
+
+func splitPathAndImageWindows(reference string) (string, string) {
+	groups := windowsRefRegexp.FindStringSubmatch(reference)
+	// nil group means no match
+	if groups == nil {
+		return reference, ""
+	}
+
+	// we expect three elements. First one full match, second the capture group for the path and
+	// the third the capture group for the image
+	if len(groups) != 3 {
+		return reference, ""
+	}
+	return groups[1], groups[2]
+}
+
+func splitPathAndImageNonWindows(reference string) (string, string) {
+	sep := strings.SplitN(reference, ":", 2)
+	path := sep[0]
+
+	var image string
+	if len(sep) == 2 {
+		image = sep[1]
+	}
+	return path, image
+}
+
+// ValidateOCIPath takes the OCI path and validates it.
+func ValidateOCIPath(path string) error {
+	if runtime.GOOS == "windows" {
+		// On Windows we must allow for a ':' as part of the path
+		if strings.Count(path, ":") > 1 {
+			return errors.Errorf("Invalid OCI reference: path %s contains more than one colon", path)
+		}
+	} else {
+		if strings.Contains(path, ":") {
+			return errors.Errorf("Invalid OCI reference: path %s contains a colon", path)
+		}
+	}
+	return nil
+}
+
+// ValidateScope validates a policy configuration scope for an OCI transport.
+func ValidateScope(scope string) error {
+	var err error
+	if runtime.GOOS == "windows" {
+		err = validateScopeWindows(scope)
+	} else {
+		err = validateScopeNonWindows(scope)
+	}
+	if err != nil {
+		return err
+	}
+
+	cleaned := filepath.Clean(scope)
+	if cleaned != scope {
+		return errors.Errorf(`Invalid scope %s: Uses non-canonical path format, perhaps try with path %s`, scope, cleaned)
+	}
+
+	return nil
+}
+
+func validateScopeWindows(scope string) error {
+	matched, _ := regexp.Match(`^[a-zA-Z]:\\`, []byte(scope))
+	if !matched {
+		return errors.Errorf("Invalid scope '%s'. Must be an absolute path", scope)
+	}
+
+	return nil
+}
+
+func validateScopeNonWindows(scope string) error {
+	if !strings.HasPrefix(scope, "/") {
+		return errors.Errorf("Invalid scope %s: must be an absolute path", scope)
+	}
+
+	// Refuse also "/", otherwise "/" and "" would have the same semantics,
+	// and "" could be unexpectedly shadowed by the "/" entry.
+	if scope == "/" {
+		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
+	}
+
+	return nil
+}

vendor/github.com/containers/image/oci/layout/oci_dest.go

@@ -18,18 +18,47 @@ import (
 )
 
 type ociImageDestination struct {
-	ref   ociReference
-	index imgspecv1.Index
+	ref           ociReference
+	index         imgspecv1.Index
+	sharedBlobDir string
 }
 
 // newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ref ociReference) types.ImageDestination {
-	index := imgspecv1.Index{
-		Versioned: imgspec.Versioned{
-			SchemaVersion: 2,
-		},
+func newImageDestination(ctx *types.SystemContext, ref ociReference) (types.ImageDestination, error) {
+	if ref.image == "" {
+		return nil, errors.Errorf("cannot save image with empty image.ref.name")
 	}
-	return &ociImageDestination{ref: ref, index: index}
+
+	var index *imgspecv1.Index
+	if indexExists(ref) {
+		var err error
+		index, err = ref.getIndex()
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		index = &imgspecv1.Index{
+			Versioned: imgspec.Versioned{
+				SchemaVersion: 2,
+			},
+		}
+	}
+
+	d := &ociImageDestination{ref: ref, index: *index}
+	if ctx != nil {
+		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+	}
+
+	if err := ensureDirectoryExists(d.ref.dir); err != nil {
+		return nil, err
+	}
+	// Per the OCI image specification, layouts MUST have a "blobs" subdirectory,
+	// but it MAY be empty (e.g. if we never end up calling PutBlob)
+	// https://github.com/opencontainers/image-spec/blame/7c889fafd04a893f5c5f50b7ab9963d5d64e5242/image-layout.md#L19
+	if err := ensureDirectoryExists(filepath.Join(d.ref.dir, "blobs")); err != nil {
+		return nil, err
+	}
+	return d, nil
 }
 
 // Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
@@ -63,7 +92,7 @@ func (d *ociImageDestination) ShouldCompressLayers() bool {
 // AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
 // uploaded to the image destination, true otherwise.
 func (d *ociImageDestination) AcceptsForeignLayerURLs() bool {
-	return false
+	return true
 }
 
 // MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
@@ -78,16 +107,16 @@ func (d *ociImageDestination) MustMatchRuntimeOS() bool {
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
 func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
-	if err := ensureDirectoryExists(d.ref.dir); err != nil {
-		return types.BlobInfo{}, err
-	}
 	blobFile, err := ioutil.TempFile(d.ref.dir, "oci-put-blob")
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	succeeded := false
+	explicitClosed := false
 	defer func() {
-		blobFile.Close()
+		if !explicitClosed {
+			blobFile.Close()
+		}
 		if !succeeded {
 			os.Remove(blobFile.Name())
 		}
@@ -107,17 +136,28 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	if err := blobFile.Sync(); err != nil {
 		return types.BlobInfo{}, err
 	}
-	if err := blobFile.Chmod(0644); err != nil {
-		return types.BlobInfo{}, err
+
+	// On POSIX systems, blobFile was created with mode 0600, so we need to make it readable.
+	// On Windows, the “permissions of newly created files” argument to syscall.Open is
+	// ignored and the file is already readable; besides, blobFile.Chmod, i.e. syscall.Fchmod,
+	// always fails on Windows.
+	if runtime.GOOS != "windows" {
+		if err := blobFile.Chmod(0644); err != nil {
+			return types.BlobInfo{}, err
+		}
 	}
 
-	blobPath, err := d.ref.blobPath(computedDigest)
+	blobPath, err := d.ref.blobPath(computedDigest, d.sharedBlobDir)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	if err := ensureParentDirectoryExists(blobPath); err != nil {
 		return types.BlobInfo{}, err
 	}
+
+	// need to explicitly close the file, since a rename won't otherwise not work on Windows
+	blobFile.Close()
+	explicitClosed = true
 	if err := os.Rename(blobFile.Name(), blobPath); err != nil {
 		return types.BlobInfo{}, err
 	}
@@ -133,7 +173,7 @@ func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error)
 	if info.Digest == "" {
 		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
 	}
-	blobPath, err := d.ref.blobPath(info.Digest)
+	blobPath, err := d.ref.blobPath(info.Digest, d.sharedBlobDir)
 	if err != nil {
 		return false, -1, err
 	}
@@ -166,7 +206,7 @@ func (d *ociImageDestination) PutManifest(m []byte) error {
 	desc.MediaType = imgspecv1.MediaTypeImageManifest
 	desc.Size = int64(len(m))
 
-	blobPath, err := d.ref.blobPath(digest)
+	blobPath, err := d.ref.blobPath(digest, d.sharedBlobDir)
 	if err != nil {
 		return err
 	}
@@ -177,30 +217,31 @@ func (d *ociImageDestination) PutManifest(m []byte) error {
 		return err
 	}
 
+	if d.ref.image == "" {
+		return errors.Errorf("cannot save image with empyt image.ref.name")
+	}
+
 	annotations := make(map[string]string)
-	annotations["org.opencontainers.image.ref.name"] = d.ref.tag
+	annotations["org.opencontainers.image.ref.name"] = d.ref.image
 	desc.Annotations = annotations
 	desc.Platform = &imgspecv1.Platform{
 		Architecture: runtime.GOARCH,
 		OS:           runtime.GOOS,
 	}
-	d.index.Manifests = append(d.index.Manifests, desc)
+	d.addManifest(&desc)
 
 	return nil
 }
 
-func ensureDirectoryExists(path string) error {
-	if _, err := os.Stat(path); err != nil && os.IsNotExist(err) {
-		if err := os.MkdirAll(path, 0755); err != nil {
-			return err
+func (d *ociImageDestination) addManifest(desc *imgspecv1.Descriptor) {
+	for i, manifest := range d.index.Manifests {
+		if manifest.Annotations["org.opencontainers.image.ref.name"] == desc.Annotations["org.opencontainers.image.ref.name"] {
+			// TODO Should there first be a cleanup based on the descriptor we are going to replace?
+			d.index.Manifests[i] = *desc
+			return
 		}
 	}
-	return nil
-}
-
-// ensureParentDirectoryExists ensures the parent of the supplied path exists.
-func ensureParentDirectoryExists(path string) error {
-	return ensureDirectoryExists(filepath.Dir(path))
+	d.index.Manifests = append(d.index.Manifests, *desc)
 }
 
 func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
@@ -224,3 +265,30 @@ func (d *ociImageDestination) Commit() error {
 	}
 	return ioutil.WriteFile(d.ref.indexPath(), indexJSON, 0644)
 }
+
+func ensureDirectoryExists(path string) error {
+	if _, err := os.Stat(path); err != nil && os.IsNotExist(err) {
+		if err := os.MkdirAll(path, 0755); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ensureParentDirectoryExists ensures the parent of the supplied path exists.
+func ensureParentDirectoryExists(path string) error {
+	return ensureDirectoryExists(filepath.Dir(path))
+}
+
+// indexExists checks whether the index location specified in the OCI reference exists.
+// The implementation is opinionated, since in case of unexpected errors false is returned
+func indexExists(ref ociReference) bool {
+	_, err := os.Stat(ref.indexPath())
+	if err == nil {
+		return true
+	}
+	if os.IsNotExist(err) {
+		return false
+	}
+	return true
+}

vendor/github.com/containers/image/oci/layout/oci_src.go

@@ -1,27 +1,52 @@
 package layout
 
 import (
+	"context"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"os"
+	"strconv"
 
+	"github.com/containers/image/pkg/tlsclientconfig"
 	"github.com/containers/image/types"
+	"github.com/docker/go-connections/tlsconfig"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )
 
 type ociImageSource struct {
-	ref        ociReference
-	descriptor imgspecv1.Descriptor
+	ref           ociReference
+	descriptor    imgspecv1.Descriptor
+	client        *http.Client
+	sharedBlobDir string
 }
 
 // newImageSource returns an ImageSource for reading from an existing directory.
-func newImageSource(ref ociReference) (types.ImageSource, error) {
+func newImageSource(ctx *types.SystemContext, ref ociReference) (types.ImageSource, error) {
+	tr := tlsclientconfig.NewTransport()
+	tr.TLSClientConfig = tlsconfig.ServerDefault()
+
+	if ctx != nil && ctx.OCICertPath != "" {
+		if err := tlsclientconfig.SetupCertificates(ctx.OCICertPath, tr.TLSClientConfig); err != nil {
+			return nil, err
+		}
+		tr.TLSClientConfig.InsecureSkipVerify = ctx.OCIInsecureSkipTLSVerify
+	}
+
+	client := &http.Client{}
+	client.Transport = tr
 	descriptor, err := ref.getManifestDescriptor()
 	if err != nil {
 		return nil, err
 	}
-	return &ociImageSource{ref: ref, descriptor: descriptor}, nil
+	d := &ociImageSource{ref: ref, descriptor: descriptor, client: client}
+	if ctx != nil {
+		// TODO(jonboulle): check dir existence?
+		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+	}
+	return d, nil
 }
 
 // Reference returns the reference used to set up this source.
@@ -36,8 +61,26 @@ func (s *ociImageSource) Close() error {
 
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *ociImageSource) GetManifest() ([]byte, string, error) {
-	manifestPath, err := s.ref.blobPath(digest.Digest(s.descriptor.Digest))
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *ociImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	var dig digest.Digest
+	var mimeType string
+	if instanceDigest == nil {
+		dig = digest.Digest(s.descriptor.Digest)
+		mimeType = s.descriptor.MediaType
+	} else {
+		dig = *instanceDigest
+		// XXX: instanceDigest means that we don't immediately have the context of what
+		//      mediaType the manifest has. In OCI this means that we don't know
+		//      what reference it came from, so we just *assume* that its
+		//      MediaTypeImageManifest.
+		// FIXME: We should actually be able to look up the manifest in the index,
+		// and see the MIME type there.
+		mimeType = imgspecv1.MediaTypeImageManifest
+	}
+
+	manifestPath, err := s.ref.blobPath(dig, s.sharedBlobDir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -46,30 +89,16 @@ func (s *ociImageSource) GetManifest() ([]byte, string, error) {
 		return nil, "", err
 	}
 
-	return m, s.descriptor.MediaType, nil
-}
-
-func (s *ociImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	manifestPath, err := s.ref.blobPath(digest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	m, err := ioutil.ReadFile(manifestPath)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// XXX: GetTargetManifest means that we don't have the context of what
-	//      mediaType the manifest has. In OCI this means that we don't know
-	//      what reference it came from, so we just *assume* that its
-	//      MediaTypeImageManifest.
-	return m, imgspecv1.MediaTypeImageManifest, nil
+	return m, mimeType, nil
 }
 
 // GetBlob returns a stream for the specified blob, and the blob's size.
 func (s *ociImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
-	path, err := s.ref.blobPath(info.Digest)
+	if len(info.URLs) != 0 {
+		return s.getExternalBlob(info.URLs)
+	}
+
+	path, err := s.ref.blobPath(info.Digest, s.sharedBlobDir)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -85,6 +114,44 @@ func (s *ociImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, err
 	return r, fi.Size(), nil
 }
 
-func (s *ociImageSource) GetSignatures() ([][]byte, error) {
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *ociImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
 	return [][]byte{}, nil
 }
+
+func (s *ociImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, error) {
+	errWrap := errors.New("failed fetching external blob from all urls")
+	for _, url := range urls {
+		resp, err := s.client.Get(url)
+		if err != nil {
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
+			continue
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			resp.Body.Close()
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed, response code not 200", url)
+			continue
+		}
+
+		return resp.Body, getBlobSize(resp), nil
+	}
+
+	return nil, 0, errWrap
+}
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *ociImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}
+
+func getBlobSize(resp *http.Response) int64 {
+	size, err := strconv.ParseInt(resp.Header.Get("Content-Length"), 10, 64)
+	if err != nil {
+		size = -1
+	}
+	return size
+}

vendor/github.com/containers/image/oci/layout/oci_transport.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"regexp"
 	"strings"
 
 	"github.com/containers/image/directory/explicitfilepath"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/image"
+	"github.com/containers/image/oci/internal"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
@@ -36,43 +36,12 @@ func (t ociTransport) ParseReference(reference string) (types.ImageReference, er
 	return ParseReference(reference)
 }
 
-var refRegexp = regexp.MustCompile(`^([A-Za-z0-9._-]+)+$`)
-
 // ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
 // (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
 // It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
 // scope passed to this function will not be "", that value is always allowed.
 func (t ociTransport) ValidatePolicyConfigurationScope(scope string) error {
-	var dir string
-	sep := strings.LastIndex(scope, ":")
-	if sep == -1 {
-		dir = scope
-	} else {
-		dir = scope[:sep]
-		tag := scope[sep+1:]
-		if !refRegexp.MatchString(tag) {
-			return errors.Errorf("Invalid tag %s", tag)
-		}
-	}
-
-	if strings.Contains(dir, ":") {
-		return errors.Errorf("Invalid OCI reference %s: path contains a colon", scope)
-	}
-
-	if !strings.HasPrefix(dir, "/") {
-		return errors.Errorf("Invalid scope %s: must be an absolute path", scope)
-	}
-	// Refuse also "/", otherwise "/" and "" would have the same semantics,
-	// and "" could be unexpectedly shadowed by the "/" entry.
-	// (Note: we do allow "/:sometag", a bit ridiculous but why refuse it?)
-	if scope == "/" {
-		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
-	}
-	cleaned := filepath.Clean(dir)
-	if cleaned != dir {
-		return errors.Errorf(`Invalid scope %s: Uses non-canonical path format, perhaps try with path %s`, scope, cleaned)
-	}
-	return nil
+	return internal.ValidateScope(scope)
 }
 
 // ociReference is an ImageReference for OCI directory paths.
@@ -85,41 +54,34 @@ type ociReference struct {
 	// (But in general, we make no attempt to be completely safe against concurrent hostile filesystem modifications.)
 	dir         string // As specified by the user. May be relative, contain symlinks, etc.
 	resolvedDir string // Absolute path with no symlinks, at least at the time of its creation. Primarily used for policy namespaces.
-	tag         string
+	image       string // If image=="", it means the only image in the index.json is used
 }
 
 // ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an OCI ImageReference.
 func ParseReference(reference string) (types.ImageReference, error) {
-	var dir, tag string
-	sep := strings.LastIndex(reference, ":")
-	if sep == -1 {
-		dir = reference
-		tag = "latest"
-	} else {
-		dir = reference[:sep]
-		tag = reference[sep+1:]
-	}
-	return NewReference(dir, tag)
+	dir, image := internal.SplitPathAndImage(reference)
+	return NewReference(dir, image)
 }
 
-// NewReference returns an OCI reference for a directory and a tag.
+// NewReference returns an OCI reference for a directory and a image.
 //
 // We do not expose an API supplying the resolvedDir; we could, but recomputing it
 // is generally cheap enough that we prefer being confident about the properties of resolvedDir.
-func NewReference(dir, tag string) (types.ImageReference, error) {
+func NewReference(dir, image string) (types.ImageReference, error) {
 	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(dir)
 	if err != nil {
 		return nil, err
 	}
-	// This is necessary to prevent directory paths returned by PolicyConfigurationNamespaces
-	// from being ambiguous with values of PolicyConfigurationIdentity.
-	if strings.Contains(resolved, ":") {
-		return nil, errors.Errorf("Invalid OCI reference %s:%s: path %s contains a colon", dir, tag, resolved)
+
+	if err := internal.ValidateOCIPath(dir); err != nil {
+		return nil, err
 	}
-	if !refRegexp.MatchString(tag) {
-		return nil, errors.Errorf("Invalid tag %s", tag)
+
+	if err = internal.ValidateImageName(image); err != nil {
+		return nil, err
 	}
-	return ociReference{dir: dir, resolvedDir: resolved, tag: tag}, nil
+
+	return ociReference{dir: dir, resolvedDir: resolved, image: image}, nil
 }
 
 func (ref ociReference) Transport() types.ImageTransport {
@@ -132,7 +94,7 @@ func (ref ociReference) Transport() types.ImageTransport {
 // e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
 // WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
 func (ref ociReference) StringWithinTransport() string {
-	return fmt.Sprintf("%s:%s", ref.dir, ref.tag)
+	return fmt.Sprintf("%s:%s", ref.dir, ref.image)
 }
 
 // DockerReference returns a Docker reference associated with this reference
@@ -150,7 +112,10 @@ func (ref ociReference) DockerReference() reference.Named {
 // not required/guaranteed that it will be a valid input to Transport().ParseReference().
 // Returns "" if configuration identities for these references are not supported.
 func (ref ociReference) PolicyConfigurationIdentity() string {
-	return fmt.Sprintf("%s:%s", ref.resolvedDir, ref.tag)
+	// NOTE: ref.image is not a part of the image identity, because "$dir:$someimage" and "$dir:" may mean the
+	// same image and the two can’t be statically disambiguated.  Using at least the repository directory is
+	// less granular but hopefully still useful.
+	return fmt.Sprintf("%s", ref.resolvedDir)
 }
 
 // PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
@@ -174,60 +139,92 @@ func (ref ociReference) PolicyConfigurationNamespaces() []string {
 	return res
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref ociReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
-	src, err := newImageSource(ref)
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref ociReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	src, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(src)
+	return image.FromSource(ctx, src)
+}
+
+// getIndex returns a pointer to the index references by this ociReference. If an error occurs opening an index nil is returned together
+// with an error.
+func (ref ociReference) getIndex() (*imgspecv1.Index, error) {
+	indexJSON, err := os.Open(ref.indexPath())
+	if err != nil {
+		return nil, err
+	}
+	defer indexJSON.Close()
+
+	index := &imgspecv1.Index{}
+	if err := json.NewDecoder(indexJSON).Decode(index); err != nil {
+		return nil, err
+	}
+	return index, nil
 }
 
 func (ref ociReference) getManifestDescriptor() (imgspecv1.Descriptor, error) {
-	indexJSON, err := os.Open(ref.indexPath())
+	index, err := ref.getIndex()
 	if err != nil {
 		return imgspecv1.Descriptor{}, err
 	}
-	defer indexJSON.Close()
-	index := imgspecv1.Index{}
-	if err := json.NewDecoder(indexJSON).Decode(&index); err != nil {
-		return imgspecv1.Descriptor{}, err
-	}
+
 	var d *imgspecv1.Descriptor
-	for _, md := range index.Manifests {
-		if md.MediaType != imgspecv1.MediaTypeImageManifest {
-			continue
+	if ref.image == "" {
+		// return manifest if only one image is in the oci directory
+		if len(index.Manifests) == 1 {
+			d = &index.Manifests[0]
+		} else {
+			// ask user to choose image when more than one image in the oci directory
+			return imgspecv1.Descriptor{}, errors.Wrapf(err, "more than one image in oci, choose an image")
 		}
-		refName, ok := md.Annotations["org.opencontainers.image.ref.name"]
-		if !ok {
-			continue
-		}
-		if refName == ref.tag {
-			d = &md
-			break
+	} else {
+		// if image specified, look through all manifests for a match
+		for _, md := range index.Manifests {
+			if md.MediaType != imgspecv1.MediaTypeImageManifest {
+				continue
+			}
+			refName, ok := md.Annotations["org.opencontainers.image.ref.name"]
+			if !ok {
+				continue
+			}
+			if refName == ref.image {
+				d = &md
+				break
+			}
 		}
 	}
 	if d == nil {
-		return imgspecv1.Descriptor{}, fmt.Errorf("no descriptor found for reference %q", ref.tag)
+		return imgspecv1.Descriptor{}, fmt.Errorf("no descriptor found for reference %q", ref.image)
 	}
 	return *d, nil
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// LoadManifestDescriptor loads the manifest descriptor to be used to retrieve the image name
+// when pulling an image
+func LoadManifestDescriptor(imgRef types.ImageReference) (imgspecv1.Descriptor, error) {
+	ociRef, ok := imgRef.(ociReference)
+	if !ok {
+		return imgspecv1.Descriptor{}, errors.Errorf("error typecasting, need type ociRef")
+	}
+	return ociRef.getManifestDescriptor()
+}
+
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref ociReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	return newImageSource(ref)
+func (ref ociReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
 }
 
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
 func (ref ociReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ref), nil
+	return newImageDestination(ctx, ref)
 }
 
 // DeleteImage deletes the named image from the registry, if supported.
@@ -246,9 +243,13 @@ func (ref ociReference) indexPath() string {
 }
 
 // blobPath returns a path for a blob within a directory using OCI image-layout conventions.
-func (ref ociReference) blobPath(digest digest.Digest) (string, error) {
+func (ref ociReference) blobPath(digest digest.Digest, sharedBlobDir string) (string, error) {
 	if err := digest.Validate(); err != nil {
 		return "", errors.Wrapf(err, "unexpected digest reference %s", digest)
 	}
-	return filepath.Join(ref.dir, "blobs", digest.Algorithm().String(), digest.Hex()), nil
+	blobDir := filepath.Join(ref.dir, "blobs")
+	if sharedBlobDir != "" {
+		blobDir = sharedBlobDir
+	}
+	return filepath.Join(blobDir, digest.Algorithm().String(), digest.Hex()), nil
 }

vendor/github.com/containers/image/openshift/openshift.go

@@ -2,6 +2,7 @@ package openshift
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
@@ -11,7 +12,6 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
@@ -19,6 +19,7 @@ import (
 	"github.com/containers/image/version"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // openshiftClient is configuration for dealing with a single image stream, for reading or writing.
@@ -70,7 +71,7 @@ func newOpenshiftClient(ref openshiftReference) (*openshiftClient, error) {
 }
 
 // doRequest performs a correctly authenticated request to a specified path, and returns response body or an error object.
-func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]byte, error) {
+func (c *openshiftClient) doRequest(ctx context.Context, method, path string, requestBody []byte) ([]byte, error) {
 	url := *c.baseURL
 	url.Path = path
 	var requestBodyReader io.Reader
@@ -82,6 +83,7 @@ func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]
 	if err != nil {
 		return nil, err
 	}
+	req = req.WithContext(ctx)
 
 	if len(c.bearerToken) != 0 {
 		req.Header.Set("Authorization", "Bearer "+c.bearerToken)
@@ -132,10 +134,10 @@ func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]
 }
 
 // getImage loads the specified image object.
-func (c *openshiftClient) getImage(imageStreamImageName string) (*image, error) {
+func (c *openshiftClient) getImage(ctx context.Context, imageStreamImageName string) (*image, error) {
 	// FIXME: validate components per validation.IsValidPathSegmentName?
 	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreamimages/%s@%s", c.ref.namespace, c.ref.stream, imageStreamImageName)
-	body, err := c.doRequest("GET", path, nil)
+	body, err := c.doRequest(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -160,18 +162,15 @@ func (c *openshiftClient) convertDockerImageReference(ref string) (string, error
 type openshiftImageSource struct {
 	client *openshiftClient
 	// Values specific to this image
-	ctx                        *types.SystemContext
-	requestedManifestMIMETypes []string
+	ctx *types.SystemContext
 	// State
 	docker               types.ImageSource // The Docker Registry endpoint, or nil if not resolved yet
 	imageStreamImageName string            // Resolved image identifier, or "" if not known yet
 }
 
-// newImageSource creates a new ImageSource for the specified reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// newImageSource creates a new ImageSource for the specified reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref openshiftReference, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func newImageSource(ctx *types.SystemContext, ref openshiftReference) (types.ImageSource, error) {
 	client, err := newOpenshiftClient(ref)
 	if err != nil {
 		return nil, err
@@ -180,7 +179,6 @@ func newImageSource(ctx *types.SystemContext, ref openshiftReference, requestedM
 	return &openshiftImageSource{
 		client: client,
 		ctx:    ctx,
-		requestedManifestMIMETypes: requestedManifestMIMETypes,
 	}, nil
 }
 
@@ -202,36 +200,40 @@ func (s *openshiftImageSource) Close() error {
 	return nil
 }
 
-func (s *openshiftImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
-		return nil, "", err
-	}
-	return s.docker.GetTargetManifest(digest)
-}
-
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *openshiftImageSource) GetManifest() ([]byte, string, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (s *openshiftImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if err := s.ensureImageIsResolved(context.TODO()); err != nil {
 		return nil, "", err
 	}
-	return s.docker.GetManifest()
+	return s.docker.GetManifest(instanceDigest)
 }
 
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
 func (s *openshiftImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
+	if err := s.ensureImageIsResolved(context.TODO()); err != nil {
 		return nil, 0, err
 	}
 	return s.docker.GetBlob(info)
 }
 
-func (s *openshiftImageSource) GetSignatures() ([][]byte, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
-		return nil, err
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (s *openshiftImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	var imageName string
+	if instanceDigest == nil {
+		if err := s.ensureImageIsResolved(ctx); err != nil {
+			return nil, err
+		}
+		imageName = s.imageStreamImageName
+	} else {
+		imageName = instanceDigest.String()
 	}
-
-	image, err := s.client.getImage(s.imageStreamImageName)
+	image, err := s.client.getImage(ctx, imageName)
 	if err != nil {
 		return nil, err
 	}
@@ -244,15 +246,20 @@ func (s *openshiftImageSource) GetSignatures() ([][]byte, error) {
 	return sigs, nil
 }
 
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *openshiftImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}
+
 // ensureImageIsResolved sets up s.docker and s.imageStreamImageName
-func (s *openshiftImageSource) ensureImageIsResolved() error {
+func (s *openshiftImageSource) ensureImageIsResolved(ctx context.Context) error {
 	if s.docker != nil {
 		return nil
 	}
 
 	// FIXME: validate components per validation.IsValidPathSegmentName?
 	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreams/%s", s.client.ref.namespace, s.client.ref.stream)
-	body, err := s.client.doRequest("GET", path, nil)
+	body, err := s.client.doRequest(ctx, "GET", path, nil)
 	if err != nil {
 		return err
 	}
@@ -284,7 +291,7 @@ func (s *openshiftImageSource) ensureImageIsResolved() error {
 	if err != nil {
 		return err
 	}
-	d, err := dockerRef.NewImageSource(s.ctx, s.requestedManifestMIMETypes)
+	d, err := dockerRef.NewImageSource(s.ctx)
 	if err != nil {
 		return err
 	}
@@ -410,7 +417,7 @@ func (d *openshiftImageDestination) PutSignatures(signatures [][]byte) error {
 		return nil // No need to even read the old state.
 	}
 
-	image, err := d.client.getImage(d.imageStreamImageName)
+	image, err := d.client.getImage(context.TODO(), d.imageStreamImageName)
 	if err != nil {
 		return err
 	}
@@ -451,7 +458,7 @@ sigExists:
 			Content:    newSig,
 		}
 		body, err := json.Marshal(sig)
-		_, err = d.client.doRequest("POST", "/oapi/v1/imagesignatures", body)
+		_, err = d.client.doRequest(context.TODO(), "POST", "/oapi/v1/imagesignatures", body)
 		if err != nil {
 			return err
 		}

vendor/github.com/containers/image/openshift/openshift_transport.go

@@ -125,24 +125,23 @@ func (ref openshiftReference) PolicyConfigurationNamespaces() []string {
 	return policyconfiguration.DockerReferenceNamespaces(ref.dockerReference)
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref openshiftReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
-	src, err := newImageSource(ctx, ref, nil)
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (ref openshiftReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	src, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
-	return genericImage.FromSource(src)
+	return genericImage.FromSource(ctx, src)
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref openshiftReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	return newImageSource(ctx, ref, requestedManifestMIMETypes)
+func (ref openshiftReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
 }
 
 // NewImageDestination returns a types.ImageDestination for this reference.

vendor/github.com/containers/image/ostree/ostree_dest.go

@@ -1,7 +1,11 @@
+// +build !containers_image_ostree_stub
+
 package ostree
 
 import (
 	"bytes"
+	"compress/gzip"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -11,17 +15,32 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
+	"unsafe"
 
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
-
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/ostreedev/ostree-go/pkg/otbuiltin"
+	"github.com/pkg/errors"
+	"github.com/vbatts/tar-split/tar/asm"
+	"github.com/vbatts/tar-split/tar/storage"
 )
 
+// #cgo pkg-config: glib-2.0 gobject-2.0 ostree-1 libselinux
+// #include <glib.h>
+// #include <glib-object.h>
+// #include <gio/gio.h>
+// #include <stdlib.h>
+// #include <ostree.h>
+// #include <gio/ginputstream.h>
+// #include <selinux/selinux.h>
+// #include <selinux/label.h>
+import "C"
+
 type blobToImport struct {
 	Size     int64
 	Digest   digest.Digest
@@ -33,17 +52,24 @@ type descriptor struct {
 	Digest digest.Digest `json:"digest"`
 }
 
+type fsLayersSchema1 struct {
+	BlobSum digest.Digest `json:"blobSum"`
+}
+
 type manifestSchema struct {
-	ConfigDescriptor  descriptor   `json:"config"`
-	LayersDescriptors []descriptor `json:"layers"`
+	LayersDescriptors []descriptor      `json:"layers"`
+	FSLayers          []fsLayersSchema1 `json:"fsLayers"`
 }
 
 type ostreeImageDestination struct {
-	ref        ostreeReference
-	manifest   string
-	schema     manifestSchema
-	tmpDirPath string
-	blobs      map[string]*blobToImport
+	ref           ostreeReference
+	manifest      string
+	schema        manifestSchema
+	tmpDirPath    string
+	blobs         map[string]*blobToImport
+	digest        digest.Digest
+	signaturesLen int
+	repo          *C.struct_OstreeRepo
 }
 
 // newImageDestination returns an ImageDestination for writing to an existing ostree.
@@ -52,7 +78,7 @@ func newImageDestination(ref ostreeReference, tmpDirPath string) (types.ImageDes
 	if err := ensureDirectoryExists(tmpDirPath); err != nil {
 		return nil, err
 	}
-	return &ostreeImageDestination{ref, "", manifestSchema{}, tmpDirPath, map[string]*blobToImport{}}, nil
+	return &ostreeImageDestination{ref, "", manifestSchema{}, tmpDirPath, map[string]*blobToImport{}, "", 0, nil}, nil
 }
 
 // Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
@@ -63,6 +89,9 @@ func (d *ostreeImageDestination) Reference() types.ImageReference {
 
 // Close removes resources associated with an initialized ImageDestination, if any.
 func (d *ostreeImageDestination) Close() error {
+	if d.repo != nil {
+		C.g_object_unref(C.gpointer(d.repo))
+	}
 	return os.RemoveAll(d.tmpDirPath)
 }
 
