Remote content store can exceed grpc size limits when performing a write #11440

@jsternberg

Description

When utilizing the content store returned from the containerd client here, it is possible to send writes that exceed the grpc limits of the connection through the io.Writer obtained from the Writer method.

This bug causes an error in downstream buildkit which uses these APIs to write content, such as SBOMs, directly to the content store.

When content.WriteBlob is used to write content to the content store, it invokes Copy which invokes copyWithBuffer. If the io.Reader implements io.WriterTo, it will use that method instead of copying in chunks. The bytes.Buffer type implements io.WriterTo and the implementation just sends the entire byte chunk all at once to the Write method.

The easiest way to fix this problem for all code that runs into this situation would be to have the io.Writer for the client connection implement the buffered sending in multiple byte chunks rather than relying on the copy code.

Steps to reproduce the issue

  1. Obtain a ContentStore from the client.
  2. Create a very large binary blob that exceeds 16 << 20 bytes in length and put it in bytes.Buffer.
  3. Use content.WriteBlob to attempt to write it.

Sample patch to the integration tests that causes the failure.

containerd-integration-client.patch

Describe the results you received and expected

I expected the call to succeed. The call will fail with an error similar to:

error writing data blob sha256:<digest>: failed to copy: failed to send write: trying to send message larger than max (<large byte size> vs. 16777216): unknown

What version of containerd are you using?

main

Any other relevant information

No response

Show configuration if it is related to CRI plugin.

No response
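
The failure mode and the writer-side fix proposed in the issue, as an added example that is not containerd's code or part of the original report. It assumes hypothetical `limitedWriter` and `chunkedWriter` types, a scaled-down `maxMsg` in place of the 16 << 20 gRPC limit, and the standard library's `io.Copy`, which takes the same `io.WriterTo` shortcut the issue describes for `copyWithBuffer`.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// maxMsg stands in for the 16 << 20 byte gRPC limit, scaled down for the demo.
const maxMsg = 16 << 10

// limitedWriter (hypothetical) models the remote writer: one Write, one message.
type limitedWriter struct{ calls int }

func (w *limitedWriter) Write(p []byte) (int, error) {
	if len(p) > maxMsg {
		return 0, fmt.Errorf("message larger than max (%d vs. %d)", len(p), maxMsg)
	}
	w.calls++
	return len(p), nil
}

// chunkedWriter (hypothetical) splits each Write into pieces of at most maxMsg bytes.
type chunkedWriter struct{ w io.Writer }

func (c chunkedWriter) Write(p []byte) (written int, err error) {
	for len(p) > 0 && err == nil {
		n := len(p)
		if n > maxMsg {
			n = maxMsg
		}
		var m int
		if m, err = c.w.Write(p[:n]); err == nil && m < n {
			err = io.ErrShortWrite
		}
		written, p = written+m, p[m:]
	}
	return written, err
}

// copyBlob uses io.Copy, which calls Buffer.WriteTo: one Write with the whole blob.
func copyBlob(dst io.Writer, n int) error {
	_, err := io.Copy(dst, bytes.NewBuffer(make([]byte, n)))
	return err
}

func main() {
	fmt.Println("direct: ", copyBlob(&limitedWriter{}, 5*maxMsg+1))
	fmt.Println("chunked:", copyBlob(chunkedWriter{&limitedWriter{}}, 5*maxMsg+1))
}
```

Because the chunking lives in the writer, callers that pass a `bytes.Buffer` need no changes.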
