cmd: support nerdctl manifeset inspect

Signed-off-by: ChengyuZhu6 <hudson@cyzhu.com>

Author: ChengyuZhu6

cmd/nerdctl/image/image_inspect.go

@@ -34,7 +34,7 @@ import (
 func inspectCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:               "inspect [flags] IMAGE [IMAGE...]",
-		Args:              cobra.MinimumNArgs(1),
+		Args:              helpers.IsExactArgs(1),
 		Short:             "Display detailed information on one or more images.",
 		Long:              "Hint: set `--mode=native` for showing the full output",
 		RunE:              imageInspectAction,

cmd/nerdctl/main.go

@@ -40,6 +40,7 @@ import (
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/internal"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/ipfs"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/login"
+	"github.com/containerd/nerdctl/v2/cmd/nerdctl/manifest"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/namespace"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/network"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/system"
@@ -344,6 +345,10 @@ Config file ($NERDCTL_TOML): %s
 
 		// IPFS
 		ipfs.NewIPFSCommand(),
+
+		// Manifest
+		manifest.Command(),
+		manifest.InspectCommand(),
 	)
 	addApparmorCommand(rootCmd)
 	container.AddCpCommand(rootCmd)

cmd/nerdctl/manifest/manifest.go

@@ -0,0 +1,39 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package manifest
+
+import (
+	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
+	"github.com/spf13/cobra"
+)
+
+func Command() *cobra.Command {
+	cmd := &cobra.Command{
+		Annotations:   map[string]string{helpers.Category: helpers.Management},
+		Use:           "manifest",
+		Short:         "Manage image manifests and manifest lists.",
+		RunE:          helpers.UnknownSubcommandAction,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+
+	cmd.AddCommand(
+		InspectCommand(),
+	)
+
+	return cmd
+}

cmd/nerdctl/manifest/manifest_inspect.go

@@ -0,0 +1,91 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package manifest
+
+import (
+	"github.com/containerd/log"
+	"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion"
+	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
+	"github.com/containerd/nerdctl/v2/pkg/api/types"
+	"github.com/containerd/nerdctl/v2/pkg/clientutil"
+	"github.com/containerd/nerdctl/v2/pkg/cmd/manifest"
+	"github.com/containerd/nerdctl/v2/pkg/formatter"
+	"github.com/spf13/cobra"
+)
+
+func InspectCommand() *cobra.Command {
+	var cmd = &cobra.Command{
+		Use:               "inspect [OPTIONS] [MANIFEST_LIST] MANIFEST",
+		Short:             "Display the contents of a manifest list or manifest",
+		Args:              cobra.MinimumNArgs(1),
+		RunE:              inspectAction,
+		ValidArgsFunction: inspectShellComplete,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
+	}
+	cmd.Flags().BoolP("insecure", "i", false, "Allow insecure TLS connections to the registry")
+	cmd.Flags().BoolP("verbose", "v", false, "Verbose output additional info including layers and platform")
+	return cmd
+}
+
+func processInspectFlags(cmd *cobra.Command) (types.ManifestInspectOptions, error) {
+	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
+	if err != nil {
+		return types.ManifestInspectOptions{}, err
+	}
+	insecure, err := cmd.Flags().GetBool("insecure")
+	if err != nil {
+		return types.ManifestInspectOptions{}, err
+	}
+	verbose, err := cmd.Flags().GetBool("verbose")
+	if err != nil {
+		return types.ManifestInspectOptions{}, err
+	}
+	return types.ManifestInspectOptions{
+		Stdout:   cmd.OutOrStdout(),
+		GOptions: globalOptions,
+		Insecure: insecure,
+		Verbose:  verbose,
+	}, nil
+}
+
+func inspectAction(cmd *cobra.Command, args []string) error {
+	inspectOptions, err := processInspectFlags(cmd)
+	if err != nil {
+		return err
+	}
+	rawRef := args[0]
+
+	client, ctx, cancel, err := clientutil.NewClient(cmd.Context(), inspectOptions.GOptions.Namespace, inspectOptions.GOptions.Address)
+	if err != nil {
+		return err
+	}
+	defer cancel()
+
+	res, err := manifest.Inspect(ctx, client, rawRef, inspectOptions)
+	if err != nil {
+		return err
+	}
+	if formatErr := formatter.FormatSlice("", inspectOptions.Stdout, res); formatErr != nil {
+		log.G(ctx).Error(formatErr)
+	}
+	return nil
+}
+
+func inspectShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return completion.ImageNames(cmd)
+}

