Merge pull request #2713 from stgraber/main

Author: tych0

client/oci_images.go

@@ -3,6 +3,7 @@ package incus
 import (
 	"compress/gzip"
 	"context"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -30,6 +31,7 @@ type ociInfo struct {
 	Digest       string    `json:"Digest"`
 	Created      time.Time `json:"Created"`
 	Architecture string    `json:"Architecture"`
+	Layers       []string  `json:"Layers"`
 	LayersData   []struct {
 		Size int64 `json:"Size"`
 	} `json:"LayersData"`
@@ -417,7 +419,7 @@ func (r *ProtocolOCI) GetImageAlias(name string) (*api.ImageAliasesEntry, string
 	}
 
 	info.Alias = name
-	info.Digest = strings.Replace(info.Digest, "sha256:", "", 1)
+	info.Digest = r.computeFingerprint(info.Layers)
 
 	archID, err := osarch.ArchitectureID(info.Architecture)
 	if err != nil {
@@ -478,3 +480,13 @@ func (r *ProtocolOCI) GetImageAliasArchitectures(imageType string, name string)
 func (r *ProtocolOCI) ExportImage(_ string, _ api.ImageExportPost) (Operation, error) {
 	return nil, errors.New("Exporting images is not supported with OCI registry")
 }
+
+func (r *ProtocolOCI) computeFingerprint(layers []string) string {
+	h := sha256.New()
+
+	for _, layer := range layers {
+		h.Write([]byte(layer))
+	}
+
+	return fmt.Sprintf("%x", h.Sum(nil))
+}

cmd/incusd/instance_console.go

@@ -719,11 +719,16 @@ func instanceConsoleLogGet(d *Daemon, r *http.Request) response.Response {
 
 		var headers map[string]string
 		if consoleLogType == "vga" {
-			screenshotFile, err := os.CreateTemp(v.Path(), "screenshot-*.png")
+			screenshotFile, err := os.Create(fmt.Sprintf("/tmp/incus_screenshot_%d", inst.ID()))
 			if err != nil {
 				return response.SmartError(fmt.Errorf("Couldn't create screenshot file: %w", err))
 			}
 
+			err = screenshotFile.Chmod(0o600)
+			if err != nil {
+				return response.SmartError(err)
+			}
+
 			ent.Cleanup = func() {
 				_ = screenshotFile.Close()
 				_ = os.Remove(screenshotFile.Name())

internal/server/apparmor/instance.go

@@ -25,6 +25,7 @@ import (
 type instance interface {
 	Project() api.Project
 	Name() string
+	ID() int
 	ExpandedConfig() map[string]string
 	Type() instancetype.Type
 	LogPath() string
@@ -271,6 +272,7 @@ func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (stri
 			"libraryPath":    strings.Split(os.Getenv("LD_LIBRARY_PATH"), ":"),
 			"logPath":        inst.LogPath(),
 			"runPath":        inst.RunPath(),
+			"id":             inst.ID(),
 			"name":           InstanceProfileName(inst),
 			"path":           path,
 			"raw":            rawContent,

internal/server/apparmor/instance_qemu.profile.go

@@ -72,6 +72,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   {{ .runPath }}/** rwk,
   {{ .path }}/** rwk,
   {{ .devicesPath }}/** rwk,
+  /tmp/incus_screenshot_{{ .id }} rwk,
 
   # Needed for the fork sub-commands
   {{ .exePath }} mr,

internal/server/device/pci/pci.go

@@ -108,8 +108,14 @@ func DeviceDriverOverride(pciDev Device, driverOverride string) error {
 	reverter := revert.New()
 	defer reverter.Fail()
 
+	// Check if already bound to the target driver.
+	_, err := os.Stat(filepath.Join("/sys/bus/pci/drivers", driverOverride, pciDev.SlotName))
+	if err == nil {
+		return nil
+	}
+
 	// Unbind the device from the host (ignore if not bound).
-	err := DeviceUnbind(pciDev)
+	err = DeviceUnbind(pciDev)
 	if err != nil && errors.Is(err, fs.ErrNotExist) {
 		return err
 	}

internal/server/network/acl/driver_common.go

@@ -682,9 +682,13 @@ func (d *common) Update(config *api.NetworkACLPut, clientType request.ClientType
 			return err
 		}
 
-		err = FirewallApplyACLRules(d.state, d.logger, d.projectName, aclNet)
-		if err != nil {
-			return err
+		// Only trigger application on related bridged networks that directly use the ACL.
+		networkACLs := util.SplitNTrimSpace(aclNet.Config["security.acls"], ",", -1, true)
+		if slices.Contains(networkACLs, d.info.Name) {
+			err = FirewallApplyACLRules(d.state, d.logger, d.projectName, aclNet)
+			if err != nil {
+				return err
+			}
 		}
 	}
 

internal/server/operations/util.go

@@ -58,7 +58,9 @@ func SetProgressMetadata(metadata map[string]any, stage, displayPrefix string, p
 		}
 	} else if processed > 0 {
 		metadata[stage+"_progress"] = fmt.Sprintf("%s: %s (%s/s)", displayPrefix, units.GetByteSizeString(processed, 2), units.GetByteSizeString(speed, 2))
-	} else {
+	} else if speed > 0 {
 		metadata[stage+"_progress"] = fmt.Sprintf("%s: %s/s", displayPrefix, units.GetByteSizeString(speed, 2))
+	} else {
+		metadata[stage+"_progress"] = displayPrefix
 	}
 }

shared/archive/archive.go

@@ -187,6 +187,11 @@ func Unpack(file string, path string, blockBackend bool, maxMemory int64, tracke
 			allowedCmds = append(allowedCmds, unpacker[0])
 		}
 	} else if strings.HasPrefix(extension, ".squashfs") {
+		// Progress tracking with squashfs doesn't work as it needs to seek the file.
+		if tracker.Handler != nil {
+			tracker.Handler(0, 0)
+		}
+
 		// unsquashfs does not support reading from stdin,
 		// so ProgressTracker is not possible.
 		command = "unsquashfs"

shared/ioprogress/tracker.go

@@ -62,6 +62,11 @@ func (pt *ProgressTracker) update(n int) {
 	if pt.Length > 0 {
 		pt.percentage = percentage
 		progressInt = min(int64(1+int(percentage)), 100)
+
+		// Cap maximum download speed to file size.
+		if speedInt > pt.Length {
+			speedInt = pt.Length
+		}
 	} else {
 		progressInt = pt.total