container: Add application layer to the correct end of the layer stack #51
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
euanh
force-pushed
the
application-layer-ordering
branch
7 times, most recently
from
5a22a6b to
5e1c2ab
Compare
euanh
added
kind/bug
euanh
force-pushed
the
application-layer-ordering
branch
3 times, most recently
from
18b60a4 to
326e007
Compare
euanh
force-pushed
the
application-layer-ordering
branch
from
326e007 to
bd0e66f
Compare
euanh
changed the title
`containertool` currently prepends the app layer to the layer stack, but it should append it. This means that a later layer will not override a file with the same path in an earlier layer. This commit adds an integration tests which stacks two layers on top of each other using containertool and verifies that the second layer overrides the first.
containertool currently adds the app layer to the beginning of the
layer stack array in the manifest. This results in the app layer
being the first to be unpacked, with the others stacked on top. We
can show this by adding a plain text file as the executable. If we
stack another layer on top with a file of the same name, it should
replace the underlying one but it does not:
echo first > bar
swift run containertool --repository localhost:5555/bar bar
podman run --pull=always -it --rm --entrypoint=cat localhost:5555/bar:latest bar
# prints: first
echo second > bar
swift run containertool --repository localhost:5555/bar bar --from localhost:5555/bar:latest
podman run --pull=always -it --rm --entrypoint=cat localhost:5555/bar:latest bar
# prints: first
# should print: second
Currently containertool is only used to add the application binary
to the application layer. This bug will only cause a problem if the
base layer adds a binary at the same path, because this will override
the application.
This bug probably arose because the specification for the rootfs.diff_ids
field of the image configuration defines the layers as being "in
order from first to last", which could be read ambiguously:
https://github.com/opencontainers/image-spec/blob/main/config.md?plain=1#L220-L222
The specification for the manifest.layers field is much more explicit
about the ordering:
https://github.com/opencontainers/image-spec/blob/fbb4662eb53b80bd38f7597406cf1211317768f0/manifest.md?plain=1#L70-L71
This with this change, the second build and container run in the
example above prints "second" as expected.
euanh
force-pushed
the
application-layer-ordering
branch
from
bd0e66f to
322dd0b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
containertool currently adds the app layer to the beginning of the
layer stack array in the manifest. This results in the app layer
being the first to be unpacked, with the others stacked on top. We
can show this by adding a plain text file as the executable. If we
stack another layer on top with a file of the same name, it should
replace the underlying one but it does not:
Currently containertool is only used to add the application binary
to the application layer. This bug will only cause a problem if the
base layer adds a binary at the same path, because this will override
the application.
This bug probably arose because the specification for the rootfs.diff_ids
field of the image configuration defines the layers as being "in
order from first to last", which could be read ambiguously:
https://github.com/opencontainers/image-spec/blob/main/config.md?plain=1#L220-L222
The specification for the manifest.layers field is much more explicit
about the ordering:
https://github.com/opencontainers/image-spec/blob/fbb4662eb53b80bd38f7597406cf1211317768f0/manifest.md?plain=1#L70-L71
Modifications
Append the application layer to layer stacks in the manifest and configuration blobs, instead of prepending.
Result
This with this change, the second build and container run in the
example above prints "second" as expected.
Test Plan
This PR adds a new integration test which uses
containertoolto build two layers and check that they override each other correctly.All existing tests continue to pass.
Fixes #57