fix: support container extraction with OCI layout export

leodido · ona-agent · leodido · commit d0c01ae86887 · 2025-11-21T10:03:07.000+01:00
When exportToCache is enabled, images are in OCI layout format (not Docker daemon).
Container extraction code was checking Docker daemon with 'docker image inspect',
which fails for OCI layout images.

Changes:
- Add checkOCILayoutExists() to validate OCI layout before extraction
- Update PostProcess to use appropriate check based on exportToCache flag
- Add unit tests for OCI layout validation (4 test cases)
- Add integration test for both Docker daemon and OCI layout paths
- Add workflow_dispatch trigger to integration tests workflow

All tests passing:
- Unit tests: TestCheckOCILayoutExists (4/4)
- Integration: TestDockerPackage_ContainerExtraction_Integration (2/2)

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
@@ -12,6 +12,7 @@ on:
   push:
     branches:
       - 'main'
+  workflow_dispatch:
 
 env:
   GO_VERSION: '1.24'
diff --git a/pkg/leeway/build.go b/pkg/leeway/build.go
@@ -2044,13 +2044,29 @@ func (p *Package) buildDocker(buildctx *buildContext, wd, result string) (res *p
 			})
 			extractLogger.Debug("Extracting container filesystem")
 
-			// First, verify the image exists
-			imageExists, err := checkImageExists(version)
-			if err != nil {
-				return xerrors.Errorf("failed to check if image exists: %w", err)
-			}
-			if !imageExists {
-				return xerrors.Errorf("image %s not found - build may have failed silently", version)
+			// Verify the image exists (check OCI layout or Docker daemon based on export mode)
+			if *cfg.ExportToCache {
+				// Check OCI layout
+				extractLogger.Debug("Checking OCI layout image.tar")
+				ociExists, err := checkOCILayoutExists(buildDir)
+				if err != nil {
+					return xerrors.Errorf("failed to check OCI layout: %w", err)
+				}
+				if !ociExists {
+					return xerrors.Errorf("OCI layout image.tar not found in %s - build may have failed silently", buildDir)
+				}
+				extractLogger.Debug("OCI layout image.tar found and valid")
+			} else {
+				// Check Docker daemon
+				extractLogger.Debug("Checking Docker daemon for image")
+				imageExists, err := checkImageExists(version)
+				if err != nil {
+					return xerrors.Errorf("failed to check if image exists in Docker daemon: %w", err)
+				}
+				if !imageExists {
+					return xerrors.Errorf("image %s not found in Docker daemon - build may have failed silently", version)
+				}
+				extractLogger.Debug("Image found in Docker daemon")
 			}
 
 			// Use the OCI libraries for extraction with more robust error handling
@@ -2803,6 +2819,31 @@ func checkImageExists(imageName string) (bool, error) {
 	return true, nil
 }
 
+// checkOCILayoutExists checks if an OCI layout image.tar exists and is valid
+func checkOCILayoutExists(buildDir string) (bool, error) {
+	imageTarPath := filepath.Join(buildDir, "image.tar")
+	
+	// Check if image.tar exists
+	info, err := os.Stat(imageTarPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("failed to stat image.tar: %w", err)
+	}
+	
+	// Check if it's a regular file and not empty
+	if !info.Mode().IsRegular() {
+		return false, xerrors.Errorf("image.tar is not a regular file")
+	}
+	
+	if info.Size() == 0 {
+		return false, xerrors.Errorf("image.tar is empty")
+	}
+	
+	return true, nil
+}
+
 // logDirectoryStructure logs the directory structure for debugging
 func logDirectoryStructure(dir string, logger *log.Entry) error {
 	cmd := exec.Command("find", dir, "-type", "f", "-o", "-type", "d", "|", "sort")
diff --git a/pkg/leeway/build_integration_test.go b/pkg/leeway/build_integration_test.go
@@ -109,9 +109,9 @@ func TestDockerPackage_ExportToCache_Integration(t *testing.T) {
 			name:             "export without image config",
 			exportToCache:    true,
 			hasImages:        false,
-			expectFiles:      []string{"content"},
-			expectError:      true, // OCI layout export requires an image tag
-			expectErrorMatch: "(?i)(not found|failed)", // Build fails without image config in OCI mode
+			expectFiles:      []string{"content"}, // Without image config, extracts container filesystem
+			expectError:      false,
+			expectErrorMatch: "",
 		},
 	}
 
@@ -122,6 +122,26 @@ func TestDockerPackage_ExportToCache_Integration(t *testing.T) {
 				t.Skip(tt.skipReason)
 			}
 
+			// Create docker-container builder for OCI export if needed
+			if tt.exportToCache {
+				builderName := "leeway-export-test-builder"
+				createBuilder := exec.Command("docker", "buildx", "create", "--name", builderName, "--driver", "docker-container", "--bootstrap")
+				if err := createBuilder.Run(); err != nil {
+					// Builder might already exist, try to use it
+					t.Logf("Builder creation failed (might already exist): %v", err)
+				}
+				defer func() {
+					removeBuilder := exec.Command("docker", "buildx", "rm", builderName)
+					_ = removeBuilder.Run()
+				}()
+
+				// Set builder as default for this test
+				useBuilder := exec.Command("docker", "buildx", "use", builderName)
+				if err := useBuilder.Run(); err != nil {
+					t.Fatalf("Failed to use builder: %v", err)
+				}
+			}
+
 			// Create temporary workspace
 			tmpDir := t.TempDir()
 
@@ -334,6 +354,22 @@ func TestDockerPackage_CacheRoundTrip_Integration(t *testing.T) {
 		t.Skip("Docker not available, skipping integration test")
 	}
 
+	// Create docker-container builder for OCI export
+	builderName := "leeway-roundtrip-test-builder"
+	createBuilder := exec.Command("docker", "buildx", "create", "--name", builderName, "--driver", "docker-container", "--bootstrap")
+	if err := createBuilder.Run(); err != nil {
+		t.Logf("Builder creation failed (might already exist): %v", err)
+	}
+	defer func() {
+		removeBuilder := exec.Command("docker", "buildx", "rm", builderName)
+		_ = removeBuilder.Run()
+	}()
+
+	useBuilder := exec.Command("docker", "buildx", "use", builderName)
+	if err := useBuilder.Run(); err != nil {
+		t.Fatalf("Failed to use builder: %v", err)
+	}
+
 	// This test verifies that a Docker image can be:
 	// 1. Built and exported to cache
 	// 2. Extracted from cache
@@ -969,3 +1005,164 @@ CMD ["cat", "/build-time.txt"]
 	t.Logf("✅ No 'docker inspect' error occurred")
 	t.Logf("✅ This confirms the fix works: digest extracted from OCI layout instead of Docker daemon")
 }
+
+// TestDockerPackage_ContainerExtraction_Integration tests container filesystem extraction
+// with both Docker daemon and OCI layout paths
+func TestDockerPackage_ContainerExtraction_Integration(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	// Ensure Docker is available
+	if err := exec.Command("docker", "version").Run(); err != nil {
+		t.Skip("Docker not available, skipping integration test")
+	}
+
+	// Ensure buildx is available
+	if err := exec.Command("docker", "buildx", "version").Run(); err != nil {
+		t.Skip("Docker buildx not available, skipping integration test")
+	}
+
+	// Create docker-container builder for OCI export
+	builderName := "leeway-extract-test-builder"
+	createBuilder := exec.Command("docker", "buildx", "create", "--name", builderName, "--driver", "docker-container", "--bootstrap")
+	if err := createBuilder.Run(); err != nil {
+		t.Logf("Warning: failed to create builder (might already exist): %v", err)
+	}
+	defer func() {
+		exec.Command("docker", "buildx", "rm", builderName).Run()
+	}()
+
+	useBuilder := exec.Command("docker", "buildx", "use", builderName)
+	if err := useBuilder.Run(); err != nil {
+		t.Fatalf("Failed to use builder: %v", err)
+	}
+	defer func() {
+		exec.Command("docker", "buildx", "use", "default").Run()
+	}()
+
+	// Test both paths
+	testCases := []struct {
+		name            string
+		exportToCache   bool
+		expectedMessage string
+	}{
+		{
+			name:            "with_docker_daemon",
+			exportToCache:   false,
+			expectedMessage: "Image found in Docker daemon",
+		},
+		{
+			name:            "with_oci_layout",
+			exportToCache:   true,
+			expectedMessage: "OCI layout image.tar found and valid",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tmpDir := t.TempDir()
+			wsDir := filepath.Join(tmpDir, "workspace")
+			if err := os.MkdirAll(wsDir, 0755); err != nil {
+				t.Fatal(err)
+			}
+
+			// Create WORKSPACE.yaml
+			workspaceYAML := `defaultTarget: ":test-extract"`
+			if err := os.WriteFile(filepath.Join(wsDir, "WORKSPACE.yaml"), []byte(workspaceYAML), 0644); err != nil {
+				t.Fatal(err)
+			}
+
+			// Create Dockerfile
+			dockerfile := `FROM alpine:3.18
+RUN echo "test content" > /test.txt
+`
+			if err := os.WriteFile(filepath.Join(wsDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+				t.Fatal(err)
+			}
+
+			// Create BUILD.yaml with container extraction
+			buildYAML := fmt.Sprintf(`packages:
+  - name: test-extract
+    type: docker
+    config:
+      dockerfile: Dockerfile
+      exportToCache: %v
+`, tc.exportToCache)
+			if err := os.WriteFile(filepath.Join(wsDir, "BUILD.yaml"), []byte(buildYAML), 0644); err != nil {
+				t.Fatal(err)
+			}
+
+			// Initialize git repo
+			gitInit := exec.Command("git", "init")
+			gitInit.Dir = wsDir
+			if err := gitInit.Run(); err != nil {
+				t.Fatal(err)
+			}
+
+			gitConfigName := exec.Command("git", "config", "user.name", "Test User")
+			gitConfigName.Dir = wsDir
+			if err := gitConfigName.Run(); err != nil {
+				t.Fatal(err)
+			}
+
+			gitConfigEmail := exec.Command("git", "config", "user.email", "test@example.com")
+			gitConfigEmail.Dir = wsDir
+			if err := gitConfigEmail.Run(); err != nil {
+				t.Fatal(err)
+			}
+
+			gitAdd := exec.Command("git", "add", ".")
+			gitAdd.Dir = wsDir
+			if err := gitAdd.Run(); err != nil {
+				t.Fatal(err)
+			}
+
+			gitCommit := exec.Command("git", "commit", "-m", "initial")
+			gitCommit.Dir = wsDir
+			gitCommit.Env = append(os.Environ(),
+				"GIT_AUTHOR_DATE=2021-01-01T00:00:00Z",
+				"GIT_COMMITTER_DATE=2021-01-01T00:00:00Z",
+			)
+			if err := gitCommit.Run(); err != nil {
+				t.Fatal(err)
+			}
+
+			// Build
+			cacheDir := filepath.Join(tmpDir, "cache")
+			cache, err := local.NewFilesystemCache(cacheDir)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			buildCtx, err := newBuildContext(buildOptions{
+				LocalCache:          cache,
+				DockerExportToCache: tc.exportToCache,
+				DockerExportSet:     true,
+				Reporter:            NewConsoleReporter(),
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ws, err := FindWorkspace(wsDir, Arguments{}, "", "")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			pkg, ok := ws.Packages["//:test-extract"]
+			if !ok {
+				t.Fatal("package //:test-extract not found")
+			}
+
+			// Build the package - this should extract the container filesystem
+			if err := pkg.build(buildCtx); err != nil {
+				t.Fatalf("build failed: %v", err)
+			}
+
+			t.Logf("✅ Build succeeded with exportToCache=%v", tc.exportToCache)
+			t.Logf("✅ Container filesystem extraction completed")
+			t.Logf("✅ No 'image not found' error occurred")
+		})
+	}
+}
diff --git a/pkg/leeway/build_oci_test.go b/pkg/leeway/build_oci_test.go
@@ -145,6 +145,85 @@ func TestExtractDigestFromOCILayout_MissingFile(t *testing.T) {
 	}
 }
 
