Merge pull request from GHSA-xw73-rw38-6vjc
[24.0 backport] image/cache: Restrict cache candidates to locally built images
diff --git a/builder/builder.go b/builder/builder.go
index d3521dd..79ba19d 100644
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -15,6 +15,7 @@
"github.com/docker/docker/image"
"github.com/docker/docker/layer"
"github.com/opencontainers/go-digest"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
const (
@@ -89,7 +90,7 @@
type ImageCache interface {
// GetCache returns a reference to a cached image whose parent equals `parent`
// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
- GetCache(parentID string, cfg *container.Config) (imageID string, err error)
+ GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)
}
// Image represents a Docker image used by the builder.
diff --git a/builder/dockerfile/copy.go b/builder/dockerfile/copy.go
index 7919c97..f22b19a 100644
--- a/builder/dockerfile/copy.go
+++ b/builder/dockerfile/copy.go
@@ -8,7 +8,6 @@
"net/url"
"os"
"path/filepath"
- "runtime"
"sort"
"strings"
"time"
@@ -74,7 +73,7 @@
source builder.Source
pathCache pathCache
download sourceDownloader
- platform *ocispec.Platform
+ platform ocispec.Platform
// for cleanup. TODO: having copier.cleanup() is error prone and hard to
// follow. Code calling performCopy should manage the lifecycle of its params.
// Copier should take override source as input, not imageMount.
@@ -83,19 +82,7 @@
}
func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
- platform := req.builder.platform
- if platform == nil {
- // May be nil if not explicitly set in API/dockerfile
- platform = &ocispec.Platform{}
- }
- if platform.OS == "" {
- // Default to the dispatch requests operating system if not explicit in API/dockerfile
- platform.OS = req.state.operatingSystem
- }
- if platform.OS == "" {
- // This is a failsafe just in case. Shouldn't be hit.
- platform.OS = runtime.GOOS
- }
+ platform := req.builder.getPlatform(req.state)
return copier{
source: req.source,
diff --git a/builder/dockerfile/dispatchers.go b/builder/dockerfile/dispatchers.go
index 6634567..508e397 100644
--- a/builder/dockerfile/dispatchers.go
+++ b/builder/dockerfile/dispatchers.go
@@ -349,9 +349,16 @@
saveCmd = prependEnvOnCmd(d.state.buildArgs, buildArgs, cmdFromArgs)
}
+ cacheArgsEscaped := argsEscaped
+ // ArgsEscaped is not persisted in the committed image on Windows.
+ // Use the original from previous build steps for cache probing.
+ if d.state.operatingSystem == "windows" {
+ cacheArgsEscaped = stateRunConfig.ArgsEscaped
+ }
+
runConfigForCacheProbe := copyRunConfig(stateRunConfig,
withCmd(saveCmd),
- withArgsEscaped(argsEscaped),
+ withArgsEscaped(cacheArgsEscaped),
withEntrypointOverride(saveCmd, nil))
if hit, err := d.builder.probeCache(d.state, runConfigForCacheProbe); err != nil || hit {
return err
diff --git a/builder/dockerfile/imageprobe.go b/builder/dockerfile/imageprobe.go
index 5ef6221..8023bf3 100644
--- a/builder/dockerfile/imageprobe.go
+++ b/builder/dockerfile/imageprobe.go
@@ -5,6 +5,7 @@
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/builder"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/sirupsen/logrus"
)
@@ -12,7 +13,7 @@
// cache.
type ImageProber interface {
Reset(ctx context.Context) error
- Probe(parentID string, runConfig *container.Config) (string, error)
+ Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)
}
type resetFunc func(context.Context) (builder.ImageCache, error)
@@ -51,11 +52,11 @@
// Probe checks if cache match can be found for current build instruction.
