daemon/containerd/image_commit.go - third_party/github.com/moby/moby - Git at Google

 package containerd

 import (
 	"bytes"
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"runtime"
 	"strings"
 	"time"

 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/diff"
 	cerrdefs "github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/leases"
 	"github.com/containerd/containerd/rootfs"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	"github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )

 /*
 This code is based on `commit` support in nerdctl, under Apache License
 https://github.com/containerd/nerdctl/blob/master/pkg/imgutil/commit/commit.go
 with adaptations to match the Moby data model and services.
 */

 // CommitImage creates a new image from a commit config.
 func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig) (image.ID, error) {
 	container := i.containers.Get(cc.ContainerID)
 	cs := i.client.ContentStore()

 	imageManifest, err := getContainerImageManifest(container)
 	if err != nil {
 		return "", err
 	}

 	imageManifestBytes, err := content.ReadBlob(ctx, cs, imageManifest)
 	if err != nil {
 		return "", err
 	}

 	var manifest ocispec.Manifest
 	if err := json.Unmarshal(imageManifestBytes, &manifest); err != nil {
 		return "", err
 	}

 	imageConfigBytes, err := content.ReadBlob(ctx, cs, manifest.Config)
 	if err != nil {
 		return "", err
 	}
 	var ociimage ocispec.Image
 	if err := json.Unmarshal(imageConfigBytes, &ociimage); err != nil {
 		return "", err
 	}

 	var (
 		differ = i.client.DiffService()
 		sn     = i.client.SnapshotService(container.Driver)
 	)

 	// Don't gc me and clean the dirty data after 1 hour!
 	ctx, done, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
 	if err != nil {
 		return "", fmt.Errorf("failed to create lease for commit: %w", err)
 	}
 	defer done(ctx)

 	diffLayerDesc, diffID, err := createDiff(ctx, cc.ContainerID, sn, cs, differ)
 	if err != nil {
 		return "", fmt.Errorf("failed to export layer: %w", err)
 	}

 	imageConfig := generateCommitImageConfig(ociimage, diffID, cc)

 	rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()
 	if err := applyDiffLayer(ctx, rootfsID, ociimage, sn, differ, diffLayerDesc); err != nil {
 		return "", fmt.Errorf("failed to apply diff: %w", err)
 	}

 	layers := append(manifest.Layers, diffLayerDesc)
 	commitManifestDesc, err := writeContentsForImage(ctx, container.Driver, cs, imageConfig, layers)
 	if err != nil {
 		return "", err
 	}

 	// image create
 	img := images.Image{
 		Name:      danglingImageName(commitManifestDesc.Digest),
 		Target:    commitManifestDesc,
 		CreatedAt: time.Now(),
 	}

 	if _, err := i.client.ImageService().Update(ctx, img); err != nil {
 		if !cerrdefs.IsNotFound(err) {
 			return "", err
 		}

 		if _, err := i.client.ImageService().Create(ctx, img); err != nil {
 			return "", fmt.Errorf("failed to create new image: %w", err)
 		}
 	}
 	return image.ID(img.Target.Digest), nil
 }

 // generateCommitImageConfig generates an OCI Image config based on the
 // container's image and the CommitConfig options.
 func generateCommitImageConfig(baseConfig ocispec.Image, diffID digest.Digest, opts backend.CommitConfig) ocispec.Image {
 	if opts.Author == "" {
 		opts.Author = baseConfig.Author
 	}

 	createdTime := time.Now()
 	arch := baseConfig.Architecture
 	if arch == "" {
 		arch = runtime.GOARCH
 		logrus.Warnf("assuming arch=%q", arch)
 	}
 	os := baseConfig.OS
 	if os == "" {
 		os = runtime.GOOS
 		logrus.Warnf("assuming os=%q", os)
 	}
 	logrus.Debugf("generateCommitImageConfig(): arch=%q, os=%q", arch, os)
 	return ocispec.Image{
 		Architecture: arch,
 		OS:           os,
 		Created:      &createdTime,
 		Author:       opts.Author,
 		Config:       containerConfigToOciImageConfig(opts.Config),
 		RootFS: ocispec.RootFS{
 			Type:    "layers",
 			DiffIDs: append(baseConfig.RootFS.DiffIDs, diffID),
 		},
 		History: append(baseConfig.History, ocispec.History{
 			Created:    &createdTime,
 			CreatedBy:  strings.Join(opts.ContainerConfig.Cmd, " "),
 			Author:     opts.Author,
 			Comment:    opts.Comment,
 			EmptyLayer: diffID == "",
 		}),
 	}
 }

