Merge pull request from GHSA-xw73-rw38-6vjc

thaJeztah · web-flow · commit fca702de7f71 · 2024-02-01T01:12:23.000+01:00
[24.0 backport] image/cache: Restrict cache candidates to locally built images
diff --git a/builder/builder.go b/builder/builder.go
@@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 const (
@@ -89,7 +90,7 @@ type ImageCacheBuilder interface {
 type ImageCache interface {
 	// GetCache returns a reference to a cached image whose parent equals `parent`
 	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
-	GetCache(parentID string, cfg *container.Config) (imageID string, err error)
+	GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)
 }
 
 // Image represents a Docker image used by the builder.
diff --git a/builder/dockerfile/copy.go b/builder/dockerfile/copy.go
@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"runtime"
 	"sort"
 	"strings"
 	"time"
@@ -74,7 +73,7 @@ type copier struct {
 	source      builder.Source
 	pathCache   pathCache
 	download    sourceDownloader
-	platform    *ocispec.Platform
+	platform    ocispec.Platform
 	// for cleanup. TODO: having copier.cleanup() is error prone and hard to
 	// follow. Code calling performCopy should manage the lifecycle of its params.
 	// Copier should take override source as input, not imageMount.
@@ -83,19 +82,7 @@ type copier struct {
 }
 
 func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
-	platform := req.builder.platform
-	if platform == nil {
-		// May be nil if not explicitly set in API/dockerfile
-		platform = &ocispec.Platform{}
-	}
-	if platform.OS == "" {
-		// Default to the dispatch requests operating system if not explicit in API/dockerfile
-		platform.OS = req.state.operatingSystem
-	}
-	if platform.OS == "" {
-		// This is a failsafe just in case. Shouldn't be hit.
-		platform.OS = runtime.GOOS
-	}
+	platform := req.builder.getPlatform(req.state)
 
 	return copier{
 		source:      req.source,
diff --git a/builder/dockerfile/dispatchers.go b/builder/dockerfile/dispatchers.go
@@ -349,9 +349,16 @@ func dispatchRun(ctx context.Context, d dispatchRequest, c *instructions.RunComm
 		saveCmd = prependEnvOnCmd(d.state.buildArgs, buildArgs, cmdFromArgs)
 	}
 
+	cacheArgsEscaped := argsEscaped
+	// ArgsEscaped is not persisted in the committed image on Windows.
+	// Use the original from previous build steps for cache probing.
+	if d.state.operatingSystem == "windows" {
+		cacheArgsEscaped = stateRunConfig.ArgsEscaped
+	}
+
 	runConfigForCacheProbe := copyRunConfig(stateRunConfig,
 		withCmd(saveCmd),
-		withArgsEscaped(argsEscaped),
+		withArgsEscaped(cacheArgsEscaped),
 		withEntrypointOverride(saveCmd, nil))
 	if hit, err := d.builder.probeCache(d.state, runConfigForCacheProbe); err != nil || hit {
 		return err
diff --git a/builder/dockerfile/imageprobe.go b/builder/dockerfile/imageprobe.go
@@ -5,14 +5,15 @@ import (
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/builder"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
 
 // ImageProber exposes an Image cache to the Builder. It supports resetting a
 // cache.
 type ImageProber interface {
 	Reset(ctx context.Context) error
-	Probe(parentID string, runConfig *container.Config) (string, error)
+	Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)
 }
 
 type resetFunc func(context.Context) (builder.ImageCache, error)
@@ -51,11 +52,11 @@ func (c *imageProber) Reset(ctx context.Context) error {
 
 // Probe checks if cache match can be found for current build instruction.
 // It returns the cachedID if there is a hit, and the empty string on miss
-func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
+func (c *imageProber) Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error) {
 	if c.cacheBusted {
 		return "", nil
 	}
-	cacheID, err := c.cache.GetCache(parentID, runConfig)
+	cacheID, err := c.cache.GetCache(parentID, runConfig, platform)
 	if err != nil {
 		return "", err
 	}
@@ -74,6 +75,6 @@ func (c *nopProber) Reset(ctx context.Context) error {
 	return nil
 }
 
