dockerfile: fetch oci-*-tools with go install

We also need to switch to "go install" entirely because we are about to update to a newer Go version that has disallowed "go get" outside of repos. For both tools, we need to pin an older version in order to make sure our tests function properly: * oci-runtime-tool since v0.6.0 validates that reserved annotations are not used. However, due to an oversight the OCI image-spec defined org.opencontainers.image.* annotations are considered "reserved" by the OCI runtime-spec. [1] should resolve this issue (once it is merged and oci-runtime-tool is updated with the relevant fixes) but in the meantime we need to use an older version of this tool. So we need to use v0.5.0 for the time being. * oci-image-tool appears to have become non-functional for our needs since v1.0.0-rc1, where support for scanning an entire image layout (i.e. complete OCI image) appears to have been removed. We need to use v0.3.0 for the time being. [1]: opencontainers/runtime-spec#1197 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar · Apr 21, 2023 · c99bc38 · c99bc38
1 parent 701c194
commit c99bc38
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,10 +41,10 @@ jobs:
       - name: install dependencies
         run: |
           # TODO: Move this to 'make fetch-deps'.
-          GO111MODULE=off go get -u github.com/cpuguy83/go-md2man
-          GO111MODULE=off go get -u golang.org/x/lint/golint
-          GO111MODULE=off go get -u github.com/securego/gosec/cmd/gosec
-          GO111MODULE=off go get -u github.com/client9/misspell/cmd/misspell
+          go install github.com/cpuguy83/go-md2man/v2@latest
+          go install golang.org/x/lint/golint@latest
+          go install github.com/securego/gosec/cmd/gosec@latest
+          go install github.com/client9/misspell/cmd/misspell@latest
       - run: |
           make local-validate
 

diff --git a/Dockerfile b/Dockerfile
@@ -39,8 +39,6 @@ RUN zypper -n in \
 		libcap-progs \
 		make \
 		moreutils \
-		oci-image-tools \
-		oci-runtime-tools \
 		python-setuptools \
 		python-xattr \
 		runc \
@@ -50,10 +48,22 @@ RUN zypper -n in \
 RUN useradd -u 1000 -m -d /home/rootless -s /bin/bash rootless
 
 ENV GOPATH=/go PATH=/go/bin:$PATH
-RUN go get -u github.com/cpuguy83/go-md2man && \
-    go get -u golang.org/x/lint/golint && \
-    go get -u github.com/securego/gosec/cmd/gosec && \
-    go get -u github.com/client9/misspell/cmd/misspell
+RUN go install github.com/cpuguy83/go-md2man/v2@latest && \
+	go install golang.org/x/lint/golint@latest && \
+	go install github.com/securego/gosec/cmd/gosec@latest && \
+	go install github.com/client9/misspell/cmd/misspell@latest
+# FIXME: We need to get an ancient version of oci-runtime-tools because the
+#        config.json conversion we do is technically not spec-compliant due to
+#        an oversight and new versions of oci-runtime-tools verify this.
+#        See <https://github.com/opencontainers/runtime-spec/pull/1197>.
+RUN go install github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool@v0.5.0
+# FIXME: oci-image-tool was basically broken for our needs after v0.3.0 (it
+#        cannot scan image layouts). The source is so old we need to manually
+#        build it (including doing "go mod init").
+RUN git clone -b v0.3.0 https://github.com/opencontainers/image-tools.git /tmp/oci-image-tools && \
+	( cd /tmp/oci-image-tools && go mod init github.com/opencontainers/image-tools && go mod tidy && go mod vendor; ) && \
+	make -C /tmp/oci-image-tools all install && \
+	rm -rf /tmp/oci-image-tools
 
 ENV SOURCE_IMAGE=/opensuse SOURCE_TAG=latest
 ARG DOCKER_IMAGE=registry.opensuse.org/opensuse/leap:15.2