Merge pull request #6423 from jsternberg/v0.26.3-picks

jsternberg · web-flow · commit c70e8e666f8f · 2025-12-16T13:06:30.000-06:00
[v0.26] cherry-picks for v0.26.3
diff --git a/Dockerfile b/Dockerfile
@@ -316,7 +316,7 @@ ARG NYDUS_VERSION
 ARG TARGETOS
 ARG TARGETARCH
 SHELL ["/bin/bash", "-c"]
-RUN wget https://github.com/dragonflyoss/image-service/releases/download/$NYDUS_VERSION/nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz
+RUN wget https://github.com/dragonflyoss/nydus/releases/download/$NYDUS_VERSION/nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz
 RUN mkdir -p /out/nydus-static && tar xzvf nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz -C /out
 
 FROM gobuild-base AS gotestsum
diff --git a/client/policy_test.go b/client/policy_test.go
@@ -299,7 +299,8 @@ func testSourcePolicyParallelSession(t *testing.T, sb integration.Sandbox) {
 
 func testSourcePolicySignedCommit(t *testing.T, sb integration.Sandbox) {
 	requiresLinux(t)
-	c, err := New(sb.Context(), sb.Address())
+	ctx := sb.Context()
+	c, err := New(ctx, sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
@@ -532,4 +533,101 @@ func testSourcePolicySignedCommit(t *testing.T, sb integration.Sandbox) {
 			require.ErrorContains(t, err, tt.expectedErr, "test case %q failed", tt.name)
 		})
 	}
+
+	// session policy based test cases
+
+	type tcase struct {
+		name          string
+		state         func() llb.State
+		callbacks     []policysession.PolicyCallback
+		expectedError string
+	}
+
+	tcases := []tcase{
+		{
+			name:  "gitchecksum",
+			state: func() llb.State { return llb.Git(server.URL+"/.git", "", llb.GitRef("v2.0")) },
+			callbacks: []policysession.PolicyCallback{
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.Nil(t, req.Source.Git)
+					return nil, &pb.ResolveSourceMetaRequest{
+						Source:   req.Source.Source,
+						Platform: req.Platform,
+					}, nil
+				},
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.NotNil(t, req.Source.Git)
+					require.Len(t, req.Source.Git.Checksum, 40)
+					require.Len(t, req.Source.Git.CommitChecksum, 40)
+					require.NotEqual(t, req.Source.Git.Checksum, req.Source.Git.CommitChecksum)
+					require.Nil(t, req.Source.Git.CommitObject)
+					return &policysession.DecisionResponse{
+						Action: sourcepolicypb.PolicyAction_ALLOW,
+					}, nil, nil
+				},
+			},
+		},
+		{
+			name:  "gitobjects",
+			state: func() llb.State { return llb.Git(server.URL+"/.git", "", llb.GitRef("v2.0")) },
+			callbacks: []policysession.PolicyCallback{
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.Nil(t, req.Source.Git)
+					return nil, &pb.ResolveSourceMetaRequest{
+						Source:   req.Source.Source,
+						Platform: req.Platform,
+						Git: &pb.ResolveSourceGitRequest{
+							ReturnObject: true,
+						},
+					}, nil
+				},
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.NotNil(t, req.Source.Git)
+					require.Len(t, req.Source.Git.Checksum, 40)
+					require.Len(t, req.Source.Git.CommitChecksum, 40)
+					require.NotEqual(t, req.Source.Git.Checksum, req.Source.Git.CommitChecksum)
+					require.NotNil(t, req.Source.Git.CommitObject)
+					require.Greater(t, len(req.Source.Git.CommitObject), 50)
+					return &policysession.DecisionResponse{
+						Action: sourcepolicypb.PolicyAction_ALLOW,
+					}, nil, nil
+				},
+			},
+		},
+	}
+
+	for _, tc := range tcases {
+		t.Run(tc.name, func(t *testing.T) {
+			st := tc.state()
+			def, err := st.Marshal(ctx)
+			require.NoError(t, err)
+
+			callCounter := 0
+
+			p := policysession.NewPolicyProvider(func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+				if callCounter >= len(tc.callbacks) {
+					return nil, nil, errors.Errorf("too many calls to policy callback %d", callCounter)
+				}
+				cb := tc.callbacks[callCounter]
+				callCounter++
+				return cb(ctx, req)
+			})
+
+			_, err = c.Solve(ctx, def, SolveOpt{
+				SourcePolicyProvider: p,
+			}, nil)
+			if tc.expectedError != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedError)
+				return
+			}
+			require.NoError(t, err)
+
+			require.Equal(t, len(tc.callbacks), callCounter, "not all policy callbacks were called")
+		})
+	}
 }
diff --git a/docs/nydus.md b/docs/nydus.md
@@ -1,6 +1,6 @@
 ## Nydus image formats
 
