From 2c7e958673c945279f8e30d1ad162c460b9c0926 Mon Sep 17 00:00:00 2001 From: Kaustubh Dhokte Date: Thu, 24 Mar 2022 14:52:27 -0400 Subject: [PATCH] revert to v1.4.11 Signed-off-by: Kaustubh Dhokte --- .github/workflows/ci.yml | 12 +- .github/workflows/nightly.yml | 4 +- .github/workflows/release.yml | 2 +- .travis.yml | 2 +- .zuul/playbooks/containerd-build/run.yaml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- images/image.go | 55 -------- images/image_test.go | 150 ---------------------- releases/v1.4.12.toml | 23 ---- remotes/docker/fetcher.go | 4 - remotes/docker/resolver.go | 35 ++--- remotes/docker/schema1/converter.go | 9 +- version/version.go | 2 +- 14 files changed, 28 insertions(+), 276 deletions(-) delete mode 100644 images/image_test.go delete mode 100644 releases/v1.4.12.toml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8f7a3a7a6..4ee47e5d1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: - name: Install Go uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash @@ -82,7 +82,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash @@ -128,7 +128,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash @@ -166,7 +166,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash @@ -199,7 +199,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash @@ -285,7 +285,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index b050bbf18..1cb92a34b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Checkout uses: actions/checkout@v1 @@ -138,7 +138,7 @@ jobs: steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Checkout uses: actions/checkout@v1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d9e5a3eab..ec9971a4a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -62,7 +62,7 @@ jobs: - name: Install Go uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.8' - name: Set env shell: bash diff --git a/.travis.yml b/.travis.yml index 8314c796b..1726cf6d5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,7 +15,7 @@ os: - linux go: - - "1.16.10" + - "1.16.8" env: - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct diff --git a/.zuul/playbooks/containerd-build/run.yaml b/.zuul/playbooks/containerd-build/run.yaml index c3ebc7eae..815b4ec62 100644 --- a/.zuul/playbooks/containerd-build/run.yaml +++ b/.zuul/playbooks/containerd-build/run.yaml @@ -2,7 +2,7 @@ become: yes roles: - role: config-golang - go_version: '1.16.10' + go_version: '1.16.8' arch: arm64 tasks: - name: Build containerd diff --git a/Vagrantfile b/Vagrantfile index b31dfaa34..d1f30c559 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -77,7 +77,7 @@ Vagrant.configure("2") do |config| config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10", + 'GO_VERSION': ENV['GO_VERSION'] || "1.16.8", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index 020008ceb..875c457f0 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -10,7 +10,7 @@ # # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../ -ARG GOLANG_VERSION=1.16.10 +ARG GOLANG_VERSION=1.16.8 FROM golang:${GOLANG_VERSION} AS golang-base RUN mkdir -p /go/src/github.com/containerd/containerd diff --git a/images/image.go b/images/image.go index 2e42ca09a..1868ee88d 100644 --- a/images/image.go +++ b/images/image.go @@ -19,7 +19,6 @@ package images import ( "context" "encoding/json" - "fmt" "sort" "time" @@ -155,10 +154,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc return nil, err } - if err := validateMediaType(p, desc.MediaType); err != nil { - return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) - } - var manifest ocispec.Manifest if err := json.Unmarshal(p, &manifest); err != nil { return nil, err @@ -199,10 +194,6 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc return nil, err } - if err := validateMediaType(p, desc.MediaType); err != nil { - return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) - } - var idx ocispec.Index if err := json.Unmarshal(p, &idx); err != nil { return nil, err @@ -345,10 +336,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return nil, err } - if err := validateMediaType(p, desc.MediaType); err != nil { - return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) - } - // TODO(stevvooe): We just assume oci manifest, for now. There may be // subtle differences from the docker version. var manifest ocispec.Manifest @@ -364,10 +351,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return nil, err } - if err := validateMediaType(p, desc.MediaType); err != nil { - return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) - } - var index ocispec.Index if err := json.Unmarshal(p, &index); err != nil { return nil, err @@ -385,44 +368,6 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr return descs, nil } -// unknownDocument represents a manifest, manifest list, or index that has not -// yet been validated. -type unknownDocument struct { - MediaType string `json:"mediaType,omitempty"` - Config json.RawMessage `json:"config,omitempty"` - Layers json.RawMessage `json:"layers,omitempty"` - Manifests json.RawMessage `json:"manifests,omitempty"` - FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 -} - -// validateMediaType returns an error if the byte slice is invalid JSON or if -// the media type identifies the blob as one format but it contains elements of -// another format. -func validateMediaType(b []byte, mt string) error { - var doc unknownDocument - if err := json.Unmarshal(b, &doc); err != nil { - return err - } - if len(doc.FSLayers) != 0 { - return fmt.Errorf("media-type: schema 1 not supported") - } - switch mt { - case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: - if len(doc.Manifests) != 0 || - doc.MediaType == MediaTypeDockerSchema2ManifestList || - doc.MediaType == ocispec.MediaTypeImageIndex { - return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) - } - case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: - if len(doc.Config) != 0 || len(doc.Layers) != 0 || - doc.MediaType == MediaTypeDockerSchema2Manifest || - doc.MediaType == ocispec.MediaTypeImageManifest { - return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) - } - } - return nil -} - // RootFS returns the unpacked diffids that make up and images rootfs. // // These are used to verify that a set of layers unpacked to the expected diff --git a/images/image_test.go b/images/image_test.go deleted file mode 100644 index 3e88e5076..000000000 --- a/images/image_test.go +++ /dev/null @@ -1,150 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package images - -import ( - "encoding/json" - "testing" - - ocispec "github.com/opencontainers/image-spec/specs-go/v1" -) - -func TestValidateMediaType(t *testing.T) { - docTests := []struct { - mt string - index bool - }{ - {MediaTypeDockerSchema2Manifest, false}, - {ocispec.MediaTypeImageManifest, false}, - {MediaTypeDockerSchema2ManifestList, true}, - {ocispec.MediaTypeImageIndex, true}, - } - for _, tc := range docTests { - t.Run("manifest-"+tc.mt, func(t *testing.T) { - manifest := ocispec.Manifest{ - Config: ocispec.Descriptor{Size: 1}, - Layers: []ocispec.Descriptor{{Size: 2}}, - } - b, err := json.Marshal(manifest) - if err != nil { - t.Fatal("failed to marshal manifest", err) - } - - err = validateMediaType(b, tc.mt) - if tc.index { - if err == nil { - t.Error("manifest should not be a valid index") - } - } else { - if err != nil { - t.Error("manifest should be valid") - } - } - }) - t.Run("index-"+tc.mt, func(t *testing.T) { - index := ocispec.Index{ - Manifests: []ocispec.Descriptor{{Size: 1}}, - } - b, err := json.Marshal(index) - if err != nil { - t.Fatal("failed to marshal index", err) - } - - err = validateMediaType(b, tc.mt) - if tc.index { - if err != nil { - t.Error("index should be valid") - } - } else { - if err == nil { - t.Error("index should not be a valid manifest") - } - } - }) - } - - mtTests := []struct { - mt string - valid []string - invalid []string - }{{ - MediaTypeDockerSchema2Manifest, - []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, - []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, - }, { - ocispec.MediaTypeImageManifest, - []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, - []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, - }, { - MediaTypeDockerSchema2ManifestList, - []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, - []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, - }, { - ocispec.MediaTypeImageIndex, - []string{MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex}, - []string{MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest}, - }} - for _, tc := range mtTests { - for _, v := range tc.valid { - t.Run("valid-"+tc.mt+"-"+v, func(t *testing.T) { - doc := struct { - MediaType string `json:"mediaType"` - }{MediaType: v} - b, err := json.Marshal(doc) - if err != nil { - t.Fatal("failed to marshal document", err) - } - - err = validateMediaType(b, tc.mt) - if err != nil { - t.Error("document should be valid", err) - } - }) - } - for _, iv := range tc.invalid { - t.Run("invalid-"+tc.mt+"-"+iv, func(t *testing.T) { - doc := struct { - MediaType string `json:"mediaType"` - }{MediaType: iv} - b, err := json.Marshal(doc) - if err != nil { - t.Fatal("failed to marshal document", err) - } - - err = validateMediaType(b, tc.mt) - if err == nil { - t.Error("document should not be valid") - } - }) - } - } - t.Run("schema1", func(t *testing.T) { - doc := struct { - FSLayers []string `json:"fsLayers"` - }{FSLayers: []string{"1"}} - b, err := json.Marshal(doc) - if err != nil { - t.Fatal("failed to marshal document", err) - } - - err = validateMediaType(b, "") - if err == nil { - t.Error("document should not be valid") - } - - }) -} diff --git a/releases/v1.4.12.toml b/releases/v1.4.12.toml