Vendor in latest containers/(common, storage, image)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/containers/image/v5/copy/copy.go

@@ -150,6 +150,11 @@ type Options struct {
 	ForceManifestMIMEType string
 	ImageListSelection    ImageListSelection // set to either CopySystemImage (the default), CopyAllImages, or CopySpecificImages to control which instances we copy when the source reference is a list; ignored if the source reference is not a list
 	Instances             []digest.Digest    // if ImageListSelection is CopySpecificImages, copy only these instances and the list itself
+	// Give priority to pulling gzip images if multiple images are present when configured to OptionalBoolTrue,
+	// prefers the best compression if this is configured as OptionalBoolFalse. Choose automatically (and the choice may change over time)
+	// if this is set to OptionalBoolUndefined (which is the default behavior, and recommended for most callers).
+	// This only affects CopySystemImage.
+	PreferGzipInstances types.OptionalBool
 
 	// If OciEncryptConfig is non-nil, it indicates that an image should be encrypted.
 	// The encryption options is derived from the construction of EncryptConfig object.
@@ -322,7 +327,7 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 		if err != nil {
 			return nil, fmt.Errorf("parsing primary manifest as list for %s: %w", transports.ImageName(srcRef), err)
 		}
-		instanceDigest, err := manifestList.ChooseInstance(options.SourceCtx) // try to pick one that matches options.SourceCtx
+		instanceDigest, err := manifestList.ChooseInstanceByCompression(options.SourceCtx, options.PreferGzipInstances) // try to pick one that matches options.SourceCtx
 		if err != nil {
 			return nil, fmt.Errorf("choosing an image from manifest list %s: %w", transports.ImageName(srcRef), err)
 		}

vendor/github.com/containers/image/v5/docker/daemon/daemon_dest.go

@@ -69,6 +69,7 @@ func newImageDestination(ctx context.Context, sys *types.SystemContext, ref daem
 
 // imageLoadGoroutine accepts tar stream on reader, sends it to c, and reports error or success by writing to statusChannel
 func imageLoadGoroutine(ctx context.Context, c *client.Client, reader *io.PipeReader, statusChannel chan<- error) {
+	defer c.Close()
 	err := errors.New("Internal error: unexpected panic in imageLoadGoroutine")
 	defer func() {
 		logrus.Debugf("docker-daemon: sending done, status %v", err)

vendor/github.com/containers/image/v5/docker/daemon/daemon_src.go

@@ -28,6 +28,8 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref daemonRef
 	if err != nil {
 		return nil, fmt.Errorf("initializing docker engine client: %w", err)
 	}
+	defer c.Close()
+
 	// Per NewReference(), ref.StringWithinTransport() is either an image ID (config digest), or a !reference.NameOnly() reference.
 	// Either way ImageSave should create a tarball with exactly one image.
 	inputStream, err := c.ImageSave(ctx, []string{ref.StringWithinTransport()})

vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -213,6 +213,7 @@ func dockerCertDir(sys *types.SystemContext, hostPort string) (string, error) {
 // newDockerClientFromRef returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
 // “write” specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection)
 // signatureBase is always set in the return value
+// The caller must call .Close() on the returned client when done.
 func newDockerClientFromRef(sys *types.SystemContext, ref dockerReference, registryConfig *registryConfiguration, write bool, actions string) (*dockerClient, error) {
 	auth, err := config.GetCredentialsForRef(sys, ref.ref)
 	if err != nil {
@@ -247,6 +248,7 @@ func newDockerClientFromRef(sys *types.SystemContext, ref dockerReference, regis
 // (e.g., "registry.com[:5000][/some/namespace]/repo").
 // Please note that newDockerClient does not set all members of dockerClient
 // (e.g., username and password); those must be set by callers if necessary.
+// The caller must call .Close() on the returned client when done.
 func newDockerClient(sys *types.SystemContext, registry, reference string) (*dockerClient, error) {
 	hostName := registry
 	if registry == dockerHostname {
@@ -302,6 +304,7 @@ func CheckAuth(ctx context.Context, sys *types.SystemContext, username, password
 	if err != nil {
 		return fmt.Errorf("creating new docker client: %w", err)
 	}
+	defer client.Close()
 	client.auth = types.DockerAuthConfig{
 		Username: username,
 		Password: password,
@@ -371,6 +374,7 @@ func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, ima
 	if err != nil {
 		return nil, fmt.Errorf("creating new docker client: %w", err)
 	}
+	defer client.Close()
 	client.auth = auth
 	if sys != nil {
 		client.registryToken = sys.DockerBearerRegistryToken
@@ -1084,3 +1088,11 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
 func sigstoreAttachmentTag(d digest.Digest) string {
 	return strings.Replace(d.String(), ":", "-", 1) + ".sig"
 }
+
+// Close removes resources associated with an initialized dockerClient, if any.
+func (c *dockerClient) Close() error {
+	if c.client != nil {
+		c.client.CloseIdleConnections()
+	}
+	return nil
+}

vendor/github.com/containers/image/v5/docker/docker_image.go

@@ -68,6 +68,7 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
 	if err != nil {
 		return nil, fmt.Errorf("failed to create client: %w", err)
 	}
+	defer client.Close()
 
 	tags := make([]string, 0)
 
@@ -136,6 +137,7 @@ func GetDigest(ctx context.Context, sys *types.SystemContext, ref types.ImageRef
 	if err != nil {
 		return "", fmt.Errorf("failed to create client: %w", err)
 	}
+	defer client.Close()
 
 	path := fmt.Sprintf(manifestPath, reference.Path(dr.ref), tagOrDigest)
 	headers := map[string][]string{

vendor/github.com/containers/image/v5/docker/docker_image_dest.go

@@ -93,7 +93,7 @@ func (d *dockerImageDestination) Reference() types.ImageReference {
 
 // Close removes resources associated with an initialized ImageDestination, if any.
 func (d *dockerImageDestination) Close() error {
-	return nil
+	return d.c.Close()
 }
 
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.

vendor/github.com/containers/image/v5/docker/docker_image_src.go

@@ -153,6 +153,7 @@ func newImageSourceAttempt(ctx context.Context, sys *types.SystemContext, logica
 	s.Compat = impl.AddCompat(s)
 
 	if err := s.ensureManifestIsLoaded(ctx); err != nil {
+		client.Close()
 		return nil, err
 	}
 	return s, nil
@@ -166,7 +167,7 @@ func (s *dockerImageSource) Reference() types.ImageReference {
 
 // Close removes resources associated with an initialized ImageSource, if any.
 func (s *dockerImageSource) Close() error {
-	return nil
+	return s.c.Close()
 }
 
 // simplifyContentType drops parameters from a HTTP media type (see https://tools.ietf.org/html/rfc7231#section-3.1.1.1)
@@ -605,6 +606,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
 	if err != nil {
 		return err
 	}
+	defer c.Close()
 
 	headers := map[string][]string{
 		"Accept": manifest.DefaultRequestedManifestMIMETypes,

vendor/github.com/containers/image/v5/internal/manifest/docker_schema2_list.go

@@ -90,6 +90,11 @@ func (list *Schema2ListPublic) UpdateInstances(updates []ListUpdate) error {
 	return nil
 }
 
+func (list *Schema2ListPublic) ChooseInstanceByCompression(ctx *types.SystemContext, preferGzip types.OptionalBool) (digest.Digest, error) {
+	// ChooseInstanceByCompression is same as ChooseInstance for schema2 manifest list.
+	return list.ChooseInstance(ctx)
+}
+
 // ChooseInstance parses blob as a schema2 manifest list, and returns the digest
 // of the image which is appropriate for the current environment.
 func (list *Schema2ListPublic) ChooseInstance(ctx *types.SystemContext) (digest.Digest, error) {

vendor/github.com/containers/image/v5/internal/manifest/list.go

@@ -51,6 +51,10 @@ type List interface {
 	ListPublic
 	// CloneInternal returns a deep copy of this list and its contents.
 	CloneInternal() List
+	// ChooseInstanceInstanceByCompression selects which manifest is most appropriate for the platform and compression described by the
+	// SystemContext ( or for the current platform if the SystemContext doesn't specify any detail ) and preferGzip for compression which
+	// when configured to OptionalBoolTrue and chooses best available compression when it is OptionalBoolFalse or left OptionalBoolUndefined.
+	ChooseInstanceByCompression(ctx *types.SystemContext, preferGzip types.OptionalBool) (digest.Digest, error)
 }
 
