Add support for BASHBREW_BUILDKIT_SBOM_GENERATOR and provenance

tianon · tianon · commit eeaf85b4d283 · 2023-03-02T14:40:46.000-08:00
Since Docker's image store can't represent these, we round trip them through our self-managed (or external) containerd image store, which also makes pushing more efficient.
diff --git a/cmd/bashbrew/cmd-build.go b/cmd/bashbrew/cmd-build.go
@@ -81,7 +81,11 @@ func cmdBuild(c *cli.Context) error {
 			tags := append([]string{cacheTag}, imageTags...)
 
 			// check whether we've already built this artifact
-			_, err = dockerInspect("{{.Id}}", cacheTag)
+			cachedDesc, err := containerdImageLookup(cacheTag)
+			if err != nil {
+				cachedDesc = nil
+				_, err = dockerInspect("{{.Id}}", cacheTag)
+			}
 			if err != nil {
 				fmt.Printf("Building %s (%s)\n", cacheTag, r.EntryIdentifier(entry))
 				if !dryRun {
@@ -116,13 +120,13 @@ func cmdBuild(c *cli.Context) error {
 						archive.Close() // be sure this happens sooner rather than later (defer might take a while, and we want to reap zombies more aggressively)
 
 					case "oci-import":
-						err := ociImportBuild(tags, commit, entry.ArchDirectory(arch), entry.ArchFile(arch))
+						desc, err := ociImportBuild(tags, commit, entry.ArchDirectory(arch), entry.ArchFile(arch))
 						if err != nil {
 							return cli.NewMultiError(fmt.Errorf(`failed oci-import build of %q (tags %q)`, r.RepoName, entry.TagsString()), err)
 						}
 
-						fmt.Printf("Importing %s into Docker\n", r.EntryIdentifier(entry))
-						err = ociImportDockerLoad(imageTags)
+						fmt.Printf("Importing %s (%s) into Docker\n", r.EntryIdentifier(entry), desc.Digest)
+						err = containerdDockerLoad(*desc, imageTags)
 						if err != nil {
 							return cli.NewMultiError(fmt.Errorf(`failed oci-import into Docker of %q (tags %q)`, r.RepoName, entry.TagsString()), err)
 						}
@@ -135,11 +139,19 @@ func cmdBuild(c *cli.Context) error {
 				fmt.Printf("Using %s (%s)\n", cacheTag, r.EntryIdentifier(entry))
 
 				if !dryRun {
-					// https://github.com/docker-library/bashbrew/pull/61/files#r1044926620
-					// abusing "docker build" for "tag something a lot of times, but efficiently" 👀
-					err := dockerBuild(imageTags, "", strings.NewReader("FROM "+cacheTag), "")
-					if err != nil {
-						return cli.NewMultiError(fmt.Errorf(`failed tagging %q: %q`, cacheTag, strings.Join(imageTags, ", ")), err)
+					if cachedDesc == nil {
+						// https://github.com/docker-library/bashbrew/pull/61#discussion_r1044926620
+						// abusing "docker build" for "tag something a lot of times, but efficiently" 👀
+						err := dockerBuild(imageTags, "", strings.NewReader("FROM "+cacheTag), "")
+						if err != nil {
+							return cli.NewMultiError(fmt.Errorf(`failed tagging %q: %q`, cacheTag, strings.Join(imageTags, ", ")), err)
+						}
+					} else {
+						fmt.Printf("Importing %s into Docker\n", cachedDesc.Digest)
+						err = containerdDockerLoad(*cachedDesc, tags)
+						if err != nil {
+							return cli.NewMultiError(fmt.Errorf(`failed (re-)import into Docker of %q (tags %q)`, r.RepoName, entry.TagsString()), err)
+						}
 					}
 				}
 			}
diff --git a/cmd/bashbrew/cmd-list.go b/cmd/bashbrew/cmd-list.go
@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"path"
 
-	"github.com/urfave/cli"
 	"github.com/docker-library/bashbrew/manifest"
+	"github.com/urfave/cli"
 )
 
 func cmdList(c *cli.Context) error {
diff --git a/cmd/bashbrew/cmd-parents.go b/cmd/bashbrew/cmd-parents.go
@@ -33,7 +33,7 @@ func cmdParents(c *cli.Context) error {
 				if err != nil {
 					var (
 						manifestNotFoundErr manifest.ManifestNotFoundError
-						tagNotFoundErr manifest.TagNotFoundError
+						tagNotFoundErr      manifest.TagNotFoundError
 					)
 					if d != depth && (errors.As(err, &manifestNotFoundErr) || errors.As(err, &tagNotFoundErr)) {
 						// if this repo isn't one of the original top-level arguments and our error is just that it's not a supported tag, walk no further ("FROM mcr.microsoft.com/...", etc)
diff --git a/cmd/bashbrew/cmd-push.go b/cmd/bashbrew/cmd-push.go
@@ -49,17 +49,19 @@ func cmdPush(c *cli.Context) error {
 				tags = append(tags, tag)
 			}
 