@@ -127,7 +156,7 @@ func (d *ostreeImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	return types.BlobInfo{Digest: computedDigest, Size: size}, nil
 }
 
-func fixFiles(dir string, usermode bool) error {
+func fixFiles(selinuxHnd *C.struct_selabel_handle, root string, dir string, usermode bool) error {
 	entries, err := ioutil.ReadDir(dir)
 	if err != nil {
 		return err
@@ -141,17 +170,47 @@ func fixFiles(dir string, usermode bool) error {
 			}
 			continue
 		}
+
+		if selinuxHnd != nil {
+			relPath, err := filepath.Rel(root, fullpath)
+			if err != nil {
+				return err
+			}
+			// Handle /exports/hostfs as a special case.  Files under this directory are copied to the host,
+			// thus we benefit from maintaining the same SELinux label they would have on the host as we could
+			// use hard links instead of copying the files.
+			relPath = fmt.Sprintf("/%s", strings.TrimPrefix(relPath, "exports/hostfs/"))
+
+			relPathC := C.CString(relPath)
+			defer C.free(unsafe.Pointer(relPathC))
+			var context *C.char
+
+			res, err := C.selabel_lookup_raw(selinuxHnd, &context, relPathC, C.int(info.Mode()&os.ModePerm))
+			if int(res) < 0 && err != syscall.ENOENT {
+				return errors.Wrapf(err, "cannot selabel_lookup_raw %s", relPath)
+			}
+			if int(res) == 0 {
+				defer C.freecon(context)
+				fullpathC := C.CString(fullpath)
+				defer C.free(unsafe.Pointer(fullpathC))
+				res, err = C.lsetfilecon_raw(fullpathC, context)
+				if int(res) < 0 {
+					return errors.Wrapf(err, "cannot setfilecon_raw %s", fullpath)
+				}
+			}
+		}
+
 		if info.IsDir() {
 			if usermode {
 				if err := os.Chmod(fullpath, info.Mode()|0700); err != nil {
 					return err
 				}
 			}
-			err = fixFiles(fullpath, usermode)
+			err = fixFiles(selinuxHnd, root, fullpath, usermode)
 			if err != nil {
 				return err
 			}
-		} else if usermode && (info.Mode().IsRegular() || (info.Mode()&os.ModeSymlink) != 0) {
+		} else if usermode && (info.Mode().IsRegular()) {
 			if err := os.Chmod(fullpath, info.Mode()|0600); err != nil {
 				return err
 			}
@@ -171,7 +230,36 @@ func (d *ostreeImageDestination) ostreeCommit(repo *otbuiltin.Repo, branch strin
 	return err
 }
 
-func (d *ostreeImageDestination) importBlob(repo *otbuiltin.Repo, blob *blobToImport) error {
+func generateTarSplitMetadata(output *bytes.Buffer, file string) error {
+	mfz := gzip.NewWriter(output)
+	defer mfz.Close()
+	metaPacker := storage.NewJSONPacker(mfz)
+
+	stream, err := os.OpenFile(file, os.O_RDONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+
+	gzReader, err := archive.DecompressStream(stream)
+	if err != nil {
+		return err
+	}
+	defer gzReader.Close()
+
+	its, err := asm.NewInputTarStream(gzReader, metaPacker, nil)
+	if err != nil {
+		return err
+	}
+
+	_, err = io.Copy(ioutil.Discard, its)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (d *ostreeImageDestination) importBlob(selinuxHnd *C.struct_selabel_handle, repo *otbuiltin.Repo, blob *blobToImport) error {
 	ostreeBranch := fmt.Sprintf("ociimage/%s", blob.Digest.Hex())
 	destinationPath := filepath.Join(d.tmpDirPath, blob.Digest.Hex(), "root")
 	if err := ensureDirectoryExists(destinationPath); err != nil {
@@ -182,11 +270,16 @@ func (d *ostreeImageDestination) importBlob(repo *otbuiltin.Repo, blob *blobToIm
 		os.RemoveAll(destinationPath)
 	}()
 
+	var tarSplitOutput bytes.Buffer
+	if err := generateTarSplitMetadata(&tarSplitOutput, blob.BlobPath); err != nil {
+		return err
+	}
+
 	if os.Getuid() == 0 {
 		if err := archive.UntarPath(blob.BlobPath, destinationPath); err != nil {
 			return err
 		}
-		if err := fixFiles(destinationPath, false); err != nil {
+		if err := fixFiles(selinuxHnd, destinationPath, destinationPath, false); err != nil {
 			return err
 		}
 	} else {
@@ -195,32 +288,39 @@ func (d *ostreeImageDestination) importBlob(repo *otbuiltin.Repo, blob *blobToIm
 			return err
 		}
 
-		if err := fixFiles(destinationPath, true); err != nil {
+		if err := fixFiles(selinuxHnd, destinationPath, destinationPath, true); err != nil {
 			return err
 		}
 	}
+	return d.ostreeCommit(repo, ostreeBranch, destinationPath, []string{fmt.Sprintf("docker.size=%d", blob.Size),
+		fmt.Sprintf("tarsplit.output=%s", base64.StdEncoding.EncodeToString(tarSplitOutput.Bytes()))})
+
+}
+
+func (d *ostreeImageDestination) importConfig(repo *otbuiltin.Repo, blob *blobToImport) error {
+	ostreeBranch := fmt.Sprintf("ociimage/%s", blob.Digest.Hex())
+	destinationPath := filepath.Dir(blob.BlobPath)
+
 	return d.ostreeCommit(repo, ostreeBranch, destinationPath, []string{fmt.Sprintf("docker.size=%d", blob.Size)})
 }
 
-func (d *ostreeImageDestination) importConfig(blob *blobToImport) error {
-	ostreeBranch := fmt.Sprintf("ociimage/%s", blob.Digest.Hex())
-
-	return exec.Command("ostree", "commit",
-		"--repo", d.ref.repo,
-		fmt.Sprintf("--add-metadata-string=docker.size=%d", blob.Size),
-		"--branch", ostreeBranch, filepath.Dir(blob.BlobPath)).Run()
-}
-
 func (d *ostreeImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
-	branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex())
-	output, err := exec.Command("ostree", "show", "--repo", d.ref.repo, "--print-metadata-key=docker.size", branch).CombinedOutput()
-	if err != nil {
-		if bytes.Index(output, []byte("not found")) >= 0 || bytes.Index(output, []byte("No such")) >= 0 {
-			return false, -1, nil
+
+	if d.repo == nil {
+		repo, err := openRepo(d.ref.repo)
+		if err != nil {
+			return false, 0, err
 		}
-		return false, -1, err
+		d.repo = repo
 	}
-	size, err := strconv.ParseInt(strings.Trim(string(output), "'\n"), 10, 64)
+	branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex())
+
+	found, data, err := readMetadata(d.repo, branch, "docker.size")
+	if err != nil || !found {
+		return found, -1, err
+	}
+
+	size, err := strconv.ParseInt(data, 10, 64)
 	if err != nil {
 		return false, -1, err
 	}
@@ -236,10 +336,10 @@ func (d *ostreeImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInf
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *ostreeImageDestination) PutManifest(manifest []byte) error {
-	d.manifest = string(manifest)
+func (d *ostreeImageDestination) PutManifest(manifestBlob []byte) error {
+	d.manifest = string(manifestBlob)
 
-	if err := json.Unmarshal(manifest, &d.schema); err != nil {
+	if err := json.Unmarshal(manifestBlob, &d.schema); err != nil {
 		return err
 	}
 
@@ -248,7 +348,13 @@ func (d *ostreeImageDestination) PutManifest(manifest []byte) error {
 		return err
 	}
 
-	return ioutil.WriteFile(manifestPath, manifest, 0644)
+	digest, err := manifest.Digest(manifestBlob)
+	if err != nil {
+		return err
+	}
+	d.digest = digest
+
+	return ioutil.WriteFile(manifestPath, manifestBlob, 0644)
 }
 
 func (d *ostreeImageDestination) PutSignatures(signatures [][]byte) error {
@@ -263,6 +369,7 @@ func (d *ostreeImageDestination) PutSignatures(signatures [][]byte) error {
 			return err
 		}
 	}
+	d.signaturesLen = len(signatures)
 	return nil
 }
 
@@ -277,24 +384,48 @@ func (d *ostreeImageDestination) Commit() error {
 		return err
 	}
 
-	for _, layer := range d.schema.LayersDescriptors {
-		hash := layer.Digest.Hex()
+	var selinuxHnd *C.struct_selabel_handle
+
+	if os.Getuid() == 0 && selinux.GetEnabled() {
+		selinuxHnd, err = C.selabel_open(C.SELABEL_CTX_FILE, nil, 0)
+		if selinuxHnd == nil {
+			return errors.Wrapf(err, "cannot open the SELinux DB")
+		}
+
+		defer C.selabel_close(selinuxHnd)
+	}
+
+	checkLayer := func(hash string) error {
 		blob := d.blobs[hash]
 		// if the blob is not present in d.blobs then it is already stored in OSTree,
 		// and we don't need to import it.
 		if blob == nil {
-			continue
+			return nil
 		}
-		err := d.importBlob(repo, blob)
+		err := d.importBlob(selinuxHnd, repo, blob)
 		if err != nil {
 			return err
 		}
+
+		delete(d.blobs, hash)
+		return nil
+	}
+	for _, layer := range d.schema.LayersDescriptors {
+		hash := layer.Digest.Hex()
+		if err = checkLayer(hash); err != nil {
+			return err
+		}
+	}
+	for _, layer := range d.schema.FSLayers {
+		hash := layer.BlobSum.Hex()
+		if err = checkLayer(hash); err != nil {
+			return err
+		}
 	}
 
-	hash := d.schema.ConfigDescriptor.Digest.Hex()
-	blob := d.blobs[hash]
-	if blob != nil {
-		err := d.importConfig(blob)
+	// Import the other blobs that are not layers
+	for _, blob := range d.blobs {
+		err := d.importConfig(repo, blob)
 		if err != nil {
 			return err
 		}
@@ -302,7 +433,9 @@ func (d *ostreeImageDestination) Commit() error {
 
 	manifestPath := filepath.Join(d.tmpDirPath, "manifest")
 
-	metadata := []string{fmt.Sprintf("docker.manifest=%s", string(d.manifest))}
+	metadata := []string{fmt.Sprintf("docker.manifest=%s", string(d.manifest)),
+		fmt.Sprintf("signatures=%d", d.signaturesLen),
+		fmt.Sprintf("docker.digest=%s", string(d.digest))}
 	err = d.ostreeCommit(repo, fmt.Sprintf("ociimage/%s", d.ref.branchName), manifestPath, metadata)
 
 	_, err = repo.CommitTransaction()

vendor/github.com/containers/image/ostree/ostree_src.go

@@ -0,0 +1,354 @@
+// +build !containers_image_ostree_stub
+
+package ostree
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strconv"
+	"strings"
+	"unsafe"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/containers/storage/pkg/ioutils"
+	"github.com/opencontainers/go-digest"
+	glib "github.com/ostreedev/ostree-go/pkg/glibobject"
+	"github.com/pkg/errors"
+	"github.com/vbatts/tar-split/tar/asm"
+	"github.com/vbatts/tar-split/tar/storage"
+)
+
+// #cgo pkg-config: glib-2.0 gobject-2.0 ostree-1
+// #include <glib.h>
+// #include <glib-object.h>
+// #include <gio/gio.h>
+// #include <stdlib.h>
+// #include <ostree.h>
+// #include <gio/ginputstream.h>
+import "C"
+
+type ostreeImageSource struct {
+	ref    ostreeReference
+	tmpDir string
+	repo   *C.struct_OstreeRepo
+}
+
+// newImageSource returns an ImageSource for reading from an existing directory.
+func newImageSource(ctx *types.SystemContext, tmpDir string, ref ostreeReference) (types.ImageSource, error) {
+	return &ostreeImageSource{ref: ref, tmpDir: tmpDir}, nil
+}
+
+// Reference returns the reference used to set up this source.
+func (s *ostreeImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *ostreeImageSource) Close() error {
+	if s.repo != nil {
+		C.g_object_unref(C.gpointer(s.repo))
+	}
+	return nil
+}
+
+func (s *ostreeImageSource) getLayerSize(blob string) (int64, error) {
+	b := fmt.Sprintf("ociimage/%s", blob)
+	found, data, err := readMetadata(s.repo, b, "docker.size")
+	if err != nil || !found {
+		return 0, err
+	}
+	return strconv.ParseInt(data, 10, 64)
+}
+
+func (s *ostreeImageSource) getLenSignatures() (int64, error) {
+	b := fmt.Sprintf("ociimage/%s", s.ref.branchName)
+	found, data, err := readMetadata(s.repo, b, "signatures")
+	if err != nil {
+		return -1, err
+	}
+	if !found {
+		// if 'signatures' is not present, just return 0 signatures.
+		return 0, nil
+	}
+	return strconv.ParseInt(data, 10, 64)
+}
+
+func (s *ostreeImageSource) getTarSplitData(blob string) ([]byte, error) {
+	b := fmt.Sprintf("ociimage/%s", blob)
+	found, out, err := readMetadata(s.repo, b, "tarsplit.output")
+	if err != nil || !found {
+		return nil, err
+	}
+	return base64.StdEncoding.DecodeString(out)
+}
+
+// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
+// It may use a remote (= slow) service.
+func (s *ostreeImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if instanceDigest != nil {
+		return nil, "", errors.Errorf(`Manifest lists are not supported by "ostree:"`)
+	}
+	if s.repo == nil {
+		repo, err := openRepo(s.ref.repo)
+		if err != nil {
+			return nil, "", err
+		}
+		s.repo = repo
+	}
+
+	b := fmt.Sprintf("ociimage/%s", s.ref.branchName)
+	found, out, err := readMetadata(s.repo, b, "docker.manifest")
+	if err != nil {
+		return nil, "", err
+	}
+	if !found {
+		return nil, "", errors.New("manifest not found")
+	}
+	m := []byte(out)
+	return m, manifest.GuessMIMEType(m), nil
+}
+
+func (s *ostreeImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
+	return nil, "", errors.New("manifest lists are not supported by this transport")
+}
+
+func openRepo(path string) (*C.struct_OstreeRepo, error) {
+	var cerr *C.GError
+	cpath := C.CString(path)
+	defer C.free(unsafe.Pointer(cpath))
+	pathc := C.g_file_new_for_path(cpath)
+	defer C.g_object_unref(C.gpointer(pathc))
+	repo := C.ostree_repo_new(pathc)
+	r := glib.GoBool(glib.GBoolean(C.ostree_repo_open(repo, nil, &cerr)))
+	if !r {
+		C.g_object_unref(C.gpointer(repo))
+		return nil, glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+	return repo, nil
+}
+
+type ostreePathFileGetter struct {
+	repo       *C.struct_OstreeRepo
+	parentRoot *C.GFile
+}
+
+type ostreeReader struct {
+	stream *C.GFileInputStream
+}
+
+func (o ostreeReader) Close() error {
+	C.g_object_unref(C.gpointer(o.stream))
+	return nil
+}
+func (o ostreeReader) Read(p []byte) (int, error) {
+	var cerr *C.GError
+	instanceCast := C.g_type_check_instance_cast((*C.GTypeInstance)(unsafe.Pointer(o.stream)), C.g_input_stream_get_type())
+	stream := (*C.GInputStream)(unsafe.Pointer(instanceCast))
+
+	b := C.g_input_stream_read_bytes(stream, (C.gsize)(cap(p)), nil, &cerr)
+	if b == nil {
+		return 0, glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+	defer C.g_bytes_unref(b)
+
+	count := int(C.g_bytes_get_size(b))
+	if count == 0 {
+		return 0, io.EOF
+	}
+	data := (*[1 << 30]byte)(unsafe.Pointer(C.g_bytes_get_data(b, nil)))[:count:count]
+	copy(p, data)
+	return count, nil
+}
+
+func readMetadata(repo *C.struct_OstreeRepo, commit, key string) (bool, string, error) {
+	var cerr *C.GError
+	var ref *C.char
+	defer C.free(unsafe.Pointer(ref))
+
+	cCommit := C.CString(commit)
+	defer C.free(unsafe.Pointer(cCommit))
+
+	if !glib.GoBool(glib.GBoolean(C.ostree_repo_resolve_rev(repo, cCommit, C.gboolean(1), &ref, &cerr))) {
+		return false, "", glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+
+	if ref == nil {
+		return false, "", nil
+	}
+
+	var variant *C.GVariant
+	if !glib.GoBool(glib.GBoolean(C.ostree_repo_load_variant(repo, C.OSTREE_OBJECT_TYPE_COMMIT, ref, &variant, &cerr))) {
+		return false, "", glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+	defer C.g_variant_unref(variant)
+	if variant != nil {
+		cKey := C.CString(key)
+		defer C.free(unsafe.Pointer(cKey))
+
+		metadata := C.g_variant_get_child_value(variant, 0)
+		defer C.g_variant_unref(metadata)
+
+		data := C.g_variant_lookup_value(metadata, (*C.gchar)(cKey), nil)
+		if data != nil {
+			defer C.g_variant_unref(data)
+			ptr := (*C.char)(C.g_variant_get_string(data, nil))
+			val := C.GoString(ptr)
+			return true, val, nil
+		}
+	}
+	return false, "", nil
+}
+
+func newOSTreePathFileGetter(repo *C.struct_OstreeRepo, commit string) (*ostreePathFileGetter, error) {
+	var cerr *C.GError
+	var parentRoot *C.GFile
+	cCommit := C.CString(commit)
+	defer C.free(unsafe.Pointer(cCommit))
+	if !glib.GoBool(glib.GBoolean(C.ostree_repo_read_commit(repo, cCommit, &parentRoot, nil, nil, &cerr))) {
+		return &ostreePathFileGetter{}, glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+
+	C.g_object_ref(C.gpointer(repo))
+
+	return &ostreePathFileGetter{repo: repo, parentRoot: parentRoot}, nil
+}
+
+func (o ostreePathFileGetter) Get(filename string) (io.ReadCloser, error) {
+	var file *C.GFile
+	if strings.HasPrefix(filename, "./") {
+		filename = filename[2:]
+	}
+	cfilename := C.CString(filename)
+	defer C.free(unsafe.Pointer(cfilename))
+
+	file = (*C.GFile)(C.g_file_resolve_relative_path(o.parentRoot, cfilename))
+
+	var cerr *C.GError
+	stream := C.g_file_read(file, nil, &cerr)
+	if stream == nil {
+		return nil, glib.ConvertGError(glib.ToGError(unsafe.Pointer(cerr)))
+	}
+
+	return &ostreeReader{stream: stream}, nil
+}
+
+func (o ostreePathFileGetter) Close() {
+	C.g_object_unref(C.gpointer(o.repo))
+	C.g_object_unref(C.gpointer(o.parentRoot))
+}
+
+func (s *ostreeImageSource) readSingleFile(commit, path string) (io.ReadCloser, error) {
+	getter, err := newOSTreePathFileGetter(s.repo, commit)
+	if err != nil {
+		return nil, err
+	}
+	defer getter.Close()
+
+	return getter.Get(path)
+}
+
+// GetBlob returns a stream for the specified blob, and the blob's size.
+func (s *ostreeImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+	blob := info.Digest.Hex()
+	branch := fmt.Sprintf("ociimage/%s", blob)
+
+	if s.repo == nil {
+		repo, err := openRepo(s.ref.repo)
+		if err != nil {
+			return nil, 0, err
+		}
+		s.repo = repo
+	}
+
+	layerSize, err := s.getLayerSize(blob)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	tarsplit, err := s.getTarSplitData(blob)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// if tarsplit is nil we are looking at the manifest.  Return directly the file in /content
+	if tarsplit == nil {
+		file, err := s.readSingleFile(branch, "/content")
+		if err != nil {
+			return nil, 0, err
+		}
+		return file, layerSize, nil
+	}
+
+	mf := bytes.NewReader(tarsplit)
+	mfz, err := gzip.NewReader(mf)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer mfz.Close()
+	metaUnpacker := storage.NewJSONUnpacker(mfz)
+
+	getter, err := newOSTreePathFileGetter(s.repo, branch)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	ots := asm.NewOutputTarStream(getter, metaUnpacker)
+
+	pipeReader, pipeWriter := io.Pipe()
+	go func() {
+		io.Copy(pipeWriter, ots)
+		pipeWriter.Close()
+	}()
+
+	rc := ioutils.NewReadCloserWrapper(pipeReader, func() error {
+		getter.Close()
+		return ots.Close()
+	})
+	return rc, layerSize, nil
+}
+
+func (s *ostreeImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	if instanceDigest != nil {
+		return nil, errors.New("manifest lists are not supported by this transport")
+	}
+	lenSignatures, err := s.getLenSignatures()
+	if err != nil {
+		return nil, err
+	}
+	branch := fmt.Sprintf("ociimage/%s", s.ref.branchName)
+
+	if s.repo == nil {
+		repo, err := openRepo(s.ref.repo)
+		if err != nil {
+			return nil, err
+		}
+		s.repo = repo
+	}
+
+	signatures := [][]byte{}
+	for i := int64(1); i <= lenSignatures; i++ {
+		sigReader, err := s.readSingleFile(branch, fmt.Sprintf("/signature-%d", i))
+		if err != nil {
+			return nil, err
+		}
+		defer sigReader.Close()
+
+		sig, err := ioutil.ReadAll(sigReader)
+		if err != nil {
+			return nil, err
+		}
+		signatures = append(signatures, sig)
+	}
+	return signatures, nil
+}
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (s *ostreeImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/ostree/ostree_transport.go