pkg/api/types/manifest_types.go

@@ -0,0 +1,27 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package types
+
+import "io"
+
+// ManifestInspectOptions specifies options for `nerdctl manifest inspect`.
+type ManifestInspectOptions struct {
+	Stdout   io.Writer
+	GOptions GlobalCommandOptions
+	// Insecure allows insecure TLS connections to the registry.
+	Insecure bool
+}

pkg/cmd/image/inspect.go

@@ -31,11 +31,12 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/containerdutil"
 	"github.com/containerd/nerdctl/v2/pkg/imageinspector"
+	"github.com/containerd/nerdctl/v2/pkg/imgutil"
 	"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat"
 	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 )
 
-func inspectIdentifier(ctx context.Context, client *containerd.Client, identifier string) ([]images.Image, string, string, error) {
+func InspectIdentifier(ctx context.Context, client *containerd.Client, identifier string) ([]images.Image, string, string, error) {
 	// Figure out what we have here - digest, tag, name
 	parsedReference, err := referenceutil.Parse(identifier)
 	if err != nil {
@@ -71,14 +72,20 @@ func inspectIdentifier(ctx context.Context, client *containerd.Client, identifie
 			digest = imageList[0].Target.Digest.String()
 		}
 	}
-
 	// At this point, we DO have a digest (or short id), so, that is what we are retrieving
 	filters = []string{fmt.Sprintf("target.digest~=^%s$", digest)}
 	imageList, err = client.ImageService().List(ctx, filters...)
 	if err != nil {
 		return nil, "", "", fmt.Errorf("containerd image service failed: %w", err)
 	}
 
+	// We do have a manifest digest, so we need to find the image that contains it
+	if len(imageList) == 0 && digest != "" {
+		img, err := imgutil.FindImageByManifestDigest(ctx, client, digest)
+		if err == nil && img != nil {
+			imageList = append(imageList, *img)
+		}
+	}
 	// TODO: docker does allow retrieving images by Id, so implement as a last ditch effort (probably look-up the store)
 
 	// Return the list we found, along with normalized name and tag
@@ -98,7 +105,7 @@ func Inspect(ctx context.Context, client *containerd.Client, identifiers []strin
 	snapshotter := containerdutil.SnapshotService(client, options.GOptions.Snapshotter)
 	// We have to query per provided identifier, as we need to post-process results for the case name + digest
 	for _, identifier := range identifiers {
-		candidateImageList, requestedName, requestedTag, err := inspectIdentifier(ctx, client, identifier)
+		candidateImageList, requestedName, requestedTag, err := InspectIdentifier(ctx, client, identifier)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("%w: %s", err, identifier))
 			continue

