Release 1.5.2

Includes a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh .

- use fedora:latest in contrib/skopeoimage/*/Dockerfile
- Fix test bug that prevented useful diagnostics on registry fail
- proxy: Add an API to fetch the config upconverted to OCI
- proxy: Add support for manifest lists
- proxy: Uncapitalize all errors
- Cirrus: Bump Fedora to release 35 & Ubuntu to 21.10
- Update to c/image v5.17.0

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

.cirrus.yml

@@ -23,12 +23,12 @@ env:
     ####
     #### Cache-image names to test with (double-quotes around names are critical)
     ####
-    FEDORA_NAME: "fedora-34"
-    PRIOR_FEDORA_NAME: "fedora-33"
-    UBUNTU_NAME: "ubuntu-2104"
+    FEDORA_NAME: "fedora-35"
+    PRIOR_FEDORA_NAME: "fedora-34"
+    UBUNTU_NAME: "ubuntu-2110"
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c6431352024203264"
+    IMAGE_SUFFIX: "c6226133906620416"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"

cmd/skopeo/proxy.go

@@ -83,9 +83,11 @@ import (
 
 // protocolVersion is semantic version of the protocol used by this proxy.
 // The first version of the protocol has major version 0.2 to signify a
-// departure from the original code which used HTTP.  The minor version is 1
-// instead of 0 to help exercise semver parsers.
-const protocolVersion = "0.2.1"
+// departure from the original code which used HTTP.
+//
+// 0.2.1: Initial version
+// 0.2.2: Added support for fetching image configuration as OCI
+const protocolVersion = "0.2.2"
 
 // maxMsgSize is the current limit on a packet size.
 // Note that all non-metadata (i.e. payload data) is sent over a pipe.
@@ -141,9 +143,9 @@ type activePipe struct {
 // openImage is an opened image reference
 type openImage struct {
 	// id is an opaque integer handle
-	id  uint32
-	src types.ImageSource
-	img types.Image
+	id        uint32
+	src       types.ImageSource
+	cachedimg types.Image
 }
 
 // proxyHandler is the state associated with our socket.
@@ -199,14 +201,14 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	var ret replyBuf
 
 	if h.sysctx == nil {
-		return ret, fmt.Errorf("Must invoke Initialize")
+		return ret, fmt.Errorf("client error: must invoke Initialize")
 	}
 	if len(args) != 1 {
 		return ret, fmt.Errorf("invalid request, expecting one argument")
 	}
 	imageref, ok := args[0].(string)
 	if !ok {
-		return ret, fmt.Errorf("Expecting string imageref, not %T", args[0])
+		return ret, fmt.Errorf("expecting string imageref, not %T", args[0])
 	}
 
 	imgRef, err := alltransports.ParseImageName(imageref)
@@ -217,16 +219,11 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	if err != nil {
 		return ret, err
 	}
-	img, err := image.FromUnparsedImage(context.Background(), h.sysctx, image.UnparsedInstance(imgsrc, nil))
-	if err != nil {
-		return ret, fmt.Errorf("failed to load image: %w", err)
-	}
 
 	h.imageSerial++
 	openimg := &openImage{
 		id:  h.imageSerial,
 		src: imgsrc,
-		img: img,
 	}
 	h.images[openimg.id] = openimg
 	ret.value = openimg.id
@@ -240,7 +237,7 @@ func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
 	var ret replyBuf
 
 	if h.sysctx == nil {
-		return ret, fmt.Errorf("Must invoke Initialize")
+		return ret, fmt.Errorf("client error: must invoke Initialize")
 	}
 	if len(args) != 1 {
 		return ret, fmt.Errorf("invalid request, expecting one argument")
@@ -258,7 +255,7 @@ func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
 func parseImageID(v interface{}) (uint32, error) {
 	imgidf, ok := v.(float64)
 	if !ok {
-		return 0, fmt.Errorf("Expecting integer imageid, not %T", v)
+		return 0, fmt.Errorf("expecting integer imageid, not %T", v)
 	}
 	return uint32(imgidf), nil
 }
@@ -267,10 +264,10 @@ func parseImageID(v interface{}) (uint32, error) {
 func parseUint64(v interface{}) (uint64, error) {
 	f, ok := v.(float64)
 	if !ok {
-		return 0, fmt.Errorf("Expecting numeric, not %T", v)
+		return 0, fmt.Errorf("expecting numeric, not %T", v)
 	}
 	if f > maxJSONFloat {
-		return 0, fmt.Errorf("Out of range integer for numeric %f", f)
+		return 0, fmt.Errorf("out of range integer for numeric %f", f)
 	}
 	return uint64(f), nil
 }
@@ -282,7 +279,7 @@ func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
 	}
 	imgref, ok := h.images[imgid]
 	if !ok {
-		return nil, fmt.Errorf("No image %v", imgid)
+		return nil, fmt.Errorf("no image %v", imgid)
 	}
 	return imgref, nil
 }
@@ -300,7 +297,70 @@ func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {
 	return piper, &f, nil
 }
 
