containerimage: force oci-mediatypes for annotations/attestations

jedevc · jedevc · commit ec5084fccaa8 · 2022-08-26T10:07:15.000+01:00
The new annotations and attestations features both utilize annotations
in the oci image format. Many registries allow setting these annotation
fields on docker formats, however, notably, GCR will reject these
objects and only allow them for OCI media types.

To work around this, we enable oci-mediatypes when annotations that
require OCI are enabled by the user, printing a warning to the user,
similar to how we already do for stargz compression.

Signed-off-by: Justin Chadwell &lt;me@jedevc.com&gt;
diff --git a/client/client_test.go b/client/client_test.go
@@ -171,6 +171,7 @@ func TestIntegration(t *testing.T) {
 		testCallInfo,
 		testPullWithLayerLimit,
 		testExportAnnotations,
+		testExportAnnotationsMediaTypes,
 		testExportAttestations,
 	)
 	tests = append(tests, diffOpTestCases()...)
@@ -6306,6 +6307,125 @@ func testExportAnnotations(t *testing.T, sb integration.Sandbox) {
 	}
 }
 
+func testExportAnnotationsMediaTypes(t *testing.T, sb integration.Sandbox) {
+	requiresLinux(t)
+	c, err := New(sb.Context(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	p := platforms.DefaultSpec()
+	ps := []ocispecs.Platform{p}
+
+	frontend := func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+		res := gateway.NewResult()
+		expPlatforms := &exptypes.Platforms{
+			Platforms: make([]exptypes.Platform, len(ps)),
+		}
+		for i, p := range ps {
+			st := llb.Scratch().File(
+				llb.Mkfile("platform", 0600, []byte(platforms.Format(p))),
+			)
+
+			def, err := st.Marshal(ctx)
+			if err != nil {
+				return nil, err
+			}
+
+			r, err := c.Solve(ctx, gateway.SolveRequest{
+				Definition: def.ToPB(),
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			ref, err := r.SingleRef()
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = ref.ToState()
+			if err != nil {
+				return nil, err
+			}
+
+			k := platforms.Format(p)
+			res.AddRef(k, ref)
+
+			expPlatforms.Platforms[i] = exptypes.Platform{
+				ID:       k,
+				Platform: p,
+			}
+		}
+		dt, err := json.Marshal(expPlatforms)
+		if err != nil {
+			return nil, err
+		}
+		res.AddMeta(exptypes.ExporterPlatformsKey, dt)
+
+		return res, nil
+	}
+
+	target := "testannotationsmedia:1"
+	_, err = c.Build(sb.Context(), SolveOpt{
+		Exports: []ExportEntry{
+			{
+				Type: ExporterImage,
+				Attrs: map[string]string{
+					"name":                  target,
+					"annotation-manifest.x": "y",
+				},
+			},
+		},
+	}, "", frontend, nil)
+	require.NoError(t, err)
+
+	target2 := "testannotationsmedia:2"
+	_, err = c.Build(sb.Context(), SolveOpt{
+		Exports: []ExportEntry{
+			{
+				Type: ExporterImage,
+				Attrs: map[string]string{
+					"name":               target2,
+					"annotation-index.x": "y",
+				},
+			},
+		},
+	}, "", frontend, nil)
+	require.NoError(t, err)
+
+	ctx := namespaces.WithNamespace(sb.Context(), "buildkit")
+	cdAddress := sb.ContainerdAddress()
+	if cdAddress != "" {
+		client, err := newContainerd(cdAddress)
+		require.NoError(t, err)
+		defer client.Close()
+
+		// test annotation in manifest
+		img, err := client.GetImage(ctx, target)
+		require.NoError(t, err)
+
+		var index ocispecs.Index
+		indexBytes, err := content.ReadBlob(ctx, client.ContentStore(), img.Target())
+		require.NoError(t, err)
+		require.NoError(t, json.Unmarshal(indexBytes, &index))
+		require.Equal(t, images.MediaTypeDockerSchema2ManifestList, index.MediaType)
+
+		mfst, err := images.Manifest(ctx, client.ContentStore(), img.Target(), platforms.Only(p))
+		require.NoError(t, err)
+		require.Equal(t, "y", mfst.Annotations["x"])
+
+		// test annotation in index
+		img, err = client.GetImage(ctx, target2)
+		require.NoError(t, err)
+
+		indexBytes, err = content.ReadBlob(ctx, client.ContentStore(), img.Target())
+		require.NoError(t, err)
+		require.NoError(t, json.Unmarshal(indexBytes, &index))
+		require.Equal(t, ocispecs.MediaTypeImageIndex, index.MediaType)
+		require.Equal(t, "y", index.Annotations["x"])
+	}
+}
+
 func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 	requiresLinux(t)
 	c, err := New(sb.Context(), sb.Address())
@@ -6443,6 +6563,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 	atts := imgs.Filter("unknown/unknown")
 	require.Equal(t, len(ps), len(atts.Images))
 	for i, att := range atts.Images {
+		require.Equal(t, ocispecs.MediaTypeImageManifest, att.Desc.MediaType)
 		require.Equal(t, "unknown/unknown", platforms.Format(*att.Desc.Platform))
 		require.Equal(t, "unknown/unknown", att.Img.OS+"/"+att.Img.Architecture)
 		require.Equal(t, attestation.DockerAnnotationReferenceTypeDefault, att.Desc.Annotations[attestation.DockerAnnotationReferenceType])
diff --git a/exporter/containerimage/export.go b/exporter/containerimage/export.go
@@ -78,8 +78,7 @@ func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exp
 			RefCfg: cacheconfig.RefConfig{
 				Compression: compression.New(compression.Default),
 			},
-			BuildInfo:   true,
-			Annotations: make(AnnotationsGroup),
+			BuildInfo: true,
 		},
 		store: true,
 	}
@@ -210,7 +209,7 @@ func (e *imageExporterInstance) Export(ctx context.Context, src *exporter.Source
 	if err != nil {
 		return nil, err
 	}
-	opts.Annotations = as.Merge(opts.Annotations)
+	opts.AddAnnotations(as)
 
