image/save: Fix untagged images not present in index.json

[vvoland]

• fixes: [v25] docker save <IMAGE>@<DIGEST> produces index.json with "manifest": null #47210
• closes: integration test: Check OCI Manifest layers order  #47165

Saving an image via digested reference, ID or truncated ID doesn't store the image reference in the archive. This also causes the save code to not add the image's manifest to the index.json.
This PR explicitly adds the untagged manifests to the index.json if no tagged manifests were added.

- How to verify it

• TestSaveOCI integration test

By digest

$ docker save hello-world@sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6 | tar xO index.json | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:411caf340c828657e915a83ed561a79d2b8150dabad4dc079d881cbfe6f86afe",
      "size": 447,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ]
}

By tag

$ docker save hello-world | tar xO index.json | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:411caf340c828657e915a83ed561a79d2b8150dabad4dc079d881cbfe6f86afe",
      "size": 447,
      "annotations": {
        "io.containerd.image.name": "docker.io/library/hello-world:latest",
        "org.opencontainers.image.ref.name": "latest"
      },
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ]
}

Tag and digest

$ docker tag hello-world my:hello
$ docker save hello-world my:hello \
   hello-world@sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6 | \
   tar xO index.json | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:411caf340c828657e915a83ed561a79d2b8150dabad4dc079d881cbfe6f86afe",
      "size": 447,
      "annotations": {
        "io.containerd.image.name": "docker.io/library/hello-world:latest",
        "org.opencontainers.image.ref.name": "latest"
      },
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:411caf340c828657e915a83ed561a79d2b8150dabad4dc079d881cbfe6f86afe",
      "size": 447,
      "annotations": {
        "io.containerd.image.name": "docker.io/library/my:hello",
        "org.opencontainers.image.ref.name": "hello"
      },
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ]
}

- Description for the changelog

- Fix `docker save <image>@<digest>` producing an OCI archive with index without manifests

- A picture of a cute animal (not mandatory but encouraged)

[cpuguy83]

I would really like to see these hard-coded values moved up the stack. With it like this it makes the test more confusing, for me, to work through.
Likewise with the layer contents.

[vvoland]

Extracted another function and moved the hardcoded values up. Let me know if that works for you!

[thaJeztah]

@vvoland could you have a peek at the review comment above?

[thaJeztah]

Failures are Windows + containerd snapshotter, and are known to still fail, so can be ignored

[thaJeztah]

quick blurb, as I started to look (so far nothing blocking) but had to drop off, so let me post what I had

[thaJeztah]

I honestly somewhat more liked the struct-literal here, to prevent any possible confusion that things / fields could be used by-reference 🤔

It would result in some small amount of duplication (constructing the struct twice), just have been bit by maps or slices not being properly de-referenced on some occasions.

[thaJeztah]

LGTM

[tianon]

FWIW, it's fully valid for this to include the full reference:

https://github.com/opencontainers/image-spec/blob/5325ec48851022d6ded604199a3566254e72842a/annotations.md#:~:text=org.opencontainers.image.ref.name

[thaJeztah]

Hm.. interesting; so that would mean duplicating the same information (and implicitly; requiring the reader of that information having to parse the format to get the tag only?).

One thing I notice in that section is that it looks like separator as part of components seems to have been conflated with separator between name and tag (or digest);

• org.opencontainers.image.ref.name Name of the reference for a target (string).

  • SHOULD only be considered valid when on descriptors on index.json within image layout.

  • Character set of the value SHOULD conform to alphanum of A-Za-z0-9 and separator set of -._:@/+

  • A valid reference matches the following grammar:

    ref       ::= component ("/" component)*
    component ::= alphanum (separator alphanum)*
    alphanum  ::= [A-Za-z0-9]+
    separator ::= [-._:@+] | "--"

The distribution/reference grammar uses a different definition;

separator := /[_.]|__|[-]*/

• it only allows -._ as separators
• 2 consecutive underscores (__)
• zero or more hypens (-)

The :, @ would be to separate tag or digest, and

If I read the OCI spec there correctly, something like docker.io/github.com/he:llo@sha256+fo--b_ar would be a valid value, but not parseable with the distribution/reference package 😬

[thaJeztah]

Hm.. for org.opencontainers.image.base.name, there's a mention that it should be in the format described in distribution/reference; should that also be done for the above?

• org.opencontainers.image.base.name Image reference of the image this image is based on (string)
• This SHOULD be image references in the format defined by [distribution/distribution][distribution-reference].