release skopeo v0.1.40

* vendor containers/image v5.0.0
* copy: add a --all/-a flag
* System tests: various fixes
* Temporarily work around auth.json location confusion
* systemtest: copy: docker->storage->oci-archive
* systemtest/010-inspect.bats: require only PATH
* systemtest: add simple env test in inspect.bats
* bash completion: add comments to keep scattered options in sync
* bash completion: use read -r instead of disabling SC2207
* bash completion: support --opt arg completion
* bash-completion: use replacement instead of sed
* bash completion: disable shellcheck SC2207
* bash completion: double-quote to avoid re-splitting
* bash completions: use bash replacement instead of sed
* bash completion: remove unused variable
* bash-completions: split decl and assignment to avoid masking retvals
* bash completion: double-quote fixes
* bash completion: hard-set PROG=skopeo
* bash completion: remove unused variable
* bash completion: use `||` instead of `-o`
* bash completion: rm eval on assigned variable
* copy: add --dest-compress-format and --dest-compress-level
* flag: add optionalIntValue
* Makefile: use go proxy
* inspect --raw: skip the NewImage() step
* update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
* inspect.go: inspect env variables
* ostree: use both image and & storage buildtags

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Makefile

@@ -1,5 +1,7 @@
 .PHONY: all binary build-container docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor
 
+export GOPROXY=https://proxy.golang.org
+
 ifeq ($(shell uname),Darwin)
 PREFIX ?= ${DESTDIR}/usr/local
 DARWIN_BUILD_TAG=containers_image_ostree_stub

cmd/skopeo/copy.go

@@ -6,11 +6,11 @@ import (
 	"io"
 	"strings"
 
-	"github.com/containers/image/copy"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/urfave/cli"
 )
@@ -24,7 +24,7 @@ type copyOptions struct {
 	signByFingerprint string          // Sign the image using a GPG key with the specified fingerprint
 	format            optionalString  // Force conversion of the image to a specified format
 	quiet             bool            // Suppress output information when copying images
-
+	all               bool            // Copy all of the images if the source is a list
 }
 
 func copyCmd(global *globalOptions) cli.Command {
@@ -62,6 +62,11 @@ func copyCmd(global *globalOptions) cli.Command {
 				Usage:       "Suppress output information when copying images",
 				Destination: &opts.quiet,
 			},
+			cli.BoolFlag{
+				Name:        "all, a",
+				Usage:       "Copy all images if SOURCE-IMAGE is a list",
+				Destination: &opts.all,
+			},
 			cli.BoolFlag{
 				Name:        "remove-signatures",
 				Usage:       "Do not copy signatures from SOURCE-IMAGE",
@@ -147,6 +152,10 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if opts.quiet {
 		stdout = nil
 	}
+	imageListSelection := copy.CopySystemImage
+	if opts.all {
+		imageListSelection = copy.CopyAllImages
+	}
 	_, err = copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
 		RemoveSignatures:      opts.removeSignatures,
 		SignBy:                opts.signByFingerprint,
@@ -154,6 +163,7 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 		SourceCtx:             sourceCtx,
 		DestinationCtx:        destinationCtx,
 		ForceManifestMIMEType: manifestType,
+		ImageListSelection:    imageListSelection,
 	})
 	return err
 }

cmd/skopeo/delete.go

@@ -6,8 +6,8 @@ import (
 	"io"
 	"strings"
 
-	"github.com/containers/image/transports"
-	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/urfave/cli"
 )
 

cmd/skopeo/flag.go

@@ -73,3 +73,37 @@ func (ob *optionalStringValue) String() string {
 	}
 	return ob.value
 }
+
+// optionalInt is a int with a separate presence flag.
+type optionalInt struct {
+	present bool
+	value   int
+}
+
+// optionalInt is a cli.Generic == flag.Value implementation equivalent to
+// the one underlying flag.Int, except that it records whether the flag has been set.
+// This is distinct from optionalInt to (pretend to) force callers to use
+// newoptionalIntValue
+type optionalIntValue optionalInt
+
+func newOptionalIntValue(p *optionalInt) cli.Generic {
+	p.present = false
+	return (*optionalIntValue)(p)
+}
+
+func (ob *optionalIntValue) Set(s string) error {
+	v, err := strconv.ParseInt(s, 0, strconv.IntSize)
+	if err != nil {
+		return err
+	}
+	ob.value = int(v)
+	ob.present = true
+	return nil
+}
+
+func (ob *optionalIntValue) String() string {
+	if !ob.present {
+		return "" // If the value is not present, just return an empty string, any other value wouldn't make sense.
+	}
+	return strconv.Itoa(int(ob.value))
+}

cmd/skopeo/inspect.go

@@ -7,9 +7,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containers/image/docker"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/transports"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/transports"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -28,6 +29,7 @@ type inspectOutput struct {
 	Architecture  string
 	Os            string
 	Layers        []string
+	Env           []string
 }
 
 type inspectOptions struct {
@@ -85,21 +87,40 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		return err
 	}
 
-	img, err := parseImage(ctx, opts.image, imageName)
+	sys, err := opts.image.newSystemContext()
 	if err != nil {
 		return err
 	}
 
+	src, err := parseImageSource(ctx, opts.image, imageName)
+	if err != nil {
+		return fmt.Errorf("Error parsing image name %q: %v", imageName, err)
+	}
+
 	defer func() {
-		if err := img.Close(); err != nil {
+		if err := src.Close(); err != nil {
 			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
 		}
 	}()
 
-	rawManifest, _, err := img.Manifest(ctx)
+	rawManifest, _, err := src.GetManifest(ctx, nil)
 	if err != nil {
-		return err
+		return fmt.Errorf("Error retrieving manifest for image: %v", err)
 	}
+
+	if opts.raw && !opts.config {
+		_, err := stdout.Write(rawManifest)
+		if err != nil {
+			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+		}
+		return nil
+	}
+
+	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
+	if err != nil {
+		return fmt.Errorf("Error parsing manifest for image: %v", err)
+	}
+
 	if opts.config && opts.raw {
 		configBlob, err := img.ConfigBlob(ctx)
 		if err != nil {
@@ -110,12 +131,6 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 			return fmt.Errorf("Error writing configuration blob to standard output: %v", err)
 		}
 		return nil
-	} else if opts.raw {
-		_, err := stdout.Write(rawManifest)
-		if err != nil {
-			return fmt.Errorf("Error writing manifest to standard output: %v", err)
-		}
-		return nil
 	} else if opts.config {
 		config, err := img.OCIConfig(ctx)
 		if err != nil {
@@ -127,6 +142,7 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		}
 		return nil
 	}
+
 	imgInspect, err := img.Inspect(ctx)
 	if err != nil {
 		return err
@@ -142,6 +158,7 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		Architecture:  imgInspect.Architecture,
 		Os:            imgInspect.Os,
 		Layers:        imgInspect.Layers,
+		Env:           imgInspect.Env,
 	}
 	outputData.Digest, err = manifest.Digest(rawManifest)
 	if err != nil {

cmd/skopeo/layers.go

@@ -7,10 +7,10 @@ import (
 	"os"
 	"strings"
 
-	"github.com/containers/image/directory"
-	"github.com/containers/image/image"
-	"github.com/containers/image/pkg/blobinfocache"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
@@ -142,9 +142,9 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if err != nil {
 		return err
 	}
-	if err := dest.PutManifest(ctx, manifest); err != nil {
+	if err := dest.PutManifest(ctx, manifest, nil); err != nil {
 		return err
 	}
 
-	return dest.Commit(ctx)
+	return dest.Commit(ctx, image.UnparsedInstance(rawSource, nil))
 }

cmd/skopeo/main.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/containers/image/signature"
+	"github.com/containers/image/v5/signature"
 	"github.com/containers/skopeo/version"
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/sirupsen/logrus"
@@ -22,7 +22,7 @@ type globalOptions struct {
 	tlsVerify          optionalBool  // Require HTTPS and verify certificates (for docker: and docker-daemon:)
 	policyPath         string        // Path to a signature verification policy file
 	insecurePolicy     bool          // Use an "allow everything" signature verification policy
-	registriesDirPath  string        // Path to a "registries.d" registry configuratio directory
+	registriesDirPath  string        // Path to a "registries.d" registry configuration directory
 	overrideArch       string        // Architecture to use for choosing images, instead of the runtime one
 	overrideOS         string        // OS to use for choosing images, instead of the runtime one
 	commandTimeout     time.Duration // Timeout for the command execution

cmd/skopeo/manifest.go

@@ -6,7 +6,7 @@ import (
 	"io"
 	"io/ioutil"
 
-	"github.com/containers/image/manifest"
+	"github.com/containers/image/v5/manifest"
 	"github.com/urfave/cli"
 )
 

cmd/skopeo/signing.go

@@ -7,7 +7,7 @@ import (
 	"io"
 	"io/ioutil"
 
-	"github.com/containers/image/signature"
+	"github.com/containers/image/v5/signature"
 	"github.com/urfave/cli"
 )
 

cmd/skopeo/signing_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/containers/image/signature"
+	"github.com/containers/image/v5/signature"
 	"github.com/opencontainers/go-digest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

cmd/skopeo/unshare_linux.go

@@ -2,8 +2,8 @@ package main
 
 import (
 	"github.com/containers/buildah/pkg/unshare"
-	"github.com/containers/image/storage"
-	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/v5/storage"
+	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/pkg/errors"
 	"github.com/syndtr/gocapability/capability"
 )

cmd/skopeo/utils.go

@@ -6,8 +6,9 @@ import (
 	"io"
 	"strings"
 
-	"github.com/containers/image/transports/alltransports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
 	"github.com/urfave/cli"
 )
 
@@ -147,15 +148,18 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 	if opts.noCreds {
 		ctx.DockerAuthConfig = &types.DockerAuthConfig{}
 	}
+
 	return ctx, nil
 }
 
 // imageDestOptions is a superset of imageOptions specialized for iamge destinations.
 type imageDestOptions struct {
 	*imageOptions
-	osTreeTmpDir                string // A directory to use for OSTree temporary files
-	dirForceCompression         bool   // Compress layers when saving to the dir: transport
-	ociAcceptUncompressedLayers bool   // Whether to accept uncompressed layers in the oci: transport
+	osTreeTmpDir                string      // A directory to use for OSTree temporary files
+	dirForceCompression         bool        // Compress layers when saving to the dir: transport
+	ociAcceptUncompressedLayers bool        // Whether to accept uncompressed layers in the oci: transport
+	compressionFormat           string      // Format to use for the compression
+	compressionLevel            optionalInt // Level to use for the compression
 }
 
 // imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
@@ -179,6 +183,16 @@ func imageDestFlags(global *globalOptions, shared *sharedImageOptions, flagPrefi
 			Usage:       "Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)",
 			Destination: &opts.ociAcceptUncompressedLayers,
 		},
+		cli.StringFlag{
+			Name:        flagPrefix + "compress-format",
+			Usage:       "`FORMAT` to use for the compression",
+			Destination: &opts.compressionFormat,
+		},
+		cli.GenericFlag{
+			Name:  flagPrefix + "compress-level",
+			Usage: "`LEVEL` to use for the compression",
+			Value: newOptionalIntValue(&opts.compressionLevel),
+		},
 	}...), &opts
 }
 
@@ -193,6 +207,16 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 	ctx.OSTreeTmpDirPath = opts.osTreeTmpDir
 	ctx.DirForceCompress = opts.dirForceCompression
 	ctx.OCIAcceptUncompressedLayers = opts.ociAcceptUncompressedLayers
+	if opts.compressionFormat != "" {
+		cf, err := compression.AlgorithmByName(opts.compressionFormat)
+		if err != nil {
+			return nil, err
+		}
+		ctx.CompressionFormat = &cf
+	}
+	if opts.compressionLevel.present {
+		ctx.CompressionLevel = &opts.compressionLevel.value
+	}
 	return ctx, err
 }
 

cmd/skopeo/utils_test.go

@@ -4,7 +4,7 @@ import (
 	"flag"
 	"testing"
 
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

completions/bash/skopeo

@@ -1,7 +1,5 @@
 #! /bin/bash
 
-: ${PROG:=$(basename ${BASH_SOURCE})}
-
 _complete_() {
     local options_with_args=$1
     local boolean_options="$2 -h --help"
@@ -10,7 +8,7 @@ _complete_() {
     local option_with_args
     for option_with_args in $options_with_args $transports
     do
-        if [ "$option_with_args" == "$prev" -o "$option_with_args" == "$cur" ]
+        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
         then
             return
         fi
@@ -18,13 +16,13 @@ _complete_() {
 
     case "$cur" in
         -*)
-            COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
             ;;
         *)
             if [ -n "$transports" ]
             then
                 compopt -o nospace
-                COMPREPLY=( $( compgen -W "$transports" -- "$cur" ) )
+                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
             fi
             ;;
     esac
@@ -33,7 +31,7 @@ _complete_() {
 _skopeo_supported_transports() {
     local subcommand=$1
 
-    ${PROG} $subcommand --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
+    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
 }
 
 _skopeo_copy() {
@@ -53,6 +51,7 @@ _skopeo_copy() {
     "
 
     local boolean_options="
+    --all
     --dest-compress
     --remove-signatures
     --src-no-creds
@@ -60,8 +59,9 @@ _skopeo_copy() {
     --dest-oci-accept-uncompressed-layers
     "
 
-    local transports="
-    $(_skopeo_supported_transports $(echo $FUNCNAME | sed 's/_skopeo_//'))
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
     "
 
     _complete_ "$options_with_args" "$boolean_options" "$transports"
@@ -80,8 +80,9 @@ _skopeo_inspect() {
      --no-creds
     "
 
-    local transports="
-    $(_skopeo_supported_transports $(echo $FUNCNAME | sed 's/_skopeo_//'))
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
     "
 
     _complete_ "$options_with_args" "$boolean_options" "$transports"
@@ -123,8 +124,9 @@ _skopeo_delete() {
      --no-creds
      "
 
-    local transports="
-    $(_skopeo_supported_transports $(echo $FUNCNAME | sed 's/_skopeo_//'))
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
     "
 
     _complete_ "$options_with_args" "$boolean_options" "$transports"
@@ -142,6 +144,8 @@ _skopeo_layers() {
 }
 
 _skopeo_skopeo() {
+     # XXX: Changes here need to be refleceted in the manually expanded
+     # string in the `case` statement below as well.
      local options_with_args="
        --policy
        --registries.d
@@ -155,26 +159,28 @@ _skopeo_skopeo() {
        --version -v
        --help -h
      "
-     commands=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
 
      case "$prev" in
-         $main_options_with_args_glob )
+         # XXX: Changes here need to be refleceted in $options_with_args as well.
+         --policy|--registries.d|--override-arch|--override-os|--command-timeout)
              return
              ;;
      esac
 
      case "$cur" in
          -*)
-             COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
              ;;
          *)
-             COMPREPLY=( $( compgen -W "${commands[*]} help" -- "$cur" ) )
+             commands=$( "${COMP_WORDS[@]:0:$COMP_CWORD}" --generate-bash-completion )
+
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
              ;;
      esac
 }
 
 _cli_bash_autocomplete() {
-     local cur opts base
+     local cur
 
      COMPREPLY=()
      cur="${COMP_WORDS[COMP_CWORD]}"
@@ -183,15 +189,12 @@ _cli_bash_autocomplete() {
 
      _get_comp_words_by_ref -n : cur prev words cword
 
-     local command=${PROG} cpos=0
+     local command="skopeo" cpos=0
      local counter=1
-     counter=1
-     while [ $counter -lt $cword ]; do
+     while [ $counter -lt "$cword" ]; do
          case "${words[$counter]}" in
-             -*)
-                ;;
-             *)
-                 command=$(echo "${words[$counter]}" | sed 's/-/_/g')
+             skopeo|copy|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h)
+                 command="${words[$counter]//-/_}"
                  cpos=$counter
                  (( cpos++ ))
                  break
@@ -201,10 +204,9 @@ _cli_bash_autocomplete() {
      done
 
      local completions_func=_skopeo_${command}
-     declare -F $completions_func >/dev/null && $completions_func
+     declare -F "$completions_func" >/dev/null && $completions_func
 
-     eval "$previous_extglob_setting"
      return 0
 }
 
- complete -F _cli_bash_autocomplete $PROG
+ complete -F _cli_bash_autocomplete skopeo

docs/skopeo-copy.1.md

@@ -17,6 +17,12 @@ Uses the system's trust policy to validate images, rejects images not trusted by
 
 ## OPTIONS
 
+**--all**
+
+If _source-image_ refers to a list of images, instead of copying just the image which matches the current OS and
+architecture (subject to the use of the global --override-os and --override-arch options), attempt to copy all of
+the images in the list, and the list itself.
+
 **--authfile** _path_
 
 Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
@@ -58,6 +64,10 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec
 
 Existing signatures, if any, are preserved as well.
 
+**--dest-compress-format** _format_ Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+
+**--dest-compress-level** _format_ Specifies the compression level to use.  The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
+
 ## EXAMPLES
 
 To copy the layers of the docker.io busybox image to a local directory:

go.mod

@@ -3,64 +3,24 @@ module github.com/containers/skopeo
 go 1.12
 
 require (
-	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/Microsoft/go-winio v0.4.12 // indirect
-	github.com/Microsoft/hcsshim v0.8.6 // indirect
-	github.com/VividCortex/ewma v1.1.1 // indirect
-	github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8 // indirect
 	github.com/containers/buildah v1.8.4
-	github.com/containers/image v3.0.0+incompatible
-	github.com/containers/storage v1.12.10
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65 // indirect
+	github.com/containers/image/v5 v5.0.0
+	github.com/containers/storage v1.13.4
 	github.com/docker/docker v0.0.0-20180522102801-da99009bbb11
-	github.com/docker/docker-credential-helpers v0.6.0 // indirect
-	github.com/docker/go-connections v0.0.0-20180212134524-7beb39f0b969 // indirect
-	github.com/docker/go-units v0.0.0-20161020213227-8a7beacffa30 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/etcd-io/bbolt v1.3.2 // indirect
-	github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680 // indirect
+	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/go-check/check v0.0.0-20180628173108-788fd7840127
-	github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f // indirect
-	github.com/gorilla/context v0.0.0-20140604161150-14f550f51af5 // indirect
-	github.com/gorilla/mux v0.0.0-20140926153814-e444e69cbd2e // indirect
-	github.com/imdario/mergo v0.0.0-20141206190957-6633656539c1 // indirect
-	github.com/klauspost/compress v1.4.1 // indirect
-	github.com/klauspost/cpuid v1.2.0 // indirect
-	github.com/klauspost/pgzip v1.2.1 // indirect
-	github.com/kr/pretty v0.1.0 // indirect
-	github.com/mattn/go-isatty v0.0.4 // indirect
-	github.com/mattn/go-shellwords v1.0.5 // indirect
-	github.com/mistifyio/go-zfs v0.0.0-20160425201758-22c9b32c84eb // indirect
-	github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c // indirect
-	github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2
-	github.com/opencontainers/image-spec v0.0.0-20180918080442-7b1e489870ac
+	github.com/opencontainers/go-digest v1.0.0-rc1
+	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
 	github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d
-	github.com/opencontainers/runc v1.0.0-rc6 // indirect
 	github.com/opencontainers/runtime-spec v1.0.0 // indirect
-	github.com/opencontainers/selinux v0.0.0-20190118194635-b707dfcb00a1 // indirect
-	github.com/ostreedev/ostree-go v0.0.0-20181204105935-56f3a639dbc0 // indirect
-	github.com/pborman/uuid v0.0.0-20160209185913-a97ce2ca70fa // indirect
 	github.com/pkg/errors v0.8.1
-	github.com/pmezard/go-difflib v0.0.0-20181226105442-5d4384ee4fb2 // indirect
-	github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13 // indirect
-	github.com/sirupsen/logrus v1.0.0
-	github.com/stretchr/testify v1.1.3
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sirupsen/logrus v1.4.2
+	github.com/stretchr/testify v1.4.0
 	github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
-	github.com/tchap/go-patricia v2.2.6+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.4 // indirect
 	github.com/urfave/cli v1.20.0
-	github.com/vbatts/tar-split v0.10.2 // indirect
-	github.com/vbauerster/mpb v3.4.0+incompatible // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
-	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.1.0 // indirect
 	go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect
-	golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 // indirect
-	golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0 // indirect
-	golang.org/x/sync v0.0.0-20181108010431-42b317875d0f // indirect
-	golang.org/x/sys v0.0.0-20170817234608-43e60d72a8e2 // indirect
-	golang.org/x/text v0.0.0-20181227161524-e6919f6577db // indirect
-	gopkg.in/yaml.v2 v2.0.0-20141029210843-d466437aa4ad // indirect
 	k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 // indirect
 )

