| package containerd |
| |
| import ( |
| "context" |
| "encoding/json" |
| "strings" |
| "time" |
| |
| "github.com/containerd/containerd" |
| "github.com/containerd/containerd/content" |
| cerrdefs "github.com/containerd/containerd/errdefs" |
| "github.com/containerd/containerd/images" |
| "github.com/containerd/containerd/labels" |
| "github.com/containerd/containerd/platforms" |
| "github.com/docker/distribution/reference" |
| "github.com/docker/docker/api/types" |
| "github.com/docker/docker/api/types/filters" |
| timetypes "github.com/docker/docker/api/types/time" |
| "github.com/moby/buildkit/util/attestation" |
| "github.com/opencontainers/go-digest" |
| "github.com/opencontainers/image-spec/identity" |
| v1 "github.com/opencontainers/image-spec/specs-go/v1" |
| "github.com/pkg/errors" |
| "github.com/sirupsen/logrus" |
| ) |
| |
| var acceptedImageFilterTags = map[string]bool{ |
| "dangling": true, |
| "label": true, |
| "label!": true, |
| "before": true, |
| "since": true, |
| "reference": true, |
| "until": true, |
| } |
| |
| // Images returns a filtered list of images. |
| // |
| // TODO(thaJeztah): sort the results by created (descending); see https://github.com/moby/moby/issues/43848 |
| // TODO(thaJeztah): implement opts.ContainerCount (used for docker system df); see https://github.com/moby/moby/issues/43853 |
| // TODO(thaJeztah): add labels to results; see https://github.com/moby/moby/issues/43852 |
| // TODO(thaJeztah): verify behavior of `RepoDigests` and `RepoTags` for images without (untagged) or multiple tags; see https://github.com/moby/moby/issues/43861 |
| // TODO(thaJeztah): verify "Size" vs "VirtualSize" in images; see https://github.com/moby/moby/issues/43862 |
| func (i *ImageService) Images(ctx context.Context, opts types.ImageListOptions) ([]*types.ImageSummary, error) { |
| if err := opts.Filters.Validate(acceptedImageFilterTags); err != nil { |
| return nil, err |
| } |
| |
| listFilters, filter, err := i.setupFilters(ctx, opts.Filters) |
| if err != nil { |
| return nil, err |
| } |
| |
| imgs, err := i.client.ImageService().List(ctx, listFilters...) |
| if err != nil { |
| return nil, err |
| } |
| |
| // TODO(thaJeztah): do we need to take multiple snapshotters into account? See https://github.com/moby/moby/issues/45273 |
| snapshotter := i.client.SnapshotService(i.snapshotter) |
| sizeCache := make(map[digest.Digest]int64) |
| snapshotSizeFn := func(d digest.Digest) (int64, error) { |
| if s, ok := sizeCache[d]; ok { |
| return s, nil |
| } |
| usage, err := snapshotter.Usage(ctx, d.String()) |
| if err != nil { |
| return 0, err |
| } |
| sizeCache[d] = usage.Size |
| return usage.Size, nil |
| } |
| |
| var ( |
| summaries = make([]*types.ImageSummary, 0, len(imgs)) |
| root []*[]digest.Digest |
| layers map[digest.Digest]int |
| ) |
| if opts.SharedSize { |
| root = make([]*[]digest.Digest, 0, len(imgs)) |
| layers = make(map[digest.Digest]int) |
| } |
| |
| contentStore := i.client.ContentStore() |
| for _, img := range imgs { |
| if !filter(img) { |
| continue |
| } |
| |
| err := images.Walk(ctx, images.HandlerFunc(func(ctx context.Context, desc v1.Descriptor) ([]v1.Descriptor, error) { |
| if images.IsIndexType(desc.MediaType) { |
| return images.Children(ctx, contentStore, desc) |
| } |
| |
| if images.IsManifestType(desc.MediaType) { |
| // Ignore buildkit attestation manifests |
| // https://github.com/moby/buildkit/blob/v0.11.4/docs/attestations/attestation-storage.md |
| // This would have also been caught by the isImageManifest call below, but it requires |
| // an additional content read and deserialization of Manifest. |
| if _, has := desc.Annotations[attestation.DockerAnnotationReferenceType]; has { |
| return nil, nil |
| } |
| |
| mfst, err := images.Manifest(ctx, contentStore, desc, platforms.All) |
| if err != nil { |
| if cerrdefs.IsNotFound(err) { |
| return nil, nil |
| } |
| return nil, err |
| } |
| |
| if !isImageManifest(mfst) { |
| return nil, nil |
| } |
| |
| platform, err := getManifestPlatform(ctx, contentStore, desc, mfst.Config) |
| if err != nil { |
| if cerrdefs.IsNotFound(err) { |
| return nil, nil |
| } |
| return nil, err |
| } |
| |
| pm := platforms.OnlyStrict(platform) |