// It returns the cachedID if there is a hit, and the empty string on miss
-func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
+func (c *imageProber) Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error) {
if c.cacheBusted {
return "", nil
}
- cacheID, err := c.cache.GetCache(parentID, runConfig)
+ cacheID, err := c.cache.GetCache(parentID, runConfig, platform)
if err != nil {
return "", err
}
@@ -74,6 +75,6 @@
return nil
}
-func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
+func (c *nopProber) Probe(_ string, _ *container.Config, _ ocispec.Platform) (string, error) {
return "", nil
}
diff --git a/builder/dockerfile/internals.go b/builder/dockerfile/internals.go
index 050deb1..42c17f8 100644
--- a/builder/dockerfile/internals.go
+++ b/builder/dockerfile/internals.go
@@ -10,6 +10,7 @@
"fmt"
"strings"
+ "github.com/containerd/containerd/platforms"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/api/types/container"
@@ -328,7 +329,7 @@
}
func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
- cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
+ cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig, b.getPlatform(dispatchState))
if cachedID == "" || err != nil {
return false, err
}
@@ -388,3 +389,17 @@
}
return hc
}
+
+func (b *Builder) getPlatform(state *dispatchState) ocispec.Platform {
+ // May be nil if not explicitly set in API/dockerfile
+ out := platforms.DefaultSpec()
+ if b.platform != nil {
+ out = *b.platform
+ }
+
+ if state.operatingSystem != "" {
+ out.OS = state.operatingSystem
+ }
+
+ return out
+}
diff --git a/builder/dockerfile/mockbackend_test.go b/builder/dockerfile/mockbackend_test.go
index a9e43e9..a561c7d 100644
--- a/builder/dockerfile/mockbackend_test.go
+++ b/builder/dockerfile/mockbackend_test.go
@@ -14,6 +14,7 @@
"github.com/docker/docker/image"
"github.com/docker/docker/layer"
"github.com/opencontainers/go-digest"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
// MockBackend implements the builder.Backend interface for unit testing
@@ -111,7 +112,7 @@
getCacheFunc func(parentID string, cfg *container.Config) (string, error)
}
-func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
+func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config, _ ocispec.Platform) (string, error) {
if mic.getCacheFunc != nil {
return mic.getCacheFunc(parentID, cfg)
}
diff --git a/daemon/containerd/cache.go b/daemon/containerd/cache.go
index 5e696c5..4bab9c1 100644
--- a/daemon/containerd/cache.go
+++ b/daemon/containerd/cache.go
@@ -8,7 +8,9 @@
"github.com/docker/docker/api/types/container"
imagetype "github.com/docker/docker/api/types/image"
"github.com/docker/docker/builder"
+ "github.com/docker/docker/errdefs"
"github.com/docker/docker/image"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
// MakeImageCache creates a stateful image cache.
@@ -29,7 +31,7 @@
c *ImageService
}
-func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID string, err error) {
+func (ic *imageCache) GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error) {
ctx := context.TODO()
if parentID == "" {
@@ -37,8 +39,11 @@
return "", nil
}
- parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{})
+ parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{Platform: &platform})
if err != nil {
+ if errdefs.IsNotFound(err) {
+ return "", nil
+ }
return "", err
}
@@ -54,8 +59,11 @@
}
for _, children := range children {
- childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{})
+ childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{Platform: &platform})
if err != nil {
+ if errdefs.IsNotFound(err) {
+ continue
+ }
return "", err
}
diff --git a/daemon/images/image_builder.go b/daemon/images/image_builder.go
index 9569651..fd6e535 100644
--- a/daemon/images/image_builder.go
+++ b/daemon/images/image_builder.go
@@ -257,6 +257,9 @@
return nil, errors.Wrapf(err, "failed to set parent %s", parent)
}
}
+ if err := i.imageStore.SetBuiltLocally(id); err != nil {
+ return nil, errors.Wrapf(err, "failed to mark image %s as built locally", id)
+ }
return i.imageStore.Get(id)
}
diff --git a/daemon/images/image_commit.go b/daemon/images/image_commit.go
index f620b41..00ce4fb 100644
--- a/daemon/images/image_commit.go
+++ b/daemon/images/image_commit.go
@@ -62,6 +62,9 @@
if err != nil {
return "", err
}
+ if err := i.imageStore.SetBuiltLocally(id); err != nil {
+ return "", err
+ }
if c.ParentImageID != "" {
if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {
diff --git a/image/cache/cache.go b/image/cache/cache.go
index 6d3f4c5..ee89a17 100644
--- a/image/cache/cache.go
+++ b/image/cache/cache.go
@@ -6,11 +6,14 @@
"reflect"
"strings"
+ "github.com/containerd/containerd/platforms"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/dockerversion"
"github.com/docker/docker/image"
"github.com/docker/docker/layer"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// NewLocal returns a local image cache, based on parent chain
@@ -26,8 +29,8 @@
}
// GetCache returns the image id found in the cache
-func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config) (string, error) {
- return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config))
+func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config, platform ocispec.Platform) (string, error) {
+ return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config, platform))
}
// New returns an image cache, based on history objects
@@ -51,8 +54,8 @@
}
// GetCache returns the image id found in the cache
-func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config) (string, error) {
- imgID, err := ic.localImageCache.GetCache(parentID, cfg)
+func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config, platform ocispec.Platform) (string, error) {
+ imgID, err := ic.localImageCache.GetCache(parentID, cfg, platform)
if err != nil {
return "", err
}
@@ -215,7 +218,23 @@
// of the image with imgID, that had the same config when it was
// created. nil is returned if a child cannot be found. An error is
// returned if the parent image cannot be found.