-Nydus is an OCI/Docker-compatible accelerated image format provided by the Dragonfly [image-service](https://github.com/dragonflyoss/image-service) project, which offers the ability to pull image data on-demand, without waiting for the entire image pull to complete and then start the container. It has been put in production usage and shown vast improvements to significantly reduce the overhead costs on time, network, disk IO of pulling image or starting container.
+Nydus is an OCI/Docker-compatible accelerated image format provided by the Dragonfly [image-service](https://github.com/dragonflyoss/nydus) project, which offers the ability to pull image data on-demand, without waiting for the entire image pull to complete and then start the container. It has been put in production usage and shown vast improvements to significantly reduce the overhead costs on time, network, disk IO of pulling image or starting container.
 
 Nydus image can be flexibly configured as a FUSE-based user-space filesystem or in-kernel [EROFS](https://www.kernel.org/doc/html/latest/filesystems/erofs.html) (from Linux kernel v5.16) with nydus daemon in user-space, integrating with VM-based container runtime like [KataContainers](https://katacontainers.io/) is much easier.
 
@@ -16,7 +16,7 @@ go build -tags=nydus -o ./bin/buildkitd ./cmd/buildkitd
 
 ### Building Nydus with BuildKit
 
-Download `nydus-image` binary from [nydus release page](https://github.com/dragonflyoss/image-service/releases) (require v2.1.6 or higher), then put the `nydus-image` binary path into $PATH or specifying it on `NYDUS_BUILDER` environment variable for buildkitd:
+Download `nydus-image` binary from [nydus release page](https://github.com/dragonflyoss/nydus/releases) (require v2.1.6 or higher), then put the `nydus-image` binary path into $PATH or specifying it on `NYDUS_BUILDER` environment variable for buildkitd:
 
 ```
 env NYDUS_BUILDER=/path/to/nydus-image buildkitd ...
@@ -33,7 +33,7 @@ buildctl build ... \
 
 ### Known limitations
 
-- The export of Nydus image and runtime (e.g. [docker](https://github.com/dragonflyoss/image-service/tree/master/contrib/docker-nydus-graphdriver), [containerd](https://github.com/containerd/nydus-snapshotter), etc.) is currently only supported on linux platform.
+- The export of Nydus image and runtime (e.g. [docker](https://github.com/nydusaccelerator/docker-nydus-graphdriver), [containerd](https://github.com/containerd/nydus-snapshotter), etc.) is currently only supported on linux platform.
 - Nydus image layers cannot be mixed with other compression types in the same image, so the `force-compression=true` option must be enabled when exporting both Nydus and other compression types.
 - Specifying a Nydus image as a base image in a Dockerfile is supported, but it does not currently support lazy pulling.
 - Since exported Nydus image will always have one more metadata layer than images in other compression types, Nydus image cannot be exported/imported as cache.
@@ -42,6 +42,6 @@ buildctl build ... \
 
 Pre-converted nydus images are available at [`ghcr.io/dragonflyoss/image-service` repository](https://github.com/orgs/dragonflyoss/packages?ecosystem=container) (mainly for testing purpose).
 
