Merge pull request #20192 from umohnani8/images

Fix broken podman images filters
2025-11-30 10:07:33 +08:00 · 2023-10-02 17:49:40 +00:00
parent a0eb80c4c7 ba788c1bb8
commit fe828d2238
17 changed files with 157 additions and 30 deletions
--- a/vendor/github.com/containers/common/libimage/filters.go
+++ b/vendor/github.com/containers/common/libimage/filters.go
@@ -11,7 +11,6 @@ import (
 	filtersPkg "github.com/containers/common/pkg/filters"
 	"github.com/containers/common/pkg/timetype"
 	"github.com/containers/image/v5/docker/reference"
-	"github.com/opencontainers/go-digest"
 	"github.com/sirupsen/logrus"
 )

@@ -394,18 +393,17 @@ func filterDangling(ctx context.Context, value bool, tree *layerTree) filterFunc
 // filterID creates an image-ID filter for matching the specified value.
 func filterID(value string) filterFunc {
 	return func(img *Image) (bool, error) {
-		return img.ID() == value, nil
+		return strings.HasPrefix(img.ID(), value), nil
 	}
 }

 // filterDigest creates a digest filter for matching the specified value.
 func filterDigest(value string) (filterFunc, error) {
-	d, err := digest.Parse(value)
-	if err != nil {
-		return nil, fmt.Errorf("invalid value %q for digest filter: %w", value, err)
+	if !strings.HasPrefix(value, "sha256:") {
+		return nil, fmt.Errorf("invalid value %q for digest filter", value)
 	}
 	return func(img *Image) (bool, error) {
-		return img.hasDigest(d), nil
+		return img.containsDigestPrefix(value), nil
 	}, nil
 }

--- a/vendor/github.com/containers/common/libimage/image.go
+++ b/vendor/github.com/containers/common/libimage/image.go
@@ -169,6 +169,17 @@ func (i *Image) hasDigest(wantedDigest digest.Digest) bool {
 	return false
 }

+// containsDigestPrefix returns whether the specified value matches any digest of the
+// image. It checks for the prefix and not a full match.
+func (i *Image) containsDigestPrefix(wantedDigestPrefix string) bool {
+	for _, d := range i.Digests() {
+		if strings.HasPrefix(d.String(), wantedDigestPrefix) {
+			return true
+		}
+	}
+	return false
+}
+
 // IsReadOnly returns whether the image is set read only.
 func (i *Image) IsReadOnly() bool {
 	return i.storageImage.ReadOnly
--- a/vendor/github.com/containers/common/libimage/manifest_list.go
+++ b/vendor/github.com/containers/common/libimage/manifest_list.go
@@ -440,6 +440,8 @@ func (m *ManifestList) Push(ctx context.Context, destination string, options *Ma
 		SignSigstorePrivateKeyPassphrase: options.SignSigstorePrivateKeyPassphrase,
 		RemoveSignatures:                 options.RemoveSignatures,
 		ManifestType:                     options.ManifestMIMEType,
+		MaxRetries:                       options.MaxRetries,
+		RetryDelay:                       options.RetryDelay,
 		ForceCompressionFormat:           options.ForceCompressionFormat,
 	}

--- a/vendor/github.com/containers/common/libimage/manifests/manifests.go
+++ b/vendor/github.com/containers/common/libimage/manifests/manifests.go
@@ -6,8 +6,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"time"

 	"github.com/containers/common/pkg/manifests"
+	"github.com/containers/common/pkg/retry"
 	"github.com/containers/common/pkg/supplemented"
 	cp "github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/docker/reference"
@@ -27,6 +29,10 @@ import (
 	"github.com/sirupsen/logrus"
 )

+const (
+	defaultMaxRetries = 3
+)
+
 const instancesData = "instances.json"

 // LookupReferenceFunc return an image reference based on the specified one.
@@ -72,6 +78,11 @@ type PushOptions struct {
 	SourceFilter                     LookupReferenceFunc   // filter the list source
 	AddCompression                   []string              // add existing instances with requested compression algorithms to manifest list
 	ForceCompressionFormat           bool                  // force push with requested compression ignoring the blobs which can be reused.
+	// Maximum number of retries with exponential backoff when facing
+	// transient network errors. Default 3.
+	MaxRetries *uint
+	// RetryDelay used for the exponential back off of MaxRetries.
+	RetryDelay *time.Duration
 }

 // Create creates a new list containing information about the specified image,
@@ -262,16 +273,31 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
 		ForceCompressionFormat:           options.ForceCompressionFormat,
 	}

+	retryOptions := retry.Options{}
+	retryOptions.MaxRetry = defaultMaxRetries
+	if options.MaxRetries != nil {
+		retryOptions.MaxRetry = int(*options.MaxRetries)
+	}
+	if options.RetryDelay != nil {
+		retryOptions.Delay = *options.RetryDelay
+	}
+
 	// Copy whatever we were asked to copy.
-	manifestBytes, err := cp.Image(ctx, policyContext, dest, src, copyOptions)
-	if err != nil {
-		return nil, "", err
+	var manifestDigest digest.Digest
+	f := func() error {
+		opts := copyOptions
+		var manifestBytes []byte
+		var digest digest.Digest
+		var err error
+		if manifestBytes, err = cp.Image(ctx, policyContext, dest, src, opts); err == nil {
+			if digest, err = manifest.Digest(manifestBytes); err == nil {
+				manifestDigest = digest
+			}
+		}
+		return err
 	}
-	manifestDigest, err := manifest.Digest(manifestBytes)
-	if err != nil {
-		return nil, "", err
-	}
-	return nil, manifestDigest, nil
+	err = retry.IfNecessary(ctx, f, &retryOptions)
+	return nil, manifestDigest, err
 }

 func prepareAddWithCompression(variants []string) ([]cp.OptionCompressionVariant, error) {
--- a/vendor/github.com/containers/common/libnetwork/netavark/config.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/config.go
@@ -204,7 +204,10 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
 				}
 				// rust only support "true" or "false" while go can parse 1 and 0 as well so we need to change it
 				newNetwork.Options[types.NoDefaultRoute] = strconv.FormatBool(val)
-
+			case types.VRFOption:
+				if len(value) == 0 {
+					return nil, errors.New("invalid vrf name")
+				}
 			default:
 				return nil, fmt.Errorf("unsupported bridge network option %s", key)
 			}
--- a/vendor/github.com/containers/common/libnetwork/types/const.go
+++ b/vendor/github.com/containers/common/libnetwork/types/const.go
@@ -43,6 +43,7 @@ const (
 	MetricOption   = "metric"
 	NoDefaultRoute = "no_default_route"
 	BclimOption    = "bclim"
+	VRFOption      = "vrf"
 )

 type NetworkBackend string
--- a/vendor/github.com/containers/common/libnetwork/util/filters.go
+++ b/vendor/github.com/containers/common/libnetwork/util/filters.go
@@ -67,7 +67,7 @@ func createPruneFilterFuncs(key string, filterValues []string) (types.FilterFunc
 		}, nil
 	case "label!":
 		return func(net types.Network) bool {
-			return !filters.MatchLabelFilters(filterValues, net.Labels)
+			return filters.MatchNegatedLabelFilters(filterValues, net.Labels)
 		}, nil
 	case "until":
 		until, err := filters.ComputeUntilTimestamp(filterValues)
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -362,6 +362,35 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
 		}
 		*mounts = append(*mounts, m)
 	}
+
+	// Make sure we set the config to FIPS so that the container does not overwrite
+	// /etc/crypto-policies/back-ends when crypto-policies-scripts is reinstalled.
+	cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config")
+	file, err := os.Create(cryptoPoliciesConfigFile)
+	if err != nil {
+		return fmt.Errorf("creating fips config file in container for FIPS mode: %w", err)
+	}
+	defer file.Close()
+	if _, err := file.WriteString("FIPS\n"); err != nil {
+		return fmt.Errorf("writing fips config file in container for FIPS mode: %w", err)
+	}
+	if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {
+		return fmt.Errorf("applying correct labels on fips-config file: %w", err)
+	}
+	if err := file.Chown(uid, gid); err != nil {
+		return fmt.Errorf("chown fips-config file: %w", err)
+	}
+
+	policyConfig := "/etc/crypto-policies/config"
+	if !mountExists(*mounts, policyConfig) {
+		m := rspec.Mount{
+			Source:      cryptoPoliciesConfigFile,
+			Destination: policyConfig,
+			Type:        "bind",
+			Options:     []string{"bind", "rprivate"},
+		}
+		*mounts = append(*mounts, m)
+	}
 	return nil
 }

--- a/vendor/github.com/onsi/gomega/CHANGELOG.md
+++ b/vendor/github.com/onsi/gomega/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 1.28.0
+
+### Features
+- Add VerifyHost handler to ghttp (#698) [0b03b36]
+
+### Fixes
+- Read Body for Newer Responses in HaveHTTPBodyMatcher (#686) [18d6673]
+
+### Maintenance
+- Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0 (#693) [55a33f3]
+- Typo in matchers.go (#691) [de68e8f]
+- Bump commonmarker from 0.23.9 to 0.23.10 in /docs (#690) [ab17f5e]
+- chore: update test matrix for Go 1.21 (#689) [5069017]
+- Bump golang.org/x/net from 0.12.0 to 0.14.0 (#688) [babe25f]
+
 ## 1.27.10

 ### Fixes
--- a/vendor/github.com/onsi/gomega/gomega_dsl.go
+++ b/vendor/github.com/onsi/gomega/gomega_dsl.go
@@ -22,7 +22,7 @@ import (
 	"github.com/onsi/gomega/types"
 )

-const GOMEGA_VERSION = "1.27.10"
+const GOMEGA_VERSION = "1.28.0"

 const nilGomegaPanic = `You are trying to make an assertion, but haven't registered Gomega's fail handler.
 If you're using Ginkgo then you probably forgot to put your assertion in an It().
--- a/vendor/github.com/onsi/gomega/matchers.go
+++ b/vendor/github.com/onsi/gomega/matchers.go
@@ -94,7 +94,7 @@ func Succeed() types.GomegaMatcher {
 //
 //	Expect(err).Should(MatchError("an error")) //asserts that err.Error() == "an error"
 //	Expect(err).Should(MatchError(SomeError)) //asserts that err == SomeError (via reflect.DeepEqual)
-//	Expect(err).Should(MatchError(ContainSubstring("sprocket not found"))) // asserts that edrr.Error() contains substring "sprocket not found"
+//	Expect(err).Should(MatchError(ContainSubstring("sprocket not found"))) // asserts that err.Error() contains substring "sprocket not found"
 //
 // It is an error for err to be nil or an object that does not implement the
 // Error interface
--- a/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go
@@ -11,8 +11,9 @@ import (
 )

 type HaveHTTPBodyMatcher struct {
-	Expected   interface{}
-	cachedBody []byte
+	Expected       interface{}
+	cachedResponse interface{}
+	cachedBody     []byte
 }

 func (matcher *HaveHTTPBodyMatcher) Match(actual interface{}) (bool, error) {
@@ -73,7 +74,7 @@ func (matcher *HaveHTTPBodyMatcher) NegatedFailureMessage(actual interface{}) (m
 // the Reader is closed and it is not readable again in FailureMessage()
 // or NegatedFailureMessage()
 func (matcher *HaveHTTPBodyMatcher) body(actual interface{}) ([]byte, error) {
-	if matcher.cachedBody != nil {
+	if matcher.cachedResponse == actual && matcher.cachedBody != nil {
 		return matcher.cachedBody, nil
 	}

@@ -91,8 +92,10 @@ func (matcher *HaveHTTPBodyMatcher) body(actual interface{}) ([]byte, error) {

 	switch a := actual.(type) {
 	case *http.Response:
+		matcher.cachedResponse = a
 		return body(a)
 	case *httptest.ResponseRecorder:
+		matcher.cachedResponse = a
 		return body(a.Result())
 	default:
 		return nil, fmt.Errorf("HaveHTTPBody matcher expects *http.Response or *httptest.ResponseRecorder. Got:\n%s", format.Object(actual, 1))