+// returnBytes generates a return pipe() from a byte array
+// In the future it might be nicer to return this via memfd_create()
+func (h *proxyHandler) returnBytes(retval interface{}, buf []byte) (replyBuf, error) {
+	var ret replyBuf
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		_, err = io.Copy(f.w, bytes.NewReader(buf))
+		if err != nil {
+			f.err = err
+		}
+	}()
+
+	ret.value = retval
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// cacheTargetManifest is invoked when GetManifest or GetConfig is invoked
+// the first time for a given image.  If the requested image is a manifest
+// list, this function resolves it to the image matching the calling process'
+// operating system and architecture.
+//
+// TODO: Add GetRawManifest or so that exposes manifest lists
+func (h *proxyHandler) cacheTargetManifest(img *openImage) error {
+	ctx := context.Background()
+	if img.cachedimg != nil {
+		return nil
+	}
+	unparsedToplevel := image.UnparsedInstance(img.src, nil)
+	mfest, manifestType, err := unparsedToplevel.Manifest(ctx)
+	if err != nil {
+		return err
+	}
+	var target *image.UnparsedImage
+	if manifest.MIMETypeIsMultiImage(manifestType) {
+		manifestList, err := manifest.ListFromBlob(mfest, manifestType)
+		if err != nil {
+			return err
+		}
+		instanceDigest, err := manifestList.ChooseInstance(h.sysctx)
+		if err != nil {
+			return err
+		}
+		target = image.UnparsedInstance(img.src, &instanceDigest)
+	} else {
+		target = unparsedToplevel
+	}
+	cachedimg, err := image.FromUnparsedImage(ctx, h.sysctx, target)
+	if err != nil {
+		return err
+	}
+	img.cachedimg = cachedimg
+	return nil
+}
+
 // GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
+// Manifest lists are resolved to the current operating system and architecture.
 func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
@@ -308,7 +368,7 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 	var ret replyBuf
 
 	if h.sysctx == nil {
-		return ret, fmt.Errorf("Must invoke Initialize")
+		return ret, fmt.Errorf("client error: must invoke Initialize")
 	}
 	if len(args) != 1 {
 		return ret, fmt.Errorf("invalid request, expecting one argument")
@@ -318,11 +378,18 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 		return ret, err
 	}
 
-	ctx := context.TODO()
-	rawManifest, manifestType, err := imgref.img.Manifest(ctx)
+	err = h.cacheTargetManifest(imgref)
 	if err != nil {
 		return ret, err
 	}
+	img := imgref.cachedimg
+
+	ctx := context.Background()
+	rawManifest, manifestType, err := img.Manifest(ctx)
+	if err != nil {
+		return ret, err
+	}
+
 	// We only support OCI and docker2schema2.  We know docker2schema2 can be easily+cheaply
 	// converted into OCI, so consumers only need to see OCI.
 	switch manifestType {
@@ -330,9 +397,9 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 		break
 	// Explicitly reject e.g. docker schema 1 type with a "legacy" note
 	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
-		return ret, fmt.Errorf("Unsupported legacy manifest MIME type: %s", manifestType)
+		return ret, fmt.Errorf("unsupported legacy manifest MIME type: %s", manifestType)
 	default:
-		return ret, fmt.Errorf("Unsupported manifest MIME type: %s", manifestType)
+		return ret, fmt.Errorf("unsupported manifest MIME type: %s", manifestType)
 	}
 
 	// We always return the original digest, as that's what clients need to do pull-by-digest
@@ -347,7 +414,7 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 	// docker schema and MIME types.
 	if manifestType != imgspecv1.MediaTypeImageManifest {
 		manifestUpdates := types.ManifestUpdateOptions{ManifestMIMEType: imgspecv1.MediaTypeImageManifest}
-		ociImage, err := imgref.img.UpdatedImage(ctx, manifestUpdates)
+		ociImage, err := img.UpdatedImage(ctx, manifestUpdates)
 		if err != nil {
 			return ret, err
 		}
@@ -360,24 +427,43 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
 	} else {
 		serialized = rawManifest
 	}
-	piper, f, err := h.allocPipe()
+	return h.returnBytes(digest, serialized)
+}
+
+// GetConfig returns a copy of the image configuration, converted to OCI format.
+func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
 	if err != nil {
 		return ret, err
 	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
 
