[Alternative to 148] go.mod: github.com/containerd/containerd/v2 v2.0.0-rc.0

Makefile

@@ -34,10 +34,10 @@ build: $(BINARIES)
 FORCE:
 
 bin/ctd-decoder: cmd/ctd-decoder FORCE
-	go build -o $@ -v ./cmd/ctd-decoder/
+	cd cmd && go build -o ../$@ -v ./ctd-decoder/
 
 bin/ctr-enc: cmd/ctr FORCE
-	go build -o $@ ${CTR_LDFLAGS} -v ./cmd/ctr/
+	cd cmd && go build -o ../$@ ${CTR_LDFLAGS} -v ./ctr/
 
 check:
 	@echo "$@"

cmd/ctr/app/main.go

@@ -29,14 +29,14 @@ import (
 	"github.com/containerd/containerd/cmd/ctr/commands/plugins"
 	"github.com/containerd/containerd/cmd/ctr/commands/pprof"
 	"github.com/containerd/containerd/cmd/ctr/commands/snapshots"
-	"github.com/containerd/containerd/cmd/ctr/commands/tasks"
 	versionCmd "github.com/containerd/containerd/cmd/ctr/commands/version"
 	"github.com/containerd/containerd/defaults"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/version"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/containers"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/images"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/run"
+	"github.com/containerd/imgcrypt/cmd/ctr/commands/tasks"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 	"google.golang.org/grpc/grpclog"

cmd/ctr/commands/containers/containers.go

@@ -31,7 +31,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/flags"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/run"
-	"github.com/containerd/typeurl"
+	"github.com/containerd/typeurl/v2"
 	"github.com/urfave/cli"
 )
 
@@ -281,7 +281,7 @@ var infoCommand = cli.Command{
 			return nil
 		}
 
-		if info.Spec != nil && info.Spec.Value != nil {
+		if info.Spec != nil && info.Spec.GetValue() != nil {
 			v, err := typeurl.UnmarshalAny(info.Spec)
 			if err != nil {
 				return err

cmd/ctr/commands/images/crypt_utils.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/img"
+	"github.com/containerd/imgcrypt/cmd/ctr/v1v2glue"
 	imgenc "github.com/containerd/imgcrypt/images/encryption"
 	"github.com/containerd/imgcrypt/images/encryption/parsehelpers"
 	encconfig "github.com/containers/ocicrypt/config"
@@ -126,10 +127,12 @@ func cryptImage(client *containerd.Client, ctx gocontext.Context, name, newName
 	}
 	defer done(ctx)
 
+	contentStore := &v1v2glue.ContentStore{Store: client.ContentStore()}
+
 	if encrypt {
-		newSpec, modified, err = imgenc.EncryptImage(ctx, client.ContentStore(), image.Target, cc, lf)
+		newSpec, modified, err = imgenc.EncryptImage(ctx, contentStore, image.Target, cc, lf)
 	} else {
-		newSpec, modified, err = imgenc.DecryptImage(ctx, client.ContentStore(), image.Target, cc, lf)
+		newSpec, modified, err = imgenc.DecryptImage(ctx, contentStore, image.Target, cc, lf)
 	}
 	if err != nil {
 		return image, err

cmd/ctr/commands/images/import.go

@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/imgcrypt"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/flags"
+	"github.com/containerd/imgcrypt/cmd/ctr/v2v1glue"
 	"github.com/containerd/imgcrypt/images/encryption"
 	"github.com/containerd/imgcrypt/images/encryption/parsehelpers"
 	"github.com/urfave/cli"
@@ -173,7 +174,7 @@ decrypting the image later on.
 			ltdd := imgcrypt.Payload{
 				DecryptConfig: *cc.DecryptConfig,
 			}
-			opts := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
+			opts := v2v1glue.UnpackOpts(encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd)))
 			log.G(ctx).Debugf("unpacking %d images", len(imgs))
 
 			for _, img := range imgs {
@@ -184,7 +185,7 @@ decrypting the image later on.
 