@@ -1,3 +1,5 @@
+// +build !containers_image_ostree_stub
+
 package ostree
 
 import (
@@ -8,12 +10,12 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/pkg/errors"
-
 	"github.com/containers/image/directory/explicitfilepath"
 	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
+	"github.com/pkg/errors"
 )
 
 const defaultOSTreeRepo = "/ostree/repo"
@@ -64,6 +66,11 @@ type ostreeReference struct {
 	repo       string
 }
 
+type ostreeImageCloser struct {
+	types.ImageCloser
+	size int64
+}
+
 func (t ostreeTransport) ParseReference(ref string) (types.ImageReference, error) {
 	var repo = ""
 	var image = ""
@@ -82,24 +89,15 @@ func NewReference(image string, repo string) (types.ImageReference, error) {
 	// image is not _really_ in a containers/image/docker/reference format;
 	// as far as the libOSTree ociimage/* namespace is concerned, it is more or
 	// less an arbitrary string with an implied tag.
-	// We use the reference.* parsers basically for the default tag name in
-	// reference.TagNameOnly, and incidentally for some character set and length
-	// restrictions.
-	var ostreeImage reference.Named
-	s := strings.SplitN(image, ":", 2)
-
-	named, err := reference.WithName(s[0])
+	// Parse the image using reference.ParseNormalizedNamed so that we can
+	// check whether the images has a tag specified and we can add ":latest" if needed
+	ostreeImage, err := reference.ParseNormalizedNamed(image)
 	if err != nil {
 		return nil, err
 	}
 
-	if len(s) == 1 {
-		ostreeImage = reference.TagNameOnly(named)
-	} else {
-		ostreeImage, err = reference.WithTag(named, s[1])
-		if err != nil {
-			return nil, err
-		}
+	if reference.IsNameOnly(ostreeImage) {
+		image = image + ":latest"
 	}
 
 	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(repo)
@@ -117,12 +115,12 @@ func NewReference(image string, repo string) (types.ImageReference, error) {
 	// This is necessary to prevent directory paths returned by PolicyConfigurationNamespaces
 	// from being ambiguous with values of PolicyConfigurationIdentity.
 	if strings.Contains(resolved, ":") {
-		return nil, errors.Errorf("Invalid OSTreeCI reference %s@%s: path %s contains a colon", image, repo, resolved)
+		return nil, errors.Errorf("Invalid OSTree reference %s@%s: path %s contains a colon", image, repo, resolved)
 	}
 
 	return ostreeReference{
-		image:      ostreeImage.String(),
-		branchName: encodeOStreeRef(ostreeImage.String()),
+		image:      image,
+		branchName: encodeOStreeRef(image),
 		repo:       resolved,
 	}, nil
 }
@@ -175,20 +173,38 @@ func (ref ostreeReference) PolicyConfigurationNamespaces() []string {
 	return res
 }
 
-// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-// The caller must call .Close() on the returned Image.
-// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
-// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref ostreeReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
-	return nil, errors.New("Reading ostree: images is currently not supported")
+func (s *ostreeImageCloser) Size() (int64, error) {
+	return s.size, nil
 }
 
-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+func (ref ostreeReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	var tmpDir string
+	if ctx == nil || ctx.OSTreeTmpDirPath == "" {
+		tmpDir = os.TempDir()
+	} else {
+		tmpDir = ctx.OSTreeTmpDirPath
+	}
+	src, err := newImageSource(ctx, tmpDir, ref)
+	if err != nil {
+		return nil, err
+	}
+	return image.FromSource(ctx, src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref ostreeReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	return nil, errors.New("Reading ostree: images is currently not supported")
+func (ref ostreeReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	var tmpDir string
+	if ctx == nil || ctx.OSTreeTmpDirPath == "" {
+		tmpDir = os.TempDir()
+	} else {
+		tmpDir = ctx.OSTreeTmpDirPath
+	}
+	return newImageSource(ctx, tmpDir, ref)
 }
 
 // NewImageDestination returns a types.ImageDestination for this reference.

vendor/github.com/containers/image/pkg/compression/compression.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 
-	"github.com/Sirupsen/logrus"
+	"github.com/sirupsen/logrus"
 )
 
 // DecompressorFunc returns the decompressed stream, given a compressed stream.

vendor/github.com/containers/image/pkg/docker/config/config.go

@@ -0,0 +1,295 @@
+package config
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/containers/image/types"
+	helperclient "github.com/docker/docker-credential-helpers/client"
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/pkg/errors"
+)
+
+type dockerAuthConfig struct {
+	Auth string `json:"auth,omitempty"`
+}
+
+type dockerConfigFile struct {
+	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
+	CredHelpers map[string]string           `json:"credHelpers,omitempty"`
+}
+
+const (
+	defaultPath       = "/run/user"
+	authCfg           = "containers"
+	authCfgFileName   = "auth.json"
+	dockerCfg         = ".docker"
+	dockerCfgFileName = "config.json"
+	dockerLegacyCfg   = ".dockercfg"
+)
+
+var (
+	// ErrNotLoggedIn is returned for users not logged into a registry
+	// that they are trying to logout of
+	ErrNotLoggedIn = errors.New("not logged in")
+)
+
+// SetAuthentication stores the username and password in the auth.json file
+func SetAuthentication(ctx *types.SystemContext, registry, username, password string) error {
+	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+		if ch, exists := auths.CredHelpers[registry]; exists {
+			return false, setAuthToCredHelper(ch, registry, username, password)
+		}
+
+		creds := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
+		newCreds := dockerAuthConfig{Auth: creds}
+		auths.AuthConfigs[registry] = newCreds
+		return true, nil
+	})
+}
+
+// GetAuthentication returns the registry credentials stored in
+// either auth.json file or .docker/config.json
+// If an entry is not found empty strings are returned for the username and password
+func GetAuthentication(ctx *types.SystemContext, registry string) (string, string, error) {
+	if ctx != nil && ctx.DockerAuthConfig != nil {
+		return ctx.DockerAuthConfig.Username, ctx.DockerAuthConfig.Password, nil
+	}
+
+	dockerLegacyPath := filepath.Join(homedir.Get(), dockerLegacyCfg)
+	paths := [3]string{getPathToAuth(ctx), filepath.Join(homedir.Get(), dockerCfg, dockerCfgFileName), dockerLegacyPath}
+
+	for _, path := range paths {
+		legacyFormat := path == dockerLegacyPath
+		username, password, err := findAuthentication(registry, path, legacyFormat)
+		if err != nil {
+			return "", "", err
+		}
+		if username != "" && password != "" {
+			return username, password, nil
+		}
+	}
+	return "", "", nil
+}
+
+// GetUserLoggedIn returns the username logged in to registry from either
+// auth.json or XDG_RUNTIME_DIR
+// Used to tell the user if someone is logged in to the registry when logging in
+func GetUserLoggedIn(ctx *types.SystemContext, registry string) string {
+	path := getPathToAuth(ctx)
+	username, _, _ := findAuthentication(registry, path, false)
+	if username != "" {
+		return username
+	}
+	return ""
+}
+
+// RemoveAuthentication deletes the credentials stored in auth.json
+func RemoveAuthentication(ctx *types.SystemContext, registry string) error {
+	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+		// First try cred helpers.
+		if ch, exists := auths.CredHelpers[registry]; exists {
+			return false, deleteAuthFromCredHelper(ch, registry)
+		}
+
+		if _, ok := auths.AuthConfigs[registry]; ok {
+			delete(auths.AuthConfigs, registry)
+		} else if _, ok := auths.AuthConfigs[normalizeRegistry(registry)]; ok {
+			delete(auths.AuthConfigs, normalizeRegistry(registry))
+		} else {
+			return false, ErrNotLoggedIn
+		}
+		return true, nil
+	})
+}
+
+// RemoveAllAuthentication deletes all the credentials stored in auth.json
+func RemoveAllAuthentication(ctx *types.SystemContext) error {
+	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+		auths.CredHelpers = make(map[string]string)
+		auths.AuthConfigs = make(map[string]dockerAuthConfig)
+		return true, nil
+	})
+}
+
+// getPath gets the path of the auth.json file
+// The path can be overriden by the user if the overwrite-path flag is set
+// If the flag is not set and XDG_RUNTIME_DIR is ser, the auth.json file is saved in XDG_RUNTIME_DIR/containers
+// Otherwise, the auth.json file is stored in /run/user/UID/containers
+func getPathToAuth(ctx *types.SystemContext) string {
+	if ctx != nil {
+		if ctx.AuthFilePath != "" {
+			return ctx.AuthFilePath
+		}
+		if ctx.RootForImplicitAbsolutePaths != "" {
+			return filepath.Join(ctx.RootForImplicitAbsolutePaths, defaultPath, strconv.Itoa(os.Getuid()), authCfg, authCfgFileName)
+		}
+	}
+	runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+	if runtimeDir == "" {
+		runtimeDir = filepath.Join(defaultPath, strconv.Itoa(os.Getuid()))
+	}
+	return filepath.Join(runtimeDir, authCfg, authCfgFileName)
+}
+
+// readJSONFile unmarshals the authentications stored in the auth.json file and returns it
+// or returns an empty dockerConfigFile data structure if auth.json does not exist
+// if the file exists and is empty, readJSONFile returns an error
+func readJSONFile(path string, legacyFormat bool) (dockerConfigFile, error) {
+	var auths dockerConfigFile
+
+	raw, err := ioutil.ReadFile(path)
+	if os.IsNotExist(err) {
+		auths.AuthConfigs = map[string]dockerAuthConfig{}
+		return auths, nil
+	}
+
+	if legacyFormat {
+		if err = json.Unmarshal(raw, &auths.AuthConfigs); err != nil {
+			return dockerConfigFile{}, errors.Wrapf(err, "error unmarshaling JSON at %q", path)
+		}
+		return auths, nil
+	}
+
+	if err = json.Unmarshal(raw, &auths); err != nil {
+		return dockerConfigFile{}, errors.Wrapf(err, "error unmarshaling JSON at %q", path)
+	}
+
+	return auths, nil
+}
+
+// modifyJSON writes to auth.json if the dockerConfigFile has been updated
+func modifyJSON(ctx *types.SystemContext, editor func(auths *dockerConfigFile) (bool, error)) error {
+	path := getPathToAuth(ctx)
+	dir := filepath.Dir(path)
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.Mkdir(dir, 0700); err != nil {
+			return errors.Wrapf(err, "error creating directory %q", dir)
+		}
+	}
+
+	auths, err := readJSONFile(path, false)
+	if err != nil {
+		return errors.Wrapf(err, "error reading JSON file %q", path)
+	}
+
+	updated, err := editor(&auths)
+	if err != nil {
+		return errors.Wrapf(err, "error updating %q", path)
+	}
+	if updated {
+		newData, err := json.MarshalIndent(auths, "", "\t")
+		if err != nil {
+			return errors.Wrapf(err, "error marshaling JSON %q", path)
+		}
+
+		if err = ioutil.WriteFile(path, newData, 0755); err != nil {
+			return errors.Wrapf(err, "error writing to file %q", path)
+		}
+	}
+
+	return nil
+}
+
+func getAuthFromCredHelper(credHelper, registry string) (string, string, error) {
+	helperName := fmt.Sprintf("docker-credential-%s", credHelper)
+	p := helperclient.NewShellProgramFunc(helperName)
+	creds, err := helperclient.Get(p, registry)
+	if err != nil {
+		return "", "", err
+	}
+	return creds.Username, creds.Secret, nil
+}
+
+func setAuthToCredHelper(credHelper, registry, username, password string) error {
+	helperName := fmt.Sprintf("docker-credential-%s", credHelper)
+	p := helperclient.NewShellProgramFunc(helperName)
+	creds := &credentials.Credentials{
+		ServerURL: registry,
+		Username:  username,
+		Secret:    password,
+	}
+	return helperclient.Store(p, creds)
+}
+
+func deleteAuthFromCredHelper(credHelper, registry string) error {
+	helperName := fmt.Sprintf("docker-credential-%s", credHelper)
+	p := helperclient.NewShellProgramFunc(helperName)
+	return helperclient.Erase(p, registry)
+}
+
+// findAuthentication looks for auth of registry in path
+func findAuthentication(registry, path string, legacyFormat bool) (string, string, error) {
+	auths, err := readJSONFile(path, legacyFormat)
+	if err != nil {
+		return "", "", errors.Wrapf(err, "error reading JSON file %q", path)
+	}
+
+	// First try cred helpers. They should always be normalized.
+	if ch, exists := auths.CredHelpers[registry]; exists {
+		return getAuthFromCredHelper(ch, registry)
+	}
+
+	// I'm feeling lucky
+	if val, exists := auths.AuthConfigs[registry]; exists {
+		return decodeDockerAuth(val.Auth)
+	}
+
+	// bad luck; let's normalize the entries first
+	registry = normalizeRegistry(registry)
+	normalizedAuths := map[string]dockerAuthConfig{}
+	for k, v := range auths.AuthConfigs {
+		normalizedAuths[normalizeRegistry(k)] = v
+	}
+	if val, exists := normalizedAuths[registry]; exists {
+		return decodeDockerAuth(val.Auth)
+	}
+	return "", "", nil
+}
+
+func decodeDockerAuth(s string) (string, string, error) {
+	decoded, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return "", "", err
+	}
+	parts := strings.SplitN(string(decoded), ":", 2)
+	if len(parts) != 2 {
+		// if it's invalid just skip, as docker does
+		return "", "", nil
+	}
+	user := parts[0]
+	password := strings.Trim(parts[1], "\x00")
+	return user, password, nil
+}
+
+// convertToHostname converts a registry url which has http|https prepended
+// to just an hostname.
+// Copied from github.com/docker/docker/registry/auth.go
+func convertToHostname(url string) string {
+	stripped := url
+	if strings.HasPrefix(url, "http://") {
+		stripped = strings.TrimPrefix(url, "http://")
+	} else if strings.HasPrefix(url, "https://") {
+		stripped = strings.TrimPrefix(url, "https://")
+	}
+
+	nameParts := strings.SplitN(stripped, "/", 2)
+
+	return nameParts[0]
+}
+
+func normalizeRegistry(registry string) string {
+	normalized := convertToHostname(registry)
+	switch normalized {
+	case "registry-1.docker.io", "docker.io":
+		return "index.docker.io"
+	}
+	return normalized
+}

vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go

@@ -0,0 +1,102 @@
+package tlsclientconfig
+
+import (
+	"crypto/tls"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// SetupCertificates opens all .crt, .cert, and .key files in dir and appends / loads certs and key pairs as appropriate to tlsc
+func SetupCertificates(dir string, tlsc *tls.Config) error {
+	logrus.Debugf("Looking for TLS certificates and private keys in %s", dir)
+	fs, err := ioutil.ReadDir(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		if os.IsPermission(err) {
+			logrus.Debugf("Skipping scan of %s due to permission error: %v", dir, err)
+			return nil
+		}
+		return err
+	}
+
+	for _, f := range fs {
+		fullPath := filepath.Join(dir, f.Name())
+		if strings.HasSuffix(f.Name(), ".crt") {
+			systemPool, err := tlsconfig.SystemCertPool()
+			if err != nil {
+				return errors.Wrap(err, "unable to get system cert pool")
+			}
+			tlsc.RootCAs = systemPool
+			logrus.Debugf(" crt: %s", fullPath)
+			data, err := ioutil.ReadFile(fullPath)
+			if err != nil {
+				return err
+			}
+			tlsc.RootCAs.AppendCertsFromPEM(data)
+		}
+		if strings.HasSuffix(f.Name(), ".cert") {
+			certName := f.Name()
+			keyName := certName[:len(certName)-5] + ".key"
+			logrus.Debugf(" cert: %s", fullPath)
+			if !hasFile(fs, keyName) {
+				return errors.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
+			}
+			cert, err := tls.LoadX509KeyPair(filepath.Join(dir, certName), filepath.Join(dir, keyName))
+			if err != nil {
+				return err
+			}
+			tlsc.Certificates = append(tlsc.Certificates, cert)
+		}
+		if strings.HasSuffix(f.Name(), ".key") {
+			keyName := f.Name()
+			certName := keyName[:len(keyName)-4] + ".cert"
+			logrus.Debugf(" key: %s", fullPath)
+			if !hasFile(fs, certName) {
+				return errors.Errorf("missing client certificate %s for key %s", certName, keyName)
+			}
+		}
+	}
+	return nil
+}
+
+func hasFile(files []os.FileInfo, name string) bool {
+	for _, f := range files {
+		if f.Name() == name {
+			return true
+		}
+	}
+	return false
+}
+
+// NewTransport Creates a default transport
+func NewTransport() *http.Transport {
+	direct := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+		DualStack: true,
+	}
+	tr := &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		Dial:                direct.Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
+		DisableKeepAlives: true,
+	}
+	proxyDialer, err := sockets.DialerFromEnvironment(direct)
+	if err == nil {
+		tr.Dial = proxyDialer.Dial
+	}
+	return tr
+}

vendor/github.com/containers/image/signature/mechanism_openpgp.go

@@ -132,11 +132,17 @@ func (m *openpgpSigningMechanism) Verify(unverifiedSignature []byte) (contents [
 	if md.SignedBy == nil {
 		return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", md.Signature)}
 	}
-	if md.Signature.SigLifetimeSecs != nil {
-		expiry := md.Signature.CreationTime.Add(time.Duration(*md.Signature.SigLifetimeSecs) * time.Second)
-		if time.Now().After(expiry) {
-			return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Signature expired on %s", expiry)}
+	if md.Signature != nil {
+		if md.Signature.SigLifetimeSecs != nil {
+			expiry := md.Signature.CreationTime.Add(time.Duration(*md.Signature.SigLifetimeSecs) * time.Second)
+			if time.Now().After(expiry) {
+				return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Signature expired on %s", expiry)}
+			}
 		}
+	} else if md.SignatureV3 == nil {
+		// Coverage: If md.SignedBy != nil, the final md.UnverifiedBody.Read() either sets one of md.Signature or md.SignatureV3,
+		// or sets md.SignatureError.
+		return nil, "", InvalidSignatureError{msg: "Unexpected openpgp.MessageDetails: neither Signature nor SignatureV3 is set"}
 	}
 
 	// Uppercase the fingerprint to be compatible with gpgme

vendor/github.com/containers/image/signature/policy_config.go

@@ -70,7 +70,11 @@ func NewPolicyFromFile(fileName string) (*Policy, error) {
 	if err != nil {
 		return nil, err
 	}
-	return NewPolicyFromBytes(contents)
+	policy, err := NewPolicyFromBytes(contents)
+	if err != nil {
+		return nil, errors.Wrapf(err, "invalid policy in %q", fileName)
+	}
+	return policy, nil
 }
 
 // NewPolicyFromBytes returns a policy parsed from the specified blob.

vendor/github.com/containers/image/signature/policy_eval.go

@@ -6,9 +6,11 @@
 package signature
 
 import (
-	"github.com/Sirupsen/logrus"
+	"context"
+
 	"github.com/containers/image/types"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // PolicyRequirementError is an explanatory text for rejecting a signature or an image.
@@ -188,7 +190,8 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.UnparsedIma
 	reqs := pc.requirementsForImageRef(image.Reference())
 
 	// FIXME: rename Signatures to UnverifiedSignatures
-	unverifiedSignatures, err := image.Signatures()
+	// FIXME: pass context.Context
+	unverifiedSignatures, err := image.Signatures(context.TODO())
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/image/signature/policy_eval_baselayer.go

@@ -3,8 +3,8 @@
 package signature
 
 import (
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/types"
+	"github.com/sirupsen/logrus"
 )
 
 func (pr *prSignedBaseLayer) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {

vendor/github.com/containers/image/signature/policy_eval_signedby.go

@@ -3,6 +3,7 @@
 package signature
 
 import (
+	"context"
 	"fmt"
 	"io/ioutil"
 	"strings"
@@ -90,7 +91,8 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig [
 }
 
 func (pr *prSignedBy) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
-	sigs, err := image.Signatures()
+	// FIXME: pass context.Context
+	sigs, err := image.Signatures(context.TODO())
 	if err != nil {
 		return false, err
 	}

vendor/github.com/containers/image/signature/signature.go

@@ -180,13 +180,9 @@ func (s *untrustedSignature) strictUnmarshalJSON(data []byte) error {
 	}
 	s.UntrustedDockerManifestDigest = digest.Digest(digestString)
 
-	if err := paranoidUnmarshalJSONObjectExactFields(identity, map[string]interface{}{
+	return paranoidUnmarshalJSONObjectExactFields(identity, map[string]interface{}{
 		"docker-reference": &s.UntrustedDockerReference,
-	}); err != nil {
-		return err
-	}
-
-	return nil
+	})
 }
 
 // Sign formats the signature and returns a blob signed using mech and keyIdentity

vendor/github.com/containers/image/storage/storage_reference.go

@@ -1,13 +1,16 @@
+// +build !containers_image_storage_stub
+
 package storage
 
 import (
 	"strings"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // A storageReference holds an arbitrary name and/or an ID, which is a 32-byte
@@ -18,9 +21,11 @@ type storageReference struct {
 	reference string
 	id        string
 	name      reference.Named
+	tag       string
+	digest    digest.Digest
 }
 
-func newReference(transport storageTransport, reference, id string, name reference.Named) *storageReference {
+func newReference(transport storageTransport, reference, id string, name reference.Named, tag string, digest digest.Digest) *storageReference {
 	// We take a copy of the transport, which contains a pointer to the
 	// store that it used for resolving this reference, so that the
 	// transport that we'll return from Transport() won't be affected by
@@ -30,6 +35,8 @@ func newReference(transport storageTransport, reference, id string, name referen
 		reference: reference,
 		id:        id,
 		name:      name,
+		tag:       tag,
+		digest:    digest,
 	}
 }
 
@@ -37,25 +44,49 @@ func newReference(transport storageTransport, reference, id string, name referen
 // one present with the same name or ID, and return the image.
 func (s *storageReference) resolveImage() (*storage.Image, error) {
 	if s.id == "" {
+		// Look for an image that has the expanded reference name as an explicit Name value.
 		image, err := s.transport.store.Image(s.reference)
 		if image != nil && err == nil {
 			s.id = image.ID
 		}
 	}
+	if s.id == "" && s.name != nil && s.digest != "" {
+		// Look for an image with the specified digest that has the same name,
+		// though possibly with a different tag or digest, as a Name value, so
+		// that the canonical reference can be implicitly resolved to the image.
+		images, err := s.transport.store.ImagesByDigest(s.digest)
+		if images != nil && err == nil {
+			repo := reference.FamiliarName(reference.TrimNamed(s.name))
+		search:
+			for _, image := range images {
+				for _, name := range image.Names {
+					if named, err := reference.ParseNormalizedNamed(name); err == nil {
+						if reference.FamiliarName(reference.TrimNamed(named)) == repo {
+							s.id = image.ID
+							break search
+						}
+					}
+				}
+			}
+		}
+	}
 	if s.id == "" {
-		logrus.Errorf("reference %q does not resolve to an image ID", s.StringWithinTransport())
-		return nil, ErrNoSuchImage
+		logrus.Debugf("reference %q does not resolve to an image ID", s.StringWithinTransport())
+		return nil, errors.Wrapf(ErrNoSuchImage, "reference %q does not resolve to an image ID", s.StringWithinTransport())
 	}
 	img, err := s.transport.store.Image(s.id)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error reading image %q", s.id)
 	}
-	if s.reference != "" {
+	if s.name != nil {
+		repo := reference.FamiliarName(reference.TrimNamed(s.name))
 		nameMatch := false
 		for _, name := range img.Names {
-			if name == s.reference {
-				nameMatch = true
-				break
+			if named, err := reference.ParseNormalizedNamed(name); err == nil {
+				if reference.FamiliarName(reference.TrimNamed(named)) == repo {
+					nameMatch = true
+					break
+				}
 			}
 		}
 		if !nameMatch {
@@ -70,12 +101,27 @@ func (s *storageReference) resolveImage() (*storage.Image, error) {
 // to build this reference object.
 func (s storageReference) Transport() types.ImageTransport {
 	return &storageTransport{
-		store: s.transport.store,
+		store:         s.transport.store,
+		defaultUIDMap: s.transport.defaultUIDMap,
+		defaultGIDMap: s.transport.defaultGIDMap,
 	}
 }
 
-// Return a name with a tag, if we have a name to base them on.
+// Return a name with a tag or digest, if we have either, else return it bare.
 func (s storageReference) DockerReference() reference.Named {
+	if s.name == nil {
+		return nil
+	}
+	if s.tag != "" {
+		if namedTagged, err := reference.WithTag(s.name, s.tag); err == nil {
+			return namedTagged
+		}
+	}
+	if s.digest != "" {
+		if canonical, err := reference.WithDigest(s.name, s.digest); err == nil {
+			return canonical
+		}
+	}
 	return s.name
 }
 
@@ -83,8 +129,13 @@ func (s storageReference) DockerReference() reference.Named {
 // disambiguate between images which may be present in multiple stores and
 // share only their names.
 func (s storageReference) StringWithinTransport() string {
-	storeSpec := "[" + s.transport.store.GraphDriverName() + "@" + s.transport.store.GraphRoot() + "]"
-	if s.name == nil {
+	optionsList := ""
+	options := s.transport.store.GraphOptions()
+	if len(options) > 0 {
+		optionsList = ":" + strings.Join(options, ",")
+	}
+	storeSpec := "[" + s.transport.store.GraphDriverName() + "@" + s.transport.store.GraphRoot() + "+" + s.transport.store.RunRoot() + optionsList + "]"
+	if s.reference == "" {
 		return storeSpec + "@" + s.id
 	}
 	if s.id == "" {
@@ -94,7 +145,14 @@ func (s storageReference) StringWithinTransport() string {
 }
 
 func (s storageReference) PolicyConfigurationIdentity() string {
-	return s.StringWithinTransport()
+	storeSpec := "[" + s.transport.store.GraphDriverName() + "@" + s.transport.store.GraphRoot() + "]"
+	if s.name == nil {
+		return storeSpec + "@" + s.id
+	}
+	if s.id == "" {
+		return storeSpec + s.reference
+	}
+	return storeSpec + s.reference + "@" + s.id
 }
 
 // Also accept policy that's tied to the combination of the graph root and
@@ -106,11 +164,8 @@ func (s storageReference) PolicyConfigurationNamespaces() []string {
 	driverlessStoreSpec := "[" + s.transport.store.GraphRoot() + "]"
 	namespaces := []string{}
 	if s.name != nil {
-		if s.id != "" {
-			// The reference without the ID is also a valid namespace.
-			namespaces = append(namespaces, storeSpec+s.reference)
-		}
-		components := strings.Split(s.name.Name(), "/")
+		name := reference.TrimNamed(s.name)
+		components := strings.Split(name.String(), "/")
 		for len(components) > 0 {
 			namespaces = append(namespaces, storeSpec+strings.Join(components, "/"))
 			components = components[:len(components)-1]
@@ -121,8 +176,13 @@ func (s storageReference) PolicyConfigurationNamespaces() []string {
 	return namespaces
 }
 
-func (s storageReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
-	return newImage(s)
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (s storageReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	return newImage(ctx, s)
 }
 
 func (s storageReference) DeleteImage(ctx *types.SystemContext) error {
@@ -140,10 +200,10 @@ func (s storageReference) DeleteImage(ctx *types.SystemContext) error {
 	return err
 }
 