-func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
+func (c *nopProber) Probe(_ string, _ *container.Config, _ ocispec.Platform) (string, error) {
 	return "", nil
 }
diff --git a/builder/dockerfile/internals.go b/builder/dockerfile/internals.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/containerd/containerd/platforms"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
@@ -328,7 +329,7 @@ func getShell(c *container.Config, os string) []string {
 }
 
 func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
-	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
+	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig, b.getPlatform(dispatchState))
 	if cachedID == "" || err != nil {
 		return false, err
 	}
@@ -388,3 +389,17 @@ func hostConfigFromOptions(options *types.ImageBuildOptions) *container.HostConf
 	}
 	return hc
 }
+
+func (b *Builder) getPlatform(state *dispatchState) ocispec.Platform {
+	// May be nil if not explicitly set in API/dockerfile
+	out := platforms.DefaultSpec()
+	if b.platform != nil {
+		out = *b.platform
+	}
+
+	if state.operatingSystem != "" {
+		out.OS = state.operatingSystem
+	}
+
+	return out
+}
diff --git a/builder/dockerfile/mockbackend_test.go b/builder/dockerfile/mockbackend_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // MockBackend implements the builder.Backend interface for unit testing
@@ -111,7 +112,7 @@ type mockImageCache struct {
 	getCacheFunc func(parentID string, cfg *container.Config) (string, error)
 }
 
-func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
+func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config, _ ocispec.Platform) (string, error) {
 	if mic.getCacheFunc != nil {
 		return mic.getCacheFunc(parentID, cfg)
 	}
diff --git a/daemon/containerd/cache.go b/daemon/containerd/cache.go
@@ -8,7 +8,9 @@ import (
 	"github.com/docker/docker/api/types/container"
 	imagetype "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/builder"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // MakeImageCache creates a stateful image cache.
@@ -29,16 +31,19 @@ type imageCache struct {
 	c      *ImageService
 }
 
-func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID string, err error) {
+func (ic *imageCache) GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error) {
 	ctx := context.TODO()
 
 	if parentID == "" {
 		// TODO handle "parentless" image cache lookups ("FROM scratch")
 		return "", nil
 	}
 
-	parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{})
+	parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{Platform: &platform})
 	if err != nil {
+		if errdefs.IsNotFound(err) {
+			return "", nil
+		}
 		return "", err
 	}
 
@@ -54,8 +59,11 @@ func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID
 	}
 
 	for _, children := range children {
-		childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{})
+		childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{Platform: &platform})
 		if err != nil {
+			if errdefs.IsNotFound(err) {
+				continue
+			}
 			return "", err
 		}
 
diff --git a/daemon/images/image_builder.go b/daemon/images/image_builder.go
@@ -257,6 +257,9 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 			return nil, errors.Wrapf(err, "failed to set parent %s", parent)
 		}
 	}
+	if err := i.imageStore.SetBuiltLocally(id); err != nil {
+		return nil, errors.Wrapf(err, "failed to mark image %s as built locally", id)
+	}
 
 	return i.imageStore.Get(id)
 }
diff --git a/daemon/images/image_commit.go b/daemon/images/image_commit.go
@@ -62,6 +62,9 @@ func (i *ImageService) CommitImage(ctx context.Context, c backend.CommitConfig)
 	if err != nil {
 		return "", err
 	}
+	if err := i.imageStore.SetBuiltLocally(id); err != nil {
+		return "", err
+	}
 
 	if c.ParentImageID != "" {
 		if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {
diff --git a/image/cache/cache.go b/image/cache/cache.go
@@ -6,11 +6,14 @@ import (
 	"reflect"
 	"strings"
 
+	"github.com/containerd/containerd/platforms"
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/dockerversion"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // NewLocal returns a local image cache, based on parent chain
@@ -26,8 +29,8 @@ type LocalImageCache struct {
 }
 
 // GetCache returns the image id found in the cache
-func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config) (string, error) {
-	return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config))
+func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config, platform ocispec.Platform) (string, error) {
+	return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config, platform))
 }
 
 // New returns an image cache, based on history objects
@@ -51,8 +54,8 @@ func (ic *ImageCache) Populate(image *image.Image) {
 }
 