-			switch builder := entry.ArchBuilder(arch); builder {
-			case "oci-import":
-				cacheTag, err := r.DockerCacheName(entry)
-				if err != nil {
-					return cli.NewMultiError(fmt.Errorf(`failed calculating "cache hash" for %q (tags %q)`, r.RepoName, entry.TagsString()), err)
-				}
-				desc, err := ociImportLookup(cacheTag)
-				if err != nil {
-					return cli.NewMultiError(fmt.Errorf(`failed looking up descriptor for %q (tags %q)`, r.RepoName, entry.TagsString()), err)
+			// if we can't successfully calculate our "cache hash", we can't possibly have built the image we're trying to push 🙈
+			cacheTag, err := r.DockerCacheName(entry)
+			if err != nil {
+				return cli.NewMultiError(fmt.Errorf(`failed calculating "cache hash" for %q (tags %q)`, r.RepoName, entry.TagsString()), err)
+			}
+
+			// if the appropriate "bashbrew/cache:xxx" image exists in the containerd image store, we should prefer that (the nature of the cache hash should make this assumption safe)
+			desc, err := containerdImageLookup(cacheTag)
+			if err == nil {
+				if debugFlag {
+					fmt.Printf("Found %s (via %q) in containerd image store\n", desc.Digest, cacheTag)
 				}
-				skip, update, err := ociImportPushFilter(*desc, tags)
+				skip, update, err := containerdPushFilter(*desc, tags)
 				if err != nil {
 					return cli.NewMultiError(fmt.Errorf(`failed looking up tags for %q (tags %q)`, r.RepoName, entry.TagsString()), err)
 				}
@@ -71,20 +73,33 @@ func cmdPush(c *cli.Context) error {
 				}
 				fmt.Printf("Pushing %s to %s\n", desc.Digest, strings.Join(update, ", "))
 				if !dryRun {
-					err := ociImportPush(*desc, update)
+					err := containerdPush(*desc, update)
 					if err != nil {
 						return cli.NewMultiError(fmt.Errorf(`failed pushing %q`, r.EntryIdentifier(entry)), err)
 					}
 				}
+				return nil
+			}
+
+			switch builder := entry.ArchBuilder(arch); builder {
+			case "oci-import":
+				// if after all that checking above, we still didn't push, then we must've failed to lookup
+				return cli.NewMultiError(fmt.Errorf(`failed looking up descriptor for %q (tags %q)`, r.RepoName, entry.TagsString()), err)
 
 			default:
 			TagsLoop:
 				for _, tag := range tags {
 					if !force {
-						localImageId, _ := dockerInspect("{{.Id}}", tag)
+						localImageId, err := dockerInspect("{{.Id}}", tag)
+						if err != nil {
+							return cli.NewMultiError(fmt.Errorf(`failed looking up local image ID for %q`, tag), err)
+						}
 						if debugFlag {
 							fmt.Printf("DEBUG: docker inspect %q -> %q\n", tag, localImageId)
 						}
+						if localImageId == "" {
+							return fmt.Errorf("local image for %q does not seem to exist (or has an empty ID somehow)", tag)
+						}
 						registryImageIds := fetchRegistryImageIds(tag)
 						if debugFlag {
 							fmt.Printf("DEBUG: registry inspect %q -> %+v\n", tag, registryImageIds)
diff --git a/cmd/bashbrew/config.go b/cmd/bashbrew/config.go
@@ -8,8 +8,8 @@ import (
 	"os"
 	"strings"
 
-	"github.com/urfave/cli"
 	"github.com/docker-library/bashbrew/pkg/stripper"
+	"github.com/urfave/cli"
 	"pault.ag/go/debian/control"
 )
 
diff --git a/cmd/bashbrew/containerd.go b/cmd/bashbrew/containerd.go
@@ -42,7 +42,7 @@ var containerdClientCache *containerd.Client = nil
 
 // the returned client is cached, don't Close() it!
 func newContainerdClient(ctx context.Context) (context.Context, *containerd.Client, error) {
-	ns := "bashbrew"
+	ns := "bashbrew-" + arch
 	for _, envKey := range []string{
 		`BASHBREW_CONTAINERD_NAMESPACE`,
 		`CONTAINERD_NAMESPACE`,
diff --git a/cmd/bashbrew/docker.go b/cmd/bashbrew/docker.go
@@ -291,7 +291,11 @@ func dockerBuild(tags []string, file string, context io.Reader, platform string)
 	}
 }
 