-func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config) (*image.Image, error) {
+func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config, platform ocispec.Platform) (*image.Image, error) {
+ if config == nil {
+ return nil, nil
+ }
+
+ isBuiltLocally := func(id image.ID) bool {
+ builtLocally, err := imageStore.IsBuiltLocally(id)
+ if err != nil {
+ logrus.WithFields(logrus.Fields{
+ "error": err,
+ "id": id,
+ }).Warn("failed to check if image was built locally")
+ return false
+ }
+ return builtLocally
+ }
+
// Loop on the children of the given image and check the config
getMatch := func(siblings []image.ID) (*image.Image, error) {
var match *image.Image
@@ -225,6 +244,25 @@
return nil, fmt.Errorf("unable to find image %q", id)
}
+ if !isBuiltLocally(id) {
+ continue
+ }
+
+ imgPlatform := ocispec.Platform{
+ Architecture: img.Architecture,
+ OS: img.OS,
+ OSVersion: img.OSVersion,
+ OSFeatures: img.OSFeatures,
+ Variant: img.Variant,
+ }
+ // Discard old linux/amd64 images with empty platform.
+ if imgPlatform.OS == "" && imgPlatform.Architecture == "" {
+ continue
+ }
+ if !platforms.OnlyStrict(platform).Match(imgPlatform) {
+ continue
+ }
+
if compare(&img.ContainerConfig, config) {
// check for the most up to date match
if match == nil || match.Created.Before(img.Created) {
@@ -238,11 +276,29 @@
// In this case, this is `FROM scratch`, which isn't an actual image.
if imgID == "" {
images := imageStore.Map()
+
var siblings []image.ID
for id, img := range images {
- if img.Parent == imgID {
- siblings = append(siblings, id)
+ if img.Parent != "" {
+ continue
}
+
+ if !isBuiltLocally(id) {
+ continue
+ }
+
+ // Do a quick initial filter on the Cmd to avoid adding all
+ // non-local images with empty parent to the siblings slice and
+ // performing a full config compare.
+ //
+ // config.Cmd is set to the current Dockerfile instruction so we
+ // check it against the img.ContainerConfig.Cmd which is the
+ // command of the last layer.
+ if !strSliceEqual(img.ContainerConfig.Cmd, config.Cmd) {
+ continue
+ }
+
+ siblings = append(siblings, id)
}
return getMatch(siblings)
}
@@ -251,3 +307,15 @@
siblings := imageStore.Children(imgID)
return getMatch(siblings)
}
+
+func strSliceEqual(a, b []string) bool {
+ if len(a) != len(b) {
+ return false
+ }
+ for i := 0; i < len(a); i++ {
+ if a[i] != b[i] {
+ return false
+ }
+ }
+ return true
+}
diff --git a/image/cache/compare.go b/image/cache/compare.go
index e31e9c8..d438b65 100644
--- a/image/cache/compare.go
+++ b/image/cache/compare.go
@@ -4,42 +4,69 @@
"github.com/docker/docker/api/types/container"
)
-// compare two Config struct. Do not compare the "Image" nor "Hostname" fields
-// If OpenStdin is set, then it differs
+// TODO: Remove once containerd image service directly uses the ImageCache and
+// LocalImageCache structs.
+func CompareConfig(a, b *container.Config) bool {
+ return compare(a, b)
+}
+
+// compare two Config struct. Do not container-specific fields:
+// - Image
+// - Hostname
+// - Domainname
+// - MacAddress
func compare(a, b *container.Config) bool {
- if a == nil || b == nil ||
- a.OpenStdin || b.OpenStdin {
- return false
- }
- if a.AttachStdout != b.AttachStdout ||
- a.AttachStderr != b.AttachStderr ||
- a.User != b.User ||
- a.OpenStdin != b.OpenStdin ||
- a.Tty != b.Tty {
+ if a == nil || b == nil {
return false
}
- if len(a.Cmd) != len(b.Cmd) ||
- len(a.Env) != len(b.Env) ||
- len(a.Labels) != len(b.Labels) ||
- len(a.ExposedPorts) != len(b.ExposedPorts) ||
- len(a.Entrypoint) != len(b.Entrypoint) ||
- len(a.Volumes) != len(b.Volumes) {
+ if len(a.Env) != len(b.Env) {
+ return false
+ }
+ if len(a.Cmd) != len(b.Cmd) {
+ return false
+ }
+ if len(a.Entrypoint) != len(b.Entrypoint) {
+ return false