 // writeContentsForImage will commit oci image config and manifest into containerd's content store.
 func writeContentsForImage(ctx context.Context, snName string, cs content.Store, newConfig ocispec.Image, layers []ocispec.Descriptor) (ocispec.Descriptor, error) {
 	newConfigJSON, err := json.Marshal(newConfig)
 	if err != nil {
 		return ocispec.Descriptor{}, err
 	}

 	configDesc := ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageConfig,
 		Digest:    digest.FromBytes(newConfigJSON),
 		Size:      int64(len(newConfigJSON)),
 	}

 	newMfst := struct {
 		MediaType string `json:"mediaType,omitempty"`
 		ocispec.Manifest
 	}{
 		MediaType: ocispec.MediaTypeImageManifest,
 		Manifest: ocispec.Manifest{
 			Versioned: specs.Versioned{
 				SchemaVersion: 2,
 			},
 			Config: configDesc,
 			Layers: layers,
 		},
 	}

 	newMfstJSON, err := json.MarshalIndent(newMfst, "", "    ")
 	if err != nil {
 		return ocispec.Descriptor{}, err
 	}

 	newMfstDesc := ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageManifest,
 		Digest:    digest.FromBytes(newMfstJSON),
 		Size:      int64(len(newMfstJSON)),
 	}

 	// new manifest should reference the layers and config content
 	labels := map[string]string{
 		"containerd.io/gc.ref.content.0": configDesc.Digest.String(),
 	}
 	for i, l := range layers {
 		labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i+1)] = l.Digest.String()
 	}

 	err = content.WriteBlob(ctx, cs, newMfstDesc.Digest.String(), bytes.NewReader(newMfstJSON), newMfstDesc, content.WithLabels(labels))
 	if err != nil {
 		return ocispec.Descriptor{}, err
 	}

 	// config should reference to snapshotter
 	labelOpt := content.WithLabels(map[string]string{
 		fmt.Sprintf("containerd.io/gc.ref.snapshot.%s", snName): identity.ChainID(newConfig.RootFS.DiffIDs).String(),
 	})
 	err = content.WriteBlob(ctx, cs, configDesc.Digest.String(), bytes.NewReader(newConfigJSON), configDesc, labelOpt)
 	if err != nil {
 		return ocispec.Descriptor{}, err
 	}

 	return newMfstDesc, nil
 }

 // createDiff creates a layer diff into containerd's content store.
 func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (ocispec.Descriptor, digest.Digest, error) {
 	newDesc, err := rootfs.CreateDiff(ctx, name, sn, comparer)
 	if err != nil {
 		return ocispec.Descriptor{}, "", err
 	}

 	info, err := cs.Info(ctx, newDesc.Digest)
 	if err != nil {
 		return ocispec.Descriptor{}, "", err
 	}

 	diffIDStr, ok := info.Labels["containerd.io/uncompressed"]
 	if !ok {
 		return ocispec.Descriptor{}, "", fmt.Errorf("invalid differ response with no diffID")
 	}

 	diffID, err := digest.Parse(diffIDStr)
 	if err != nil {
 		return ocispec.Descriptor{}, "", err
 	}

 	return ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageLayerGzip,
 		Digest:    newDesc.Digest,
 		Size:      info.Size,
 	}, diffID, nil
 }