deleted file mode 100644 index 072d6959a..000000000 --- a/releases/v1.4.12.toml +++ /dev/null @@ -1,23 +0,0 @@ -# commit to be tagged for new release -commit = "HEAD" - -project_name = "containerd" -github_repo = "containerd/containerd" -match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" - -# previous release -previous = "v1.4.11" - -pre_release = false - -preface = """\ -The twelfth patch release for containerd 1.4 contains a few minor bug fixes -and an update to mitigate [CVE-2021-41190](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m). - -### Notable Updates - -* **Handle ambiguous OCI manifest parsing** ([GHSA-5j5w-g665-5m35](https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35)) -* **Update pull to try next mirror for non-404 errors** ([#5275](https://github.com/containerd/containerd/pull/5275)) -* **Update pull to handle of non-https urls in descriptors** ([#6221](https://github.com/containerd/containerd/pull/6221)) - -See the changelog for complete list of changes""" diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go index 4b2c10e9a..5796fbf4a 100644 --- a/remotes/docker/fetcher.go +++ b/remotes/docker/fetcher.go @@ -60,10 +60,6 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R log.G(ctx).WithError(err).Debug("failed to parse") continue } - if u.Scheme != "http" && u.Scheme != "https" { - log.G(ctx).Debug("non-http(s) alternative url is unsupported") - continue - } log.G(ctx).Debug("trying alternative url") // Try this first, parse it diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go index d6ccd7072..06b08dee8 100644 --- a/remotes/docker/resolver.go +++ b/remotes/docker/resolver.go @@ -229,10 +229,10 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp } var ( - firstErr error - paths [][]string - dgst = refspec.Digest() - caps = HostCapabilityPull + lastErr error + paths [][]string + dgst = refspec.Digest() + caps = HostCapabilityPull ) if dgst != "" { @@ -283,8 +283,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization") } // Store the error for referencing later - if firstErr == nil { - firstErr = err + if lastErr == nil { + lastErr = err } continue // try another host } @@ -294,14 +294,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp if resp.StatusCode == http.StatusNotFound { continue } - if resp.StatusCode > 399 { - // Set firstErr when encountering the first non-404 status code. - if firstErr == nil { - firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status) - } - continue // try another host - } - return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status) + return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status) } size := resp.ContentLength contentType := getManifestMediaType(resp) @@ -364,8 +357,8 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp } // Prevent resolving to excessively large manifests if size > MaxManifestSize { - if firstErr == nil { - firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) + if lastErr == nil { + lastErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref) } continue } @@ -381,15 +374,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp } } - // If above loop terminates without return, then there was an error. - // "firstErr" contains the first non-404 error. That is, "firstErr == nil" - // means that either no registries were given or each registry returned 404. - - if firstErr == nil { - firstErr = errors.Wrap(errdefs.ErrNotFound, ref) + if lastErr == nil { + lastErr = errors.Wrap(errdefs.ErrNotFound, ref) } - return "", ocispec.Descriptor{}, firstErr + return "", ocispec.Descriptor{}, lastErr } func (r *dockerResolver) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) { diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go index f15a9acf3..8314c01d5 100644 --- a/remotes/docker/schema1/converter.go +++ b/remotes/docker/schema1/converter.go @@ -256,9 +256,6 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) if err := json.Unmarshal(b, &m); err != nil { return err } - if len(m.Manifests) != 0 || len(m.Layers) != 0 { - return errors.New("converter: expected schema1 document but found extra keys") - } c.pulledManifest = &m return nil @@ -475,10 +472,8 @@ type history struct { } type manifest struct { - FSLayers []fsLayer `json:"fsLayers"` - History []history `json:"history"` - Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest - Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index + FSLayers []fsLayer `json:"fsLayers"` + History []history `json:"history"` } type v1History struct { diff --git a/version/version.go b/version/version.go index dab4a1656..77f581f7c 100644 --- a/version/version.go +++ b/version/version.go @@ -23,7 +23,7 @@ var ( Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.4.12+unknown" + Version = "1.4.11+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time. -- 2.25.1