2018-02-05 21:05:59 +00:00
|
|
|
package image // import "github.com/docker/docker/image"
|
2013-03-18 07:15:35 +00:00
|
|
|
|
|
|
|
|
import (
|
2015-07-20 17:57:15 +00:00
|
|
|
"encoding/json"
|
2015-11-18 22:18:07 +00:00
|
|
|
"errors"
|
|
|
|
|
"io"
|
2021-01-21 21:55:29 +00:00
|
|
|
"reflect"
|
2017-05-25 21:03:29 +00:00
|
|
|
"runtime"
|
|
|
|
|
"strings"
|
2015-07-20 17:57:15 +00:00
|
|
|
"time"
|
|
|
|
|
|
2016-09-06 18:18:12 +00:00
|
|
|
"github.com/docker/docker/api/types/container"
|
2017-05-14 18:18:48 +00:00
|
|
|
"github.com/docker/docker/dockerversion"
|
|
|
|
|
"github.com/docker/docker/layer"
|
2022-03-04 13:49:42 +00:00
|
|
|
"github.com/opencontainers/go-digest"
|
2013-03-18 07:15:35 +00:00
|
|
|
)
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// ID is the content-addressable ID of an image.
|
|
|
|
|
type ID digest.Digest
|
2015-05-13 18:42:45 +00:00
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
func (id ID) String() string {
|
2016-09-15 23:37:32 +00:00
|
|
|
return id.Digest().String()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Digest converts ID into a digest
|
|
|
|
|
func (id ID) Digest() digest.Digest {
|
|
|
|
|
return digest.Digest(id)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// IDFromDigest creates an ID from a digest
|
|
|
|
|
func IDFromDigest(digest digest.Digest) ID {
|
|
|
|
|
return ID(digest)
|
2015-08-26 21:58:56 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// V1Image stores the V1 image configuration.
|
|
|
|
|
type V1Image struct {
|
2016-12-13 14:15:08 +00:00
|
|
|
// ID is a unique 64 character identifier of the image
|
2015-08-26 21:58:56 +00:00
|
|
|
ID string `json:"id,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Parent is the ID of the parent image.
|
|
|
|
|
//
|
|
|
|
|
// Depending on how the image was created, this field may be empty and
|
|
|
|
|
// is only set for images that were built/created locally. This field
|
|
|
|
|
// is empty if the image was pulled from an image registry.
|
2015-07-21 05:49:27 +00:00
|
|
|
Parent string `json:"parent,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Comment is an optional message that can be set when committing or
|
|
|
|
|
// importing the image.
|
2015-07-21 05:49:27 +00:00
|
|
|
Comment string `json:"comment,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
2016-12-13 14:15:08 +00:00
|
|
|
// Created is the timestamp at which the image was created
|
2015-07-21 05:49:27 +00:00
|
|
|
Created time.Time `json:"created"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Container is the ID of the container that was used to create the image.
|
|
|
|
|
//
|
|
|
|
|
// Depending on how the image was created, this field may be empty.
|
2015-07-21 05:49:27 +00:00
|
|
|
Container string `json:"container,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// ContainerConfig is the configuration of the container that was committed
|
|
|
|
|
// into the image.
|
2015-12-18 18:36:17 +00:00
|
|
|
ContainerConfig container.Config `json:"container_config,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// DockerVersion is the version of Docker that was used to build the image.
|
|
|
|
|
//
|
|
|
|
|
// Depending on how the image was created, this field may be empty.
|
2015-07-21 05:49:27 +00:00
|
|
|
DockerVersion string `json:"docker_version,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Author is the name of the author that was specified when committing the
|
|
|
|
|
// image, or as specified through MAINTAINER (deprecated) in the Dockerfile.
|
2015-07-21 05:49:27 +00:00
|
|
|
Author string `json:"author,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Config is the configuration of the container received from the client.
|
2015-12-18 18:36:17 +00:00
|
|
|
Config *container.Config `json:"config,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Architecture is the hardware CPU architecture that the image runs on.
