image_commit.go 9.2 KB

  1. package containerd
  2. import (
  3. "bytes"
  4. "context"
  5. "crypto/rand"
  6. "encoding/base64"
  7. "encoding/json"
  8. "errors"
  9. "fmt"
  10. "runtime"
  11. "time"
  12. "github.com/containerd/containerd/content"
  13. "github.com/containerd/containerd/diff"
  14. cerrdefs "github.com/containerd/containerd/errdefs"
  15. "github.com/containerd/containerd/images"
  16. "github.com/containerd/containerd/leases"
  17. "github.com/containerd/containerd/platforms"
  18. "github.com/containerd/containerd/rootfs"
  19. "github.com/containerd/containerd/snapshots"
  20. "github.com/docker/docker/api/types/backend"
  21. containerapi "github.com/docker/docker/api/types/container"
  22. "github.com/docker/docker/errdefs"
  23. "github.com/docker/docker/image"
  24. "github.com/opencontainers/go-digest"
  25. "github.com/opencontainers/image-spec/identity"
  26. "github.com/opencontainers/image-spec/specs-go"
  27. ocispec "github.com/opencontainers/image-spec/specs-go/v1"
  28. "github.com/sirupsen/logrus"
  29. )
  30. /*
  31. This code is based on `commit` support in nerdctl, under Apache License
  32. https://github.com/containerd/nerdctl/blob/master/pkg/imgutil/commit/commit.go
  33. with adaptations to match the Moby data model and services.
  34. */
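  // CommitImage creates a new image from the container named in cc by adding
  // the container's filesystem changes as one extra layer on top of the image
  // the container was created from.
  //
  // It reads the base image manifest and config from the content store, takes
  // a lease, exports the container diff, builds the new config and manifest,
  // and then updates (or, if missing, creates) the containerd image record,
  // which is named after the new config digest. The returned ID is the digest
  // of the new manifest.
  //
  // A not-found error is returned when cc.ContainerID is not in the container
  // store.
  func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig) (image.ID, error) {
  	container := i.containers.Get(cc.ContainerID)
  	if container == nil {
  		// Return a typed error instead of dereferencing a nil container
  		// below, e.g. when the container was removed before the commit ran.
  		return "", errdefs.NotFound(fmt.Errorf("container %q not found", cc.ContainerID))
  	}

  	// NOTE(review): the base image is looked up from container.Config.Image
  	// at commit time. If that is a mutable reference (a tag) that has moved
  	// since the container was created, the base config and layers used here
  	// may not match the snapshot the container runs on. Confirm whether
  	// resolveDescriptor pins the lookup by digest.
  	desc, err := i.resolveDescriptor(ctx, container.Config.Image)
  	if err != nil {
  		return "", err
  	}

  	cs := i.client.ContentStore()

  	ocimanifest, err := images.Manifest(ctx, cs, desc, platforms.DefaultStrict())
  	if err != nil {
  		return "", err
  	}

  	imageConfigBytes, err := content.ReadBlob(ctx, cs, ocimanifest.Config)
  	if err != nil {
  		return "", err
  	}

  	var ociimage ocispec.Image
  	if err := json.Unmarshal(imageConfigBytes, &ociimage); err != nil {
  		return "", err
  	}

  	var (
  		differ = i.client.DiffService()
  		sn     = i.client.SnapshotService(i.snapshotter)
  	)

  	// Hold a lease so containerd's garbage collector leaves the intermediate
  	// content and snapshots alone while the commit is assembled. The lease
  	// carries a one-hour expiration, so leftovers from an aborted commit
  	// become collectable after that.
  	ctx, done, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
  	if err != nil {
  		return "", fmt.Errorf("failed to create lease for commit: %w", err)
  	}
  	// The release error is not checked here.
  	defer done(ctx)

  	diffLayerDesc, diffID, err := createDiff(ctx, cc.ContainerID, sn, cs, differ)
  	if err != nil {
  		return "", fmt.Errorf("failed to export layer: %w", err)
  	}

  	imageConfig, err := generateCommitImageConfig(ctx, container.Config, ociimage, diffID, cc)
  	if err != nil {
  		return "", fmt.Errorf("failed to generate commit image config: %w", err)
  	}

  	// The committed snapshot is named after the chain ID of the new rootfs.
  	rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()
  	if err := applyDiffLayer(ctx, rootfsID, ociimage, sn, differ, diffLayerDesc); err != nil {
  		return "", fmt.Errorf("failed to apply diff: %w", err)
  	}

  	layers := append(ocimanifest.Layers, diffLayerDesc)
  	commitManifestDesc, configDigest, err := writeContentsForImage(ctx, i.snapshotter, cs, imageConfig, layers)
  	if err != nil {
  		return "", err
  	}

  	// Register the image: try an update first and create the record only
  	// when the update reports that it does not exist yet.
  	img := images.Image{
  		Name:      configDigest.String(),
  		Target:    commitManifestDesc,
  		CreatedAt: time.Now(),
  	}

  	if _, err := i.client.ImageService().Update(ctx, img); err != nil {
  		if !cerrdefs.IsNotFound(err) {
  			return "", err
  		}

  		if _, err := i.client.ImageService().Create(ctx, img); err != nil {
  			return "", fmt.Errorf("failed to create new image: %w", err)
  		}
  	}

  	return image.ID(img.Target.Digest), nil
  }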
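  // generateCommitImageConfig builds the OCI image config for a committed
  // container, starting from the config of the image it was created from.
  //
  // Cmd and Entrypoint from opts.Config replace the base values when they are
  // set. The author falls back to the base image's author, and architecture
  // and OS fall back to the runtime values of this process (with a warning)
  // when the base config leaves them empty. diffID is appended to the rootfs
  // diff IDs and a matching history entry is appended; that entry is flagged
  // as an empty layer when diffID is "".
  //
  // ctx and container are currently unused. The returned error is always nil.
  func generateCommitImageConfig(ctx context.Context, container *containerapi.Config, baseConfig ocispec.Image, diffID digest.Digest, opts backend.CommitConfig) (ocispec.Image, error) {
  	// Guard against a nil opts.Config: skip the overrides instead of
  	// panicking when the caller supplied no config.
  	if cfg := opts.Config; cfg != nil {
  		if cfg.Cmd != nil {
  			baseConfig.Config.Cmd = cfg.Cmd
  		}
  		if cfg.Entrypoint != nil {
  			baseConfig.Config.Entrypoint = cfg.Entrypoint
  		}
  	}

  	author := opts.Author
  	if author == "" {
  		author = baseConfig.Author
  	}

  	createdTime := time.Now()

  	arch := baseConfig.Architecture
  	if arch == "" {
  		arch = runtime.GOARCH
  		logrus.Warnf("assuming arch=%q", arch)
  	}

  	os := baseConfig.OS
  	if os == "" {
  		os = runtime.GOOS
  		logrus.Warnf("assuming os=%q", os)
  	}
  	logrus.Debugf("generateCommitImageConfig(): arch=%q, os=%q", arch, os)

  	// baseConfig is a copy, but its slices still share backing arrays with
  	// the caller's value. Capping the capacity forces append to allocate, so
  	// the new entries are never written into storage the caller still owns.
  	baseDiffIDs := baseConfig.RootFS.DiffIDs
  	diffIDs := append(baseDiffIDs[:len(baseDiffIDs):len(baseDiffIDs)], diffID)

  	baseHistory := baseConfig.History
  	history := append(baseHistory[:len(baseHistory):len(baseHistory)], ocispec.History{
  		Created:    &createdTime,
  		CreatedBy:  "", // FIXME(ndeloof) ?
  		Author:     author,
  		Comment:    opts.Comment,
  		EmptyLayer: diffID == "",
  	})

  	return ocispec.Image{
  		Architecture: arch,
  		OS:           os,
  		Created:      &createdTime,
  		Author:       author,
  		Config:       baseConfig.Config,
  		RootFS: ocispec.RootFS{
  			Type:    "layers",
  			DiffIDs: diffIDs,
  		},
  		History: history,
  	}, nil
  }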
  // writeContentsForImage serializes newConfig and a manifest that references
  // it together with layers, and stores both blobs in the content store cs.
  //
  // Each blob is addressed by the digest of its own JSON bytes. The manifest
  // blob is written first and carries containerd GC reference labels for the
  // config and every layer; the config blob carries a GC reference label to
  // the snapshot (in snapshotter snName) whose name is the chain ID of the
  // config's diff IDs. It returns the manifest descriptor and the config
  // digest as an image ID.
  func writeContentsForImage(ctx context.Context, snName string, cs content.Store, newConfig ocispec.Image, layers []ocispec.Descriptor) (ocispec.Descriptor, image.ID, error) {
  	var none ocispec.Descriptor

  	configJSON, err := json.Marshal(newConfig)
  	if err != nil {
  		return none, "", err
  	}
  	configDesc := ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageConfig,
  		Digest:    digest.FromBytes(configJSON),
  		Size:      int64(len(configJSON)),
  	}

  	// The manifest is wrapped so that a top-level mediaType field is emitted
  	// alongside the embedded OCI manifest fields.
  	type manifestWithMediaType struct {
  		MediaType string `json:"mediaType,omitempty"`
  		ocispec.Manifest
  	}
  	manifest := manifestWithMediaType{
  		MediaType: ocispec.MediaTypeImageManifest,
  		Manifest: ocispec.Manifest{
  			Versioned: specs.Versioned{SchemaVersion: 2},
  			Config:    configDesc,
  			Layers:    layers,
  		},
  	}

  	manifestJSON, err := json.MarshalIndent(manifest, "", " ")
  	if err != nil {
  		return none, "", err
  	}
  	manifestDesc := ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageManifest,
  		Digest:    digest.FromBytes(manifestJSON),
  		Size:      int64(len(manifestJSON)),
  	}

  	// GC references from the manifest: slot 0 is the config, slots 1..n are
  	// the layers in order.
  	gcRefs := make(map[string]string, len(layers)+1)
  	gcRefs["containerd.io/gc.ref.content.0"] = configDesc.Digest.String()
  	for idx := range layers {
  		gcRefs[fmt.Sprintf("containerd.io/gc.ref.content.%d", idx+1)] = layers[idx].Digest.String()
  	}

  	if err := content.WriteBlob(ctx, cs, manifestDesc.Digest.String(), bytes.NewReader(manifestJSON), manifestDesc, content.WithLabels(gcRefs)); err != nil {
  		return none, "", err
  	}

  	// GC reference from the config to the unpacked rootfs snapshot.
  	snapshotRef := map[string]string{
  		fmt.Sprintf("containerd.io/gc.ref.snapshot.%s", snName): identity.ChainID(newConfig.RootFS.DiffIDs).String(),
  	}
  	if err := content.WriteBlob(ctx, cs, configDesc.Digest.String(), bytes.NewReader(configJSON), configDesc, content.WithLabels(snapshotRef)); err != nil {
  		return none, "", err
  	}

  	return manifestDesc, image.ID(configDesc.Digest), nil
  }
  // createDiff asks rootfs.CreateDiff for the layer diff of the snapshot called
  // name and returns a descriptor for the resulting blob together with its
  // diff ID.
  //
  // The diff ID is read from the "containerd.io/uncompressed" label that the
  // content store holds for the blob. It is only checked for being a
  // well-formed digest (digest.Parse); it is not recomputed here.
  //
  // NOTE(review): the descriptor's media type is fixed to gzip rather than
  // taken from what CreateDiff reported; confirm the differ always emits gzip.
  func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (ocispec.Descriptor, digest.Digest, error) {
  	var none ocispec.Descriptor

  	layer, err := rootfs.CreateDiff(ctx, name, sn, comparer)
  	if err != nil {
  		return none, "", err
  	}

  	blobInfo, err := cs.Info(ctx, layer.Digest)
  	if err != nil {
  		return none, "", err
  	}

  	rawDiffID, found := blobInfo.Labels["containerd.io/uncompressed"]
  	if !found {
  		return none, "", fmt.Errorf("invalid differ response with no diffID")
  	}

  	uncompressed, err := digest.Parse(rawDiffID)
  	if err != nil {
  		return none, "", err
  	}

  	layerDesc := ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageLayerGzip,
  		Digest:    layer.Digest,
  		Size:      blobInfo.Size,
  	}
  	return layerDesc, uncompressed, nil
  }
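  // applyDiffLayer unpacks the diff layer described by diffDesc (as produced by
  // createDiff) into the snapshotter and commits the result under name.
  //
  // A temporary snapshot is prepared on top of the base image's chain ID, the
  // diff is applied to its mounts, and the snapshot is then committed. When
  // Commit reports that name already exists, that is treated as success.
  //
  // The temporary snapshot is removed whenever it was not committed: on any
  // error, and also on the already-exists path. Removal failures are only
  // logged.
  func applyDiffLayer(ctx context.Context, name string, baseImg ocispec.Image, sn snapshots.Snapshotter, differ diff.Applier, diffDesc ocispec.Descriptor) (retErr error) {
  	var (
  		key    = uniquePart() + "-" + name
  		parent = identity.ChainID(baseImg.RootFS.DiffIDs).String()
  	)

  	mount, err := sn.Prepare(ctx, key, parent)
  	if err != nil {
  		return err
  	}

  	// removePrepared drops the temporary snapshot. The snapshot is expected
  	// to be covered by the caller's lease, so containerd's GC can still
  	// delete it if this removal fails.
  	removePrepared := func() {
  		if err := sn.Remove(ctx, key); err != nil {
  			logrus.Warnf("failed to cleanup aborted apply %s: %s", key, err)
  		}
  	}

  	defer func() {
  		if retErr != nil {
  			removePrepared()
  		}
  	}()

  	if _, err = differ.Apply(ctx, diffDesc, mount); err != nil {
  		return err
  	}

  	if err = sn.Commit(ctx, name, key); err != nil {
  		if cerrdefs.IsAlreadyExists(err) {
  			// The target already exists, so key was not committed
  			// (presumably it is still present). Clean it up here, because
  			// the deferred cleanup only runs on a non-nil return.
  			removePrepared()
  			return nil
  		}
  		return err
  	}

  	return nil
  }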
  // uniquePart returns a short, probably-unique string made of the nanosecond
  // component of the current time, a dash, and three random bytes encoded as
  // URL-safe base64.
  //
  // It is used in this file to build a temporary snapshot key. With only 24
  // random bits it is a collision-avoidance aid, not an unguessable token.
  //
  // Copied from github.com/containerd/containerd/rootfs/apply.go.
  func uniquePart() string {
  	suffix := make([]byte, 3)
  	// A failed read is ignored on purpose: it only reduces uniqueness.
  	_, _ = rand.Read(suffix)

  	nanos := time.Now().Nanosecond()
  	return fmt.Sprintf("%d-%s", nanos, base64.URLEncoding.EncodeToString(suffix))
  }
  // CommitBuildStep is called by the builder to create an image for each build
  // step. In this containerd-backed image service it is not implemented yet
  // and always returns a NotImplemented error with an empty image ID.
  //
  // It differs from CreateImageFromContainer in that:
  //   - it doesn't attempt to validate container state
  //   - it doesn't send a commit action to metrics
  //   - it doesn't log a container commit event
  //
  // This is a temporary shim and should be removed once the builder stops
  // using commit.
  func (i *ImageService) CommitBuildStep(ctx context.Context, c backend.CommitConfig) (image.ID, error) {
  	var noID image.ID
  	notImplemented := errors.New("not implemented")
  	return noID, errdefs.NotImplemented(notImplemented)
  }