| available, _, _, missing, err := images.Check(ctx, contentStore, img.Target, pm) |
| if err != nil { |
| logrus.WithFields(logrus.Fields{ |
| logrus.ErrorKey: err, |
| "platform": platform, |
| "image": img.Target, |
| }).Warn("checking availability of platform content failed") |
| return nil, nil |
| } |
| if !available || len(missing) > 0 { |
| return nil, nil |
| } |
| |
| c8dImage := containerd.NewImageWithPlatform(i.client, img, pm) |
| image, chainIDs, err := i.singlePlatformImage(ctx, contentStore, c8dImage) |
| if err != nil { |
| return nil, err |
| } |
| |
| summaries = append(summaries, image) |
| |
| if opts.SharedSize { |
| root = append(root, &chainIDs) |
| for _, id := range chainIDs { |
| layers[id] = layers[id] + 1 |
| } |
| } |
| } |
| |
| return nil, nil |
| }), img.Target) |
| |
| if err != nil { |
| return nil, err |
| } |
| |
| } |
| |
| if opts.SharedSize { |
| for n, chainIDs := range root { |
| sharedSize, err := computeSharedSize(*chainIDs, layers, snapshotSizeFn) |
| if err != nil { |
| return nil, err |
| } |
| summaries[n].SharedSize = sharedSize |
| } |
| } |
| |
| return summaries, nil |
| } |
| |
| func (i *ImageService) singlePlatformImage(ctx context.Context, contentStore content.Store, image containerd.Image) (*types.ImageSummary, []digest.Digest, error) { |
| diffIDs, err := image.RootFS(ctx) |
| if err != nil { |
| return nil, nil, err |
| } |
| chainIDs := identity.ChainIDs(diffIDs) |
| |
| size, err := image.Size(ctx) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| // TODO(thaJeztah): do we need to take multiple snapshotters into account? See https://github.com/moby/moby/issues/45273 |
| snapshotter := i.client.SnapshotService(i.snapshotter) |
| sizeCache := make(map[digest.Digest]int64) |
| |
| snapshotSizeFn := func(d digest.Digest) (int64, error) { |
| if s, ok := sizeCache[d]; ok { |
| return s, nil |
| } |
| usage, err := snapshotter.Usage(ctx, d.String()) |
| if err != nil { |
| if cerrdefs.IsNotFound(err) { |
| return 0, nil |
| } |
| return 0, err |
| } |
| sizeCache[d] = usage.Size |
| return usage.Size, nil |
| } |
| snapshotSize, err := computeSnapshotSize(chainIDs, snapshotSizeFn) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| // totalSize is the size of the image's packed layers and snapshots |
| // (unpacked layers) combined. |
| totalSize := size + snapshotSize |
| |
| var repoTags, repoDigests []string |
| rawImg := image.Metadata() |
| target := rawImg.Target.Digest |
| |
| logger := logrus.WithFields(logrus.Fields{ |
| "name": rawImg.Name, |
| "digest": target, |
| }) |
| |
| ref, err := reference.ParseNamed(rawImg.Name) |
| if err != nil { |
| // If the image has unexpected name format (not a Named reference or a dangling image) |
| // add the offending name to RepoTags but also log an error to make it clear to the |
| // administrator that this is unexpected. |
| // TODO: Reconsider when containerd is more strict on image names, see: |
| // https://github.com/containerd/containerd/issues/7986 |
| if !isDanglingImage(rawImg) { |
| logger.WithError(err).Error("failed to parse image name as reference") |
| repoTags = append(repoTags, rawImg.Name) |
| } |
| } else { |
| repoTags = append(repoTags, reference.TagNameOnly(ref).String()) |
| |
| digested, err := reference.WithDigest(reference.TrimNamed(ref), target) |
| if err != nil { |
| logger.WithError(err).Error("failed to create digested reference") |
| } else { |
| repoDigests = append(repoDigests, digested.String()) |
| } |
| } |
| |
| summary := &types.ImageSummary{ |
| ParentID: "", |
| ID: target.String(), |
| Created: rawImg.CreatedAt.Unix(), |
| RepoDigests: repoDigests, |
| RepoTags: repoTags, |
| Size: totalSize, |
| VirtualSize: totalSize, //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44. |
| // -1 indicates that the value has not been set (avoids ambiguity |
| // between 0 (default) and "not set". We cannot use a pointer (nil) |
| // for this, as the JSON representation uses "omitempty", which would |
| // consider both "0" and "nil" to be "empty". |
| SharedSize: -1, |
| Containers: -1, |
| } |
| |
| return summary, chainIDs, nil |
| } |
| |
| type imageFilterFunc func(image images.Image) bool |
| |