-	go func() {
-		// Signal completion when we return
-		defer f.wg.Done()
-		_, err = io.Copy(f.w, bytes.NewReader(serialized))
-		if err != nil {
-			f.err = err
-		}
-	}()
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config.Config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
 
-	ret.value = digest.String()
-	ret.fd = piper
-	ret.pipeid = uint32(f.w.Fd())
-	return ret, nil
 }
 
 // GetBlob fetches a blob, performing digest verification.
@@ -388,7 +474,7 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
 	var ret replyBuf
 
 	if h.sysctx == nil {
-		return ret, fmt.Errorf("Must invoke Initialize")
+		return ret, fmt.Errorf("client error: must invoke Initialize")
 	}
 	if len(args) != 3 {
 		return ret, fmt.Errorf("found %d args, expecting (imgid, digest, size)", len(args))
@@ -431,7 +517,7 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
 			return
 		}
 		if n != int64(size) {
-			f.err = fmt.Errorf("Expected %d bytes in blob, got %d", size, n)
+			f.err = fmt.Errorf("expected %d bytes in blob, got %d", size, n)
 		}
 		if !verifier.Verified() {
 			f.err = fmt.Errorf("corrupted blob, expecting %s", d.String())
@@ -451,11 +537,11 @@ func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
 
 	var ret replyBuf
 
-	pipeidf, ok := args[0].(float64)
-	if !ok {
-		return ret, fmt.Errorf("finishpipe: expecting pipeid, not %T", args[0])
+	pipeidv, err := parseUint64(args[0])
+	if err != nil {
+		return ret, err
 	}
-	pipeid := uint32(pipeidf)
+	pipeid := uint32(pipeidv)
 
 	f, ok := h.activePipes[pipeid]
 	if !ok {
@@ -467,7 +553,7 @@ func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
 	// And only now do we close the write half; this forces the client to call this API
 	f.w.Close()
 	// Propagate any errors from the goroutine worker
-	err := f.err
+	err = f.err
 	delete(h.activePipes, pipeid)
 	return ret, err
 }
@@ -551,6 +637,8 @@ func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool,
 		rb, err = h.CloseImage(req.Args)
 	case "GetManifest":
 		rb, err = h.GetManifest(req.Args)
+	case "GetConfig":
+		rb, err = h.GetConfig(req.Args)
 	case "GetBlob":
 		rb, err = h.GetBlob(req.Args)
 	case "FinishPipe":

contrib/cirrus/runner.sh

@@ -58,10 +58,6 @@ _run_setup() {
         return
     fi
 
-    # This is required as part of the standard Fedora GCE VM setup
-    growpart /dev/sda 1
-    resize2fs /dev/sda1
-
     # VM's come with the distro. skopeo package pre-installed
     dnf erase -y skopeo
 

contrib/skopeoimage/stable/Dockerfile

@@ -6,7 +6,7 @@
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
-FROM registry.fedoraproject.org/fedora:33
+FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
 # directories used by yum that are just taking

contrib/skopeoimage/testing/Dockerfile

@@ -7,7 +7,7 @@
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
-FROM registry.fedoraproject.org/fedora:33
+FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
 # directories used by yum that are just taking

contrib/skopeoimage/upstream/Dockerfile

@@ -6,7 +6,7 @@
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
-FROM registry.fedoraproject.org/fedora:33
+FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
 # directories used by yum that are just taking

go.mod

@@ -4,10 +4,10 @@ go 1.12
 
 require (
 	github.com/containers/common v0.46.1-0.20211026130826-7abfd453c86f
-	github.com/containers/image/v5 v5.16.2-0.20211021181114-25411654075f
+	github.com/containers/image/v5 v5.17.0
 	github.com/containers/ocicrypt v1.1.2
 	github.com/containers/storage v1.37.0
-	github.com/docker/docker v20.10.10+incompatible
+	github.com/docker/docker v20.10.11+incompatible
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2-0.20210819154149-5ad6f50d6283

go.sum

@@ -228,8 +228,8 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD
 github.com/containers/common v0.46.1-0.20211026130826-7abfd453c86f h1:jFFIV8QvsPgwkJHh3tjfREFRwSeMq5M8lt8vklkZaOk=
 github.com/containers/common v0.46.1-0.20211026130826-7abfd453c86f/go.mod h1:pVvmLTLCOZE300e4rex/QDmpnRmEM/5aZ/YfCkkjgZo=
 github.com/containers/image/v5 v5.16.1/go.mod h1:mCvIFdzyyP1B0NBcZ80OIuaYqFn/OpFpaOMOMn1kU2M=
-github.com/containers/image/v5 v5.16.2-0.20211021181114-25411654075f h1:gqeQG8jumo9u6TmyUPrSCuflSjkQX+zFa5bRJAZYz2g=
-github.com/containers/image/v5 v5.16.2-0.20211021181114-25411654075f/go.mod h1:ERFkrXC5lLXov65ia/NiKBKfEeHgiItB9bQz6fReQ7g=
+github.com/containers/image/v5 v5.17.0 h1:KS5pro80CCsSp5qDBTMmSAWQo+xcBX19zUPExmYX2OQ=
+github.com/containers/image/v5 v5.17.0/go.mod h1:GnYVusVRFPMMTAAUkrcS8NNSpBp8oyrjOUe04AAmRr4=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
@@ -279,9 +279,9 @@ github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.8+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.10+incompatible h1:GKkP0T7U4ks6X3lmmHKC2QDprnpRJor2Z5a8m62R9ZM=
 github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.11+incompatible h1:OqzI/g/W54LczvhnccGqniFoQghHx3pklbLuhfXpqGo=
+github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -536,6 +536,7 @@ github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/manifoldco/promptui v0.8.0/go.mod h1:n4zTdgP0vr0S3w7/O/g98U+e0gwLScEXGwov2nIKuGQ=
+github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=

integration/procutils.go

@@ -0,0 +1,12 @@
+//go:build !linux
+// +build !linux
+
+package main
+
+import (
+	"os/exec"
+)
+
+// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux)
+func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
+}

integration/procutils_linux.go

@@ -0,0 +1,14 @@
+package main
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+// cmdLifecyleToParentIfPossible is a thin wrapper around prctl(PR_SET_PDEATHSIG)
+// on Linux.
+func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
+	c.SysProcAttr = &syscall.SysProcAttr{
+		Pdeathsig: syscall.SIGTERM,
+	}
+}

integration/proxy_test.go

@@ -0,0 +1,288 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/containers/image/v5/manifest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// This image is known to be x86_64 only right now
+const knownNotManifestListedImage_x8664 = "docker://quay.io/coreos/11bot"
+
+const expectedProxySemverMajor = "0.2"
+
+// request is copied from proxy.go
+// We intentionally copy to ensure that we catch any unexpected "API" changes
+// in the JSON.
+type request struct {
+	// Method is the name of the function
+	Method string `json:"method"`
+	// Args is the arguments (parsed inside the fuction)
+	Args []interface{} `json:"args"`
+}
+
+// reply is copied from proxy.go
+type reply struct {
+	// Success is true if and only if the call succeeded.
+	Success bool `json:"success"`
+	// Value is an arbitrary value (or values, as array/map) returned from the call.
+	Value interface{} `json:"value"`
+	// PipeID is an index into open pipes, and should be passed to FinishPipe
+	PipeID uint32 `json:"pipeid"`
+	// Error should be non-empty if Success == false
+	Error string `json:"error"`
+}
+
+// maxMsgSize is also copied from proxy.go
+const maxMsgSize = 32 * 1024
+
+type proxy struct {
+	c *net.UnixConn
+}
+
+type pipefd struct {
+	// id is the remote identifier "pipeid"
+	id uint
+	fd *os.File
+}
+
+func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
+	req := request{
+		Method: method,
+		Args:   args,
+	}
+	reqbuf, err := json.Marshal(&req)
+	if err != nil {
+		return
+	}
+	n, err := self.c.Write(reqbuf)
+	if err != nil {
+		return
+	}
+	if n != len(reqbuf) {
+		err = fmt.Errorf("short write during call of %d bytes", n)
+		return
+	}
+	oob := make([]byte, syscall.CmsgSpace(1))
+	replybuf := make([]byte, maxMsgSize)
+	n, oobn, _, _, err := self.c.ReadMsgUnix(replybuf, oob)
+	if err != nil {
+		err = fmt.Errorf("reading reply: %v", err)
+		return
+	}
+	var reply reply
+	err = json.Unmarshal(replybuf[0:n], &reply)
+	if err != nil {
+		err = fmt.Errorf("Failed to parse reply: %w", err)
+		return
+	}
+	if !reply.Success {
+		err = fmt.Errorf("remote error: %s", reply.Error)
+		return
+	}
+
+	if reply.PipeID > 0 {
+		var scms []syscall.SocketControlMessage
+		scms, err = syscall.ParseSocketControlMessage(oob[:oobn])
+		if err != nil {
+			err = fmt.Errorf("failed to parse control message: %v", err)
+			return
+		}
+		if len(scms) != 1 {
+			err = fmt.Errorf("Expected 1 received fd, found %d", len(scms))
+			return
+		}
+		var fds []int
+		fds, err = syscall.ParseUnixRights(&scms[0])
+		if err != nil {
+			err = fmt.Errorf("failed to parse unix rights: %v", err)
+			return
+		}
+		fd = &pipefd{
+			fd: os.NewFile(uintptr(fds[0]), "replyfd"),
+			id: uint(reply.PipeID),
+		}
+	}
+
+	rval = reply.Value
+	return
+}
+
+func (self *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
+	var fd *pipefd
+	rval, fd, err = self.call(method, args)
+	if err != nil {
+		return
+	}
+	if fd != nil {
+		err = fmt.Errorf("Unexpected fd from method %s", method)
+		return
+	}
+	return rval, nil
+}
+
+func (self *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
+	var fd *pipefd
+	rval, fd, err = self.call(method, args)
+	if err != nil {
+		return
+	}
+	if fd == nil {
+		err = fmt.Errorf("Expected fd from method %s", method)
+		return
+	}
+	fetchchan := make(chan byteFetch)
+	go func() {
+		manifestBytes, err := ioutil.ReadAll(fd.fd)
+		fetchchan <- byteFetch{
+			content: manifestBytes,
+			err:     err,
+		}
+	}()
+	_, err = self.callNoFd("FinishPipe", []interface{}{fd.id})
+	if err != nil {
+		return
+	}
+	select {
+	case fetchRes := <-fetchchan:
+		err = fetchRes.err
+		if err != nil {
+			return
+		}
+
+		buf = fetchRes.content
+	case <-time.After(5 * time.Minute):
+		err = fmt.Errorf("timed out during proxy fetch")
+	}
+	return
+}
+
+func newProxy() (*proxy, error) {
+	fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_SEQPACKET, 0)
+	if err != nil {
+		return nil, err
+	}
+	myfd := os.NewFile(uintptr(fds[0]), "myfd")
+	defer myfd.Close()
+	theirfd := os.NewFile(uintptr(fds[1]), "theirfd")
+	defer theirfd.Close()
+
+	mysock, err := net.FileConn(myfd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Note ExtraFiles starts at 3
+	proc := exec.Command("skopeo", "experimental-image-proxy", "--sockfd", "3")
+	proc.Stderr = os.Stderr
+	cmdLifecycleToParentIfPossible(proc)
+	proc.ExtraFiles = append(proc.ExtraFiles, theirfd)
+
+	if err = proc.Start(); err != nil {
+		return nil, err
+	}
+
+	p := &proxy{
+		c: mysock.(*net.UnixConn),
+	}
+
+	v, err := p.callNoFd("Initialize", nil)
+	if err != nil {
+		return nil, err
+	}
+	semver, ok := v.(string)
+	if !ok {
+		return nil, fmt.Errorf("proxy Initialize: Unexpected value %T", v)
+	}
+	if !strings.HasPrefix(semver, expectedProxySemverMajor) {
+		return nil, fmt.Errorf("Unexpected semver %s", semver)
+	}
+	return p, nil
+}
+
+func init() {
+	check.Suite(&ProxySuite{})
+}
+
+type ProxySuite struct {
+}
+
+func (s *ProxySuite) SetUpSuite(c *check.C) {
+}
+
+func (s *ProxySuite) TearDownSuite(c *check.C) {
+}
+
+type byteFetch struct {
+	content []byte
+	err     error
+}
+
+func runTestGetManifestAndConfig(p *proxy, img string) error {
+	v, err := p.callNoFd("OpenImage", []interface{}{knownNotManifestListedImage_x8664})
+	if err != nil {
+		return err
+	}
+
+	imgidv, ok := v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImage return value is %T", v)
+	}
+	imgid := uint32(imgidv)
+
+	v, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+	_, err = manifest.OCI1FromManifest(manifestBytes)
+	if err != nil {
+		return err
+	}
+
+	v, configBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+	var config imgspecv1.ImageConfig
+	err = json.Unmarshal(configBytes, &config)
+	if err != nil {
+		return err
+	}
+
+	// Validate that the config seems sane
+	if len(config.Cmd) == 0 && len(config.Entrypoint) == 0 {
+		return fmt.Errorf("No CMD or ENTRYPOINT set")
+	}
+
+	_, err = p.callNoFd("CloseImage", []interface{}{imgid})
+
+	return nil
+}
+
+func (s *ProxySuite) TestProxy(c *check.C) {
+	p, err := newProxy()
+	c.Assert(err, check.IsNil)
+
+	err = runTestGetManifestAndConfig(p, knownNotManifestListedImage_x8664)
+	if err != nil {
+		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImage_x8664, err)
+	}
+	c.Assert(err, check.IsNil)
+
+	err = runTestGetManifestAndConfig(p, knownListImage)
+	if err != nil {
+		err = fmt.Errorf("Testing image %s: %v", knownListImage, err)
+	}
+	c.Assert(err, check.IsNil)
+}