+ }
+ if len(a.Shell) != len(b.Shell) {
+ return false
+ }
+ if len(a.ExposedPorts) != len(b.ExposedPorts) {
+ return false
+ }
+ if len(a.Volumes) != len(b.Volumes) {
+ return false
+ }
+ if len(a.Labels) != len(b.Labels) {
+ return false
+ }
+ if len(a.OnBuild) != len(b.OnBuild) {
return false
}
- for i := 0; i < len(a.Cmd); i++ {
- if a.Cmd[i] != b.Cmd[i] {
- return false
- }
- }
for i := 0; i < len(a.Env); i++ {
if a.Env[i] != b.Env[i] {
return false
}
}
- for k, v := range a.Labels {
- if v != b.Labels[k] {
+ for i := 0; i < len(a.OnBuild); i++ {
+ if a.OnBuild[i] != b.OnBuild[i] {
+ return false
+ }
+ }
+ for i := 0; i < len(a.Cmd); i++ {
+ if a.Cmd[i] != b.Cmd[i] {
+ return false
+ }
+ }
+ for i := 0; i < len(a.Entrypoint); i++ {
+ if a.Entrypoint[i] != b.Entrypoint[i] {
+ return false
+ }
+ }
+ for i := 0; i < len(a.Shell); i++ {
+ if a.Shell[i] != b.Shell[i] {
return false
}
}
@@ -48,16 +75,84 @@
return false
}
}
-
- for i := 0; i < len(a.Entrypoint); i++ {
- if a.Entrypoint[i] != b.Entrypoint[i] {
- return false
- }
- }
for key := range a.Volumes {
if _, exists := b.Volumes[key]; !exists {
return false
}
}
+ for k, v := range a.Labels {
+ if v != b.Labels[k] {
+ return false
+ }
+ }
+
+ if a.AttachStdin != b.AttachStdin {
+ return false
+ }
+ if a.AttachStdout != b.AttachStdout {
+ return false
+ }
+ if a.AttachStderr != b.AttachStderr {
+ return false
+ }
+ if a.NetworkDisabled != b.NetworkDisabled {
+ return false
+ }
+ if a.Tty != b.Tty {
+ return false
+ }
+ if a.OpenStdin != b.OpenStdin {
+ return false
+ }
+ if a.StdinOnce != b.StdinOnce {
+ return false
+ }
+ if a.ArgsEscaped != b.ArgsEscaped {
+ return false
+ }
+ if a.User != b.User {
+ return false
+ }
+ if a.WorkingDir != b.WorkingDir {
+ return false
+ }
+ if a.StopSignal != b.StopSignal {
+ return false
+ }
+
+ if (a.StopTimeout == nil) != (b.StopTimeout == nil) {
+ return false
+ }
+ if a.StopTimeout != nil && b.StopTimeout != nil {
+ if *a.StopTimeout != *b.StopTimeout {
+ return false
+ }
+ }
+ if (a.Healthcheck == nil) != (b.Healthcheck == nil) {
+ return false
+ }
+ if a.Healthcheck != nil && b.Healthcheck != nil {
+ if a.Healthcheck.Interval != b.Healthcheck.Interval {
+ return false
+ }
+ if a.Healthcheck.StartPeriod != b.Healthcheck.StartPeriod {
+ return false
+ }
+ if a.Healthcheck.Timeout != b.Healthcheck.Timeout {
+ return false
+ }
+ if a.Healthcheck.Retries != b.Healthcheck.Retries {
+ return false
+ }
+ if len(a.Healthcheck.Test) != len(b.Healthcheck.Test) {
+ return false
+ }
+ for i := 0; i < len(a.Healthcheck.Test); i++ {
+ if a.Healthcheck.Test[i] != b.Healthcheck.Test[i] {
+ return false
+ }
+ }
+ }
+
return true
}
diff --git a/image/store.go b/image/store.go
index c457bc3..8a83467 100644
--- a/image/store.go
+++ b/image/store.go
@@ -2,6 +2,7 @@
import (
"fmt"
+ "os"
"sync"
"time"
@@ -24,6 +25,8 @@
GetParent(id ID) (ID, error)
SetLastUpdated(id ID) error
GetLastUpdated(id ID) (time.Time, error)
+ SetBuiltLocally(id ID) error
+ IsBuiltLocally(id ID) (bool, error)
Children(id ID) []ID
Map() map[ID]*Image
Heads() map[ID]*Image
@@ -295,6 +298,23 @@
return time.Parse(time.RFC3339Nano, string(bytes))
}
+// SetBuiltLocally sets whether image can be used as a builder cache
+func (is *store) SetBuiltLocally(id ID) error {
+ return is.fs.SetMetadata(id.Digest(), "builtLocally", []byte{1})
+}
+
+// IsBuiltLocally returns whether image can be used as a builder cache
+func (is *store) IsBuiltLocally(id ID) (bool, error) {
+ bytes, err := is.fs.GetMetadata(id.Digest(), "builtLocally")
+ if err != nil || len(bytes) == 0 {
+ if errors.Is(err, os.ErrNotExist) {
+ err = nil
+ }
+ return false, err
+ }
+ return bytes[0] == 1, nil
+}
+
func (is *store) Children(id ID) []ID {
is.RLock()
defer is.RUnlock()
