Hello community,

here is the log from the commit of package libcontainers-common for 
openSUSE:Factory checked in at 2019-08-07 13:59:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcontainers-common (Old)
 and      /work/SRC/openSUSE:Factory/.libcontainers-common.new.9556 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcontainers-common"

Wed Aug  7 13:59:15 2019 rev:17 rq:720584 version:20190802

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/libcontainers-common/libcontainers-common.changes    
    2019-07-22 12:17:11.943714934 +0200
+++ 
/work/SRC/openSUSE:Factory/.libcontainers-common.new.9556/libcontainers-common.changes
      2019-08-07 13:59:17.304854264 +0200
@@ -1,0 +2,54 @@
+Fri Aug  2 09:46:10 UTC 2019 - Sascha Grunert <[email protected]>
+
+- Update to image v3.0.0
+  - Add "Env" to ImageInspectInfo
+  - Add API function TryUpdatingCache
+  - Add ability to install man pages
+  - Add user registry auth to kernel keyring
+  - Fix policy.json.md -> containers-policy.json.5.md references
+  - Fix typo in docs/containers-registries.conf.5.md
+  - Remove pkg/sysregistries
+  - Touch up transport man page
+  - Try harder in storageImageDestination.TryReusingBlob
+  - Use the same HTTP client for contacting the bearer token server and the
+    registry
+  - ci: change GOCACHE to a writeable path
+  - config.go: improve debug message
+  - config.go: log where credentials come from
+  - docker client: error if registry is blocked
+  - docker: allow deleting OCI images
+  - docker: delete: support all MIME types
+  - ostree: default is no OStree support
+  - ostree: improve error message
+  - progress bar: use spinners for unknown blob sizes
+  - use 'containers_image_ostree' as build tag
+  - use keyring when authfile empty
+- Update to storage v1.12.16
+  - Add cirrus vendor check
+  - Add storage options to IgnoreChownErrors
+  - Add support for UID as well as UserName in /etc/subuid files.
+  - Add support for ignoreChownErrors to vfs
+  - Add support for installing man pages
+  - Fix cross-compilation
+  - Keep track of the UIDs and GIDs used in applied layers
+  - Move lockfiles to their own package
+  - Remove merged directory when it is unmounted
+  - Switch to go modules
+  - Switch to golangci-lint
+  - Update generated files
+  - Use same variable name on both commands
+  - cirrus: ubuntu: try removing cryptsetup-initramfs
+  - compression: add support for the zstd algorithm
+  - getLockfile(): use the absolute path
+  - loadMounts(): reset counts before merging just-loaded data
+  - lockfile: don't bother releasing a lock when closing a file
+  - locking test updates
+  - locking: take read locks on read-only stores
+  - make local-cross more reliable for CI
+  - overlay: cache the results of supported/using-metacopy/use-naive-diff
+    feature tests
+  - overlay: fix small piece of repeated work
+  - utils: fix check for missing conf file
+  - zstd: use github.com/klauspost/compress directly
+
+-------------------------------------------------------------------

Old:
----
  image-2.0.0.tar.xz
  storage-1.12.13.tar.xz

New:
----
  image-3.0.0.tar.xz
  storage-1.12.16.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libcontainers-common.spec ++++++
--- /var/tmp/diff_new_pack.oCG4an/_old  2019-08-07 13:59:17.976854256 +0200
+++ /var/tmp/diff_new_pack.oCG4an/_new  2019-08-07 13:59:17.976854256 +0200
@@ -19,13 +19,13 @@
 %define libpodver 1.4.4
 
 # storagever - version from containers/storage
-%define storagever 1.12.13
+%define storagever 1.12.16
 
 # imagever - version from containers/image
-%define imagever 2.0.0
+%define imagever 3.0.0
 
 Name:           libcontainers-common
-Version:        20190401
+Version:        20190802
 Release:        0
 Summary:        Configuration files common to github.com/containers
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.oCG4an/_old  2019-08-07 13:59:18.032854255 +0200
+++ /var/tmp/diff_new_pack.oCG4an/_new  2019-08-07 13:59:18.032854255 +0200
@@ -4,16 +4,16 @@
 <param name="url">https://github.com/containers/storage.git</param>
 <param name="scm">git</param>
 <param name="filename">storage</param>
-<param name="versionformat">1.12.13</param>
-<param name="revision">v1.12.13</param>
+<param name="versionformat">1.12.16</param>
+<param name="revision">v1.12.16</param>
 </service>
 
 <service name="tar_scm" mode="disabled">
 <param name="url">https://github.com/containers/image.git</param>
 <param name="scm">git</param>
 <param name="filename">image</param>
-<param name="versionformat">2.0.0</param>
-<param name="revision">v2.0.0</param>
+<param name="versionformat">3.0.0</param>
+<param name="revision">v3.0.0</param>
 </service>
 
 <service name="tar_scm" mode="disabled">

++++++ image-2.0.0.tar.xz -> image-3.0.0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/.travis.Dockerfile 
new/image-3.0.0/.travis.Dockerfile
--- old/image-2.0.0/.travis.Dockerfile  2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/.travis.Dockerfile  2019-08-02 11:13:02.000000000 +0200
@@ -3,8 +3,8 @@
 RUN apt-get -qq update && \
     apt-get install -y sudo docker.io git make btrfs-tools libdevmapper-dev 
libgpgme-dev libostree-dev
 
-ADD https://storage.googleapis.com/golang/go1.11.1.linux-amd64.tar.gz /tmp
+ADD https://storage.googleapis.com/golang/go1.11.12.linux-amd64.tar.gz /tmp
 
-RUN tar -C /usr/local -xzf /tmp/go1.11.1.linux-amd64.tar.gz && \
-    rm /tmp/go1.11.1.linux-amd64.tar.gz && \
+RUN tar -C /usr/local -xzf /tmp/go1.11.12.linux-amd64.tar.gz && \
+    rm /tmp/go1.11.12.linux-amd64.tar.gz && \
     ln -s /usr/local/go/bin/* /usr/local/bin/
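Review bot: The Go toolchain tarball fetched by `ADD https://storage.googleapis.com/golang/go1.11.12.linux-amd64.tar.gz /tmp` is unpacked into /usr/local without an integrity check, so the CI image trusts whatever that URL serves at build time. Since the version is being changed here anyway, pin the published digest and verify it before the `tar` step, e.g. `RUN echo "<SHA256_OF_GO_TARBALL>  /tmp/go1.11.12.linux-amd64.tar.gz" | sha256sum -c -` (the hash is a placeholder; take the real value from the Go downloads page). The rest of the Dockerfile lies outside this hunk.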
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/.travis.yml new/image-3.0.0/.travis.yml
--- old/image-2.0.0/.travis.yml 2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/.travis.yml 2019-08-02 11:13:02.000000000 +0200
@@ -22,6 +22,7 @@
   -e TRAVIS_PULL_REQUEST=$TRAVIS_PULL_REQUEST -e 
TRAVIS_REPO_SLUG=$TRAVIS_REPO_SLUG
   -e TRAVIS_BRANCH=$TRAVIS_BRANCH -e TRAVIS_COMMIT=$TRAVIS_COMMIT
   -e GOPATH=/gopath -e TRASH_CACHE=/gopath/.trashcache
+  -e GOCACHE=/tmp/gocache
   -v /etc/passwd:/etc/passwd -v /etc/sudoers:/etc/sudoers -v 
/etc/sudoers.d:/etc/sudoers.d
   -v /var/run:/var/run:z -v $HOME/gopath:/gopath:Z
   -w /gopath/src/github.com/containers/image image-test bash -c 
"PATH=$PATH:/gopath/bin make cross tools .gitvalidation validate test 
test-skopeo SUDO=sudo BUILDTAGS=\"$BUILDTAGS\""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/Makefile new/image-3.0.0/Makefile
--- old/image-2.0.0/Makefile    2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/Makefile    2019-08-02 11:13:02.000000000 +0200
@@ -7,22 +7,21 @@
 SUDO =
 
 # when cross compiling _for_ a Darwin or windows host, then we must use openpgp
-BUILD_TAGS_WINDOWS_CROSS = containers_image_ostree_stub 
containers_image_openpgp
-BUILD_TAGS_DARWIN_CROSS = containers_image_ostree_stub containers_image_openpgp
-# when compiling _on_ a Darwin host, then we can link against gpgme
-BUILD_TAGS_DARWIN_NATIVE = containers_image_ostree_stub
+BUILD_TAGS_WINDOWS_CROSS = containers_image_openpgp
+BUILD_TAGS_DARWIN_CROSS = containers_image_openpgp
 
-ifeq ($(shell uname),Darwin)
-PLATFORM_BUILD_TAG = $(BUILD_TAGS_DARWIN_NATIVE)
-endif
-
-
-BUILDTAGS = btrfs_noversion libdm_no_deferred_remove $(PLATFORM_BUILD_TAG)
+BUILDTAGS = btrfs_noversion libdm_no_deferred_remove
 BUILDFLAGS := -tags "$(BUILDTAGS)"
 
 PACKAGES := $(shell go list $(BUILDFLAGS) ./... | grep -v 
github.com/containers/image/vendor)
 SOURCE_DIRS = $(shell echo $(PACKAGES) | awk 'BEGIN{FS="/"; RS=" "}{print 
$$4}' | uniq)
 
+PREFIX ?= ${DESTDIR}/usr
+MANINSTALLDIR=${PREFIX}/share/man
+GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
+MANPAGES_MD = $(wildcard docs/*.5.md)
+MANPAGES ?= $(MANPAGES_MD:%.md=%)
+
 # On macOS, (brew install gpgme) installs it within /usr/local, but 
/usr/local/include is not in the default search path.
 # Rather than hard-code this directory, use gpgme-config. Sadly that must be 
done at the top-level user
 # instead of locally in the gpgme subpackage, because cgo supports only 
pkg-config, not general shell scripts,
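Review bot: The `GOMD2MAN` fallback `echo '$(GOBIN)/go-md2man'` expands to `/go-md2man` when `GOBIN` is unset, so the `$(MANPAGES)` rule added further down would try to run a binary from the filesystem root and fail with a misleading error. Consider failing early with a clear "go-md2man not found" message when neither `command -v go-md2man` nor `GOBIN` yields a path. Separately, `PREFIX ?= ${DESTDIR}/usr` folds the staging root into the prefix; a short comment such as `# PREFIX already includes DESTDIR; do not prepend it again in install rules` would help packagers who set both variables.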
@@ -38,6 +37,17 @@
 build-internal:
        $(GPGME_ENV) go build $(BUILDFLAGS) $(PACKAGES)
 
+$(MANPAGES): %: %.md
+       $(GOMD2MAN) -in $< -out $@
+
+docs: $(MANPAGES)
+
+install-docs: docs
+       install -d -m 755 ${MANINSTALLDIR}/man5
+       install -m 644 docs/*.5 ${MANINSTALLDIR}/man5/
+
+install: install-docs
+
 cross: vendor
        GOOS=windows $(MAKE) build-internal BUILDTAGS="$(BUILDTAGS) 
$(BUILD_TAGS_WINDOWS_CROSS)"
        GOOS=darwin $(MAKE) build-internal BUILDTAGS="$(BUILDTAGS) 
$(BUILD_TAGS_DARWIN_CROSS)"
@@ -63,7 +73,7 @@
        @touch vendor
 
 clean:
-       rm -rf vendor tools.timestamp
+       rm -rf vendor tools.timestamp $(MANPAGES)
 
 test: vendor
        @$(GPGME_ENV) go test $(BUILDFLAGS) -cover $(PACKAGES)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/README.md new/image-3.0.0/README.md
--- old/image-2.0.0/README.md   2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/README.md   2019-08-02 11:13:02.000000000 +0200
@@ -62,8 +62,8 @@
 
 - `containers_image_openpgp`: Use a Golang-only OpenPGP implementation for 
signature verification instead of the default cgo/gpgme-based implementation;
 the primary downside is that creating new signatures with the Golang-only 
implementation is not supported.
-- `containers_image_ostree_stub`: Instead of importing `ostree:` transport in 
`github.com/containers/image/transports/alltransports`, use a stub which 
reports that the transport is not supported. This allows building the library 
without requiring the `libostree` development libraries. The 
`github.com/containers/image/ostree` package is completely disabled
-and impossible to import when this build tag is in use.
+- `containers_image_ostree`: Import `ostree:` transport in 
`github.com/containers/image/transports/alltransports`. This builds the library 
requiring the `libostree` development libraries. Otherwise a stub which reports 
that the transport is not supported gets used. The 
`github.com/containers/image/ostree` package is completely disabled
+and impossible to import when this build tag is not in use.
 
 ## [Contributing](CONTRIBUTING.md)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/copy/copy.go new/image-3.0.0/copy/copy.go
--- old/image-2.0.0/copy/copy.go        2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/copy/copy.go        2019-08-02 11:13:02.000000000 +0200
@@ -597,15 +597,32 @@
                prefix = prefix[:maxPrefixLen]
        }
 
-       bar := pool.AddBar(info.Size,
-               mpb.BarClearOnComplete(),
-               mpb.PrependDecorators(
-                       decor.Name(prefix),
-               ),
-               mpb.AppendDecorators(
-                       decor.OnComplete(decor.CountersKibiByte("%.1f / %.1f"), 
" "+onComplete),
-               ),
-       )
+       // Use a normal progress bar when we know the size (i.e., size > 0).
+       // Otherwise, use a spinner to indicate that something's happening.
+       var bar *mpb.Bar
+       if info.Size > 0 {
+               bar = pool.AddBar(info.Size,
+                       mpb.BarClearOnComplete(),
+                       mpb.PrependDecorators(
+                               decor.Name(prefix),
+                       ),
+                       mpb.AppendDecorators(
+                               decor.OnComplete(decor.CountersKibiByte("%.1f / 
%.1f"), " "+onComplete),
+                       ),
+               )
+       } else {
+               bar = pool.AddSpinner(info.Size,
+                       mpb.SpinnerOnLeft,
+                       mpb.BarClearOnComplete(),
+                       mpb.SpinnerStyle([]string{".", "..", "...", "....", 
""}),
+                       mpb.PrependDecorators(
+                               decor.Name(prefix),
+                       ),
+                       mpb.AppendDecorators(
+                               decor.OnComplete(decor.Name(""), " 
"+onComplete),
+                       ),
+               )
+       }
        if c.progressOutput == ioutil.Discard {
                c.Printf("Copying %s %s\n", kind, info.Digest)
        }
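Review bot: The new comment says a normal bar is used when the size is known "(i.e., size > 0)", but `if info.Size > 0` also sends a known zero-length blob down the spinner branch, and `pool.AddSpinner(info.Size, ...)` is then given a zero or negative total. If unknown sizes are represented by a negative value (not visible in this hunk), the comment would be more accurate as `// Use a spinner when the size is unknown or zero; a bar would have nothing to fill.` The enclosing function begins and ends outside the hunk.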
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docker/docker_client.go 
new/image-3.0.0/docker/docker_client.go
--- old/image-2.0.0/docker/docker_client.go     2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/docker/docker_client.go     2019-08-02 11:13:02.000000000 
+0200
@@ -254,6 +254,9 @@
                return nil, errors.Wrapf(err, "error loading registries")
        }
        if reg != nil {
+               if reg.Blocked {
+                       return nil, fmt.Errorf("registry %s is blocked in %s", 
reg.Prefix, sysregistriesv2.ConfigPath(sys))
+               }
                skipVerify = reg.Insecure
        }
        tlsClientConfig.InsecureSkipVerify = skipVerify
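Review bot: The new blocked-registry error is built with `fmt.Errorf`, while the line just above it uses `errors.Wrapf`; `return nil, errors.Errorf("registry %s is blocked in %s", reg.Prefix, sysregistriesv2.ConfigPath(sys))` would keep the error style of this function uniform. The check also has no comment, and its position before `skipVerify = reg.Insecure` matters: a line such as `// Refuse blocked registries before any TLS settings are derived from the registry entry.` would stop a later refactor from reordering it. The enclosing function starts and ends outside the hunk.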
@@ -523,11 +526,7 @@
                authReq.SetBasicAuth(c.username, c.password)
        }
        logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
-       tr := tlsclientconfig.NewTransport()
-       // TODO(runcom): insecure for now to contact the external token service
-       tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-       client := &http.Client{Transport: tr}
-       res, err := client.Do(authReq)
+       res, err := c.client.Do(authReq)
        if err != nil {
                return nil, err
        }
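Review bot: Sending the token request through `c.client.Do(authReq)` removes the unconditional `InsecureSkipVerify: true`, but the token server is now contacted with whatever TLS policy was configured for the registry, and that server may be a different host. If `c.client` carries the `tlsClientConfig` set up earlier in this file (its construction is not visible here), a registry marked insecure would still disable certificate verification for the request that carries `SetBasicAuth(c.username, c.password)`. A comment at the call would record this, e.g. `// Reuse the registry client: the token server gets the registry's TLS policy, including skip-verify if the registry is configured insecure.` The release notes should also say that token servers presenting untrusted certificates are now rejected by default; the enclosing function continues outside the hunk.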
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docker/docker_image_src.go 
new/image-3.0.0/docker/docker_image_src.go
--- old/image-2.0.0/docker/docker_image_src.go  2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/docker/docker_image_src.go  2019-08-02 11:13:02.000000000 
+0200
@@ -138,8 +138,9 @@
 
 func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest 
string) ([]byte, string, error) {
        path := fmt.Sprintf(manifestPath, reference.Path(s.ref.ref), 
tagOrDigest)
-       headers := make(map[string][]string)
-       headers["Accept"] = manifest.DefaultRequestedManifestMIMETypes
+       headers := map[string][]string{
+               "Accept": manifest.DefaultRequestedManifestMIMETypes,
+       }
        res, err := s.c.makeRequest(ctx, "GET", path, headers, nil, v2Auth, nil)
        if err != nil {
                return nil, "", err
@@ -381,11 +382,9 @@
                return err
        }
 
-       // When retrieving the digest from a registry >= 2.3 use the following 
header:
-       //   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
-       headers := make(map[string][]string)
-       headers["Accept"] = []string{manifest.DockerV2Schema2MediaType}
-
+       headers := map[string][]string{
+               "Accept": manifest.DefaultRequestedManifestMIMETypes,
+       }
        refTail, err := ref.tagOrDigest()
        if err != nil {
                return err
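Review bot: The removed comment was the only explanation of why the `Accept` header matters when the digest is looked up before deletion, and the replacement `headers` literal has none. With `manifest.DefaultRequestedManifestMIMETypes` the registry chooses which manifest representation to return, so the digest that is then used is presumably the one for that representation. A comment such as `// Accept all supported manifest types so the returned digest matches the manifest actually stored, whatever its format.` would preserve that reasoning. The enclosing function starts before and ends after this hunk.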
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docker/tarfile/src.go 
new/image-3.0.0/docker/tarfile/src.go
--- old/image-2.0.0/docker/tarfile/src.go       2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/docker/tarfile/src.go       2019-08-02 11:13:02.000000000 
+0200
@@ -15,24 +15,24 @@
        "github.com/containers/image/manifest"
        "github.com/containers/image/pkg/compression"
        "github.com/containers/image/types"
-       "github.com/opencontainers/go-digest"
+       digest "github.com/opencontainers/go-digest"
        "github.com/pkg/errors"
 )
 
 // Source is a partial implementation of types.ImageSource for reading from 
tarPath.
 type Source struct {
        tarPath              string
-       removeTarPathOnClose bool      // Remove temp file on close if true
-       cacheDataLock        sync.Once // Atomic way to ensure that 
ensureCachedDataIsPresent is only invoked once
+       removeTarPathOnClose bool // Remove temp file on close if true
        // The following data is only available after 
ensureCachedDataIsPresent() succeeds
-       cacheDataResult   error         // The return value of 
ensureCachedDataIsPresent, since it should be as safe to cache as the side 
effects
        tarManifest       *ManifestItem // nil if not available yet.
        configBytes       []byte
        configDigest      digest.Digest
        orderedDiffIDList []digest.Digest
        knownLayers       map[digest.Digest]*layerInfo
        // Other state
-       generatedManifest []byte // Private cache for GetManifest(), nil if not 
set yet.
+       generatedManifest []byte    // Private cache for GetManifest(), nil if 
not set yet.
+       cacheDataLock     sync.Once // Private state for 
ensureCachedDataIsPresent to make it concurrency-safe
+       cacheDataResult   error     // Private state for 
ensureCachedDataIsPresent
 }
 
 type layerInfo struct {
@@ -201,47 +201,50 @@
 }
 
 // ensureCachedDataIsPresent loads data necessary for any of the public 
accessors.
+// It is safe to call this from multi-threaded code.
 func (s *Source) ensureCachedDataIsPresent() error {
        s.cacheDataLock.Do(func() {
-               // Read and parse manifest.json
-               tarManifest, err := s.loadTarManifest()
-               if err != nil {
-                       s.cacheDataResult = err
-                       return
-               }
+               s.cacheDataResult = s.ensureCachedDataIsPresentPrivate()
+       })
+       return s.cacheDataResult
+}
 
-               // Check to make sure length is 1
-               if len(tarManifest) != 1 {
-                       s.cacheDataResult = errors.Errorf("Unexpected tar 
manifest.json: expected 1 item, got %d", len(tarManifest))
-                       return
-               }
+// ensureCachedDataIsPresentPrivate is a private implementation detail of 
ensureCachedDataIsPresent.
+// Call ensureCachedDataIsPresent instead.
+func (s *Source) ensureCachedDataIsPresentPrivate() error {
+       // Read and parse manifest.json
+       tarManifest, err := s.loadTarManifest()
+       if err != nil {
+               return err
+       }
 
-               // Read and parse config.
-               configBytes, err := s.readTarComponent(tarManifest[0].Config)
-               if err != nil {
-                       s.cacheDataResult = err
-                       return
-               }
-               var parsedConfig manifest.Schema2Image // There's a lot of info 
there, but we only really care about layer DiffIDs.
-               if err := json.Unmarshal(configBytes, &parsedConfig); err != 
nil {
-                       s.cacheDataResult = errors.Wrapf(err, "Error decoding 
tar config %s", tarManifest[0].Config)
-                       return
-               }
+       // Check to make sure length is 1
+       if len(tarManifest) != 1 {
+               return errors.Errorf("Unexpected tar manifest.json: expected 1 
item, got %d", len(tarManifest))
+       }
 
-               knownLayers, err := s.prepareLayerData(&tarManifest[0], 
&parsedConfig)
-               if err != nil {
-                       s.cacheDataResult = err
-                       return
-               }
+       // Read and parse config.
+       configBytes, err := s.readTarComponent(tarManifest[0].Config)
+       if err != nil {
+               return err
+       }
+       var parsedConfig manifest.Schema2Image // There's a lot of info there, 
but we only really care about layer DiffIDs.
+       if err := json.Unmarshal(configBytes, &parsedConfig); err != nil {
+               return errors.Wrapf(err, "Error decoding tar config %s", 
tarManifest[0].Config)
+       }
 
-               // Success; commit.
-               s.tarManifest = &tarManifest[0]
-               s.configBytes = configBytes
-               s.configDigest = digest.FromBytes(configBytes)
-               s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
-               s.knownLayers = knownLayers
-       })
-       return s.cacheDataResult
+       knownLayers, err := s.prepareLayerData(&tarManifest[0], &parsedConfig)
+       if err != nil {
+               return err
+       }
+
+       // Success; commit.
+       s.tarManifest = &tarManifest[0]
+       s.configBytes = configBytes
+       s.configDigest = digest.FromBytes(configBytes)
+       s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
+       s.knownLayers = knownLayers
+       return nil
 }
 
 // loadTarManifest loads and decodes the manifest.json.
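Review bot: The doc comment on `ensureCachedDataIsPresent` now promises concurrency safety but no longer says that the outcome, including an error, is cached. Because the work runs inside `s.cacheDataLock.Do`, a failure from `loadTarManifest` or `readTarComponent` is stored in `cacheDataResult` and returned on every later call without a retry. The struct field comment that used to explain this was dropped in the first hunk of this file. Suggest adding `// The first result, success or error, is kept in cacheDataResult and returned to all later callers.` to the doc comment.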
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docs/containers-registries.conf.5.md 
new/image-3.0.0/docs/containers-registries.conf.5.md
--- old/image-2.0.0/docs/containers-registries.conf.5.md        2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/docs/containers-registries.conf.5.md        2019-08-02 
11:13:02.000000000 +0200
@@ -83,7 +83,7 @@
     `internal-registry-for-example.net/bar/myimage:latest` image.
 
 `mirror`
-: An array of TOML tables specifiying (possibly-partial) mirrors for the
+: An array of TOML tables specifying (possibly-partial) mirrors for the
     `prefix`-rooted namespace.
 
     The mirrors are attempted in the specified order; the first one that can be
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docs/containers-signature.5.md 
new/image-3.0.0/docs/containers-signature.5.md
--- old/image-2.0.0/docs/containers-signature.5.md      2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/docs/containers-signature.5.md      2019-08-02 
11:13:02.000000000 +0200
@@ -48,7 +48,7 @@
 
 Consumers of container signatures SHOULD verify the cryptographic signature
 against one or more trusted public keys
-(e.g. defined in a [policy.json signature verification policy 
file](policy.json.md))
+(e.g. defined in a [policy.json signature verification policy 
file](containers-policy.json.5.md))
 before parsing or processing the JSON payload in _any_ way,
 in particular they SHOULD stop processing the container signature
 if the cryptographic signature verification fails, without even starting to 
process the JSON payload.
@@ -193,10 +193,10 @@
 (e.g. ignoring the tag value in the signature when pulling the `:latest` tag 
or when referencing an image by digest),
 or they may require `critical.identity.docker-reference` values with a 
completely different namespace to the reference used to refer to/download the 
image
 (e.g. requiring a `critical.identity.docker-reference` value which identifies 
the image as coming from a supplier when fetching it from a company-internal 
mirror of approved images).
-The software performing this verification SHOULD allow the users to define 
such a policy using the [policy.json signature verification policy file 
format](policy.json.md).
+The software performing this verification SHOULD allow the users to define 
such a policy using the [policy.json signature verification policy file 
format](containers-policy.json.5.md).
 
 The `critical.identity.docker-reference` value SHOULD contain either a tag or 
digest;
-in most cases, it SHOULD use a tag rather than a digest.  (See also the 
default [`matchRepoDigestOrExact` matching semantics in 
`policy.json`](policy.json.md#signedby).)
+in most cases, it SHOULD use a tag rather than a digest.  (See also the 
default [`matchRepoDigestOrExact` matching semantics in 
`policy.json`](containers-policy.json.5.md#signedby).)
 
 ### `optional`
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/docs/containers-transports.5.md 
new/image-3.0.0/docs/containers-transports.5.md
--- old/image-2.0.0/docs/containers-transports.5.md     2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/docs/containers-transports.5.md     2019-08-02 
11:13:02.000000000 +0200
@@ -11,7 +11,7 @@
 Tools which use the containers/image library, including skopeo(1), buildah(1), 
podman(1), all share a common syntax for referring to container images in 
various locations.
 The general form of the syntax is _transport:details_, where details are 
dependent on the specified transport, which are documented below.
 
-### **containers-storage:** 
[storage-specifier]{image-id|docker-reference[@image-id]}
+### 
**containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]}
 
 An image located in a local containers storage.
 The format of _docker-reference_ is described in detail in the **docker** 
transport.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/image/docker_schema1_test.go 
new/image-3.0.0/image/docker_schema1_test.go
--- old/image-2.0.0/image/docker_schema1_test.go        2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/image/docker_schema1_test.go        2019-08-02 
11:13:02.000000000 +0200
@@ -278,6 +278,14 @@
                                
"sha256:62e48e39dc5b30b75a97f05bccc66efbae6058b860ee20a5c9a184b9d5e25788",
                                
"sha256:e623934bca8d1a74f51014256445937714481e49343a31bda2bc5f534748184d",
                        },
+                       Env: []string{
+                               
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                               "container=oci",
+                               "KOLLA_BASE_DISTRO=rhel",
+                               "KOLLA_INSTALL_TYPE=binary",
+                               "KOLLA_INSTALL_METATYPE=rhos",
+                               "PS1=$(tput bold)($(printenv 
KOLLA_SERVICE_NAME))$(tput sgr0)[$(id -un)@$(hostname -s) $(pwd)]$ ",
+                       },
                }, *ii)
        }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/image/docker_schema2_test.go 
new/image-3.0.0/image/docker_schema2_test.go
--- old/image-2.0.0/image/docker_schema2_test.go        2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/image/docker_schema2_test.go        2019-08-02 
11:13:02.000000000 +0200
@@ -288,6 +288,14 @@
                        
"sha256:bbd6b22eb11afce63cc76f6bc41042d99f10d6024c96b655dafba930b8d25909",
                        
"sha256:960e52ecf8200cbd84e70eb2ad8678f4367e50d14357021872c10fa3fc5935fa",
                },
+               Env: []string{
+                       
"PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                       "HTTPD_PREFIX=/usr/local/apache2",
+                       "HTTPD_VERSION=2.4.23",
+                       "HTTPD_SHA1=5101be34ac4a509b245adb70a56690a84fcc4e7f",
+                       
"HTTPD_BZ2_URL=https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-2.4.23.tar.bz2";,
+                       
"HTTPD_ASC_URL=https://www.apache.org/dist/httpd/httpd-2.4.23.tar.bz2.asc";,
+               },
        }, *ii)
 
        // nil configBlob will trigger an error in m.ConfigBlob()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/image/oci_test.go 
new/image-3.0.0/image/oci_test.go
--- old/image-2.0.0/image/oci_test.go   2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/image/oci_test.go   2019-08-02 11:13:02.000000000 +0200
@@ -268,6 +268,14 @@
                        
"sha256:bbd6b22eb11afce63cc76f6bc41042d99f10d6024c96b655dafba930b8d25909",
                        
"sha256:960e52ecf8200cbd84e70eb2ad8678f4367e50d14357021872c10fa3fc5935fa",
                },
+               Env: []string{
+                       
"PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                       "HTTPD_PREFIX=/usr/local/apache2",
+                       "HTTPD_VERSION=2.4.23",
+                       "HTTPD_SHA1=5101be34ac4a509b245adb70a56690a84fcc4e7f",
+                       
"HTTPD_BZ2_URL=https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-2.4.23.tar.bz2";,
+                       
"HTTPD_ASC_URL=https://www.apache.org/dist/httpd/httpd-2.4.23.tar.bz2.asc";,
+               },
        }, *ii)
 
        // nil configBlob will trigger an error in m.ConfigBlob()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/manifest/docker_schema1.go 
new/image-3.0.0/manifest/docker_schema1.go
--- old/image-2.0.0/manifest/docker_schema1.go  2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/manifest/docker_schema1.go  2019-08-02 11:13:02.000000000 
+0200
@@ -226,6 +226,7 @@
        }
        if s1.Config != nil {
                i.Labels = s1.Config.Labels
+               i.Env = s1.Config.Env
        }
        return i, nil
 }
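Review bot: `i.Env = s1.Config.Env` copies the image's environment verbatim into the inspect result, and the same assignment is added in manifest/docker_schema2.go and manifest/oci.go. Image environments often hold credentials or tokens baked in at build time, so any caller that prints or logs the inspect info will now surface them. The field's declaration is not in this part of the diff; its doc comment should say so, e.g. `// Env is taken unmodified from the image config and may contain secrets; do not log it unredacted.` In oci.go the value is read as `d1.Config.Env` without the nil check used in the two Docker variants, which is fine only if `Config` is a struct value there, so that is worth confirming.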
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/manifest/docker_schema2.go 
new/image-3.0.0/manifest/docker_schema2.go
--- old/image-2.0.0/manifest/docker_schema2.go  2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/manifest/docker_schema2.go  2019-08-02 11:13:02.000000000 
+0200
@@ -241,6 +241,7 @@
        }
        if s2.Config != nil {
                i.Labels = s2.Config.Labels
+               i.Env = s2.Config.Env
        }
        return i, nil
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/manifest/oci.go 
new/image-3.0.0/manifest/oci.go
--- old/image-2.0.0/manifest/oci.go     2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/manifest/oci.go     2019-08-02 11:13:02.000000000 +0200
@@ -116,6 +116,7 @@
                Architecture:  v1.Architecture,
                Os:            v1.OS,
                Layers:        layerInfosToStrings(m.LayerInfos()),
+               Env:           d1.Config.Env,
        }
        return i, nil
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/ostree/ostree_dest.go 
new/image-3.0.0/ostree/ostree_dest.go
--- old/image-2.0.0/ostree/ostree_dest.go       2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/ostree/ostree_dest.go       2019-08-02 11:13:02.000000000 
+0200
@@ -1,4 +1,4 @@
-// +build !containers_image_ostree_stub
+// +build containers_image_ostree
 
 package ostree
 
@@ -218,7 +218,7 @@
                                defer C.free(unsafe.Pointer(fullpathC))
                                res, err = C.lsetfilecon_raw(fullpathC, context)
                                if int(res) < 0 {
-                                       return errors.Wrapf(err, "cannot 
setfilecon_raw %s", fullpath)
+                                       return errors.Wrapf(err, "cannot 
setfilecon_raw %s to %s", fullpath, C.GoString(context))
                                }
                        }
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/ostree/ostree_src.go 
new/image-3.0.0/ostree/ostree_src.go
--- old/image-2.0.0/ostree/ostree_src.go        2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/ostree/ostree_src.go        2019-08-02 11:13:02.000000000 
+0200
@@ -1,4 +1,4 @@
-// +build !containers_image_ostree_stub
+// +build containers_image_ostree
 
 package ostree
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/ostree/ostree_transport.go 
new/image-3.0.0/ostree/ostree_transport.go
--- old/image-2.0.0/ostree/ostree_transport.go  2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/ostree/ostree_transport.go  2019-08-02 11:13:02.000000000 
+0200
@@ -1,4 +1,4 @@
-// +build !containers_image_ostree_stub
+// +build containers_image_ostree
 
 package ostree
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/ostree/ostree_transport_test.go 
new/image-3.0.0/ostree/ostree_transport_test.go
--- old/image-2.0.0/ostree/ostree_transport_test.go     2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/ostree/ostree_transport_test.go     2019-08-02 
11:13:02.000000000 +0200
@@ -1,4 +1,4 @@
-// +build !containers_image_ostree_stub
+// +build containers_image_ostree
 
 package ostree
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/docker/config/config.go 
new/image-3.0.0/pkg/docker/config/config.go
--- old/image-2.0.0/pkg/docker/config/config.go 2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/pkg/docker/config/config.go 2019-08-02 11:13:02.000000000 
+0200
@@ -35,6 +35,8 @@
        // ErrNotLoggedIn is returned for users not logged into a registry
        // that they are trying to logout of
        ErrNotLoggedIn = errors.New("not logged in")
+       // ErrNotSupported is returned for unsupported methods
+       ErrNotSupported = errors.New("not supported")
 )
 
 // SetAuthentication stores the username and password in the auth.json file
@@ -44,6 +46,18 @@
                        return false, setAuthToCredHelper(ch, registry, 
username, password)
                }
 
+               // Set the credentials to kernel keyring if sys.AuthFile is not 
specified.
+               // The keyring might not work in all environments (e.g., 
missing capability) and isn't supported on all platforms.
+               // Hence, we want to fall-back to using the authfile in case 
the keyring failed.
+               // However, if the sys.AuthFilePath is set, we want adhere to 
the user specification and not use the keyring.
+               if sys.AuthFilePath == "" {
+                       err := setAuthToKernelKeyring(registry, username, 
password)
+                       if err == nil {
+                               logrus.Debugf("credentials for (%s, %s) were 
stored in the kernel keyring\n", registry, username)
+                               return false, nil
+                       }
+                       logrus.Debugf("failed to authenticate with the kernel 
keyring, falling back to authfiles. %v", err)
+               }
                creds := base64.StdEncoding.EncodeToString([]byte(username + 
":" + password))
                newCreds := dockerAuthConfig{Auth: creds}
                auths.AuthConfigs[registry] = newCreds
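Review bot: `sys.AuthFilePath` is read here without a nil check, while GetAuthentication in the same file guards with `sys != nil`; if SetAuthentication can be called with a nil SystemContext, this line panics. Consider `if sys == nil || sys.AuthFilePath == "" {`. The fallback message says "failed to authenticate with the kernel keyring" although the step that failed is storing the credentials, and the success message passes a trailing `\n` to `logrus.Debugf`. The enclosing function starts and ends outside this hunk.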
@@ -56,9 +70,16 @@
 // If an entry is not found empty strings are returned for the username and 
password
 func GetAuthentication(sys *types.SystemContext, registry string) (string, 
string, error) {
        if sys != nil && sys.DockerAuthConfig != nil {
+               logrus.Debug("Returning credentials from DockerAuthConfig")
                return sys.DockerAuthConfig.Username, 
sys.DockerAuthConfig.Password, nil
        }
 
+       username, password, err := getAuthFromKernelKeyring(registry)
+       if err == nil {
+               logrus.Debug("returning credentials from kernel keyring")
+               return username, password, nil
+       }
+
        dockerLegacyPath := filepath.Join(homedir.Get(), dockerLegacyHomePath)
        var paths []string
        pathToAuth, err := getPathToAuth(sys)
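Review bot: The keyring lookup runs even when `sys.AuthFilePath` is set, so a caller that names an explicit auth file can still get credentials from the keyring. SetAuthentication skips the keyring in that case, so the two paths disagree; if the same rule should apply to reads, guard the lookup with `if sys == nil || sys.AuthFilePath == "" {`. Separately, getAuthFromKernelKeyring in config_linux.go returns `"", "", nil` for a payload without a NUL separator, and this code then returns empty credentials without consulting the auth files. Changing the check to `if err == nil && username != "" {` would let that case fall through. The function body continues outside the hunk.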
@@ -76,12 +97,15 @@
                legacyFormat := path == dockerLegacyPath
                username, password, err := findAuthentication(registry, path, 
legacyFormat)
                if err != nil {
+                       logrus.Debugf("Credentials not found")
                        return "", "", err
                }
                if username != "" && password != "" {
+                       logrus.Debugf("Returning credentials from %s", path)
                        return username, password, nil
                }
        }
+       logrus.Debugf("Credentials not found")
        return "", "", nil
 }
 
@@ -93,6 +117,14 @@
                        return false, deleteAuthFromCredHelper(ch, registry)
                }
 
+               // Next try kernel keyring
+               err := deleteAuthFromKernelKeyring(registry)
+               if err == nil {
+                       logrus.Debugf("credentials for %s were deleted from the 
kernel keyring", registry)
+                       return false, nil
+               }
+               logrus.Debugf("failed to delete credentials from the kernel 
keyring, falling back to authfiles")
+
                if _, ok := auths.AuthConfigs[registry]; ok {
                        delete(auths.AuthConfigs, registry)
                } else if _, ok := 
auths.AuthConfigs[normalizeRegistry(registry)]; ok {
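Review bot: Returning `false, nil` as soon as the keyring delete succeeds skips the auth-file removal below, so an entry for the same registry in auth.json, for example from an earlier fallback write, would survive a logout. Consider recording the keyring result and continuing to the auth-file branch, reporting "not logged in" only when neither store held an entry; the rest of that branch is outside the hunk, so this needs checking against the full function. Unlike SetAuthentication, the keyring is touched here even when an explicit `sys.AuthFilePath` is given. The fallback log also drops the error: `logrus.Debugf("failed to delete credentials from the kernel keyring, falling back to authfiles: %v", err)`.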
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/docker/config/config_linux.go 
new/image-3.0.0/pkg/docker/config/config_linux.go
--- old/image-2.0.0/pkg/docker/config/config_linux.go   1970-01-01 
01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/docker/config/config_linux.go   2019-08-02 
11:13:02.000000000 +0200
@@ -0,0 +1,79 @@
+package config
+
+import (
+       "fmt"
+       "strings"
+
+       "github.com/containers/image/pkg/keyctl"
+       "github.com/pkg/errors"
+)
+
+func getAuthFromKernelKeyring(registry string) (string, string, error) {
+       userkeyring, err := keyctl.UserKeyring()
+       if err != nil {
+               return "", "", err
+       }
+       key, err := userkeyring.Search(genDescription(registry))
+       if err != nil {
+               return "", "", err
+       }
+       authData, err := key.Get()
+       if err != nil {
+               return "", "", err
+       }
+       parts := strings.SplitN(string(authData), "\x00", 2)
+       if len(parts) != 2 {
+               return "", "", nil
+       }
+       return parts[0], parts[1], nil
+}
+
+func deleteAuthFromKernelKeyring(registry string) error {
+       userkeyring, err := keyctl.UserKeyring()
+
+       if err != nil {
+               return err
+       }
+       key, err := userkeyring.Search(genDescription(registry))
+       if err != nil {
+               return err
+       }
+       return key.Unlink()
+}
+
+func setAuthToKernelKeyring(registry, username, password string) error {
+       keyring, err := keyctl.SessionKeyring()
+       if err != nil {
+               return err
+       }
+       id, err := keyring.Add(genDescription(registry), 
[]byte(fmt.Sprintf("%s\x00%s", username, password)))
+       if err != nil {
+               return err
+       }
+
+       // sets all permission(view,read,write,search,link,set attribute) for 
current user
+       // it enables the user to search the key after it linked to user 
keyring and unlinked from session keyring
+       err = keyctl.SetPerm(id, keyctl.PermUserAll)
+       if err != nil {
+               return err
+       }
+       // link the key to userKeyring
+       userKeyring, err := keyctl.UserKeyring()
+       if err != nil {
+               return errors.Wrapf(err, "error getting user keyring")
+       }
+       err = keyctl.Link(userKeyring, id)
+       if err != nil {
+               return errors.Wrapf(err, "error linking the key to user 
keyring")
+       }
+       // unlink the key from session keyring
+       err = keyctl.Unlink(keyring, id)
+       if err != nil {
+               return errors.Wrapf(err, "error unlinking the key from session 
keyring")
+       }
+       return nil
+}
+
+func genDescription(registry string) string {
+       return fmt.Sprintf("container-registry-login:%s", registry)
+}
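Review bot: If `keyctl.SetPerm` or `keyctl.Link` fails after `keyring.Add` has succeeded, setAuthToKernelKeyring returns with the key still linked in the session keyring. That key's payload is the username and password, and the caller then falls back to writing the auth file as well. Those error paths should remove the key before returning, e.g. `_ = keyctl.Unlink(keyring, id)`. The payload is split on the first NUL byte, so a username containing NUL would be read back incorrectly; rejecting such input in setAuthToKernelKeyring would keep the encoding unambiguous. None of the three functions has a doc comment; one line each stating which keyring is used and what is returned when no key exists would help.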
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/docker/config/config_unsupported.go 
new/image-3.0.0/pkg/docker/config/config_unsupported.go
--- old/image-2.0.0/pkg/docker/config/config_unsupported.go     1970-01-01 
01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/docker/config/config_unsupported.go     2019-08-02 
11:13:02.000000000 +0200
@@ -0,0 +1,16 @@
+// +build !linux
+// +build !386 !amd64
+
+package config
+
+func getAuthFromKernelKeyring(registry string) (string, string, error) {
+       return "", "", ErrNotSupported
+}
+
+func deleteAuthFromKernelKeyring(registry string) error {
+       return ErrNotSupported
+}
+
+func setAuthToKernelKeyring(registry, username, password string) error {
+       return ErrNotSupported
+}
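Review bot: The two constraint lines do not select "everything except linux on 386/amd64". Separate `// +build` lines are ANDed and the terms on one line are ORed, so `!386 !amd64` is always true and this file builds only when the OS is not linux. On linux with any other architecture, config_linux.go is therefore still chosen and imports pkg/keyctl. There, perm.go is tagged only `// +build linux` and calls `keyctl(...)`, which is defined in the 386/amd64-only sys_linux.go, so the build presumably fails. One fix is to add `// +build 386 amd64` to config_linux.go and perm.go, and to use the single line `// +build !linux !386,!amd64` here.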
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/key.go 
new/image-3.0.0/pkg/keyctl/key.go
--- old/image-2.0.0/pkg/keyctl/key.go   1970-01-01 01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/keyctl/key.go   2019-08-02 11:13:02.000000000 +0200
@@ -0,0 +1,65 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+// +build 386 amd64
+
+package keyctl
+
+import (
+       "unsafe"
+)
+
+// Key represents a single key linked to one or more kernel keyrings.
+type Key struct {
+       Name string
+
+       id, ring keyID
+       size     int
+}
+
+// ID returns the 32-bit kernel identifier for a specific key
+func (k *Key) ID() int32 {
+       return int32(k.id)
+}
+
+// Get the key's value as a byte slice
+func (k *Key) Get() ([]byte, error) {
+       var (
+               b        []byte
+               err      error
+               sizeRead int
+       )
+
+       if k.size == 0 {
+               k.size = 512
+       }
+
+       size := k.size
+
+       b = make([]byte, int(size))
+       sizeRead = size + 1
+       for sizeRead > size {
+               r1, _, err := keyctl(keyctlRead, uintptr(k.id), 
uintptr(unsafe.Pointer(&b[0])), uintptr(size))
+               if err != nil {
+                       return nil, err
+               }
+
+               if sizeRead = int(r1); sizeRead > size {
+                       b = make([]byte, sizeRead)
+                       size = sizeRead
+                       sizeRead = size + 1
+               } else {
+                       k.size = sizeRead
+               }
+       }
+       return b[:k.size], err
+}
+
+// Unlink a key from the keyring it was loaded from (or added to). If the key
+// is not linked to any other keyrings, it is destroyed.
+func (k *Key) Unlink() error {
+       _, _, err := keyctl(keyctlUnlink, uintptr(k.id), uintptr(k.ring))
+       return err
+}
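Review bot: In `Get`, the `err` declared in the `var` block is never assigned, because `r1, _, err := keyctl(...)` inside the loop declares a new, shadowing `err`. The final `return b[:k.size], err` therefore always returns nil. Dropping the outer declaration and ending with `return b[:k.size], nil` says what actually happens. The `sizeRead = size + 1` sentinel could be replaced by a plain `for { ... }` loop that returns from the branch where the read fits, and `int(size)` is a no-op conversion.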
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/keyring.go 
new/image-3.0.0/pkg/keyctl/keyring.go
--- old/image-2.0.0/pkg/keyctl/keyring.go       1970-01-01 01:00:00.000000000 
+0100
+++ new/image-3.0.0/pkg/keyctl/keyring.go       2019-08-02 11:13:02.000000000 
+0200
@@ -0,0 +1,73 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+// +build 386 amd64
+
+// Package keyctl is a Go interface to linux kernel keyrings (keyctl interface)
+package keyctl
+
+// Keyring is the basic interface to a linux keyctl keyring.
+type Keyring interface {
+       ID
+       Add(string, []byte) (*Key, error)
+       Search(string) (*Key, error)
+}
+
+type keyring struct {
+       id keyID
+}
+
+// ID is unique 32-bit serial number identifiers for all Keys and Keyrings 
have.
+type ID interface {
+       ID() int32
+}
+
+// Add a new key to a keyring. The key can be searched for later by name.
+func (kr *keyring) Add(name string, key []byte) (*Key, error) {
+       r, err := addkey("user", name, key, int32(kr.id))
+       if err == nil {
+               key := &Key{Name: name, id: keyID(r), ring: kr.id}
+               return key, nil
+       }
+       return nil, err
+}
+
+// Search for a key by name, this also searches child keyrings linked to this
+// one. The key, if found, is linked to the top keyring that Search() was 
called
+// from.
+func (kr *keyring) Search(name string) (*Key, error) {
+       id, err := searchKeyring(kr.id, name, "user")
+       if err == nil {
+               return &Key{Name: name, id: id, ring: kr.id}, nil
+       }
+       return nil, err
+}
+
+// ID returns the 32-bit kernel identifier of a keyring
+func (kr *keyring) ID() int32 {
+       return int32(kr.id)
+}
+
+// SessionKeyring returns the current login session keyring
+func SessionKeyring() (Keyring, error) {
+       return newKeyring(keySpecSessionKeyring)
+}
+
+// UserKeyring  returns the keyring specific to the current user.
+func UserKeyring() (Keyring, error) {
+       return newKeyring(keySpecUserKeyring)
+}
+
+// Unlink an object from a keyring
+func Unlink(parent Keyring, child ID) error {
+       _, _, err := keyctl(keyctlUnlink, uintptr(child.ID()), 
uintptr(parent.ID()))
+       return err
+}
+
+// Link a key into a keyring
+func Link(parent Keyring, child ID) error {
+       _, _, err := keyctl(keyctlLink, uintptr(child.ID()), 
uintptr(parent.ID()))
+       return err
+}
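Review bot: The doc comment on `Search` says a found key "is linked to the top keyring that Search() was called from", but searchKeyring in sys_linux.go passes only the keyring, type and description to the search command. The destination argument is left at zero, which as far as I can tell means no link is made. The returned `Key` still records `ring: kr.id`, so `Key.Unlink()` on a key found in a child keyring would target a keyring that does not hold it. Either pass `kr.id` as the destination or change the comment to `// The key is not linked into this keyring; Key.Unlink only works for keys linked directly to it.`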
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/keyring_test.go 
new/image-3.0.0/pkg/keyctl/keyring_test.go
--- old/image-2.0.0/pkg/keyctl/keyring_test.go  1970-01-01 01:00:00.000000000 
+0100
+++ new/image-3.0.0/pkg/keyctl/keyring_test.go  2019-08-02 11:13:02.000000000 
+0200
@@ -0,0 +1,124 @@
+// +build linux
+// +build 386 amd64
+
+package keyctl
+
+import (
+       "crypto/rand"
+       "testing"
+)
+
+func TestSessionKeyring(t *testing.T) {
+
+       token := make([]byte, 20)
+       rand.Read(token)
+
+       testname := "testname"
+       keyring, err := SessionKeyring()
+       if err != nil {
+               t.Fatal(err)
+       }
+       _, err = keyring.Add(testname, token)
+       if err != nil {
+               t.Fatal(err)
+       }
+       key, err := keyring.Search(testname)
+       if err != nil {
+               t.Fatal(err)
+       }
+       data, err := key.Get()
+       if err != nil {
+               t.Fatal(err)
+       }
+       if string(data) != string(token) {
+               t.Errorf("Expected data %v, but get %v", token, data)
+       }
+}
+
+func TestUserKeyring(t *testing.T) {
+       token := make([]byte, 20)
+       rand.Read(token)
+
+       testname := "testuser"
+
+       userKeyring, err := UserKeyring()
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       userKey, err := userKeyring.Add(testname, token)
+       if err != nil {
+               t.Fatal(err, userKey)
+       }
+
+       searchRet, err := userKeyring.Search(testname)
+       if err != nil {
+               t.Fatal(err)
+       }
+       if searchRet.Name != testname {
+               t.Errorf("Expected data %v, but get %v", testname, 
searchRet.Name)
+       }
+}
+
+func TestLink(t *testing.T) {
+       token := make([]byte, 20)
+       rand.Read(token)
+
+       testname := "testlink"
+
+       userKeyring, err := UserKeyring()
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       sessionKeyring, err := SessionKeyring()
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       key, err := sessionKeyring.Add(testname, token)
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       _, err = userKeyring.Search(testname)
+       ExpectedError := "required key not available"
+       if err.Error() != ExpectedError {
+               t.Fatal(err)
+       }
+
+       err = Link(userKeyring, key)
+       if err != nil {
+               t.Fatal(err)
+       }
+       _, err = userKeyring.Search(testname)
+       if err != nil {
+               t.Fatal(err)
+       }
+}
+
+func TestUnlink(t *testing.T) {
+       token := make([]byte, 20)
+       rand.Read(token)
+
+       testname := "testunlink"
+       keyring, err := SessionKeyring()
+       if err != nil {
+               t.Fatal(err)
+       }
+       key, err := keyring.Add(testname, token)
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       err = Unlink(keyring, key)
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       _, err = keyring.Search(testname)
+       ExpectedError := "required key not available"
+       if err.Error() != ExpectedError {
+               t.Fatal(err)
+       }
+}
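Review bot: In TestLink and TestUnlink, `err.Error()` is called on the result of a Search that is expected to fail, so the test panics with a nil dereference if the key is unexpectedly found. That is likely on a second run in the same login, because TestLink leaves "testlink" linked in the user keyring and TestUserKeyring leaves "testuser" there. Check for nil first, `if err == nil || err.Error() != ExpectedError { t.Fatalf("expected %q, got %v", ExpectedError, err) }`, and remove the keys when the test ends, e.g. `defer Unlink(userKeyring, key)`. The return value of `rand.Read` is ignored in all four tests.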
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/perm.go 
new/image-3.0.0/pkg/keyctl/perm.go
--- old/image-2.0.0/pkg/keyctl/perm.go  1970-01-01 01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/keyctl/perm.go  2019-08-02 11:13:02.000000000 +0200
@@ -0,0 +1,29 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package keyctl
+
+// KeyPerm represents in-kernel access control permission to keys and keyrings
+// as a 32-bit integer broken up into four permission sets, one per byte.
+// In MSB order, the perms are: Processor, User, Group, Other.
+type KeyPerm uint32
+
+const (
+       // PermOtherAll sets all permission for Other
+       PermOtherAll KeyPerm = 0x3f << (8 * iota)
+       // PermGroupAll sets all permission for Group
+       PermGroupAll
+       // PermUserAll sets all permission for User
+       PermUserAll
+       // PermProcessAll sets all permission for Processor
+       PermProcessAll
+)
+
+// SetPerm sets the permissions on a key or keyring.
+func SetPerm(k ID, p KeyPerm) error {
+       _, _, err := keyctl(keyctlSetPerm, uintptr(k.ID()), uintptr(p))
+       return err
+}
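Review bot: The comments name the top permission byte "Processor", but in the kernel key permission mask that byte is the possessor set. Suggested wording: `// In MSB order, the perms are: Possessor, User, Group, Other.` and `// PermProcessAll sets all permissions for the possessor`. The `SetPerm` comment should also say that the call replaces the whole mask: config_linux.go passes `PermUserAll` alone, which leaves the possessor, group and other bytes at zero.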
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/sys_linux.go 
new/image-3.0.0/pkg/keyctl/sys_linux.go
--- old/image-2.0.0/pkg/keyctl/sys_linux.go     1970-01-01 01:00:00.000000000 
+0100
+++ new/image-3.0.0/pkg/keyctl/sys_linux.go     2019-08-02 11:13:02.000000000 
+0200
@@ -0,0 +1,121 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+// +build 386 amd64
+
+package keyctl
+
+import (
+       "syscall"
+       "unsafe"
+)
+
+type keyctlCommand int
+
+type keyID int32
+
+const (
+       keySpecSessionKeyring keyID = -3
+       keySpecUserKeyring    keyID = -4
+)
+
+const (
+       keyctlGetKeyringID keyctlCommand = 0
+       keyctlSetPerm      keyctlCommand = 5
+       keyctlLink         keyctlCommand = 8
+       keyctlUnlink       keyctlCommand = 9
+       keyctlSearch       keyctlCommand = 10
+       keyctlRead         keyctlCommand = 11
+)
+
+func (id keyID) ID() int32 {
+       return int32(id)
+}
+
+func keyctl(cmd keyctlCommand, args ...uintptr) (r1 int32, r2 int32, err 
error) {
+       a := make([]uintptr, 6)
+       l := len(args)
+       if l > 5 {
+               l = 5
+       }
+       a[0] = uintptr(cmd)
+       for idx, v := range args[:l] {
+               a[idx+1] = v
+       }
+       v1, v2, errno := syscall.Syscall6(syscallKeyctl, a[0], a[1], a[2], 
a[3], a[4], a[5])
+       if errno != 0 {
+               err = errno
+               return
+       }
+
+       r1 = int32(v1)
+       r2 = int32(v2)
+       return
+}
+
+func addkey(keyType, keyDesc string, payload []byte, id int32) (int32, error) {
+       var (
+               err    error
+               errno  syscall.Errno
+               b1, b2 *byte
+               r1     uintptr
+               pptr   unsafe.Pointer
+       )
+
+       if b1, err = syscall.BytePtrFromString(keyType); err != nil {
+               return 0, err
+       }
+
+       if b2, err = syscall.BytePtrFromString(keyDesc); err != nil {
+               return 0, err
+       }
+
+       if len(payload) > 0 {
+               pptr = unsafe.Pointer(&payload[0])
+       }
+       r1, _, errno = syscall.Syscall6(syscallAddKey,
+               uintptr(unsafe.Pointer(b1)),
+               uintptr(unsafe.Pointer(b2)),
+               uintptr(pptr),
+               uintptr(len(payload)),
+               uintptr(id),
+               0)
+
+       if errno != 0 {
+               err = errno
+               return 0, err
+       }
+       return int32(r1), nil
+}
+
+func newKeyring(id keyID) (*keyring, error) {
+       r1, _, err := keyctl(keyctlGetKeyringID, uintptr(id), uintptr(1))
+       if err != nil {
+               return nil, err
+       }
+
+       if id < 0 {
+               r1 = int32(id)
+       }
+       return &keyring{id: keyID(r1)}, nil
+}
+
+func searchKeyring(id keyID, name, keyType string) (keyID, error) {
+       var (
+               r1     int32
+               b1, b2 *byte
+               err    error
+       )
+
+       if b1, err = syscall.BytePtrFromString(keyType); err != nil {
+               return 0, err
+       }
+       if b2, err = syscall.BytePtrFromString(name); err != nil {
+               return 0, err
+       }
+
+       r1, _, err = keyctl(keyctlSearch, uintptr(id), 
uintptr(unsafe.Pointer(b1)), uintptr(unsafe.Pointer(b2)))
+       return keyID(r1), err
+}
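Review bot: searchKeyring converts `b1` and `b2` to `uintptr` and hands them to the Go wrapper `keyctl`, which allocates a slice before it reaches `syscall.Syscall6`. The unsafe.Pointer rules only keep the referent alive when the conversion appears in the syscall call expression itself, and `b1`/`b2` have no later use, so the buffers may in principle be collected before the kernel reads them. Adding `runtime.KeepAlive(b1)` and `runtime.KeepAlive(b2)` after the `keyctl(...)` call, or calling `syscall.Syscall6` directly as addkey does, closes that window. `Key.Get` in key.go passes `&b[0]` through the same wrapper, but `b` stays referenced afterwards. `keyctl` also silently drops any arguments beyond five.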
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/sys_linux_386.go 
new/image-3.0.0/pkg/keyctl/sys_linux_386.go
--- old/image-2.0.0/pkg/keyctl/sys_linux_386.go 1970-01-01 01:00:00.000000000 
+0100
+++ new/image-3.0.0/pkg/keyctl/sys_linux_386.go 2019-08-02 11:13:02.000000000 
+0200
@@ -0,0 +1,12 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package keyctl
+
+const (
+       syscallKeyctl uintptr = 288
+       syscallAddKey uintptr = 286
+)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/keyctl/sys_linux_amd64.go 
new/image-3.0.0/pkg/keyctl/sys_linux_amd64.go
--- old/image-2.0.0/pkg/keyctl/sys_linux_amd64.go       1970-01-01 
01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/keyctl/sys_linux_amd64.go       2019-08-02 
11:13:02.000000000 +0200
@@ -0,0 +1,12 @@
+// Copyright 2015 Jesse Sipprell. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package keyctl
+
+const (
+       syscallKeyctl uintptr = 250
+       syscallAddKey uintptr = 248
+)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/pkg/sysregistries/system_registries.go 
new/image-3.0.0/pkg/sysregistries/system_registries.go
--- old/image-2.0.0/pkg/sysregistries/system_registries.go      2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/pkg/sysregistries/system_registries.go      1970-01-01 
01:00:00.000000000 +0100
@@ -1,103 +0,0 @@
-package sysregistries
-
-import (
-       "strings"
-
-       "github.com/BurntSushi/toml"
-       "github.com/containers/image/types"
-       "io/ioutil"
-       "path/filepath"
-)
-
-// systemRegistriesConfPath is the path to the system-wide registry 
configuration file
-// and is used to add/subtract potential registries for obtaining images.
-// You can override this at build time with
-// -ldflags '-X 
github.com/containers/image/sysregistries.systemRegistriesConfPath=$your_path'
-var systemRegistriesConfPath = builtinRegistriesConfPath
-
-// builtinRegistriesConfPath is the path to registry configuration file
-// DO NOT change this, instead see systemRegistriesConfPath above.
-const builtinRegistriesConfPath = "/etc/containers/registries.conf"
-
-type registries struct {
-       Registries []string `toml:"registries"`
-}
-
-type tomlConfig struct {
-       Registries struct {
-               Search   registries `toml:"search"`
-               Insecure registries `toml:"insecure"`
-               Block    registries `toml:"block"`
-       } `toml:"registries"`
-}
-
-// normalizeRegistries removes trailing slashes from registries, which is a
-// common pitfall when configuring registries (e.g., "docker.io/library/).
-func normalizeRegistries(regs *registries) {
-       for i := range regs.Registries {
-               regs.Registries[i] = strings.TrimRight(regs.Registries[i], "/")
-       }
-}
-
-// Reads the global registry file from the filesystem. Returns
-// a byte array
-func readRegistryConf(sys *types.SystemContext) ([]byte, error) {
-       return ioutil.ReadFile(RegistriesConfPath(sys))
-}
-
-// For mocking in unittests
-var readConf = readRegistryConf
-
-// Loads the registry configuration file from the filesystem and
-// then unmarshals it.  Returns the unmarshalled object.
-func loadRegistryConf(sys *types.SystemContext) (*tomlConfig, error) {
-       config := &tomlConfig{}
-
-       configBytes, err := readConf(sys)
-       if err != nil {
-               return nil, err
-       }
-
-       err = toml.Unmarshal(configBytes, &config)
-       normalizeRegistries(&config.Registries.Search)
-       normalizeRegistries(&config.Registries.Insecure)
-       normalizeRegistries(&config.Registries.Block)
-       return config, err
-}
-
-// GetRegistries returns an array of strings that contain the names
-// of the registries as defined in the system-wide
-// registries file.  it returns an empty array if none are
-// defined
-func GetRegistries(sys *types.SystemContext) ([]string, error) {
-       config, err := loadRegistryConf(sys)
-       if err != nil {
-               return nil, err
-       }
-       return config.Registries.Search.Registries, nil
-}
-
-// GetInsecureRegistries returns an array of strings that contain the names
-// of the insecure registries as defined in the system-wide
-// registries file.  it returns an empty array if none are
-// defined
-func GetInsecureRegistries(sys *types.SystemContext) ([]string, error) {
-       config, err := loadRegistryConf(sys)
-       if err != nil {
-               return nil, err
-       }
-       return config.Registries.Insecure.Registries, nil
-}
-
-// RegistriesConfPath is the path to the system-wide registry configuration 
file
-func RegistriesConfPath(ctx *types.SystemContext) string {
-       path := systemRegistriesConfPath
-       if ctx != nil {
-               if ctx.SystemRegistriesConfPath != "" {
-                       path = ctx.SystemRegistriesConfPath
-               } else if ctx.RootForImplicitAbsolutePaths != "" {
-                       path = filepath.Join(ctx.RootForImplicitAbsolutePaths, 
systemRegistriesConfPath)
-               }
-       }
-       return path
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/pkg/sysregistries/system_registries_test.go 
new/image-3.0.0/pkg/sysregistries/system_registries_test.go
--- old/image-2.0.0/pkg/sysregistries/system_registries_test.go 2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/pkg/sysregistries/system_registries_test.go 1970-01-01 
01:00:00.000000000 +0100
@@ -1,72 +0,0 @@
-package sysregistries
-
-import (
-       "github.com/containers/image/types"
-       "github.com/stretchr/testify/assert"
-       "testing"
-)
-
-var testConfig = []byte("")
-
-func init() {
-       readConf = func(_ *types.SystemContext) ([]byte, error) {
-               return testConfig, nil
-       }
-}
-
-func TestGetRegistriesWithBlankData(t *testing.T) {
-       testConfig = []byte("")
-       registriesConfig, _ := GetRegistries(nil)
-       assert.Nil(t, registriesConfig)
-}
-
-func TestGetRegistriesWithData(t *testing.T) {
-       answer := []string{"one.com"}
-       testConfig = []byte(`[registries.search]
-registries= ['one.com']
-`)
-       registriesConfig, err := GetRegistries(nil)
-       assert.Nil(t, err)
-       assert.Equal(t, registriesConfig, answer)
-}
-
-func TestGetRegistriesWithBadData(t *testing.T) {
-       testConfig = []byte(`registries:
-    - one.com
-    ,`)
-       _, err := GetRegistries(nil)
-       assert.Error(t, err)
-}
-
-func TestGetRegistriesWithTrailingSlash(t *testing.T) {
-       answer := []string{"no-slash.com:5000/path", "one-slash.com", 
"two-slashes.com", "three-slashes.com:5000"}
-       testConfig = []byte(`[registries.search]
-       registries= ['no-slash.com:5000/path', 'one-slash.com', 
'two-slashes.com//', 'three-slashes.com:5000///']
-`)
-       // note: only one trailing gets removed
-       registriesConfig, err := GetRegistries(nil)
-       assert.Nil(t, err)
-       assert.Equal(t, registriesConfig, answer)
-}
-
-func TestGetInsecureRegistriesWithBlankData(t *testing.T) {
-       answer := []string(nil)
-       testConfig = []byte("")
-       insecureRegistriesConfig, err := GetInsecureRegistries(nil)
-       assert.Nil(t, err)
-       assert.Equal(t, insecureRegistriesConfig, answer)
-}
-
-func TestGetInsecureRegistriesWithData(t *testing.T) {
-       answer := []string{"two.com", "three.com"}
-       testConfig = []byte(`[registries.search]
-registries = ['one.com']
-[registries.insecure]
-registries = ['two.com', 'three.com']
-`)
-       insecureRegistriesConfig, err := GetInsecureRegistries(nil)
-       if err != nil {
-               t.Fail()
-       }
-       assert.Equal(t, insecureRegistriesConfig, answer)
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/pkg/sysregistriesv2/system_registries_v2.go 
new/image-3.0.0/pkg/sysregistriesv2/system_registries_v2.go
--- old/image-2.0.0/pkg/sysregistriesv2/system_registries_v2.go 2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/pkg/sysregistriesv2/system_registries_v2.go 2019-08-02 
11:13:02.000000000 +0200
@@ -30,10 +30,10 @@
 // Endpoint describes a remote location of a registry.
 type Endpoint struct {
        // The endpoint's remote location.
-       Location string `toml:"location"`
+       Location string `toml:"location,omitempty"`
        // If true, certs verification will be skipped and HTTP (non-TLS)
        // connections will be allowed.
-       Insecure bool `toml:"insecure"`
+       Insecure bool `toml:"insecure,omitempty"`
 }
 
 // rewriteReference will substitute the provided reference `prefix` to the
@@ -56,22 +56,22 @@
 
 // Registry represents a registry.
 type Registry struct {
+       // Prefix is used for matching images, and to translate one namespace to
+       // another.  If `Prefix="example.com/bar"`, 
`location="example.com/foo/bar"`
+       // and we pull from "example.com/bar/myimage:latest", the image will
+       // effectively be pulled from "example.com/foo/bar/myimage:latest".
+       // If no Prefix is specified, it defaults to the specified location.
+       Prefix string `toml:"prefix"`
        // A registry is an Endpoint too
        Endpoint
        // The registry's mirrors.
-       Mirrors []Endpoint `toml:"mirror"`
+       Mirrors []Endpoint `toml:"mirror,omitempty"`
        // If true, pulling from the registry will be blocked.
-       Blocked bool `toml:"blocked"`
+       Blocked bool `toml:"blocked,omitempty"`
        // If true, mirrors will only be used for digest pulls. Pulling images 
by
        // tag can potentially yield different images, depending on which 
endpoint
        // we pull from.  Forcing digest-pulls for mirrors avoids that issue.
-       MirrorByDigestOnly bool `toml:"mirror-by-digest-only"`
-       // Prefix is used for matching images, and to translate one namespace to
-       // another.  If `Prefix="example.com/bar"`, 
`location="example.com/foo/bar"`
-       // and we pull from "example.com/bar/myimage:latest", the image will
-       // effectively be pulled from "example.com/foo/bar/myimage:latest".
-       // If no Prefix is specified, it defaults to the specified location.
-       Prefix string `toml:"prefix"`
+       MirrorByDigestOnly bool `toml:"mirror-by-digest-only,omitempty"`
 }
 
 // PullSource consists of an Endpoint and a Reference. Note that the reference 
is
@@ -303,9 +303,8 @@
        return nil
 }
 
-// getConfigPath returns the system-registries config path if specified.
-// Otherwise, systemRegistriesConfPath is returned.
-func getConfigPath(ctx *types.SystemContext) string {
+// ConfigPath returns the path to the system-wide registry configuration file.
+func ConfigPath(ctx *types.SystemContext) string {
        confPath := systemRegistriesConfPath
        if ctx != nil {
                if ctx.SystemRegistriesConfPath != "" {
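Review bot: The doc comment on the newly exported `ConfigPath` drops what the old one stated, namely that a path set in the context takes precedence over the built-in default. Now that external callers can use this function, the comment should keep that contract, for example `// ConfigPath returns ctx.SystemRegistriesConfPath if it is set; otherwise the default systemRegistriesConfPath is used.` The function body continues past the end of this hunk, so any further handling there (the test file mentions a root prefix) should be covered in the comment as well.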
@@ -336,14 +335,27 @@
 
 // getConfig returns the config object corresponding to ctx, loading it if it 
is not yet cached.
 func getConfig(ctx *types.SystemContext) (*V2RegistriesConf, error) {
-       configPath := getConfigPath(ctx)
+       configPath := ConfigPath(ctx)
 
        configMutex.Lock()
-       defer configMutex.Unlock()
        // if the config has already been loaded, return the cached registries
        if config, inCache := configCache[configPath]; inCache {
+               configMutex.Unlock()
                return config, nil
        }
+       configMutex.Unlock()
+
+       return TryUpdatingCache(ctx)
+}
+
+// TryUpdatingCache loads the configuration from the provided `SystemContext`
+// without using the internal cache. On success, the loaded configuration will
+// be added into the internal registry cache.
+func TryUpdatingCache(ctx *types.SystemContext) (*V2RegistriesConf, error) {
+       configPath := ConfigPath(ctx)
+
+       configMutex.Lock()
+       defer configMutex.Unlock()
 
        // load the config
        config, err := loadRegistryConf(configPath)
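Review bot: `getConfig` now releases `configMutex` after the cache miss and `TryUpdatingCache` takes it again, so the lookup and the load are no longer one critical section. Two goroutines that both miss can each parse the file and each get back a different `*V2RegistriesConf` for the same path, with the later store overwriting the earlier one. Keeping the deferred unlock in `getConfig` and moving the load into a helper that expects the lock to be held would restore the old atomicity while still giving `TryUpdatingCache` its cache-bypassing behaviour. The rest of `TryUpdatingCache` lies outside this hunk, so the helper body below is only sketched.

```go
func getConfig(ctx *types.SystemContext) (*V2RegistriesConf, error) {
	// … unchanged: configPath := ConfigPath(ctx) …
	configMutex.Lock()
	defer configMutex.Unlock()
	if config, inCache := configCache[configPath]; inCache {
		return config, nil
	}
	return tryUpdatingCacheLocked(configPath)
}

func TryUpdatingCache(ctx *types.SystemContext) (*V2RegistriesConf, error) {
	// … unchanged: configPath, Lock, deferred Unlock …
	return tryUpdatingCacheLocked(configPath)
}

// tryUpdatingCacheLocked loads configPath and stores the result in configCache.
// The caller must hold configMutex.
func tryUpdatingCacheLocked(configPath string) (*V2RegistriesConf, error) {
	// … unchanged: loadRegistryConf and the rest of the load path …
```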
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/pkg/sysregistriesv2/system_registries_v2_test.go 
new/image-3.0.0/pkg/sysregistriesv2/system_registries_v2_test.go
--- old/image-2.0.0/pkg/sysregistriesv2/system_registries_v2_test.go    
2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/pkg/sysregistriesv2/system_registries_v2_test.go    
2019-08-02 11:13:02.000000000 +0200
@@ -115,7 +115,7 @@
        }
 }
 
-func TestGetConfigPath(t *testing.T) {
+func TestConfigPath(t *testing.T) {
        const nondefaultPath = "/this/is/not/the/default/registries.conf"
        const variableReference = "$HOME"
        const rootPrefix = "/root/prefix"
@@ -146,7 +146,7 @@
                // No environment expansion happens in the overridden paths
                {&types.SystemContext{SystemRegistriesConfPath: 
variableReference}, variableReference},
        } {
-               path := getConfigPath(c.sys)
+               path := ConfigPath(c.sys)
                assert.Equal(t, c.expected, path)
        }
 }
@@ -445,3 +445,22 @@
        assert.Nil(t, err)
        assert.Equal(t, 1, len(pullSources))
 }
+
+func TestTryUpdatingCache(t *testing.T) {
+       ctx := &types.SystemContext{
+               SystemRegistriesConfPath: 
"testdata/try-update-cache-valid.conf",
+       }
+       configCache = make(map[string]*V2RegistriesConf)
+       registries, err := TryUpdatingCache(ctx)
+       assert.Nil(t, err)
+       assert.Equal(t, 1, len(registries.Registries))
+       assert.Equal(t, 1, len(configCache))
+
+       ctxInvalid := &types.SystemContext{
+               SystemRegistriesConfPath: 
"testdata/try-update-cache-invalid.conf",
+       }
+       registries, err = TryUpdatingCache(ctxInvalid)
+       assert.NotNil(t, err)
+       assert.Nil(t, registries)
+       assert.Equal(t, 1, len(configCache))
+}
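Review bot: `configCache = make(map[string]*V2RegistriesConf)` replaces the package-level cache without holding `configMutex` and never puts the previous map back, so other tests in the package see whatever this one leaves behind. Saving and restoring it would keep the test self-contained: `saved := configCache` followed by `defer func() { configCache = saved }()`. The invalid-file half also only covers a failed load of a path that was never cached. It does not show what happens to an existing entry when a reload of the same path fails, which is the case that matters for settings such as `blocked` and `insecure`.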
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/pkg/sysregistriesv2/testdata/try-update-cache-invalid.conf 
new/image-3.0.0/pkg/sysregistriesv2/testdata/try-update-cache-invalid.conf
--- old/image-2.0.0/pkg/sysregistriesv2/testdata/try-update-cache-invalid.conf  
1970-01-01 01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/sysregistriesv2/testdata/try-update-cache-invalid.conf  
2019-08-02 11:13:02.000000000 +0200
@@ -0,0 +1 @@
+invalid
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/pkg/sysregistriesv2/testdata/try-update-cache-valid.conf 
new/image-3.0.0/pkg/sysregistriesv2/testdata/try-update-cache-valid.conf
--- old/image-2.0.0/pkg/sysregistriesv2/testdata/try-update-cache-valid.conf    
1970-01-01 01:00:00.000000000 +0100
+++ new/image-3.0.0/pkg/sysregistriesv2/testdata/try-update-cache-valid.conf    
2019-08-02 11:13:02.000000000 +0200
@@ -0,0 +1,2 @@
+[[registry]]
+location = "registry.com"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/signature/policy_types.go 
new/image-3.0.0/signature/policy_types.go
--- old/image-2.0.0/signature/policy_types.go   2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/signature/policy_types.go   2019-08-02 11:13:02.000000000 
+0200
@@ -6,7 +6,7 @@
 
 package signature
 
-// NOTE: Keep this in sync with docs/policy.json.md!
+// NOTE: Keep this in sync with docs/containers-policy.json.5.md!
 
 // Policy defines requirements for considering a signature, or an image, valid.
 type Policy struct {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/storage/storage_image.go 
new/image-3.0.0/storage/storage_image.go
--- old/image-2.0.0/storage/storage_image.go    2019-06-13 19:43:06.000000000 
+0200
+++ new/image-3.0.0/storage/storage_image.go    2019-08-02 11:13:02.000000000 
+0200
@@ -491,14 +491,21 @@
 
        // Does the blob correspond to a known DiffID which we already have 
available?
        // Because we must return the size, which is unknown for unavailable 
compressed blobs, the returned BlobInfo refers to the
-       // uncompressed layer, and that can happen only if canSubstitute.
-       if canSubstitute {
+       // uncompressed layer, and that can happen only if canSubstitute, or if 
the incoming manifest already specifies the size.
+       if canSubstitute || blobinfo.Size != -1 {
                if uncompressedDigest := 
cache.UncompressedDigest(blobinfo.Digest); uncompressedDigest != "" && 
uncompressedDigest != blobinfo.Digest {
                        layers, err := 
s.imageRef.transport.store.LayersByUncompressedDigest(uncompressedDigest)
                        if err != nil && errors.Cause(err) != 
storage.ErrLayerUnknown {
                                return false, types.BlobInfo{}, 
errors.Wrapf(err, `Error looking for layers with digest %q`, uncompressedDigest)
                        }
                        if len(layers) > 0 {
+                               if blobinfo.Size != -1 {
+                                       s.blobDiffIDs[blobinfo.Digest] = 
layers[0].UncompressedDigest
+                                       return true, blobinfo, nil
+                               }
+                               if !canSubstitute {
+                                       return false, types.BlobInfo{}, 
fmt.Errorf("Internal error: canSubstitute was expected to be true for blobInfo 
%v", blobinfo)
+                               }
                                s.blobDiffIDs[uncompressedDigest] = 
layers[0].UncompressedDigest
                                return true, types.BlobInfo{
                                        Digest:    uncompressedDigest,
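Review bot: The new early return under `if blobinfo.Size != -1` hands back the caller's `blobinfo` unchanged, so the size reported for the reused blob is whatever the incoming manifest declared. Nothing in this hunk checks that size against local data, and the compressed-to-uncompressed mapping comes solely from `cache.UncompressedDigest`. A comment on that branch would make the trust assumption explicit, for example `// Size is taken from the manifest as-is; only the uncompressed layer is available locally to back this blob.` Separately, the internal-error branch uses `fmt.Errorf` where the surrounding lines use `errors.Wrapf` and `errors.Cause`; `errors.Errorf` would match, assuming that import is github.com/pkg/errors. The function starts and ends outside this hunk.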
@@ -627,7 +634,7 @@
                if !ok {
                        // Try to find the layer with contents matching that 
blobsum.
                        layer := ""
-                       layers, err2 := 
s.imageRef.transport.store.LayersByUncompressedDigest(blob.Digest)
+                       layers, err2 := 
s.imageRef.transport.store.LayersByUncompressedDigest(diffID)
                        if err2 == nil && len(layers) > 0 {
                                layer = layers[0].ID
                        } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/image-2.0.0/transports/alltransports/alltransports.go 
new/image-3.0.0/transports/alltransports/alltransports.go
--- old/image-2.0.0/transports/alltransports/alltransports.go   2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/transports/alltransports/alltransports.go   2019-08-02 
11:13:02.000000000 +0200
@@ -4,7 +4,7 @@
        "strings"
 
        // register all known transports
-       // NOTE: Make sure docs/policy.json.md is updated when adding or 
updating
+       // NOTE: Make sure docs/containers-policy.json.5.md is updated when 
adding or updating
        // a transport.
        _ "github.com/containers/image/directory"
        _ "github.com/containers/image/docker"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/transports/alltransports/ostree.go 
new/image-3.0.0/transports/alltransports/ostree.go
--- old/image-2.0.0/transports/alltransports/ostree.go  2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/transports/alltransports/ostree.go  2019-08-02 
11:13:02.000000000 +0200
@@ -1,4 +1,4 @@
-// +build !containers_image_ostree_stub,linux
+// +build containers_image_ostree,linux
 
 package alltransports
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/transports/alltransports/ostree_stub.go 
new/image-3.0.0/transports/alltransports/ostree_stub.go
--- old/image-2.0.0/transports/alltransports/ostree_stub.go     2019-06-13 
19:43:06.000000000 +0200
+++ new/image-3.0.0/transports/alltransports/ostree_stub.go     2019-08-02 
11:13:02.000000000 +0200
@@ -1,4 +1,4 @@
-// +build containers_image_ostree_stub !linux
+// +build !containers_image_ostree !linux
 
 package alltransports
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/types/types.go 
new/image-3.0.0/types/types.go
--- old/image-2.0.0/types/types.go      2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/types/types.go      2019-08-02 11:13:02.000000000 +0200
@@ -398,6 +398,7 @@
        Architecture  string
        Os            string
        Layers        []string
+       Env           []string
 }
 
 // DockerAuthConfig contains authorization information for connecting to a 
registry.
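Review bot: The new `Env []string` field on the inspect struct has no comment, and image environment variables sometimes carry credentials or tokens baked in at build time. Anything that prints or logs this struct will now include those values, so the field should say where the data comes from and that it may be sensitive, for example `// Env holds the environment from the image config; values may include secrets, avoid logging them verbatim.` The struct declaration begins outside this hunk, so the source of the data is inferred from the field name and the changelog entry for ImageInspectInfo.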
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/vendor.conf new/image-3.0.0/vendor.conf
--- old/image-2.0.0/vendor.conf 2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/vendor.conf 2019-08-02 11:13:02.000000000 +0200
@@ -46,6 +46,6 @@
 github.com/klauspost/pgzip v1.2.1
 github.com/klauspost/compress v1.4.1
 github.com/klauspost/cpuid v1.2.0
-github.com/vbauerster/mpb v3.3.4
+github.com/vbauerster/mpb v3.4.0
 github.com/mattn/go-isatty v0.0.4
 github.com/VividCortex/ewma v1.1.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/image-2.0.0/version/version.go 
new/image-3.0.0/version/version.go
--- old/image-2.0.0/version/version.go  2019-06-13 19:43:06.000000000 +0200
+++ new/image-3.0.0/version/version.go  2019-08-02 11:13:02.000000000 +0200
@@ -4,7 +4,7 @@
 
 const (
        // VersionMajor is for an API incompatible changes
-       VersionMajor = 2
+       VersionMajor = 3
        // VersionMinor is for functionality in a backwards-compatible manner
        VersionMinor = 0
        // VersionPatch is for backwards-compatible bug fixes

++++++ storage-1.12.13.tar.xz -> storage-1.12.16.tar.xz ++++++
++++ 720344 lines of diff (skipped)