 // GetCache returns the image id found in the cache
-func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config) (string, error) {
-	imgID, err := ic.localImageCache.GetCache(parentID, cfg)
+func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config, platform ocispec.Platform) (string, error) {
+	imgID, err := ic.localImageCache.GetCache(parentID, cfg, platform)
 	if err != nil {
 		return "", err
 	}
@@ -215,7 +218,23 @@ func getImageIDAndError(img *image.Image, err error) (string, error) {
 // of the image with imgID, that had the same config when it was
 // created. nil is returned if a child cannot be found. An error is
 // returned if the parent image cannot be found.
-func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config) (*image.Image, error) {
+func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config, platform ocispec.Platform) (*image.Image, error) {
+	if config == nil {
+		return nil, nil
+	}
+
+	isBuiltLocally := func(id image.ID) bool {
+		builtLocally, err := imageStore.IsBuiltLocally(id)
+		if err != nil {
+			logrus.WithFields(logrus.Fields{
+				"error": err,
+				"id":    id,
+			}).Warn("failed to check if image was built locally")
+			return false
+		}
+		return builtLocally
+	}
+
 	// Loop on the children of the given image and check the config
 	getMatch := func(siblings []image.ID) (*image.Image, error) {
 		var match *image.Image
@@ -225,6 +244,25 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
 				return nil, fmt.Errorf("unable to find image %q", id)
 			}
 
+			if !isBuiltLocally(id) {
+				continue
+			}
+
+			imgPlatform := ocispec.Platform{
+				Architecture: img.Architecture,
+				OS:           img.OS,
+				OSVersion:    img.OSVersion,
+				OSFeatures:   img.OSFeatures,
+				Variant:      img.Variant,
+			}
+			// Discard old linux/amd64 images with empty platform.
+			if imgPlatform.OS == "" && imgPlatform.Architecture == "" {
+				continue
+			}
+			if !platforms.OnlyStrict(platform).Match(imgPlatform) {
+				continue
+			}
+
 			if compare(&img.ContainerConfig, config) {
 				// check for the most up to date match
 				if match == nil || match.Created.Before(img.Created) {
@@ -238,11 +276,29 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
 	// In this case, this is `FROM scratch`, which isn't an actual image.
 	if imgID == "" {
 		images := imageStore.Map()
+
 		var siblings []image.ID
 		for id, img := range images {
-			if img.Parent == imgID {
-				siblings = append(siblings, id)
+			if img.Parent != "" {
+				continue
 			}
+
+			if !isBuiltLocally(id) {
+				continue
+			}
+
+			// Do a quick initial filter on the Cmd to avoid adding all
+			// non-local images with empty parent to the siblings slice and
+			// performing a full config compare.
+			//
+			// config.Cmd is set to the current Dockerfile instruction so we
+			// check it against the img.ContainerConfig.Cmd which is the
+			// command of the last layer.
+			if !strSliceEqual(img.ContainerConfig.Cmd, config.Cmd) {
+				continue
+			}
+
+			siblings = append(siblings, id)
 		}
 		return getMatch(siblings)
 	}
@@ -251,3 +307,15 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
 	siblings := imageStore.Children(imgID)
 	return getMatch(siblings)
 }
+
+func strSliceEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := 0; i < len(a); i++ {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/image/cache/compare.go b/image/cache/compare.go
diff --git a/image/store.go b/image/store.go

