Merge pull request #14622 from rhatdan/storage

Vendor in latest containers/storage
2025-08-06 19:44:14 +08:00 · 2022-06-17 07:54:59 +00:00
parent 05fc5959ec 3af047b63d
commit c936d1e611
11 changed files with 135 additions and 45 deletions
--- a/go.mod
+++ b/go.mod
@ -17,7 +17,7 @@ require (
 	github.com/containers/image/v5 v5.21.2-0.20220520105616-e594853d6471
 	github.com/containers/ocicrypt v1.1.4-0.20220428134531-566b808bdf6f
 	github.com/containers/psgo v1.7.2
-	github.com/containers/storage v1.41.1-0.20220607143333-8951d0153bf6
+	github.com/containers/storage v1.41.1-0.20220616120034-7df64288ef35
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/coreos/stream-metadata-go v0.0.0-20210225230131-70edb9eb47b3
 	github.com/cyphar/filepath-securejoin v0.2.3
--- a/go.sum
+++ b/go.sum
@ -361,8 +361,9 @@ github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c
 github.com/containers/storage v1.38.0/go.mod h1:lBzt28gAk5ADZuRtwdndRJyqX22vnRaXmlF+7ktfMYc=
 github.com/containers/storage v1.40.2/go.mod h1:zUyPC3CFIGR1OhY1CKkffxgw9+LuH76PGvVcFj38dgs=
 github.com/containers/storage v1.41.0/go.mod h1:Pb0l5Sm/89kolX3o2KolKQ5cCHk5vPNpJrhNaLcdS5s=
-github.com/containers/storage v1.41.1-0.20220607143333-8951d0153bf6 h1:AWGEIiqWFIfzTIv4Q3k6vJt/EYyo8dh35ny7WhnOd0s=
 github.com/containers/storage v1.41.1-0.20220607143333-8951d0153bf6/go.mod h1:6XQ68cEG8ojfP/m3HIupFV1rZsnqeFmaE8N1ctBP94Y=
+github.com/containers/storage v1.41.1-0.20220616120034-7df64288ef35 h1:6o+kw2z0BrdJ1wNYUbwLVzlb/65KPmZSy+32GNfppzM=
+github.com/containers/storage v1.41.1-0.20220616120034-7df64288ef35/go.mod h1:6XQ68cEG8ojfP/m3HIupFV1rZsnqeFmaE8N1ctBP94Y=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
--- a/vendor/github.com/containers/storage/drivers/chown_unix.go
+++ b/vendor/github.com/containers/storage/drivers/chown_unix.go
@ -21,12 +21,12 @@ type inode struct {

 type platformChowner struct {
 	mutex  sync.Mutex
-	inodes map[inode]bool
+	inodes map[inode]string
 }

 func newLChowner() *platformChowner {
 	return &platformChowner{
-		inodes: make(map[inode]bool),
+		inodes: make(map[inode]string),
 	}
 }

@ -40,15 +40,33 @@ func (c *platformChowner) LChown(path string, info os.FileInfo, toHost, toContai
 		Dev: uint64(st.Dev),
 		Ino: uint64(st.Ino),
 	}
+
 	c.mutex.Lock()
-	_, found := c.inodes[i]
+
+	oldTarget, found := c.inodes[i]
 	if !found {
-		c.inodes[i] = true
+		c.inodes[i] = path
+	}
+
+	// If we are dealing with a file with multiple links then keep the lock until the file is
+	// chowned to avoid a race where we link to the old version if the file is copied up.
+	if found || st.Nlink > 1 {
+		defer c.mutex.Unlock()
+	} else {
+		c.mutex.Unlock()
 	}
-	c.mutex.Unlock()

 	if found {
-		return nil
+		// If the dev/inode was already chowned then create a link to the old target instead
+		// of chowning it again.  This is necessary when the underlying file system breaks
+		// inodes on copy-up (as it is with overlay with index=off) to maintain the original
+		// link and correct file ownership.
+
+		// The target already exists so remove it before creating the link to the new target.
+		if err := os.Remove(path); err != nil {
+			return err
+		}
+		return os.Link(oldTarget, path)
 	}

 	// Map an on-disk UID/GID pair from host to container
--- a/vendor/github.com/containers/storage/drivers/driver_linux.go
+++ b/vendor/github.com/containers/storage/drivers/driver_linux.go
@ -1,3 +1,4 @@
+//go:build linux
 // +build linux

 package graphdriver
@ -162,11 +163,32 @@ func (c *defaultChecker) IsMounted(path string) bool {
 	return m
 }