 // ListUpdate includes the fields which a List's UpdateInstances() method will modify.

vendor/github.com/containers/image/v5/internal/manifest/oci_index.go

@@ -3,6 +3,7 @@ package manifest
 import (
 	"encoding/json"
 	"fmt"
+	"math"
 	"runtime"
 
 	platform "github.com/containers/image/v5/internal/pkg/platform"
@@ -14,6 +15,16 @@ import (
 	"golang.org/x/exp/slices"
 )
 
+const (
+	// OCI1InstanceAnnotationCompressionZSTD is an annotation name that can be placed on a manifest descriptor in an OCI index.
+	// The value of the annotation must be the string "true".
+	// If this annotation is present on a manifest, consuming that image instance requires support for Zstd compression.
+	// That also suggests that this instance benefits from
+	// Zstd compression, so it can be preferred by compatible consumers over instances that
+	// use gzip, depending on their local policy.
+	OCI1InstanceAnnotationCompressionZSTD = "io.github.containers.compression.zstd"
+)
+
 // OCI1IndexPublic is just an alias for the OCI index type, but one which we can
 // provide methods for.
 // This is publicly visible as c/image/manifest.OCI1Index
@@ -73,39 +84,92 @@ func (index *OCI1IndexPublic) UpdateInstances(updates []ListUpdate) error {
 	return nil
 }
 