go.sum

@@ -1,5 +1,8 @@
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774 h1:SCbEWT58NSt7d2mcFdvxC9uyrdcTfvBbPLThhkDmXzg=
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774/go.mod h1:6/0dYRLLXyJjbkIPeeGyoJ/eKOSI0eU6eTlCBYibgd0=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/DataDog/zstd v1.4.0/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/Microsoft/go-winio v0.4.12 h1:xAfWHN1IrQ0NJ9TBC0KBZoqLjzDTr1ML+4MywiUOryc=
 github.com/Microsoft/go-winio v0.4.12/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
@@ -10,52 +13,69 @@ github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8 h1:ZZOFPzvZO
 github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containers/buildah v1.8.4 h1:06c+UNeEWMa2wA1Z7muZ0ZqUzE91sDuZJbB0BiZaeYQ=
 github.com/containers/buildah v1.8.4/go.mod h1:1CsiLJvyU+h+wOjnqJJOWuJCVcMxZOr5HN/gHGdzJxY=
-github.com/containers/image v1.5.2-0.20190620105408-93b1deece293 h1:EalCgZ875kDCN2HcOch50q48GKerWGc5eV0BllCvln8=
-github.com/containers/image v1.5.2-0.20190620105408-93b1deece293/go.mod h1:8Vtij257IWSanUQKe1tAeNOm2sRVkSqQTVQ1IlwI3+M=
-github.com/containers/image v1.5.2-0.20190717062552-2178abd5f9b1 h1:RGlzwWSoGBbc5fgGysRrGAPLn8xQwihzRVPVDW5yQlo=
-github.com/containers/image v1.5.2-0.20190717062552-2178abd5f9b1/go.mod h1:8Vtij257IWSanUQKe1tAeNOm2sRVkSqQTVQ1IlwI3+M=
-github.com/containers/image v1.5.2-0.20190725091050-48acc3dcbb76 h1:+9unAKrV92Jvifb06UK8H4xTKf7h7XQDOsn4EC9eqH4=
-github.com/containers/image v1.5.2-0.20190725091050-48acc3dcbb76/go.mod h1:8Vtij257IWSanUQKe1tAeNOm2sRVkSqQTVQ1IlwI3+M=
-github.com/containers/image v2.0.0+incompatible h1:FTr6Br7jlIKNCKMjSOMbAxKp2keQ0//jzJaYNTVhauk=
-github.com/containers/image v2.0.0+incompatible/go.mod h1:8Vtij257IWSanUQKe1tAeNOm2sRVkSqQTVQ1IlwI3+M=
-github.com/containers/image v3.0.0+incompatible h1:pdUHY//H+3jYNnoTt+rqY8NsStX4ZBLKzPTlMC+XvnU=
-github.com/containers/image v3.0.0+incompatible/go.mod h1:8Vtij257IWSanUQKe1tAeNOm2sRVkSqQTVQ1IlwI3+M=
-github.com/containers/storage v1.12.10 h1:vw1aiLsZ1LvO09ELMxVBTe35tThRiMftI2cPeH+G5ow=
-github.com/containers/storage v1.12.10/go.mod h1:+RirK6VQAqskQlaTBrOG6ulDvn4si2QjFE1NZCn06MM=
+github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVgapSQ=
+github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+github.com/containers/image/v4 v4.0.2-0.20191021195858-69340234bfc6 h1:sFL2cwC0xjphJHpa6DXhka2jTLGI5HwbnAUSAKFhg2M=
+github.com/containers/image/v4 v4.0.2-0.20191021195858-69340234bfc6/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
+github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
+github.com/containers/storage v1.13.4/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65 h1:4zlOyrJUbYnrvlzChJ+jP2J3i77Jbhm336NEuCv7kZo=
 github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v0.0.0-20171019062838-86f080cff091/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v0.0.0-20180522102801-da99009bbb11 h1:p8hSDXZgVhyh/C9bPlG8QMY64VeXtVfjmjIlzaQok5Q=
 github.com/docker/docker v0.0.0-20180522102801-da99009bbb11/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.0 h1:5bhDRLn1roGiNjz8IezRngHxMfoeaXGyr0BeMHq4rD8=
 github.com/docker/docker-credential-helpers v0.6.0/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/go-connections v0.0.0-20180212134524-7beb39f0b969 h1:p2WzwcFof6KwsloLgCiAKkU5DJSVgOKGdevswAmskvY=
 github.com/docker/go-connections v0.0.0-20180212134524-7beb39f0b969/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.0.0-20161020213227-8a7beacffa30 h1:dDGntbHn0CUgKCyVvmHcD+spha+/4+8hJv5nbZVS6R8=
-github.com/docker/go-units v0.0.0-20161020213227-8a7beacffa30/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
-github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0=
-github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680 h1:ZktWZesgun21uEDrwW7iEV1zPCGQldM2atlJZ3TdvVM=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
+github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
+github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
+github.com/etcd-io/bbolt v1.3.3 h1:gSJmxrs37LgTqR/oyJBWok6k6SvXEUerFTbltIhXkBM=
+github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
+github.com/ghodss/yaml v0.0.0-20161207003320-04f313413ffd h1:U3yHrYB7NWH2o3UFzJ1J+TknZqM9QQtF8KVIE6Qzrfs=
+github.com/ghodss/yaml v0.0.0-20161207003320-04f313413ffd/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-check/check v0.0.0-20180628173108-788fd7840127 h1:0gkP6mzaMqkmpcJYCFOLkIBwI7xFExG03bbkOkCvUPI=
 github.com/go-check/check v0.0.0-20180628173108-788fd7840127/go.mod h1:9ES+weclKsC9YodN5RgxqK/VD9HM9JsCSh7rNhMZE98=
 github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f h1:r/AdTzqktq9nQpFlFePWcp+scVi+oFRajfjRJ3UnETg=
 github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gorilla/context v0.0.0-20140604161150-14f550f51af5 h1:yCHB2BCyFu0V6ChUHb8sF2VodD5B0PAgPDoCxBE7ICQ=
-github.com/gorilla/context v0.0.0-20140604161150-14f550f51af5/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v0.0.0-20140926153814-e444e69cbd2e h1:nH09qCdJVZxw0nRVfm14xjXkw2puLyLPN56n4u+vTC0=
-github.com/gorilla/mux v0.0.0-20140926153814-e444e69cbd2e/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/imdario/mergo v0.0.0-20141206190957-6633656539c1 h1:FeeCi0I2Fu8kA8IXrdVPtGzym+mW9bzfj9f26EaES9k=
-github.com/imdario/mergo v0.0.0-20141206190957-6633656539c1/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
+github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v0.0.0-20170217192616-94e7d24fd285 h1:pBGAMRKP7Tpv4mOq+RgzKz+jAj+ylo9O8PiNoMmCuu8=
+github.com/gorilla/mux v0.0.0-20170217192616-94e7d24fd285/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/klauspost/compress v1.4.1 h1:8VMb5+0wMgdBykOV96DwNwKFQ+WTI4pzYURP99CcB9E=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.7.2 h1:liMOoeIvFpr9kEvalrZ7VVBA4wGf7zfOgwBjzz/5g2Y=
+github.com/klauspost/compress v1.7.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.8.1 h1:oygt2ychZFHOB6M9gUgajzgKrwRgHbGC77NwA4COVgI=
+github.com/klauspost/compress v1.8.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/cpuid v1.2.0 h1:NMpwD2G9JSFOE1/TJjGSo5zG7Yb2bTe7eq1jH+irmeE=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w=
+github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/pgzip v1.2.1 h1:oIPZROsWuPHpOdMVWLuJZXwgjhrW8r1yEX8UqMyeNHM=
 github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -65,74 +85,100 @@ github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-shellwords v1.0.5 h1:JhhFTIOslh5ZsPrpa3Wdg8bF0WI3b44EMblmU9wIsXc=
 github.com/mattn/go-shellwords v1.0.5/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
-github.com/mistifyio/go-zfs v0.0.0-20160425201758-22c9b32c84eb h1:iTqJ2fjDnaldY7BXhfc15HkT769kWAstiz2bCmUrKAw=
-github.com/mistifyio/go-zfs v0.0.0-20160425201758-22c9b32c84eb/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
+github.com/mistifyio/go-zfs v2.1.1+incompatible h1:gAMO1HM9xBRONLHHYnu5iFsOJUiJdNZo6oqSENd4eW8=
+github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c h1:xa+eQWKuJ9MbB9FBL/eoNvDFvveAkz2LQoz8PzX7Q/4=
 github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA=
-github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 h1:QhPf3A2AZW3tTGvHPg0TA+CR3oHbVLlXUhlghqISp1I=
-github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/image-spec v0.0.0-20180918080442-7b1e489870ac h1:Y0AqP4onEqgQST60GE172L61SAFMZMHQgXbwLMyj418=
-github.com/opencontainers/image-spec v0.0.0-20180918080442-7b1e489870ac/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/mtrmac/image/v4 v4.0.0-20191002203927-a64d9d2717f4 h1:AE5cilZfrGtAgMg5Ed4c2Y2KczlOsMVZAK055sSq+gc=
+github.com/mtrmac/image/v4 v4.0.0-20191002203927-a64d9d2717f4/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+github.com/mtrmac/image/v4 v4.0.0-20191003181245-f4c983e93262 h1:HMUEnWU3OPT09JRFQLn8VTp3GfdfiEhDMAEhkdX8QnA=
+github.com/mtrmac/image/v4 v4.0.0-20191003181245-f4c983e93262/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+github.com/mtrmac/image/v4 v4.0.0-20191003205427-4e53c7e04270 h1:pDOlOCB9naHCcv/RXWO129Dd03r710hQ2N83egZIf7A=
+github.com/mtrmac/image/v4 v4.0.0-20191003205427-4e53c7e04270/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d h1:X9WSFjjZNqYRqO2MenUgqE2nj/oydcfIzXJ0R/SVnnA=
 github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d/go.mod h1:A9btVpZLzttF4iFaKNychhPyrhfOjJ1OF5KrA8GcLj4=
-github.com/opencontainers/runc v1.0.0-rc6 h1:7AoN22rYxxkmsJS48wFaziH/n0OvrZVqL/TglgHKbKQ=
-github.com/opencontainers/runc v1.0.0-rc6/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8 h1:dDCFes8Hj1r/i5qnypONo5jdOme/8HWZC/aNDyhECt0=
+github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v1.0.0 h1:O6L965K88AilqnxeYPks/75HLpp4IG+FjeSCI3cVdRg=
 github.com/opencontainers/runtime-spec v1.0.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v0.0.0-20190118194635-b707dfcb00a1 h1:V8Icxoi2vzXvXaH0wuUZR+oyDvyRISW/1fXiK69le8E=
-github.com/opencontainers/selinux v0.0.0-20190118194635-b707dfcb00a1/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
-github.com/ostreedev/ostree-go v0.0.0-20181204105935-56f3a639dbc0 h1:l8oDb3Ln30sysfGafRZJ9zNnzYfNyWy+w4fGZjii5rQ=
-github.com/ostreedev/ostree-go v0.0.0-20181204105935-56f3a639dbc0/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
-github.com/pborman/uuid v0.0.0-20160209185913-a97ce2ca70fa h1:l8VQbMdmwFH37kOOaWQ/cw24/u8AuBz5lUym13Wcu0Y=
-github.com/pborman/uuid v0.0.0-20160209185913-a97ce2ca70fa/go.mod h1:VyrYX9gd7irzKovcSS6BIIEwPRkP2Wm2m9ufcdFSJ34=
+github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4FtGEe8bFg=
+github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20181226105442-5d4384ee4fb2 h1:Dp6WLvjytJLgEEknBM9ie5JffieQzzdv2pNpwCJ6lQQ=
-github.com/pmezard/go-difflib v0.0.0-20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13 h1:AUK/hm/tPsiNNASdb3J8fySVRZoI7fnK5mlOvdFD43o=
-github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
-github.com/sirupsen/logrus v1.0.0 h1:XM8X4m/9ACaclZMs946FQNEZBZafvToJLTR4007drwo=
-github.com/sirupsen/logrus v1.0.0/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
-github.com/stretchr/testify v1.1.3 h1:76sIvNG1I8oBerx/MvuVHh5HBWBW7oxfsi3snKIsz5w=
-github.com/stretchr/testify v1.1.3/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7 h1:gGBSHPOU7g8YjTbhwn+lvFm2VDEhhA+PwDIlstkgSxE=
+github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9 h1:kyf9snWXHvQc+yxE9imhdI8YAm4oKeZISlaAR+x73zs=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/russross/blackfriday v2.0.0+incompatible h1:cBXrhZNUf9C+La9/YpS+UHpUT8YD6Td9ZMSU9APFcsk=
+github.com/russross/blackfriday v2.0.0+incompatible/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tchap/go-patricia v2.2.6+incompatible h1:JvoDL7JSoIP2HDE8AbDH3zC8QBPxmzYe32HHy5yQ+Ck=
-github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
-github.com/ulikunitz/xz v0.5.4 h1:zATC2OoZ8H1TZll3FpbX+ikwmadbO699PE06cIkm9oU=
-github.com/ulikunitz/xz v0.5.4/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
+github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
+github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
+github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/vbatts/tar-split v0.10.2 h1:CXd7HEKGkTLjBMinpObcJZU5Hm8EKlor2a1JtX6msXQ=
-github.com/vbatts/tar-split v0.10.2/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
-github.com/vbauerster/mpb v3.3.4+incompatible h1:DDIhnwmgTQIDZo+SWlEr5d6mJBxkOLBwCXPzunhEfJ4=
-github.com/vbauerster/mpb v3.3.4+incompatible/go.mod h1:zAHG26FUhVKETRu+MWqYXcI70POlC6N8up9p1dID7SU=
+github.com/vbatts/tar-split v0.11.1 h1:0Odu65rhcZ3JZaPHxl7tCI3V/C/Q9Zf82UFravl02dE=
+github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
 github.com/vbauerster/mpb v3.4.0+incompatible h1:mfiiYw87ARaeRW6x5gWwYRUawxaW1tLAD8IceomUCNw=
 github.com/vbauerster/mpb v3.4.0+incompatible/go.mod h1:zAHG26FUhVKETRu+MWqYXcI70POlC6N8up9p1dID7SU=
-github.com/vrothberg/image v0.0.0-20190717060034-cd5ce8239f51 h1:u4Hw4D3PLODtsZJ1FKi7j8bkd+zyJOc28dRSiVTOgyE=
-github.com/vrothberg/image v0.0.0-20190717060034-cd5ce8239f51/go.mod h1:/hIyjuUvIY6X2wGj/fbsA9zwlfAize8B2DLPishEHHg=
-github.com/vrothberg/image v0.0.0-20190718162835-cdafe647d2d8 h1:LpqO8V+oaT3eXrvKSminmqKWo2vhOdLgu1kp2/+fHAI=
-github.com/vrothberg/image v0.0.0-20190718162835-cdafe647d2d8/go.mod h1:/hIyjuUvIY6X2wGj/fbsA9zwlfAize8B2DLPishEHHg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b h1:6cLsL+2FW6dRAdl5iMtHgRogVCff0QpRi9653YmdcJA=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20190816131739-be0936907f66/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
+go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go4.org v0.0.0-20190218023631-ce4c26f7be8e h1:m9LfARr2VIOW0vsV19kEKp/sWQvZnGobA8JHui/XJoY=
 go4.org v0.0.0-20190218023631-ce4c26f7be8e/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0 h1:1DW40AJQ7AP4nY6ORUGUdkpXyEC9W2GAXcOPaMZK0K8=
-golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7 h1:rTIdg5QFRR7XCaK4LCjBiPbx8j4DQRpdYMnGn/bJUEU=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f h1:Bl/8QSvNqXvPGPGXa2z5xUTmV7VDcZyvRZ+QQXkXTZQ=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170817234608-43e60d72a8e2 h1:90z1vgEVOG718nzy69KGhEtYepBetip3OSWJjMnI8Bw=
-golang.org/x/sys v0.0.0-20170817234608-43e60d72a8e2/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/text v0.0.0-20181227161524-e6919f6577db h1:ERgn/rMlavvbd/tNSkNoiKxiwdqWKnOfIB/X6qFxWsM=
-golang.org/x/text v0.0.0-20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-gopkg.in/yaml.v2 v2.0.0-20141029210843-d466437aa4ad h1:3SOi6w/NEma/Ir04qIGumn/RZwbXRhJSM7gN9YN8Ajc=
-gopkg.in/yaml.v2 v2.0.0-20141029210843-d466437aa4ad/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb h1:fgwFCsaw9buMuxNd6+DQfAuSFqbNiQZpcgJQAgJsK6k=
+golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190902133755-9109b7679e13 h1:tdsQdquKbTNMsSZLqnLELJGzCANp9oXhu6zFBW6ODx4=
+golang.org/x/sys v0.0.0-20190902133755-9109b7679e13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20180810170437-e96c4e24768d/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v0.0.0-20190624233834-05ebafbffc79 h1:C+K4iPg1rIvmCf4JjelkbWv2jeWevEwp05Lz8XfTYgE=
+gotest.tools v0.0.0-20190624233834-05ebafbffc79/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
+k8s.io/client-go v0.0.0-20170217214107-bcde30fb7eae/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 h1:+Qf/nITucAbm09aIdxvoA+7X0BwaXmQGVoR8k7Ynk9o=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=

hack/ostree_tag.sh

@@ -1,6 +1,11 @@
 #!/bin/bash
-if pkg-config ostree-1 2> /dev/null ; then
-	echo ostree
-else
-	echo containers_image_ostree_stub
+
+if test $(${GO:-go} env GOOS) != "linux" ; then
+	exit 0
+fi
+
+if pkg-config ostree-1 &> /dev/null ; then
+	# ostree: used by containers/storage
+	# containers_image_ostree: used by containers/image
+	echo "ostree containers_image_ostree"
 fi

integration/copy_test.go

@@ -11,8 +11,9 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/signature"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/types"
 	"github.com/go-check/check"
 	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -26,6 +27,7 @@ func init() {
 const (
 	v2DockerRegistryURL   = "localhost:5555" // Update also policy.json
 	v2s1DockerRegistryURL = "localhost:5556"
+	knownWindowsOnlyImage = "docker://mcr.microsoft.com/windows/servercore:ltsc2019"
 )
 
 type CopySuite struct {
@@ -97,9 +99,382 @@ func (s *CopySuite) TestCopyWithManifestList(c *check.C) {
 	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "dir:"+dir)
 }
 
+func (s *CopySuite) TestCopyAllWithManifestList(c *check.C) {
+	dir, err := ioutil.TempDir("", "copy-all-manifest-list")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://estesp/busybox:latest", "dir:"+dir)
+}
+
+func (s *CopySuite) TestCopyAllWithManifestListRoundTrip(c *check.C) {
+	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://estesp/busybox:latest", "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir1, "oci:"+oci2)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci2, "dir:"+dir2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *CopySuite) TestCopyAllWithManifestListConverge(c *check.C) {
+	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://estesp/busybox:latest", "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "--format", "oci", "docker://estesp/busybox:latest", "dir:"+dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir2, "oci:"+oci2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *CopySuite) TestCopyWithManifestListConverge(c *check.C) {
+	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--format", "oci", "docker://estesp/busybox:latest", "dir:"+dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir2, "oci:"+oci2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *CopySuite) TestCopyAllWithManifestListStorageFails(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-storage")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	assertSkopeoFails(c, `.*destination transport .* does not support copying multiple images as a group.*`, "copy", "--all", "docker://estesp/busybox:latest", "containers-storage:"+storage+"test")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorage(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "containers-storage:"+storage+"test")
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test", "dir:"+dir2)
+	runDecompressDirs(c, "", dir1, dir2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageMultiple(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	assertSkopeoSucceeds(c, "", "--override-arch", "amd64", "copy", "docker://estesp/busybox:latest", "containers-storage:"+storage+"test")
+	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", "docker://estesp/busybox:latest", "containers-storage:"+storage+"test")
+	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", "docker://estesp/busybox:latest", "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test", "dir:"+dir2)
+	runDecompressDirs(c, "", dir1, dir2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+}
+
+func (s *CopySuite) TestCopyWithManifestListDigest(c *check.C) {
+	dir1, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	oci1, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox@"+digest, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://estesp/busybox@"+digest, "dir:"+dir2)
+	assertSkopeoSucceeds(c, "", "copy", "dir:"+dir1, "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "dir:"+dir2, "oci:"+oci2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test@"+digest, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox@"+digest, "dir:"+dir2)
+	runDecompressDirs(c, "", dir1, dir2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArches(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test@"+digest, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox@"+digest, "dir:"+dir2)
+	runDecompressDirs(c, "", dir1, dir2)
+	assertDirImagesAreEqual(c, dir1, dir2)
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesBothUseListDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-both")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	_, err = manifest.ListFromBlob([]byte(m), manifest.GuessMIMEType([]byte(m)))
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoSucceeds(c, "", "--override-arch=arm64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	i2 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	var image2 imgspecv1.Image
+	err = json.Unmarshal([]byte(i2), &image2)
+	c.Assert(err, check.IsNil)
+	c.Assert(image2.Architecture, check.Equals, "arm64")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesFirstUsesListDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-first")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	list, err := manifest.ListFromBlob([]byte(m), manifest.GuessMIMEType([]byte(m)))
+	c.Assert(err, check.IsNil)
+	amd64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "amd64"})
+	c.Assert(err, check.IsNil)
+	arm64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "arm64"})
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoSucceeds(c, "", "--override-arch=arm64", "copy", "docker://estesp/busybox@"+arm64Instance.String(), "containers-storage:"+storage+"test@"+arm64Instance.String())
+	i1 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	var image1 imgspecv1.Image
+	err = json.Unmarshal([]byte(i1), &image1)
+	c.Assert(err, check.IsNil)
+	c.Assert(image1.Architecture, check.Equals, "amd64")
+	i2 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+amd64Instance.String())
+	var image2 imgspecv1.Image
+	err = json.Unmarshal([]byte(i2), &image2)
+	c.Assert(err, check.IsNil)
+	c.Assert(image2.Architecture, check.Equals, "amd64")
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=arm64", "inspect", "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	i3 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+arm64Instance.String())
+	var image3 imgspecv1.Image
+	err = json.Unmarshal([]byte(i3), &image3)
+	c.Assert(err, check.IsNil)
+	c.Assert(image3.Architecture, check.Equals, "arm64")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesSecondUsesListDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-second")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	list, err := manifest.ListFromBlob([]byte(m), manifest.GuessMIMEType([]byte(m)))
+	c.Assert(err, check.IsNil)
+	amd64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "amd64"})
+	c.Assert(err, check.IsNil)
+	arm64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "arm64"})
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox@"+amd64Instance.String(), "containers-storage:"+storage+"test@"+amd64Instance.String())
+	assertSkopeoSucceeds(c, "", "--override-arch=arm64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	i1 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+amd64Instance.String())
+	var image1 imgspecv1.Image
+	err = json.Unmarshal([]byte(i1), &image1)
+	c.Assert(err, check.IsNil)
+	c.Assert(image1.Architecture, check.Equals, "amd64")
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	i2 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	var image2 imgspecv1.Image
+	err = json.Unmarshal([]byte(i2), &image2)
+	c.Assert(err, check.IsNil)
+	c.Assert(image2.Architecture, check.Equals, "arm64")
+	i3 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+arm64Instance.String())
+	var image3 imgspecv1.Image
+	err = json.Unmarshal([]byte(i3), &image3)
+	c.Assert(err, check.IsNil)
+	c.Assert(image3.Architecture, check.Equals, "arm64")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesThirdUsesListDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-third")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	list, err := manifest.ListFromBlob([]byte(m), manifest.GuessMIMEType([]byte(m)))
+	c.Assert(err, check.IsNil)
+	amd64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "amd64"})
+	c.Assert(err, check.IsNil)
+	arm64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "arm64"})
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox@"+amd64Instance.String(), "containers-storage:"+storage+"test@"+amd64Instance.String())
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoSucceeds(c, "", "--override-arch=arm64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	i1 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+amd64Instance.String())
+	var image1 imgspecv1.Image
+	err = json.Unmarshal([]byte(i1), &image1)
+	c.Assert(err, check.IsNil)
+	c.Assert(image1.Architecture, check.Equals, "amd64")
+	i2 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	var image2 imgspecv1.Image
+	err = json.Unmarshal([]byte(i2), &image2)
+	c.Assert(err, check.IsNil)
+	c.Assert(image2.Architecture, check.Equals, "arm64")
+	i3 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+arm64Instance.String())
+	var image3 imgspecv1.Image
+	err = json.Unmarshal([]byte(i3), &image3)
+	c.Assert(err, check.IsNil)
+	c.Assert(image3.Architecture, check.Equals, "arm64")
+}
+
+func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesTagAndDigest(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-tag-digest")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", "docker://estesp/busybox:latest")
+	manifestDigest, err := manifest.Digest([]byte(m))
+	c.Assert(err, check.IsNil)
+	digest := manifestDigest.String()
+	list, err := manifest.ListFromBlob([]byte(m), manifest.GuessMIMEType([]byte(m)))
+	c.Assert(err, check.IsNil)
+	amd64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "amd64"})
+	c.Assert(err, check.IsNil)
+	arm64Instance, err := list.ChooseInstance(&types.SystemContext{ArchitectureChoice: "arm64"})
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "--override-arch=amd64", "copy", "docker://estesp/busybox:latest", "containers-storage:"+storage+"test:latest")
+	assertSkopeoSucceeds(c, "", "--override-arch=arm64", "copy", "docker://estesp/busybox@"+digest, "containers-storage:"+storage+"test@"+digest)
+	assertSkopeoFails(c, `.*error reading manifest for image instance.*does not exist.*`, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	i1 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test:latest")
+	var image1 imgspecv1.Image
+	err = json.Unmarshal([]byte(i1), &image1)
+	c.Assert(err, check.IsNil)
+	c.Assert(image1.Architecture, check.Equals, "amd64")
+	i2 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test@"+amd64Instance.String())
+	var image2 imgspecv1.Image
+	err = json.Unmarshal([]byte(i2), &image2)
+	c.Assert(err, check.IsNil)
+	c.Assert(image2.Architecture, check.Equals, "amd64")
+	i3 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=amd64", "inspect", "--config", "containers-storage:"+storage+"test:latest")
+	var image3 imgspecv1.Image
+	err = json.Unmarshal([]byte(i3), &image3)
+	c.Assert(err, check.IsNil)
+	c.Assert(image3.Architecture, check.Equals, "amd64")
+	i4 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+arm64Instance.String())
+	var image4 imgspecv1.Image
+	err = json.Unmarshal([]byte(i4), &image4)
+	c.Assert(err, check.IsNil)
+	c.Assert(image4.Architecture, check.Equals, "arm64")
+	i5 := combinedOutputOfCommand(c, skopeoBinary, "--override-arch=arm64", "inspect", "--config", "containers-storage:"+storage+"test@"+digest)
+	var image5 imgspecv1.Image
+	err = json.Unmarshal([]byte(i5), &image5)
+	c.Assert(err, check.IsNil)
+	c.Assert(image5.Architecture, check.Equals, "arm64")
+}
+
 func (s *CopySuite) TestCopyFailsWhenImageOSDoesntMatchRuntimeOS(c *check.C) {
-	c.Skip("can't run this on Travis")
-	assertSkopeoFails(c, `.*image operating system "windows" cannot be used on "linux".*`, "copy", "docker://microsoft/windowsservercore", "containers-storage:test")
+	storage, err := ioutil.TempDir("", "copy-fails-image-doesnt-match-runtime")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	assertSkopeoFails(c, `.*no image found in manifest list for architecture .*, OS .*`, "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
+}
+
+func (s *CopySuite) TestCopySucceedsWhenImageDoesntMatchRuntimeButWeOverride(c *check.C) {
+	storage, err := ioutil.TempDir("", "copy-succeeds-image-doesnt-match-runtime-but-override")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(storage)
+	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
+	assertSkopeoSucceeds(c, "", "--override-os=windows", "--override-arch=amd64", "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
 }
 
 func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
@@ -157,7 +532,6 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest)
 	_, err = os.Stat(ociDest)
 	c.Assert(err, check.IsNil)
-
 }
 
 // Check whether dir: images in dir1 and dir2 are equal, ignoring schema1 signatures.

integration/decompress-dirs.sh

@@ -0,0 +1,23 @@
+#!/bin/bash -e
+# Account for differences between dir: images that are solely due to one being
+# compressed (fresh from a registry) and the other not being compressed (read
+# from storage, which decompressed it and had to reassemble the layer blobs).
+for dir in "$@" ; do
+    # Updating the manifest's blob digests may change the formatting, so
+    # use jq to get them into similar shape.
+    jq -M . "${dir}"/manifest.json > "${dir}"/manifest.json.tmp && mv "${dir}"/manifest.json.tmp "${dir}"/manifest.json
+    for candidate in "${dir}"/???????????????????????????????????????????????????????????????? ; do
+        # If a digest-identified file looks like it was compressed,
+        # decompress it, and replace its hash and size in the manifest
+        # with the values for their decompressed versions.
+        uncompressed=`zcat "${candidate}" 2> /dev/null | sha256sum | cut -c1-64`
+        if test $? -eq 0 ; then
+            if test "$uncompressed" != e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ; then
+                zcat "${candidate}" > "${dir}"/${uncompressed}
+                sed -r -i -e "s#sha256:$(basename ${candidate})#sha256:${uncompressed}#g" "${dir}"/manifest.json
+                sed -r -i -e "s#\"size\": $(wc -c < ${candidate}),#\"size\": $(wc -c < ${dir}/${uncompressed}),#g" "${dir}"/manifest.json
+                rm -f "${candidate}"
+            fi
+        fi
+    done
+done

integration/signing_test.go

@@ -8,7 +8,7 @@ import (
 	"os/exec"
 	"strings"
 
-	"github.com/containers/image/signature"
+	"github.com/containers/image/v5/signature"
 	"github.com/go-check/check"
 )
 

integration/utils.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"net"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -13,6 +14,7 @@ import (
 )
 
 const skopeoBinary = "skopeo"
+const decompressDirsBinary = "./decompress-dirs.sh"
 
 // consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
 func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
@@ -174,3 +176,27 @@ func fileFromFixture(c *check.C, inputPath string, edits map[string]string) stri
 	c.Assert(err, check.IsNil)
 	return path
 }
+
+// runDecompressDirs runs decompress-dirs.sh using exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and optionally that the output matches a multi-line regexp if it is nonempty; or terminates c on failure
+func runDecompressDirs(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
+	for i, dir := range args {
+		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		c.Assert(err, check.IsNil)
+		c.Logf("manifest %d before: %s", i+1, string(m))
+	}
+	out, err := exec.Command(decompressDirsBinary, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	for i, dir := range args {
+		if len(out) > 0 {
+			c.Logf("output: %s", out)
+		}
+		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		c.Assert(err, check.IsNil)
+		c.Logf("manifest %d after: %s", i+1, string(m))
+	}
+	if regexp != "" {
+		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	}
+}

systemtest/010-inspect.bats

@@ -64,4 +64,19 @@ Os                 linux
 END_EXPECT
 }
 
+@test "inspect: env" {
+    remote_image=docker://docker.io/fedora:latest
+    run_skopeo inspect $remote_image
+    inspect_remote=$output
+
+    # Simple check on 'inspect' output with environment variables.
+    #    1) Get remote image values of environment variables (the value of 'Env')
+    #    2) Confirm substring in check_array and the value of 'Env' match.
+    check_array=(PATH=.* )
+    remote=$(echo "$inspect_remote" | jq '.Env[]')
+    for substr in ${check_array[@]}; do
+        expect_output --from="$remote" --substring "$substr"
+    done
+}
+
 # vim: filetype=sh

systemtest/020-copy.bats

@@ -44,6 +44,21 @@ function setup() {
     diff -urN $dir1 $dir2
 }
 
+# Compression zstd
+@test "copy: oci, round trip, zstd" {
+    local remote_image=docker://busybox:latest
+
+    local dir=$TESTDIR/dir
+
+    run_skopeo copy --dest-compress --dest-compress-format=zstd $remote_image oci:$dir:latest
+
+    # zstd magic number
+    local magic=$(printf "\x28\xb5\x2f\xfd")
+
+    # Check there is at least one file that has the zstd magic number as the first 4 bytes
+    (for i in $dir/blobs/sha256/*; do test "$(head -c 4 $i)" = $magic && exit 0; done; exit 1)
+}
+
 # Same image, extracted once with :tag and once without
 @test "copy: oci w/ and w/o tags" {
     local remote_image=docker://busybox:latest
@@ -61,6 +76,15 @@ function setup() {
     grep '"org.opencontainers.image.ref.name":"withtag"' $dir2/index.json
 }
 
+# Registry -> storage -> oci-archive
+@test "copy: registry -> storage -> oci-archive" {
+    local alpine=docker.io/library/alpine:latest
+    local tmp=$TESTDIR/oci
+
+    run_skopeo copy docker://$alpine containers-storage:$alpine
+    run_skopeo copy containers-storage:$alpine oci-archive:$tmp
+}
+
 # This one seems unlikely to get fixed
 @test "copy: bug 651" {
     skip "Enable this once skopeo issue #651 has been fixed"

systemtest/040-local-registry-auth.bats

@@ -14,6 +14,15 @@ function setup() {
     mkdir -p $_cred_dir/containers
     rm -f $_cred_dir/containers/auth.json
 
+    # TODO: This is here to work around
+    # https://github.com/containers/libpod/issues/4227 in the
+    # "auth: credentials via podman login" test.
+    # It should be removed once a packaged version of podman which includes
+    # that fix is available in our CI environment, since we _want_ to be
+    # checking that podman and skopeo agree on the default for where registry
+    # credentials should be stored.
+    export REGISTRY_AUTH_FILE=$_cred_dir/containers/auth.json
+
     # Start authenticated registry with random password
     testuser=testuser
     testpassword=$(random_string 15)

systemtest/helpers.bash

@@ -106,6 +106,23 @@ function run_skopeo() {
     fi
 }
 
+#################
+#  log_and_run  #  log a command for later debugging, then run it
+#################
+#
+# When diagnosing a test failure,  it can be really nice to see the
+# more important commands that have been run in test setup: openssl,
+# podman registry, other complex commands that can give one a boost
+# when trying to reproduce problems. This simple wrapper takes a
+# command as its arg, echoes it to stdout (with a '$' prefix),
+# then runs the command. BATS does not show stdout unless there's
+# an error. Use this judiciously.
+#
+function log_and_run() {
+    echo "\$ $*"
+    "$@"
+}
+
 #########
 #  die  #  Abort with helpful message
 #########
@@ -282,7 +299,7 @@ start_registry() {
         fi
 
         if ! egrep -q "^$testuser:" $AUTHDIR/htpasswd; then
-            $PODMAN run --rm --entrypoint htpasswd registry:2 \
+            log_and_run $PODMAN run --rm --entrypoint htpasswd registry:2 \
                    -Bbn $testuser $testpassword >> $AUTHDIR/htpasswd
         fi
 
