fix: extract container files from OCI tar instead of Docker daemon #296
+335
−42
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When exportToCache=true, Docker images are built with `--output type=oci,dest=image.tar` which exports to a tar file but does NOT load the image into the Docker daemon. The extraction code was always trying to get the image from the Docker daemon using `daemon.Image()`, which failed with "No such image" error. This fix: 1. Checks if an OCI tar file exists (image.tar in the build directory) 2. If yes, extracts the OCI layout from the tar and loads the image from it 3. If no, falls back to the Docker daemon (existing behavior) Also removes the global mock in build_test.go that was preventing integration tests from testing the real extraction code. The mock is now a helper function that tests can explicitly call if needed. Fixes the production failure in gitpod-next where runner/shared/openssh:docker package build was failing with "No such image" error. Co-authored-by: Ona <no-reply@ona.com>
Adds TestDockerPackage_OCIExtraction_NoImage_Integration which reproduces and verifies the fix for the bug where container extraction fails with 'No such image' error when exportToCache=true and no image: config. The test: 1. Creates a Docker package with NO image: config (not pushed to registry) 2. Builds with exportToCache=true (creates OCI layout) 3. Verifies build succeeds without 'No such image' error 4. Confirms extraction works from OCI tar instead of Docker daemon This test would fail on main branch (uses mock) but passes on fix branch (uses real extraction from OCI tar). Co-authored-by: Ona <no-reply@ona.com>
Unit tests that use dummy docker (not real Docker) need the mock enabled because dummy docker doesn't create real images or OCI tars. Without the mock, container extraction fails with 'No such image' error when the test package has no image: config (which triggers extraction). Tests fixed: - TestBuildDockerDeps - TestDockerPostProcessing This resolves the CI unit test failures while keeping integration tests using real extraction code. Co-authored-by: Ona <no-reply@ona.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the bug where container extraction fails with "No such image" error when
exportToCache=true(SLSA enabled) and the Docker package has noimage:config.Part of https://linear.app/ona-team/issue/CLC-2009/docker-export-mode-for-slsa-l3-compliance-leeway
Problem
When a Docker package:
image:config (not pushed to registry)exportToCache=true(SLSA L3 enabled)The build creates
image.tarwith OCI layout but extraction tries to get the image from Docker daemon, which fails because the image was never loaded into the daemon.Error:
Affected: monorepo CI -
runner/shared/openssh:dockerpackage buildSolution
Modified
extractImageWithOCILibsImpl()to:image.tarexists (created whenexportToCache=true)Changes
pkg/leeway/container_image.gogithub.com/google/go-containerregistry/pkg/v1/layoutextractImageWithOCILibsImpl()to handle OCI tar extractionextractTar()helper functionpkg/leeway/build_test.goinit()that was hiding bugssetupMockForUnitTests()helper for explicit mockingpkg/leeway/build_integration_test.goTestDockerPackage_OCIExtraction_NoImage_IntegrationTesting
New Integration Test
go test -tags=integration -v ./pkg/leeway \ -run TestDockerPackage_OCIExtraction_NoImage_Integration✅ PASS - Verifies extraction works from OCI tar
Existing Tests
TestDockerPackage_ContainerExtraction_Integration- PASSTestDockerPackage_OCILayout_Determinism_Integration- PASS (determinism preserved)Manual Testing
Tested with monorepo
runner/shared/openssh:docker:SLSA L3 Compatibility
✅ Determinism preserved - OCI layout is unchanged
✅ Cache structure unchanged - Only affects extraction
✅ Provenance unaffected - Generated before extraction
✅ Backward compatible - Falls back to daemon when OCI tar doesn't exist
Why This Wasn't Caught Before
The integration tests on main use a global mock in
init()that intercepts ALL extraction calls, including in integration tests. This means tests passed but the real extraction code was never tested.Evidence: Test output shows
msg="Mock: Extracting container filesystem"This PR removes the global mock and makes it opt-in, so integration tests now test real code.
Checklist
Related
Co-authored-by: Ona no-reply@ona.com