-const dockerfileSyntaxEnv = "BASHBREW_BUILDKIT_SYNTAX"
+const (
+	dockerfileSyntaxEnv = "BASHBREW_BUILDKIT_SYNTAX"
+	sbomGeneratorEnv    = "BASHBREW_BUILDKIT_SBOM_GENERATOR"
+	buildxBuilderEnv    = "BUILDX_BUILDER"
+)
 
 func dockerBuildxBuild(tags []string, file string, context io.Reader, platform string) error {
 	dockerfileSyntax, ok := os.LookupEnv(dockerfileSyntaxEnv)
@@ -305,26 +309,88 @@ func dockerBuildxBuild(tags []string, file string, context io.Reader, platform s
 		"--progress", "plain",
 		"--build-arg", "BUILDKIT_SYNTAX=" + dockerfileSyntax,
 	}
+	buildxBuilder := "" != os.Getenv(buildxBuilderEnv)
+	if buildxBuilder {
+		args = append(args, "--provenance", "mode=max")
+	}
+	if sbomGenerator, ok := os.LookupEnv(sbomGeneratorEnv); ok {
+		if buildxBuilder {
+			args = append(args, "--sbom", "generator="+sbomGenerator)
+		} else {
+			return fmt.Errorf("have %q but missing %q", sbomGeneratorEnv, buildxBuilderEnv)
+		}
+	}
 	if platform != "" {
 		args = append(args, "--platform", platform)
 	}
 	for _, tag := range tags {
 		args = append(args, "--tag", tag)
 	}
-	args = append(args, "--file", file, "-")
+	if file != "" {
+		args = append(args, "--file", file)
+	}
+	args = append(args, "-")
+
+	if buildxBuilder {
+		args = append(args, "--output", "type=oci")
+		// TODO ,annotation.xyz.tianon.foo=bar,annotation-manifest-descriptor.xyz.tianon.foo=bar (for OCI source annotations, which this function doesn't currently have access to)
+	}
 
 	cmd := exec.Command("docker", args...)
 	cmd.Stdin = context
+
+	run := func() error {
+		return cmd.Run()
+	}
+	if buildxBuilder {
+		run = func() error {
+			pipe, err := cmd.StdoutPipe()
+			if err != nil {
+				return err
+			}
+			defer pipe.Close()
+
+			err = cmd.Start()
+			if err != nil {
+				return err
+			}
+			defer cmd.Process.Kill()
+
+			_, err = containerdImageLoad(pipe)
+			if err != nil {
+				return err
+			}
+			pipe.Close()
+
+			err = cmd.Wait()
+			if err != nil {
+				return err
+			}
+
+			desc, err := containerdImageLookup(tags[0])
+			if err != nil {
+				return err
+			}
+
+			fmt.Printf("Importing %s into Docker\n", desc.Digest)
+			err = containerdDockerLoad(*desc, tags)
+			if err != nil {
+				return err
+			}
+
+			return nil
+		}
+	}
+
+	// intentionally not touching os.Stdout because "buildx build" does *not* put any build output to stdout and in some cases (see above) we use stdout to capture an OCI tarball and pipe it into containerd
 	if debugFlag {
-		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		fmt.Printf("$ docker %q\n", args)
-		return cmd.Run()
+		return run()
 	} else {
 		buf := &bytes.Buffer{}
-		cmd.Stdout = buf
 		cmd.Stderr = buf
-		err := cmd.Run()
+		err := run()
 		if err != nil {
 			err = cli.NewMultiError(err, fmt.Errorf(`docker %q output:%s`, args, "\n"+buf.String()))
 		}
diff --git a/cmd/bashbrew/oci-builder.go b/cmd/bashbrew/oci-builder.go
diff --git a/pkg/gitfs/fs.go b/pkg/gitfs/fs.go
diff --git a/registry/docker-auth.go b/registry/docker-auth.go

Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,8 @@ import (`
`4`	`4`	`"fmt"`
`5`	`5`	`"path"`
`6`	`6`
`7`		`- "github.com/urfave/cli"`
`8`	`7`	`"github.com/docker-library/bashbrew/manifest"`
	`8`	`+ "github.com/urfave/cli"`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`func cmdList(c *cli.Context) error {`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func cmdParents(c *cli.Context) error {`
`33`	`33`	`if err != nil {`
`34`	`34`	`var (`
`35`	`35`	`manifestNotFoundErr manifest.ManifestNotFoundError`
`36`		`- tagNotFoundErr manifest.TagNotFoundError`
	`36`	`+ tagNotFoundErr manifest.TagNotFoundError`
`37`	`37`	`)`
`38`	`38`	`if d != depth && (errors.As(err, &manifestNotFoundErr) \|\| errors.As(err, &tagNotFoundErr)) {`
`39`	`39`	`// if this repo isn't one of the original top-level arguments and our error is just that it's not a supported tag, walk no further ("FROM mcr.microsoft.com/...", etc)`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,8 @@ import (`
`8`	`8`	`"os"`
`9`	`9`	`"strings"`
`10`	`10`
`11`		`- "github.com/urfave/cli"`
`12`	`11`	`"github.com/docker-library/bashbrew/pkg/stripper"`
	`12`	`+ "github.com/urfave/cli"`
`13`	`13`	`"pault.ag/go/debian/control"`
`14`	`14`	`)`
`15`	`15`