image_commit.go 10 KB

  1. package containerd
  2. import (
  3. "bytes"
  4. "context"
  5. "crypto/rand"
  6. "encoding/base64"
  7. "encoding/json"
  8. "fmt"
  9. "runtime"
  10. "strings"
  11. "time"
  12. "github.com/containerd/containerd/content"
  13. "github.com/containerd/containerd/diff"
  14. cerrdefs "github.com/containerd/containerd/errdefs"
  15. "github.com/containerd/containerd/images"
  16. "github.com/containerd/containerd/leases"
  17. "github.com/containerd/containerd/log"
  18. "github.com/containerd/containerd/rootfs"
  19. "github.com/containerd/containerd/snapshots"
  20. "github.com/docker/docker/api/types/backend"
  21. "github.com/docker/docker/image"
  22. imagespec "github.com/docker/docker/image/spec/specs-go/v1"
  23. "github.com/docker/docker/pkg/archive"
  24. "github.com/opencontainers/go-digest"
  25. "github.com/opencontainers/image-spec/identity"
  26. "github.com/opencontainers/image-spec/specs-go"
  27. ocispec "github.com/opencontainers/image-spec/specs-go/v1"
  28. )
  29. /*
  30. This code is based on `commit` support in nerdctl, under Apache License
  31. https://github.com/containerd/nerdctl/blob/master/pkg/imgutil/commit/commit.go
  32. with adaptations to match the Moby data model and services.
  33. */
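  // CommitImage creates a new image from a commit config.
  //
  // It reads the manifest and config of the container's image (when the
  // container has one), exports the container's filesystem changes as a new
  // layer, writes a new config and manifest to the content store and records
  // the result under the name produced by danglingImageName. The returned ID
  // is the digest of the new manifest.
  //
  // An error is returned when no container is found for cc.ContainerID.
  func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig) (image.ID, error) {
  	container := i.containers.Get(cc.ContainerID)
  	if container == nil {
  		// Get can return nil (CommitBuildStep guards the same lookup); fail
  		// with an error instead of dereferencing a nil container below.
  		return "", fmt.Errorf("container not found: %s", cc.ContainerID)
  	}
  	cs := i.client.ContentStore()

  	var parentManifest ocispec.Manifest
  	var parentImage imagespec.DockerOCIImage

  	// ImageManifest can be nil when committing an image with base FROM scratch
  	if container.ImageManifest != nil {
  		imageManifestBytes, err := content.ReadBlob(ctx, cs, *container.ImageManifest)
  		if err != nil {
  			return "", err
  		}

  		if err := json.Unmarshal(imageManifestBytes, &parentManifest); err != nil {
  			return "", err
  		}

  		imageConfigBytes, err := content.ReadBlob(ctx, cs, parentManifest.Config)
  		if err != nil {
  			return "", err
  		}
  		if err := json.Unmarshal(imageConfigBytes, &parentImage); err != nil {
  			return "", err
  		}
  	}

  	var (
  		differ = i.client.DiffService()
  		sn     = i.client.SnapshotService(container.Driver)
  	)

  	// Work under a lease so that what is written below is not garbage
  	// collected while the commit is in progress. The lease expires after one
  	// hour, so leftovers of an aborted commit are cleaned up eventually.
  	ctx, release, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
  	if err != nil {
  		return "", fmt.Errorf("failed to create lease for commit: %w", err)
  	}
  	defer func() {
  		if err := release(ctx); err != nil {
  			log.G(ctx).WithError(err).Warn("failed to release lease created for commit")
  		}
  	}()

  	// diffLayerDesc is nil when the container has no filesystem changes.
  	diffLayerDesc, diffID, err := createDiff(ctx, cc.ContainerID, sn, cs, differ)
  	if err != nil {
  		return "", fmt.Errorf("failed to export layer: %w", err)
  	}

  	imageConfig := generateCommitImageConfig(parentImage, diffID, cc)

  	layers := parentManifest.Layers
  	if diffLayerDesc != nil {
  		// The committed snapshot is named after the chain ID of the new
  		// image's diff IDs.
  		rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()

  		if err := applyDiffLayer(ctx, rootfsID, parentImage, sn, differ, *diffLayerDesc); err != nil {
  			return "", fmt.Errorf("failed to apply diff: %w", err)
  		}

  		layers = append(layers, *diffLayerDesc)
  	}

  	commitManifestDesc, err := writeContentsForImage(ctx, container.Driver, cs, imageConfig, layers)
  	if err != nil {
  		return "", err
  	}

  	// image create
  	img := images.Image{
  		Name:      danglingImageName(commitManifestDesc.Digest),
  		Target:    commitManifestDesc,
  		CreatedAt: time.Now(),
  		Labels: map[string]string{
  			imageLabelClassicBuilderParent: cc.ParentImageID,
  		},
  	}

  	// Update an existing image record first; create it only when the update
  	// reports that no such record exists.
  	if _, err := i.client.ImageService().Update(ctx, img); err != nil {
  		if !cerrdefs.IsNotFound(err) {
  			return "", err
  		}

  		if _, err := i.client.ImageService().Create(ctx, img); err != nil {
  			return "", fmt.Errorf("failed to create new image: %w", err)
  		}
  	}

  	return image.ID(img.Target.Digest), nil
  }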
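  // generateCommitImageConfig generates an OCI Image config based on the
  // container's image and the CommitConfig options.
  //
  // The author falls back to the base image's author when opts.Author is
  // empty. Architecture and OS fall back to runtime.GOARCH and runtime.GOOS of
  // the running binary when the base config leaves them empty; each fallback
  // is logged as a warning. A history entry is always appended. diffID is
  // appended to the rootfs diff IDs only when it is non-empty; otherwise the
  // history entry is marked as an empty layer.
  //
  // The slices held by baseConfig are not written to: their capacity is
  // clipped before appending, so an append always copies into a new backing
  // array instead of filling spare capacity shared with the caller.
  func generateCommitImageConfig(baseConfig imagespec.DockerOCIImage, diffID digest.Digest, opts backend.CommitConfig) imagespec.DockerOCIImage {
  	if opts.Author == "" {
  		opts.Author = baseConfig.Author
  	}

  	createdTime := time.Now()

  	arch := baseConfig.Architecture
  	if arch == "" {
  		arch = runtime.GOARCH
  		log.G(context.TODO()).Warnf("assuming arch=%q", arch)
  	}
  	// Named osName so that the local does not shadow the os package name.
  	osName := baseConfig.OS
  	if osName == "" {
  		osName = runtime.GOOS
  		log.G(context.TODO()).Warnf("assuming os=%q", osName)
  	}
  	log.G(context.TODO()).Debugf("generateCommitImageConfig(): arch=%q, os=%q", arch, osName)

  	// Full slice expressions set cap == len; slicing a nil slice stays nil.
  	baseDiffIDs := baseConfig.RootFS.DiffIDs
  	diffIDs := baseDiffIDs[:len(baseDiffIDs):len(baseDiffIDs)]
  	if diffID != "" {
  		diffIDs = append(diffIDs, diffID)
  	}

  	baseHistory := baseConfig.History
  	history := append(baseHistory[:len(baseHistory):len(baseHistory)], ocispec.History{
  		Created:    &createdTime,
  		CreatedBy:  strings.Join(opts.ContainerConfig.Cmd, " "),
  		Author:     opts.Author,
  		Comment:    opts.Comment,
  		EmptyLayer: diffID == "",
  	})

  	return imagespec.DockerOCIImage{
  		Image: ocispec.Image{
  			Platform: ocispec.Platform{
  				Architecture: arch,
  				OS:           osName,
  			},
  			Created: &createdTime,
  			Author:  opts.Author,
  			RootFS: ocispec.RootFS{
  				Type:    "layers",
  				DiffIDs: diffIDs,
  			},
  			History: history,
  		},
  		Config: containerConfigToDockerOCIImageConfig(opts.Config),
  	}
  }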
  // writeContentsForImage serialises newConfig and a manifest referencing it
  // and layers, stores both blobs in the content store cs, and returns the
  // descriptor of the manifest.
  //
  // Both blobs are written with containerd GC reference labels: the manifest
  // references the config and every layer, and the config references the
  // snapshot of snapshotter snName whose key is the chain ID of the config's
  // diff IDs.
  func writeContentsForImage(ctx context.Context, snName string, cs content.Store, newConfig imagespec.DockerOCIImage, layers []ocispec.Descriptor) (ocispec.Descriptor, error) {
  	var none ocispec.Descriptor

  	configJSON, err := json.Marshal(newConfig)
  	if err != nil {
  		return none, err
  	}
  	configDesc := ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageConfig,
  		Digest:    digest.FromBytes(configJSON),
  		Size:      int64(len(configJSON)),
  	}

  	// ocispec.Manifest with an additional top-level mediaType field.
  	type manifestWithMediaType struct {
  		MediaType string `json:"mediaType,omitempty"`
  		ocispec.Manifest
  	}
  	manifestJSON, err := json.MarshalIndent(manifestWithMediaType{
  		MediaType: ocispec.MediaTypeImageManifest,
  		Manifest: ocispec.Manifest{
  			Versioned: specs.Versioned{
  				SchemaVersion: 2,
  			},
  			Config: configDesc,
  			Layers: layers,
  		},
  	}, "", " ")
  	if err != nil {
  		return none, err
  	}
  	manifestDesc := ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageManifest,
  		Digest:    digest.FromBytes(manifestJSON),
  		Size:      int64(len(manifestJSON)),
  	}

  	// The manifest blob references the config (index 0) and then each layer
  	// (index 1..n) so that they are kept together with it.
  	gcRefs := make(map[string]string, len(layers)+1)
  	gcRefs["containerd.io/gc.ref.content.0"] = configDesc.Digest.String()
  	for idx := range layers {
  		gcRefs[fmt.Sprintf("containerd.io/gc.ref.content.%d", idx+1)] = layers[idx].Digest.String()
  	}
  	if err := content.WriteBlob(ctx, cs, manifestDesc.Digest.String(), bytes.NewReader(manifestJSON), manifestDesc, content.WithLabels(gcRefs)); err != nil {
  		return none, err
  	}

  	// The config blob references the snapshot of the image's root filesystem.
  	snapshotRef := map[string]string{
  		fmt.Sprintf("containerd.io/gc.ref.snapshot.%s", snName): identity.ChainID(newConfig.RootFS.DiffIDs).String(),
  	}
  	if err := content.WriteBlob(ctx, cs, configDesc.Digest.String(), bytes.NewReader(configJSON), configDesc, content.WithLabels(snapshotRef)); err != nil {
  		return none, err
  	}

  	return manifestDesc, nil
  }
  // createDiff asks rootfs.CreateDiff for a diff of the snapshot name and
  // describes the resulting layer blob in the content store cs.
  //
  // When the diff archive is empty it returns a nil descriptor, an empty
  // digest and a nil error. Otherwise it returns the layer descriptor and the
  // diff ID, which is taken from the blob's "containerd.io/uncompressed" label.
  func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (*ocispec.Descriptor, digest.Digest, error) {
  	layerDesc, err := rootfs.CreateDiff(ctx, name, sn, comparer)
  	if err != nil {
  		return nil, "", err
  	}

  	reader, err := cs.ReaderAt(ctx, layerDesc)
  	if err != nil {
  		return nil, "", fmt.Errorf("failed to read diff archive: %w", err)
  	}
  	defer reader.Close()

  	isEmpty, err := archive.IsEmpty(content.NewReader(reader))
  	switch {
  	case err != nil:
  		return nil, "", fmt.Errorf("failed to check if archive is empty: %w", err)
  	case isEmpty:
  		// Nothing changed in the container: there is no layer to add.
  		return nil, "", nil
  	}

  	blobInfo, err := cs.Info(ctx, layerDesc.Digest)
  	if err != nil {
  		return nil, "", fmt.Errorf("failed to get content info: %w", err)
  	}

  	uncompressed, found := blobInfo.Labels["containerd.io/uncompressed"]
  	if !found {
  		return nil, "", fmt.Errorf("invalid differ response with no diffID")
  	}

  	// Reject a label value that is not a well-formed digest.
  	diffID, err := digest.Parse(uncompressed)
  	if err != nil {
  		return nil, "", err
  	}

  	// NOTE(review): the media type is fixed to gzip here and the media type
  	// of the descriptor returned by rootfs.CreateDiff is not consulted;
  	// presumably the differ always produces gzip layers - confirm.
  	result := &ocispec.Descriptor{
  		MediaType: ocispec.MediaTypeImageLayerGzip,
  		Digest:    layerDesc.Digest,
  		Size:      blobInfo.Size,
  	}
  	return result, diffID, nil
  }
  // applyDiffLayer applies the layer described by diffDesc (as produced by
  // createDiff) on top of baseImg's root filesystem and commits the result to
  // the snapshotter sn under name.
  //
  // A snapshot that already exists under name is treated as success. When the
  // function returns an error, the temporary snapshot is removed on a
  // best-effort basis.
  func applyDiffLayer(ctx context.Context, name string, baseImg imagespec.DockerOCIImage, sn snapshots.Snapshotter, differ diff.Applier, diffDesc ocispec.Descriptor) (retErr error) {
  	// Temporary key for the snapshot being prepared; the parent is the
  	// snapshot named after the chain ID of the base image's diff IDs.
  	activeKey := uniquePart() + "-" + name
  	parentChain := identity.ChainID(baseImg.RootFS.DiffIDs).String()

  	mounts, err := sn.Prepare(ctx, activeKey, parentChain)
  	if err != nil {
  		return fmt.Errorf("failed to prepare snapshot: %w", err)
  	}

  	defer func() {
  		if retErr == nil {
  			return
  		}
  		// NOTE: the snapshot should be held by a lease, so even if this
  		// cleanup fails the containerd gc can delete it.
  		if rmErr := sn.Remove(ctx, activeKey); rmErr != nil {
  			log.G(ctx).Warnf("failed to cleanup aborted apply %s: %s", activeKey, rmErr)
  		}
  	}()

  	if _, applyErr := differ.Apply(ctx, diffDesc, mounts); applyErr != nil {
  		return applyErr
  	}

  	commitErr := sn.Commit(ctx, name, activeKey)
  	if commitErr == nil || cerrdefs.IsAlreadyExists(commitErr) {
  		// NOTE(review): on the already-exists path nil is returned, so the
  		// deferred cleanup above does not remove activeKey; presumably it is
  		// left to lease expiry and gc - confirm.
  		return nil
  	}
  	return commitErr
  }
  // uniquePart returns "<nanoseconds>-<suffix>", where nanoseconds is the
  // nanosecond field of the current time and suffix is the URL-safe base64
  // encoding of three bytes read from crypto/rand.
  //
  // Copied from github.com/containerd/containerd/rootfs/apply.go. In this file
  // it only prefixes the temporary snapshot key in applyDiffLayer; it serves
  // uniqueness and is not used as a secret.
  func uniquePart() string {
  	nanos := time.Now().Nanosecond()
  	suffix := make([]byte, 3)
  	// A failed read is deliberately ignored: it only makes the value less unique.
  	_, _ = rand.Read(suffix)
  	return fmt.Sprintf("%d-%s", nanos, base64.URLEncoding.EncodeToString(suffix))
  }
  // CommitBuildStep is called by the builder to turn the container of a build
  // step into an image.
  //
  // Unlike CreateImageFromContainer, this method:
  //   - does not attempt to validate the container state
  //   - does not send a commit action to metrics
  //   - does not log a container commit event
  //
  // It is a temporary shim and should be removed once the builder no longer
  // relies on commit.
  func (i *ImageService) CommitBuildStep(ctx context.Context, c backend.CommitConfig) (image.ID, error) {
  	container := i.containers.Get(c.ContainerID)
  	if container == nil {
  		// TODO: use typed error
  		return "", fmt.Errorf("container not found: %s", c.ContainerID)
  	}

  	// These commit-config fields are taken from the container itself; any
  	// values the caller put there are overwritten.
  	c.ContainerMountLabel, c.ContainerOS = container.MountLabel, container.OS
  	c.ParentImageID = string(container.ImageID)

  	return i.CommitImage(ctx, c)
  }