 				// TODO: Show unpack status
 				fmt.Printf("unpacking %s (%s)...", img.Name, img.Target.Digest)
-				err = image.Unpack(ctx, context.String("snapshotter"), opts)
+				err = image.Unpack(ctx, context.String("snapshotter"), opts...)
 				if err != nil {
 					return err
 				}

cmd/ctr/commands/images/pull.go

@@ -28,6 +28,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/imgcrypt"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/flags"
+	"github.com/containerd/imgcrypt/cmd/ctr/v2v1glue"
 	"github.com/containerd/imgcrypt/images/encryption"
 	"github.com/containerd/imgcrypt/images/encryption/parsehelpers"
 
@@ -133,13 +134,13 @@ command. As part of this process, we do the following:
 		ltdd := imgcrypt.Payload{
 			DecryptConfig: *cc.DecryptConfig,
 		}
-		opts := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
+		opts := v2v1glue.UnpackOpts(encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd)))
 
 		start := time.Now()
 		for _, platform := range p {
 			fmt.Printf("unpacking %s %s...\n", platforms.Format(platform), img.Target.Digest)
 			i := containerd.NewImageWithPlatform(client, img, platforms.Only(platform))
-			err = i.Unpack(ctx, context.String("snapshotter"), opts)
+			err = i.Unpack(ctx, context.String("snapshotter"), opts...)
 			if err != nil {
 				return err
 			}

cmd/ctr/commands/img/utils.go

@@ -73,7 +73,7 @@ func GetImageLayerDescriptors(ctx context.Context, cs content.Store, desc ocispe
 
 			lis = append(lis, tmp...)
 		}
-	case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
+	case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig, "application/vnd.in-toto+json":
 	default:
 		return nil, fmt.Errorf("unhandled media type %s: %w", desc.MediaType, errdefs.ErrInvalidArgument)
 	}

cmd/ctr/commands/run/run.go

@@ -28,13 +28,13 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/cmd/ctr/commands"
-	"github.com/containerd/containerd/cmd/ctr/commands/tasks"
 	"github.com/containerd/containerd/containers"
 	clabels "github.com/containerd/containerd/labels"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	gocni "github.com/containerd/go-cni"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/flags"
+	"github.com/containerd/imgcrypt/cmd/ctr/commands/tasks"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"

cmd/ctr/commands/run/run_unix.go

@@ -20,6 +20,7 @@
 package run
 
 import (
+	"context"
 	gocontext "context"
 	"errors"
 	"fmt"
@@ -38,11 +39,15 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/runtime/v2/runc/options"
 	"github.com/containerd/containerd/snapshots"
+	"github.com/containerd/errdefs"
 	"github.com/containerd/imgcrypt"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands"
 	"github.com/containerd/imgcrypt/cmd/ctr/commands/images"
+	"github.com/containerd/imgcrypt/cmd/ctr/v1v2glue"
+	"github.com/containerd/imgcrypt/cmd/ctr/v2v1glue"
 	"github.com/containerd/imgcrypt/images/encryption"
 	"github.com/containerd/imgcrypt/images/encryption/parsehelpers"
+	encconfig "github.com/containers/ocicrypt/config"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
@@ -157,8 +162,8 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 				ltdd := imgcrypt.Payload{
 					DecryptConfig: *cc.DecryptConfig,
 				}
-				opts := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd))
-				if err := image.Unpack(ctx, snapshotter, opts); err != nil {
+				opts := v2v1glue.UnpackOpts(encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(&ltdd)))
+				if err := image.Unpack(ctx, snapshotter, opts...); err != nil {
 					return nil, err
 				}
 			}
@@ -369,14 +374,28 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 	}
 
 	if !context.IsSet("skip-decrypt-auth") {
-		cOpts = append(cOpts, encryption.WithAuthorizationCheck(cc.DecryptConfig))
+		cOpts = append(cOpts, withAuthorizationCheck(cc.DecryptConfig))
 	}
 