pkg/cmd/manifest/inspect.go

@@ -0,0 +1,92 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package manifest
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	containerd "github.com/containerd/containerd/v2/client"
+	"github.com/containerd/nerdctl/v2/pkg/api/types"
+	imageinspect "github.com/containerd/nerdctl/v2/pkg/cmd/image"
+	"github.com/containerd/nerdctl/v2/pkg/containerdutil"
+	"github.com/containerd/nerdctl/v2/pkg/inspecttypes/native"
+	"github.com/containerd/nerdctl/v2/pkg/manifestinspector"
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
+)
+
+func Inspect(ctx context.Context, client *containerd.Client, rawRef string, options types.ManifestInspectOptions) ([]any, error) {
+	manifest, err := getManifest(ctx, client, rawRef, options)
+	if err != nil {
+		return nil, err
+	}
+	return manifest, nil
+}
+
+func getManifest(ctx context.Context, client *containerd.Client, rawRef string, options types.ManifestInspectOptions) ([]any, error) {
+	var errs []error
+	var entries []interface{}
+	snapshotter := containerdutil.SnapshotService(client, options.GOptions.Snapshotter)
+
+	candidateImageList, _, _, err := imageinspect.InspectIdentifier(ctx, client, rawRef)
+	if err != nil {
+		errs = append(errs, fmt.Errorf("%w: %s", err, rawRef))
+		return nil, err
+	}
+	for _, candidateImage := range candidateImageList {
+		entry, err := manifestinspector.Inspect(ctx, client, rawRef, candidateImage, snapshotter)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("%w: %s", err, candidateImage.Name))
+			continue
+		}
+		entry = filterEntries(entry, rawRef)
+		if entry.Index != nil {
+			entries = append(entries, entry.Index)
+		} else {
+			entries = append(entries, entry.Manifest)
+		}
+	}
+	if len(errs) > 0 {
+		return []any{}, fmt.Errorf("%d errors:\n%w", len(errs), errors.Join(errs...))
+	}
+
+	if len(entries) == 0 {
+		return []any{}, fmt.Errorf("no manifest found for %s", rawRef)
+	}
+
+	return entries, nil
+}
+
+func filterEntries(entries *native.Manifest, rawRef string) *native.Manifest {
+	parsedReference, err := referenceutil.Parse(rawRef)
+	if err != nil {
+		return nil
+	}
+	digest := ""
+	if parsedReference.Digest != "" {
+		digest = parsedReference.Digest.String()
+	}
+	if digest == "" {
+		return entries
+	}
+	if entries.Index != nil && digest != entries.IndexDesc.Digest.String() {
+		entries.Index = nil
+		entries.IndexDesc = nil
+	}
+	return entries
+}

pkg/imageinspector/imageinspector.go

@@ -49,7 +49,6 @@ func Inspect(ctx context.Context, client *containerd.Client, image images.Image,
 		n.ManifestDesc = maniDesc
 		n.Manifest = mani
 	}
-
 	imageConfig, imageConfigDesc, err := imgutil.ReadImageConfig(ctx, img)
 	if err != nil {
 		log.G(ctx).WithError(err).WithField("id", image.Name).Warnf("failed to inspect image config")

pkg/imgutil/imgutil.go

@@ -39,6 +39,7 @@ import (
 	"github.com/containerd/platforms"
 
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
+	"github.com/containerd/nerdctl/v2/pkg/containerdutil"
 	"github.com/containerd/nerdctl/v2/pkg/errutil"
 	"github.com/containerd/nerdctl/v2/pkg/healthcheck"
 	"github.com/containerd/nerdctl/v2/pkg/idutil/imagewalker"
@@ -498,3 +499,37 @@ func addHealthCheckToImageConfig(rawConfigContent []byte, config *ocispec.ImageC
 	}
 	return nil
 }
+
+func FindImageByManifestDigest(
+	ctx context.Context,
+	client *containerd.Client,
+	targetDigest string,
+) (*images.Image, error) {
+	imageList, err := client.ImageService().List(ctx)
+	if err != nil {
+		return nil, err
+	}
+	provider := containerdutil.NewProvider(client)
+	for _, img := range imageList {
+		desc := img.Target
+		if images.IsIndexType(desc.MediaType) {
+			indexData, err := containerdutil.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				continue
+			}
+			var index ocispec.Index
+			if err := json.Unmarshal(indexData, &index); err != nil {
+				continue
+			}
+			for _, mani := range index.Manifests {
+				if mani.Digest.String() == targetDigest {
+					return &img, nil
+				}
+			}
+		}
+		if images.IsManifestType(desc.MediaType) && desc.Digest.String() == targetDigest {
+			return &img, nil
+		}
+	}
+	return nil, fmt.Errorf("no image found for manifest digest %s", targetDigest)
+}