Update SOCI index manifest V2 db references

When we convert images to SOCI index manifest v2, we first create SOCI
indexes, then add the annotations to the image manifests. In the process
of creating the SOCI indexes, we create an artifacts DB reference to the
SOCI index using the original manifest and image ids. This change goes
back after everything is done and updates the artifacts DB so the index
is associated with the new manifest and image.

Signed-off-by: Kern Walster <walster@amazon.com>

Author: Kern--

integration/pull_modes_test.go

@@ -34,17 +34,20 @@ var (
 
 func createAndPushV2Index(t *testing.T, sh *dockershell.Shell, srcInfo imageInfo, dstInfo imageInfo) string {
 	sh.X("nerdctl", "pull", "--all-platforms", srcInfo.ref)
-	sh.X("soci", "convert", "--min-layer-size", "0", srcInfo.ref, dstInfo.ref)
+	sh.X("soci", "convert", "--all-platforms", "--min-layer-size", "0", srcInfo.ref, dstInfo.ref)
 	sh.X("nerdctl", "push", "--all-platforms", dstInfo.ref)
 
 	indexDigest, err := sh.OLog("soci",
 		"index", "list",
-		"-q", "--ref", srcInfo.ref,
+		"-q", "--ref", dstInfo.ref,
 		"--platform", platforms.Format(platforms.DefaultSpec()),
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
+	if len(indexDigest) == 0 {
+		t.Fatal("index digest is empty")
+	}
 
 	return strings.Trim(string(indexDigest), "\n")
 }
@@ -264,7 +267,7 @@ func testDanglingV2Annotation(t *testing.T, imgName string) {
 	dstInfo := regConfig.mirror(imgName)
 
 	sh.X("nerdctl", "pull", "--all-platforms", srcInfo.ref)
-	sh.X("soci", "convert", "--min-layer-size", "0", srcInfo.ref, dstInfo.ref)
+	sh.X("soci", "convert", "--all-platforms", "--min-layer-size", "0", srcInfo.ref, dstInfo.ref)
 
 	manifest, err := getManifestDigest(sh, dstInfo.ref, platforms.DefaultSpec())
 	if err != nil {
@@ -273,14 +276,17 @@ func testDanglingV2Annotation(t *testing.T, imgName string) {
 
 	v2IndexDigest, err := sh.OLog("soci",
 		"index", "list",
-		"-q", "--ref", srcInfo.ref,
+		"-q", "--ref", dstInfo.ref,
 		"--platform", platforms.Format(platforms.DefaultSpec()),
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
+	if len(v2IndexDigest) == 0 {
+		t.Fatal("index digest is empty")
+	}
 
-	// Nither nerdctl nor ctr expose a way to "elevate" a platform-specific
+	// Neither nerdctl nor ctr expose a way to "elevate" a platform-specific
 	// manifest to a top level image directly, so we do a little registry dance:
 	// push image:tag
 	// pull image@sha256:... (the specific manifest we want to elevate)

soci/artifacts.go

@@ -323,24 +323,22 @@ func (db *ArtifactsDb) addNewArtifacts(ctx context.Context, blobStorePath string
 
 // GetArtifactEntry loads a single ArtifactEntry from the ArtifactsDB by digest
 func (db *ArtifactsDb) GetArtifactEntry(digest string) (*ArtifactEntry, error) {
-	entry := ArtifactEntry{}
+	var entry *ArtifactEntry
 	err := db.db.View(func(tx *bolt.Tx) error {
-		bucket, err := getArtifactsBucket(tx)
-		if err != nil {
-			return err
-		}
-		e, err := getArtifactEntryByDigest(bucket, digest)
-		if err != nil {
-			return err
-		}
-		entry = *e
-		return nil
+		var err error
+		entry, err = db.getArtifactEntry(tx, digest)
+		return err
 	})
 