 // applyDiffLayer will apply diff layer content created by createDiff into the snapshotter.
 func applyDiffLayer(ctx context.Context, name string, baseImg ocispec.Image, sn snapshots.Snapshotter, differ diff.Applier, diffDesc ocispec.Descriptor) (retErr error) {
 	var (
 		key    = uniquePart() + "-" + name
 		parent = identity.ChainID(baseImg.RootFS.DiffIDs).String()
 	)

 	mount, err := sn.Prepare(ctx, key, parent)
 	if err != nil {
 		return err
 	}

 	defer func() {
 		if retErr != nil {
 			// NOTE: the snapshotter should be hold by lease. Even
 			// if the cleanup fails, the containerd gc can delete it.
 			if err := sn.Remove(ctx, key); err != nil {
 				logrus.Warnf("failed to cleanup aborted apply %s: %s", key, err)
 			}
 		}
 	}()

 	if _, err = differ.Apply(ctx, diffDesc, mount); err != nil {
 		return err
 	}

 	if err = sn.Commit(ctx, name, key); err != nil {
 		if cerrdefs.IsAlreadyExists(err) {
 			return nil
 		}
 		return err
 	}
 	return nil
 }

 // copied from github.com/containerd/containerd/rootfs/apply.go
 func uniquePart() string {
 	t := time.Now()
 	var b [3]byte
 	// Ignore read failures, just decreases uniqueness
 	rand.Read(b[:])
 	return fmt.Sprintf("%d-%s", t.Nanosecond(), base64.URLEncoding.EncodeToString(b[:]))
 }

 // CommitBuildStep is used by the builder to create an image for each step in
 // the build.
 //
 // This method is different from CreateImageFromContainer:
 //   - it doesn't attempt to validate container state
 //   - it doesn't send a commit action to metrics
 //   - it doesn't log a container commit event
 //
 // This is a temporary shim. Should be removed when builder stops using commit.
 func (i *ImageService) CommitBuildStep(ctx context.Context, c backend.CommitConfig) (image.ID, error) {
 	return "", errdefs.NotImplemented(errors.New("not implemented"))
 }
	package containerd

	import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"runtime"
	"strings"
	"time"

	"github.com/containerd/containerd/content"
	"github.com/containerd/containerd/diff"
	cerrdefs "github.com/containerd/containerd/errdefs"
	"github.com/containerd/containerd/images"
	"github.com/containerd/containerd/leases"
	"github.com/containerd/containerd/rootfs"
	"github.com/containerd/containerd/snapshots"
	"github.com/docker/docker/api/types/backend"
	"github.com/docker/docker/errdefs"
	"github.com/docker/docker/image"
	"github.com/opencontainers/go-digest"
	"github.com/opencontainers/image-spec/identity"
	"github.com/opencontainers/image-spec/specs-go"
	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
	"github.com/sirupsen/logrus"
	)

	/*
	This code is based on `commit` support in nerdctl, under Apache License
	https://github.com/containerd/nerdctl/blob/master/pkg/imgutil/commit/commit.go
	with adaptations to match the Moby data model and services.
	*/

	// CommitImage creates a new image from a commit config.
	func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig) (image.ID, error) {
	container := i.containers.Get(cc.ContainerID)
	cs := i.client.ContentStore()

	imageManifest, err := getContainerImageManifest(container)
	if err != nil {
	return "", err
	}

	imageManifestBytes, err := content.ReadBlob(ctx, cs, imageManifest)
	if err != nil {
	return "", err
	}

	var manifest ocispec.Manifest
	if err := json.Unmarshal(imageManifestBytes, &manifest); err != nil {
	return "", err
	}

	imageConfigBytes, err := content.ReadBlob(ctx, cs, manifest.Config)
	if err != nil {
	return "", err
	}
	var ociimage ocispec.Image
	if err := json.Unmarshal(imageConfigBytes, &ociimage); err != nil {
	return "", err
	}

	var (
	differ = i.client.DiffService()
	sn = i.client.SnapshotService(container.Driver)
	)

	// Don't gc me and clean the dirty data after 1 hour!
	ctx, done, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
	if err != nil {
	return "", fmt.Errorf("failed to create lease for commit: %w", err)
	}
	defer done(ctx)

	diffLayerDesc, diffID, err := createDiff(ctx, cc.ContainerID, sn, cs, differ)
	if err != nil {
	return "", fmt.Errorf("failed to export layer: %w", err)
	}

	imageConfig := generateCommitImageConfig(ociimage, diffID, cc)

	rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()
	if err := applyDiffLayer(ctx, rootfsID, ociimage, sn, differ, diffLayerDesc); err != nil {
	return "", fmt.Errorf("failed to apply diff: %w", err)
	}

	layers := append(manifest.Layers, diffLayerDesc)
	commitManifestDesc, err := writeContentsForImage(ctx, container.Driver, cs, imageConfig, layers)
	if err != nil {
	return "", err
	}

	// image create
	img := images.Image{
	Name: danglingImageName(commitManifestDesc.Digest),
	Target: commitManifestDesc,
	CreatedAt: time.Now(),
	}

	if _, err := i.client.ImageService().Update(ctx, img); err != nil {
	if !cerrdefs.IsNotFound(err) {
	return "", err
	}

	if _, err := i.client.ImageService().Create(ctx, img); err != nil {
	return "", fmt.Errorf("failed to create new image: %w", err)
	}
	}
	return image.ID(img.Target.Digest), nil
	}

	// generateCommitImageConfig generates an OCI Image config based on the
	// container's image and the CommitConfig options.
	func generateCommitImageConfig(baseConfig ocispec.Image, diffID digest.Digest, opts backend.CommitConfig) ocispec.Image {
	if opts.Author == "" {
	opts.Author = baseConfig.Author
	}

	createdTime := time.Now()
	arch := baseConfig.Architecture
	if arch == "" {
	arch = runtime.GOARCH
	logrus.Warnf("assuming arch=%q", arch)
	}
	os := baseConfig.OS
	if os == "" {
	os = runtime.GOOS
	logrus.Warnf("assuming os=%q", os)
	}
	logrus.Debugf("generateCommitImageConfig(): arch=%q, os=%q", arch, os)
	return ocispec.Image{
	Architecture: arch,
	OS: os,
	Created: &createdTime,
	Author: opts.Author,
	Config: containerConfigToOciImageConfig(opts.Config),
	RootFS: ocispec.RootFS{
	Type: "layers",
	DiffIDs: append(baseConfig.RootFS.DiffIDs, diffID),
	},
	History: append(baseConfig.History, ocispec.History{
	Created: &createdTime,
	CreatedBy: strings.Join(opts.ContainerConfig.Cmd, " "),
	Author: opts.Author,
	Comment: opts.Comment,
	EmptyLayer: diffID == "",
	}),
	}
	}

	// writeContentsForImage will commit oci image config and manifest into containerd's content store.
	func writeContentsForImage(ctx context.Context, snName string, cs content.Store, newConfig ocispec.Image, layers []ocispec.Descriptor) (ocispec.Descriptor, error) {
	newConfigJSON, err := json.Marshal(newConfig)
	if err != nil {
	return ocispec.Descriptor{}, err
	}

	configDesc := ocispec.Descriptor{
	MediaType: ocispec.MediaTypeImageConfig,
	Digest: digest.FromBytes(newConfigJSON),
	Size: int64(len(newConfigJSON)),
	}

	newMfst := struct {
	MediaType string `json:"mediaType,omitempty"`
	ocispec.Manifest
	}{
	MediaType: ocispec.MediaTypeImageManifest,
	Manifest: ocispec.Manifest{
	Versioned: specs.Versioned{
	SchemaVersion: 2,
	},
	Config: configDesc,
	Layers: layers,
	},
	}

	newMfstJSON, err := json.MarshalIndent(newMfst, "", " ")
	if err != nil {
	return ocispec.Descriptor{}, err
	}

	newMfstDesc := ocispec.Descriptor{
	MediaType: ocispec.MediaTypeImageManifest,
	Digest: digest.FromBytes(newMfstJSON),
	Size: int64(len(newMfstJSON)),
	}

	// new manifest should reference the layers and config content
	labels := map[string]string{
	"containerd.io/gc.ref.content.0": configDesc.Digest.String(),
	}
	for i, l := range layers {
	labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i+1)] = l.Digest.String()
	}

	err = content.WriteBlob(ctx, cs, newMfstDesc.Digest.String(), bytes.NewReader(newMfstJSON), newMfstDesc, content.WithLabels(labels))
	if err != nil {
	return ocispec.Descriptor{}, err
	}

	// config should reference to snapshotter
	labelOpt := content.WithLabels(map[string]string{
	fmt.Sprintf("containerd.io/gc.ref.snapshot.%s", snName): identity.ChainID(newConfig.RootFS.DiffIDs).String(),
	})
	err = content.WriteBlob(ctx, cs, configDesc.Digest.String(), bytes.NewReader(newConfigJSON), configDesc, labelOpt)
	if err != nil {
	return ocispec.Descriptor{}, err
	}

	return newMfstDesc, nil
	}

	// createDiff creates a layer diff into containerd's content store.
	func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (ocispec.Descriptor, digest.Digest, error) {
	newDesc, err := rootfs.CreateDiff(ctx, name, sn, comparer)
	if err != nil {
	return ocispec.Descriptor{}, "", err
	}

	info, err := cs.Info(ctx, newDesc.Digest)
	if err != nil {
	return ocispec.Descriptor{}, "", err
	}

	diffIDStr, ok := info.Labels["containerd.io/uncompressed"]
	if !ok {
	return ocispec.Descriptor{}, "", fmt.Errorf("invalid differ response with no diffID")
	}

	diffID, err := digest.Parse(diffIDStr)
	if err != nil {
	return ocispec.Descriptor{}, "", err
	}

	return ocispec.Descriptor{
	MediaType: ocispec.MediaTypeImageLayerGzip,
	Digest: newDesc.Digest,
	Size: info.Size,
	}, diffID, nil
	}

	// applyDiffLayer will apply diff layer content created by createDiff into the snapshotter.
	func applyDiffLayer(ctx context.Context, name string, baseImg ocispec.Image, sn snapshots.Snapshotter, differ diff.Applier, diffDesc ocispec.Descriptor) (retErr error) {
	var (
	key = uniquePart() + "-" + name
	parent = identity.ChainID(baseImg.RootFS.DiffIDs).String()
	)

	mount, err := sn.Prepare(ctx, key, parent)
	if err != nil {
	return err
	}

	defer func() {
	if retErr != nil {
	// NOTE: the snapshotter should be hold by lease. Even
	// if the cleanup fails, the containerd gc can delete it.
	if err := sn.Remove(ctx, key); err != nil {
	logrus.Warnf("failed to cleanup aborted apply %s: %s", key, err)
	}
	}
	}()

	if _, err = differ.Apply(ctx, diffDesc, mount); err != nil {
	return err
	}

	if err = sn.Commit(ctx, name, key); err != nil {
	if cerrdefs.IsAlreadyExists(err) {
	return nil
	}
	return err
	}
	return nil
	}

	// copied from github.com/containerd/containerd/rootfs/apply.go
	func uniquePart() string {
	t := time.Now()
	var b [3]byte
	// Ignore read failures, just decreases uniqueness
	rand.Read(b[:])
	return fmt.Sprintf("%d-%s", t.Nanosecond(), base64.URLEncoding.EncodeToString(b[:]))
	}

	// CommitBuildStep is used by the builder to create an image for each step in
	// the build.
	//
	// This method is different from CreateImageFromContainer:
	// - it doesn't attempt to validate container state
	// - it doesn't send a commit action to metrics
	// - it doesn't log a container commit event
	//
	// This is a temporary shim. Should be removed when builder stops using commit.
	func (i *ImageService) CommitBuildStep(ctx context.Context, c backend.CommitConfig) (image.ID, error) {
	return "", errdefs.NotImplemented(errors.New("not implemented"))
	}