fix(deps): update github.com/containers/storage digest to 79aa304

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

vendor/github.com/containers/storage/drivers/driver.go

@@ -189,6 +189,9 @@ type DriverWithDifferOutput struct {
 	BigData            map[string][]byte
 	TarSplit           []byte
 	TOCDigest          digest.Digest
+	// Artifacts is a collection of additional artifacts
+	// generated by the differ that the storage driver can use.
+	Artifacts map[string]interface{}
 }
 
 type DifferOutputFormat int

vendor/github.com/containers/storage/drivers/overlay/composefs_notsupported.go

@@ -11,7 +11,7 @@ func composeFsSupported() bool {
 	return false
 }
 
-func generateComposeFsBlob(toc []byte, composefsDir string) error {
+func generateComposeFsBlob(verityDigests map[string]string, toc interface{}, composefsDir string) error {
 	return fmt.Errorf("composefs is not supported")
 }
 
@@ -19,6 +19,6 @@ func mountComposefsBlob(dataDir, mountPoint string) error {
 	return fmt.Errorf("composefs is not supported")
 }
 
-func enableVerityRecursive(path string) error {
-	return fmt.Errorf("composefs is not supported")
+func enableVerityRecursive(path string) (map[string]string, error) {
+	return nil, fmt.Errorf("composefs is not supported")
 }

vendor/github.com/containers/storage/drivers/overlay/composefs_supported.go

@@ -4,7 +4,6 @@
 package overlay
 
 import (
-	"bytes"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -16,6 +15,7 @@ import (
 	"syscall"
 	"unsafe"
 
+	"github.com/containers/storage/pkg/chunked/dump"
 	"github.com/containers/storage/pkg/loopback"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -29,7 +29,7 @@ var (
 
 func getComposeFsHelper() (string, error) {
 	composeFsHelperOnce.Do(func() {
-		composeFsHelperPath, composeFsHelperErr = exec.LookPath("composefs-from-json")
+		composeFsHelperPath, composeFsHelperErr = exec.LookPath("mkcomposefs")
 	})
 	return composeFsHelperPath, composeFsHelperErr
 }
@@ -53,7 +53,23 @@ func enableVerity(description string, fd int) error {
 	return nil
 }
 
-func enableVerityRecursive(path string) error {
+type verityDigest struct {
+	Fsv unix.FsverityDigest
+	Buf [64]byte
+}
+
+func measureVerity(description string, fd int) (string, error) {
+	var digest verityDigest
+	digest.Fsv.Size = 64
+	_, _, e1 := syscall.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.FS_IOC_MEASURE_VERITY), uintptr(unsafe.Pointer(&digest)))
+	if e1 != 0 {
+		return "", fmt.Errorf("failed to measure verity for %q: %w", description, e1)
+	}
+	return fmt.Sprintf("%x", digest.Buf[:digest.Fsv.Size]), nil
+}
+
+func enableVerityRecursive(root string) (map[string]string, error) {
+	digests := make(map[string]string)
 	walkFn := func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
@@ -71,24 +87,42 @@ func enableVerityRecursive(path string) error {
 		if err := enableVerity(path, int(f.Fd())); err != nil {
 			return err
 		}
+
+		verity, err := measureVerity(path, int(f.Fd()))
+		if err != nil {
+			return err
+		}
+
+		relPath, err := filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+
+		digests[relPath] = verity
 		return nil
 	}
-	return filepath.WalkDir(path, walkFn)
+	err := filepath.WalkDir(root, walkFn)
+	return digests, err
 }
 
 func getComposefsBlob(dataDir string) string {
 	return filepath.Join(dataDir, "composefs.blob")
 }
 
-func generateComposeFsBlob(toc []byte, composefsDir string) error {
+func generateComposeFsBlob(verityDigests map[string]string, toc interface{}, composefsDir string) error {
 	if err := os.MkdirAll(composefsDir, 0o700); err != nil {
 		return err
 	}
 
+	dumpReader, err := dump.GenerateDump(toc, verityDigests)
+	if err != nil {
+		return err
+	}
+
 	destFile := getComposefsBlob(composefsDir)
 	writerJson, err := getComposeFsHelper()
 	if err != nil {
-		return fmt.Errorf("failed to find composefs-from-json: %w", err)
+		return fmt.Errorf("failed to find mkcomposefs: %w", err)
 	}
 
 	fd, err := unix.Openat(unix.AT_FDCWD, destFile, unix.O_WRONLY|unix.O_CREAT|unix.O_TRUNC|unix.O_EXCL|unix.O_CLOEXEC, 0o644)
@@ -109,10 +143,10 @@ func generateComposeFsBlob(toc []byte, composefsDir string) error {
 		// a scope to close outFd before setting fsverity on the read-only fd.
 		defer outFd.Close()
 