systemtest/helpers.bash

@@ -356,7 +356,7 @@ start_registry() {
             return
         fi
 
-        timeout=$(expr $timeout - 1)
+        timeout=$(( timeout - 1 ))
         sleep 1
     done
     log_and_run $PODMAN logs $name

vendor/github.com/containers/image/v5/docker/docker_image_src.go

@@ -236,6 +236,9 @@ func (s *dockerImageSource) ensureManifestIsLoaded(ctx context.Context) error {
 	return nil
 }
 
+// getExternalBlob returns the reader of the first available blob URL from urls, which must not be empty.
+// This function can return nil reader when no url is supported by this function. In this case, the caller
+// should fallback to fetch the non-external blob (i.e. pull from the registry).
 func (s *dockerImageSource) getExternalBlob(ctx context.Context, urls []string) (io.ReadCloser, int64, error) {
 	var (
 		resp *http.Response
@@ -244,14 +247,17 @@ func (s *dockerImageSource) getExternalBlob(ctx context.Context, urls []string)
 	if len(urls) == 0 {
 		return nil, 0, errors.New("internal error: getExternalBlob called with no URLs")
 	}
-	for _, url := range urls {
+	for _, u := range urls {
+		if u, err := url.Parse(u); err != nil || (u.Scheme != "http" && u.Scheme != "https") {
+			continue // unsupported url. skip this url.
+		}
 		// NOTE: we must not authenticate on additional URLs as those
 		//       can be abused to leak credentials or tokens.  Please
 		//       refer to CVE-2020-15157 for more information.
-		resp, err = s.c.makeRequestToResolvedURL(ctx, http.MethodGet, url, nil, nil, -1, noAuth, nil)
+		resp, err = s.c.makeRequestToResolvedURL(ctx, http.MethodGet, u, nil, nil, -1, noAuth, nil)
 		if err == nil {
 			if resp.StatusCode != http.StatusOK {
-				err = errors.Errorf("error fetching external blob from %q: %d (%s)", url, resp.StatusCode, http.StatusText(resp.StatusCode))
+				err = errors.Errorf("error fetching external blob from %q: %d (%s)", u, resp.StatusCode, http.StatusText(resp.StatusCode))
 				logrus.Debug(err)
 				resp.Body.Close()
 				continue
@@ -259,6 +265,9 @@ func (s *dockerImageSource) getExternalBlob(ctx context.Context, urls []string)
 			break
 		}
 	}
+	if resp == nil && err == nil {
+		return nil, 0, nil // fallback to non-external blob
+	}
 	if err != nil {
 		return nil, 0, err
 	}
@@ -408,7 +417,12 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
 // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
 func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(ctx, info.URLs)
+		r, s, err := s.getExternalBlob(ctx, info.URLs)
+		if err != nil {
+			return nil, 0, err
+		} else if r != nil {
+			return r, s, nil
+		}
 	}
 
 	path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())

vendor/github.com/containers/image/v5/manifest/common.go

@@ -1,6 +1,7 @@
 package manifest
 
 import (
+	"encoding/json"
 	"fmt"
 
 	compressiontypes "github.com/containers/image/v5/pkg/compression/types"
@@ -32,6 +33,72 @@ func dupStringStringMap(m map[string]string) map[string]string {
 	return result
 }
 