| // setupFilters constructs an imageFilterFunc from the given imageFilters. |
| // |
| // containerdListFilters is a slice of filters which should be passed to ImageService.List() |
| // filterFunc is a function that checks whether given image matches the filters. |
| // TODO(thaJeztah): reimplement filters using containerd filters: see https://github.com/moby/moby/issues/43845 |
| func (i *ImageService) setupFilters(ctx context.Context, imageFilters filters.Args) ( |
| containerdListFilters []string, filterFunc imageFilterFunc, outErr error) { |
| |
| var fltrs []imageFilterFunc |
| err := imageFilters.WalkValues("before", func(value string) error { |
| ref, err := reference.ParseDockerRef(value) |
| if err != nil { |
| return err |
| } |
| img, err := i.client.GetImage(ctx, ref.String()) |
| if img != nil { |
| t := img.Metadata().CreatedAt |
| fltrs = append(fltrs, func(image images.Image) bool { |
| created := image.CreatedAt |
| return created.Equal(t) || created.After(t) |
| }) |
| } |
| return err |
| }) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| err = imageFilters.WalkValues("since", func(value string) error { |
| ref, err := reference.ParseDockerRef(value) |
| if err != nil { |
| return err |
| } |
| img, err := i.client.GetImage(ctx, ref.String()) |
| if img != nil { |
| t := img.Metadata().CreatedAt |
| fltrs = append(fltrs, func(image images.Image) bool { |
| created := image.CreatedAt |
| return created.Equal(t) || created.Before(t) |
| }) |
| } |
| return err |
| }) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| err = imageFilters.WalkValues("until", func(value string) error { |
| ts, err := timetypes.GetTimestamp(value, time.Now()) |
| if err != nil { |
| return err |
| } |
| seconds, nanoseconds, err := timetypes.ParseTimestamps(ts, 0) |
| if err != nil { |
| return err |
| } |
| until := time.Unix(seconds, nanoseconds) |
| |
| fltrs = append(fltrs, func(image images.Image) bool { |
| created := image.CreatedAt |
| return created.Before(until) |
| }) |
| return err |
| }) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| labelFn, err := setupLabelFilter(i.client.ContentStore(), imageFilters) |
| if err != nil { |
| return nil, nil, err |
| } |
| if labelFn != nil { |
| fltrs = append(fltrs, labelFn) |
| } |
| |
| if imageFilters.Contains("dangling") { |
| danglingValue, err := imageFilters.GetBoolOrDefault("dangling", false) |
| if err != nil { |
| return nil, nil, err |
| } |
| fltrs = append(fltrs, func(image images.Image) bool { |
| return danglingValue == isDanglingImage(image) |
| }) |
| } |
| |
| var listFilters []string |
| err = imageFilters.WalkValues("reference", func(value string) error { |
| ref, err := reference.ParseNormalizedNamed(value) |
| if err != nil { |
| return err |
| } |
| ref = reference.TagNameOnly(ref) |
| listFilters = append(listFilters, "name=="+ref.String()) |
| return nil |
| }) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| return listFilters, func(image images.Image) bool { |
| for _, filter := range fltrs { |
| if !filter(image) { |
| return false |
| } |
| } |
| return true |
| }, nil |
| } |
| |
| // setupLabelFilter parses filter args for "label" and "label!" and returns a |
| // filter func which will check if any image config from the given image has |
| // labels that match given predicates. |
| func setupLabelFilter(store content.Store, fltrs filters.Args) (func(image images.Image) bool, error) { |
| type labelCheck struct { |
| key string |
| value string |
| onlyExists bool |
| negate bool |
| } |
| |
| var checks []labelCheck |
| for _, fltrName := range []string{"label", "label!"} { |
| for _, l := range fltrs.Get(fltrName) { |
| k, v, found := strings.Cut(l, "=") |
| err := labels.Validate(k, v) |
| if err != nil { |
| return nil, err |
| } |
| |
| negate := strings.HasSuffix(fltrName, "!") |
| |
| // If filter value is key!=value then flip the above. |
| if strings.HasSuffix(k, "!") { |
| k = strings.TrimSuffix(k, "!") |
| negate = !negate |
| } |
| |
| checks = append(checks, labelCheck{ |
| key: k, |
| value: v, |
| onlyExists: !found, |
| negate: negate, |
| }) |
| } |
| } |
| |
| return func(image images.Image) bool { |
| ctx := context.TODO() |
| |
| // This is not an error, but a signal to Dispatch that it should stop |