+// isMountPoint checks that the given path is a mount point
+func isMountPoint(mountPath string) (bool, error) {
+	// it is already the root
+	if mountPath == "/" {
+		return true, nil
+	}
+
+	var s1, s2 unix.Stat_t
+	if err := unix.Stat(mountPath, &s1); err != nil {
+		return true, err
+	}
+	if err := unix.Stat(filepath.Dir(mountPath), &s2); err != nil {
+		return true, err
+	}
+	return s1.Dev != s2.Dev, nil
+}
+
 // Mounted checks if the given path is mounted as the fs type
 func Mounted(fsType FsMagic, mountPath string) (bool, error) {
 	var buf unix.Statfs_t
+
 	if err := unix.Statfs(mountPath, &buf); err != nil {
 		return false, err
 	}
-	return FsMagic(buf.Type) == fsType, nil
+	if FsMagic(buf.Type) != fsType {
+		return false, nil
+	}
+	return isMountPoint(mountPath)
 }
--- a/vendor/github.com/containers/storage/pkg/idtools/idtools_supported.go
+++ b/vendor/github.com/containers/storage/pkg/idtools/idtools_supported.go
@ -1,8 +1,10 @@
+//go:build linux && cgo && libsubid
 // +build linux,cgo,libsubid

 package idtools

 import (
+	"os/user"
 	"unsafe"

 	"github.com/pkg/errors"
@ -32,19 +34,34 @@ import "C"

 func readSubid(username string, isUser bool) (ranges, error) {
 	var ret ranges
+	uidstr := ""
+
 	if username == "ALL" {
 		return nil, errors.New("username ALL not supported")
 	}

+	if u, err := user.Lookup(username); err == nil {
+		uidstr = u.Uid
+	}
+
 	cUsername := C.CString(username)
 	defer C.free(unsafe.Pointer(cUsername))

+	cuidstr := C.CString(uidstr)
+	defer C.free(unsafe.Pointer(cuidstr))
+
 	var nRanges C.int
 	var cRanges *C.struct_subid_range
 	if isUser {
 		nRanges = C.subid_get_uid_ranges(cUsername, &cRanges)
+		if nRanges <= 0 {
+			nRanges = C.subid_get_uid_ranges(cuidstr, &cRanges)
+		}
 	} else {
 		nRanges = C.subid_get_gid_ranges(cUsername, &cRanges)
+		if nRanges <= 0 {
+			nRanges = C.subid_get_gid_ranges(cuidstr, &cRanges)
+		}
 	}
 	if nRanges < 0 {
 		return nil, errors.New("cannot read subids")
--- a/vendor/github.com/containers/storage/pkg/lockfile/lockfile_unix.go
+++ b/vendor/github.com/containers/storage/pkg/lockfile/lockfile_unix.go
@ -1,15 +1,19 @@
+//go:build linux || solaris || darwin || freebsd
 // +build linux solaris darwin freebsd

 package lockfile

 import (
+	"bytes"
+	cryptorand "crypto/rand"
+	"encoding/binary"
 	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
+	"sync/atomic"
 	"time"

-	"github.com/containers/storage/pkg/stringid"
 	"github.com/containers/storage/pkg/system"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
@ -23,13 +27,44 @@ type lockfile struct {
 	counter    int64
 	file       string
 	fd         uintptr
-	lw         string
+	lw         []byte // "last writer"-unique value valid as of the last .Touch() or .Modified(), generated by newLastWriterID()
 	locktype   int16
 	locked     bool
 	ro         bool
 	recursive  bool
 }