|
2015-07-21 05:49:27 +00:00
|
|
|
Architecture string `json:"architecture,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Variant is the CPU architecture variant (presently ARM-only).
|
2019-04-26 22:12:43 +00:00
|
|
|
Variant string `json:"variant,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// OS is the Operating System the image is built to run on.
|
2015-07-21 05:49:27 +00:00
|
|
|
OS string `json:"os,omitempty"`
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Size is the total size of the image including all layers it is composed of.
|
2015-11-18 22:18:07 +00:00
|
|
|
Size int64 `json:",omitempty"`
|
2015-07-20 17:57:15 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// Image stores the image configuration
|
|
|
|
|
type Image struct {
|
|
|
|
|
V1Image
|
2022-02-28 18:06:42 +00:00
|
|
|
|
|
|
|
|
// Parent is the ID of the parent image.
|
|
|
|
|
//
|
|
|
|
|
// Depending on how the image was created, this field may be empty and
|
|
|
|
|
// is only set for images that were built/created locally. This field
|
|
|
|
|
// is empty if the image was pulled from an image registry.
|
|
|
|
|
Parent ID `json:"parent,omitempty"` //nolint:govet
|
|
|
|
|
|
|
|
|
|
// RootFS contains information about the image's RootFS, including the
|
|
|
|
|
// layer IDs.
|
|
|
|
|
RootFS *RootFS `json:"rootfs,omitempty"`
|
|
|
|
|
History []History `json:"history,omitempty"`
|
|
|
|
|
|
|
|
|
|
// OsVersion is the version of the Operating System the image is built to
|
|
|
|
|
// run on (especially for Windows).
|
|
|
|
|
OSVersion string `json:"os.version,omitempty"`
|
|
|
|
|
OSFeatures []string `json:"os.features,omitempty"`
|
2015-07-20 17:57:15 +00:00
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// rawJSON caches the immutable JSON associated with this image.
|
|
|
|
|
rawJSON []byte
|
|
|
|
|
|
|
|
|
|
// computedID is the ID computed from the hash of the image config.
|
|
|
|
|
// Not to be confused with the legacy V1 ID in V1Image.
|
|
|
|
|
computedID ID
|
2015-07-20 17:57:15 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// RawJSON returns the immutable JSON associated with the image.
|
|
|
|
|
func (img *Image) RawJSON() []byte {
|
|
|
|
|
return img.rawJSON
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ID returns the image's content-addressable ID.
|
|
|
|
|
func (img *Image) ID() ID {
|
|
|
|
|
return img.computedID
|
2015-03-29 21:17:23 +00:00
|
|
|
}
|
2015-08-26 21:58:56 +00:00
|
|
|
|
2016-09-15 23:37:32 +00:00
|
|
|
// ImageID stringifies ID.
|
2016-01-20 23:32:02 +00:00
|
|
|
func (img *Image) ImageID() string {
|
2016-09-15 23:37:32 +00:00
|
|
|
return img.ID().String()
|
2016-01-20 23:32:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RunConfig returns the image's container config.
|
|
|
|
|
func (img *Image) RunConfig() *container.Config {
|
|
|
|
|
return img.Config
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-09 10:33:42 +00:00
|
|
|
// BaseImgArch returns the image's architecture. If not populated, defaults to the host runtime arch.
|
|
|
|
|
func (img *Image) BaseImgArch() string {
|
|
|
|
|
arch := img.Architecture
|
|
|
|
|
if arch == "" {
|
|
|
|
|
arch = runtime.GOARCH
|
|
|
|
|
}
|
|
|
|
|
return arch
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-26 22:12:43 +00:00
|
|
|
// BaseImgVariant returns the image's variant, whether populated or not.
|
|
|
|
|
// This avoids creating an inconsistency where the stored image variant
|
|
|
|
|
// is "greater than" (i.e. v8 vs v6) the actual image variant.
|
|
|
|
|
func (img *Image) BaseImgVariant() string {
|
|
|
|
|
return img.Variant
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-08 19:43:48 +00:00
|
|
|
// OperatingSystem returns the image's operating system. If not populated, defaults to the host runtime OS.