-func (s storageReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (s storageReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(s)
 }
 
 func (s storageReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(s)
+	return newImageDestination(ctx, s)
 }

vendor/github.com/containers/image/storage/storage_transport.go

@@ -1,3 +1,5 @@
+// +build !containers_image_storage_stub
+
 package storage
 
 import (
@@ -6,13 +8,17 @@ import (
 
 	"github.com/pkg/errors"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
-	"github.com/opencontainers/go-digest"
-	ddigest "github.com/opencontainers/go-digest"
+	"github.com/containers/storage/pkg/idtools"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	minimumTruncatedIDLength = 3
 )
 
 func init() {
@@ -46,10 +52,20 @@ type StoreTransport interface {
 	// ParseStoreReference parses a reference, overriding any store
 	// specification that it may contain.
 	ParseStoreReference(store storage.Store, reference string) (*storageReference, error)
+	// SetDefaultUIDMap sets the default UID map to use when opening stores.
+	SetDefaultUIDMap(idmap []idtools.IDMap)
+	// SetDefaultGIDMap sets the default GID map to use when opening stores.
+	SetDefaultGIDMap(idmap []idtools.IDMap)
+	// DefaultUIDMap returns the default UID map used when opening stores.
+	DefaultUIDMap() []idtools.IDMap
+	// DefaultGIDMap returns the default GID map used when opening stores.
+	DefaultGIDMap() []idtools.IDMap
 }
 
 type storageTransport struct {
-	store storage.Store
+	store         storage.Store
+	defaultUIDMap []idtools.IDMap
+	defaultGIDMap []idtools.IDMap
 }
 
 func (s *storageTransport) Name() string {
@@ -66,75 +82,167 @@ func (s *storageTransport) SetStore(store storage.Store) {
 	s.store = store
 }
 
+// SetDefaultUIDMap sets the default UID map to use when opening stores.
+func (s *storageTransport) SetDefaultUIDMap(idmap []idtools.IDMap) {
+	s.defaultUIDMap = idmap
+}
+
+// SetDefaultGIDMap sets the default GID map to use when opening stores.
+func (s *storageTransport) SetDefaultGIDMap(idmap []idtools.IDMap) {
+	s.defaultGIDMap = idmap
+}
+
+// DefaultUIDMap returns the default UID map used when opening stores.
+func (s *storageTransport) DefaultUIDMap() []idtools.IDMap {
+	return s.defaultUIDMap
+}
+
+// DefaultGIDMap returns the default GID map used when opening stores.
+func (s *storageTransport) DefaultGIDMap() []idtools.IDMap {
+	return s.defaultGIDMap
+}
+
 // ParseStoreReference takes a name or an ID, tries to figure out which it is
 // relative to the given store, and returns it in a reference object.
 func (s storageTransport) ParseStoreReference(store storage.Store, ref string) (*storageReference, error) {
 	var name reference.Named
-	var sum digest.Digest
-	var err error
 	if ref == "" {
-		return nil, ErrInvalidReference
+		return nil, errors.Wrapf(ErrInvalidReference, "%q is an empty reference")
 	}
 	if ref[0] == '[' {
 		// Ignore the store specifier.
 		closeIndex := strings.IndexRune(ref, ']')
 		if closeIndex < 1 {
-			return nil, ErrInvalidReference
+			return nil, errors.Wrapf(ErrInvalidReference, "store specifier in %q did not end", ref)
 		}
 		ref = ref[closeIndex+1:]
 	}
-	refInfo := strings.SplitN(ref, "@", 2)
-	if len(refInfo) == 1 {
-		// A name.
-		name, err = reference.ParseNormalizedNamed(refInfo[0])
-		if err != nil {
-			return nil, err
+
+	// The last segment, if there's more than one, is either a digest from a reference, or an image ID.
+	split := strings.LastIndex(ref, "@")
+	idOrDigest := ""
+	if split != -1 {
+		// Peel off that last bit so that we can work on the rest.
+		idOrDigest = ref[split+1:]
+		if idOrDigest == "" {
+			return nil, errors.Wrapf(ErrInvalidReference, "%q does not look like a digest or image ID", idOrDigest)
 		}
-	} else if len(refInfo) == 2 {
-		// An ID, possibly preceded by a name.
-		if refInfo[0] != "" {
-			name, err = reference.ParseNormalizedNamed(refInfo[0])
-			if err != nil {
-				return nil, err
-			}
-		}
-		sum, err = digest.Parse(refInfo[1])
-		if err != nil || sum.Validate() != nil {
-			sum, err = digest.Parse("sha256:" + refInfo[1])
-			if err != nil || sum.Validate() != nil {
-				return nil, err
-			}
-		}
-	} else { // Coverage: len(refInfo) is always 1 or 2
-		// Anything else: store specified in a form we don't
-		// recognize.
-		return nil, ErrInvalidReference
+		ref = ref[:split]
 	}
-	storeSpec := "[" + store.GraphDriverName() + "@" + store.GraphRoot() + "]"
+
+	// The middle segment (now the last segment), if there is one, is a digest.
+	split = strings.LastIndex(ref, "@")
+	sum := digest.Digest("")
+	if split != -1 {
+		sum = digest.Digest(ref[split+1:])
+		if sum == "" {
+			return nil, errors.Wrapf(ErrInvalidReference, "%q does not look like an image digest", sum)
+		}
+		ref = ref[:split]
+	}
+
+	// If we have something that unambiguously should be a digest, validate it, and then the third part,
+	// if we have one, as an ID.
 	id := ""
-	if sum.Validate() == nil {
-		id = sum.Hex()
+	if sum != "" {
+		if idSum, err := digest.Parse("sha256:" + idOrDigest); err != nil || idSum.Validate() != nil {
+			return nil, errors.Wrapf(ErrInvalidReference, "%q does not look like an image ID", idOrDigest)
+		}
+		if err := sum.Validate(); err != nil {
+			return nil, errors.Wrapf(ErrInvalidReference, "%q does not look like an image digest", sum)
+		}
+		id = idOrDigest
+		if img, err := store.Image(idOrDigest); err == nil && img != nil && len(idOrDigest) >= minimumTruncatedIDLength && strings.HasPrefix(img.ID, idOrDigest) {
+			// The ID is a truncated version of the ID of an image that's present in local storage,
+			// so we might as well use the expanded value.
+			id = img.ID
+		}
+	} else if idOrDigest != "" {
+		// There was no middle portion, so the final portion could be either a digest or an ID.
+		if idSum, err := digest.Parse("sha256:" + idOrDigest); err == nil && idSum.Validate() == nil {
+			// It's an ID.
+			id = idOrDigest
+		} else if idSum, err := digest.Parse(idOrDigest); err == nil && idSum.Validate() == nil {
+			// It's a digest.
+			sum = idSum
+		} else if img, err := store.Image(idOrDigest); err == nil && img != nil && len(idOrDigest) >= minimumTruncatedIDLength && strings.HasPrefix(img.ID, idOrDigest) {
+			// It's a truncated version of the ID of an image that's present in local storage,
+			// and we may need the expanded value.
+			id = img.ID
+		} else {
+			return nil, errors.Wrapf(ErrInvalidReference, "%q does not look like a digest or image ID", idOrDigest)
+		}
 	}
+
+	// If we only had one portion, then _maybe_ it's a truncated image ID.  Only check on that if it's
+	// at least of what we guess is a reasonable minimum length, because we don't want a really short value
+	// like "a" matching an image by ID prefix when the input was actually meant to specify an image name.
+	if len(ref) >= minimumTruncatedIDLength && sum == "" && id == "" {
+		if img, err := store.Image(ref); err == nil && img != nil && strings.HasPrefix(img.ID, ref) {
+			// It's a truncated version of the ID of an image that's present in local storage;
+			// we need to expand it.
+			id = img.ID
+			ref = ""
+		}
+	}
+
+	// The initial portion is probably a name, possibly with a tag.
+	if ref != "" {
+		var err error
+		if name, err = reference.ParseNormalizedNamed(ref); err != nil {
+			return nil, errors.Wrapf(err, "error parsing named reference %q", ref)
+		}
+	}
+	if name == nil && sum == "" && id == "" {
+		return nil, errors.Errorf("error parsing reference")
+	}
+
+	// Construct a copy of the store spec.
+	optionsList := ""
+	options := store.GraphOptions()
+	if len(options) > 0 {
+		optionsList = ":" + strings.Join(options, ",")
+	}
+	storeSpec := "[" + store.GraphDriverName() + "@" + store.GraphRoot() + "+" + store.RunRoot() + optionsList + "]"
+
+	// Convert the name back into a reference string, if we got a name.
 	refname := ""
+	tag := ""
 	if name != nil {
-		name = reference.TagNameOnly(name)
-		refname = verboseName(name)
+		if sum.Validate() == nil {
+			canonical, err := reference.WithDigest(name, sum)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error mixing name %q with digest %q", name, sum)
+			}
+			refname = verboseName(canonical)
+		} else {
+			name = reference.TagNameOnly(name)
+			tagged, ok := name.(reference.Tagged)
+			if !ok {
+				return nil, errors.Errorf("error parsing possibly-tagless name %q", ref)
+			}
+			refname = verboseName(name)
+			tag = tagged.Tag()
+		}
 	}
 	if refname == "" {
-		logrus.Debugf("parsed reference into %q", storeSpec+"@"+id)
+		logrus.Debugf("parsed reference to id into %q", storeSpec+"@"+id)
 	} else if id == "" {
-		logrus.Debugf("parsed reference into %q", storeSpec+refname)
+		logrus.Debugf("parsed reference to refname into %q", storeSpec+refname)
 	} else {
-		logrus.Debugf("parsed reference into %q", storeSpec+refname+"@"+id)
+		logrus.Debugf("parsed reference to refname@id into %q", storeSpec+refname+"@"+id)
 	}
-	return newReference(storageTransport{store: store}, refname, id, name), nil
+	return newReference(storageTransport{store: store, defaultUIDMap: s.defaultUIDMap, defaultGIDMap: s.defaultGIDMap}, refname, id, name, tag, sum), nil
 }
 
 func (s *storageTransport) GetStore() (storage.Store, error) {
 	// Return the transport's previously-set store.  If we don't have one
 	// of those, initialize one now.
 	if s.store == nil {
-		store, err := storage.GetStore(storage.DefaultStoreOptions)
+		options := storage.DefaultStoreOptions
+		options.UIDMap = s.defaultUIDMap
+		options.GIDMap = s.defaultGIDMap
+		store, err := storage.GetStore(options)
 		if err != nil {
 			return nil, err
 		}
@@ -143,17 +251,16 @@ func (s *storageTransport) GetStore() (storage.Store, error) {
 	return s.store, nil
 }
 
-// ParseReference takes a name and/or an ID ("_name_"/"@_id_"/"_name_@_id_"),
+// ParseReference takes a name and a tag or digest and/or ID
+// ("_name_"/"@_id_"/"_name_:_tag_"/"_name_:_tag_@_id_"/"_name_@_digest_"/"_name_@_digest_@_id_"),
 // possibly prefixed with a store specifier in the form "[_graphroot_]" or
-// "[_driver_@_graphroot_]", tries to figure out which it is, and returns it in
-// a reference object.  If the _graphroot_ is a location other than the default,
-// it needs to have been previously opened using storage.GetStore(), so that it
-// can figure out which run root goes with the graph root.
+// "[_driver_@_graphroot_]" or "[_driver_@_graphroot_+_runroot_]" or
+// "[_driver_@_graphroot_:_options_]" or "[_driver_@_graphroot_+_runroot_:_options_]",
+// tries to figure out which it is, and returns it in a reference object.
+// If _id_ is the ID of an image that's present in local storage, it can be truncated, and
+// even be specified as if it were a _name_, value.
 func (s *storageTransport) ParseReference(reference string) (types.ImageReference, error) {
-	store, err := s.GetStore()
-	if err != nil {
-		return nil, err
-	}
+	var store storage.Store
 	// Check if there's a store location prefix.  If there is, then it
 	// needs to match a store that was previously initialized using
 	// storage.GetStore(), or be enough to let the storage library fill out
@@ -165,54 +272,88 @@ func (s *storageTransport) ParseReference(reference string) (types.ImageReferenc
 		}
 		storeSpec := reference[1:closeIndex]
 		reference = reference[closeIndex+1:]
-		storeInfo := strings.SplitN(storeSpec, "@", 2)
-		if len(storeInfo) == 1 && storeInfo[0] != "" {
-			// One component: the graph root.
-			if !filepath.IsAbs(storeInfo[0]) {
-				return nil, ErrPathNotAbsolute
+		// Peel off a "driver@" from the start.
+		driverInfo := ""
+		driverSplit := strings.SplitN(storeSpec, "@", 2)
+		if len(driverSplit) != 2 {
+			if storeSpec == "" {
+				return nil, ErrInvalidReference
 			}
-			store2, err := storage.GetStore(storage.StoreOptions{
-				GraphRoot: storeInfo[0],
-			})
-			if err != nil {
-				return nil, err
-			}
-			store = store2
-		} else if len(storeInfo) == 2 && storeInfo[0] != "" && storeInfo[1] != "" {
-			// Two components: the driver type and the graph root.
-			if !filepath.IsAbs(storeInfo[1]) {
-				return nil, ErrPathNotAbsolute
-			}
-			store2, err := storage.GetStore(storage.StoreOptions{
-				GraphDriverName: storeInfo[0],
-				GraphRoot:       storeInfo[1],
-			})
-			if err != nil {
-				return nil, err
-			}
-			store = store2
 		} else {
-			// Anything else: store specified in a form we don't
-			// recognize.
-			return nil, ErrInvalidReference
+			driverInfo = driverSplit[0]
+			if driverInfo == "" {
+				return nil, ErrInvalidReference
+			}
+			storeSpec = driverSplit[1]
+			if storeSpec == "" {
+				return nil, ErrInvalidReference
+			}
 		}
+		// Peel off a ":options" from the end.
+		var options []string
+		optionsSplit := strings.SplitN(storeSpec, ":", 2)
+		if len(optionsSplit) == 2 {
+			options = strings.Split(optionsSplit[1], ",")
+			storeSpec = optionsSplit[0]
+		}
+		// Peel off a "+runroot" from the new end.
+		runRootInfo := ""
+		runRootSplit := strings.SplitN(storeSpec, "+", 2)
+		if len(runRootSplit) == 2 {
+			runRootInfo = runRootSplit[1]
+			storeSpec = runRootSplit[0]
+		}
+		// The rest is our graph root.
+		rootInfo := storeSpec
+		// Check that any paths are absolute paths.
+		if rootInfo != "" && !filepath.IsAbs(rootInfo) {
+			return nil, ErrPathNotAbsolute
+		}
+		if runRootInfo != "" && !filepath.IsAbs(runRootInfo) {
+			return nil, ErrPathNotAbsolute
+		}
+		store2, err := storage.GetStore(storage.StoreOptions{
+			GraphDriverName:    driverInfo,
+			GraphRoot:          rootInfo,
+			RunRoot:            runRootInfo,
+			GraphDriverOptions: options,
+			UIDMap:             s.defaultUIDMap,
+			GIDMap:             s.defaultGIDMap,
+		})
+		if err != nil {
+			return nil, err
+		}
+		store = store2
+	} else {
+		// We didn't have a store spec, so use the default.
+		store2, err := s.GetStore()
+		if err != nil {
+			return nil, err
+		}
+		store = store2
 	}
 	return s.ParseStoreReference(store, reference)
 }
 
 func (s storageTransport) GetStoreImage(store storage.Store, ref types.ImageReference) (*storage.Image, error) {
 	dref := ref.DockerReference()
-	if dref == nil {
-		if sref, ok := ref.(*storageReference); ok {
-			if sref.id != "" {
-				if img, err := store.Image(sref.id); err == nil {
-					return img, nil
-				}
+	if dref != nil {
+		if img, err := store.Image(verboseName(dref)); err == nil {
+			return img, nil
+		}
+	}
+	if sref, ok := ref.(*storageReference); ok {
+		if sref.id != "" {
+			if img, err := store.Image(sref.id); err == nil {
+				return img, nil
 			}
 		}
-		return nil, ErrInvalidReference
+		tmpRef := *sref
+		if img, err := tmpRef.resolveImage(); err == nil {
+			return img, nil
+		}
 	}
-	return store.Image(verboseName(dref))
+	return nil, storage.ErrImageUnknown
 }
 
 func (s *storageTransport) GetImage(ref types.ImageReference) (*storage.Image, error) {
@@ -250,7 +391,7 @@ func (s storageTransport) ValidatePolicyConfigurationScope(scope string) error {
 			return ErrPathNotAbsolute
 		}
 	} else {
-		// Anything else: store specified in a form we don't
+		// Anything else: scope specified in a form we don't
 		// recognize.
 		return ErrInvalidReference
 	}
@@ -272,7 +413,7 @@ func (s storageTransport) ValidatePolicyConfigurationScope(scope string) error {
 		if err != nil {
 			return err
 		}
-		_, err = ddigest.Parse("sha256:" + scopeInfo[1])
+		_, err = digest.Parse("sha256:" + scopeInfo[1])
 		if err != nil {
 			return err
 		}
@@ -282,11 +423,28 @@ func (s storageTransport) ValidatePolicyConfigurationScope(scope string) error {
 	return nil
 }
 