 	// oci.WithImageConfig (WithUsername, WithUserID) depends on access to rootfs for resolving via
 	// the /etc/{passwd,group} files. So cOpts needs to have precedence over opts.
 	return client.NewContainer(ctx, id, cOpts...)
 }
 
+func withAuthorizationCheck(dc *encconfig.DecryptConfig) containerd.NewContainerOpts {
+	return func(ctx context.Context, client *containerd.Client, c *containers.Container) error {
+		image, err := client.ImageService().Get(ctx, c.Image)
+		if errdefs.IsNotFound(err) {
+			// allow creation of container without a existing image
+			return nil
+		} else if err != nil {
+			return err
+		}
+
+		return encryption.CheckAuthorization(ctx, &v1v2glue.ContentStore{Store: client.ContentStore()}, image.Target, dc)
+	}
+}
+
 func getRuncOptions(context *cli.Context) (*options.Options, error) {
 	runtimeOpts := &options.Options{}
 	if runcBinary := context.String("runc-binary"); runcBinary != "" {

vendor/github.com/containerd/containerd/cmd/ctr/commands/tasks/attach.go → cmd/ctr/commands/tasks/attach.go

@@ -26,7 +26,7 @@ import (
 
 var attachCommand = cli.Command{
 	Name:      "attach",
-	Usage:     "attach to the IO of a running container",
+	Usage:     "Attach to the IO of a running container",
 	ArgsUsage: "CONTAINER",
 	Action: func(context *cli.Context) error {
 		client, ctx, cancel, err := commands.NewClient(context)

vendor/github.com/containerd/containerd/cmd/ctr/commands/tasks/checkpoint.go → cmd/ctr/commands/tasks/checkpoint.go

@@ -30,20 +30,20 @@ import (
 
 var checkpointCommand = cli.Command{
 	Name:      "checkpoint",
-	Usage:     "checkpoint a container",
+	Usage:     "Checkpoint a container",
 	ArgsUsage: "[flags] CONTAINER",
 	Flags: []cli.Flag{
 		cli.BoolFlag{
 			Name:  "exit",
-			Usage: "stop the container after the checkpoint",
+			Usage: "Stop the container after the checkpoint",
 		},
 		cli.StringFlag{
 			Name:  "image-path",
-			Usage: "path to criu image files",
+			Usage: "Path to criu image files",
 		},
 		cli.StringFlag{
 			Name:  "work-path",
-			Usage: "path to criu work files and logs",
+			Usage: "Path to criu work files and logs",
 		},
 	},
 	Action: func(context *cli.Context) error {

vendor/github.com/containerd/containerd/cmd/ctr/commands/tasks/delete.go → cmd/ctr/commands/tasks/delete.go

@@ -28,17 +28,17 @@ import (
 
 var deleteCommand = cli.Command{
 	Name:      "delete",
-	Usage:     "delete one or more tasks",
+	Usage:     "Delete one or more tasks",
 	ArgsUsage: "CONTAINER [CONTAINER, ...]",
 	Aliases:   []string{"del", "remove", "rm"},
 	Flags: []cli.Flag{
 		cli.BoolFlag{
 			Name:  "force, f",
-			Usage: "force delete task process",
+			Usage: "Force delete task process",
 		},
 		cli.StringFlag{
 			Name:  "exec-id",
-			Usage: "process ID to kill",
+			Usage: "Process ID to kill",
 		},
 	},
 	Action: func(context *cli.Context) error {

vendor/github.com/containerd/containerd/cmd/ctr/commands/tasks/exec.go → cmd/ctr/commands/tasks/exec.go

