local image lookup by digest

Detect local-image lookups by digest. Those clearly refer to local images only, so we must not proceed to remote lookups. Note that the specifed digest refers to an image ID and not to the digest of an image's manifest. Fixes: #2836 Signed-off-by: Valentin Rothberg <[email protected]>
containers · Jan 25, 2021 · d5bd97c · d5bd97c
1 parent 1a04337
commit d5bd97c
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 4 deletions.
diff --git a/new.go b/new.go
@@ -150,10 +150,10 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
 		return nil, "", nil, err
 	}
 
-	// If we could resolve the image locally, check if it was referenced by
-	// ID.  In that case, we don't need to bother any further and can
-	// prevent prompting the user.
-	if localImage != nil && strings.HasPrefix(localImage.ID, options.FromImage) {
+	// If we could resolve the image locally, check if it was clearly
+	// referring to a local image, either by ID or digest.  In that case,
+	// we don't need to perform a remote lookup.
+	if localImage != nil && (strings.HasPrefix(localImage.ID, options.FromImage) || strings.HasPrefix(options.FromImage, "sha256:")) {
 		return localImageRef, localImageRef.Transport().Name(), localImage, nil
 	}
 

diff --git a/tests/from.bats b/tests/from.bats
@@ -19,6 +19,18 @@ load helpers
   check_options_flag_err "--cred=fake fake"
 }
 
+@test "from-with-digest" {
+  run_buildah pull alpine
+  run_buildah inspect --format "{{.FromImageID}}" alpine
+  digest=$output
+
+  run_buildah from "sha256:$digest"
+  run_buildah rm $output
+
+  run_buildah 125 from sha256:1111111111111111111111111111111111111111111111111111111111111111
+  expect_output --substring "error locating image with ID \"1111111111111111111111111111111111111111111111111111111111111111\""
+}
+
 @test "commit-to-from-elsewhere" {
   elsewhere=${TESTDIR}/elsewhere-img
   mkdir -p ${elsewhere}

diff --git a/util/util.go b/util/util.go
@@ -20,6 +20,7 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/storage"
 	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -68,6 +69,19 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto
 			return []string{img.ID}, "", false, nil
 		}
 	}
+	// If we're referring to an image by digest, it *must* be local and we
+	// should not have any fall through/back logic.
+	if strings.HasPrefix(name, "sha256:") {
+		d, err := digest.Parse(name)
+		if err != nil {
+			return nil, "", false, err
+		}
+		img, err := store.Image(d.Encoded())
+		if err != nil {
+			return nil, "", false, err
+		}
+		return []string{img.ID}, "", false, nil
+	}
 
 	// Transports are not supported for local image look ups.
 	srcRef, err := alltransports.ParseImageName(name)