-func verboseName(name reference.Named) string {
-	name = reference.TagNameOnly(name)
-	tag := ""
-	if tagged, ok := name.(reference.NamedTagged); ok {
-		tag = ":" + tagged.Tag()
+func verboseName(r reference.Reference) string {
+	if r == nil {
+		return ""
 	}
-	return name.Name() + tag
+	named, isNamed := r.(reference.Named)
+	digested, isDigested := r.(reference.Digested)
+	tagged, isTagged := r.(reference.Tagged)
+	name := ""
+	tag := ""
+	sum := ""
+	if isNamed {
+		name = (reference.TrimNamed(named)).String()
+	}
+	if isTagged {
+		if tagged.Tag() != "" {
+			tag = ":" + tagged.Tag()
+		}
+	}
+	if isDigested {
+		if digested.Digest().Validate() == nil {
+			sum = "@" + digested.Digest().String()
+		}
+	}
+	return name + tag + sum
 }

vendor/github.com/containers/image/tarball/doc.go

@@ -0,0 +1,48 @@
+// Package tarball provides a way to generate images using one or more layer
+// tarballs and an optional template configuration.
+//
+// An example:
+//	package main
+//
+//	import (
+//		"fmt"
+//
+//		cp "github.com/containers/image/copy"
+//		"github.com/containers/image/tarball"
+//		"github.com/containers/image/transports/alltransports"
+//
+//		imgspecv1 "github.com/containers/image/transports/alltransports"
+//	)
+//
+//	func imageFromTarball() {
+//		src, err := alltransports.ParseImageName("tarball:/var/cache/mock/fedora-26-x86_64/root_cache/cache.tar.gz")
+//		// - or -
+//		// src, err := tarball.Transport.ParseReference("/var/cache/mock/fedora-26-x86_64/root_cache/cache.tar.gz")
+//		if err != nil {
+//			panic(err)
+//		}
+//		updater, ok := src.(tarball.ConfigUpdater)
+//		if !ok {
+//			panic("unexpected: a tarball reference should implement tarball.ConfigUpdater")
+//		}
+//		config := imgspecv1.Image{
+//			Config: imgspecv1.ImageConfig{
+//				Cmd: []string{"/bin/bash"},
+//			},
+//		}
+//		annotations := make(map[string]string)
+//		annotations[imgspecv1.AnnotationDescription] = "test image built from a mock root cache"
+//		err = updater.ConfigUpdate(config, annotations)
+//		if err != nil {
+//			panic(err)
+//		}
+//		dest, err := alltransports.ParseImageName("docker-daemon:mock:latest")
+//		if err != nil {
+//			panic(err)
+//		}
+//		err = cp.Image(nil, dest, src, nil)
+//		if err != nil {
+//			panic(err)
+//		}
+//	}
+package tarball

vendor/github.com/containers/image/tarball/tarball_reference.go

@@ -0,0 +1,93 @@
+package tarball
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
+	"github.com/containers/image/types"
+
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ConfigUpdater is an interface that ImageReferences for "tarball" images also
+// implement.  It can be used to set values for a configuration, and to set
+// image annotations which will be present in the images returned by the
+// reference's NewImage() or NewImageSource() methods.
+type ConfigUpdater interface {
+	ConfigUpdate(config imgspecv1.Image, annotations map[string]string) error
+}
+
+type tarballReference struct {
+	transport   types.ImageTransport
+	config      imgspecv1.Image
+	annotations map[string]string
+	filenames   []string
+	stdin       []byte
+}
+
+// ConfigUpdate updates the image's default configuration and adds annotations
+// which will be visible in source images created using this reference.
+func (r *tarballReference) ConfigUpdate(config imgspecv1.Image, annotations map[string]string) error {
+	r.config = config
+	if r.annotations == nil {
+		r.annotations = make(map[string]string)
+	}
+	for k, v := range annotations {
+		r.annotations[k] = v
+	}
+	return nil
+}
+
+func (r *tarballReference) Transport() types.ImageTransport {
+	return r.transport
+}
+
+func (r *tarballReference) StringWithinTransport() string {
+	return strings.Join(r.filenames, ":")
+}
+
+func (r *tarballReference) DockerReference() reference.Named {
+	return nil
+}
+
+func (r *tarballReference) PolicyConfigurationIdentity() string {
+	return ""
+}
+
+func (r *tarballReference) PolicyConfigurationNamespaces() []string {
+	return nil
+}
+
+// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned ImageCloser.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+func (r *tarballReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+	src, err := r.NewImageSource(ctx)
+	if err != nil {
+		return nil, err
+	}
+	img, err := image.FromSource(ctx, src)
+	if err != nil {
+		src.Close()
+		return nil, err
+	}
+	return img, nil
+}
+
+func (r *tarballReference) DeleteImage(ctx *types.SystemContext) error {
+	for _, filename := range r.filenames {
+		if err := os.Remove(filename); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("error removing %q: %v", filename, err)
+		}
+	}
+	return nil
+}
+
+func (r *tarballReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return nil, fmt.Errorf(`"tarball:" locations can only be read from, not written to`)
+}

vendor/github.com/containers/image/tarball/tarball_src.go

@@ -0,0 +1,260 @@
+package tarball
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/containers/image/types"
+
+	digest "github.com/opencontainers/go-digest"
+	imgspecs "github.com/opencontainers/image-spec/specs-go"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type tarballImageSource struct {
+	reference  tarballReference
+	filenames  []string
+	diffIDs    []digest.Digest
+	diffSizes  []int64
+	blobIDs    []digest.Digest
+	blobSizes  []int64
+	blobTypes  []string
+	config     []byte
+	configID   digest.Digest
+	configSize int64
+	manifest   []byte
+}
+
+func (r *tarballReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	// Gather up the digests, sizes, and date information for all of the files.
+	filenames := []string{}
+	diffIDs := []digest.Digest{}
+	diffSizes := []int64{}
+	blobIDs := []digest.Digest{}
+	blobSizes := []int64{}
+	blobTimes := []time.Time{}
+	blobTypes := []string{}
+	for _, filename := range r.filenames {
+		var file *os.File
+		var err error
+		var blobSize int64
+		var blobTime time.Time
+		var reader io.Reader
+		if filename == "-" {
+			blobSize = int64(len(r.stdin))
+			blobTime = time.Now()
+			reader = bytes.NewReader(r.stdin)
+		} else {
+			file, err = os.Open(filename)
+			if err != nil {
+				return nil, fmt.Errorf("error opening %q for reading: %v", filename, err)
+			}
+			defer file.Close()
+			reader = file
+			fileinfo, err := file.Stat()
+			if err != nil {
+				return nil, fmt.Errorf("error reading size of %q: %v", filename, err)
+			}
+			blobSize = fileinfo.Size()
+			blobTime = fileinfo.ModTime()
+		}
+
+		// Default to assuming the layer is compressed.
+		layerType := imgspecv1.MediaTypeImageLayerGzip
+
+		// Set up to digest the file as it is.
+		blobIDdigester := digest.Canonical.Digester()
+		reader = io.TeeReader(reader, blobIDdigester.Hash())
+
+		// Set up to digest the file after we maybe decompress it.
+		diffIDdigester := digest.Canonical.Digester()
+		uncompressed, err := gzip.NewReader(reader)
+		if err == nil {
+			// It is compressed, so the diffID is the digest of the uncompressed version
+			reader = io.TeeReader(uncompressed, diffIDdigester.Hash())
+		} else {
+			// It is not compressed, so the diffID and the blobID are going to be the same
+			diffIDdigester = blobIDdigester
+			layerType = imgspecv1.MediaTypeImageLayer
+			uncompressed = nil
+		}
+		n, err := io.Copy(ioutil.Discard, reader)
+		if err != nil {
+			return nil, fmt.Errorf("error reading %q: %v", filename, err)
+		}
+		if uncompressed != nil {
+			uncompressed.Close()
+		}
+
+		// Grab our uncompressed and possibly-compressed digests and sizes.
+		filenames = append(filenames, filename)
+		diffIDs = append(diffIDs, diffIDdigester.Digest())
+		diffSizes = append(diffSizes, n)
+		blobIDs = append(blobIDs, blobIDdigester.Digest())
+		blobSizes = append(blobSizes, blobSize)
+		blobTimes = append(blobTimes, blobTime)
+		blobTypes = append(blobTypes, layerType)
+	}
+
+	// Build the rootfs and history for the configuration blob.
+	rootfs := imgspecv1.RootFS{
+		Type:    "layers",
+		DiffIDs: diffIDs,
+	}
+	created := time.Time{}
+	history := []imgspecv1.History{}
+	// Pick up the layer comment from the configuration's history list, if one is set.
+	comment := "imported from tarball"
+	if len(r.config.History) > 0 && r.config.History[0].Comment != "" {
+		comment = r.config.History[0].Comment
+	}
+	for i := range diffIDs {
+		createdBy := fmt.Sprintf("/bin/sh -c #(nop) ADD file:%s in %c", diffIDs[i].Hex(), os.PathSeparator)
+		history = append(history, imgspecv1.History{
+			Created:   &blobTimes[i],
+			CreatedBy: createdBy,
+			Comment:   comment,
+		})
+		// Use the mtime of the most recently modified file as the image's creation time.
+		if created.Before(blobTimes[i]) {
+			created = blobTimes[i]
+		}
+	}
+
+	// Pick up other defaults from the config in the reference.
+	config := r.config
+	if config.Created == nil {
+		config.Created = &created
+	}
+	if config.Architecture == "" {
+		config.Architecture = runtime.GOARCH
+	}
+	if config.OS == "" {
+		config.OS = runtime.GOOS
+	}
+	config.RootFS = rootfs
+	config.History = history
+
+	// Encode and digest the image configuration blob.
+	configBytes, err := json.Marshal(&config)
+	if err != nil {
+		return nil, fmt.Errorf("error generating configuration blob for %q: %v", strings.Join(r.filenames, separator), err)
+	}
+	configID := digest.Canonical.FromBytes(configBytes)
+	configSize := int64(len(configBytes))
+
+	// Populate a manifest with the configuration blob and the file as the single layer.
+	layerDescriptors := []imgspecv1.Descriptor{}
+	for i := range blobIDs {
+		layerDescriptors = append(layerDescriptors, imgspecv1.Descriptor{
+			Digest:    blobIDs[i],
+			Size:      blobSizes[i],
+			MediaType: blobTypes[i],
+		})
+	}
+	annotations := make(map[string]string)
+	for k, v := range r.annotations {
+		annotations[k] = v
+	}
+	manifest := imgspecv1.Manifest{
+		Versioned: imgspecs.Versioned{
+			SchemaVersion: 2,
+		},
+		Config: imgspecv1.Descriptor{
+			Digest:    configID,
+			Size:      configSize,
+			MediaType: imgspecv1.MediaTypeImageConfig,
+		},
+		Layers:      layerDescriptors,
+		Annotations: annotations,
+	}
+
+	// Encode the manifest.
+	manifestBytes, err := json.Marshal(&manifest)
+	if err != nil {
+		return nil, fmt.Errorf("error generating manifest for %q: %v", strings.Join(r.filenames, separator), err)
+	}
+
+	// Return the image.
+	src := &tarballImageSource{
+		reference:  *r,
+		filenames:  filenames,
+		diffIDs:    diffIDs,
+		diffSizes:  diffSizes,
+		blobIDs:    blobIDs,
+		blobSizes:  blobSizes,
+		blobTypes:  blobTypes,
+		config:     configBytes,
+		configID:   configID,
+		configSize: configSize,
+		manifest:   manifestBytes,
+	}
+
+	return src, nil
+}
+
+func (is *tarballImageSource) Close() error {
+	return nil
+}
+
+func (is *tarballImageSource) GetBlob(blobinfo types.BlobInfo) (io.ReadCloser, int64, error) {
+	// We should only be asked about things in the manifest.  Maybe the configuration blob.
+	if blobinfo.Digest == is.configID {
+		return ioutil.NopCloser(bytes.NewBuffer(is.config)), is.configSize, nil
+	}
+	// Maybe one of the layer blobs.
+	for i := range is.blobIDs {
+		if blobinfo.Digest == is.blobIDs[i] {
+			// We want to read that layer: open the file or memory block and hand it back.
+			if is.filenames[i] == "-" {
+				return ioutil.NopCloser(bytes.NewBuffer(is.reference.stdin)), int64(len(is.reference.stdin)), nil
+			}
+			reader, err := os.Open(is.filenames[i])
+			if err != nil {
+				return nil, -1, fmt.Errorf("error opening %q: %v", is.filenames[i], err)
+			}
+			return reader, is.blobSizes[i], nil
+		}
+	}
+	return nil, -1, fmt.Errorf("no blob with digest %q found", blobinfo.Digest.String())
+}
+
+// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
+// It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+func (is *tarballImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+	if instanceDigest != nil {
+		return nil, "", fmt.Errorf("manifest lists are not supported by the %q transport", transportName)
+	}
+	return is.manifest, imgspecv1.MediaTypeImageManifest, nil
+}
+
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+func (*tarballImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
+	if instanceDigest != nil {
+		return nil, fmt.Errorf("manifest lists are not supported by the %q transport", transportName)
+	}
+	return nil, nil
+}
+
+func (is *tarballImageSource) Reference() types.ImageReference {
+	return &is.reference
+}
+
+// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
+func (*tarballImageSource) LayerInfosForCopy() []types.BlobInfo {
+	return nil
+}

vendor/github.com/containers/image/tarball/tarball_transport.go

@@ -0,0 +1,66 @@
+package tarball
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+)
+
+const (
+	transportName = "tarball"
+	separator     = ":"
+)
+
+var (
+	// Transport implements the types.ImageTransport interface for "tarball:" images,
+	// which are makeshift images constructed using one or more possibly-compressed tar
+	// archives.
+	Transport = &tarballTransport{}
+)
+
+type tarballTransport struct {
+}
+
+func (t *tarballTransport) Name() string {
+	return transportName
+}
+
+func (t *tarballTransport) ParseReference(reference string) (types.ImageReference, error) {
+	var stdin []byte
+	var err error
+	filenames := strings.Split(reference, separator)
+	for _, filename := range filenames {
+		if filename == "-" {
+			stdin, err = ioutil.ReadAll(os.Stdin)
+			if err != nil {
+				return nil, fmt.Errorf("error buffering stdin: %v", err)
+			}
+			continue
+		}
+		f, err := os.Open(filename)
+		if err != nil {
+			return nil, fmt.Errorf("error opening %q: %v", filename, err)
+		}
+		f.Close()
+	}
+	ref := &tarballReference{
+		transport: t,
+		filenames: filenames,
+		stdin:     stdin,
+	}
+	return ref, nil
+}
+
+func (t *tarballTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// See the explanation in daemonReference.PolicyConfigurationIdentity.
+	return errors.New(`tarball: does not support any scopes except the default "" one`)
+}
+
+func init() {
+	transports.Register(Transport)
+}

vendor/github.com/containers/image/transports/alltransports/alltransports.go

@@ -10,10 +10,12 @@ import (
 	_ "github.com/containers/image/docker"
 	_ "github.com/containers/image/docker/archive"
 	_ "github.com/containers/image/docker/daemon"
+	_ "github.com/containers/image/oci/archive"
 	_ "github.com/containers/image/oci/layout"
 	_ "github.com/containers/image/openshift"
-	_ "github.com/containers/image/ostree"
-	_ "github.com/containers/image/storage"
+	_ "github.com/containers/image/tarball"
+	// The ostree transport is registered by ostree*.go
+	// The storage transport is registered by storage*.go
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
 	"github.com/pkg/errors"

vendor/github.com/containers/image/transports/alltransports/ostree.go

@@ -0,0 +1,8 @@
+// +build !containers_image_ostree_stub
+
+package alltransports
+
+import (
+	// Register the ostree transport
+	_ "github.com/containers/image/ostree"
+)

vendor/github.com/containers/image/transports/alltransports/ostree_stub.go

@@ -0,0 +1,9 @@
+// +build containers_image_ostree_stub
+
+package alltransports
+
+import "github.com/containers/image/transports"
+
+func init() {
+	transports.Register(transports.NewStubTransport("ostree"))
+}

vendor/github.com/containers/image/transports/alltransports/storage.go

@@ -0,0 +1,8 @@
+// +build !containers_image_storage_stub
+
+package alltransports
+
+import (
+	// Register the storage transport
+	_ "github.com/containers/image/storage"
+)

vendor/github.com/containers/image/transports/alltransports/storage_stub.go

@@ -0,0 +1,9 @@
+// +build containers_image_storage_stub
+
+package alltransports
+
+import "github.com/containers/image/transports"
+
+func init() {
+	transports.Register(transports.NewStubTransport("containers-storage"))
+}

vendor/github.com/containers/image/transports/stub.go

@@ -0,0 +1,36 @@
+package transports
+
+import (
+	"fmt"
+
+	"github.com/containers/image/types"
+)
+
+// stubTransport is an implementation of types.ImageTransport which has a name, but rejects any references with “the transport $name: is not supported in this build”.
+type stubTransport string
+
+// NewStubTransport returns an implementation of types.ImageTransport which has a name, but rejects any references with “the transport $name: is not supported in this build”.
+func NewStubTransport(name string) types.ImageTransport {
+	return stubTransport(name)
+}
+
+// Name returns the name of the transport, which must be unique among other transports.
+func (s stubTransport) Name() string {
+	return string(s)
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (s stubTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return nil, fmt.Errorf(`The transport "%s:" is not supported in this build`, string(s))
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (s stubTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// Allowing any reference in here allows tools with some transports stubbed-out to still
+	// use signature verification policies which refer to these stubbed-out transports.
+	// See also the treatment of unknown transports in policyTransportScopesWithTransport.UnmarshalJSON .
+	return nil
+}

vendor/github.com/containers/image/transports/transports.go

@@ -71,13 +71,19 @@ func ImageName(ref types.ImageReference) string {
 	return ref.Transport().Name() + ":" + ref.StringWithinTransport()
 }
 
-// ListNames returns a list of transport names
+// ListNames returns a list of non deprecated transport names.
+// Deprecated transports can be used, but are not presented to users.
 func ListNames() []string {
 	kt.mu.Lock()
 	defer kt.mu.Unlock()
+	deprecated := map[string]bool{
+		"atomic": true,
+	}
 	var names []string
 	for _, transport := range kt.transports {
-		names = append(names, transport.Name())
+		if !deprecated[transport.Name()] {
+			names = append(names, transport.Name())
+		}
 	}
 	sort.Strings(names)
 	return names

vendor/github.com/containers/image/types/types.go

@@ -1,6 +1,7 @@
 package types
 
 import (
+	"context"
 	"io"
 	"time"
 
@@ -72,16 +73,15 @@ type ImageReference interface {
 	// and each following element to be a prefix of the element preceding it.
 	PolicyConfigurationNamespaces() []string
 
-	// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
-	// The caller must call .Close() on the returned Image.
+	// NewImage returns a types.ImageCloser for this reference, possibly specialized for this ImageTransport.
+	// The caller must call .Close() on the returned ImageCloser.
 	// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 	// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-	NewImage(ctx *SystemContext) (Image, error)
-	// NewImageSource returns a types.ImageSource for this reference,
-	// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-	// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+	// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
+	NewImage(ctx *SystemContext) (ImageCloser, error)
+	// NewImageSource returns a types.ImageSource for this reference.
 	// The caller must call .Close() on the returned ImageSource.
-	NewImageSource(ctx *SystemContext, requestedManifestMIMETypes []string) (ImageSource, error)
+	NewImageSource(ctx *SystemContext) (ImageSource, error)
 	// NewImageDestination returns a types.ImageDestination for this reference.
 	// The caller must call .Close() on the returned ImageDestination.
 	NewImageDestination(ctx *SystemContext) (ImageDestination, error)
@@ -93,12 +93,14 @@ type ImageReference interface {
 // BlobInfo collects known information about a blob (layer/config).
 // In some situations, some fields may be unknown, in others they may be mandatory; documenting an “unknown” value here does not override that.
 type BlobInfo struct {
-	Digest digest.Digest // "" if unknown.
-	Size   int64         // -1 if unknown
-	URLs   []string
+	Digest      digest.Digest // "" if unknown.
+	Size        int64         // -1 if unknown
+	URLs        []string
+	Annotations map[string]string
+	MediaType   string
 }
 
-// ImageSource is a service, possibly remote (= slow), to download components of a single image.
+// ImageSource is a service, possibly remote (= slow), to download components of a single image or a named image set (manifest list).
 // This is primarily useful for copying images around; for examining their properties, Image (below)
 // is usually more useful.
 // Each ImageSource should eventually be closed by calling Close().
@@ -113,15 +115,21 @@ type ImageSource interface {
 	Close() error
 	// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 	// It may use a remote (= slow) service.
-	GetManifest() ([]byte, string, error)
-	// GetTargetManifest returns an image's manifest given a digest. This is mainly used to retrieve a single image's manifest
-	// out of a manifest list.
-	GetTargetManifest(digest digest.Digest) ([]byte, string, error)
+	// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
+	// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+	GetManifest(instanceDigest *digest.Digest) ([]byte, string, error)
 	// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-	// The Digest field in BlobInfo is guaranteed to be provided; Size may be -1.
+	// The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
 	GetBlob(BlobInfo) (io.ReadCloser, int64, error)
 	// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
-	GetSignatures() ([][]byte, error)
+	// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
+	// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+	// (e.g. if the source never returns manifest lists).
+	GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error)
+	// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer blobsums that are listed in the image's manifest.
+	// The Digest field is guaranteed to be provided; Size may be -1.
+	// WARNING: The list may contain duplicates, and they are semantically relevant.
+	LayerInfosForCopy() []BlobInfo
 }
 
 // ImageDestination is a service, possibly remote (= slow), to store components of a single image.
@@ -153,9 +161,10 @@ type ImageDestination interface {
 	AcceptsForeignLayerURLs() bool
 	// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
 	MustMatchRuntimeOS() bool
-	// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+	// PutBlob writes contents of stream and returns data representing the result.
 	// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
 	// inputInfo.Size is the expected length of stream, if known.
+	// inputInfo.MediaType describes the blob format, if known.
 	// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 	// to any other readers for download using the supplied digest.
 	// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
@@ -194,28 +203,35 @@ func (e ManifestTypeRejectedError) Error() string {
 // Thus, an UnparsedImage can be created from an ImageSource simply by fetching blobs without interpreting them,
 // allowing cryptographic signature verification to happen first, before even fetching the manifest, or parsing anything else.
 // This also makes the UnparsedImage→Image conversion an explicitly visible step.
-// Each UnparsedImage should eventually be closed by calling Close().
+//
+// An UnparsedImage is a pair of (ImageSource, instance digest); it can represent either a manifest list or a single image instance.
+//
+// The UnparsedImage must not be used after the underlying ImageSource is Close()d.
 type UnparsedImage interface {
 	// Reference returns the reference used to set up this source, _as specified by the user_
 	// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
 	Reference() ImageReference
-	// Close removes resources associated with an initialized UnparsedImage, if any.
-	Close() error
 	// Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
 	Manifest() ([]byte, string, error)
 	// Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-	Signatures() ([][]byte, error)
+	Signatures(ctx context.Context) ([][]byte, error)
+	// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer blobsums that are listed in the image's manifest.
+	// The Digest field is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
+	// WARNING: The list may contain duplicates, and they are semantically relevant.
+	LayerInfosForCopy() []BlobInfo
 }
 
 // Image is the primary API for inspecting properties of images.
-// Each Image should eventually be closed by calling Close().
+// An Image is based on a pair of (ImageSource, instance digest); it can represent either a manifest list or a single image instance.
+//
+// The Image must not be used after the underlying ImageSource is Close()d.
 type Image interface {
 	// Note that Reference may return nil in the return value of UpdatedImage!
 	UnparsedImage
 	// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
 	// Note that the config object may not exist in the underlying storage in the return value of UpdatedImage! Use ConfigBlob() below.
 	ConfigInfo() BlobInfo
-	// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
+	// ConfigBlob returns the blob described by ConfigInfo, if ConfigInfo().Digest != ""; nil otherwise.
 	// The result is cached; it is OK to call this however often you need.
 	ConfigBlob() ([]byte, error)
 	// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
@@ -223,7 +239,7 @@ type Image interface {
 	// old image manifests work (docker v2s1 especially).
 	OCIConfig() (*v1.Image, error)
 	// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
-	// The Digest field is guaranteed to be provided; Size may be -1.
+	// The Digest field is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
 	LayerInfos() []BlobInfo
 	// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
@@ -240,16 +256,23 @@ type Image interface {
 	// Everything in options.InformationOnly should be provided, other fields should be set only if a modification is desired.
 	// This does not change the state of the original Image object.
 	UpdatedImage(options ManifestUpdateOptions) (Image, error)
-	// IsMultiImage returns true if the image's manifest is a list of images, false otherwise.
-	IsMultiImage() bool
 	// Size returns an approximation of the amount of disk space which is consumed by the image in its current
 	// location.  If the size is not known, -1 will be returned.
 	Size() (int64, error)
 }
 
+// ImageCloser is an Image with a Close() method which must be called by the user.
+// This is returned by ImageReference.NewImage, which transparently instantiates a types.ImageSource,
+// to ensure that the ImageSource is closed.
+type ImageCloser interface {
+	Image
+	// Close removes resources associated with an initialized ImageCloser.
+	Close() error
+}
+
 // ManifestUpdateOptions is a way to pass named optional arguments to Image.UpdatedManifest
 type ManifestUpdateOptions struct {
-	LayerInfos              []BlobInfo // Complete BlobInfos (size+digest+urls) which should replace the originals, in order (the root layer first, and then successive layered layers)
+	LayerInfos              []BlobInfo // Complete BlobInfos (size+digest+urls+annotations) which should replace the originals, in order (the root layer first, and then successive layered layers). BlobInfos' MediaType fields are ignored.
 	EmbeddedDockerReference reference.Named
 	ManifestMIMEType        string
 	// The values below are NOT requests to modify the image; they provide optional context which may or may not be used.
@@ -283,7 +306,7 @@ type DockerAuthConfig struct {
 	Password string
 }
 
-// SystemContext allows parametrizing access to implicitly-accessed resources,
+// SystemContext allows parameterizing access to implicitly-accessed resources,
 // like configuration files in /etc and users' login state in their home directory.
 // Various components can share the same field only if their semantics is exactly
 // the same; if in doubt, add a new field.
@@ -302,6 +325,24 @@ type SystemContext struct {
 	SignaturePolicyPath string
 	// If not "", overrides the system's default path for registries.d (Docker signature storage configuration)
 	RegistriesDirPath string
+	// Path to the system-wide registries configuration file
+	SystemRegistriesConfPath string
+	// If not "", overrides the default path for the authentication file
+	AuthFilePath string
+	// If not "", overrides the use of platform.GOARCH when choosing an image or verifying architecture match.
+	ArchitectureChoice string
+	// If not "", overrides the use of platform.GOOS when choosing an image or verifying OS match.
+	OSChoice string
+
+	// === OCI.Transport overrides ===
+	// If not "", a directory containing a CA certificate (ending with ".crt"),
+	// a client certificate (ending with ".cert") and a client ceritificate key
+	// (ending with ".key") used when downloading OCI image layers.
+	OCICertPath string
+	// Allow downloading OCI image layers over HTTP, or HTTPS with failed TLS verification. Note that this does not affect other TLS connections.
+	OCIInsecureSkipTLSVerify bool
+	// If not "", use a shared directory for storing blobs rather than within OCI layouts
+	OCISharedBlobDirPath string
 
 	// === docker.Transport overrides ===
 	// If not "", a directory containing a CA certificate (ending with ".crt"),
@@ -310,8 +351,9 @@ type SystemContext struct {
 	DockerCertPath string
 	// If not "", overrides the system’s default path for a directory containing host[:port] subdirectories with the same structure as DockerCertPath above.
 	// Ignored if DockerCertPath is non-empty.
-	DockerPerHostCertDirPath    string
-	DockerInsecureSkipTLSVerify bool // Allow contacting docker registries over HTTP, or HTTPS with failed TLS verification. Note that this does not affect other TLS connections.
+	DockerPerHostCertDirPath string
+	// Allow contacting docker registries over HTTP, or HTTPS with failed TLS verification. Note that this does not affect other TLS connections.
+	DockerInsecureSkipTLSVerify bool
 	// if nil, the library tries to parse ~/.docker/config.json to retrieve credentials
 	DockerAuthConfig *DockerAuthConfig
 	// if not "", an User-Agent header is added to each request when contacting a registry.
@@ -322,6 +364,20 @@ type SystemContext struct {
 	DockerDisableV1Ping bool
 	// Directory to use for OSTree temporary files
 	OSTreeTmpDirPath string
+
+	// === docker/daemon.Transport overrides ===
+	// A directory containing a CA certificate (ending with ".crt"),
+	// a client certificate (ending with ".cert") and a client certificate key
+	// (ending with ".key") used when talking to a Docker daemon.
+	DockerDaemonCertPath string
+	// The hostname or IP to the Docker daemon. If not set (aka ""), client.DefaultDockerHost is assumed.
+	DockerDaemonHost string
+	// Used to skip TLS verification, off by default. To take effect DockerDaemonCertPath needs to be specified as well.
+	DockerDaemonInsecureSkipTLSVerify bool
+
+	// === dir.Transport overrides ===
+	// DirForceCompress compresses the image layers if set to true
+	DirForceCompress bool
 }
 
 // ProgressProperties is used to pass information from the copy code to a monitor which

vendor/github.com/containers/image/vendor.conf

@@ -1,9 +1,10 @@
-github.com/Sirupsen/logrus 7f4b1adc791766938c29457bed0703fb9134421a
-github.com/containers/storage 989b1c1d85f5dfe2076c67b54289cc13dc836c8c
+github.com/sirupsen/logrus v1.0.0
+github.com/containers/storage master
 github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
-github.com/docker/distribution df5327f76fb6468b84a87771e361762b8be23fdb
-github.com/docker/docker 75843d36aa5c3eaade50da005f9e0ff2602f3d5e
-github.com/docker/go-connections 7da10c8c50cad14494ec818dcdfb6506265c0086
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
+github.com/docker/docker 30eb4d8cdc422b023d5f11f29a82ecb73554183b
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
 github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
 github.com/docker/libtrust aabc10ec26b754e797f9028f4589c5b7bd90dc20
 github.com/ghodss/yaml 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
@@ -15,16 +16,16 @@ github.com/mattn/go-shellwords 005a0944d84452842197c2108bd9168ced206f78
 github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062
 github.com/mtrmac/gpgme b2432428689ca58c2b8e8dea9449d3295cf96fc9
 github.com/opencontainers/go-digest aa2ec055abd10d26d539eb630a92241b781ce4bc
-github.com/opencontainers/image-spec v1.0.0-rc6
+github.com/opencontainers/image-spec v1.0.0
 github.com/opencontainers/runc 6b1d0e76f239ffb435445e5ae316d2676c07c6e3
 github.com/pborman/uuid 1b00554d822231195d1babd97ff4a781231955c9
 github.com/pkg/errors 248dadf4e9068a0b3e79f02ed0a610d935de5302
 github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
 github.com/stretchr/testify 4d4bfba8f1d1027c4fdbe371823030df51419987
-github.com/vbatts/tar-split bd4c5d64c3e9297f410025a3b1bd0c58f659e721
+github.com/vbatts/tar-split v0.10.2
 golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8
 golang.org/x/net 6b27048ae5e6ad1ef927e72e437531493de612fe
-golang.org/x/sys 075e574b89e4c2d22f2286a7e2b919519c6f3547
+golang.org/x/sys 43e60d72a8e2bd92ee98319ba9a384a0e9837c08
 gopkg.in/cheggaaa/pb.v1 d7e6ca3010b6f084d8056847f55d7f572f180678
 gopkg.in/yaml.v2 a3f3340b5840cee44f372bddb5880fcbc419b46a
 k8s.io/client-go bcde30fb7eaed76fd98a36b4120321b94995ffb6
@@ -34,4 +35,6 @@ github.com/xeipuuv/gojsonpointer master
 github.com/tchap/go-patricia v2.2.6
 github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d
 github.com/BurntSushi/toml b26d9c308763d68093482582cea63d69be07a0f0
-github.com/ostreedev/ostree-go 61532f383f1f48e5c27080b0b9c8b022c3706a97
+github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
+github.com/gogo/protobuf fcdc5011193ff531a548e9b0301828d5a5b97fd8
+github.com/pquerna/ffjson master

vendor/github.com/containers/storage/README.md

@@ -1,6 +1,6 @@
 `storage` is a Go library which aims to provide methods for storing filesystem
-layers, container images, and containers.  An `oci-storage` CLI wrapper is also
-included for manual and scripting use.
+layers, container images, and containers.  A `containers-storage` CLI wrapper
+is also included for manual and scripting use.
 
 To build the CLI wrapper, use 'make build-binary'.