-// ChooseInstance parses blob as an oci v1 manifest index, and returns the digest
-// of the image which is appropriate for the current environment.
-func (index *OCI1IndexPublic) ChooseInstance(ctx *types.SystemContext) (digest.Digest, error) {
+// instanceIsZstd returns true if instance is a zstd instance otherwise false.
+func instanceIsZstd(manifest imgspecv1.Descriptor) bool {
+	if value, ok := manifest.Annotations[OCI1InstanceAnnotationCompressionZSTD]; ok && value == "true" {
+		return true
+	}
+	return false
+}
+
+type instanceCandidate struct {
+	platformIndex    int           // Index of the candidate in platform.WantedPlatforms: lower numbers are preferred; or math.maxInt if the candidate doesn’t have a platform
+	isZstd           bool          // tells if particular instance if zstd instance
+	manifestPosition int           // A zero-based index of the instance in the manifest list
+	digest           digest.Digest // Instance digest
+}
+
+func (ic instanceCandidate) isPreferredOver(other *instanceCandidate, preferGzip bool) bool {
+	switch {
+	case ic.platformIndex != other.platformIndex:
+		return ic.platformIndex < other.platformIndex
+	case ic.isZstd != other.isZstd:
+		if !preferGzip {
+			return ic.isZstd
+		} else {
+			return !ic.isZstd
+		}
+	case ic.manifestPosition != other.manifestPosition:
+		return ic.manifestPosition < other.manifestPosition
+	}
+	panic("internal error: invalid comparision between two candidates") // This should not be reachable because in all calls we make, the two candidates differ at least in manifestPosition.
+}
+
+// chooseInstance is a private equivalent to ChooseInstanceByCompression,
+// shared by ChooseInstance and ChooseInstanceByCompression.
+func (index *OCI1IndexPublic) chooseInstance(ctx *types.SystemContext, preferGzip types.OptionalBool) (digest.Digest, error) {
+	didPreferGzip := false
+	if preferGzip == types.OptionalBoolTrue {
+		didPreferGzip = true
+	}
 	wantedPlatforms, err := platform.WantedPlatforms(ctx)
 	if err != nil {
 		return "", fmt.Errorf("getting platform information %#v: %w", ctx, err)
 	}
-	for _, wantedPlatform := range wantedPlatforms {
-		for _, d := range index.Manifests {
-			if d.Platform == nil {
+	var bestMatch *instanceCandidate
+	bestMatch = nil
+	for manifestIndex, d := range index.Manifests {
+		candidate := instanceCandidate{platformIndex: math.MaxInt, manifestPosition: manifestIndex, isZstd: instanceIsZstd(d), digest: d.Digest}
+		if d.Platform != nil {
+			foundPlatform := false
+			for platformIndex, wantedPlatform := range wantedPlatforms {
+				imagePlatform := imgspecv1.Platform{
+					Architecture: d.Platform.Architecture,
+					OS:           d.Platform.OS,
+					OSVersion:    d.Platform.OSVersion,
+					OSFeatures:   slices.Clone(d.Platform.OSFeatures),
+					Variant:      d.Platform.Variant,
+				}
+				if platform.MatchesPlatform(imagePlatform, wantedPlatform) {
+					foundPlatform = true
+					candidate.platformIndex = platformIndex
+					break
+				}
+			}
+			if !foundPlatform {
 				continue
 			}
-			imagePlatform := imgspecv1.Platform{
-				Architecture: d.Platform.Architecture,
-				OS:           d.Platform.OS,
-				OSVersion:    d.Platform.OSVersion,
-				OSFeatures:   slices.Clone(d.Platform.OSFeatures),
-				Variant:      d.Platform.Variant,
-			}
-			if platform.MatchesPlatform(imagePlatform, wantedPlatform) {
-				return d.Digest, nil
-			}
+		}
+		if bestMatch == nil || candidate.isPreferredOver(bestMatch, didPreferGzip) {
+			bestMatch = &candidate
 		}
 	}
-
-	for _, d := range index.Manifests {
-		if d.Platform == nil {
-			return d.Digest, nil
-		}
+	if bestMatch != nil {
+		return bestMatch.digest, nil
 	}
 	return "", fmt.Errorf("no image found in image index for architecture %s, variant %q, OS %s", wantedPlatforms[0].Architecture, wantedPlatforms[0].Variant, wantedPlatforms[0].OS)
 }
 
+func (index *OCI1Index) ChooseInstanceByCompression(ctx *types.SystemContext, preferGzip types.OptionalBool) (digest.Digest, error) {
+	return index.chooseInstance(ctx, preferGzip)
+}
+
+// ChooseInstance parses blob as an oci v1 manifest index, and returns the digest
+// of the image which is appropriate for the current environment.
+func (index *OCI1IndexPublic) ChooseInstance(ctx *types.SystemContext) (digest.Digest, error) {
+	return index.chooseInstance(ctx, types.OptionalBoolFalse)
+}
+
 // Serialize returns the index in a blob format.
 // NOTE: Serialize() does not in general reproduce the original blob if this object was loaded from one, even if no modifications were made!
 func (index *OCI1IndexPublic) Serialize() ([]byte, error) {

vendor/github.com/containers/image/v5/oci/layout/oci_src.go

@@ -94,6 +94,7 @@ func (s *ociImageSource) Reference() types.ImageReference {
 
 // Close removes resources associated with an initialized ImageSource, if any.
 func (s *ociImageSource) Close() error {
+	s.client.CloseIdleConnections()
 	return nil
 }
 

vendor/github.com/containers/image/v5/pkg/tlsclientconfig/tlsclientconfig.go

@@ -96,8 +96,8 @@ func NewTransport() *http.Transport {
 		Proxy:               http.ProxyFromEnvironment,
 		DialContext:         direct.DialContext,
 		TLSHandshakeTimeout: 10 * time.Second,
-		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
-		DisableKeepAlives: true,
+		IdleConnTimeout:     90 * time.Second,
+		MaxIdleConns:        100,
 	}
 	return tr
 }

vendor/github.com/containers/image/v5/version/version.go

@@ -8,7 +8,7 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 24
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 2
+	VersionPatch = 3
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = "-dev"