+const lastWriterIDSize = 64    // This must be the same as len(stringid.GenerateRandomID)
+var lastWriterIDCounter uint64 // Private state for newLastWriterID
+
+// newLastWriterID returns a new "last writer" ID.
+// The value must be different on every call, and also differ from values
+// generated by other processes.
+func newLastWriterID() []byte {
+	// The ID is (PID, time, per-process counter, random)
+	// PID + time represents both a unique process across reboots,
+	// and a specific time within the process; the per-process counter
+	// is an extra safeguard for in-process concurrency.
+	// The random part disambiguates across process namespaces
+	// (where PID values might collide), serves as a general-purpose
+	// extra safety, _and_ is used to pad the output to lastWriterIDSize,
+	// because other versions of this code exist and they don't work
+	// efficiently if the size of the value changes.
+	pid := os.Getpid()
+	tm := time.Now().UnixNano()
+	counter := atomic.AddUint64(&lastWriterIDCounter, 1)
+
+	res := make([]byte, lastWriterIDSize)
+	binary.LittleEndian.PutUint64(res[0:8], uint64(tm))
+	binary.LittleEndian.PutUint64(res[8:16], counter)
+	binary.LittleEndian.PutUint32(res[16:20], uint32(pid))
+	if n, err := cryptorand.Read(res[20:lastWriterIDSize]); err != nil || n != lastWriterIDSize-20 {
+		panic(err) // This shouldn't happen
+	}
+
+	return res
+}
+
 // openLock opens the file at path and returns the corresponding file
 // descriptor.  Note that the path is opened read-only when ro is set.  If ro
 // is unset, openLock will open the path read-write and create the file if
@ -89,7 +124,7 @@ func createLockerForPath(path string, ro bool) (Locker, error) {
 		stateMutex: &sync.Mutex{},
 		rwMutex:    &sync.RWMutex{},
 		file:       path,
-		lw:         stringid.GenerateRandomID(),
+		lw:         newLastWriterID(),
 		locktype:   int16(locktype),
 		locked:     false,
 		ro:         ro}, nil
@ -212,13 +247,12 @@ func (l *lockfile) Touch() error {
 		panic("attempted to update last-writer in lockfile without the write lock")
 	}
 	defer l.stateMutex.Unlock()
-	l.lw = stringid.GenerateRandomID()
-	id := []byte(l.lw)
-	n, err := unix.Pwrite(int(l.fd), id, 0)
+	l.lw = newLastWriterID()
+	n, err := unix.Pwrite(int(l.fd), l.lw, 0)
 	if err != nil {
 		return err
 	}
-	if n != len(id) {
+	if n != len(l.lw) {
 		return unix.ENOSPC
 	}
 	return nil
@ -228,21 +262,21 @@ func (l *lockfile) Touch() error {
 // was loaded.
 func (l *lockfile) Modified() (bool, error) {
 	l.stateMutex.Lock()
-	id := []byte(l.lw)
 	if !l.locked {
 		panic("attempted to check last-writer in lockfile without locking it first")
 	}
 	defer l.stateMutex.Unlock()
-	n, err := unix.Pread(int(l.fd), id, 0)
+	currentLW := make([]byte, len(l.lw))
+	n, err := unix.Pread(int(l.fd), currentLW, 0)
 	if err != nil {
 		return true, err
 	}
-	if n != len(id) {
+	if n != len(l.lw) {
 		return true, nil
 	}
-	lw := l.lw
-	l.lw = string(id)
-	return l.lw != lw, nil
+	oldLW := l.lw
+	l.lw = currentLW
+	return !bytes.Equal(currentLW, oldLW), nil
 }

 // IsReadWriteLock indicates if the lock file is a read-write lock.
--- a/vendor/github.com/containers/storage/pkg/stringid/stringid.go
+++ b/vendor/github.com/containers/storage/pkg/stringid/stringid.go
@ -12,6 +12,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 )

@ -20,6 +21,9 @@ const shortLen = 12
 var (
 	validShortID = regexp.MustCompile("^[a-f0-9]{12}$")
 	validHex     = regexp.MustCompile(`^[a-f0-9]{64}$`)
+
+	rngLock sync.Mutex
+	rng     *rand.Rand // A RNG with seeding properties we control. It can only be accessed with randLock held.
 )

 // IsShortID determines if an arbitrary string *looks like* a short ID.
@ -67,7 +71,9 @@ func GenerateRandomID() string {
 // secure sources of random.
 // It helps you to save entropy.
 func GenerateNonCryptoID() string {
-	return generateID(readerFunc(rand.Read))
+	rngLock.Lock()
+	defer rngLock.Unlock()
+	return generateID(readerFunc(rng.Read))
 }

 // ValidateID checks whether an ID string is a valid image ID.
@ -79,7 +85,7 @@ func ValidateID(id string) error {
 }

 func init() {
-	// safely set the seed globally so we generate random ids. Tries to use a
+	// Initialize a private RNG so we generate random ids. Tries to use a
 	// crypto seed before falling back to time.
 	var seed int64
 	if cryptoseed, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64)); err != nil {
@ -89,7 +95,7 @@ func init() {
 		seed = cryptoseed.Int64()
 	}