+// allowedManifestFields is a bit mask of “essential” manifest fields that validateUnambiguousManifestFormat
+// can expect to be present.
+type allowedManifestFields int
+
+const (
+	allowedFieldConfig allowedManifestFields = 1 << iota
+	allowedFieldFSLayers
+	allowedFieldHistory
+	allowedFieldLayers
+	allowedFieldManifests
+	allowedFieldFirstUnusedBit // Keep this at the end!
+)
+
+// validateUnambiguousManifestFormat rejects manifests (incl. multi-arch) that look like more than
+// one kind we currently recognize, i.e. if they contain any of the known “essential” format fields
+// other than the ones the caller specifically allows.
+// expectedMIMEType is used only for diagnostics.
+// NOTE: The caller should do the non-heuristic validations (e.g. check for any specified format
+// identification/version, or other “magic numbers”) before calling this, to cleanly reject unambigous
+// data that just isn’t what was expected, as opposed to actually ambiguous data.
+func validateUnambiguousManifestFormat(manifest []byte, expectedMIMEType string,
+	allowed allowedManifestFields) error {
+	if allowed >= allowedFieldFirstUnusedBit {
+		return fmt.Errorf("internal error: invalid allowedManifestFields value %#v", allowed)
+	}
+	// Use a private type to decode, not just a map[string]interface{}, because we want
+	// to also reject case-insensitive matches (which would be used by Go when really decoding
+	// the manifest).
+	// (It is expected that as manifest formats are added or extended over time, more fields will be added
+	// here.)
+	detectedFields := struct {
+		Config    interface{} `json:"config"`
+		FSLayers  interface{} `json:"fsLayers"`
+		History   interface{} `json:"history"`
+		Layers    interface{} `json:"layers"`
+		Manifests interface{} `json:"manifests"`
+	}{}
+	if err := json.Unmarshal(manifest, &detectedFields); err != nil {
+		// The caller was supposed to already validate version numbers, so this shold not happen;
+		// let’s not bother with making this error “nice”.
+		return err
+	}
+	unexpected := []string{}
+	// Sadly this isn’t easy to automate in Go, without reflection. So, copy&paste.
+	if detectedFields.Config != nil && (allowed&allowedFieldConfig) == 0 {
+		unexpected = append(unexpected, "config")
+	}
+	if detectedFields.FSLayers != nil && (allowed&allowedFieldFSLayers) == 0 {
+		unexpected = append(unexpected, "fsLayers")
+	}
+	if detectedFields.History != nil && (allowed&allowedFieldHistory) == 0 {
+		unexpected = append(unexpected, "history")
+	}
+	if detectedFields.Layers != nil && (allowed&allowedFieldLayers) == 0 {
+		unexpected = append(unexpected, "layers")
+	}
+	if detectedFields.Manifests != nil && (allowed&allowedFieldManifests) == 0 {
+		unexpected = append(unexpected, "manifests")
+	}
+	if len(unexpected) != 0 {
+		return fmt.Errorf(`rejecting ambiguous manifest, unexpected fields %#v in supposedly %s`,
+			unexpected, expectedMIMEType)
+	}
+	return nil
+}
+
 // layerInfosToStrings converts a list of layer infos, presumably obtained from a Manifest.LayerInfos()
 // method call, into a format suitable for inclusion in a types.ImageInspectInfo structure.
 func layerInfosToStrings(infos []LayerInfo) []string {

vendor/github.com/containers/image/v5/manifest/docker_schema1.go

@@ -60,6 +60,10 @@ func Schema1FromManifest(manifest []byte) (*Schema1, error) {
 	if s1.SchemaVersion != 1 {
 		return nil, errors.Errorf("unsupported schema version %d", s1.SchemaVersion)
 	}
+	if err := validateUnambiguousManifestFormat(manifest, DockerV2Schema1SignedMediaType,
+		allowedFieldFSLayers|allowedFieldHistory); err != nil {
+		return nil, err
+	}
 	if err := s1.initialize(); err != nil {
 		return nil, err
 	}

vendor/github.com/containers/image/v5/manifest/docker_schema2.go

@@ -165,6 +165,10 @@ func Schema2FromManifest(manifest []byte) (*Schema2, error) {
 	if err := json.Unmarshal(manifest, &s2); err != nil {
 		return nil, err
 	}
+	if err := validateUnambiguousManifestFormat(manifest, DockerV2Schema2MediaType,
+		allowedFieldConfig|allowedFieldLayers); err != nil {
+		return nil, err
+	}
 	// Check manifest's and layers' media types.
 	if err := SupportedSchema2MediaType(s2.MediaType); err != nil {
 		return nil, err

vendor/github.com/containers/image/v5/manifest/docker_schema2_list.go

@@ -192,6 +192,10 @@ func Schema2ListFromManifest(manifest []byte) (*Schema2List, error) {
 	if err := json.Unmarshal(manifest, &list); err != nil {
 		return nil, errors.Wrapf(err, "unmarshaling Schema2List %q", string(manifest))
 	}
+	if err := validateUnambiguousManifestFormat(manifest, DockerV2ListMediaType,
+		allowedFieldManifests); err != nil {
+		return nil, err
+	}
 	return &list, nil
 }
 