-[`Nydusify`](https://github.com/dragonflyoss/image-service/blob/master/docs/nydusify.md) The Nydusify CLI tool pulls & converts an OCIv1 image into a nydus image, and pushes nydus image to registry.
+[`Nydusify`](https://github.com/dragonflyoss/nydus/blob/master/docs/nydusify.md) The Nydusify CLI tool pulls & converts an OCIv1 image into a nydus image, and pushes nydus image to registry.
 
-[`Harbor Acceld`](https://github.com/goharbor/acceleration-service) Harbor acceld provides a general service to convert OCIv1 image to acceleration image like [Nydus](https://github.com/dragonflyoss/image-service) and [eStargz](https://github.com/containerd/stargz-snapshotter) etc.
+[`Harbor Acceld`](https://github.com/goharbor/acceleration-service) Harbor acceld provides a general service to convert OCIv1 image to acceleration image like [Nydus](https://github.com/dragonflyoss/nydus) and [eStargz](https://github.com/containerd/stargz-snapshotter) etc.
diff --git a/frontend/gateway/gateway.go b/frontend/gateway/gateway.go
@@ -653,43 +653,7 @@ func (lbf *llbBridgeForwarder) ResolveSourceMeta(ctx context.Context, req *pb.Re
 	if err != nil {
 		return nil, err
 	}
-
-	r := &pb.ResolveSourceMetaResponse{
-		Source: resp.Op,
-	}
-
-	if resp.Image != nil {
-		r.Image = &pb.ResolveSourceImageResponse{
-			Digest: string(resp.Image.Digest),
-			Config: resp.Image.Config,
-		}
-		if resp.Image.AttestationChain != nil {
-			r.Image.AttestationChain = toPBAttestationChain(resp.Image.AttestationChain)
-		}
-	}
-	if resp.Git != nil {
-		r.Git = &pb.ResolveSourceGitResponse{
-			Checksum:       resp.Git.Checksum,
-			Ref:            resp.Git.Ref,
-			CommitChecksum: resp.Git.CommitChecksum,
-			CommitObject:   resp.Git.CommitObject,
-			TagObject:      resp.Git.TagObject,
-		}
-	}
-	if resp.HTTP != nil {
-		var lastModified *timestamp.Timestamp
-		if resp.HTTP.LastModified != nil {
-			lastModified = &timestamp.Timestamp{
-				Seconds: resp.HTTP.LastModified.Unix(),
-			}
-		}
-		r.HTTP = &pb.ResolveSourceHTTPResponse{
-			Checksum:     resp.HTTP.Digest.String(),
-			Filename:     resp.HTTP.Filename,
-			LastModified: lastModified,
-		}
-	}
-	return r, nil
+	return ToPBResolveSourceMetaResponse(resp), nil
 }
 
 func (lbf *llbBridgeForwarder) ResolveImageConfig(ctx context.Context, req *pb.ResolveImageConfigRequest) (*pb.ResolveImageConfigResponse, error) {
@@ -1705,6 +1669,45 @@ func getCaps(label string) map[string]struct{} {
 	return out
 }
 
+func ToPBResolveSourceMetaResponse(in *sourceresolver.MetaResponse) *pb.ResolveSourceMetaResponse {
+	r := &pb.ResolveSourceMetaResponse{
+		Source: in.Op,
+	}
+
+	if in.Image != nil {
+		r.Image = &pb.ResolveSourceImageResponse{
+			Digest: string(in.Image.Digest),
+			Config: in.Image.Config,
+		}
+		if in.Image.AttestationChain != nil {
+			r.Image.AttestationChain = toPBAttestationChain(in.Image.AttestationChain)
+		}
+	}
+	if in.Git != nil {
+		r.Git = &pb.ResolveSourceGitResponse{
+			Checksum:       in.Git.Checksum,
+			Ref:            in.Git.Ref,
+			CommitChecksum: in.Git.CommitChecksum,
+			CommitObject:   in.Git.CommitObject,
+			TagObject:      in.Git.TagObject,
+		}
+	}
+	if in.HTTP != nil {
+		var lastModified *timestamp.Timestamp
+		if in.HTTP.LastModified != nil {
+			lastModified = &timestamp.Timestamp{
+				Seconds: in.HTTP.LastModified.Unix(),
+			}
+		}