-	rand.Seed(seed)
+	rng = rand.New(rand.NewSource(seed))
 }

 type readerFunc func(p []byte) (int, error)
--- a/vendor/github.com/containers/storage/pkg/system/meminfo_unsupported.go
+++ b/vendor/github.com/containers/storage/pkg/system/meminfo_unsupported.go
@ -1,5 +1,8 @@
-//go:build !linux && !windows && !solaris && !freebsd
-// +build !linux,!windows,!solaris,!freebsd
+//go:build !linux && !windows && !solaris && !(freebsd && cgo)
+// +build !linux
+// +build !windows
+// +build !solaris
+// +build !freebsd !cgo

 package system

--- a/vendor/github.com/containers/storage/store.go
+++ b/vendor/github.com/containers/storage/store.go
@ -21,7 +21,6 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/parsers"
-	"github.com/containers/storage/pkg/stringid"
 	"github.com/containers/storage/pkg/stringutils"
 	"github.com/containers/storage/pkg/system"
 	"github.com/containers/storage/types"
@ -1016,9 +1015,6 @@ func (s *store) PutLayer(id, parent string, names []string, mountLabel string, w
 	if err := rcstore.ReloadIfChanged(); err != nil {
 		return nil, -1, err
 	}
-	if id == "" {
-		id = stringid.GenerateRandomID()
-	}
 	if options == nil {
 		options = &LayerOptions{}
 	}
@ -1097,10 +1093,6 @@ func (s *store) CreateLayer(id, parent string, names []string, mountLabel string
 }

 func (s *store) CreateImage(id string, names []string, layer, metadata string, options *ImageOptions) (*Image, error) {
-	if id == "" {
-		id = stringid.GenerateRandomID()
-	}
-
 	if layer != "" {
 		lstore, err := s.LayerStore()
 		if err != nil {
@ -1279,9 +1271,6 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 	if err != nil {
 		return nil, err
 	}
-	if id == "" {
-		id = stringid.GenerateRandomID()
-	}

 	var imageTopLayer *Layer
 	imageID := ""
@ -1337,14 +1326,14 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 			}
 		}
 		if cimage == nil {
-			return nil, errors.Wrapf(ErrImageUnknown, "error locating image with ID %q", id)
+			return nil, errors.Wrapf(ErrImageUnknown, "error locating image with ID %q", image)
 		}
 		imageID = cimage.ID
 	}

 	if options.AutoUserNs {
 		var err error
-		options.UIDMap, options.GIDMap, err = s.getAutoUserNS(id, &options.AutoUserNsOpts, cimage)
+		options.UIDMap, options.GIDMap, err = s.getAutoUserNS(&options.AutoUserNsOpts, cimage)
 		if err != nil {
 			return nil, err
 		}
--- a/vendor/github.com/containers/storage/userns.go
+++ b/vendor/github.com/containers/storage/userns.go
@ -124,7 +124,7 @@ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {

 // getMaxSizeFromImage returns the maximum ID used by the specified image.
 // The layer stores must be already locked.
-func (s *store) getMaxSizeFromImage(id string, image *Image, passwdFile, groupFile string) (uint32, error) {
+func (s *store) getMaxSizeFromImage(image *Image, passwdFile, groupFile string) (uint32, error) {
 	lstore, err := s.LayerStore()
 	if err != nil {
 		return 0, err
@ -183,7 +183,7 @@ outer:

 	// We need to create a temporary layer so we can mount it and lookup the
 	// maximum IDs used.
-	clayer, err := rlstore.Create(id, topLayer, nil, "", nil, layerOptions, false)
+	clayer, err := rlstore.Create("", topLayer, nil, "", nil, layerOptions, false)
 	if err != nil {
 		return 0, err
 	}
@ -211,7 +211,7 @@ outer:
 }

 // getAutoUserNS creates an automatic user namespace
-func (s *store) getAutoUserNS(id string, options *types.AutoUserNsOptions, image *Image) ([]idtools.IDMap, []idtools.IDMap, error) {
+func (s *store) getAutoUserNS(options *types.AutoUserNsOptions, image *Image) ([]idtools.IDMap, []idtools.IDMap, error) {
 	requestedSize := uint32(0)
 	initialSize := uint32(1)
 	if options.Size > 0 {
@ -250,7 +250,7 @@ func (s *store) getAutoUserNS(id string, options *types.AutoUserNsOptions, image
 			size = s.autoNsMinSize
 		}
 		if image != nil {
-			sizeFromImage, err := s.getMaxSizeFromImage(id, image, options.PasswdFile, options.GroupFile)
+			sizeFromImage, err := s.getMaxSizeFromImage(image, options.PasswdFile, options.GroupFile)
 			if err != nil {
 				return nil, nil, err
 			}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -239,7 +239,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.41.1-0.20220607143333-8951d0153bf6
+# github.com/containers/storage v1.41.1-0.20220616120034-7df64288ef35
 ## explicit
 github.com/containers/storage
 github.com/containers/storage/drivers