Image inspect rework

[apostasie]

Apologies for the big commit here, but I do not believe we can fix image inspect incrementally, as some of the core assumptions are wrong (specifically in the way we walk images, in the returned data types, etc).

Furthermore, there is more work needed here.
Other command which are doing images lookup (rmi) are also faulty.
Fixing these as well would turn this PR into a large monster, and I would rather do that separately as a follow-up once this one is reviewed and accepted.

So, this PR fixes the following:

• image inspect (Current implementation of images inspect is faulty (eg: RepoTags) #3004 among other things):
  • allow querying all sort of references:
    • repo short name
    • repo full name
    • repo with tag and/or digest
    • digest, with or without sha prefix
    • short ids
  • properly populate RepoTags and RepoDigests
  • always return a JSON array, instead of a stream, for example when multiple references are provided (fixes docker / nerdctl inconsistent return value from image inspect --format json #2988)
• dockercompat:
  • implement Parent (if it has been set on the image - note: I am not sure nerdctl does add the label when committing, but this is a different problem)
  • implement Variant
  • add GraphDriverData struct for future implementation
  • updated Image struct to the latest version at https://github.com/moby/moby/blob/v26.1.2/api/types/types.go#L34-L140
  • implement (deprecated) VirtualSize for compatibility

Obviously, the reworked image inspect should be wired into inspect at a later point, and the overall revised lookup mechanics should be generalized and used by other methods (like rmi) - again, as a follow-up.
Overall the current ImageWalker should either be removed or replaced with the updated workflow here.

Please note that our implementation also diverges from Docker, for good reasons:
For example, when retrieving an image using a digest and a tagged name, we do verify the tag name against the result, unlike Moby which only verifies the image name (because of their use of ParseDockerRef, which should be banned from existence IMHO…).
Because of that, Moby will allow inspecting images using random bogus tag names as long as the digest matches and return a different image than the requested one altogether.
This has had far reaching consequences: specifically, mind-bending bugs for build caching invalidation.
I do believe Moby must fix it, but it’s not my problem.

What is left overall:

• nerdctl images displays the wrong image id #3011 is a problem - we need to look into it and this might have consequences for the lookup implementation here - specifically wrt ContentStore
• generalizing the lookup method so that other commands can leverage it (will fix nerdctl rmi can be broken by using tag names with repo short sha #3016 for example)
• rewrite overall inspect to fix nerdctl inspect does not allow inspecting networks, volumes #3005, nerdctl inspect should not return a stream of json array, but a single array #3006

Also, this PR adds a bunch of integration tests on the above.

PTAL

cc @AkihiroSuda

[apostasie]

Light cleanup:

• improve variable name readability
• introduce Variant, Parent and VirtualSize
• populate RepoDigest

[apostasie]

Provisional for future implementation

[apostasie]

Updated with latest definition and reordered a bit for readability.

• moved down deprecated fields
• added VirtualSize, Parent, Variant

[apostasie]

Unnecessary.

[apostasie]

Just a note for newcomers.

[apostasie]

Cannot use the one in testutil, as it assumes single entry array.

[apostasie]

If really necessary, I could split this in two parts - the part that is docker compatible and the part that is not.

Either way we need first to resolve #3011

[apostasie]

Reviewer:

I don't want to introduce churn here by regularly adding more fixes.
The PR in its current state may have some minor issues (specifically there is one: Docker Hub names are not shortened properly before being added to RepoTags).
In the name of keeping our sanity, and if these minor issues are not a big deal for you, I will fix these in a follow-up once this is merged.

[apostasie]

Windows CI failure is on me.
Will try to fix it.
I need help with that Windows thing.
I do not have access to a Windows system, and not quite sure how to use it properly so we can test with linux images.

[apostasie]

Note this is likely fixing issues like #2061

[Zheaoli]

I will convert this PR to a draft before we solve the Windows issue together. I will help to figure out what happened.

[Zheaoli]

https://github.com/containerd/nerdctl/blob/main/cmd/nerdctl/image_save_test.go#L35C22-L35C44

You can output the inspect.RepoDigests[0] in test during the debug, I think there one more : char in the string

[apostasie]

https://github.com/containerd/nerdctl/blob/main/cmd/nerdctl/image_save_test.go#L35C22-L35C44

You can output the inspect.RepoDigests[0] in test during the debug, I think there one more : char in the string

Thanks @Zheaoli

I believe the failure on save_test (TestSaveById) are unrelated, and are just flakyness.

The actual test failing is the one I introduced, and the issue here is that I am using test images that do not have a Windows version, so, pull fails on windows: https://github.com/containerd/nerdctl/actions/runs/9133230483/job/25136088395?pr=3017#step:8:569

As I said, unfortunately, I know very little about Win...

[apostasie]

More accurately, the issue is:
time="2024-05-18T17:41:26Z" level=fatal msg="failed to extract layer sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820: hcsshim::ProcessBaseLayer \\\\?\\C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\106: The system cannot find the path specified.: unknown"

And I know nothing about hcsshim, or why it would fail extracting an image.

[apostasie]

@Zheaoli @AkihiroSuda
CI is green.
I disabled the test on window for now.
Will revisit soon when I get a Windows environment to test on.

[ktock]

Can we use more readable string like ! or a very long tag?

FYI: https://docs.docker.com/reference/cli/docker/image/tag/#description

The tag must be valid ASCII and can contain lowercase and uppercase letters, digits, underscores, periods, and hyphens. It can't start with a period or hyphen and must be no longer than 128 characters.

[apostasie]

I prefer something outside of the ASCII range if you don't mind, as this tends to uncover issues not necessarily seen without.

[ktock]

LGTM on green

[Zheaoli]

LGTM

[AkihiroSuda]

@ktock @Zheaoli You can merge PRs