vendor/github.com/containers/image/v5/manifest/oci.go

@@ -54,6 +54,10 @@ func OCI1FromManifest(manifest []byte) (*OCI1, error) {
 	if err := json.Unmarshal(manifest, &oci1); err != nil {
 		return nil, err
 	}
+	if err := validateUnambiguousManifestFormat(manifest, imgspecv1.MediaTypeImageIndex,
+		allowedFieldConfig|allowedFieldLayers); err != nil {
+		return nil, err
+	}
 	return &oci1, nil
 }
 

vendor/github.com/containers/image/v5/manifest/oci_index.go

@@ -202,6 +202,10 @@ func OCI1IndexFromManifest(manifest []byte) (*OCI1Index, error) {
 	if err := json.Unmarshal(manifest, &index); err != nil {
 		return nil, errors.Wrapf(err, "unmarshaling OCI1Index %q", string(manifest))
 	}
+	if err := validateUnambiguousManifestFormat(manifest, imgspecv1.MediaTypeImageIndex,
+		allowedFieldManifests); err != nil {
+		return nil, err
+	}
 	return &index, nil
 }
 

vendor/github.com/containers/image/v5/oci/layout/oci_src.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"strconv"
 
@@ -113,7 +114,12 @@ func (s *ociImageSource) HasThreadSafeGetBlob() bool {
 // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
 func (s *ociImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(ctx, info.URLs)
+		r, s, err := s.getExternalBlob(ctx, info.URLs)
+		if err != nil {
+			return nil, 0, err
+		} else if r != nil {
+			return r, s, nil
+		}
 	}
 
 	path, err := s.ref.blobPath(info.Digest, s.sharedBlobDir)
@@ -140,34 +146,44 @@ func (s *ociImageSource) GetSignatures(ctx context.Context, instanceDigest *dige
 	return [][]byte{}, nil
 }
 
+// getExternalBlob returns the reader of the first available blob URL from urls, which must not be empty.
+// This function can return nil reader when no url is supported by this function. In this case, the caller
+// should fallback to fetch the non-external blob (i.e. pull from the registry).
 func (s *ociImageSource) getExternalBlob(ctx context.Context, urls []string) (io.ReadCloser, int64, error) {
 	if len(urls) == 0 {
 		return nil, 0, errors.New("internal error: getExternalBlob called with no URLs")
 	}
 
 	errWrap := errors.New("failed fetching external blob from all urls")
-	for _, url := range urls {
-
-		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	hasSupportedURL := false
+	for _, u := range urls {
+		if u, err := url.Parse(u); err != nil || (u.Scheme != "http" && u.Scheme != "https") {
+			continue // unsupported url. skip this url.
+		}
+		hasSupportedURL = true
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
 		if err != nil {
-			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", u, err.Error())
 			continue
 		}
 
 		resp, err := s.client.Do(req)
 		if err != nil {
-			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", u, err.Error())
 			continue
 		}
 
 		if resp.StatusCode != http.StatusOK {
 			resp.Body.Close()
-			errWrap = errors.Wrapf(errWrap, "fetching %s failed, response code not 200", url)
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed, response code not 200", u)
 			continue
 		}
 
 		return resp.Body, getBlobSize(resp), nil
 	}
+	if !hasSupportedURL {
+		return nil, 0, nil // fallback to non-external blob
+	}
 
 	return nil, 0, errWrap
 }

vendor/github.com/containers/image/v5/version/version.go

@@ -6,12 +6,12 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 5
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 16
+	VersionMinor = 17
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 2
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-dev"
+	VersionDev = ""
 )
 
 // Version is the specification version that the package types support.

vendor/modules.txt

@@ -53,7 +53,7 @@ github.com/containers/common/pkg/flag
 github.com/containers/common/pkg/report
 github.com/containers/common/pkg/report/camelcase
 github.com/containers/common/pkg/retry
-# github.com/containers/image/v5 v5.16.2-0.20211021181114-25411654075f
+# github.com/containers/image/v5 v5.17.0
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
 github.com/containers/image/v5/directory/explicitfilepath
@@ -177,7 +177,7 @@ github.com/docker/distribution/registry/client/auth/challenge
 github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
-# github.com/docker/docker v20.10.10+incompatible
+# github.com/docker/docker v20.10.11+incompatible
 github.com/docker/docker/api
 github.com/docker/docker/api/types
 github.com/docker/docker/api/types/blkiodev

version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "1.5.1"
+const Version = "1.5.2"