|
|
|
|
|
func (img *Image) OperatingSystem() string {
|
2017-05-16 21:35:28 +00:00
|
|
|
os := img.OS
|
|
|
|
|
if os == "" {
|
|
|
|
|
os = runtime.GOOS
|
|
|
|
|
}
|
|
|
|
|
return os
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// MarshalJSON serializes the image to JSON. It sorts the top-level keys so
|
|
|
|
|
// that JSON that's been manipulated by a push/pull cycle with a legacy
|
|
|
|
|
// registry won't end up with a different key order.
|
|
|
|
|
func (img *Image) MarshalJSON() ([]byte, error) {
|
|
|
|
|
type MarshalImage Image
|
2015-08-26 21:58:56 +00:00
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
pass1, err := json.Marshal(MarshalImage(*img))
|
2015-08-26 21:58:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var c map[string]*json.RawMessage
|
2015-11-18 22:18:07 +00:00
|
|
|
if err := json.Unmarshal(pass1, &c); err != nil {
|
2015-08-26 21:58:56 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return json.Marshal(c)
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-14 18:18:48 +00:00
|
|
|
// ChildConfig is the configuration to apply to an Image to create a new
|
|
|
|
|
// Child image. Other properties of the image are copied from the parent.
|
|
|
|
|
type ChildConfig struct {
|
|
|
|
|
ContainerID string
|
|
|
|
|
Author string
|
|
|
|
|
Comment string
|
|
|
|
|
DiffID layer.DiffID
|
|
|
|
|
ContainerConfig *container.Config
|
|
|
|
|
Config *container.Config
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-25 21:03:29 +00:00
|
|
|
// NewChildImage creates a new Image as a child of this image.
|
Windows: (WCOW) Generate OCI spec that remote runtime can escape
Signed-off-by: John Howard <jhoward@microsoft.com>
Also fixes https://github.com/moby/moby/issues/22874
This commit is a pre-requisite to moving moby/moby on Windows to using
Containerd for its runtime.
The reason for this is that the interface between moby and containerd
for the runtime is an OCI spec which must be unambigious.
It is the responsibility of the runtime (runhcs in the case of
containerd on Windows) to ensure that arguments are escaped prior
to calling into HCS and onwards to the Win32 CreateProcess call.
Previously, the builder was always escaping arguments which has
led to several bugs in moby. Because the local runtime in
libcontainerd had context of whether or not arguments were escaped,
it was possible to hack around in daemon/oci_windows.go with
knowledge of the context of the call (from builder or not).
With a remote runtime, this is not possible as there's rightly
no context of the caller passed across in the OCI spec. Put another
way, as I put above, the OCI spec must be unambigious.
The other previous limitation (which leads to various subtle bugs)
is that moby is coded entirely from a Linux-centric point of view.
Unfortunately, Windows != Linux. Windows CreateProcess uses a
command line, not an array of arguments. And it has very specific
rules about how to escape a command line. Some interesting reading
links about this are:
https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess
https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017
For this reason, the OCI spec has recently been updated to cater
for more natural syntax by including a CommandLine option in
Process.
What does this commit do?
Primary objective is to ensure that the built OCI spec is unambigious.
It changes the builder so that `ArgsEscaped` as commited in a
layer is only controlled by the use of CMD or ENTRYPOINT.
Subsequently, when calling in to create a container from the builder,
if follows a different path to both `docker run` and `docker create`
using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows
a RUN from the builder to control how to escape in the OCI spec.
It changes the builder so that when shell form is used for RUN,
CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line
using the original as put by the user in the dockerfile, not
the parsed version as a set of args which loses fidelity.
This command line is put into args[0] and `ArgsEscaped` is set
to true for CMD or ENTRYPOINT. A RUN statement does not commit
`ArgsEscaped` to the commited layer regardless or whether shell
or exec form were used.
2019-01-18 00:03:29 +00:00
|
|
|
func NewChildImage(img *Image, child ChildConfig, os string) *Image {
|
2017-05-14 18:18:48 +00:00
|
|
|
isEmptyLayer := layer.IsEmpty(child.DiffID)
|
2017-07-11 21:17:38 +00:00
|
|
|
var rootFS *RootFS
|
|
|
|
|
if img.RootFS != nil {
|
|
|
|
|
rootFS = img.RootFS.Clone()
|
|
|
|
|
} else {
|
2017-05-25 21:03:29 +00:00
|
|
|
rootFS = NewRootFS()
|
|
|
|
|
}
|
2017-07-11 21:17:38 +00:00
|
|
|
|
2017-05-14 18:18:48 +00:00
|
|
|
if !isEmptyLayer {
|
|
|
|
|
rootFS.Append(child.DiffID)
|
|
|
|
|
}
|
|
|
|
|
imgHistory := NewHistory(
|
|
|
|
|
child.Author,
|
|
|
|
|
child.Comment,
|
|
|
|
|
strings.Join(child.ContainerConfig.Cmd, " "),
|
|
|
|
|
isEmptyLayer)
|
|
|
|
|
|
|
|
|
|
return &Image{
|
|
|
|
|
V1Image: V1Image{
|
|
|
|
|
DockerVersion: dockerversion.Version,
|
|
|
|
|
Config: child.Config,
|
2018-04-09 10:33:42 +00:00
|
|
|
Architecture: img.BaseImgArch(),
|
2019-04-26 22:12:43 +00:00
|
|
|
Variant: img.BaseImgVariant(),
|
Windows: (WCOW) Generate OCI spec that remote runtime can escape
Signed-off-by: John Howard <jhoward@microsoft.com>
Also fixes https://github.com/moby/moby/issues/22874
This commit is a pre-requisite to moving moby/moby on Windows to using
Containerd for its runtime.
The reason for this is that the interface between moby and containerd
for the runtime is an OCI spec which must be unambigious.
It is the responsibility of the runtime (runhcs in the case of
containerd on Windows) to ensure that arguments are escaped prior
to calling into HCS and onwards to the Win32 CreateProcess call.
Previously, the builder was always escaping arguments which has
led to several bugs in moby. Because the local runtime in
libcontainerd had context of whether or not arguments were escaped,
it was possible to hack around in daemon/oci_windows.go with
knowledge of the context of the call (from builder or not).
With a remote runtime, this is not possible as there's rightly
no context of the caller passed across in the OCI spec. Put another
way, as I put above, the OCI spec must be unambigious.
The other previous limitation (which leads to various subtle bugs)
is that moby is coded entirely from a Linux-centric point of view.
Unfortunately, Windows != Linux. Windows CreateProcess uses a
command line, not an array of arguments. And it has very specific
rules about how to escape a command line. Some interesting reading
links about this are:
https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess
https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017
For this reason, the OCI spec has recently been updated to cater
for more natural syntax by including a CommandLine option in
Process.
What does this commit do?
Primary objective is to ensure that the built OCI spec is unambigious.
It changes the builder so that `ArgsEscaped` as commited in a
layer is only controlled by the use of CMD or ENTRYPOINT.
Subsequently, when calling in to create a container from the builder,
if follows a different path to both `docker run` and `docker create`
using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows
a RUN from the builder to control how to escape in the OCI spec.
It changes the builder so that when shell form is used for RUN,
CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line
using the original as put by the user in the dockerfile, not
the parsed version as a set of args which loses fidelity.
This command line is put into args[0] and `ArgsEscaped` is set
to true for CMD or ENTRYPOINT. A RUN statement does not commit
`ArgsEscaped` to the commited layer regardless or whether shell
or exec form were used.
2019-01-18 00:03:29 +00:00
|
|
|
OS: os,
|
2017-05-14 18:18:48 +00:00
|
|
|
Container: child.ContainerID,
|
|
|
|
|
ContainerConfig: *child.ContainerConfig,
|
|
|
|
|
Author: child.Author,
|
|
|
|
|
Created: imgHistory.Created,
|
|
|
|
|
},
|
|
|
|
|
RootFS: rootFS,
|
|
|
|
|
History: append(img.History, imgHistory),
|
|
|
|
|
OSFeatures: img.OSFeatures,
|
|
|
|
|
OSVersion: img.OSVersion,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-18 22:18:07 +00:00
|
|
|
// History stores build commands that were used to create an image
|
|
|
|
|
type History struct {
|
2016-12-13 14:15:08 +00:00
|
|
|
// Created is the timestamp at which the image was created
|
2015-11-18 22:18:07 +00:00
|
|
|
Created time.Time `json:"created"`
|
2022-02-28 18:06:42 +00:00
|
|
|
// Author is the name of the author that was specified when committing the
|
|
|
|
|
// image, or as specified through MAINTAINER (deprecated) in the Dockerfile.
|
2015-11-18 22:18:07 +00:00
|
|
|
Author string `json:"author,omitempty"`
|
2016-12-13 14:15:08 +00:00
|
|
|
// CreatedBy keeps the Dockerfile command used while building the image
|
2015-11-18 22:18:07 +00:00
|
|
|
CreatedBy string `json:"created_by,omitempty"`
|
2016-12-13 14:15:08 +00:00
|
|
|
// Comment is the commit message that was set when committing the image
|
2015-11-18 22:18:07 +00:00
|
|
|
Comment string `json:"comment,omitempty"`
|
|
|
|
|
// EmptyLayer is set to true if this history item did not generate a
|
|
|
|
|
// layer. Otherwise, the history item is associated with the next
|
|
|
|
|
// layer in the RootFS section.
|
|
|
|
|
EmptyLayer bool `json:"empty_layer,omitempty"`
|
2015-08-26 21:58:56 +00:00
|
|
|
}
|
|
|
|
|
|
2017-05-14 18:18:48 +00:00
|
|
|
// NewHistory creates a new history struct from arguments, and sets the created
|
|
|
|
|
// time to the current time in UTC
|
|
|
|
|
func NewHistory(author, comment, createdBy string, isEmptyLayer bool) History {
|
|
|
|
|
return History{
|
|
|
|
|
Author: author,
|
|
|
|
|
Created: time.Now().UTC(),
|
|
|
|
|
CreatedBy: createdBy,
|
|
|
|
|
Comment: comment,
|
|
|
|
|
EmptyLayer: isEmptyLayer,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-21 21:55:29 +00:00
|
|
|
// Equal compares two history structs for equality
|
|
|
|
|
func (h History) Equal(i History) bool {
|
|
|
|
|
if !h.Created.Equal(i.Created) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
i.Created = h.Created
|
|
|
|
|
|
|
|
|
|
return reflect.DeepEqual(h, i)
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-13 14:15:08 +00:00
|
|
|
// Exporter provides interface for loading and saving images
|
2015-11-18 22:18:07 +00:00
|
|
|
type Exporter interface {
|
2016-02-04 02:31:47 +00:00
|
|
|
Load(io.ReadCloser, io.Writer, bool) error
|
2015-11-18 22:18:07 +00:00
|
|
|
// TODO: Load(net.Context, io.ReadCloser, <- chan StatusMessage) error
|
|
|
|
|
Save([]string, io.Writer) error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewFromJSON creates an Image configuration from json.
|
|
|
|
|
func NewFromJSON(src []byte) (*Image, error) {
|
|
|
|
|
img := &Image{}
|
|
|
|
|
|
|
|
|
|
if err := json.Unmarshal(src, img); err != nil {
|
|
|
|
|
return nil, err
|
2015-08-26 21:58:56 +00:00
|
|
|
}
|
2015-11-18 22:18:07 +00:00
|
|
|
if img.RootFS == nil {
|
2016-12-13 14:15:08 +00:00
|
|
|
return nil, errors.New("invalid image JSON, no RootFS key")
|
2015-11-18 22:18:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
img.rawJSON = src
|
|
|
|
|
|
|
|
|
|
return img, nil
|
2015-08-26 21:58:56 +00:00
|
|
|
}
|