ggcr: panic on getting image layers with config `application/vnd.buildkit.cacheconfig.v0` from tar

[bthuilot]

Describe the bug

When calling v1.Image.Layers() from an imported 'tar' image whose config is media type application/vnd.buildkit.cacheconfig.v0, the function will panic.

This is due to the layer code attempting to read layer information from DiffIDs array which does not exist in the cacheconfig type (linked here).

To Reproduce

1. Export a build cache image to tar using tarball.WriteToFile()
2. Import the tar using the tarball.ImageFromPath()
3. Call the Layers() function

Below is a script that will reproduce, if the first CLI argument is a reference to a build cache image

package main

import (
	"fmt"
	"os"
	"path"

	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/google/go-containerregistry/pkg/v1/tarball"
)

func main() {
	if len(os.Args) < 2 {
		fmt.Println("please provide the image reference as an arugment")
		os.Exit(1)
	}

	imageRef, err := name.ParseReference(os.Args[1])
	if err != nil {
		fmt.Println("unable to parse name reference", err)
		os.Exit(1)
	}

	remoteImg, err := remote.Image(imageRef, remote.WithAuthFromKeychain(authn.DefaultKeychain))
	if err != nil {
		fmt.Println("unable to get remote image", err)
		os.Exit(1)
	}
	
	tmpTar := path.Join(os.TempDir(), "test.tar")
	defer func() {
		if err = os.Remove(tmpTar); err != nil {
			fmt.Println("error removing tar", err)
		}
	}()
	fmt.Printf("writing tar to %s\n", tmpTar)

	if err = tarball.WriteToFile(tmpTar, imageRef, remoteImg); err != nil {
		fmt.Println("unable to get write image", err)
		os.Exit(1)
	}

	fmt.Println("importing image")
	img, err := tarball.ImageFromPath(tmpTar, nil)

	if err != nil {
		fmt.Println("unable to read exported image", err)
		os.Exit(1)
	}

	fmt.Println("getting layers")
	layers, err := img.Layers() // this will panic
	if err != nil {
		fmt.Println("unable to get layers", err)
		os.Exit(1)
	}

	fmt.Printf("found %d layers\n", len(layers))
}

Expected behavior

Layers() should still return as expected, with []v1.Layer

Additional context

A Build cache image can be built & pushed to registry via the github action docker/build-push-action and setting cache-to: type=registry,ref=$REF where $REF is the image ref to push the cache to

[imjasonh]

Thanks for the repro. I don't have the ability to easily generate a build cache image, can you push one to some public registry? (ideally free of sensitive information)

And/or, could you add the specific panic stacktrace you get in your repro script in this case?

[bthuilot]

@imjasonh I ended up finding a somewhat hacky way to get a cached image locally. It seems that when docker uses a registry to store the cache it will preform a push so I just ran a local registry and stored the image there.

1. Run a locally registry at localhost:5000 using docker

   docker run --rm -it -p 5000:5000 --name registry registry:latest

2. Build a docker image using cache, below is a simple Dockerfile and the command to build it

   FROM ubuntu:latest
   
   WORKDIR /build
   RUN apt-get update && apt-get install -y build-essential
   
   ADD https://home.adelphi.edu/sbloch/class/archive/271/fall2011/examples/c/mycat.c /build/main.c
   
   RUN gcc main.c -o /entrypoint
   
   ENTRYPOINT ["/entrypoint"]

   Then run

   docker buildx build . -t test-image:local --cache-to type=registry,ref=localhost:5000/test-image:cache

3. Run the above script with go run main.go localhost:5000/test-image:cache and you should see the panic

    writing tar to /var/folders/jw/j1jm7xns62b632dpqsdbvq6m0000gn/T/test.tar
    importing image
    getting layers
    panic: runtime error: index out of range [0] with length 0
    
    goroutine 1 [running]:
    github.com/google/go-containerregistry/pkg/v1/tarball.(*compressedImage).Manifest(0x140002265e8)
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/tarball/image.go:368 +0x6ac
    github.com/google/go-containerregistry/pkg/v1/partial.RawManifest({0x100b8f6c8?, 0x140002265e8?})
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/partial/with.go:177 +0x2c
    github.com/google/go-containerregistry/pkg/v1/tarball.(*compressedImage).RawManifest(0x1400002bb88?)
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/tarball/image.go:394 +0x28
    github.com/google/go-containerregistry/pkg/v1/partial.Manifest({0x100b90520?, 0x1400020ead0?})
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/partial/with.go:162 +0x2c
    github.com/google/go-containerregistry/pkg/v1/partial.(*compressedImageExtender).Manifest(0x1400002bbf8?)
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/partial/compressed.go:175 +0x28
    github.com/google/go-containerregistry/pkg/v1/partial.FSLayers({0x100b90560?, 0x1400020ead0?})
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/partial/with.go:195 +0x30
    github.com/google/go-containerregistry/pkg/v1/partial.(*compressedImageExtender).Layers(0x1400020ead0)
    	/home/user/go/pkg/mod/github.com/google/go-containerregistry@v0.20.7/pkg/v1/partial/compressed.go:135 +0x30
    main.main()
    	/home/user/build/test-docker/main.go:54 +0x3f0
    exit status 2