@@ -297,7 +314,7 @@ start_registry() {
     if [[ -n $create_cert ]]; then
         CERT=$AUTHDIR/domain.crt
         if [ ! -e $CERT ]; then
-            openssl req -newkey rsa:4096 -nodes -sha256 \
+            log_and_run openssl req -newkey rsa:4096 -nodes -sha256 \
                     -keyout $AUTHDIR/domain.key -x509 -days 2 \
                     -out $CERT \
                     -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
@@ -312,15 +329,15 @@ start_registry() {
         # test the client. (If client sees a matching .key file, it fails)
         # Thanks to Miloslav Trmac for this hint.
         mkdir -p $TESTDIR/client-auth
-        cp $CERT $TESTDIR/client-auth/
+        log_and_run cp $CERT $TESTDIR/client-auth/
     fi
 
-    $PODMAN run -d --name $name "${reg_args[@]}" registry:2
+    log_and_run $PODMAN run -d --name $name "${reg_args[@]}" registry:2
 
     # Wait for registry to actually come up
     timeout=10
     while [[ $timeout -ge 1 ]]; do
-        if curl localhost:$port/; then
+        if echo -n >/dev/tcp/127.0.0.1/$port; then
             return
         fi
 

vendor/github.com/containers/image/image/docker_list.go

@@ -1,94 +0,0 @@
-package image
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"runtime"
-
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
-	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
-)
-
-type platformSpec struct {
-	Architecture string   `json:"architecture"`
-	OS           string   `json:"os"`
-	OSVersion    string   `json:"os.version,omitempty"`
-	OSFeatures   []string `json:"os.features,omitempty"`
-	Variant      string   `json:"variant,omitempty"`
-	Features     []string `json:"features,omitempty"` // removed in OCI
-}
-
-// A manifestDescriptor references a platform-specific manifest.
-type manifestDescriptor struct {
-	manifest.Schema2Descriptor
-	Platform platformSpec `json:"platform"`
-}
-
-type manifestList struct {
-	SchemaVersion int                  `json:"schemaVersion"`
-	MediaType     string               `json:"mediaType"`
-	Manifests     []manifestDescriptor `json:"manifests"`
-}
-
-// chooseDigestFromManifestList parses blob as a schema2 manifest list,
-// and returns the digest of the image appropriate for the current environment.
-func chooseDigestFromManifestList(sys *types.SystemContext, blob []byte) (digest.Digest, error) {
-	wantedArch := runtime.GOARCH
-	if sys != nil && sys.ArchitectureChoice != "" {
-		wantedArch = sys.ArchitectureChoice
-	}
-	wantedOS := runtime.GOOS
-	if sys != nil && sys.OSChoice != "" {
-		wantedOS = sys.OSChoice
-	}
-
-	list := manifestList{}
-	if err := json.Unmarshal(blob, &list); err != nil {
-		return "", err
-	}
-	for _, d := range list.Manifests {
-		if d.Platform.Architecture == wantedArch && d.Platform.OS == wantedOS {
-			return d.Digest, nil
-		}
-	}
-	return "", fmt.Errorf("no image found in manifest list for architecture %s, OS %s", wantedArch, wantedOS)
-}
-
-func manifestSchema2FromManifestList(ctx context.Context, sys *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
-	targetManifestDigest, err := chooseDigestFromManifestList(sys, manblob)
-	if err != nil {
-		return nil, err
-	}
-	manblob, mt, err := src.GetManifest(ctx, &targetManifestDigest)
-	if err != nil {
-		return nil, err
-	}
-
-	matches, err := manifest.MatchesDigest(manblob, targetManifestDigest)
-	if err != nil {
-		return nil, errors.Wrap(err, "Error computing manifest digest")
-	}
-	if !matches {
-		return nil, errors.Errorf("Manifest image does not match selected manifest digest %s", targetManifestDigest)
-	}
-
-	return manifestInstanceFromBlob(ctx, sys, src, manblob, mt)
-}
-
-// ChooseManifestInstanceFromManifestList returns a digest of a manifest appropriate
-// for the current system from the manifest available from src.
-func ChooseManifestInstanceFromManifestList(ctx context.Context, sys *types.SystemContext, src types.UnparsedImage) (digest.Digest, error) {
-	// For now this only handles manifest.DockerV2ListMediaType; we can generalize it later,
-	// probably along with manifest list editing.
-	blob, mt, err := src.Manifest(ctx)
-	if err != nil {
-		return "", err
-	}
-	if mt != manifest.DockerV2ListMediaType {
-		return "", fmt.Errorf("Internal error: Trying to select an image from a non-manifest-list manifest type %s", mt)
-	}
-	return chooseDigestFromManifestList(sys, blob)
-}

vendor/github.com/containers/image/manifest/oci.go

@@ -1,130 +0,0 @@
-package manifest
-
-import (
-	"encoding/json"
-
-	"github.com/containers/image/types"
-	"github.com/opencontainers/go-digest"
-	"github.com/opencontainers/image-spec/specs-go"
-	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-)
-
-// BlobInfoFromOCI1Descriptor returns a types.BlobInfo based on the input OCI1 descriptor.
-func BlobInfoFromOCI1Descriptor(desc imgspecv1.Descriptor) types.BlobInfo {
-	return types.BlobInfo{
-		Digest:      desc.Digest,
-		Size:        desc.Size,
-		URLs:        desc.URLs,
-		Annotations: desc.Annotations,
-		MediaType:   desc.MediaType,
-	}
-}
-
-// OCI1 is a manifest.Manifest implementation for OCI images.
-// The underlying data from imgspecv1.Manifest is also available.
-type OCI1 struct {
-	imgspecv1.Manifest
-}
-
-// OCI1FromManifest creates an OCI1 manifest instance from a manifest blob.
-func OCI1FromManifest(manifest []byte) (*OCI1, error) {
-	oci1 := OCI1{}
-	if err := json.Unmarshal(manifest, &oci1); err != nil {
-		return nil, err
-	}
-	return &oci1, nil
-}
-
-// OCI1FromComponents creates an OCI1 manifest instance from the supplied data.
-func OCI1FromComponents(config imgspecv1.Descriptor, layers []imgspecv1.Descriptor) *OCI1 {
-	return &OCI1{
-		imgspecv1.Manifest{
-			Versioned: specs.Versioned{SchemaVersion: 2},
-			Config:    config,
-			Layers:    layers,
-		},
-	}
-}
-
-// OCI1Clone creates a copy of the supplied OCI1 manifest.
-func OCI1Clone(src *OCI1) *OCI1 {
-	return &OCI1{
-		Manifest: src.Manifest,
-	}
-}
-
-// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
-func (m *OCI1) ConfigInfo() types.BlobInfo {
-	return BlobInfoFromOCI1Descriptor(m.Config)
-}
-
-// LayerInfos returns a list of LayerInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
-// The Digest field is guaranteed to be provided; Size may be -1.
-// WARNING: The list may contain duplicates, and they are semantically relevant.
-func (m *OCI1) LayerInfos() []LayerInfo {
-	blobs := []LayerInfo{}
-	for _, layer := range m.Layers {
-		blobs = append(blobs, LayerInfo{
-			BlobInfo:   BlobInfoFromOCI1Descriptor(layer),
-			EmptyLayer: false,
-		})
-	}
-	return blobs
-}
-
-// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
-func (m *OCI1) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
-	if len(m.Layers) != len(layerInfos) {
-		return errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(m.Layers), len(layerInfos))
-	}
-	original := m.Layers
-	m.Layers = make([]imgspecv1.Descriptor, len(layerInfos))
-	for i, info := range layerInfos {
-		m.Layers[i].MediaType = original[i].MediaType
-		m.Layers[i].Digest = info.Digest
-		m.Layers[i].Size = info.Size
-		m.Layers[i].Annotations = info.Annotations
-		m.Layers[i].URLs = info.URLs
-	}
-	return nil
-}
-
-// Serialize returns the manifest in a blob format.
-// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
-func (m *OCI1) Serialize() ([]byte, error) {
-	return json.Marshal(*m)
-}
-
-// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-func (m *OCI1) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error) {
-	config, err := configGetter(m.ConfigInfo())
-	if err != nil {
-		return nil, err
-	}
-	v1 := &imgspecv1.Image{}
-	if err := json.Unmarshal(config, v1); err != nil {
-		return nil, err
-	}
-	d1 := &Schema2V1Image{}
-	json.Unmarshal(config, d1)
-	i := &types.ImageInspectInfo{
-		Tag:           "",
-		Created:       v1.Created,
-		DockerVersion: d1.DockerVersion,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-		Layers:        layerInfosToStrings(m.LayerInfos()),
-		Env:           d1.Config.Env,
-	}
-	return i, nil
-}
-
-// ImageID computes an ID which can uniquely identify this image by its contents.
-func (m *OCI1) ImageID([]digest.Digest) (string, error) {
-	if err := m.Config.Digest.Validate(); err != nil {
-		return "", err
-	}
-	return m.Config.Digest.Hex(), nil
-}

vendor/github.com/containers/image/pkg/compression/compression.go

@@ -1,94 +0,0 @@
-package compression
-
-import (
-	"bytes"
-	"compress/bzip2"
-	"io"
-	"io/ioutil"
-
-	"github.com/klauspost/pgzip"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"github.com/ulikunitz/xz"
-)
-
-// DecompressorFunc returns the decompressed stream, given a compressed stream.
-// The caller must call Close() on the decompressed stream (even if the compressed input stream does not need closing!).
-type DecompressorFunc func(io.Reader) (io.ReadCloser, error)
-
-// GzipDecompressor is a DecompressorFunc for the gzip compression algorithm.
-func GzipDecompressor(r io.Reader) (io.ReadCloser, error) {
-	return pgzip.NewReader(r)
-}
-
-// Bzip2Decompressor is a DecompressorFunc for the bzip2 compression algorithm.
-func Bzip2Decompressor(r io.Reader) (io.ReadCloser, error) {
-	return ioutil.NopCloser(bzip2.NewReader(r)), nil
-}
-
-// XzDecompressor is a DecompressorFunc for the xz compression algorithm.
-func XzDecompressor(r io.Reader) (io.ReadCloser, error) {
-	r, err := xz.NewReader(r)
-	if err != nil {
-		return nil, err
-	}
-	return ioutil.NopCloser(r), nil
-}
-
-// compressionAlgos is an internal implementation detail of DetectCompression
-var compressionAlgos = map[string]struct {
-	prefix       []byte
-	decompressor DecompressorFunc
-}{
-	"gzip":  {[]byte{0x1F, 0x8B, 0x08}, GzipDecompressor},                 // gzip (RFC 1952)
-	"bzip2": {[]byte{0x42, 0x5A, 0x68}, Bzip2Decompressor},                // bzip2 (decompress.c:BZ2_decompress)
-	"xz":    {[]byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}, XzDecompressor}, // xz (/usr/share/doc/xz/xz-file-format.txt)
-}
-
-// DetectCompression returns a DecompressorFunc if the input is recognized as a compressed format, nil otherwise.
-// Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
-func DetectCompression(input io.Reader) (DecompressorFunc, io.Reader, error) {
-	buffer := [8]byte{}
-
-	n, err := io.ReadAtLeast(input, buffer[:], len(buffer))
-	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
-		// This is a “real” error. We could just ignore it this time, process the data we have, and hope that the source will report the same error again.
-		// Instead, fail immediately with the original error cause instead of a possibly secondary/misleading error returned later.
-		return nil, nil, err
-	}
-
-	var decompressor DecompressorFunc
-	for name, algo := range compressionAlgos {
-		if bytes.HasPrefix(buffer[:n], algo.prefix) {
-			logrus.Debugf("Detected compression format %s", name)
-			decompressor = algo.decompressor
-			break
-		}
-	}
-	if decompressor == nil {
-		logrus.Debugf("No compression detected")
-	}
-
-	return decompressor, io.MultiReader(bytes.NewReader(buffer[:n]), input), nil
-}
-
-// AutoDecompress takes a stream and returns an uncompressed version of the
-// same stream.
-// The caller must call Close() on the returned stream (even if the input does not need,
-// or does not even support, closing!).
-func AutoDecompress(stream io.Reader) (io.ReadCloser, bool, error) {
-	decompressor, stream, err := DetectCompression(stream)
-	if err != nil {
-		return nil, false, errors.Wrapf(err, "Error detecting compression")
-	}
-	var res io.ReadCloser
-	if decompressor != nil {
-		res, err = decompressor(stream)
-		if err != nil {
-			return nil, false, errors.Wrapf(err, "Error initializing decompression")
-		}
-	} else {
-		res = ioutil.NopCloser(stream)
-	}
-	return res, decompressor != nil, nil
-}

vendor/github.com/containers/image/pkg/keyctl/sys_linux.go

@@ -1,121 +0,0 @@
-// Copyright 2015 Jesse Sipprell. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-// +build 386 amd64
-
-package keyctl
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-type keyctlCommand int
-
-type keyID int32
-
-const (
-	keySpecSessionKeyring keyID = -3
-	keySpecUserKeyring    keyID = -4
-)
-
-const (
-	keyctlGetKeyringID keyctlCommand = 0
-	keyctlSetPerm      keyctlCommand = 5
-	keyctlLink         keyctlCommand = 8
-	keyctlUnlink       keyctlCommand = 9
-	keyctlSearch       keyctlCommand = 10
-	keyctlRead         keyctlCommand = 11
-)
-
-func (id keyID) ID() int32 {
-	return int32(id)
-}
-
-func keyctl(cmd keyctlCommand, args ...uintptr) (r1 int32, r2 int32, err error) {
-	a := make([]uintptr, 6)
-	l := len(args)
-	if l > 5 {
-		l = 5
-	}
-	a[0] = uintptr(cmd)
-	for idx, v := range args[:l] {
-		a[idx+1] = v
-	}
-	v1, v2, errno := syscall.Syscall6(syscallKeyctl, a[0], a[1], a[2], a[3], a[4], a[5])
-	if errno != 0 {
-		err = errno
-		return
-	}
-
-	r1 = int32(v1)
-	r2 = int32(v2)
-	return
-}
-
-func addkey(keyType, keyDesc string, payload []byte, id int32) (int32, error) {
-	var (
-		err    error
-		errno  syscall.Errno
-		b1, b2 *byte
-		r1     uintptr
-		pptr   unsafe.Pointer
-	)
-
-	if b1, err = syscall.BytePtrFromString(keyType); err != nil {
-		return 0, err
-	}
-
-	if b2, err = syscall.BytePtrFromString(keyDesc); err != nil {
-		return 0, err
-	}
-
-	if len(payload) > 0 {
-		pptr = unsafe.Pointer(&payload[0])
-	}
-	r1, _, errno = syscall.Syscall6(syscallAddKey,
-		uintptr(unsafe.Pointer(b1)),
-		uintptr(unsafe.Pointer(b2)),
-		uintptr(pptr),
-		uintptr(len(payload)),
-		uintptr(id),
-		0)
-
-	if errno != 0 {
-		err = errno
-		return 0, err
-	}
-	return int32(r1), nil
-}
-
-func newKeyring(id keyID) (*keyring, error) {
-	r1, _, err := keyctl(keyctlGetKeyringID, uintptr(id), uintptr(1))
-	if err != nil {
-		return nil, err
-	}
-
-	if id < 0 {
-		r1 = int32(id)
-	}
-	return &keyring{id: keyID(r1)}, nil
-}
-
-func searchKeyring(id keyID, name, keyType string) (keyID, error) {
-	var (
-		r1     int32
-		b1, b2 *byte
-		err    error
-	)
-
-	if b1, err = syscall.BytePtrFromString(keyType); err != nil {
-		return 0, err
-	}
-	if b2, err = syscall.BytePtrFromString(name); err != nil {
-		return 0, err
-	}
-
-	r1, _, err = keyctl(keyctlSearch, uintptr(id), uintptr(unsafe.Pointer(b1)), uintptr(unsafe.Pointer(b2)))
-	return keyID(r1), err
-}

vendor/github.com/containers/image/pkg/keyctl/sys_linux_386.go

@@ -1,12 +0,0 @@
-// Copyright 2015 Jesse Sipprell. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package keyctl
-
-const (
-	syscallKeyctl uintptr = 288
-	syscallAddKey uintptr = 286
-)

vendor/github.com/containers/image/pkg/keyctl/sys_linux_amd64.go

@@ -1,12 +0,0 @@
-// Copyright 2015 Jesse Sipprell. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package keyctl
-
-const (
-	syscallKeyctl uintptr = 250
-	syscallAddKey uintptr = 248
-)

vendor/github.com/containers/image/v5/copy/copy.go

@@ -13,16 +13,16 @@ import (
 	"sync"
 	"time"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/blobinfocache"
-	"github.com/containers/image/pkg/compression"
-	"github.com/containers/image/signature"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
-	"github.com/klauspost/pgzip"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/vbauerster/mpb"
@@ -43,6 +43,9 @@ type digestingReader struct {
 // downloads.  Let's follow Firefox by limiting it to 6.
 var maxParallelDownloads = 6
 
+// compressionBufferSize is the buffer size used to compress a blob
+var compressionBufferSize = 1048576
+
 // newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
 // or set validationSucceeded/validationFailed to true if the source stream does/does not match expectedDigest.
 // (neither is set if EOF is never reached).
@@ -86,14 +89,16 @@ func (d *digestingReader) Read(p []byte) (int, error) {
 // copier allows us to keep track of diffID values for blobs, and other
 // data shared across one or more images in a possible manifest list.
 type copier struct {
-	dest             types.ImageDestination
-	rawSource        types.ImageSource
-	reportWriter     io.Writer
-	progressOutput   io.Writer
-	progressInterval time.Duration
-	progress         chan types.ProgressProperties
-	blobInfoCache    types.BlobInfoCache
-	copyInParallel   bool
+	dest              types.ImageDestination
+	rawSource         types.ImageSource
+	reportWriter      io.Writer
+	progressOutput    io.Writer
+	progressInterval  time.Duration
+	progress          chan types.ProgressProperties
+	blobInfoCache     types.BlobInfoCache
+	copyInParallel    bool
+	compressionFormat compression.Algorithm
+	compressionLevel  *int
 }
 
 // imageCopier tracks state specific to a single image (possibly an item of a manifest list)
@@ -106,6 +111,37 @@ type imageCopier struct {
 	canSubstituteBlobs bool
 }
 
+const (
+	// CopySystemImage is the default value which, when set in
+	// Options.ImageListSelection, indicates that the caller expects only one
+	// image to be copied, so if the source reference refers to a list of
+	// images, one that matches the current system will be selected.
+	CopySystemImage ImageListSelection = iota
+	// CopyAllImages is a value which, when set in Options.ImageListSelection,
+	// indicates that the caller expects to copy multiple images, and if
+	// the source reference refers to a list, that the list and every image
+	// to which it refers will be copied.  If the source reference refers
+	// to a list, the target reference can not accept lists, an error
+	// should be returned.
+	CopyAllImages
+	// CopySpecificImages is a value which, when set in
+	// Options.ImageListSelection, indicates that the caller expects the
+	// source reference to be either a single image or a list of images,
+	// and if the source reference is a list, wants only specific instances
+	// from it copied (or none of them, if the list of instances to copy is
+	// empty), along with the list itself.  If the target reference can
+	// only accept one image (i.e., it cannot accept lists), an error
+	// should be returned.
+	CopySpecificImages
+)
+
+// ImageListSelection is one of CopySystemImage, CopyAllImages, or
+// CopySpecificImages, to control whether, when the source reference is a list,
+// copy.Image() copies only an image which matches the current runtime
+// environment, or all images which match the supplied reference, or only
+// specific images from the source reference.
+type ImageListSelection int
+
 // Options allows supplying non-default configuration modifying the behavior of CopyImage.
 type Options struct {
 	RemoveSignatures bool   // Remove any pre-existing signatures. SignBy will still add a new signature.
@@ -117,12 +153,24 @@ type Options struct {
 	Progress         chan types.ProgressProperties // Reported to when ProgressInterval has arrived for a single artifact+offset.
 	// manifest MIME type of image set by user. "" is default and means use the autodetection to the the manifest MIME type
 	ForceManifestMIMEType string
+	ImageListSelection    ImageListSelection // set to either CopySystemImage (the default), CopyAllImages, or CopySpecificImages to control which instances we copy when the source reference is a list; ignored if the source reference is not a list
+	Instances             []digest.Digest    // if ImageListSelection is CopySpecificImages, copy only these instances and the list itself
+}
+
+// validateImageListSelection returns an error if the passed-in value is not one that we recognize as a valid ImageListSelection value
+func validateImageListSelection(selection ImageListSelection) error {
+	switch selection {
+	case CopySystemImage, CopyAllImages, CopySpecificImages:
+		return nil
+	default:
+		return errors.Errorf("Invalid value for options.ImageListSelection: %d", selection)
+	}
 }
 
 // Image copies image from srcRef to destRef, using policyContext to validate
 // source image admissibility.  It returns the manifest which was written to
 // the new copy of the image.
-func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (manifest []byte, retErr error) {
+func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (copiedManifest []byte, retErr error) {
 	// NOTE this function uses an output parameter for the error return value.
 	// Setting this and returning is the ideal way to return an error.
 	//
@@ -132,6 +180,10 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 		options = &Options{}
 	}
 
+	if err := validateImageListSelection(options.ImageListSelection); err != nil {
+		return nil, err
+	}
+
 	reportWriter := ioutil.Discard
 
 	if options.ReportWriter != nil {
@@ -166,6 +218,7 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 		progressOutput = ioutil.Discard
 	}
 	copyInParallel := dest.HasThreadSafePutBlob() && rawSource.HasThreadSafeGetBlob()
+
 	c := &copier{
 		dest:             dest,
 		rawSource:        rawSource,
@@ -179,6 +232,20 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 		// we might want to add a separate CommonCtx — or would that be too confusing?
 		blobInfoCache: blobinfocache.DefaultCache(options.DestinationCtx),
 	}
+	// Default to using gzip compression unless specified otherwise.
+	if options.DestinationCtx == nil || options.DestinationCtx.CompressionFormat == nil {
+		algo, err := compression.AlgorithmByName("gzip")
+		if err != nil {
+			return nil, err
+		}
+		c.compressionFormat = algo
+	} else {
+		c.compressionFormat = *options.DestinationCtx.CompressionFormat
+	}
+	if options.DestinationCtx != nil {
+		// Note that the compressionLevel can be nil.
+		c.compressionLevel = options.DestinationCtx.CompressionLevel
+	}
 
 	unparsedToplevel := image.UnparsedInstance(rawSource, nil)
 	multiImage, err := isMultiImage(ctx, unparsedToplevel)
@@ -187,79 +254,278 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 	}
 
 	if !multiImage {
-		// The simple case: Just copy a single image.
-		if manifest, err = c.copyOneImage(ctx, policyContext, options, unparsedToplevel); err != nil {
+		// The simple case: just copy a single image.
+		if copiedManifest, _, _, err = c.copyOneImage(ctx, policyContext, options, unparsedToplevel, unparsedToplevel, nil); err != nil {
 			return nil, err
 		}
-	} else {
-		// This is a manifest list. Choose a single image and copy it.
-		// FIXME: Copy to destinations which support manifest lists, one image at a time.
-		instanceDigest, err := image.ChooseManifestInstanceFromManifestList(ctx, options.SourceCtx, unparsedToplevel)
+	} else if options.ImageListSelection == CopySystemImage {
+		// This is a manifest list, and we weren't asked to copy multiple images.  Choose a single image that
+		// matches the current system to copy, and copy it.
+		mfest, manifestType, err := unparsedToplevel.Manifest(ctx)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Error reading manifest for %s", transports.ImageName(srcRef))
+		}
+		manifestList, err := manifest.ListFromBlob(mfest, manifestType)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Error parsing primary manifest as list for %s", transports.ImageName(srcRef))
+		}
+		instanceDigest, err := manifestList.ChooseInstance(options.SourceCtx) // try to pick one that matches options.SourceCtx
 		if err != nil {
 			return nil, errors.Wrapf(err, "Error choosing an image from manifest list %s", transports.ImageName(srcRef))
 		}
-		logrus.Debugf("Source is a manifest list; copying (only) instance %s", instanceDigest)
+		logrus.Debugf("Source is a manifest list; copying (only) instance %s for current system", instanceDigest)
 		unparsedInstance := image.UnparsedInstance(rawSource, &instanceDigest)
 
-		if manifest, err = c.copyOneImage(ctx, policyContext, options, unparsedInstance); err != nil {
+		if copiedManifest, _, _, err = c.copyOneImage(ctx, policyContext, options, unparsedToplevel, unparsedInstance, nil); err != nil {
+			return nil, err
+		}
+	} else { /* options.ImageListSelection == CopyAllImages or options.ImageListSelection == CopySpecificImages, */
+		// If we were asked to copy multiple images and can't, that's an error.
+		if !supportsMultipleImages(c.dest) {
+			return nil, errors.Errorf("Error copying multiple images: destination transport %q does not support copying multiple images as a group", destRef.Transport().Name())
+		}
+		// Copy some or all of the images.
+		switch options.ImageListSelection {
+		case CopyAllImages:
+			logrus.Debugf("Source is a manifest list; copying all instances")
+		case CopySpecificImages:
+			logrus.Debugf("Source is a manifest list; copying some instances")
+		}
+		if copiedManifest, _, err = c.copyMultipleImages(ctx, policyContext, options, unparsedToplevel); err != nil {
 			return nil, err
 		}
 	}
 
-	if err := c.dest.Commit(ctx); err != nil {
+	if err := c.dest.Commit(ctx, unparsedToplevel); err != nil {
 		return nil, errors.Wrap(err, "Error committing the finished image")
 	}
 