+	return entry, err
+}
+
+func (db *ArtifactsDb) getArtifactEntry(tx *bolt.Tx, digest string) (*ArtifactEntry, error) {
+	bucket, err := getArtifactsBucket(tx)
 	if err != nil {
 		return nil, err
 	}
-	return &entry, nil
+	return getArtifactEntryByDigest(bucket, digest)
 }
 
 // GetArtifactType gets Type of an ArtifactEntry from the ArtifactsDB by digest
@@ -411,15 +409,32 @@ func (db *ArtifactsDb) WriteArtifactEntry(entry *ArtifactEntry) error {
 	if entry == nil {
 		return fmt.Errorf("no entry to write")
 	}
-	err := db.db.Update(func(tx *bolt.Tx) error {
-		bucket, err := tx.CreateBucketIfNotExists(bucketKeySociArtifacts)
+	return db.db.Update(func(tx *bolt.Tx) error {
+		return db.writeArtifactEntry(tx, entry)
+	})
+}
+
+func (db *ArtifactsDb) writeArtifactEntry(tx *bolt.Tx, entry *ArtifactEntry) error {
+	bucket, err := tx.CreateBucketIfNotExists(bucketKeySociArtifacts)
+	if err != nil {
+		return err
+	}
+	return putArtifactEntry(bucket, entry)
+}
+
+// updateSociV2ArtifactReference updates the image and manifest digests associated with the SOCI index digest in the artifacts db.
+// the indexDigest is the SOCI index to updated, the manifestDigest is the specific image manifest that the SOCI index is bound to,
+// and the imageDigest is the target of the image (this is the same as the manifestDigest for single platform images, but different for mult-platform)
+func (db *ArtifactsDb) updateSociV2ArtifactReference(indexDigest string, manifestDigest string, imageDigest string) error {
+	return db.db.Update(func(tx *bolt.Tx) error {
+		ae, err := db.getArtifactEntry(tx, indexDigest)
 		if err != nil {
 			return err
 		}
-		err = putArtifactEntry(bucket, entry)
-		return err
+		ae.ImageDigest = imageDigest
+		ae.OriginalDigest = manifestDigest
+		return db.writeArtifactEntry(tx, ae)
 	})
-	return err
 }
 
 func getArtifactsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {

soci/soci_convert.go

@@ -146,6 +146,12 @@ func (b *IndexBuilder) Convert(ctx context.Context, img images.Image, opts ...Co
 		return nil, err
 	}
 
+	// Update artifacts DB references to the new image/index digests
+	err = b.updateSociV2ArtifactReferences(&ociIndex, ociIndexDesc.Digest.String())
+	if err != nil {
+		return nil, err
+	}
+
 	// Apply GC Labels
 	for i, desc := range ociIndex.Manifests {
 		err := store.LabelGCRefContent(ctx, b.blobStore, ociIndexDesc, fmt.Sprintf("m.%d", i), desc.Digest.String())
@@ -352,3 +358,21 @@ func (b *IndexBuilder) pushOCIObject(ctx context.Context, obj any) (ocispec.Desc
 	}
 	return desc, nil
 }
+
+// updateSociV2ArtifactReferences adjusts the artifacts DB so that the SOCI indexes contained in the OCI index
+// reference the correct digests.
+//
+// When we create the SOCI index manifest v2, we add it to the artifacts DB with the original image manifest digest
+// and image digest. When we add the annotations, we change the manifest digest and create a new image with a new
+// digest. This function goes back and fixes the artifacts DB so that the index is associated with the new manifest and image digests.
+func (b *IndexBuilder) updateSociV2ArtifactReferences(index *ocispec.Index, indexDigest string) error {
+	for _, manifestDesc := range index.Manifests {
+		if manifestDesc.ArtifactType == SociIndexArtifactTypeV2 {
+			err := b.config.artifactsDb.updateSociV2ArtifactReference(manifestDesc.Digest.String(), manifestDesc.Annotations[IndexAnnotationImageManifestDigest], indexDigest)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}