fix(oci/config): ensure unique OCI image config

radu-matei · rajatjindal · endocrimes · radu-matei · commit 14cdc4224c54 · 2024-03-05T14:01:14.000+01:00
This commit ensures that applications pushed to OCI have unique image config fields for unique Spin application content and metadata by adding a label in the OCI image config to the content digest (SHA256) of the Spin locked application file. This is to address the issue of the Containerd Spin shim serving outdated content, because all images of Spin apps on a node would have the same image ID (the content digest of the OCI config object, which was identical for all Spin apps). ref spinframework/spin-operator#40 Signed-off-by: Radu Matei <radu@fermyon.com> Co-authored-by: Rajat Jindal <rajatjindal83@gmail.com> Co-authored-by: Danielle Lancashire <dani@builds.terrible.systems> Co-authored-by: Michelle Dhanani <michelle@fermyon.com>
diff --git a/crates/oci/src/client.rs b/crates/oci/src/client.rs
@@ -1,5 +1,6 @@
 //! Spin's client for distributing applications via OCI registries
 
+use std::collections::HashMap;
 use std::path::{Path, PathBuf};
 
 use anyhow::{bail, Context, Result};
@@ -174,15 +175,31 @@ impl Client {
             SPIN_APPLICATION_MEDIA_TYPE.to_string(),
             None,
         );
+        let config_layer_digest = locked_config_layer.sha256_digest().clone();
         layers.push(locked_config_layer);
 
+        let mut labels = HashMap::new();
+        labels.insert(
+            "com.fermyon.spin.lockedAppDigest".to_string(),
+            config_layer_digest,
+        );
+        let cfg = oci_distribution::config::Config {
+            labels: Some(labels),
+            ..Default::default()
+        };
+
         // Construct empty/default OCI config file. Data may be parsed according to
         // the expected config structure per the image spec, so we want to ensure it conforms.
         // (See https://github.com/opencontainers/image-spec/blob/main/config.md)
         // TODO: Explore adding data applicable to the Spin app being published.
         let oci_config_file = ConfigFile {
             architecture: oci_distribution::config::Architecture::Wasm,
             os: oci_distribution::config::Os::Wasip1,
+            // We need to ensure that the image config for different content is updated.
+            // Without referencing the digest of the locked application in the OCI image config,
+            // all Spin applications would get the same image config digest, resulting in the same
+            // image ID in container runtimes.
+            config: Some(cfg),
             ..Default::default()
         };
         let oci_config =
