almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Fix a Podman regression regarding Buildkit images

Browse source 
Loading an image built with Buildkit in Podman 3.4 messes up its name.
The tag somehow becomes the name of the loaded image.

We know that older Podman versions are not generally affected, since
Podman v3.0.1 on Debian Bullseye works properly. Also, Podman v4.0 is
not affected, so it makes sense to target only Podman v3.4 for a fix.

The fix is simple, tag the image properly based on the expected tag from
`share/image-id.txt` and delete the incorrect tag.

Refs containers/podman#16490
This commit is contained in:
Alex Pyrgiotis 2025-02-26 17:50:18 +02:00
parent 51f432be6b
commit a1402d5b6b
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
3 changed files with 55 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
dangerzone/container_utils.py
View file

@ -95,18 +95,26 @@ def list_image_tags() -> List[str]:
) )
def add_image_tag(image_id: str, new_tag: str) -> None:
"""Add a tag to the Dangerzone image."""
log.debug(f"Adding tag '{new_tag}' to image '{image_id}'")
subprocess.check_output(
[get_runtime(), "tag", image_id, new_tag],
startupinfo=get_subprocess_startupinfo(),
)
def delete_image_tag(tag: str) -> None: def delete_image_tag(tag: str) -> None:
"""Delete a Dangerzone image tag.""" """Delete a Dangerzone image tag."""
name = CONTAINER_NAME + ":" + tag log.warning(f"Deleting old container image: {tag}")
log.warning(f"Deleting old container image: {name}")
try: try:
subprocess.check_output( subprocess.check_output(
[get_runtime(), "rmi", "--force", name], [get_runtime(), "rmi", "--force", tag],
startupinfo=get_subprocess_startupinfo(), startupinfo=get_subprocess_startupinfo(),
) )
except Exception as e: except Exception as e:
log.warning( log.warning(
f"Couldn't delete old container image '{name}', so leaving it there." f"Couldn't delete old container image '{tag}', so leaving it there."
f" Original error: {e}" f" Original error: {e}"
) )
@ -120,11 +128,9 @@ def get_expected_tag() -> str:
def load_image_tarball() -> None: def load_image_tarball() -> None:
log.info("Installing Dangerzone container image...") log.info("Installing Dangerzone container image...")
tarball_path = get_resource_path("container.tar") tarball_path = get_resource_path("container.tar")
with open(tarball_path) as f:
try: try:
subprocess.run( res = subprocess.run(
[get_runtime(), "load"], [get_runtime(), "load", "-i", tarball_path],
stdin=f,
startupinfo=get_subprocess_startupinfo(), startupinfo=get_subprocess_startupinfo(),
capture_output=True, capture_output=True,
check=True, check=True,
@ -138,4 +144,27 @@ def load_image_tarball() -> None:
f"Could not install container image: {error}" f"Could not install container image: {error}"
) )
# Loading an image built with Buildkit in Podman 3.4 messes up its name. The tag
# somehow becomes the name of the loaded image [1].
#
# We know that older Podman versions are not generally affected, since Podman v3.0.1
# on Debian Bullseye works properly. Also, Podman v4.0 is not affected, so it makes
# sense to target only Podman v3.4 for a fix.
#
# The fix is simple, tag the image properly based on the expected tag from
# `share/image-id.txt` and delete the incorrect tag.
#
# [1] https://github.com/containers/podman/issues/16490
if get_runtime_name() == "podman" and get_runtime_version() == (3, 4):
expected_tag = get_expected_tag()
bad_tag = f"localhost/{expected_tag}:latest"
good_tag = f"{CONTAINER_NAME}:{expected_tag}"
log.debug(
f"Dangerzone images loaded in Podman v3.4 usually have an invalid tag."
" Fixing it..."
)
add_image_tag(bad_tag, good_tag)
delete_image_tag(bad_tag)
log.info("Successfully installed container image") log.info("Successfully installed container image")

1
dangerzone/isolation_provider/container.py
View file

@ -97,6 +97,7 @@ class Container(IsolationProvider):
f"Could not find a Dangerzone container image with tag '{expected_tag}'" f"Could not find a Dangerzone container image with tag '{expected_tag}'"
) )
for tag in old_tags: for tag in old_tags:
tag = container_utils.CONTAINER_NAME + ":" + tag
container_utils.delete_image_tag(tag) container_utils.delete_image_tag(tag)
else: else:
return True return True

4
tests/isolation_provider/test_container.py
View file

@ -86,6 +86,10 @@ class TestContainer(IsolationProviderTest):
self, provider: Container, fp: FakeProcess self, provider: Container, fp: FakeProcess
) -> None: ) -> None:
"""When an image keep being not installed, it should return False""" """When an image keep being not installed, it should return False"""
fp.register_subprocess(
["podman", "version", "-f", "{{.Client.Version}}"],
stdout="4.0.0",
)
fp.register_subprocess( fp.register_subprocess(
[container_utils.get_runtime(), "image", "ls"], [container_utils.get_runtime(), "image", "ls"],