 	ctx, done, err := leaseutil.WithLease(ctx, e.opt.LeaseManager, leaseutil.MakeTemporary)
 	if err != nil {
diff --git a/exporter/containerimage/opts.go b/exporter/containerimage/opts.go
@@ -42,7 +42,6 @@ func (c *ImageCommitOpts) Load(opt map[string]string) (map[string]string, error)
 	if err != nil {
 		return nil, err
 	}
-	c.Annotations = as
 	opt = toStringMap(optb)
 
 	for k, v := range opt {
@@ -91,14 +90,42 @@ func (c *ImageCommitOpts) Load(opt map[string]string) (map[string]string, error)
 		}
 	}
 
-	if esgz && !c.OCITypes {
-		logrus.Warn("forcibly turning on oci-mediatype mode for estargz")
-		c.OCITypes = true
+	if esgz {
+		c.EnableOCITypes("estargz")
 	}
 
+	c.AddAnnotations(as)
+
 	return rest, nil
 }
 
+func (c *ImageCommitOpts) AddAnnotations(annotations AnnotationsGroup) {
+	if annotations == nil {
+		return
+	}
+	if c.Annotations == nil {
+		c.Annotations = AnnotationsGroup{}
+	}
+	c.Annotations = c.Annotations.Merge(annotations)
+	for _, a := range annotations {
+		if len(a.Index)+len(a.IndexDescriptor)+len(a.ManifestDescriptor) > 0 {
+			c.EnableOCITypes("annotations")
+		}
+	}
+}
+
+func (c *ImageCommitOpts) EnableOCITypes(reason string) {
+	if !c.OCITypes {
+		message := "forcibly turning on oci-mediatype mode"
+		if reason != "" {
+			message += " for " + reason
+		}
+		logrus.Warn(message)
+
+		c.OCITypes = true
+	}
+}
+
 func parseBool(dest *bool, key string, value string) error {
 	b, err := strconv.ParseBool(value)
 	if err != nil {
diff --git a/exporter/containerimage/writer.go b/exporter/containerimage/writer.go
@@ -99,12 +99,16 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 		return mfstDesc, nil
 	}
 
-	refCount := len(p.Platforms)
+	attestCount := 0
 	for _, attests := range inp.Attestations {
-		refCount += len(attests)
+		attestCount += len(attests)
 	}
-	if refCount != len(inp.Refs) {
-		return nil, errors.Errorf("number of required refs does not match references %d %d", refCount, len(inp.Refs))
+	if count := attestCount + len(p.Platforms); count != len(inp.Refs) {
+		return nil, errors.Errorf("number of required refs does not match references %d %d", count, len(inp.Refs))
+	}
+
+	if attestCount > 0 {
+		opts.EnableOCITypes("attestations")
 	}
 
 	refs := make([]cache.ImmutableRef, 0, len(inp.Refs))
diff --git a/exporter/oci/export.go b/exporter/oci/export.go
@@ -57,9 +57,8 @@ func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exp
 			RefCfg: cacheconfig.RefConfig{
 				Compression: compression.New(compression.Default),
 			},
-			BuildInfo:   true,
-			OCITypes:    e.opt.Variant == VariantOCI,
-			Annotations: make(containerimage.AnnotationsGroup),
+			BuildInfo: true,
+			OCITypes:  e.opt.Variant == VariantOCI,
 		},
 	}
 
@@ -110,7 +109,7 @@ func (e *imageExporterInstance) Export(ctx context.Context, src *exporter.Source
 	if err != nil {
 		return nil, err
 	}
-	opts.Annotations = as.Merge(opts.Annotations)
+	opts.AddAnnotations(as)
 
 	ctx, done, err := leaseutil.WithLease(ctx, e.opt.LeaseManager, leaseutil.MakeTemporary)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -99,12 +99,16 @@ func (ic ImageWriter) Commit(ctx context.Context, inp exporter.Source, session`
`99`	`99`	`return mfstDesc, nil`
`100`	`100`	`}`
`101`	`101`
`102`		`- refCount := len(p.Platforms)`
	`102`	`+ attestCount := 0`
`103`	`103`	`for _, attests := range inp.Attestations {`
`104`		`- refCount += len(attests)`
	`104`	`+ attestCount += len(attests)`
`105`	`105`	`}`
`106`		`- if refCount != len(inp.Refs) {`
`107`		`- return nil, errors.Errorf("number of required refs does not match references %d %d", refCount, len(inp.Refs))`
	`106`	`+ if count := attestCount + len(p.Platforms); count != len(inp.Refs) {`
	`107`	`+ return nil, errors.Errorf("number of required refs does not match references %d %d", count, len(inp.Refs))`
	`108`	`+ }`
	`109`	`+`
	`110`	`+ if attestCount > 0 {`
	`111`	`+ opts.EnableOCITypes("attestations")`
`108`	`112`	`}`
`109`	`113`
`110`	`114`	`refs := make([]cache.ImmutableRef, 0, len(inp.Refs))`