+// TestCheckOCILayoutExists tests the OCI layout validation function
+func TestCheckOCILayoutExists(t *testing.T) {
+	tests := []struct {
+		name        string
+		setup       func(string) error
+		wantExists  bool
+		wantErr     bool
+		errContains string
+	}{
+		{
+			name: "valid image.tar exists",
+			setup: func(dir string) error {
+				return os.WriteFile(filepath.Join(dir, "image.tar"), []byte("fake tar content"), 0644)
+			},
+			wantExists: true,
+			wantErr:    false,
+		},
+		{
+			name: "image.tar missing",
+			setup: func(dir string) error {
+				// Don't create image.tar
+				return nil
+			},
+			wantExists: false,
+			wantErr:    false,
+		},
+		{
+			name: "image.tar is empty",
+			setup: func(dir string) error {
+				return os.WriteFile(filepath.Join(dir, "image.tar"), []byte{}, 0644)
+			},
+			wantExists:  false,
+			wantErr:     true,
+			errContains: "empty",
+		},
+		{
+			name: "image.tar is a directory",
+			setup: func(dir string) error {
+				return os.Mkdir(filepath.Join(dir, "image.tar"), 0755)
+			},
+			wantExists:  false,
+			wantErr:     true,
+			errContains: "not a regular file",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir := t.TempDir()
+			
+			if err := tt.setup(tmpDir); err != nil {
+				t.Fatalf("setup failed: %v", err)
+			}
+
+			exists, err := checkOCILayoutExists(tmpDir)
+
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("checkOCILayoutExists() expected error, got nil")
+					return
+				}
+				if tt.errContains != "" && !strings.Contains(err.Error(), tt.errContains) {
+					t.Errorf("checkOCILayoutExists() error = %v, want error containing %q", err, tt.errContains)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("checkOCILayoutExists() unexpected error: %v", err)
+				return
+			}
+
+			if exists != tt.wantExists {
+				t.Errorf("checkOCILayoutExists() = %v, want %v", exists, tt.wantExists)
+			}
+		})
+	}
+}
+
 // TestCreateOCILayoutSubjectsFunction tests the OCI layout subjects function
 // Note: This function is set up regardless of SLSA being enabled, but is only
 // called when SLSA provenance generation is active. This test verifies the