-	return manifest, nil
+	return copiedManifest, nil
 }
 
-// Image copies a single (on-manifest-list) image unparsedImage, using policyContext to validate
+// Checks if the destination supports accepting multiple images by checking if it can support
+// manifest types that are lists of other manifests.
+func supportsMultipleImages(dest types.ImageDestination) bool {
+	mtypes := dest.SupportedManifestMIMETypes()
+	if len(mtypes) == 0 {
+		// Anything goes!
+		return true
+	}
+	for _, mtype := range mtypes {
+		if manifest.MIMETypeIsMultiImage(mtype) {
+			return true
+		}
+	}
+	return false
+}
+
+// copyMultipleImages copies some or all of an image list's instances, using
+// policyContext to validate source image admissibility.
+func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signature.PolicyContext, options *Options, unparsedToplevel *image.UnparsedImage) (copiedManifest []byte, copiedManifestType string, retErr error) {
+	// Parse the list and get a copy of the original value after it's re-encoded.
+	manifestList, manifestType, err := unparsedToplevel.Manifest(ctx)
+	if err != nil {
+		return nil, "", errors.Wrapf(err, "Error reading manifest list")
+	}
+	list, err := manifest.ListFromBlob(manifestList, manifestType)
+	if err != nil {
+		return nil, "", errors.Wrapf(err, "Error parsing manifest list %q", string(manifestList))
+	}
+	originalList := list.Clone()
+
+	// Read and/or clear the set of signatures for this list.
+	var sigs [][]byte
+	if options.RemoveSignatures {
+		sigs = [][]byte{}
+	} else {
+		c.Printf("Getting image list signatures\n")
+		s, err := c.rawSource.GetSignatures(ctx, nil)
+		if err != nil {
+			return nil, "", errors.Wrap(err, "Error reading signatures")
+		}
+		sigs = s
+	}
+	if len(sigs) != 0 {
+		c.Printf("Checking if image list destination supports signatures\n")
+		if err := c.dest.SupportsSignatures(ctx); err != nil {
+			return nil, "", errors.Wrap(err, "Can not copy signatures")
+		}
+	}
+
+	// Determine if we'll need to convert the manifest list to a different format.
+	forceListMIMEType := options.ForceManifestMIMEType
+	switch forceListMIMEType {
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType, manifest.DockerV2Schema2MediaType:
+		forceListMIMEType = manifest.DockerV2ListMediaType
+	case imgspecv1.MediaTypeImageManifest:
+		forceListMIMEType = imgspecv1.MediaTypeImageIndex
+	}
+	selectedListType, err := c.determineListConversion(manifestType, c.dest.SupportedManifestMIMETypes(), forceListMIMEType)
+	if err != nil {
+		return nil, "", errors.Wrapf(err, "Error determining manifest list type to write to destination")
+	}
+	if selectedListType != list.MIMEType() {
+		canModifyManifestList := (len(sigs) == 0)
+		if !canModifyManifestList {
+			return nil, "", errors.Errorf("Error: manifest list must be converted to type %q to be written to destination, but that would invalidate signatures", selectedListType)
+		}
+	}
+
+	// Copy each image, or just the ones we want to copy, in turn.
+	instanceDigests := list.Instances()
+	imagesToCopy := len(instanceDigests)
+	if options.ImageListSelection == CopySpecificImages {
+		imagesToCopy = len(options.Instances)
+	}
+	c.Printf("Copying %d of %d images in list\n", imagesToCopy, len(instanceDigests))
+	updates := make([]manifest.ListUpdate, len(instanceDigests))
+	instancesCopied := 0
+	for i, instanceDigest := range instanceDigests {
+		if options.ImageListSelection == CopySpecificImages {
+			skip := true
+			for _, instance := range options.Instances {
+				if instance == instanceDigest {
+					skip = false
+					break
+				}
+			}
+			if skip {
+				update, err := list.Instance(instanceDigest)
+				if err != nil {
+					return nil, "", err
+				}
+				logrus.Debugf("Skipping instance %s (%d/%d)", instanceDigest, i+1, len(instanceDigests))
+				// Record the digest/size/type of the manifest that we didn't copy.
+				updates[i] = update
+				continue
+			}
+		}
+		logrus.Debugf("Copying instance %s (%d/%d)", instanceDigest, i+1, len(instanceDigests))
+		c.Printf("Copying image %s (%d/%d)\n", instanceDigest, instancesCopied+1, imagesToCopy)
+		unparsedInstance := image.UnparsedInstance(c.rawSource, &instanceDigest)
+		updatedManifest, updatedManifestType, updatedManifestDigest, err := c.copyOneImage(ctx, policyContext, options, unparsedToplevel, unparsedInstance, &instanceDigest)
+		if err != nil {
+			return nil, "", err
+		}
+		instancesCopied++
+		// Record the result of a possible conversion here.
+		update := manifest.ListUpdate{
+			Digest:    updatedManifestDigest,
+			Size:      int64(len(updatedManifest)),
+			MediaType: updatedManifestType,
+		}
+		updates[i] = update
+	}
+
+	// Now reset the digest/size/types of the manifests in the list to account for any conversions that we made.
+	if err = list.UpdateInstances(updates); err != nil {
+		return nil, "", errors.Wrapf(err, "Error updating manifest list")
+	}
+
+	// Check if the updates meaningfully changed the list of images.
+	listIsModified := false
+	if !reflect.DeepEqual(list.Instances(), originalList.Instances()) {
+		listIsModified = true
+	}
+
+	// Perform the list conversion.
+	if selectedListType != list.MIMEType() {
+		list, err = list.ConvertToMIMEType(selectedListType)
+		if err != nil {
+			return nil, "", errors.Wrapf(err, "Error converting manifest list to list with MIME type %q", selectedListType)
+		}
+	}
+
+	// If we can't use the original value, but we have to change it, flag an error.
+	if listIsModified {
+		manifestList, err = list.Serialize()
+		if err != nil {
+			return nil, "", errors.Wrapf(err, "Error encoding updated manifest list (%q: %#v)", list.MIMEType(), list.Instances())
+		}
+		logrus.Debugf("Manifest list has been updated")
+	}
+
+	// Save the manifest list.
+	c.Printf("Writing manifest list to image destination\n")
+	if err = c.dest.PutManifest(ctx, manifestList, nil); err != nil {
+		return nil, "", errors.Wrapf(err, "Error writing manifest list %q", string(manifestList))
+	}
+
+	// Sign the manifest list.
+	if options.SignBy != "" {
+		newSig, err := c.createSignature(manifestList, options.SignBy)
+		if err != nil {
+			return nil, "", err
+		}
+		sigs = append(sigs, newSig)
+	}
+
+	c.Printf("Storing list signatures\n")
+	if err := c.dest.PutSignatures(ctx, sigs, nil); err != nil {
+		return nil, "", errors.Wrap(err, "Error writing signatures")
+	}
+
+	return manifestList, selectedListType, nil
+}
+
+// copyOneImage copies a single (non-manifest-list) image unparsedImage, using policyContext to validate
 // source image admissibility.
-func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.PolicyContext, options *Options, unparsedImage *image.UnparsedImage) (manifestBytes []byte, retErr error) {
+func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.PolicyContext, options *Options, unparsedToplevel, unparsedImage *image.UnparsedImage, targetInstance *digest.Digest) (retManifest []byte, retManifestType string, retManifestDigest digest.Digest, retErr error) {
 	// The caller is handling manifest lists; this could happen only if a manifest list contains a manifest list.
 	// Make sure we fail cleanly in such cases.
 	multiImage, err := isMultiImage(ctx, unparsedImage)
 	if err != nil {
 		// FIXME FIXME: How to name a reference for the sub-image?
-		return nil, errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(unparsedImage.Reference()))
+		return nil, "", "", errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(unparsedImage.Reference()))
 	}
 	if multiImage {
-		return nil, fmt.Errorf("Unexpectedly received a manifest list instead of a manifest for a single image")
+		return nil, "", "", fmt.Errorf("Unexpectedly received a manifest list instead of a manifest for a single image")
 	}
 
 	// Please keep this policy check BEFORE reading any other information about the image.
-	// (the multiImage check above only matches the MIME type, which we have received anyway.
+	// (The multiImage check above only matches the MIME type, which we have received anyway.
 	// Actual parsing of anything should be deferred.)
 	if allowed, err := policyContext.IsRunningImageAllowed(ctx, unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
-		return nil, errors.Wrap(err, "Source image rejected")
+		return nil, "", "", errors.Wrap(err, "Source image rejected")
 	}
 	src, err := image.FromUnparsedImage(ctx, options.SourceCtx, unparsedImage)
 	if err != nil {
-		return nil, errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(c.rawSource.Reference()))
+		return nil, "", "", errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(c.rawSource.Reference()))
 	}
 
 	// If the destination is a digested reference, make a note of that, determine what digest value we're
-	// expecting, and check that the source manifest matches it.
+	// expecting, and check that the source manifest matches it.  If the source manifest doesn't, but it's
+	// one item from a manifest list that matches it, accept that as a match.
 	destIsDigestedReference := false
 	if named := c.dest.Reference().DockerReference(); named != nil {
 		if digested, ok := named.(reference.Digested); ok {
 			destIsDigestedReference = true
 			sourceManifest, _, err := src.Manifest(ctx)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Error reading manifest from source image")
+				return nil, "", "", errors.Wrapf(err, "Error reading manifest from source image")
 			}
 			matches, err := manifest.MatchesDigest(sourceManifest, digested.Digest())
 			if err != nil {
-				return nil, errors.Wrapf(err, "Error computing digest of source image's manifest")
+				return nil, "", "", errors.Wrapf(err, "Error computing digest of source image's manifest")
 			}
 			if !matches {
-				return nil, errors.New("Digest of source image's manifest would not match destination reference")
+				manifestList, _, err := unparsedToplevel.Manifest(ctx)
+				if err != nil {
+					return nil, "", "", errors.Wrapf(err, "Error reading manifest from source image")
+				}
+				matches, err = manifest.MatchesDigest(manifestList, digested.Digest())
+				if err != nil {
+					return nil, "", "", errors.Wrapf(err, "Error computing digest of source image's manifest")
+				}
+				if !matches {
+					return nil, "", "", errors.New("Digest of source image's manifest would not match destination reference")
+				}
 			}
 		}
 	}
 
 	if err := checkImageDestinationForCurrentRuntimeOS(ctx, options.DestinationCtx, src, c.dest); err != nil {
-		return nil, err
+		return nil, "", "", err
 	}
 
 	var sigs [][]byte
@@ -269,14 +535,14 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
 		c.Printf("Getting image source signatures\n")
 		s, err := src.Signatures(ctx)
 		if err != nil {
-			return nil, errors.Wrap(err, "Error reading signatures")
+			return nil, "", "", errors.Wrap(err, "Error reading signatures")
 		}
 		sigs = s
 	}
 	if len(sigs) != 0 {
 		c.Printf("Checking if image destination supports signatures\n")
 		if err := c.dest.SupportsSignatures(ctx); err != nil {
-			return nil, errors.Wrap(err, "Can not copy signatures")
+			return nil, "", "", errors.Wrap(err, "Can not copy signatures")
 		}
 	}
 
@@ -296,28 +562,29 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
 	ic.canSubstituteBlobs = ic.canModifyManifest && options.SignBy == ""
 
 	if err := ic.updateEmbeddedDockerReference(); err != nil {
-		return nil, err
+		return nil, "", "", err
 	}
 
 	// We compute preferredManifestMIMEType only to show it in error messages.
 	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
 	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := ic.determineManifestConversion(ctx, c.dest.SupportedManifestMIMETypes(), options.ForceManifestMIMEType)
 	if err != nil {
-		return nil, err
+		return nil, "", "", err
 	}
 
 	// If src.UpdatedImageNeedsLayerDiffIDs(ic.manifestUpdates) will be true, it needs to be true by the time we get here.
 	ic.diffIDsAreNeeded = src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates)
 
 	if err := ic.copyLayers(ctx); err != nil {
-		return nil, err
+		return nil, "", "", err
 	}
 
 	// With docker/distribution registries we do not know whether the registry accepts schema2 or schema1 only;
 	// and at least with the OpenShift registry "acceptschema2" option, there is no way to detect the support
 	// without actually trying to upload something and getting a types.ManifestTypeRejectedError.
 	// So, try the preferred manifest MIME type. If the process succeeds, fine…
-	manifestBytes, err = ic.copyUpdatedConfigAndManifest(ctx)
+	manifestBytes, retManifestDigest, err := ic.copyUpdatedConfigAndManifest(ctx, targetInstance)
+	retManifestType = preferredManifestMIMEType
 	if err != nil {
 		logrus.Debugf("Writing manifest using preferred type %s failed: %v", preferredManifestMIMEType, err)
 		// … if it fails, _and_ the failure is because the manifest is rejected, we may have other options.
@@ -325,14 +592,14 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
 			// We don’t have other options.
 			// In principle the code below would handle this as well, but the resulting  error message is fairly ugly.
 			// Don’t bother the user with MIME types if we have no choice.
-			return nil, err
+			return nil, "", "", err
 		}
 		// If the original MIME type is acceptable, determineManifestConversion always uses it as preferredManifestMIMEType.
 		// So if we are here, we will definitely be trying to convert the manifest.
 		// With !ic.canModifyManifest, that would just be a string of repeated failures for the same reason,
 		// so let’s bail out early and with a better error message.
 		if !ic.canModifyManifest {
-			return nil, errors.Wrap(err, "Writing manifest failed (and converting it is not possible)")
+			return nil, "", "", errors.Wrap(err, "Writing manifest failed (and converting it is not possible)")
 		}
 
 		// errs is a list of errors when trying various manifest types. Also serves as an "upload succeeded" flag when set to nil.
@@ -340,7 +607,7 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
 		for _, manifestMIMEType := range otherManifestMIMETypeCandidates {
 			logrus.Debugf("Trying to use manifest type %s…", manifestMIMEType)
 			ic.manifestUpdates.ManifestMIMEType = manifestMIMEType
-			attemptedManifest, err := ic.copyUpdatedConfigAndManifest(ctx)
+			attemptedManifest, attemptedManifestDigest, err := ic.copyUpdatedConfigAndManifest(ctx, targetInstance)
 			if err != nil {
 				logrus.Debugf("Upload of manifest type %s failed: %v", manifestMIMEType, err)
 				errs = append(errs, fmt.Sprintf("%s(%v)", manifestMIMEType, err))
@@ -349,28 +616,30 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
 
 			// We have successfully uploaded a manifest.
 			manifestBytes = attemptedManifest
+			retManifestDigest = attemptedManifestDigest
+			retManifestType = manifestMIMEType
 			errs = nil // Mark this as a success so that we don't abort below.
 			break
 		}
 		if errs != nil {
-			return nil, fmt.Errorf("Uploading manifest failed, attempted the following formats: %s", strings.Join(errs, ", "))
+			return nil, "", "", fmt.Errorf("Uploading manifest failed, attempted the following formats: %s", strings.Join(errs, ", "))
 		}
 	}
 
 	if options.SignBy != "" {
 		newSig, err := c.createSignature(manifestBytes, options.SignBy)
 		if err != nil {
-			return nil, err
+			return nil, "", "", err
 		}
 		sigs = append(sigs, newSig)
 	}
 
 	c.Printf("Storing signatures\n")
-	if err := c.dest.PutSignatures(ctx, sigs); err != nil {
-		return nil, errors.Wrap(err, "Error writing signatures")
+	if err := c.dest.PutSignatures(ctx, sigs, targetInstance); err != nil {
+		return nil, "", "", errors.Wrap(err, "Error writing signatures")
 	}
 
-	return manifestBytes, nil
+	return manifestBytes, retManifestType, retManifestDigest, nil
 }
 
 // Printf writes a formatted string to c.reportWriter.
@@ -535,12 +804,13 @@ func layerDigestsDiffer(a, b []types.BlobInfo) bool {
 }
 
 // copyUpdatedConfigAndManifest updates the image per ic.manifestUpdates, if necessary,
-// stores the resulting config and manifest to the destination, and returns the stored manifest.
-func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context) ([]byte, error) {
+// stores the resulting config and manifest to the destination, and returns the stored manifest
+// and its digest.
+func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, digest.Digest, error) {
 	pendingImage := ic.src
 	if !reflect.DeepEqual(*ic.manifestUpdates, types.ManifestUpdateOptions{InformationOnly: ic.manifestUpdates.InformationOnly}) {
 		if !ic.canModifyManifest {
-			return nil, errors.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
+			return nil, "", errors.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
 		}
 		if !ic.diffIDsAreNeeded && ic.src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates) {
 			// We have set ic.diffIDsAreNeeded based on the preferred MIME type returned by determineManifestConversion.
@@ -549,28 +819,35 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context) ([]byte
 			// when ic.c.dest.SupportedManifestMIMETypes() includes both s1 and s2, the upload using s1 failed, and we are now trying s2.
 			// Supposedly s2-only registries do not exist or are extremely rare, so failing with this error message is good enough for now.
 			// If handling such registries turns out to be necessary, we could compute ic.diffIDsAreNeeded based on the full list of manifest MIME type candidates.
-			return nil, errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
+			return nil, "", errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
 		}
 		pi, err := ic.src.UpdatedImage(ctx, *ic.manifestUpdates)
 		if err != nil {
-			return nil, errors.Wrap(err, "Error creating an updated image manifest")
+			return nil, "", errors.Wrap(err, "Error creating an updated image manifest")
 		}
 		pendingImage = pi
 	}
-	manifest, _, err := pendingImage.Manifest(ctx)
+	man, _, err := pendingImage.Manifest(ctx)
 	if err != nil {
-		return nil, errors.Wrap(err, "Error reading manifest")
+		return nil, "", errors.Wrap(err, "Error reading manifest")
 	}
 
 	if err := ic.c.copyConfig(ctx, pendingImage); err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	ic.c.Printf("Writing manifest to image destination\n")
-	if err := ic.c.dest.PutManifest(ctx, manifest); err != nil {
-		return nil, errors.Wrap(err, "Error writing manifest")
+	manifestDigest, err := manifest.Digest(man)
+	if err != nil {
+		return nil, "", err
 	}
-	return manifest, nil
+	if instanceDigest != nil {
+		instanceDigest = &manifestDigest
+	}
+	if err := ic.c.dest.PutManifest(ctx, man, instanceDigest); err != nil {
+		return nil, "", errors.Wrap(err, "Error writing manifest")
+	}
+	return man, manifestDigest, nil
 }
 
 // newProgressPool creates a *mpb.Progress and a cleanup function.
@@ -666,7 +943,7 @@ type diffIDResult struct {
 	err    error
 }
 
-// copyLayer copies a layer with srcInfo (with known Digest and possibly known Size) in src to dest, perhaps compressing it if canCompress,
+// copyLayer copies a layer with srcInfo (with known Digest and Annotations and possibly known Size) in src to dest, perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied layer, and a value for LayerDiffIDs if diffIDIsNeeded
 func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, pool *mpb.Progress) (types.BlobInfo, digest.Digest, error) {
 	cachedDiffID := ic.c.blobInfoCache.UncompressedDigest(srcInfo.Digest) // May be ""
@@ -695,7 +972,7 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, po
 
 	bar := ic.c.createProgressBar(pool, srcInfo, "blob", "done")
 
-	blobInfo, diffIDChan, err := ic.copyLayerFromStream(ctx, srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize}, diffIDIsNeeded, bar)
+	blobInfo, diffIDChan, err := ic.copyLayerFromStream(ctx, srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize, Annotations: srcInfo.Annotations}, diffIDIsNeeded, bar)
 	if err != nil {
 		return types.BlobInfo{}, "", err
 	}
@@ -722,7 +999,7 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, po
 }
 
 // copyLayerFromStream is an implementation detail of copyLayer; mostly providing a separate “defer” scope.
-// it copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
+// it copies a blob with srcInfo (with known Digest and Annotations and possibly known Size) from srcStream to dest,
 // perhaps compressing the stream if canCompress,
 // and returns a complete blobInfo of the copied blob and perhaps a <-chan diffIDResult if diffIDIsNeeded, to be read by the caller.
 func (ic *imageCopier) copyLayerFromStream(ctx context.Context, srcStream io.Reader, srcInfo types.BlobInfo,
@@ -781,7 +1058,7 @@ func computeDiffID(stream io.Reader, decompressor compression.DecompressorFunc)
 	return digest.Canonical.FromReader(stream)
 }
 
-// copyBlobFromStream copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
+// copyBlobFromStream copies a blob with srcInfo (with known Digest and Annotations and possibly known Size) from srcStream to dest,
 // perhaps sending a copy to an io.Writer if getOriginalLayerCopyWriter != nil,
 // perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied blob.
@@ -805,7 +1082,7 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 
 	// === Detect compression of the input stream.
 	// This requires us to “peek ahead” into the stream to read the initial part, which requires us to chain through another io.Reader returned by DetectCompression.
-	decompressor, destStream, err := compression.DetectCompression(destStream) // We could skip this in some cases, but let's keep the code path uniform
+	compressionFormat, decompressor, destStream, err := compression.DetectCompressionFormat(destStream) // We could skip this in some cases, but let's keep the code path uniform
 	if err != nil {
 		return types.BlobInfo{}, errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
 	}
@@ -819,6 +1096,8 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 		originalLayerReader = destStream
 	}
 
+	desiredCompressionFormat := c.compressionFormat
+
 	// === Deal with layer compression/decompression if necessary
 	var inputInfo types.BlobInfo
 	var compressionOperation types.LayerCompression
@@ -831,7 +1110,27 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 		// If this fails while writing data, it will do pipeWriter.CloseWithError(); if it fails otherwise,
 		// e.g. because we have exited and due to pipeReader.Close() above further writing to the pipe has failed,
 		// we don’t care.
-		go compressGoroutine(pipeWriter, destStream) // Closes pipeWriter
+		go c.compressGoroutine(pipeWriter, destStream, desiredCompressionFormat) // Closes pipeWriter
+		destStream = pipeReader
+		inputInfo.Digest = ""
+		inputInfo.Size = -1
+	} else if canModifyBlob && c.dest.DesiredLayerCompression() == types.Compress && isCompressed && desiredCompressionFormat.Name() != compressionFormat.Name() {
+		// When the blob is compressed, but the desired format is different, it first needs to be decompressed and finally
+		// re-compressed using the desired format.
+		logrus.Debugf("Blob will be converted")
+
+		compressionOperation = types.PreserveOriginal
+		s, err := decompressor(destStream)
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		defer s.Close()
+
+		pipeReader, pipeWriter := io.Pipe()
+		defer pipeReader.Close()
+
+		go c.compressGoroutine(pipeWriter, s, desiredCompressionFormat) // Closes pipeWriter
+
 		destStream = pipeReader
 		inputInfo.Digest = ""
 		inputInfo.Size = -1
@@ -847,6 +1146,7 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 		inputInfo.Digest = ""
 		inputInfo.Size = -1
 	} else {
+		// PreserveOriginal might also need to recompress the original blob if the desired compression format is different.
 		logrus.Debugf("Using original blob without modification")
 		compressionOperation = types.PreserveOriginal
 		inputInfo = srcInfo
@@ -869,6 +1169,14 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 		return types.BlobInfo{}, errors.Wrap(err, "Error writing blob")
 	}
 
+	uploadedInfo.Annotations = srcInfo.Annotations
+
+	uploadedInfo.CompressionOperation = compressionOperation
+	// If we can modify the layer's blob, set the desired algorithm for it to be set in the manifest.
+	if canModifyBlob && !isConfig {
+		uploadedInfo.CompressionAlgorithm = &desiredCompressionFormat
+	}
+
 	// This is fairly horrible: the writer from getOriginalLayerCopyWriter wants to consumer
 	// all of the input (to compute DiffIDs), even if dest.PutBlob does not need it.
 	// So, read everything from originalLayerReader, which will cause the rest to be
@@ -907,14 +1215,19 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 }
 
 // compressGoroutine reads all input from src and writes its compressed equivalent to dest.
-func compressGoroutine(dest *io.PipeWriter, src io.Reader) {
+func (c *copier) compressGoroutine(dest *io.PipeWriter, src io.Reader, compressionFormat compression.Algorithm) {
 	err := errors.New("Internal error: unexpected panic in compressGoroutine")
 	defer func() { // Note that this is not the same as {defer dest.CloseWithError(err)}; we need err to be evaluated lazily.
 		dest.CloseWithError(err) // CloseWithError(nil) is equivalent to Close()
 	}()
 
-	zipper := pgzip.NewWriter(dest)
-	defer zipper.Close()
+	compressor, err := compression.CompressStream(dest, compressionFormat, c.compressionLevel)
+	if err != nil {
+		return
+	}
+	defer compressor.Close()
 
-	_, err = io.Copy(zipper, src) // Sets err to nil, i.e. causes dest.Close()
+	buf := make([]byte, compressionBufferSize)
+
+	_, err = io.CopyBuffer(compressor, src, buf) // Sets err to nil, i.e. causes dest.Close()
 }

vendor/github.com/containers/image/v5/copy/manifest.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"strings"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -119,3 +119,36 @@ func isMultiImage(ctx context.Context, img types.UnparsedImage) (bool, error) {
 	}
 	return manifest.MIMETypeIsMultiImage(mt), nil
 }
+
+// determineListConversion takes the current MIME type of a list of manifests,
+// the list of MIME types supported for a given destination, and a possible
+// forced value, and returns the MIME type to which we should convert the list
+// of manifests, whether we are converting to it or using it unmodified.
+func (c *copier) determineListConversion(currentListMIMEType string, destSupportedMIMETypes []string, forcedListMIMEType string) (string, error) {
+	// If we're forcing it, we prefer the forced value over everything else.
+	if forcedListMIMEType != "" {
+		return forcedListMIMEType, nil
+	}
+	// If there's no list of supported types, then anything we support is expected to be supported.
+	if len(destSupportedMIMETypes) == 0 {
+		destSupportedMIMETypes = manifest.SupportedListMIMETypes
+	}
+	var selectedType string
+	for i := range destSupportedMIMETypes {
+		// The second priority is the first member of the list of acceptable types that is a list,
+		// but keep going in case current type occurs later in the list.
+		if selectedType == "" && manifest.MIMETypeIsMultiImage(destSupportedMIMETypes[i]) {
+			selectedType = destSupportedMIMETypes[i]
+		}
+		// The first priority is the current type, if it's in the list, since that lets us avoid a
+		// conversion that isn't strictly necessary.
+		if destSupportedMIMETypes[i] == currentListMIMEType {
+			selectedType = destSupportedMIMETypes[i]
+		}
+	}
+	if selectedType == "" {
+		return "", errors.Errorf("destination does not support any supported manifest list types (%v)", manifest.SupportedListMIMETypes)
+	}
+	// Done.
+	return selectedType, nil
+}

vendor/github.com/containers/image/v5/copy/progress_reader.go

@@ -4,7 +4,7 @@ import (
 	"io"
 	"time"
 
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/types"
 )
 
 // progressReader is a reader that reports its progress on an interval.

vendor/github.com/containers/image/v5/copy/sign.go

@@ -1,8 +1,8 @@
 package copy
 
 import (
-	"github.com/containers/image/signature"
-	"github.com/containers/image/transports"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/transports"
 	"github.com/pkg/errors"
 )
 

vendor/github.com/containers/image/v5/directory/directory_dest.go

@@ -7,7 +7,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -199,16 +199,23 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo
 }
 
 // PutManifest writes manifest to the destination.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to write the manifest for (when
+// the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+// It is expected but not enforced that the instanceDigest, when specified, matches the digest of `manifest` as generated
+// by `manifest.Digest()`.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte) error {
-	return ioutil.WriteFile(d.ref.manifestPath(), manifest, 0644)
+func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error {
+	return ioutil.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644)
 }
 
-func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
+// PutSignatures writes a set of signatures to the destination.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to write or overwrite the signatures for
+// (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
 	for i, sig := range signatures {
-		if err := ioutil.WriteFile(d.ref.signaturePath(i), sig, 0644); err != nil {
+		if err := ioutil.WriteFile(d.ref.signaturePath(i, instanceDigest), sig, 0644); err != nil {
 			return err
 		}
 	}
@@ -219,7 +226,7 @@ func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *dirImageDestination) Commit(ctx context.Context) error {
+func (d *dirImageDestination) Commit(context.Context, types.UnparsedImage) error {
 	return nil
 }
 

vendor/github.com/containers/image/v5/directory/directory_src.go

@@ -6,10 +6,9 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 )
 
 type dirImageSource struct {
@@ -38,10 +37,7 @@ func (s *dirImageSource) Close() error {
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
 func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
-	if instanceDigest != nil {
-		return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
-	}
-	m, err := ioutil.ReadFile(s.ref.manifestPath())
+	m, err := ioutil.ReadFile(s.ref.manifestPath(instanceDigest))
 	if err != nil {
 		return nil, "", err
 	}
@@ -73,12 +69,9 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache
 // (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
 // (e.g. if the source never returns manifest lists).
 func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
-	if instanceDigest != nil {
-		return nil, errors.Errorf(`Manifests lists are not supported by "dir:"`)
-	}
 	signatures := [][]byte{}
 	for i := 0; ; i++ {
-		signature, err := ioutil.ReadFile(s.ref.signaturePath(i))
+		signature, err := ioutil.ReadFile(s.ref.signaturePath(i, instanceDigest))
 		if err != nil {
 			if os.IsNotExist(err) {
 				break
@@ -90,7 +83,14 @@ func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *dige
 	return signatures, nil
 }
 
