hub / github.com/containerd/containerd / WithImageConfigLabels

Function WithImageConfigLabels

client/container_opts.go:123–160  ·  view source on GitHub ↗

WithImageConfigLabels sets the image config labels on the container. The existing labels are cleared, as this is expected to be the first operation in setting up a container's labels. Use WithAdditionalContainerLabels to add to or overwrite the existing image config labels. Image config labels in the namespaces reserved for containerd (containerd.io/) and the CRI plugin (io.cri-containerd) are not copied to the container.

(image Image)

Source from the content-addressed store, hash-verified

121// (containerd.io/) and the CRI plugin (io.cri-containerd) are not copied
122// to the container.
func WithImageConfigLabels(image Image) NewContainerOpts {
	return func(ctx context.Context, _ *Client, c *containers.Container) error {
		// Resolve the config descriptor and reject anything that is not a
		// recognised image config media type before the blob is read.
		desc, err := image.Config(ctx)
		if err != nil {
			return err
		}
		if !images.IsConfigType(desc.MediaType) {
			return fmt.Errorf("unknown image config media type %s", desc.MediaType)
		}

		// NOTE(review): the config blob is read and decoded in full here;
		// whether its size is bounded depends on content.ReadBlob and the
		// descriptor, which are not visible in this function. Confirm.
		blob, err := content.ReadBlob(ctx, image.ContentStore(), desc)
		if err != nil {
			return err
		}

		var img v1.Image
		if err := json.Unmarshal(blob, &img); err != nil {
			return err
		}

		// Assignment replaces whatever labels the container already had; it
		// does not merge with them.
		c.Labels = img.Config.Labels

		// The image config is written by whoever built the image, so its
		// labels are untrusted input. Keys that labels.IsReserved reports as
		// reserved (the containerd.io/* namespace read by containerd itself
		// and the io.cri-containerd.* namespace read by the CRI plugin) are
		// removed so an image cannot set them on the container. Each dropped
		// key is logged with %q, which escapes control characters in the
		// image-supplied key.
		maps.DeleteFunc(c.Labels, func(key, _ string) bool {
			reserved := labels.IsReserved(key)
			if reserved {
				log.G(ctx).Warnf("skipping image label %q: the label namespace is reserved for containerd; possible malicious image attempting to alter containerd behavior", key)
			}
			return reserved
		})
		return nil
	}
}
161
162// WithAdditionalContainerLabels adds the provided labels to the container
163// The existing labels are preserved as long as they do not conflict with the added labels.

Callers 1

Calls 6

IsConfigTypeFunction · 0.92
ReadBlobFunction · 0.92
IsReservedFunction · 0.92
UnmarshalMethod · 0.80
ConfigMethod · 0.65
ContentStoreMethod · 0.65

Tested by 1
