20833b06a0
Signed-off-by: John Howard <jhoward@microsoft.com> Also fixes https://github.com/moby/moby/issues/22874 This commit is a pre-requisite to moving moby/moby on Windows to using Containerd for its runtime. The reason for this is that the interface between moby and containerd for the runtime is an OCI spec which must be unambigious. It is the responsibility of the runtime (runhcs in the case of containerd on Windows) to ensure that arguments are escaped prior to calling into HCS and onwards to the Win32 CreateProcess call. Previously, the builder was always escaping arguments which has led to several bugs in moby. Because the local runtime in libcontainerd had context of whether or not arguments were escaped, it was possible to hack around in daemon/oci_windows.go with knowledge of the context of the call (from builder or not). With a remote runtime, this is not possible as there's rightly no context of the caller passed across in the OCI spec. Put another way, as I put above, the OCI spec must be unambigious. The other previous limitation (which leads to various subtle bugs) is that moby is coded entirely from a Linux-centric point of view. Unfortunately, Windows != Linux. Windows CreateProcess uses a command line, not an array of arguments. And it has very specific rules about how to escape a command line. Some interesting reading links about this are: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017 For this reason, the OCI spec has recently been updated to cater for more natural syntax by including a CommandLine option in Process. What does this commit do? Primary objective is to ensure that the built OCI spec is unambigious. 
It changes the builder so that `ArgsEscaped` as committed in a layer is only controlled by the use of CMD or ENTRYPOINT. Subsequently, when calling in to create a container from the builder, it follows a different path to both `docker run` and `docker create` using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows a RUN from the builder to control how to escape in the OCI spec. It changes the builder so that when shell form is used for RUN, CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line using the original as put by the user in the dockerfile, not the parsed version as a set of args which loses fidelity. This command line is put into args[0] and `ArgsEscaped` is set to true for CMD or ENTRYPOINT. A RUN statement does not commit `ArgsEscaped` to the committed layer regardless of whether shell or exec form were used.
package image // import "github.com/docker/docker/image"
import (
"encoding/json"
"errors"
"io"
"runtime"
"strings"
"time"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/dockerversion"
"github.com/docker/docker/layer"
"github.com/opencontainers/go-digest"
)
// ID is the content-addressable ID of an image. Its underlying
// representation is a digest.Digest (see Digest), i.e. it names the image by
// a hash of its configuration rather than by the legacy V1Image.ID string.
type ID digest.Digest
// String returns the ID in its digest string form.
func (id ID) String() string {
	d := id.Digest()
	return d.String()
}
// Digest returns the ID as a digest.Digest. Both types share the same
// underlying string, so this is a plain type conversion with no validation.
func (id ID) Digest() digest.Digest {
	var d digest.Digest = digest.Digest(id)
	return d
}
// IDFromDigest wraps a digest.Digest as an image ID. The digest is not
// validated here; the caller is responsible for passing a well-formed one.
// (The parameter deliberately keeps its historical name even though it
// shadows the digest package inside the body.)
func IDFromDigest(digest digest.Digest) ID {
	var id ID = ID(digest)
	return id
}
// V1Image stores the V1 image configuration. These are the fields of the
// legacy image format; Image embeds them so the same JSON keys are still
// written and read alongside the content-addressable fields.
type V1Image struct {
	// ID is a unique 64 character identifier of the image
	ID string `json:"id,omitempty"`
	// Parent is the ID of the parent image
	Parent string `json:"parent,omitempty"`
	// Comment is the commit message that was set when committing the image
	Comment string `json:"comment,omitempty"`
	// Created is the timestamp at which the image was created
	Created time.Time `json:"created"`
	// Container is the id of the container used to commit
	Container string `json:"container,omitempty"`
	// ContainerConfig is the configuration of the container that is committed into the image
	ContainerConfig container.Config `json:"container_config,omitempty"`
	// DockerVersion specifies the version of Docker that was used to build the image
	DockerVersion string `json:"docker_version,omitempty"`
	// Author is the name of the author that was specified when committing the image
	Author string `json:"author,omitempty"`
	// Config is the configuration of the container received from the client.
	// Unlike ContainerConfig it is a pointer and may be nil.
	Config *container.Config `json:"config,omitempty"`
	// Architecture is the hardware that the image is built and runs on
	Architecture string `json:"architecture,omitempty"`
	// OS is the operating system used to build and run the image
	OS string `json:"os,omitempty"`
	// Size is the total size of the image including all layers it is composed of.
	// The tag gives no name, so encoding/json uses the field name "Size" as the key.
	Size int64 `json:",omitempty"`
}
// Image stores the image configuration: the legacy V1Image fields plus the
// content-addressable parent ID, root filesystem and history, and the
// OS version/feature fields.
type Image struct {
	V1Image
	// Parent is the content-addressable ID of the parent image. It carries
	// the same "parent" JSON key as the embedded V1Image.Parent string and,
	// being the outer field, is the one encoding/json uses.
	Parent ID `json:"parent,omitempty"`
	// RootFS is the ordered set of layer diff IDs that make up the image
	// (see NewChildImage, which appends a layer.DiffID to it).
	RootFS *RootFS `json:"rootfs,omitempty"`
	// History holds one entry per step that produced this image, in order.
	History []History `json:"history,omitempty"`
	// OSVersion and OSFeatures are recorded as supplied and inherited by
	// child images. NOTE(review): these look like the OCI "os.version" /
	// "os.features" fields used for Windows images — confirm with callers.
	OSVersion  string   `json:"os.version,omitempty"`
	OSFeatures []string `json:"os.features,omitempty"`

	// rawJSON caches the immutable JSON associated with this image.
	// It is unexported, so MarshalJSON never emits it.
	rawJSON []byte

	// computedID is the ID computed from the hash of the image config.
	// Not to be confused with the legacy V1 ID in V1Image.
	// Nothing in this file assigns it; presumably the image store does — confirm.
	computedID ID
}
// RawJSON returns the immutable JSON associated with the image.
// The cached slice itself is returned, not a copy, so callers must treat it
// as read-only.
func (img *Image) RawJSON() []byte {
	raw := img.rawJSON
	return raw
}
// ID returns the image's content-addressable ID. It is the zero ID if
// computedID was never populated (nothing in this file sets it).
func (img *Image) ID() ID {
	var id ID = img.computedID
	return id
}
// ImageID returns the content-addressable ID as its digest string.
func (img *Image) ImageID() string {
	return img.computedID.String()
}
// RunConfig returns the image's container config: the Config received from
// the client, promoted from the embedded V1Image. It may be nil.
func (img *Image) RunConfig() *container.Config {
	cfg := img.V1Image.Config
	return cfg
}
// BaseImgArch returns the image's architecture. If not populated, defaults to
// the host runtime arch (runtime.GOARCH).
func (img *Image) BaseImgArch() string {
	if img.Architecture != "" {
		return img.Architecture
	}
	return runtime.GOARCH
}
// OperatingSystem returns the image's operating system. If not populated,
// defaults to the host runtime OS (runtime.GOOS).
func (img *Image) OperatingSystem() string {
	// Named imgOS rather than os to avoid shadowing the os package name.
	if imgOS := img.OS; imgOS != "" {
		return imgOS
	}
	return runtime.GOOS
}
// MarshalJSON serializes the image to JSON. It sorts the top-level keys so
// that JSON that's been manipulated by a push/pull cycle with a legacy
// registry won't end up with a different key order. A stable key order
// matters because the image's ID is a hash of this configuration.
//
// Only exported fields are emitted; rawJSON and computedID are not part of
// the output.
func (img *Image) MarshalJSON() ([]byte, error) {
	// A defined type based on Image has none of Image's methods, so marshaling
	// it does not recurse back into this MarshalJSON.
	type MarshalImage Image

	firstPass, err := json.Marshal(MarshalImage(*img))
	if err != nil {
		return nil, err
	}

	// Round-trip through a map: encoding/json writes map keys in sorted
	// order, which yields the canonical layout. Values are kept as raw
	// messages so nothing below the top level is re-encoded.
	keyed := make(map[string]*json.RawMessage)
	if err = json.Unmarshal(firstPass, &keyed); err != nil {
		return nil, err
	}
	return json.Marshal(keyed)
}
// ChildConfig is the configuration to apply to an Image to create a new
// Child image. Other properties of the image are copied from the parent.
type ChildConfig struct {
	// ContainerID is recorded as the child's V1Image.Container.
	ContainerID string
	// Author is recorded on the child image and its new history entry.
	Author string
	// Comment is recorded on the new history entry.
	Comment string
	// DiffID is the layer to append to the parent's RootFS; if layer.IsEmpty
	// reports it empty, no layer is appended and the history entry is
	// marked EmptyLayer.
	DiffID layer.DiffID
	// ContainerConfig becomes the child's V1Image.ContainerConfig; its Cmd is
	// joined into the history entry's CreatedBy. NewChildImage dereferences it.
	ContainerConfig *container.Config
	// Config becomes the child's V1Image.Config (the client-supplied config).
	Config *container.Config
}
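// NewChildImage creates a new Image as a child of this image.
//
// The child gets the parent's root filesystem (cloned, with child.DiffID
// appended unless it is the empty layer), the parent's history plus one new
// entry, and the parent's architecture, OSVersion and OSFeatures. os is
// recorded verbatim as the child's OS. child.ContainerConfig and child.Config
// become the committed and client-supplied configs respectively; a nil
// child.ContainerConfig is treated as an empty config rather than
// dereferenced.
//
// The history slice is copied rather than grown in place with append: the
// parent's History may have spare capacity, and appending into it would let
// two children built from the same parent overwrite each other's entry.
func NewChildImage(img *Image, child ChildConfig, os string) *Image {
	isEmptyLayer := layer.IsEmpty(child.DiffID)

	var rootFS *RootFS
	if img.RootFS != nil {
		rootFS = img.RootFS.Clone()
	} else {
		rootFS = NewRootFS()
	}
	if !isEmptyLayer {
		rootFS.Append(child.DiffID)
	}

	// Dereference once, tolerating a caller that left it nil.
	var containerConfig container.Config
	if child.ContainerConfig != nil {
		containerConfig = *child.ContainerConfig
	}

	imgHistory := NewHistory(
		child.Author,
		child.Comment,
		strings.Join(containerConfig.Cmd, " "),
		isEmptyLayer)

	// Fresh backing array: never share it with the parent's History.
	history := make([]History, len(img.History), len(img.History)+1)
	copy(history, img.History)
	history = append(history, imgHistory)

	return &Image{
		V1Image: V1Image{
			DockerVersion:   dockerversion.Version,
			Config:          child.Config,
			Architecture:    img.BaseImgArch(),
			OS:              os,
			Container:       child.ContainerID,
			ContainerConfig: containerConfig,
			Author:          child.Author,
			Created:         imgHistory.Created,
		},
		RootFS:     rootFS,
		History:    history,
		OSFeatures: img.OSFeatures,
		OSVersion:  img.OSVersion,
	}
}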
// History stores build commands that were used to create an image.
// One History entry is appended to Image.History per build step; see
// NewHistory and NewChildImage.
type History struct {
	// Created is the timestamp at which the image was created
	Created time.Time `json:"created"`
	// Author is the name of the author that was specified when committing the image
	Author string `json:"author,omitempty"`
	// CreatedBy keeps the Dockerfile command used while building the image
	// (NewChildImage fills it with the committed config's Cmd joined by spaces)
	CreatedBy string `json:"created_by,omitempty"`
	// Comment is the commit message that was set when committing the image
	Comment string `json:"comment,omitempty"`
	// EmptyLayer is set to true if this history item did not generate a
	// layer. Otherwise, the history item is associated with the next
	// layer in the RootFS section.
	EmptyLayer bool `json:"empty_layer,omitempty"`
}
// NewHistory creates a new history struct from arguments, and sets the created
// time to the current time in UTC. Every other field is taken verbatim from
// the corresponding argument.
func NewHistory(author, comment, createdBy string, isEmptyLayer bool) History {
	var entry History
	entry.Created = time.Now().UTC()
	entry.Author = author
	entry.Comment = comment
	entry.CreatedBy = createdBy
	entry.EmptyLayer = isEmptyLayer
	return entry
}
// Exporter provides interface for loading and saving images.
//
// Load reads images from the given stream and writes progress/output to the
// writer. NOTE(review): the parameters are unnamed here; the bool presumably
// selects quiet output — confirm against the implementation.
// Save writes the named images to the writer.
type Exporter interface {
	Load(io.ReadCloser, io.Writer, bool) error
	// TODO: Load(net.Context, io.ReadCloser, <- chan StatusMessage) error
	Save([]string, io.Writer) error
}
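// NewFromJSON creates an Image configuration from json.
//
// The decoded JSON must contain a "rootfs" key; without one it is not a
// usable image config and an error is returned. On success a private copy of
// src is cached as the image's raw JSON, so that a caller that later reuses
// or modifies its buffer cannot change what RawJSON reports (or anything
// derived from those bytes).
func NewFromJSON(src []byte) (*Image, error) {
	img := &Image{}

	if err := json.Unmarshal(src, img); err != nil {
		return nil, err
	}
	if img.RootFS == nil {
		return nil, errors.New("invalid image JSON, no RootFS key")
	}

	// Copy rather than alias: rawJSON is documented as immutable.
	img.rawJSON = make([]byte, len(src))
	copy(img.rawJSON, src)

	return img, nil
}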