-		cmd := exec.Command(writerJson, "--format=erofs", "--out=/proc/self/fd/3", "/proc/self/fd/0")
+		cmd := exec.Command(writerJson, "--from-file", "-", "/proc/self/fd/3")
 		cmd.ExtraFiles = []*os.File{outFd}
 		cmd.Stderr = os.Stderr
-		cmd.Stdin = bytes.NewReader(toc)
+		cmd.Stdin = dumpReader
 		if err := cmd.Run(); err != nil {
 			return fmt.Errorf("failed to convert json to erofs: %w", err)
 		}

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -82,7 +82,7 @@ const (
 	lowerFile  = "lower"
 	maxDepth   = 500
 
-	zstdChunkedManifest = "zstd-chunked-manifest"
+	tocArtifact = "toc"
 
 	// idLength represents the number of random characters
 	// which can be used to create the unique link identifier
@@ -1003,8 +1003,10 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, disable
 		}
 	}
 	if parent != "" {
-		parentBase, parentImageStore, _ := d.dir2(parent)
-		if parentImageStore != "" {
+		parentBase, parentImageStore, inAdditionalStore := d.dir2(parent)
+		// If parentBase path is additional image store, select the image contained in parentBase.
+		// See https://github.com/containers/podman/issues/19748
+		if parentImageStore != "" && !inAdditionalStore {
 			parentBase = parentImageStore
 		}
 		st, err := system.Stat(filepath.Join(parentBase, "diff"))
@@ -1079,12 +1081,13 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, disable
 	}
 
 	if parent != "" {
-		parentDir, parentImageStore, _ := d.dir2(parent)
-		base := parentDir
-		if parentImageStore != "" {
-			base = parentImageStore
+		parentBase, parentImageStore, inAdditionalStore := d.dir2(parent)
+		// If parentBase path is additional image store, select the image contained in parentBase.
+		// See https://github.com/containers/podman/issues/19748
+		if parentImageStore != "" && !inAdditionalStore {
+			parentBase = parentImageStore
 		}
-		st, err := system.Stat(filepath.Join(base, "diff"))
+		st, err := system.Stat(filepath.Join(parentBase, "diff"))
 		if err != nil {
 			return err
 		}
@@ -1526,15 +1529,8 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 		defer cleanupFunc()
 	}
 
-	composefsLayers := filepath.Join(workDirBase, "composefs-layers")
-	if err := os.MkdirAll(composefsLayers, 0o700); err != nil {
-		return "", err
-	}
-
 	skipIDMappingLayers := make(map[string]string)
 
-	composeFsLayers := []string{}
-
 	composefsMounts := []string{}
 	defer func() {
 		for _, m := range composefsMounts {
@@ -1542,6 +1538,8 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 		}
 	}()
 
+	composeFsLayers := []string{}
+	composeFsLayersDir := filepath.Join(workDirBase, "composefs-layers")
 	maybeAddComposefsMount := func(lowerID string, i int, readWrite bool) (string, error) {
 		composefsBlob := d.getComposefsData(lowerID)
 		_, err = os.Stat(composefsBlob)
@@ -1557,7 +1555,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 			return "", fmt.Errorf("cannot mount a composefs layer as writeable")
 		}
 
-		dest := filepath.Join(composefsLayers, fmt.Sprintf("%d", i))
+		dest := filepath.Join(composeFsLayersDir, fmt.Sprintf("%d", i))
 		if err := os.MkdirAll(dest, 0o700); err != nil {
 			return "", err
 		}
@@ -2110,11 +2108,12 @@ func (d *Driver) ApplyDiffFromStagingDirectory(id, parent, stagingDirectory stri
 	if d.useComposeFs() {
 		// FIXME: move this logic into the differ so we don't have to open
 		// the file twice.
-		if err := enableVerityRecursive(stagingDirectory); err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
+		verityDigests, err := enableVerityRecursive(stagingDirectory)
+		if err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
 			logrus.Warningf("%s", err)
 		}
-		toc := diffOutput.BigData[zstdChunkedManifest]
-		if err := generateComposeFsBlob(toc, d.getComposefsData(id)); err != nil {
+		toc := diffOutput.Artifacts[tocArtifact]
+		if err := generateComposeFsBlob(verityDigests, toc, d.getComposefsData(id)); err != nil {
 			return err
 		}
 	}