@@ -33,38 +33,38 @@ import (
 
 var execCommand = cli.Command{
 	Name:           "exec",
-	Usage:          "execute additional processes in an existing container",
+	Usage:          "Execute additional processes in an existing container",
 	ArgsUsage:      "[flags] CONTAINER CMD [ARG...]",
 	SkipArgReorder: true,
 	Flags: []cli.Flag{
 		cli.StringFlag{
 			Name:  "cwd",
-			Usage: "working directory of the new process",
+			Usage: "Working directory of the new process",
 		},
 		cli.BoolFlag{
 			Name:  "tty,t",
-			Usage: "allocate a TTY for the container",
+			Usage: "Allocate a TTY for the container",
 		},
 		cli.BoolFlag{
 			Name:  "detach,d",
-			Usage: "detach from the task after it has started execution",
+			Usage: "Detach from the task after it has started execution",
 		},
 		cli.StringFlag{
 			Name:     "exec-id",
 			Required: true,
-			Usage:    "exec specific id for the process",
+			Usage:    "Exec specific id for the process",
 		},
 		cli.StringFlag{
 			Name:  "fifo-dir",
-			Usage: "directory used for storing IO FIFOs",
+			Usage: "Directory used for storing IO FIFOs",
 		},
 		cli.StringFlag{
 			Name:  "log-uri",
-			Usage: "log uri for custom shim logging",
+			Usage: "Log uri for custom shim logging",
 		},
 		cli.StringFlag{
 			Name:  "user",
-			Usage: "user id or name",
+			Usage: "User id or name",
 		},
 	},
 	Action: func(context *cli.Context) error {

vendor/github.com/containerd/containerd/cmd/ctr/commands/tasks/kill.go → cmd/ctr/commands/tasks/kill.go

@@ -17,33 +17,67 @@
 package tasks
 
 import (
+	"context"
 	"errors"
+	"fmt"
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cmd/ctr/commands"
+	gocni "github.com/containerd/go-cni"
+	"github.com/containerd/typeurl/v2"
 	"github.com/moby/sys/signal"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
 
 const defaultSignal = "SIGTERM"
 
+func RemoveCniNetworkIfExist(ctx context.Context, container containerd.Container) error {
+	exts, err := container.Extensions(ctx)
+	if err != nil {
+		return err
+	}
+	networkMeta, ok := exts[commands.CtrCniMetadataExtension]
+	if !ok {
+		return nil
+	}
+
+	data, err := typeurl.UnmarshalAny(networkMeta)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal cni metadata extension  %s", commands.CtrCniMetadataExtension)
+	}
+	networkMetaData := data.(*commands.NetworkMetaData)
+
+	var network gocni.CNI
+	if networkMetaData.EnableCni {
+		if network, err = gocni.New(gocni.WithDefaultConf); err != nil {
+			return err
+		}
+		if err := network.Remove(ctx, commands.FullID(ctx, container), ""); err != nil {
+			logrus.WithError(err).Error("network remove error")
+			return err
+		}
+	}
+	return nil
+}
+
 var killCommand = cli.Command{
 	Name:      "kill",
-	Usage:     "signal a container (default: SIGTERM)",
+	Usage:     "Signal a container (default: SIGTERM)",
 	ArgsUsage: "[flags] CONTAINER",
 	Flags: []cli.Flag{
 		cli.StringFlag{
 			Name:  "signal, s",
 			Value: "",
-			Usage: "signal to send to the container",
+			Usage: "Signal to send to the container",
 		},
 		cli.StringFlag{
 			Name:  "exec-id",
-			Usage: "process ID to kill",
+			Usage: "Process ID to kill",
 		},
 		cli.BoolFlag{
 			Name:  "all, a",
-			Usage: "send signal to all processes inside the container",
+			Usage: "Send signal to all processes inside the container",
 		},
 	},
 	Action: func(context *cli.Context) error {
@@ -93,6 +127,10 @@ var killCommand = cli.Command{
 		if err != nil {
 			return err
 		}
+		err = RemoveCniNetworkIfExist(ctx, container)
+		if err != nil {
+			return err
+		}
 		return task.Kill(ctx, sig, opts...)
 	},
 }