| // processing more content (otherwise it will run for all children). |
| // It will be returned once a matching config is found. |
| errFoundConfig := errors.New("success, found matching config") |
| err := images.Dispatch(ctx, presentChildrenHandler(store, images.HandlerFunc(func(ctx context.Context, desc v1.Descriptor) (subdescs []v1.Descriptor, err error) { |
| if !images.IsConfigType(desc.MediaType) { |
| return nil, nil |
| } |
| // Subset of ocispec.Image that only contains Labels |
| var cfg struct { |
| Config struct { |
| Labels map[string]string `json:"Labels,omitempty"` |
| } `json:"Config,omitempty"` |
| } |
| if err := readConfig(ctx, store, desc, &cfg); err != nil { |
| return nil, err |
| } |
| |
| for _, check := range checks { |
| value, exists := cfg.Config.Labels[check.key] |
| |
| if check.onlyExists { |
| // label! given without value, check if doesn't exist |
| if check.negate { |
| // Label exists, config doesn't match |
| if exists { |
| return nil, nil |
| } |
| } else { |
| // Label should exist |
| if !exists { |
| // Label doesn't exist, config doesn't match |
| return nil, nil |
| } |
| } |
| continue |
| } else if !exists { |
| // We are checking value and label doesn't exist. |
| return nil, nil |
| } |
| |
| valueEquals := value == check.value |
| if valueEquals == check.negate { |
| return nil, nil |
| } |
| } |
| |
| // This config matches the filter so we need to shop this image, stop dispatch. |
| return nil, errFoundConfig |
| })), nil, image.Target) |
| |
| if err == errFoundConfig { |
| return true |
| } |
| if err != nil { |
| logrus.WithFields(logrus.Fields{ |
| logrus.ErrorKey: err, |
| "image": image.Name, |
| "checks": checks, |
| }).Error("failed to check image labels") |
| } |
| |
| return false |
| }, nil |
| } |
| |
| // computeSnapshotSize calculates the total size consumed by the snapshots |
| // for the given chainIDs. |
| func computeSnapshotSize(chainIDs []digest.Digest, sizeFn func(d digest.Digest) (int64, error)) (int64, error) { |
| var totalSize int64 |
| for _, chainID := range chainIDs { |
| size, err := sizeFn(chainID) |
| if err != nil { |
| return totalSize, err |
| } |
| totalSize += size |
| } |
| return totalSize, nil |
| } |
| |
| func computeSharedSize(chainIDs []digest.Digest, layers map[digest.Digest]int, sizeFn func(d digest.Digest) (int64, error)) (int64, error) { |
| var sharedSize int64 |
| for _, chainID := range chainIDs { |
| if layers[chainID] == 1 { |
| continue |
| } |
| size, err := sizeFn(chainID) |
| if err != nil { |
| return 0, err |
| } |
| sharedSize += size |
| } |
| return sharedSize, nil |
| } |
| |
| // getManifestPlatform returns a platform specified by the manifest descriptor |
| // or reads it from its config. |
| func getManifestPlatform(ctx context.Context, store content.Provider, manifestDesc, configDesc v1.Descriptor) (v1.Platform, error) { |
| var platform v1.Platform |
| if manifestDesc.Platform != nil { |
| platform = *manifestDesc.Platform |
| } else { |
| // Config is technically a v1.Image, but it has the same member as v1.Platform |
| // which makes the v1.Platform a subset of Image so we can unmarshal directly. |
| if err := readConfig(ctx, store, configDesc, &platform); err != nil { |
| return platform, err |
| } |
| } |
| return platforms.Normalize(platform), nil |
| } |
| |
| // isImageManifest returns true if the manifest has any layer that is a known image layer. |
| // Some manifests use the image media type for compatibility, even if they are not a real image. |
| func isImageManifest(mfst v1.Manifest) bool { |
| for _, l := range mfst.Layers { |
| if images.IsLayerType(l.MediaType) { |
| return true |
| } |
| } |
| return false |
| } |
| |
| // readConfig reads content pointed by the descriptor and unmarshals it into a specified output. |
| func readConfig(ctx context.Context, store content.Provider, desc v1.Descriptor, out interface{}) error { |
| data, err := content.ReadBlob(ctx, store, desc) |
| if err != nil { |
| return errors.Wrapf(err, "failed to read config content") |
| } |
| err = json.Unmarshal(data, out) |
| if err != nil { |
| return errors.Wrapf(err, "could not deserialize image config") |
| } |
| |
| return nil |
| } |