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ import (`
`15`	`15`	`"github.com/docker/docker/image"`
`16`	`16`	`"github.com/docker/docker/layer"`
`17`	`17`	`"github.com/opencontainers/go-digest"`
	`18`	`+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"`
`18`	`19`	`)`
`19`	`20`
`20`	`21`	`const (`
`@@ -89,7 +90,7 @@ type ImageCacheBuilder interface {`
`89`	`90`	`type ImageCache interface {`
`90`	`91`	// GetCache returns a reference to a cached image whose parent equals `parent`
`91`	`92`	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
`92`		`- GetCache(parentID string, cfg *container.Config) (imageID string, err error)`
	`93`	`+ GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)`
`93`	`94`	`}`
`94`	`95`
`95`	`96`	`// Image represents a Docker image used by the builder.`
Original file line number	Diff line number	Diff line change
`@@ -5,14 +5,15 @@ import (`
`5`	`5`
`6`	`6`	`"github.com/docker/docker/api/types/container"`
`7`	`7`	`"github.com/docker/docker/builder"`
	`8`	`+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"`
`8`	`9`	`"github.com/sirupsen/logrus"`
`9`	`10`	`)`
`10`	`11`
`11`	`12`	`// ImageProber exposes an Image cache to the Builder. It supports resetting a`
`12`	`13`	`// cache.`
`13`	`14`	`type ImageProber interface {`
`14`	`15`	`Reset(ctx context.Context) error`
`15`		`- Probe(parentID string, runConfig *container.Config) (string, error)`
	`16`	`+ Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`type resetFunc func(context.Context) (builder.ImageCache, error)`
`@@ -51,11 +52,11 @@ func (c *imageProber) Reset(ctx context.Context) error {`
`51`	`52`
`52`	`53`	`// Probe checks if cache match can be found for current build instruction.`
`53`	`54`	`// It returns the cachedID if there is a hit, and the empty string on miss`
`54`		`-func (c imageProber) Probe(parentID string, runConfig container.Config) (string, error) {`
	`55`	`+func (c imageProber) Probe(parentID string, runConfig container.Config, platform ocispec.Platform) (string, error) {`
`55`	`56`	`if c.cacheBusted {`
`56`	`57`	`return "", nil`
`57`	`58`	`}`
`58`		`- cacheID, err := c.cache.GetCache(parentID, runConfig)`
	`59`	`+ cacheID, err := c.cache.GetCache(parentID, runConfig, platform)`
`59`	`60`	`if err != nil {`
`60`	`61`	`return "", err`
`61`	`62`	`}`
`@@ -74,6 +75,6 @@ func (c *nopProber) Reset(ctx context.Context) error {`
`74`	`75`	`return nil`
`75`	`76`	`}`
`76`	`77`
`77`		`-func (c nopProber) Probe(_ string, _ container.Config) (string, error) {`
	`78`	`+func (c nopProber) Probe(_ string, _ container.Config, _ ocispec.Platform) (string, error) {`
`78`	`79`	`return "", nil`
`79`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`	`"github.com/docker/docker/image"`
`15`	`15`	`"github.com/docker/docker/layer"`
`16`	`16`	`"github.com/opencontainers/go-digest"`
	`17`	`+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"`
`17`	`18`	`)`
`18`	`19`
`19`	`20`	`// MockBackend implements the builder.Backend interface for unit testing`
`@@ -111,7 +112,7 @@ type mockImageCache struct {`
`111`	`112`	`getCacheFunc func(parentID string, cfg *container.Config) (string, error)`
`112`	`113`	`}`
`113`	`114`
`114`		`-func (mic mockImageCache) GetCache(parentID string, cfg container.Config) (string, error) {`
	`115`	`+func (mic mockImageCache) GetCache(parentID string, cfg container.Config, _ ocispec.Platform) (string, error) {`
`115`	`116`	`if mic.getCacheFunc != nil {`
`116`	`117`	`return mic.getCacheFunc(parentID, cfg)`
`117`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -257,6 +257,9 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st`
`257`	`257`	`return nil, errors.Wrapf(err, "failed to set parent %s", parent)`
`258`	`258`	`}`
`259`	`259`	`}`
	`260`	`+ if err := i.imageStore.SetBuiltLocally(id); err != nil {`
	`261`	`+ return nil, errors.Wrapf(err, "failed to mark image %s as built locally", id)`
	`262`	`+ }`
`260`	`263`
`261`	`264`	`return i.imageStore.Get(id)`
`262`	`265`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,9 @@ func (i *ImageService) CommitImage(ctx context.Context, c backend.CommitConfig)`
`62`	`62`	`if err != nil {`
`63`	`63`	`return "", err`
`64`	`64`	`}`
	`65`	`+ if err := i.imageStore.SetBuiltLocally(id); err != nil {`
	`66`	`+ return "", err`
	`67`	`+ }`
`65`	`68`
`66`	`69`	`if c.ParentImageID != "" {`
`67`	`70`	`if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {`