make image listing more resilient

Handle more TOCTOUs operating on listed images. Also pull in containers/common/pull/1520 and containers/common/pull/1522 which do the same on the internal layer tree. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2216700 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2025-07-18 10:08:07 +08:00 · 2023-06-23 13:43:36 +02:00
parent 1bca2d6a1e
commit db37d66cd1
11 changed files with 202 additions and 67 deletions
--- a/vendor/github.com/containers/common/libimage/image.go
+++ b/vendor/github.com/containers/common/libimage/image.go
@ -402,7 +402,7 @@ func (i *Image) removeRecursive(ctx context.Context, rmMap map[string]*RemoveIma
 	// have a closer look at the errors.  On top, image removal should be
 	// tolerant toward corrupted images.
 	handleError := func(err error) error {
-		if errors.Is(err, storage.ErrImageUnknown) || errors.Is(err, storage.ErrNotAnImage) || errors.Is(err, storage.ErrLayerUnknown) {
+		if ErrorIsImageUnknown(err) {
 			// The image or layers of the image may already have been removed
 			// in which case we consider the image to be removed.
 			return nil
--- a/vendor/github.com/containers/common/libimage/layer_tree.go
+++ b/vendor/github.com/containers/common/libimage/layer_tree.go
@ -2,8 +2,10 @@ package libimage

 import (
 	"context"
+	"errors"

 	"github.com/containers/storage"
+	storageTypes "github.com/containers/storage/types"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
@ -30,7 +32,19 @@ func (t *layerTree) node(layerID string) *layerNode {
 	return node
 }

+// ErrorIsImageUnknown returns true if the specified error indicates that an
+// image is unknown or has been partially removed (e.g., a missing layer).
+func ErrorIsImageUnknown(err error) bool {
+	return errors.Is(err, storage.ErrImageUnknown) ||
+		errors.Is(err, storageTypes.ErrLayerUnknown) ||
+		errors.Is(err, storageTypes.ErrSizeUnknown) ||
+		errors.Is(err, storage.ErrNotAnImage)
+}
+
 // toOCI returns an OCI image for the specified image.
+//
+// WARNING: callers are responsible for handling cases where the target image
+// has been (partially) removed and can use `ErrorIsImageUnknown` to detect it.
 func (t *layerTree) toOCI(ctx context.Context, i *Image) (*ociv1.Image, error) {
 	var err error
 	oci, exists := t.ociCache[i.ID()]
@ -155,6 +169,9 @@ func (t *layerTree) children(ctx context.Context, parent *Image, all bool) ([]*I
 	parentID := parent.ID()
 	parentOCI, err := t.toOCI(ctx, parent)
 	if err != nil {
+		if ErrorIsImageUnknown(err) {
+			return nil, nil
+		}
 		return nil, err
 	}

@ -165,6 +182,9 @@ func (t *layerTree) children(ctx context.Context, parent *Image, all bool) ([]*I
 		}
 		childOCI, err := t.toOCI(ctx, child)
 		if err != nil {
+			if ErrorIsImageUnknown(err) {
+				return false, nil
+			}
 			return false, err
 		}
 		// History check.
@ -255,6 +275,9 @@ func (t *layerTree) parent(ctx context.Context, child *Image) (*Image, error) {
 	childID := child.ID()
 	childOCI, err := t.toOCI(ctx, child)
 	if err != nil {
+		if ErrorIsImageUnknown(err) {
+			return nil, nil
+		}
 		return nil, err
 	}

@ -268,6 +291,9 @@ func (t *layerTree) parent(ctx context.Context, child *Image) (*Image, error) {
 			}
 			emptyOCI, err := t.toOCI(ctx, empty)
 			if err != nil {
+				if ErrorIsImageUnknown(err) {
+					return nil, nil
+				}
 				return nil, err
 			}
 			// History check.
@ -300,6 +326,9 @@ func (t *layerTree) parent(ctx context.Context, child *Image) (*Image, error) {
 		}
 		parentOCI, err := t.toOCI(ctx, parent)
 		if err != nil {
+			if ErrorIsImageUnknown(err) {
+				return nil, nil
+			}
 			return nil, err
 		}
 		// History check.