WithImageConfigLabels sets the image config labels on the container. The existing labels are cleared, as this is expected to be the first operation in setting up a container's labels. Use WithAdditionalContainerLabels to add to or overwrite the image config labels. Image config labels in the namespaces reserved for containerd (containerd.io/) and the CRI plugin (io.cri-containerd) are not copied to the container.
(image Image)
// WithImageConfigLabels replaces the container's labels with the labels
// declared in the image config.
//
// Any labels already present on the container are discarded, so this option
// is meant to run before other label options; use
// WithAdditionalContainerLabels afterwards to add or override entries.
//
// The image config is untrusted input. Labels whose key is reported as
// reserved by labels.IsReserved (the containerd.io/ and io.cri-containerd
// namespaces) are dropped and a warning is logged for each one. The filter
// covers only the labels copied here; labels set by options applied later
// are not inspected by this function.
//
// The returned option fails if the image config descriptor cannot be
// resolved, if its media type is not an image config type, or if the config
// blob cannot be read or decoded.
func WithImageConfigLabels(image Image) NewContainerOpts {
	return func(ctx context.Context, _ *Client, c *containers.Container) error {
		desc, err := image.Config(ctx)
		if err != nil {
			return err
		}
		if !images.IsConfigType(desc.MediaType) {
			return fmt.Errorf("unknown image config media type %s", desc.MediaType)
		}

		blob, err := content.ReadBlob(ctx, image.ContentStore(), desc)
		if err != nil {
			return err
		}

		var img v1.Image
		if err := json.Unmarshal(blob, &img); err != nil {
			return err
		}

		// Overwrite, do not merge: whatever labels the container had are gone.
		c.Labels = img.Config.Labels

		// Labels in the containerd.io/* namespace are interpreted by
		// containerd itself, and labels in the io.cri-containerd.* namespace
		// are interpreted by the CRI plugin. An image must not be able to set
		// them, so they are stripped before the container is created.
		maps.DeleteFunc(c.Labels, func(key, _ string) bool {
			reserved := labels.IsReserved(key)
			if reserved {
				// %q keeps a hostile key from injecting control characters
				// into the log line.
				log.G(ctx).Warnf("skipping image label %q: the label namespace is reserved for containerd; possible malicious image attempting to alter containerd behavior", key)
			}
			return reserved
		})
		return nil
	}
}
| 161 | |
| 162 | // WithAdditionalContainerLabels adds the provided labels to the container |
| 163 | // The existing labels are preserved as long as they do not conflict with the added labels. |