-// LayerInfosForCopy() returns updated layer info that should be used when copying, in preference to values in the manifest, if specified.
-func (s *dirImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve BlobInfos for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *dirImageSource) LayerInfosForCopy(context.Context, *digest.Digest) ([]types.BlobInfo, error) {
 	return nil, nil
 }

vendor/github.com/containers/image/v5/directory/directory_transport.go

@@ -6,11 +6,11 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/image/directory/explicitfilepath"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/directory/explicitfilepath"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )
@@ -166,18 +166,24 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex
 }
 
 // manifestPath returns a path for the manifest within a directory using our conventions.
-func (ref dirReference) manifestPath() string {
+func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string {
+	if instanceDigest != nil {
+		return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json")
+	}
 	return filepath.Join(ref.path, "manifest.json")
 }
 
 // layerPath returns a path for a layer tarball within a directory using our conventions.
 func (ref dirReference) layerPath(digest digest.Digest) string {
 	// FIXME: Should we keep the digest identification?
-	return filepath.Join(ref.path, digest.Hex())
+	return filepath.Join(ref.path, digest.Encoded())
 }
 
 // signaturePath returns a path for a signature within a directory using our conventions.
-func (ref dirReference) signaturePath(index int) string {
+func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string {
+	if instanceDigest != nil {
+		return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1))
+	}
 	return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1))
 }
 

vendor/github.com/containers/image/v5/docker/archive/dest.go

@@ -5,8 +5,8 @@ import (
 	"io"
 	"os"
 
-	"github.com/containers/image/docker/tarfile"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/tarfile"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 
@@ -67,6 +67,6 @@ func (d *archiveImageDestination) Close() error {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *archiveImageDestination) Commit(ctx context.Context) error {
+func (d *archiveImageDestination) Commit(ctx context.Context, unparsedToplevel types.UnparsedImage) error {
 	return d.Destination.Commit(ctx)
 }

vendor/github.com/containers/image/v5/docker/archive/src.go

@@ -2,8 +2,8 @@ package archive
 
 import (
 	"context"
-	"github.com/containers/image/docker/tarfile"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/tarfile"
+	"github.com/containers/image/v5/types"
 	"github.com/sirupsen/logrus"
 )
 
@@ -33,8 +33,3 @@ func newImageSource(ctx context.Context, ref archiveReference) (types.ImageSourc
 func (s *archiveImageSource) Reference() types.ImageReference {
 	return s.ref
 }
-
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *archiveImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
-	return nil, nil
-}

vendor/github.com/containers/image/v5/docker/archive/transport.go

@@ -5,10 +5,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/containers/image/docker/reference"
-	ctrImage "github.com/containers/image/image"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	ctrImage "github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 

vendor/github.com/containers/image/v5/docker/cache.go

@@ -1,8 +1,8 @@
 package docker
 
 import (
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/types"
 )
 
 // bicTransportScope returns a BICTransportScope appropriate for ref.

vendor/github.com/containers/image/v5/docker/daemon/client.go

@@ -4,7 +4,7 @@ import (
 	"net/http"
 	"path/filepath"
 
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/types"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/docker/go-connections/tlsconfig"
 )

vendor/github.com/containers/image/v5/docker/daemon/daemon_dest.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"io"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/docker/tarfile"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/docker/tarfile"
+	"github.com/containers/image/v5/types"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -124,7 +124,7 @@ func (d *daemonImageDestination) Reference() types.ImageReference {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *daemonImageDestination) Commit(ctx context.Context) error {
+func (d *daemonImageDestination) Commit(ctx context.Context, unparsedToplevel types.UnparsedImage) error {
 	logrus.Debugf("docker-daemon: Closing tar stream")
 	if err := d.Destination.Commit(ctx); err != nil {
 		return err

vendor/github.com/containers/image/v5/docker/daemon/daemon_src.go

@@ -3,8 +3,8 @@ package daemon
 import (
 	"context"
 
-	"github.com/containers/image/docker/tarfile"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/tarfile"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 
@@ -55,8 +55,3 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref daemonRef
 func (s *daemonImageSource) Reference() types.ImageReference {
 	return s.ref
 }
-
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *daemonImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
-	return nil, nil
-}

vendor/github.com/containers/image/v5/docker/daemon/daemon_transport.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/containers/image/docker/policyconfiguration"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/policyconfiguration"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )

vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -16,12 +16,12 @@ import (
 	"sync"
 	"time"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/pkg/docker/config"
-	"github.com/containers/image/pkg/sysregistriesv2"
-	"github.com/containers/image/pkg/tlsclientconfig"
-	"github.com/containers/image/types"
-	"github.com/docker/distribution/registry/client"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/pkg/docker/config"
+	"github.com/containers/image/v5/pkg/sysregistriesv2"
+	"github.com/containers/image/v5/pkg/tlsclientconfig"
+	"github.com/containers/image/v5/types"
+	clientLib "github.com/docker/distribution/registry/client"
 	"github.com/docker/go-connections/tlsconfig"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
@@ -47,14 +47,7 @@ const (
 	extensionSignatureTypeAtomic    = "atomic" // extensionSignature.Type
 )
 
-var (
-	// ErrV1NotSupported is returned when we're trying to talk to a
-	// docker V1 registry.
-	ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
-	// ErrUnauthorizedForCredentials is returned when the status code returned is 401
-	ErrUnauthorizedForCredentials = errors.New("unable to retrieve auth token: invalid username/password")
-	systemPerHostCertDirPaths     = [2]string{"/etc/containers/certs.d", "/etc/docker/certs.d"}
-)
+var systemPerHostCertDirPaths = [2]string{"/etc/containers/certs.d", "/etc/docker/certs.d"}
 
 // extensionSignature and extensionSignatureList come from github.com/openshift/origin/pkg/dockerregistry/server/signaturedispatcher.go:
 // signature represents a Docker image signature.
@@ -284,14 +277,7 @@ func CheckAuth(ctx context.Context, sys *types.SystemContext, username, password
 	}
 	defer resp.Body.Close()
 
-	switch resp.StatusCode {
-	case http.StatusOK:
-		return nil
-	case http.StatusUnauthorized:
-		return ErrUnauthorizedForCredentials
-	default:
-		return errors.Errorf("error occured with status code %d (%s)", resp.StatusCode, http.StatusText(resp.StatusCode))
-	}
+	return httpResponseToError(resp)
 }
 
 // SearchResult holds the information of each matching image
@@ -365,7 +351,7 @@ func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, ima
 		} else {
 			defer resp.Body.Close()
 			if resp.StatusCode != http.StatusOK {
-				logrus.Debugf("error getting search results from v1 endpoint %q, status code %d (%s)", registry, resp.StatusCode, http.StatusText(resp.StatusCode))
+				logrus.Debugf("error getting search results from v1 endpoint %q: %v", registry, httpResponseToError(resp))
 			} else {
 				if err := json.NewDecoder(resp.Body).Decode(v1Res); err != nil {
 					return nil, err
@@ -382,7 +368,7 @@ func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, ima
 	} else {
 		defer resp.Body.Close()
 		if resp.StatusCode != http.StatusOK {
-			logrus.Errorf("error getting search results from v2 endpoint %q, status code %d (%s)", registry, resp.StatusCode, http.StatusText(resp.StatusCode))
+			logrus.Errorf("error getting search results from v2 endpoint %q: %v", registry, httpResponseToError(resp))
 		} else {
 			if err := json.NewDecoder(resp.Body).Decode(v2Res); err != nil {
 				return nil, err
@@ -417,8 +403,78 @@ func (c *dockerClient) makeRequest(ctx context.Context, method, path string, hea
 // makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // streamLen, if not -1, specifies the length of the data expected on stream.
 // makeRequest should generally be preferred.
+// In case of an http 429 status code in the response, it performs an exponential back off starting at 2 seconds for at most 5 iterations.
+// If the `Retry-After` header is set in the response, the specified value or date is
+// If the stream is non-nil, no back off will be performed.
 // TODO(runcom): too many arguments here, use a struct
 func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
+	var (
+		res   *http.Response
+		err   error
+		delay int64
+	)
+	delay = 2
+	const numIterations = 5
+	const maxDelay = 60
+
+	// math.Min() only supports float64, so have an anonymous func to avoid
+	// casting.
+	min := func(a int64, b int64) int64 {
+		if a < b {
+			return a
+		}
+		return b
+	}
+
+	nextDelay := func(r *http.Response, delay int64) int64 {
+		after := res.Header.Get("Retry-After")
+		if after == "" {
+			return min(delay, maxDelay)
+		}
+		logrus.Debugf("detected 'Retry-After' header %q", after)
+		// First check if we have a numerical value.
+		if num, err := strconv.ParseInt(after, 10, 64); err == nil {
+			return min(num, maxDelay)
+		}
+		// Secondly check if we have an http date.
+		// If the delta between the date and now is positive, use it.
+		// Otherwise, fall back to using the default exponential back off.
+		if t, err := http.ParseTime(after); err == nil {
+			delta := int64(t.Sub(time.Now()).Seconds())
+			if delta > 0 {
+				return min(delta, maxDelay)
+			}
+			logrus.Debugf("negative date: falling back to using %d seconds", delay)
+			return min(delay, maxDelay)
+		}
+		// If the header contains bogus, fall back to using the default
+		// exponential back off.
+		logrus.Debugf("invalid format: falling back to using %d seconds", delay)
+		return min(delay, maxDelay)
+	}
+
+	for i := 0; i < numIterations; i++ {
+		res, err = c.makeRequestToResolvedURLOnce(ctx, method, url, headers, stream, streamLen, auth, extraScope)
+		if stream == nil && res != nil && res.StatusCode == http.StatusTooManyRequests {
+			if i < numIterations-1 {
+				logrus.Errorf("HEADER %v", res.Header)
+				delay = nextDelay(res, delay) // compute next delay - does NOT exceed maxDelay
+				logrus.Debugf("too many request to %s: sleeping for %d seconds before next attempt", url, delay)
+				time.Sleep(time.Duration(delay) * time.Second)
+				delay = delay * 2 // exponential back off
+			}
+			continue
+		}
+		break
+	}
+	return res, err
+}
+
+// makeRequestToResolvedURLOnce creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
+// streamLen, if not -1, specifies the length of the data expected on stream.
+// makeRequest should generally be preferred.
+// Note that no exponential back off is performed when receiving an http 429 status code.
+func (c *dockerClient) makeRequestToResolvedURLOnce(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
 	req, err := http.NewRequest(method, url, stream)
 	if err != nil {
 		return nil, err
@@ -533,7 +589,9 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
 	defer res.Body.Close()
 	switch res.StatusCode {
 	case http.StatusUnauthorized:
-		return nil, ErrUnauthorizedForCredentials
+		err := clientLib.HandleErrorResponse(res)
+		logrus.Debugf("Server response when trying to obtain an access token: \n%q", err.Error())
+		return nil, ErrUnauthorizedForCredentials{Err: err}
 	case http.StatusOK:
 		break
 	default:
@@ -569,7 +627,7 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
 		defer resp.Body.Close()
 		logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
 		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
-			return errors.Errorf("error pinging registry %s, response code %d (%s)", c.registry, resp.StatusCode, http.StatusText(resp.StatusCode))
+			return httpResponseToError(resp)
 		}
 		c.challenges = parseAuthHeader(resp.Header)
 		c.scheme = scheme
@@ -581,7 +639,7 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
 		err = ping("http")
 	}
 	if err != nil {
-		err = errors.Wrap(err, "pinging docker registry returned")
+		err = errors.Wrapf(err, "error pinging docker registry %s", c.registry)
 		if c.sys != nil && c.sys.DockerDisableV1Ping {
 			return err
 		}
@@ -627,9 +685,11 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
 		return nil, err
 	}
 	defer res.Body.Close()
+
 	if res.StatusCode != http.StatusOK {
-		return nil, errors.Wrapf(client.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
+		return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
 	}
+
 	body, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err

vendor/github.com/containers/image/v5/docker/docker_image.go

@@ -4,13 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net/http"
 	"net/url"
 	"strings"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 
@@ -71,9 +70,8 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
 			return nil, err
 		}
 		defer res.Body.Close()
-		if res.StatusCode != http.StatusOK {
-			// print url also
-			return nil, errors.Errorf("Invalid status code returned when fetching tags list %d (%s)", res.StatusCode, http.StatusText(res.StatusCode))
+		if err := httpResponseToError(res); err != nil {
+			return nil, err
 		}
 
 		var tagsHolder struct {

vendor/github.com/containers/image/v5/docker/docker_image_dest.go

@@ -14,12 +14,12 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/blobinfocache/none"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache/none"
+	"github.com/containers/image/v5/types"
 	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/api/v2"
+	v2 "github.com/docker/distribution/registry/api/v2"
 	"github.com/docker/distribution/registry/client"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -61,6 +61,8 @@ func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
 	return []string{
 		imgspecv1.MediaTypeImageManifest,
 		manifest.DockerV2Schema2MediaType,
+		imgspecv1.MediaTypeImageIndex,
+		manifest.DockerV2ListMediaType,
 		manifest.DockerV2Schema1SignedMediaType,
 		manifest.DockerV2Schema1MediaType,
 	}
@@ -343,20 +345,47 @@ func (d *dockerImageDestination) TryReusingBlob(ctx context.Context, info types.
 }
 
 // PutManifest writes manifest to the destination.
+// When the primary manifest is a manifest list, if instanceDigest is nil, we're saving the list
+// itself, else instanceDigest contains a digest of the specific manifest instance to overwrite the
+// manifest for; when the primary manifest is not a manifest list, instanceDigest should always be nil.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte) error {
-	digest, err := manifest.Digest(m)
-	if err != nil {
-		return err
+func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte, instanceDigest *digest.Digest) error {
+	refTail := ""
+	if instanceDigest != nil {
+		// If the instanceDigest is provided, then use it as the refTail, because the reference,
+		// whether it includes a tag or a digest, refers to the list as a whole, and not this
+		// particular instance.
+		refTail = instanceDigest.String()
+		// Double-check that the manifest we've been given matches the digest we've been given.
+		matches, err := manifest.MatchesDigest(m, *instanceDigest)
+		if err != nil {
+			return errors.Wrapf(err, "error digesting manifest in PutManifest")
+		}
+		if !matches {
+			manifestDigest, merr := manifest.Digest(m)
+			if merr != nil {
+				return errors.Wrapf(err, "Attempted to PutManifest using an explicitly specified digest (%q) that didn't match the manifest's digest (%v attempting to compute it)", instanceDigest.String(), merr)
+			}
+			return errors.Errorf("Attempted to PutManifest using an explicitly specified digest (%q) that didn't match the manifest's digest (%q)", instanceDigest.String(), manifestDigest.String())
+		}
+	} else {
+		// Compute the digest of the main manifest, or the list if it's a list, so that we
+		// have a digest value to use if we're asked to save a signature for the manifest.
+		digest, err := manifest.Digest(m)
+		if err != nil {
+			return err
+		}
+		d.manifestDigest = digest
+		// The refTail should be either a digest (which we expect to match the value we just
+		// computed) or a tag name.
+		refTail, err = d.ref.tagOrDigest()
+		if err != nil {
+			return err
+		}
 	}
-	d.manifestDigest = digest
 
-	refTail, err := d.ref.tagOrDigest()
-	if err != nil {
-		return err
-	}
 	path := fmt.Sprintf(manifestPath, reference.Path(d.ref.ref), refTail)
 
 	headers := map[string][]string{}
@@ -416,19 +445,30 @@ func isManifestInvalidError(err error) bool {
 	}
 }
 
-func (d *dockerImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
+// PutSignatures uploads a set of signatures to the relevant lookaside or API extension point.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to upload the signatures for (when
+// the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+func (d *dockerImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
 	// Do not fail if we don’t really need to support signatures.
 	if len(signatures) == 0 {
 		return nil
 	}
+	if instanceDigest == nil {
+		if d.manifestDigest.String() == "" {
+			// This shouldn’t happen, ImageDestination users are required to call PutManifest before PutSignatures
+			return errors.Errorf("Unknown manifest digest, can't add signatures")
+		}
+		instanceDigest = &d.manifestDigest
+	}
+
 	if err := d.c.detectProperties(ctx); err != nil {
 		return err
 	}
 	switch {
 	case d.c.signatureBase != nil:
-		return d.putSignaturesToLookaside(signatures)
+		return d.putSignaturesToLookaside(signatures, instanceDigest)
 	case d.c.supportsSignatures:
-		return d.putSignaturesToAPIExtension(ctx, signatures)
+		return d.putSignaturesToAPIExtension(ctx, signatures, instanceDigest)
 	default:
 		return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
 	}
@@ -436,7 +476,7 @@ func (d *dockerImageDestination) PutSignatures(ctx context.Context, signatures [
 
 // putSignaturesToLookaside implements PutSignatures() from the lookaside location configured in s.c.signatureBase,
 // which is not nil.
-func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte) error {
+func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, instanceDigest *digest.Digest) error {
 	// FIXME? This overwrites files one at a time, definitely not atomic.
 	// A failure when updating signatures with a reordered copy could lose some of them.
 
@@ -445,14 +485,9 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte) e
 		return nil
 	}
 
-	if d.manifestDigest.String() == "" {
-		// This shouldn’t happen, ImageDestination users are required to call PutManifest before PutSignatures
-		return errors.Errorf("Unknown manifest digest, can't add signatures")
-	}
-
 	// NOTE: Keep this in sync with docs/signature-protocols.md!
 	for i, signature := range signatures {
-		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
+		url := signatureStorageURL(d.c.signatureBase, *instanceDigest, i)
 		if url == nil {
 			return errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
@@ -467,7 +502,7 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte) e
 	// is enough for dockerImageSource to stop looking for other signatures, so that
 	// is sufficient.
 	for i := len(signatures); ; i++ {
-		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
+		url := signatureStorageURL(d.c.signatureBase, *instanceDigest, i)
 		if url == nil {
 			return errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
@@ -527,22 +562,17 @@ func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error
 }
 
 // putSignaturesToAPIExtension implements PutSignatures() using the X-Registry-Supports-Signatures API extension.
-func (d *dockerImageDestination) putSignaturesToAPIExtension(ctx context.Context, signatures [][]byte) error {
+func (d *dockerImageDestination) putSignaturesToAPIExtension(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
 	// Skip dealing with the manifest digest, or reading the old state, if not necessary.
 	if len(signatures) == 0 {
 		return nil
 	}
 
-	if d.manifestDigest.String() == "" {
-		// This shouldn’t happen, ImageDestination users are required to call PutManifest before PutSignatures
-		return errors.Errorf("Unknown manifest digest, can't add signatures")
-	}
-
 	// Because image signatures are a shared resource in Atomic Registry, the default upload
 	// always adds signatures.  Eventually we should also allow removing signatures,
 	// but the X-Registry-Supports-Signatures API extension does not support that yet.
 
-	existingSignatures, err := d.c.getExtensionsSignatures(ctx, d.ref, d.manifestDigest)
+	existingSignatures, err := d.c.getExtensionsSignatures(ctx, d.ref, *instanceDigest)
 	if err != nil {
 		return err
 	}
@@ -567,7 +597,7 @@ sigExists:
 			if err != nil || n != 16 {
 				return errors.Wrapf(err, "Error generating random signature len %d", n)
 			}
-			signatureName = fmt.Sprintf("%s@%032x", d.manifestDigest.String(), randBytes)
+			signatureName = fmt.Sprintf("%s@%032x", instanceDigest.String(), randBytes)
 			if _, ok := existingSigNames[signatureName]; !ok {
 				break
 			}
@@ -606,6 +636,6 @@ sigExists:
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *dockerImageDestination) Commit(ctx context.Context) error {
+func (d *dockerImageDestination) Commit(context.Context, types.UnparsedImage) error {
 	return nil
 }

vendor/github.com/containers/image/v5/docker/docker_image_src.go

@@ -11,10 +11,10 @@ import (
 	"os"
 	"strconv"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/sysregistriesv2"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/sysregistriesv2"
+	"github.com/containers/image/v5/types"
 	"github.com/docker/distribution/registry/client"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
@@ -103,8 +103,15 @@ func (s *dockerImageSource) Close() error {
 	return nil
 }
 
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *dockerImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve BlobInfos for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *dockerImageSource) LayerInfosForCopy(context.Context, *digest.Digest) ([]types.BlobInfo, error) {
 	return nil, nil
 }
 
@@ -232,9 +239,8 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
 	if err != nil {
 		return nil, 0, err
 	}
-	if res.StatusCode != http.StatusOK {
-		// print url also
-		return nil, 0, errors.Errorf("Invalid status code returned when fetching blob %d (%s)", res.StatusCode, http.StatusText(res.StatusCode))
+	if err := httpResponseToError(res); err != nil {
+		return nil, 0, err
 	}
 	cache.RecordKnownLocation(s.ref.Transport(), bicTransportScope(s.ref), info.Digest, newBICLocationReference(s.ref))
 	return res.Body, getBlobSize(res), nil

vendor/github.com/containers/image/v5/docker/docker_transport.go

@@ -5,10 +5,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/containers/image/docker/policyconfiguration"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/policyconfiguration"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 

vendor/github.com/containers/image/v5/docker/errors.go

@@ -0,0 +1,43 @@
+package docker
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/docker/distribution/registry/client"
+	perrors "github.com/pkg/errors"
+)
+
+var (
+	// ErrV1NotSupported is returned when we're trying to talk to a
+	// docker V1 registry.
+	ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
+	// ErrTooManyRequests is returned when the status code returned is 429
+	ErrTooManyRequests = errors.New("too many request to registry")
+)
+
+// ErrUnauthorizedForCredentials is returned when the status code returned is 401
+type ErrUnauthorizedForCredentials struct { // We only use a struct to allow a type assertion, without limiting the contents of the error otherwise.
+	Err error
+}
+
+func (e ErrUnauthorizedForCredentials) Error() string {
+	return fmt.Sprintf("unable to retrieve auth token: invalid username/password: %s", e.Err.Error())
+}
+
+// httpResponseToError translates the https.Response into an error. It returns
+// nil if the response is not considered an error.
+func httpResponseToError(res *http.Response) error {
+	switch res.StatusCode {
+	case http.StatusOK:
+		return nil
+	case http.StatusTooManyRequests:
+		return ErrTooManyRequests
+	case http.StatusUnauthorized:
+		err := client.HandleErrorResponse(res)
+		return ErrUnauthorizedForCredentials{Err: err}
+	default:
+		return perrors.Errorf("invalid status code from registry %d (%s)", res.StatusCode, http.StatusText(res.StatusCode))
+	}
+}

vendor/github.com/containers/image/v5/docker/lookaside.go

@@ -9,8 +9,8 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/types"
 	"github.com/ghodss/yaml"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"

vendor/github.com/containers/image/v5/docker/policyconfiguration/naming.go

@@ -3,7 +3,7 @@ package policyconfiguration
 import (
 	"strings"
 
-	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/v5/docker/reference"
 	"github.com/pkg/errors"
 )
 

vendor/github.com/containers/image/v5/docker/tarfile/dest.go

@@ -12,10 +12,10 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/internal/tmpdir"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/internal/tmpdir"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -195,10 +195,15 @@ func (d *Destination) createRepositoriesFile(rootLayerID string) error {
 }
 
 // PutManifest writes manifest to the destination.
+// The instanceDigest value is expected to always be nil, because this transport does not support manifest lists, so
+// there can be no secondary manifests.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *Destination) PutManifest(ctx context.Context, m []byte) error {
+func (d *Destination) PutManifest(ctx context.Context, m []byte, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil {
+		return errors.New(`Manifest lists are not supported for docker tar files`)
+	}
 	// We do not bother with types.ManifestTypeRejectedError; our .SupportedManifestMIMETypes() above is already providing only one alternative,
 	// so the caller trying a different manifest kind would be pointless.
 	var man manifest.Schema2
@@ -390,10 +395,13 @@ func (d *Destination) sendFile(path string, expectedSize int64, stream io.Reader
 	return nil
 }
 
-// PutSignatures adds the given signatures to the docker tarfile (currently not
-// supported). MUST be called after PutManifest (signatures reference manifest
-// contents)
-func (d *Destination) PutSignatures(ctx context.Context, signatures [][]byte) error {
+// PutSignatures would add the given signatures to the docker tarfile (currently not supported).
+// The instanceDigest value is expected to always be nil, because this transport does not support manifest lists, so
+// there can be no secondary manifests.  MUST be called after PutManifest (signatures reference manifest contents).
+func (d *Destination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil {
+		return errors.Errorf(`Manifest lists are not supported for docker tar files`)
+	}
 	if len(signatures) != 0 {
 		return errors.Errorf("Storing signatures for docker tar files is not supported")
 	}

vendor/github.com/containers/image/v5/docker/tarfile/src.go

@@ -11,10 +11,10 @@ import (
 	"path"
 	"sync"
 
-	"github.com/containers/image/internal/tmpdir"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/compression"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/internal/tmpdir"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )
@@ -349,10 +349,12 @@ func (s *Source) prepareLayerData(tarManifest *ManifestItem, parsedConfig *manif
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as the primary manifest can not be a list, so there can be no secondary instances.
 func (s *Source) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
 		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
-		return nil, "", errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
+		return nil, "", errors.New(`Manifest lists are not supported by "docker-daemon:"`)
 	}
 	if s.generatedManifest == nil {
 		if err := s.ensureCachedDataIsPresent(); err != nil {
@@ -466,9 +468,8 @@ func (s *Source) GetBlob(ctx context.Context, info types.BlobInfo, cache types.B
 }
 
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
-// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
-// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
-// (e.g. if the source never returns manifest lists).
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as there can be no secondary manifests.
 func (s *Source) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
 	if instanceDigest != nil {
 		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
@@ -476,3 +477,14 @@ func (s *Source) GetSignatures(ctx context.Context, instanceDigest *digest.Diges
 	}
 	return [][]byte{}, nil
 }
+
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as the primary manifest can not be a list, so there can be no secondary manifests.
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *Source) LayerInfosForCopy(context.Context, *digest.Digest) ([]types.BlobInfo, error) {
+	return nil, nil
+}

vendor/github.com/containers/image/v5/docker/tarfile/types.go

@@ -1,7 +1,7 @@
 package tarfile
 
 import (
-	"github.com/containers/image/manifest"
+	"github.com/containers/image/v5/manifest"
 	"github.com/opencontainers/go-digest"
 )
 

vendor/github.com/containers/image/v5/image/docker_list.go

@@ -0,0 +1,34 @@
+package image
+
+import (
+	"context"
+
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
+	"github.com/pkg/errors"
+)
+
+func manifestSchema2FromManifestList(ctx context.Context, sys *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
+	list, err := manifest.Schema2ListFromManifest(manblob)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error parsing schema2 manifest list")
+	}
+	targetManifestDigest, err := list.ChooseInstance(sys)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error choosing image instance")
+	}
+	manblob, mt, err := src.GetManifest(ctx, &targetManifestDigest)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error loading manifest for target platform")
+	}
+
+	matches, err := manifest.MatchesDigest(manblob, targetManifestDigest)
+	if err != nil {
+		return nil, errors.Wrap(err, "Error computing manifest digest")
+	}
+	if !matches {
+		return nil, errors.Errorf("Image manifest does not match selected manifest digest %s", targetManifestDigest)
+	}
+
+	return manifestInstanceFromBlob(ctx, sys, src, manblob, mt)
+}

vendor/github.com/containers/image/v5/image/docker_schema1.go

@@ -3,9 +3,9 @@ package image
 import (
 	"context"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"

vendor/github.com/containers/image/v5/image/docker_schema2.go

@@ -6,13 +6,14 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"strings"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/blobinfocache/none"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache/none"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -207,12 +208,17 @@ func (m *manifestSchema2) convertToManifestOCI1(ctx context.Context) (types.Imag
 	layers := make([]imgspecv1.Descriptor, len(m.m.LayersDescriptors))
 	for idx := range layers {
 		layers[idx] = oci1DescriptorFromSchema2Descriptor(m.m.LayersDescriptors[idx])
-		if m.m.LayersDescriptors[idx].MediaType == manifest.DockerV2Schema2ForeignLayerMediaType {
+		switch m.m.LayersDescriptors[idx].MediaType {
+		case manifest.DockerV2Schema2ForeignLayerMediaType:
 			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerNonDistributable
-		} else {
-			// we assume layers are gzip'ed because docker v2s2 only deals with
-			// gzip'ed layers. However, OCI has non-gzip'ed layers as well.
+		case manifest.DockerV2Schema2ForeignLayerMediaTypeGzip:
+			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerNonDistributableGzip
+		case manifest.DockerV2SchemaLayerMediaTypeUncompressed:
+			layers[idx].MediaType = imgspecv1.MediaTypeImageLayer
+		case manifest.DockerV2Schema2LayerMediaType:
 			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerGzip
+		default:
+			return nil, fmt.Errorf("Unknown media type during manifest conversion: %q", m.m.LayersDescriptors[idx].MediaType)
 		}
 	}
 

vendor/github.com/containers/image/v5/image/manifest.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -58,6 +58,8 @@ func manifestInstanceFromBlob(ctx context.Context, sys *types.SystemContext, src
 		return manifestSchema2FromManifest(src, manblob)
 	case manifest.DockerV2ListMediaType:
 		return manifestSchema2FromManifestList(ctx, sys, src, manblob)
+	case imgspecv1.MediaTypeImageIndex:
+		return manifestOCI1FromImageIndex(ctx, sys, src, manblob)
 	default: // Note that this may not be reachable, manifest.NormalizedMIMEType has a default for unknown values.
 		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", mt)
 	}

vendor/github.com/containers/image/v5/image/memory.go

@@ -3,9 +3,8 @@ package image
 import (
 	"context"
 
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
-
-	"github.com/containers/image/types"
 )
 
 // memoryImage is a mostly-implementation of types.Image assembled from data

vendor/github.com/containers/image/v5/image/oci.go

@@ -3,12 +3,13 @@ package image
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/pkg/blobinfocache/none"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache/none"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -187,7 +188,22 @@ func (m *manifestOCI1) convertToManifestSchema2() (types.Image, error) {
 	layers := make([]manifest.Schema2Descriptor, len(m.m.Layers))
 	for idx := range layers {
 		layers[idx] = schema2DescriptorFromOCI1Descriptor(m.m.Layers[idx])
-		layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
+		switch layers[idx].MediaType {
+		case imgspecv1.MediaTypeImageLayerNonDistributable:
+			layers[idx].MediaType = manifest.DockerV2Schema2ForeignLayerMediaType
+		case imgspecv1.MediaTypeImageLayerNonDistributableGzip:
+			layers[idx].MediaType = manifest.DockerV2Schema2ForeignLayerMediaTypeGzip
+		case imgspecv1.MediaTypeImageLayerNonDistributableZstd:
+			return nil, fmt.Errorf("Error during manifest conversion: %q: zstd compression is not supported for docker images", layers[idx].MediaType)
+		case imgspecv1.MediaTypeImageLayer:
+			layers[idx].MediaType = manifest.DockerV2SchemaLayerMediaTypeUncompressed
+		case imgspecv1.MediaTypeImageLayerGzip:
+			layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
+		case imgspecv1.MediaTypeImageLayerZstd:
+			return nil, fmt.Errorf("Error during manifest conversion: %q: zstd compression is not supported for docker images", layers[idx].MediaType)
+		default:
+			return nil, fmt.Errorf("Unknown media type during manifest conversion: %q", layers[idx].MediaType)
+		}
 	}
 
 	// Rather than copying the ConfigBlob now, we just pass m.src to the

vendor/github.com/containers/image/v5/image/oci_index.go

@@ -0,0 +1,34 @@
+package image
+
+import (
+	"context"
+
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
+	"github.com/pkg/errors"
+)
+
+func manifestOCI1FromImageIndex(ctx context.Context, sys *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
+	index, err := manifest.OCI1IndexFromManifest(manblob)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error parsing OCI1 index")
+	}
+	targetManifestDigest, err := index.ChooseInstance(sys)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error choosing image instance")
+	}
+	manblob, mt, err := src.GetManifest(ctx, &targetManifestDigest)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error loading manifest for target platform")
+	}
+
+	matches, err := manifest.MatchesDigest(manblob, targetManifestDigest)
+	if err != nil {
+		return nil, errors.Wrap(err, "Error computing manifest digest")
+	}
+	if !matches {
+		return nil, errors.Errorf("Image manifest does not match selected manifest digest %s", targetManifestDigest)
+	}
+
+	return manifestInstanceFromBlob(ctx, sys, src, manblob, mt)
+}

vendor/github.com/containers/image/v5/image/sourced.go

@@ -5,7 +5,8 @@ package image
 
 import (
 	"context"
-	"github.com/containers/image/types"
+
+	"github.com/containers/image/v5/types"
 )
 
 // imageCloser implements types.ImageCloser, perhaps allowing simple users
@@ -99,5 +100,5 @@ func (i *sourcedImage) Manifest(ctx context.Context) ([]byte, string, error) {
 }
 
 func (i *sourcedImage) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
-	return i.UnparsedImage.src.LayerInfosForCopy(ctx)
+	return i.UnparsedImage.src.LayerInfosForCopy(ctx, i.UnparsedImage.instanceDigest)
 }

vendor/github.com/containers/image/v5/image/unparsed.go

@@ -3,9 +3,9 @@ package image
 import (
 	"context"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )

vendor/github.com/containers/image/v5/internal/pkg/keyctl/key.go

@@ -3,12 +3,11 @@
 // license that can be found in the LICENSE file.
 
 // +build linux
-// +build 386 amd64
 
 package keyctl
 
 import (
-	"unsafe"
+	"golang.org/x/sys/unix"
 )
 
 // Key represents a single key linked to one or more kernel keyrings.
@@ -41,7 +40,7 @@ func (k *Key) Get() ([]byte, error) {
 	b = make([]byte, int(size))
 	sizeRead = size + 1
 	for sizeRead > size {
-		r1, _, err := keyctl(keyctlRead, uintptr(k.id), uintptr(unsafe.Pointer(&b[0])), uintptr(size))
+		r1, err := unix.KeyctlBuffer(unix.KEYCTL_READ, int(k.id), b, size)
 		if err != nil {
 			return nil, err
 		}
@@ -60,6 +59,15 @@ func (k *Key) Get() ([]byte, error) {
 // Unlink a key from the keyring it was loaded from (or added to). If the key
 // is not linked to any other keyrings, it is destroyed.
 func (k *Key) Unlink() error {
-	_, _, err := keyctl(keyctlUnlink, uintptr(k.id), uintptr(k.ring))
+	_, err := unix.KeyctlInt(unix.KEYCTL_UNLINK, int(k.id), int(k.ring), 0, 0)
 	return err
 }
+
+// Describe returns a string describing the attributes of a specified key
+func (k *Key) Describe() (string, error) {
+	keyAttr, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(k.id))
+	if err != nil {
+		return "", err
+	}
+	return keyAttr, nil
+}

vendor/github.com/containers/image/v5/internal/pkg/keyctl/keyring.go

@@ -3,11 +3,19 @@
 // license that can be found in the LICENSE file.
 
 // +build linux
-// +build 386 amd64
 
 // Package keyctl is a Go interface to linux kernel keyrings (keyctl interface)
+//
+// Deprecated: Most callers should use either golang.org/x/sys/unix directly,
+// or the original (and more extensive) github.com/jsipprell/keyctl .
 package keyctl
 
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
 // Keyring is the basic interface to a linux keyctl keyring.
 type Keyring interface {
 	ID
@@ -26,7 +34,7 @@ type ID interface {
 
 // Add a new key to a keyring. The key can be searched for later by name.
 func (kr *keyring) Add(name string, key []byte) (*Key, error) {
-	r, err := addkey("user", name, key, int32(kr.id))
+	r, err := unix.AddKey("user", name, key, int(kr.id))
 	if err == nil {
 		key := &Key{Name: name, id: keyID(r), ring: kr.id}
 		return key, nil
@@ -38,9 +46,9 @@ func (kr *keyring) Add(name string, key []byte) (*Key, error) {
 // one. The key, if found, is linked to the top keyring that Search() was called
 // from.
 func (kr *keyring) Search(name string) (*Key, error) {
-	id, err := searchKeyring(kr.id, name, "user")
+	id, err := unix.KeyctlSearch(int(kr.id), "user", name, 0)
 	if err == nil {
-		return &Key{Name: name, id: id, ring: kr.id}, nil
+		return &Key{Name: name, id: keyID(id), ring: kr.id}, nil
 	}
 	return nil, err
 }
@@ -52,22 +60,61 @@ func (kr *keyring) ID() int32 {
 
 // SessionKeyring returns the current login session keyring
 func SessionKeyring() (Keyring, error) {
-	return newKeyring(keySpecSessionKeyring)
+	return newKeyring(unix.KEY_SPEC_SESSION_KEYRING)
 }
 
 // UserKeyring  returns the keyring specific to the current user.
 func UserKeyring() (Keyring, error) {
-	return newKeyring(keySpecUserKeyring)
+	return newKeyring(unix.KEY_SPEC_USER_KEYRING)
 }
 
 // Unlink an object from a keyring
 func Unlink(parent Keyring, child ID) error {
-	_, _, err := keyctl(keyctlUnlink, uintptr(child.ID()), uintptr(parent.ID()))
+	_, err := unix.KeyctlInt(unix.KEYCTL_UNLINK, int(child.ID()), int(parent.ID()), 0, 0)
 	return err
 }
 
 // Link a key into a keyring
 func Link(parent Keyring, child ID) error {
-	_, _, err := keyctl(keyctlLink, uintptr(child.ID()), uintptr(parent.ID()))
+	_, err := unix.KeyctlInt(unix.KEYCTL_LINK, int(child.ID()), int(parent.ID()), 0, 0)
 	return err
 }
+
+// ReadUserKeyring reads user keyring and returns slice of key with id(key_serial_t) representing the IDs of all the keys that are linked to it
+func ReadUserKeyring() ([]*Key, error) {
+	var (
+		b        []byte
+		err      error
+		sizeRead int
+	)
+	krSize := 4
+	size := krSize
+	b = make([]byte, size)
+	sizeRead = size + 1
+	for sizeRead > size {
+		r1, err := unix.KeyctlBuffer(unix.KEYCTL_READ, unix.KEY_SPEC_USER_KEYRING, b, size)
+		if err != nil {
+			return nil, err
+		}
+
+		if sizeRead = int(r1); sizeRead > size {
+			b = make([]byte, sizeRead)
+			size = sizeRead
+			sizeRead = size + 1
+		} else {
+			krSize = sizeRead
+		}
+	}
+	keyIDs := getKeyIDsFromByte(b[:krSize])
+	return keyIDs, err
+}
+
+func getKeyIDsFromByte(byteKeyIDs []byte) []*Key {
+	idSize := 4
+	var keys []*Key
+	for idx := 0; idx+idSize <= len(byteKeyIDs); idx = idx + idSize {
+		tempID := *(*int32)(unsafe.Pointer(&byteKeyIDs[idx]))
+		keys = append(keys, &Key{id: keyID(tempID)})
+	}
+	return keys
+}

vendor/github.com/containers/image/v5/internal/pkg/keyctl/perm.go

@@ -6,6 +6,10 @@
 
 package keyctl
 
+import (
+	"golang.org/x/sys/unix"
+)
+
 // KeyPerm represents in-kernel access control permission to keys and keyrings
 // as a 32-bit integer broken up into four permission sets, one per byte.
 // In MSB order, the perms are: Processor, User, Group, Other.
@@ -24,6 +28,6 @@ const (
 
 // SetPerm sets the permissions on a key or keyring.
 func SetPerm(k ID, p KeyPerm) error {
-	_, _, err := keyctl(keyctlSetPerm, uintptr(k.ID()), uintptr(p))
+	err := unix.KeyctlSetperm(int(k.ID()), uint32(p))
 	return err
 }

vendor/github.com/containers/image/v5/internal/pkg/keyctl/sys_linux.go

@@ -0,0 +1,25 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package keyctl
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+type keyID int32
+
+func newKeyring(id keyID) (*keyring, error) {
+	r1, err := unix.KeyctlGetKeyringID(int(id), true)
+	if err != nil {
+		return nil, err
+	}
+
+	if id < 0 {
+		r1 = int(id)
+	}
+	return &keyring{id: keyID(r1)}, nil
+}

vendor/github.com/containers/image/v5/manifest/docker_schema1.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/types"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"

vendor/github.com/containers/image/v5/manifest/docker_schema2.go

@@ -2,12 +2,15 @@ package manifest
 
 import (
 	"encoding/json"
+	"fmt"
 	"time"
 
-	"github.com/containers/image/pkg/strslice"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/pkg/strslice"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // Schema2Descriptor is a “descriptor” in docker/distribution schema 2.
@@ -161,6 +164,15 @@ func Schema2FromManifest(manifest []byte) (*Schema2, error) {
 	if err := json.Unmarshal(manifest, &s2); err != nil {
 		return nil, err
 	}
+	// Check manifest's and layers' media types.
+	if err := SupportedSchema2MediaType(s2.MediaType); err != nil {
+		return nil, err
+	}
+	for _, layer := range s2.LayersDescriptors {
+		if err := SupportedSchema2MediaType(layer.MediaType); err != nil {
+			return nil, err
+		}
+	}
 	return &s2, nil
 }
 
@@ -199,6 +211,28 @@ func (m *Schema2) LayerInfos() []LayerInfo {
 	return blobs
 }
 
+// isSchema2ForeignLayer is a convenience wrapper to check if a given mime type
+// is a compressed or decompressed schema 2 foreign layer.
+func isSchema2ForeignLayer(mimeType string) bool {
+	switch mimeType {
+	case DockerV2Schema2ForeignLayerMediaType, DockerV2Schema2ForeignLayerMediaTypeGzip:
+		return true
+	default:
+		return false
+	}
+}
+
+// isSchema2Layer is a convenience wrapper to check if a given mime type is a
+// compressed or decompressed schema 2 layer.
+func isSchema2Layer(mimeType string) bool {
+	switch mimeType {
+	case DockerV2SchemaLayerMediaTypeUncompressed, DockerV2Schema2LayerMediaType:
+		return true
+	default:
+		return false
+	}
+}
+
 // UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
 func (m *Schema2) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
 	if len(m.LayersDescriptors) != len(layerInfos) {
@@ -207,7 +241,67 @@ func (m *Schema2) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
 	original := m.LayersDescriptors
 	m.LayersDescriptors = make([]Schema2Descriptor, len(layerInfos))
 	for i, info := range layerInfos {
-		m.LayersDescriptors[i].MediaType = original[i].MediaType
+		// First make sure we support the media type of the original layer.
+		if err := SupportedSchema2MediaType(original[i].MediaType); err != nil {
+			return fmt.Errorf("Error preparing updated manifest: unknown media type of original layer: %q", original[i].MediaType)
+		}
+
+		// Set the correct media types based on the specified compression
+		// operation, the desired compression algorithm AND the original media
+		// type.
+		//
+		// Note that manifests in containers-storage might be reporting the
+		// wrong media type since the original manifests are stored while layers
+		// are decompressed in storage.  Hence, we need to consider the case
+		// that an already {de}compressed layer should be {de}compressed, which
+		// is being addressed in `isSchema2{Foreign}Layer`.
+		switch info.CompressionOperation {
+		case types.PreserveOriginal:
+			// Keep the original media type.
+			m.LayersDescriptors[i].MediaType = original[i].MediaType
+
+		case types.Decompress:
+			// Decompress the original media type and check if it was
+			// non-distributable one or not.
+			mimeType := original[i].MediaType
+			switch {
+			case isSchema2ForeignLayer(mimeType):
+				m.LayersDescriptors[i].MediaType = DockerV2Schema2ForeignLayerMediaType
+			case isSchema2Layer(mimeType):
+				m.LayersDescriptors[i].MediaType = DockerV2SchemaLayerMediaTypeUncompressed
+			default:
+				return fmt.Errorf("Error preparing updated manifest: unsupported media type for decompression: %q", original[i].MediaType)
+			}
+
+		case types.Compress:
+			if info.CompressionAlgorithm == nil {
+				logrus.Debugf("Preparing updated manifest: blob %q was compressed but does not specify by which algorithm: falling back to use the original blob", info.Digest)
+				m.LayersDescriptors[i].MediaType = original[i].MediaType
+				break
+			}
+			// Compress the original media type and set the new one based on
+			// that type (distributable or not) and the specified compression
+			// algorithm. Throw an error if the algorithm is not supported.
+			switch info.CompressionAlgorithm.Name() {
+			case compression.Gzip.Name():
+				mimeType := original[i].MediaType
+				switch {
+				case isSchema2ForeignLayer(mimeType):
+					m.LayersDescriptors[i].MediaType = DockerV2Schema2ForeignLayerMediaTypeGzip
+				case isSchema2Layer(mimeType):
+					m.LayersDescriptors[i].MediaType = DockerV2Schema2LayerMediaType
+				default:
+					return fmt.Errorf("Error preparing updated manifest: unsupported media type for compression: %q", original[i].MediaType)
+				}
+			case compression.Zstd.Name():
+				return fmt.Errorf("Error preparing updated manifest: zstd compression is not supported for docker images")
+			default:
+				return fmt.Errorf("Error preparing updated manifest: unknown compression algorithm %q for layer %q", info.CompressionAlgorithm.Name(), info.Digest)
+			}
+
+		default:
+			return fmt.Errorf("Error preparing updated manifest: unknown compression operation (%d) for layer %q", info.CompressionOperation, info.Digest)
+		}
 		m.LayersDescriptors[i].Digest = info.Digest
 		m.LayersDescriptors[i].Size = info.Size
 		m.LayersDescriptors[i].URLs = info.URLs

vendor/github.com/containers/image/v5/manifest/docker_schema2_list.go

@@ -0,0 +1,216 @@
+package manifest
+
+import (
+	"encoding/json"
+	"fmt"
+	"runtime"
+
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// Schema2PlatformSpec describes the platform which a particular manifest is
+// specialized for.
+type Schema2PlatformSpec struct {
+	Architecture string   `json:"architecture"`
+	OS           string   `json:"os"`
+	OSVersion    string   `json:"os.version,omitempty"`
+	OSFeatures   []string `json:"os.features,omitempty"`
+	Variant      string   `json:"variant,omitempty"`
+	Features     []string `json:"features,omitempty"` // removed in OCI
+}
+
+// Schema2ManifestDescriptor references a platform-specific manifest.
+type Schema2ManifestDescriptor struct {
+	Schema2Descriptor
+	Platform Schema2PlatformSpec `json:"platform"`
+}
+
+// Schema2List is a list of platform-specific manifests.
+type Schema2List struct {
+	SchemaVersion int                         `json:"schemaVersion"`
+	MediaType     string                      `json:"mediaType"`
+	Manifests     []Schema2ManifestDescriptor `json:"manifests"`
+}
+
+// MIMEType returns the MIME type of this particular manifest list.
+func (list *Schema2List) MIMEType() string {
+	return list.MediaType
+}
+
+// Instances returns a slice of digests of the manifests that this list knows of.
+func (list *Schema2List) Instances() []digest.Digest {
+	results := make([]digest.Digest, len(list.Manifests))
+	for i, m := range list.Manifests {
+		results[i] = m.Digest
+	}
+	return results
+}
+
+// Instance returns the ListUpdate of a particular instance in the list.
+func (list *Schema2List) Instance(instanceDigest digest.Digest) (ListUpdate, error) {
+	for _, manifest := range list.Manifests {
+		if manifest.Digest == instanceDigest {
+			return ListUpdate{
+				Digest:    manifest.Digest,
+				Size:      manifest.Size,
+				MediaType: manifest.MediaType,
+			}, nil
+		}
+	}
+	return ListUpdate{}, errors.Errorf("unable to find instance %s passed to Schema2List.Instances", instanceDigest)
+}
+
+// UpdateInstances updates the sizes, digests, and media types of the manifests
+// which the list catalogs.
+func (list *Schema2List) UpdateInstances(updates []ListUpdate) error {
+	if len(updates) != len(list.Manifests) {
+		return errors.Errorf("incorrect number of update entries passed to Schema2List.UpdateInstances: expected %d, got %d", len(list.Manifests), len(updates))
+	}
+	for i := range updates {
+		if err := updates[i].Digest.Validate(); err != nil {
+			return errors.Wrapf(err, "update %d of %d passed to Schema2List.UpdateInstances contained an invalid digest", i+1, len(updates))
+		}
+		list.Manifests[i].Digest = updates[i].Digest
+		if updates[i].Size < 0 {
+			return errors.Errorf("update %d of %d passed to Schema2List.UpdateInstances had an invalid size (%d)", i+1, len(updates), updates[i].Size)
+		}
+		list.Manifests[i].Size = updates[i].Size
+		if updates[i].MediaType == "" {
+			return errors.Errorf("update %d of %d passed to Schema2List.UpdateInstances had no media type (was %q)", i+1, len(updates), list.Manifests[i].MediaType)
+		}
+		if err := SupportedSchema2MediaType(updates[i].MediaType); err != nil && SupportedOCI1MediaType(updates[i].MediaType) != nil {
+			return errors.Wrapf(err, "update %d of %d passed to Schema2List.UpdateInstances had an unsupported media type (was %q): %q", i+1, len(updates), list.Manifests[i].MediaType, updates[i].MediaType)
+		}
+		list.Manifests[i].MediaType = updates[i].MediaType
+	}
+	return nil
+}
+
+// ChooseInstance parses blob as a schema2 manifest list, and returns the digest
+// of the image which is appropriate for the current environment.
+func (list *Schema2List) ChooseInstance(ctx *types.SystemContext) (digest.Digest, error) {
+	wantedArch := runtime.GOARCH
+	if ctx != nil && ctx.ArchitectureChoice != "" {
+		wantedArch = ctx.ArchitectureChoice
+	}
+	wantedOS := runtime.GOOS
+	if ctx != nil && ctx.OSChoice != "" {
+		wantedOS = ctx.OSChoice
+	}
+
+	for _, d := range list.Manifests {
+		if d.Platform.Architecture == wantedArch && d.Platform.OS == wantedOS {
+			return d.Digest, nil
+		}
+	}
+	return "", fmt.Errorf("no image found in manifest list for architecture %s, OS %s", wantedArch, wantedOS)
+}
+
+// Serialize returns the list in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (list *Schema2List) Serialize() ([]byte, error) {
+	buf, err := json.Marshal(list)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error marshaling Schema2List %#v", list)
+	}
+	return buf, nil
+}
+
+// Schema2ListFromComponents creates a Schema2 manifest list instance from the
+// supplied data.
+func Schema2ListFromComponents(components []Schema2ManifestDescriptor) *Schema2List {
+	list := Schema2List{
+		SchemaVersion: 2,
+		MediaType:     DockerV2ListMediaType,
+		Manifests:     make([]Schema2ManifestDescriptor, len(components)),
+	}
+	for i, component := range components {
+		m := Schema2ManifestDescriptor{
+			Schema2Descriptor{
+				MediaType: component.MediaType,
+				Size:      component.Size,
+				Digest:    component.Digest,
+				URLs:      dupStringSlice(component.URLs),
+			},
+			Schema2PlatformSpec{
+				Architecture: component.Platform.Architecture,
+				OS:           component.Platform.OS,
+				OSVersion:    component.Platform.OSVersion,
+				OSFeatures:   dupStringSlice(component.Platform.OSFeatures),
+				Variant:      component.Platform.Variant,
+				Features:     dupStringSlice(component.Platform.Features),
+			},
+		}
+		list.Manifests[i] = m
+	}
+	return &list
+}
+
+// Schema2ListClone creates a deep copy of the passed-in list.
+func Schema2ListClone(list *Schema2List) *Schema2List {
+	return Schema2ListFromComponents(list.Manifests)
+}
+
+// ToOCI1Index returns the list encoded as an OCI1 index.
+func (list *Schema2List) ToOCI1Index() (*OCI1Index, error) {
+	components := make([]imgspecv1.Descriptor, 0, len(list.Manifests))
+	for _, manifest := range list.Manifests {
+		converted := imgspecv1.Descriptor{
+			MediaType: manifest.MediaType,
+			Size:      manifest.Size,
+			Digest:    manifest.Digest,
+			URLs:      dupStringSlice(manifest.URLs),
+			Platform: &imgspecv1.Platform{
+				OS:           manifest.Platform.OS,
+				Architecture: manifest.Platform.Architecture,
+				OSFeatures:   dupStringSlice(manifest.Platform.OSFeatures),
+				OSVersion:    manifest.Platform.OSVersion,
+				Variant:      manifest.Platform.Variant,
+			},
+		}
+		components = append(components, converted)
+	}
+	oci := OCI1IndexFromComponents(components, nil)
+	return oci, nil
+}
+
+// ToSchema2List returns the list encoded as a Schema2 list.
+func (list *Schema2List) ToSchema2List() (*Schema2List, error) {
+	return Schema2ListClone(list), nil
+}
+
+// Schema2ListFromManifest creates a Schema2 manifest list instance from marshalled
+// JSON, presumably generated by encoding a Schema2 manifest list.
+func Schema2ListFromManifest(manifest []byte) (*Schema2List, error) {
+	list := Schema2List{
+		Manifests: []Schema2ManifestDescriptor{},
+	}
+	if err := json.Unmarshal(manifest, &list); err != nil {
+		return nil, errors.Wrapf(err, "error unmarshaling Schema2List %q", string(manifest))
+	}
+	return &list, nil
+}
+
+// Clone returns a deep copy of this list and its contents.
+func (list *Schema2List) Clone() List {
+	return Schema2ListClone(list)
+}
+
+// ConvertToMIMEType converts the passed-in manifest list to a manifest
+// list of the specified type.
+func (list *Schema2List) ConvertToMIMEType(manifestMIMEType string) (List, error) {
+	switch normalized := NormalizedMIMEType(manifestMIMEType); normalized {
+	case DockerV2ListMediaType:
+		return list.Clone(), nil
+	case imgspecv1.MediaTypeImageIndex:
+		return list.ToOCI1Index()
+	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType, imgspecv1.MediaTypeImageManifest, DockerV2Schema2MediaType:
+		return nil, fmt.Errorf("Can not convert manifest list to MIME type %q, which is not a list type", manifestMIMEType)
+	default:
+		// Note that this may not be reachable, NormalizedMIMEType has a default for unknown values.
+		return nil, fmt.Errorf("Unimplemented manifest list MIME type %s", manifestMIMEType)
+	}
+}

vendor/github.com/containers/image/v5/manifest/list.go

@@ -0,0 +1,106 @@
+package manifest
+
+import (
+	"fmt"
+
+	"github.com/containers/image/v5/types"
+	digest "github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+var (
+	// SupportedListMIMETypes is a list of the manifest list types that we know how to
+	// read/manipulate/write.
+	SupportedListMIMETypes = []string{
+		DockerV2ListMediaType,
+		imgspecv1.MediaTypeImageIndex,
+	}
+)
+
+// List is an interface for parsing, modifying lists of image manifests.
+// Callers can either use this abstract interface without understanding the details of the formats,
+// or instantiate a specific implementation (e.g. manifest.OCI1Index) and access the public members
+// directly.
+type List interface {
+	// MIMEType returns the MIME type of this particular manifest list.
+	MIMEType() string
+
+	// Instances returns a list of the manifests that this list knows of, other than its own.
+	Instances() []digest.Digest
+
+	// Update information about the list's instances.  The length of the passed-in slice must
+	// match the length of the list of instances which the list already contains, and every field
+	// must be specified.
+	UpdateInstances([]ListUpdate) error
+
+	// Instance returns the size and MIME type of a particular instance in the list.
+	Instance(digest.Digest) (ListUpdate, error)
+
+	// ChooseInstance selects which manifest is most appropriate for the platform described by the
+	// SystemContext, or for the current platform if the SystemContext doesn't specify any details.
+	ChooseInstance(ctx *types.SystemContext) (digest.Digest, error)
+
+	// Serialize returns the list in a blob format.
+	// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded
+	// from, even if no modifications were made!
+	Serialize() ([]byte, error)
+
+	// ConvertToMIMEType returns the list rebuilt to the specified MIME type, or an error.
+	ConvertToMIMEType(mimeType string) (List, error)
+
+	// Clone returns a deep copy of this list and its contents.
+	Clone() List
+}
+
+// ListUpdate includes the fields which a List's UpdateInstances() method will modify.
+type ListUpdate struct {
+	Digest    digest.Digest
+	Size      int64
+	MediaType string
+}
+
+// dupStringSlice returns a deep copy of a slice of strings, or nil if the
+// source slice is empty.
+func dupStringSlice(list []string) []string {
+	if len(list) == 0 {
+		return nil
+	}
+	dup := make([]string, len(list))
+	for i := range list {
+		dup[i] = list[i]
+	}
+	return dup
+}
+
+// dupStringStringMap returns a deep copy of a map[string]string, or nil if the
+// passed-in map is nil or has no keys.
+func dupStringStringMap(m map[string]string) map[string]string {
+	if len(m) == 0 {
+		return nil
+	}
+	result := make(map[string]string)
+	for k, v := range m {
+		result[k] = v
+	}
+	return result
+}
+
+// ListFromBlob parses a list of manifests.
+func ListFromBlob(manifest []byte, manifestMIMEType string) (List, error) {
+	normalized := NormalizedMIMEType(manifestMIMEType)
+	switch normalized {
+	case DockerV2ListMediaType:
+		return Schema2ListFromManifest(manifest)
+	case imgspecv1.MediaTypeImageIndex:
+		return OCI1IndexFromManifest(manifest)
+	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType, imgspecv1.MediaTypeImageManifest, DockerV2Schema2MediaType:
+		return nil, fmt.Errorf("Treating single images as manifest lists is not implemented")
+	}
+	return nil, fmt.Errorf("Unimplemented manifest list MIME type %s (normalized as %s)", manifestMIMEType, normalized)
+}
+
+// ConvertListToMIMEType converts the passed-in manifest list to a manifest
+// list of the specified type.
+func ConvertListToMIMEType(list List, manifestMIMEType string) (List, error) {
+	return list.ConvertToMIMEType(manifestMIMEType)
+}

vendor/github.com/containers/image/v5/manifest/manifest.go

@@ -4,15 +4,15 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/containers/image/types"
-	"github.com/docker/libtrust"
-	"github.com/opencontainers/go-digest"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/libtrust"
+	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // FIXME: Should we just use docker/distribution and docker/docker implementations directly?
 
-// FIXME(runcom, mitr): should we havea mediatype pkg??
+// FIXME(runcom, mitr): should we have a mediatype pkg??
 const (
 	// DockerV2Schema1MediaType MIME type represents Docker manifest schema 1
 	DockerV2Schema1MediaType = "application/vnd.docker.distribution.manifest.v1+json"
@@ -24,12 +24,26 @@ const (
 	DockerV2Schema2ConfigMediaType = "application/vnd.docker.container.image.v1+json"
 	// DockerV2Schema2LayerMediaType is the MIME type used for schema 2 layers.
 	DockerV2Schema2LayerMediaType = "application/vnd.docker.image.rootfs.diff.tar.gzip"
+	// DockerV2SchemaLayerMediaTypeUncompressed is the mediaType used for uncompressed layers.
+	DockerV2SchemaLayerMediaTypeUncompressed = "application/vnd.docker.image.rootfs.diff.tar"
 	// DockerV2ListMediaType MIME type represents Docker manifest schema 2 list
 	DockerV2ListMediaType = "application/vnd.docker.distribution.manifest.list.v2+json"
 	// DockerV2Schema2ForeignLayerMediaType is the MIME type used for schema 2 foreign layers.
-	DockerV2Schema2ForeignLayerMediaType = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
+	DockerV2Schema2ForeignLayerMediaType = "application/vnd.docker.image.rootfs.foreign.diff.tar"
+	// DockerV2Schema2ForeignLayerMediaType is the MIME type used for gzippped schema 2 foreign layers.
+	DockerV2Schema2ForeignLayerMediaTypeGzip = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
 )
 
+// SupportedSchema2MediaType checks if the specified string is a supported Docker v2s2 media type.
+func SupportedSchema2MediaType(m string) error {
+	switch m {
+	case DockerV2ListMediaType, DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType, DockerV2Schema2ConfigMediaType, DockerV2Schema2ForeignLayerMediaType, DockerV2Schema2ForeignLayerMediaTypeGzip, DockerV2Schema2LayerMediaType, DockerV2Schema2MediaType, DockerV2SchemaLayerMediaTypeUncompressed:
+		return nil
+	default:
+		return fmt.Errorf("unsupported docker v2s2 media type: %q", m)
+	}
+}
+
 // DefaultRequestedManifestMIMETypes is a list of MIME types a types.ImageSource
 // should request from the backend unless directed otherwise.
 var DefaultRequestedManifestMIMETypes = []string{
@@ -38,6 +52,7 @@ var DefaultRequestedManifestMIMETypes = []string{
 	DockerV2Schema1SignedMediaType,
 	DockerV2Schema1MediaType,
 	DockerV2ListMediaType,
+	imgspecv1.MediaTypeImageIndex,
 }
 
 // Manifest is an interface for parsing, modifying image manifests in isolation.
@@ -113,12 +128,11 @@ func GuessMIMEType(manifest []byte) string {
 			Config struct {
 				MediaType string `json:"mediaType"`
 			} `json:"config"`
-			Layers []imgspecv1.Descriptor `json:"layers"`
 		}{}
 		if err := json.Unmarshal(manifest, &ociMan); err != nil {
 			return ""
 		}
-		if ociMan.Config.MediaType == imgspecv1.MediaTypeImageConfig && len(ociMan.Layers) != 0 {
+		if ociMan.Config.MediaType == imgspecv1.MediaTypeImageConfig {
 			return imgspecv1.MediaTypeImageManifest
 		}
 		ociIndex := struct {
@@ -127,8 +141,11 @@ func GuessMIMEType(manifest []byte) string {
 		if err := json.Unmarshal(manifest, &ociIndex); err != nil {
 			return ""
 		}
-		if len(ociIndex.Manifests) != 0 && ociIndex.Manifests[0].MediaType == imgspecv1.MediaTypeImageManifest {
-			return imgspecv1.MediaTypeImageIndex
+		if len(ociIndex.Manifests) != 0 {
+			if ociMan.Config.MediaType == "" {
+				return imgspecv1.MediaTypeImageIndex
+			}
+			return ociMan.Config.MediaType
 		}
 		return DockerV2Schema2MediaType
 	}
@@ -186,7 +203,7 @@ func AddDummyV2S1Signature(manifest []byte) ([]byte, error) {
 
 // MIMETypeIsMultiImage returns true if mimeType is a list of images
 func MIMETypeIsMultiImage(mimeType string) bool {
-	return mimeType == DockerV2ListMediaType
+	return mimeType == DockerV2ListMediaType || mimeType == imgspecv1.MediaTypeImageIndex
 }
 
 // NormalizedMIMEType returns the effective MIME type of a manifest MIME type returned by a server,
@@ -200,6 +217,7 @@ func NormalizedMIMEType(input string) string {
 		return DockerV2Schema1SignedMediaType
 	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType,
 		imgspecv1.MediaTypeImageManifest,
+		imgspecv1.MediaTypeImageIndex,
 		DockerV2Schema2MediaType,
 		DockerV2ListMediaType:
 		return input
@@ -219,18 +237,19 @@ func NormalizedMIMEType(input string) string {
 
 // FromBlob returns a Manifest instance for the specified manifest blob and the corresponding MIME type
 func FromBlob(manblob []byte, mt string) (Manifest, error) {
-	switch NormalizedMIMEType(mt) {
+	nmt := NormalizedMIMEType(mt)
+	switch nmt {
 	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType:
 		return Schema1FromManifest(manblob)
 	case imgspecv1.MediaTypeImageManifest:
 		return OCI1FromManifest(manblob)
 	case DockerV2Schema2MediaType:
 		return Schema2FromManifest(manblob)
-	case DockerV2ListMediaType:
+	case DockerV2ListMediaType, imgspecv1.MediaTypeImageIndex:
 		return nil, fmt.Errorf("Treating manifest lists as individual manifests is not implemented")
-	default: // Note that this may not be reachable, NormalizedMIMEType has a default for unknown values.
-		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", mt)
 	}
+	// Note that this may not be reachable, NormalizedMIMEType has a default for unknown values.
+	return nil, fmt.Errorf("Unimplemented manifest MIME type %s (normalized as %s)", mt, nmt)
 }
 
 // layerInfosToStrings converts a list of layer infos, presumably obtained from a Manifest.LayerInfos()

vendor/github.com/containers/image/v5/manifest/oci.go

@@ -0,0 +1,243 @@
+package manifest
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// BlobInfoFromOCI1Descriptor returns a types.BlobInfo based on the input OCI1 descriptor.
+func BlobInfoFromOCI1Descriptor(desc imgspecv1.Descriptor) types.BlobInfo {
+	return types.BlobInfo{
+		Digest:      desc.Digest,
+		Size:        desc.Size,
+		URLs:        desc.URLs,
+		Annotations: desc.Annotations,
+		MediaType:   desc.MediaType,
+	}
+}
+
+// OCI1 is a manifest.Manifest implementation for OCI images.
+// The underlying data from imgspecv1.Manifest is also available.
+type OCI1 struct {
+	imgspecv1.Manifest
+}
+
+// SupportedOCI1MediaType checks if the specified string is a supported OCI1 media type.
+func SupportedOCI1MediaType(m string) error {
+	switch m {
+	case imgspecv1.MediaTypeDescriptor, imgspecv1.MediaTypeImageConfig, imgspecv1.MediaTypeImageLayer, imgspecv1.MediaTypeImageLayerGzip, imgspecv1.MediaTypeImageLayerNonDistributable, imgspecv1.MediaTypeImageLayerNonDistributableGzip, imgspecv1.MediaTypeImageLayerNonDistributableZstd, imgspecv1.MediaTypeImageLayerZstd, imgspecv1.MediaTypeImageManifest, imgspecv1.MediaTypeLayoutHeader:
+		return nil
+	default:
+		return fmt.Errorf("unsupported OCIv1 media type: %q", m)
+	}
+}
+
+// OCI1FromManifest creates an OCI1 manifest instance from a manifest blob.
+func OCI1FromManifest(manifest []byte) (*OCI1, error) {
+	oci1 := OCI1{}
+	if err := json.Unmarshal(manifest, &oci1); err != nil {
+		return nil, err
+	}
+	// Check manifest's and layers' media types.
+	if err := SupportedOCI1MediaType(oci1.Config.MediaType); err != nil {
+		return nil, err
+	}
+	for _, layer := range oci1.Layers {
+		if err := SupportedOCI1MediaType(layer.MediaType); err != nil {
+			return nil, err
+		}
+	}
+	return &oci1, nil
+}
+
+// OCI1FromComponents creates an OCI1 manifest instance from the supplied data.
+func OCI1FromComponents(config imgspecv1.Descriptor, layers []imgspecv1.Descriptor) *OCI1 {
+	return &OCI1{
+		imgspecv1.Manifest{
+			Versioned: specs.Versioned{SchemaVersion: 2},
+			Config:    config,
+			Layers:    layers,
+		},
+	}
+}
+
+// OCI1Clone creates a copy of the supplied OCI1 manifest.
+func OCI1Clone(src *OCI1) *OCI1 {
+	return &OCI1{
+		Manifest: src.Manifest,
+	}
+}
+
+// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+func (m *OCI1) ConfigInfo() types.BlobInfo {
+	return BlobInfoFromOCI1Descriptor(m.Config)
+}
+
+// LayerInfos returns a list of LayerInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (m *OCI1) LayerInfos() []LayerInfo {
+	blobs := []LayerInfo{}
+	for _, layer := range m.Layers {
+		blobs = append(blobs, LayerInfo{
+			BlobInfo:   BlobInfoFromOCI1Descriptor(layer),
+			EmptyLayer: false,
+		})
+	}
+	return blobs
+}
+
+// isOCI1NonDistributableLayer is a convenience wrapper to check if a given mime
+// type is a compressed or decompressed OCI v1 non-distributable layer.
+func isOCI1NonDistributableLayer(mimeType string) bool {
+	switch mimeType {
+	case imgspecv1.MediaTypeImageLayerNonDistributable, imgspecv1.MediaTypeImageLayerNonDistributableGzip, imgspecv1.MediaTypeImageLayerNonDistributableZstd:
+		return true
+	default:
+		return false
+	}
+}
+
+// isOCI1Layer is a convenience wrapper to check if a given mime type is a
+// compressed or decompressed OCI v1 layer.
+func isOCI1Layer(mimeType string) bool {
+	switch mimeType {
+	case imgspecv1.MediaTypeImageLayer, imgspecv1.MediaTypeImageLayerGzip, imgspecv1.MediaTypeImageLayerZstd:
+		return true
+	default:
+		return false
+	}
+}
+
+// UpdateLayerInfos replaces the original layers with the specified BlobInfos (size+digest+urls), in order (the root layer first, and then successive layered layers)
+func (m *OCI1) UpdateLayerInfos(layerInfos []types.BlobInfo) error {
+	if len(m.Layers) != len(layerInfos) {
+		return errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(m.Layers), len(layerInfos))
+	}
+	original := m.Layers
+	m.Layers = make([]imgspecv1.Descriptor, len(layerInfos))
+	for i, info := range layerInfos {
+		// First make sure we support the media type of the original layer.
+		if err := SupportedOCI1MediaType(original[i].MediaType); err != nil {
+			return fmt.Errorf("Error preparing updated manifest: unknown media type of original layer: %q", original[i].MediaType)
+		}
+
+		// Set the correct media types based on the specified compression
+		// operation, the desired compression algorithm AND the original media
+		// type.
+		//
+		// Note that manifests in containers-storage might be reporting the
+		// wrong media type since the original manifests are stored while layers
+		// are decompressed in storage.  Hence, we need to consider the case
+		// that an already {de}compressed layer should be {de}compressed, which
+		// is being addressed in `isSchema2{Foreign}Layer`.
+		switch info.CompressionOperation {
+		case types.PreserveOriginal:
+			// Keep the original media type.
+			m.Layers[i].MediaType = original[i].MediaType
+
+		case types.Decompress:
+			// Decompress the original media type and check if it was
+			// non-distributable one or not.
+			mimeType := original[i].MediaType
+			switch {
+			case isOCI1NonDistributableLayer(mimeType):
+				m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerNonDistributable
+			case isOCI1Layer(mimeType):
+				m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayer
+			default:
+				return fmt.Errorf("Error preparing updated manifest: unsupported media type for decompression: %q", original[i].MediaType)
+			}
+
+		case types.Compress:
+			if info.CompressionAlgorithm == nil {
+				logrus.Debugf("Error preparing updated manifest: blob %q was compressed but does not specify by which algorithm: falling back to use the original blob", info.Digest)
+				m.Layers[i].MediaType = original[i].MediaType
+				break
+			}
+			// Compress the original media type and set the new one based on
+			// that type (distributable or not) and the specified compression
+			// algorithm. Throw an error if the algorithm is not supported.
+			mimeType := original[i].MediaType
+			switch info.CompressionAlgorithm.Name() {
+			case compression.Gzip.Name():
+				switch {
+				case isOCI1NonDistributableLayer(mimeType):
+					m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerNonDistributableGzip
+				case isOCI1Layer(mimeType):
+					m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerGzip
+				default:
+					return fmt.Errorf("Error preparing updated manifest: unsupported media type for compression: %q", original[i].MediaType)
+				}
+
+			case compression.Zstd.Name():
+				switch {
+				case isOCI1NonDistributableLayer(mimeType):
+					m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerNonDistributableZstd
+				case isOCI1Layer(mimeType):
+					m.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerZstd
+				default:
+					return fmt.Errorf("Error preparing updated manifest: unsupported media type for compression: %q", original[i].MediaType)
+				}
+
+			default:
+				return fmt.Errorf("Error preparing updated manifest: unknown compression algorithm %q for layer %q", info.CompressionAlgorithm.Name(), info.Digest)
+			}
+
+		default:
+			return fmt.Errorf("Error preparing updated manifest: unknown compression operation (%d) for layer %q", info.CompressionOperation, info.Digest)
+		}
+		m.Layers[i].Digest = info.Digest
+		m.Layers[i].Size = info.Size
+		m.Layers[i].Annotations = info.Annotations
+		m.Layers[i].URLs = info.URLs
+	}
+	return nil
+}
+
+// Serialize returns the manifest in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (m *OCI1) Serialize() ([]byte, error) {
+	return json.Marshal(*m)
+}
+
+// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
+func (m *OCI1) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*types.ImageInspectInfo, error) {
+	config, err := configGetter(m.ConfigInfo())
+	if err != nil {
+		return nil, err
+	}
+	v1 := &imgspecv1.Image{}
+	if err := json.Unmarshal(config, v1); err != nil {
+		return nil, err
+	}
+	d1 := &Schema2V1Image{}
+	json.Unmarshal(config, d1)
+	i := &types.ImageInspectInfo{
+		Tag:           "",
+		Created:       v1.Created,
+		DockerVersion: d1.DockerVersion,
+		Labels:        v1.Config.Labels,
+		Architecture:  v1.Architecture,
+		Os:            v1.OS,
+		Layers:        layerInfosToStrings(m.LayerInfos()),
+		Env:           d1.Config.Env,
+	}
+	return i, nil
+}
+
+// ImageID computes an ID which can uniquely identify this image by its contents.
+func (m *OCI1) ImageID([]digest.Digest) (string, error) {
+	if err := m.Config.Digest.Validate(); err != nil {
+		return "", err
+	}
+	return m.Config.Digest.Hex(), nil
+}

vendor/github.com/containers/image/v5/manifest/oci_index.go

@@ -0,0 +1,221 @@
+package manifest
+
+import (
+	"encoding/json"
+	"fmt"
+	"runtime"
+
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	imgspec "github.com/opencontainers/image-spec/specs-go"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// OCI1Index is just an alias for the OCI index type, but one which we can
+// provide methods for.
+type OCI1Index struct {
+	imgspecv1.Index
+}
+
+// MIMEType returns the MIME type of this particular manifest index.
+func (index *OCI1Index) MIMEType() string {
+	return imgspecv1.MediaTypeImageIndex
+}
+
+// Instances returns a slice of digests of the manifests that this index knows of.
+func (index *OCI1Index) Instances() []digest.Digest {
+	results := make([]digest.Digest, len(index.Manifests))
+	for i, m := range index.Manifests {
+		results[i] = m.Digest
+	}
+	return results
+}
+
+// Instance returns the ListUpdate of a particular instance in the index.
+func (index *OCI1Index) Instance(instanceDigest digest.Digest) (ListUpdate, error) {
+	for _, manifest := range index.Manifests {
+		if manifest.Digest == instanceDigest {
+			return ListUpdate{
+				Digest:    manifest.Digest,
+				Size:      manifest.Size,
+				MediaType: manifest.MediaType,
+			}, nil
+		}
+	}
+	return ListUpdate{}, errors.Errorf("unable to find instance %s in OCI1Index", instanceDigest)
+}
+
+// UpdateInstances updates the sizes, digests, and media types of the manifests
+// which the list catalogs.
+func (index *OCI1Index) UpdateInstances(updates []ListUpdate) error {
+	if len(updates) != len(index.Manifests) {
+		return errors.Errorf("incorrect number of update entries passed to OCI1Index.UpdateInstances: expected %d, got %d", len(index.Manifests), len(updates))
+	}
+	for i := range updates {
+		if err := updates[i].Digest.Validate(); err != nil {
+			return errors.Wrapf(err, "update %d of %d passed to OCI1Index.UpdateInstances contained an invalid digest", i+1, len(updates))
+		}
+		index.Manifests[i].Digest = updates[i].Digest
+		if updates[i].Size < 0 {
+			return errors.Errorf("update %d of %d passed to OCI1Index.UpdateInstances had an invalid size (%d)", i+1, len(updates), updates[i].Size)
+		}
+		index.Manifests[i].Size = updates[i].Size
+		if updates[i].MediaType == "" {
+			return errors.Errorf("update %d of %d passed to OCI1Index.UpdateInstances had no media type (was %q)", i+1, len(updates), index.Manifests[i].MediaType)
+		}
+		if err := SupportedOCI1MediaType(updates[i].MediaType); err != nil && SupportedSchema2MediaType(updates[i].MediaType) != nil && updates[i].MediaType != imgspecv1.MediaTypeImageIndex {
+			return errors.Wrapf(err, "update %d of %d passed to OCI1Index.UpdateInstances had an unsupported media type (was %q): %q", i+1, len(updates), index.Manifests[i].MediaType, updates[i].MediaType)
+		}
+		index.Manifests[i].MediaType = updates[i].MediaType
+	}
+	return nil
+}
+
+// ChooseInstance parses blob as an oci v1 manifest index, and returns the digest
+// of the image which is appropriate for the current environment.
+func (index *OCI1Index) ChooseInstance(ctx *types.SystemContext) (digest.Digest, error) {
+	wantedArch := runtime.GOARCH
+	if ctx != nil && ctx.ArchitectureChoice != "" {
+		wantedArch = ctx.ArchitectureChoice
+	}
+	wantedOS := runtime.GOOS
+	if ctx != nil && ctx.OSChoice != "" {
+		wantedOS = ctx.OSChoice
+	}
+
+	for _, d := range index.Manifests {
+		if d.Platform != nil && d.Platform.Architecture == wantedArch && d.Platform.OS == wantedOS {
+			return d.Digest, nil
+		}
+	}
+	for _, d := range index.Manifests {
+		if d.Platform == nil {
+			return d.Digest, nil
+		}
+	}
+	return "", fmt.Errorf("no image found in image index for architecture %s, OS %s", wantedArch, wantedOS)
+}
+
+// Serialize returns the index in a blob format.
+// NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
+func (index *OCI1Index) Serialize() ([]byte, error) {
+	buf, err := json.Marshal(index)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error marshaling OCI1Index %#v", index)
+	}
+	return buf, nil
+}
+
+// OCI1IndexFromComponents creates an OCI1 image index instance from the
+// supplied data.
+func OCI1IndexFromComponents(components []imgspecv1.Descriptor, annotations map[string]string) *OCI1Index {
+	index := OCI1Index{
+		imgspecv1.Index{
+			Versioned:   imgspec.Versioned{SchemaVersion: 2},
+			Manifests:   make([]imgspecv1.Descriptor, len(components)),
+			Annotations: dupStringStringMap(annotations),
+		},
+	}
+	for i, component := range components {
+		var platform *imgspecv1.Platform
+		if component.Platform != nil {
+			platform = &imgspecv1.Platform{
+				Architecture: component.Platform.Architecture,
+				OS:           component.Platform.OS,
+				OSVersion:    component.Platform.OSVersion,
+				OSFeatures:   dupStringSlice(component.Platform.OSFeatures),
+				Variant:      component.Platform.Variant,
+			}
+		}
+		m := imgspecv1.Descriptor{
+			MediaType:   component.MediaType,
+			Size:        component.Size,
+			Digest:      component.Digest,
+			URLs:        dupStringSlice(component.URLs),
+			Annotations: dupStringStringMap(component.Annotations),
+			Platform:    platform,
+		}
+		index.Manifests[i] = m
+	}
+	return &index
+}
+
+// OCI1IndexClone creates a deep copy of the passed-in index.
+func OCI1IndexClone(index *OCI1Index) *OCI1Index {
+	return OCI1IndexFromComponents(index.Manifests, index.Annotations)
+}
+
+// ToOCI1Index returns the index encoded as an OCI1 index.
+func (index *OCI1Index) ToOCI1Index() (*OCI1Index, error) {
+	return OCI1IndexClone(index), nil
+}
+
+// ToSchema2List returns the index encoded as a Schema2 list.
+func (index *OCI1Index) ToSchema2List() (*Schema2List, error) {
+	components := make([]Schema2ManifestDescriptor, 0, len(index.Manifests))
+	for _, manifest := range index.Manifests {
+		platform := manifest.Platform
+		if platform == nil {
+			platform = &imgspecv1.Platform{
+				OS:           runtime.GOOS,
+				Architecture: runtime.GOARCH,
+			}
+		}
+		converted := Schema2ManifestDescriptor{
+			Schema2Descriptor{
+				MediaType: manifest.MediaType,
+				Size:      manifest.Size,
+				Digest:    manifest.Digest,
+				URLs:      dupStringSlice(manifest.URLs),
+			},
+			Schema2PlatformSpec{
+				OS:           platform.OS,
+				Architecture: platform.Architecture,
+				OSFeatures:   dupStringSlice(platform.OSFeatures),
+				OSVersion:    platform.OSVersion,
+				Variant:      platform.Variant,
+			},
+		}
+		components = append(components, converted)
+	}
+	s2 := Schema2ListFromComponents(components)
+	return s2, nil
+}
+
+// OCI1IndexFromManifest creates an OCI1 manifest index instance from marshalled
+// JSON, presumably generated by encoding a OCI1 manifest index.
+func OCI1IndexFromManifest(manifest []byte) (*OCI1Index, error) {
+	index := OCI1Index{
+		Index: imgspecv1.Index{
+			Versioned:   imgspec.Versioned{SchemaVersion: 2},
+			Manifests:   []imgspecv1.Descriptor{},
+			Annotations: make(map[string]string),
+		},
+	}
+	if err := json.Unmarshal(manifest, &index); err != nil {
+		return nil, errors.Wrapf(err, "error unmarshaling OCI1Index %q", string(manifest))
+	}
+	return &index, nil
+}
+
+// Clone returns a deep copy of this list and its contents.
+func (index *OCI1Index) Clone() List {
+	return OCI1IndexClone(index)
+}
+
+// ConvertToMIMEType converts the passed-in image index to a manifest list of
+// the specified type.
+func (index *OCI1Index) ConvertToMIMEType(manifestMIMEType string) (List, error) {
+	switch normalized := NormalizedMIMEType(manifestMIMEType); normalized {
+	case DockerV2ListMediaType:
+		return index.ToSchema2List()
+	case imgspecv1.MediaTypeImageIndex:
+		return index.Clone(), nil
+	case DockerV2Schema1MediaType, DockerV2Schema1SignedMediaType, imgspecv1.MediaTypeImageManifest, DockerV2Schema2MediaType:
+		return nil, fmt.Errorf("Can not convert image index to MIME type %q, which is not a list type", manifestMIMEType)
+	default:
+		// Note that this may not be reachable, NormalizedMIMEType has a default for unknown values.
+		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", manifestMIMEType)
+	}
+}

vendor/github.com/containers/image/v5/oci/archive/oci_dest.go

@@ -5,8 +5,9 @@ import (
 	"io"
 	"os"
 
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/archive"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )
 
@@ -105,19 +106,26 @@ func (d *ociArchiveImageDestination) TryReusingBlob(ctx context.Context, info ty
 	return d.unpackedDest.TryReusingBlob(ctx, info, cache, canSubstitute)
 }
 
-// PutManifest writes manifest to the destination
-func (d *ociArchiveImageDestination) PutManifest(ctx context.Context, m []byte) error {
-	return d.unpackedDest.PutManifest(ctx, m)
+// PutManifest writes the manifest to the destination.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to overwrite the manifest for (when
+// the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+// It is expected but not enforced that the instanceDigest, when specified, matches the digest of `manifest` as generated
+// by `manifest.Digest()`.
+func (d *ociArchiveImageDestination) PutManifest(ctx context.Context, m []byte, instanceDigest *digest.Digest) error {
+	return d.unpackedDest.PutManifest(ctx, m, instanceDigest)
 }
 
-func (d *ociArchiveImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
-	return d.unpackedDest.PutSignatures(ctx, signatures)
+// PutSignatures writes a set of signatures to the destination.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to write or overwrite the signatures for
+// (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+func (d *ociArchiveImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
+	return d.unpackedDest.PutSignatures(ctx, signatures, instanceDigest)
 }
 
 // Commit marks the process of storing the image as successful and asks for the image to be persisted
 // after the directory is made, it is tarred up into a file and the directory is deleted
-func (d *ociArchiveImageDestination) Commit(ctx context.Context) error {
-	if err := d.unpackedDest.Commit(ctx); err != nil {
+func (d *ociArchiveImageDestination) Commit(ctx context.Context, unparsedToplevel types.UnparsedImage) error {
+	if err := d.unpackedDest.Commit(ctx, unparsedToplevel); err != nil {
 		return errors.Wrapf(err, "error storing image %q", d.ref.image)
 	}
 

vendor/github.com/containers/image/v5/oci/archive/oci_src.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"io"
 
-	ocilayout "github.com/containers/image/oci/layout"
-	"github.com/containers/image/types"
+	ocilayout "github.com/containers/image/v5/oci/layout"
+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -96,7 +96,14 @@ func (s *ociArchiveImageSource) GetSignatures(ctx context.Context, instanceDiges
 	return s.unpackedSrc.GetSignatures(ctx, instanceDigest)
 }
 
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *ociArchiveImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
-	return nil, nil
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve BlobInfos for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *ociArchiveImageSource) LayerInfosForCopy(ctx context.Context, instanceDigest *digest.Digest) ([]types.BlobInfo, error) {
+	return s.unpackedSrc.LayerInfosForCopy(ctx, instanceDigest)
 }

vendor/github.com/containers/image/v5/oci/archive/oci_transport.go

@@ -7,14 +7,14 @@ import (
 	"os"
 	"strings"
 
-	"github.com/containers/image/directory/explicitfilepath"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/internal/tmpdir"
-	"github.com/containers/image/oci/internal"
-	ocilayout "github.com/containers/image/oci/layout"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/directory/explicitfilepath"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/internal/tmpdir"
+	"github.com/containers/image/v5/oci/internal"
+	ocilayout "github.com/containers/image/v5/oci/layout"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
 )

vendor/github.com/containers/image/v5/oci/layout/oci_dest.go

@@ -9,8 +9,8 @@ import (
 	"path/filepath"
 	"runtime"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 	imgspec "github.com/opencontainers/image-spec/specs-go"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -38,6 +38,7 @@ func newImageDestination(sys *types.SystemContext, ref ociReference) (types.Imag
 			Versioned: imgspec.Versioned{
 				SchemaVersion: 2,
 			},
+			Annotations: make(map[string]string),
 		}
 	}
 
@@ -73,6 +74,7 @@ func (d *ociImageDestination) Close() error {
 func (d *ociImageDestination) SupportedManifestMIMETypes() []string {
 	return []string{
 		imgspecv1.MediaTypeImageManifest,
+		imgspecv1.MediaTypeImageIndex,
 	}
 }
 
@@ -205,20 +207,27 @@ func (d *ociImageDestination) TryReusingBlob(ctx context.Context, info types.Blo
 	return true, types.BlobInfo{Digest: info.Digest, Size: finfo.Size()}, nil
 }
 
-// PutManifest writes manifest to the destination.
+// PutManifest writes a manifest to the destination.  Per our list of supported manifest MIME types,
+// this should be either an OCI manifest (possibly converted to this format by the caller) or index,
+// neither of which we'll need to modify further.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to overwrite the manifest for (when
+// the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+// It is expected but not enforced that the instanceDigest, when specified, matches the digest of `manifest` as generated
+// by `manifest.Digest()`.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *ociImageDestination) PutManifest(ctx context.Context, m []byte) error {
-	digest, err := manifest.Digest(m)
-	if err != nil {
-		return err
+func (d *ociImageDestination) PutManifest(ctx context.Context, m []byte, instanceDigest *digest.Digest) error {
+	var digest digest.Digest
+	var err error
+	if instanceDigest != nil {
+		digest = *instanceDigest
+	} else {
+		digest, err = manifest.Digest(m)
+		if err != nil {
+			return err
+		}
 	}
-	desc := imgspecv1.Descriptor{}
-	desc.Digest = digest
-	// TODO(runcom): beaware and add support for OCI manifest list
-	desc.MediaType = imgspecv1.MediaTypeImageManifest
-	desc.Size = int64(len(m))
 
 	blobPath, err := d.ref.blobPath(digest, d.sharedBlobDir)
 	if err != nil {
@@ -231,32 +240,59 @@ func (d *ociImageDestination) PutManifest(ctx context.Context, m []byte) error {
 		return err
 	}
 
+	if instanceDigest != nil {
+		return nil
+	}
+
+	// If we had platform information, we'd build an imgspecv1.Platform structure here.
+
+	// Start filling out the descriptor for this entry
+	desc := imgspecv1.Descriptor{}
+	desc.Digest = digest
+	desc.Size = int64(len(m))
 	if d.ref.image != "" {
-		annotations := make(map[string]string)
-		annotations["org.opencontainers.image.ref.name"] = d.ref.image
-		desc.Annotations = annotations
-	}
-	desc.Platform = &imgspecv1.Platform{
-		Architecture: runtime.GOARCH,
-		OS:           runtime.GOOS,
+		desc.Annotations = make(map[string]string)
+		desc.Annotations[imgspecv1.AnnotationRefName] = d.ref.image
 	}
+
+	// If we knew the MIME type, we wouldn't have to guess here.
+	desc.MediaType = manifest.GuessMIMEType(m)
+
 	d.addManifest(&desc)
 
 	return nil
 }
 
 func (d *ociImageDestination) addManifest(desc *imgspecv1.Descriptor) {
+	// If the new entry has a name, remove any conflicting names which we already have.
+	if desc.Annotations != nil && desc.Annotations[imgspecv1.AnnotationRefName] != "" {
+		// The name is being set on a new entry, so remove any older ones that had the same name.
+		// We might be storing an index and all of its component images, and we'll want to attach
+		// the name to the last one, which is the index.
+		for i, manifest := range d.index.Manifests {
+			if manifest.Annotations[imgspecv1.AnnotationRefName] == desc.Annotations[imgspecv1.AnnotationRefName] {
+				delete(d.index.Manifests[i].Annotations, imgspecv1.AnnotationRefName)
+				break
+			}
+		}
+	}
+	// If it has the same digest as another entry in the index, we already overwrote the file,
+	// so just pick up the other information.
 	for i, manifest := range d.index.Manifests {
-		if manifest.Annotations["org.opencontainers.image.ref.name"] == desc.Annotations["org.opencontainers.image.ref.name"] {
-			// TODO Should there first be a cleanup based on the descriptor we are going to replace?
+		if manifest.Digest == desc.Digest {
+			// Replace it completely.
 			d.index.Manifests[i] = *desc
 			return
 		}
 	}
+	// It's a new entry to be added to the index.
 	d.index.Manifests = append(d.index.Manifests, *desc)
 }
 
-func (d *ociImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
+// PutSignatures would add the given signatures to the oci layout (currently not supported).
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to write or overwrite the signatures for
+// (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
+func (d *ociImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
 	if len(signatures) != 0 {
 		return errors.Errorf("Pushing signatures for OCI images is not supported")
 	}
@@ -267,7 +303,7 @@ func (d *ociImageDestination) PutSignatures(ctx context.Context, signatures [][]
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *ociImageDestination) Commit(ctx context.Context) error {
+func (d *ociImageDestination) Commit(context.Context, types.UnparsedImage) error {
 	if err := ioutil.WriteFile(d.ref.ociLayoutPath(), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0644); err != nil {
 		return err
 	}

vendor/github.com/containers/image/v5/oci/layout/oci_src.go

@@ -8,8 +8,9 @@ import (
 	"os"
 	"strconv"
 
-	"github.com/containers/image/pkg/tlsclientconfig"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/tlsclientconfig"
+	"github.com/containers/image/v5/types"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -18,6 +19,7 @@ import (
 
 type ociImageSource struct {
 	ref           ociReference
+	index         *imgspecv1.Index
 	descriptor    imgspecv1.Descriptor
 	client        *http.Client
 	sharedBlobDir string
@@ -41,7 +43,11 @@ func newImageSource(sys *types.SystemContext, ref ociReference) (types.ImageSour
 	if err != nil {
 		return nil, err
 	}
-	d := &ociImageSource{ref: ref, descriptor: descriptor, client: client}
+	index, err := ref.getIndex()
+	if err != nil {
+		return nil, err
+	}
+	d := &ociImageSource{ref: ref, index: index, descriptor: descriptor, client: client}
 	if sys != nil {
 		// TODO(jonboulle): check dir existence?
 		d.sharedBlobDir = sys.OCISharedBlobDirPath
@@ -66,28 +72,33 @@ func (s *ociImageSource) Close() error {
 func (s *ociImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	var dig digest.Digest
 	var mimeType string
+	var err error
+
 	if instanceDigest == nil {
 		dig = digest.Digest(s.descriptor.Digest)
 		mimeType = s.descriptor.MediaType
 	} else {
 		dig = *instanceDigest
-		// XXX: instanceDigest means that we don't immediately have the context of what
-		//      mediaType the manifest has. In OCI this means that we don't know
-		//      what reference it came from, so we just *assume* that its
-		//      MediaTypeImageManifest.
-		// FIXME: We should actually be able to look up the manifest in the index,
-		// and see the MIME type there.
-		mimeType = imgspecv1.MediaTypeImageManifest
+		for _, md := range s.index.Manifests {
+			if md.Digest == dig {
+				mimeType = md.MediaType
+				break
+			}
+		}
 	}
 
 	manifestPath, err := s.ref.blobPath(dig, s.sharedBlobDir)
 	if err != nil {
 		return nil, "", err
 	}
+
 	m, err := ioutil.ReadFile(manifestPath)
 	if err != nil {
 		return nil, "", err
 	}
+	if mimeType == "" {
+		mimeType = manifest.GuessMIMEType(m)
+	}
 
 	return m, mimeType, nil
 }
@@ -157,8 +168,15 @@ func (s *ociImageSource) getExternalBlob(ctx context.Context, urls []string) (io
 	return nil, 0, errWrap
 }
 
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *ociImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve BlobInfos for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *ociImageSource) LayerInfosForCopy(context.Context, *digest.Digest) ([]types.BlobInfo, error) {
 	return nil, nil
 }
 

vendor/github.com/containers/image/v5/oci/layout/oci_transport.go

@@ -8,12 +8,12 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/image/directory/explicitfilepath"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/image"
-	"github.com/containers/image/oci/internal"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/directory/explicitfilepath"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/oci/internal"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -195,10 +195,10 @@ func (ref ociReference) getManifestDescriptor() (imgspecv1.Descriptor, error) {
 	} else {
 		// if image specified, look through all manifests for a match
 		for _, md := range index.Manifests {
-			if md.MediaType != imgspecv1.MediaTypeImageManifest {
+			if md.MediaType != imgspecv1.MediaTypeImageManifest && md.MediaType != imgspecv1.MediaTypeImageIndex {
 				continue
 			}
-			refName, ok := md.Annotations["org.opencontainers.image.ref.name"]
+			refName, ok := md.Annotations[imgspecv1.AnnotationRefName]
 			if !ok {
 				continue
 			}

vendor/github.com/containers/image/v5/openshift/openshift-copies.go

@@ -205,22 +205,18 @@ func (config *directClientConfig) ClientConfig() (*restConfig, error) {
 	// only try to read the auth information if we are secure
 	if isConfigTransportTLS(*clientConfig) {
 		var err error
-
-		// mergo is a first write wins for map value and a last writing wins for interface values
-		// NOTE: This behavior changed with https://github.com/imdario/mergo/commit/d304790b2ed594794496464fadd89d2bb266600a.
-		//       Our mergo.Merge version is older than this change.
 		// REMOVED: Support for interactive fallback.
 		userAuthPartialConfig, err := getUserIdentificationPartialConfig(configAuthInfo)
 		if err != nil {
 			return nil, err
 		}
-		mergo.Merge(clientConfig, userAuthPartialConfig)
+		mergo.MergeWithOverwrite(clientConfig, userAuthPartialConfig)
 
 		serverAuthPartialConfig, err := getServerIdentificationPartialConfig(configAuthInfo, configClusterInfo)
 		if err != nil {
 			return nil, err
 		}
-		mergo.Merge(clientConfig, serverAuthPartialConfig)
+		mergo.MergeWithOverwrite(clientConfig, serverAuthPartialConfig)
 	}
 
 	return clientConfig, nil
@@ -241,7 +237,7 @@ func getServerIdentificationPartialConfig(configAuthInfo clientcmdAuthInfo, conf
 	configClientConfig.CAFile = configClusterInfo.CertificateAuthority
 	configClientConfig.CAData = configClusterInfo.CertificateAuthorityData
 	configClientConfig.Insecure = configClusterInfo.InsecureSkipTLSVerify
-	mergo.Merge(mergedConfig, configClientConfig)
+	mergo.MergeWithOverwrite(mergedConfig, configClientConfig)
 
 	return mergedConfig, nil
 }
@@ -324,7 +320,7 @@ func (config *directClientConfig) getContext() clientcmdContext {
 
 	var mergedContext clientcmdContext
 	if configContext, exists := contexts[contextName]; exists {
-		mergo.Merge(&mergedContext, configContext)
+		mergo.MergeWithOverwrite(&mergedContext, configContext)
 	}
 	// REMOVED: overrides support
 
@@ -427,7 +423,7 @@ func (config *directClientConfig) getAuthInfo() clientcmdAuthInfo {
 
 	var mergedAuthInfo clientcmdAuthInfo
 	if configAuthInfo, exists := authInfos[authInfoName]; exists {
-		mergo.Merge(&mergedAuthInfo, configAuthInfo)
+		mergo.MergeWithOverwrite(&mergedAuthInfo, configAuthInfo)
 	}
 	// REMOVED: overrides support
 
@@ -440,10 +436,10 @@ func (config *directClientConfig) getCluster() clientcmdCluster {
 	clusterInfoName := config.getClusterName()
 
 	var mergedClusterInfo clientcmdCluster
-	mergo.Merge(&mergedClusterInfo, defaultCluster)
-	mergo.Merge(&mergedClusterInfo, envVarCluster)
+	mergo.MergeWithOverwrite(&mergedClusterInfo, defaultCluster)
+	mergo.MergeWithOverwrite(&mergedClusterInfo, envVarCluster)
 	if configClusterInfo, exists := clusterInfos[clusterInfoName]; exists {
-		mergo.Merge(&mergedClusterInfo, configClusterInfo)
+		mergo.MergeWithOverwrite(&mergedClusterInfo, configClusterInfo)
 	}
 	// REMOVED: overrides support
 
@@ -577,7 +573,7 @@ func (rules *clientConfigLoadingRules) Load() (*clientcmdConfig, error) {
 	// first merge all of our maps
 	mapConfig := clientcmdNewConfig()
 	for _, kubeconfig := range kubeconfigs {
-		mergo.Merge(mapConfig, kubeconfig)
+		mergo.MergeWithOverwrite(mapConfig, kubeconfig)
 	}
 
 	// merge all of the struct values in the reverse order so that priority is given correctly
@@ -585,14 +581,14 @@ func (rules *clientConfigLoadingRules) Load() (*clientcmdConfig, error) {
 	nonMapConfig := clientcmdNewConfig()
 	for i := len(kubeconfigs) - 1; i >= 0; i-- {
 		kubeconfig := kubeconfigs[i]
-		mergo.Merge(nonMapConfig, kubeconfig)
+		mergo.MergeWithOverwrite(nonMapConfig, kubeconfig)
 	}
 
 	// since values are overwritten, but maps values are not, we can merge the non-map config on top of the map config and
 	// get the values we expect.
 	config := clientcmdNewConfig()
-	mergo.Merge(config, mapConfig)
-	mergo.Merge(config, nonMapConfig)
+	mergo.MergeWithOverwrite(config, mapConfig)
+	mergo.MergeWithOverwrite(config, nonMapConfig)
 
 	// REMOVED: Possibility to skip this.
 	if err := resolveLocalPaths(config); err != nil {

vendor/github.com/containers/image/v5/openshift/openshift.go

@@ -12,11 +12,11 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/containers/image/docker"
-	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
-	"github.com/containers/image/version"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/image/v5/version"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -231,16 +231,16 @@ func (s *openshiftImageSource) GetBlob(ctx context.Context, info types.BlobInfo,
 // (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
 // (e.g. if the source never returns manifest lists).
 func (s *openshiftImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
-	var imageName string
+	var imageStreamImageName string
 	if instanceDigest == nil {
 		if err := s.ensureImageIsResolved(ctx); err != nil {
 			return nil, err
 		}
-		imageName = s.imageStreamImageName
+		imageStreamImageName = s.imageStreamImageName
 	} else {
-		imageName = instanceDigest.String()
+		imageStreamImageName = instanceDigest.String()
 	}
-	image, err := s.client.getImage(ctx, imageName)
+	image, err := s.client.getImage(ctx, imageStreamImageName)
 	if err != nil {
 		return nil, err
 	}
@@ -253,8 +253,15 @@ func (s *openshiftImageSource) GetSignatures(ctx context.Context, instanceDigest
 	return sigs, nil
 }
 
-// LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *openshiftImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve BlobInfos for
+// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
+// (e.g. if the source never returns manifest lists).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *openshiftImageSource) LayerInfosForCopy(ctx context.Context, instanceDigest *digest.Digest) ([]types.BlobInfo, error) {
 	return nil, nil
 }
 
@@ -414,20 +421,28 @@ func (d *openshiftImageDestination) TryReusingBlob(ctx context.Context, info typ
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *openshiftImageDestination) PutManifest(ctx context.Context, m []byte) error {
-	manifestDigest, err := manifest.Digest(m)
-	if err != nil {
-		return err
+func (d *openshiftImageDestination) PutManifest(ctx context.Context, m []byte, instanceDigest *digest.Digest) error {
+	if instanceDigest == nil {
+		manifestDigest, err := manifest.Digest(m)
+		if err != nil {
+			return err
+		}
+		d.imageStreamImageName = manifestDigest.String()
 	}
-	d.imageStreamImageName = manifestDigest.String()
-
-	return d.docker.PutManifest(ctx, m)
+	return d.docker.PutManifest(ctx, m, instanceDigest)
 }
 
-func (d *openshiftImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
-	if d.imageStreamImageName == "" {
-		return errors.Errorf("Internal error: Unknown manifest digest, can't add signatures")
+func (d *openshiftImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
+	var imageStreamName string
+	if instanceDigest == nil {
+		if d.imageStreamImageName == "" {
+			return errors.Errorf("Internal error: Unknown manifest digest, can't add signatures")
+		}
+		imageStreamName = d.imageStreamImageName
+	} else {
+		imageStreamName = instanceDigest.String()
 	}
+
 	// Because image signatures are a shared resource in Atomic Registry, the default upload
 	// always adds signatures.  Eventually we should also allow removing signatures.
 
@@ -435,7 +450,7 @@ func (d *openshiftImageDestination) PutSignatures(ctx context.Context, signature
 		return nil // No need to even read the old state.
 	}
 
-	image, err := d.client.getImage(ctx, d.imageStreamImageName)
+	image, err := d.client.getImage(ctx, imageStreamName)
 	if err != nil {
 		return err
 	}
@@ -460,7 +475,7 @@ sigExists:
 			if err != nil || n != 16 {
 				return errors.Wrapf(err, "Error generating random signature len %d", n)
 			}
-			signatureName = fmt.Sprintf("%s@%032x", d.imageStreamImageName, randBytes)
+			signatureName = fmt.Sprintf("%s@%032x", imageStreamName, randBytes)
 			if _, ok := existingSigNames[signatureName]; !ok {
 				break
 			}
@@ -489,8 +504,8 @@ sigExists:
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *openshiftImageDestination) Commit(ctx context.Context) error {
-	return d.docker.Commit(ctx)
+func (d *openshiftImageDestination) Commit(ctx context.Context, unparsedToplevel types.UnparsedImage) error {
+	return d.docker.Commit(ctx, unparsedToplevel)
 }
 
 // These structs are subsets of github.com/openshift/origin/pkg/image/api/v1 and its dependencies.

vendor/github.com/containers/image/v5/openshift/openshift_transport.go

@@ -6,11 +6,11 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/containers/image/docker/policyconfiguration"
-	"github.com/containers/image/docker/reference"
-	genericImage "github.com/containers/image/image"
-	"github.com/containers/image/transports"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/docker/policyconfiguration"
+	"github.com/containers/image/v5/docker/reference"
+	genericImage "github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
 	"github.com/pkg/errors"
 )
 

vendor/github.com/containers/image/v5/ostree/ostree_dest.go

@@ -20,8 +20,8 @@ import (
 	"time"
 	"unsafe"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/klauspost/pgzip"
 	"github.com/opencontainers/go-digest"
@@ -376,10 +376,16 @@ func (d *ostreeImageDestination) TryReusingBlob(ctx context.Context, info types.
 }
 
 // PutManifest writes manifest to the destination.
+// The instanceDigest value is expected to always be nil, because this transport does not support manifest lists, so
+// there can be no secondary manifests.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *ostreeImageDestination) PutManifest(ctx context.Context, manifestBlob []byte) error {
+func (d *ostreeImageDestination) PutManifest(ctx context.Context, manifestBlob []byte, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil {
+		return errors.New(`Manifest lists are not supported by "ostree:"`)
+	}
+
 	d.manifest = string(manifestBlob)
 
 	if err := json.Unmarshal(manifestBlob, &d.schema); err != nil {
@@ -400,7 +406,14 @@ func (d *ostreeImageDestination) PutManifest(ctx context.Context, manifestBlob [
 	return ioutil.WriteFile(manifestPath, manifestBlob, 0644)
 }
 
-func (d *ostreeImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
+// PutSignatures writes signatures to the destination.
+// The instanceDigest value is expected to always be nil, because this transport does not support manifest lists, so
+// there can be no secondary manifests.
+func (d *ostreeImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil {
+		return errors.New(`Manifest lists are not supported by "ostree:"`)
+	}
+
 	path := filepath.Join(d.tmpDirPath, d.ref.signaturePath(0))
 	if err := ensureParentDirectoryExists(path); err != nil {
 		return err
@@ -416,7 +429,7 @@ func (d *ostreeImageDestination) PutSignatures(ctx context.Context, signatures [
 	return nil
 }
 
-func (d *ostreeImageDestination) Commit(ctx context.Context) error {
+func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
 

vendor/github.com/containers/image/v5/ostree/ostree_src.go

@@ -13,8 +13,8 @@ import (
 	"strings"
 	"unsafe"
 
-	"github.com/containers/image/manifest"
-	"github.com/containers/image/types"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/klauspost/pgzip"
 	digest "github.com/opencontainers/go-digest"
@@ -59,9 +59,15 @@ func (s *ostreeImageSource) Close() error {
 	return nil
 }
 
-func (s *ostreeImageSource) getLayerSize(blob string) (int64, error) {
+func (s *ostreeImageSource) getBlobUncompressedSize(blob string, isCompressed bool) (int64, error) {
+	var metadataKey string
+	if isCompressed {
+		metadataKey = "docker.uncompressed_size"
+	} else {
+		metadataKey = "docker.size"
+	}
 	b := fmt.Sprintf("ociimage/%s", blob)
-	found, data, err := readMetadata(s.repo, b, "docker.size")
+	found, data, err := readMetadata(s.repo, b, metadataKey)
 	if err != nil || !found {
 		return 0, err
 	}
@@ -92,9 +98,11 @@ func (s *ostreeImageSource) getTarSplitData(blob string) ([]byte, error) {
 
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as the primary manifest can not be a list, so there can be non-default instances.
 func (s *ostreeImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
-		return nil, "", errors.Errorf(`Manifest lists are not supported by "ostree:"`)
+		return nil, "", errors.New(`Manifest lists are not supported by "ostree:"`)
 	}
 	if s.repo == nil {
 		repo, err := openRepo(s.ref.repo)
@@ -269,14 +277,14 @@ func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
 
 	// Ensure s.compressed is initialized.  It is build by LayerInfosForCopy.
 	if s.compressed == nil {
-		_, err := s.LayerInfosForCopy(ctx)
+		_, err := s.LayerInfosForCopy(ctx, nil)
 		if err != nil {
 			return nil, -1, err
 		}
 
 	}
-	compressedBlob, found := s.compressed[info.Digest]
-	if found {
+	compressedBlob, isCompressed := s.compressed[info.Digest]
+	if isCompressed {
 		blob = compressedBlob.Hex()
 	}
 	branch := fmt.Sprintf("ociimage/%s", blob)
@@ -289,7 +297,7 @@ func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
 		s.repo = repo
 	}
 
-	layerSize, err := s.getLayerSize(blob)
+	layerSize, err := s.getBlobUncompressedSize(blob, isCompressed)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -331,9 +339,12 @@ func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
 	return rc, layerSize, nil
 }
 
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as there can be no secondary manifests.
 func (s *ostreeImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
 	if instanceDigest != nil {
-		return nil, errors.New("manifest lists are not supported by this transport")
+		return nil, errors.New(`Manifest lists are not supported by "ostree:"`)
 	}
 	lenSignatures, err := s.getLenSignatures()
 	if err != nil {
@@ -366,9 +377,18 @@ func (s *ostreeImageSource) GetSignatures(ctx context.Context, instanceDigest *d
 	return signatures, nil
 }
 
-// LayerInfosForCopy() returns the list of layer blobs that make up the root filesystem of
-// the image, after they've been decompressed.
-func (s *ostreeImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
+// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
+// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
+// to read the image's layers.
+// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
+// as the primary manifest can not be a list, so there can be secondary manifests.
+// The Digest field is guaranteed to be provided; Size may be -1.
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (s *ostreeImageSource) LayerInfosForCopy(ctx context.Context, instanceDigest *digest.Digest) ([]types.BlobInfo, error) {
+	if instanceDigest != nil {
+		return nil, errors.New(`Manifest lists are not supported by "ostree:"`)
+	}
+
 	updatedBlobInfos := []types.BlobInfo{}
 	manifestBlob, manifestType, err := s.GetManifest(ctx, nil)
 	if err != nil {