+		r.HTTP = &pb.ResolveSourceHTTPResponse{
+			Checksum:     in.HTTP.Digest.String(),
+			Filename:     in.HTTP.Filename,
+			LastModified: lastModified,
+		}
+	}
+	return r
+}
+
 func toPBAttestationChain(ac *sourceresolver.AttestationChain) *pb.AttestationChain {
 	if ac == nil {
 		return nil
diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/containerd/stargz-snapshotter v0.17.0
 	github.com/containerd/stargz-snapshotter/estargz v0.17.0
 	github.com/containerd/typeurl/v2 v2.2.3
-	github.com/containernetworking/plugins v1.8.0
+	github.com/containernetworking/plugins v1.9.0
 	github.com/coreos/go-systemd/v22 v22.6.0
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli v28.5.0+incompatible
diff --git a/go.sum b/go.sum
@@ -136,8 +136,8 @@ github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEmnuFjskwo=
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
-github.com/containernetworking/plugins v1.8.0 h1:WjGbV/0UQyo8A4qBsAh6GaDAtu1hevxVxsEuqtBqUFk=
-github.com/containernetworking/plugins v1.8.0/go.mod h1:JG3BxoJifxxHBhG3hFyxyhid7JgRVBu/wtooGEvWf1c=
+github.com/containernetworking/plugins v1.9.0 h1:Mg3SXBdRGkdXyFC4lcwr6u2ZB2SDeL6LC3U+QrEANuQ=
+github.com/containernetworking/plugins v1.9.0/go.mod h1:JG3BxoJifxxHBhG3hFyxyhid7JgRVBu/wtooGEvWf1c=
 github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
 github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU=
 github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
diff --git a/solver/llbsolver/policy.go b/solver/llbsolver/policy.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/moby/buildkit/client/llb/sourceresolver"
+	"github.com/moby/buildkit/frontend/gateway"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/sourcepolicy"
@@ -88,19 +89,26 @@ func (p *policyEvaluator) Evaluate(ctx context.Context, op *pb.Op) (bool, error)
 					Platform: toOCIPlatform(metareq.Platform),
 				}
 			}
+
+			if metareq.Image != nil {
+				if op.ImageOpt == nil {
+					op.ImageOpt = &sourceresolver.ResolveImageOpt{}
+				}
+				op.ImageOpt.NoConfig = metareq.Image.NoConfig
+				op.ImageOpt.AttestationChain = metareq.Image.AttestationChain
+			}
+
+			if metareq.Git != nil {
+				op.GitOpt = &sourceresolver.ResolveGitOpt{
+					ReturnObject: metareq.Git.ReturnObject,
+				}
+			}
+
 			resp, err := p.resolveSourceMetadata(ctx, metareq.Source, op, false)
 			if err != nil {
 				return false, errors.Wrap(err, "error resolving source metadata from policy request")
 			}
-			req.Source = &gatewaypb.ResolveSourceMetaResponse{
-				Source: resp.Op,
-			}
-			if resp.Image != nil {
-				req.Source.Image = &gatewaypb.ResolveSourceImageResponse{
-					Digest: resp.Image.Digest.String(),
-					Config: resp.Image.Config,
-				}
-			}
+			req.Source = gateway.ToPBResolveSourceMetaResponse(resp)
 			continue
 		}
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -502,7 +502,7 @@ github.com/containernetworking/cni/pkg/types/create
 github.com/containernetworking/cni/pkg/types/internal
 github.com/containernetworking/cni/pkg/utils
 github.com/containernetworking/cni/pkg/version
-# github.com/containernetworking/plugins v1.8.0
+# github.com/containernetworking/plugins v1.9.0
 ## explicit; go 1.24.2
 github.com/containernetworking/plugins/pkg/ns
 # github.com/coreos/go-systemd/v22 v22.6.0
