Validate OCI configs before unpacking.

rgarcia · rgarcia · commit 756540b3b70c · 2026-03-28T17:01:50.000-04:00
Detect malformed image configs before calling umoci so recovered builds fail cleanly without relying on panic recovery for the captured diff_ids mismatch case.

Made-with: Cursor
diff --git a/lib/images/manager.go b/lib/images/manager.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"runtime/debug"
 	"sort"
 	"strings"
 	"sync"
@@ -239,13 +238,6 @@ func (m *manager) buildImage(ctx context.Context, ref *ResolvedRef) {
 	buildDir := m.paths.SystemBuild(ref.String())
 	tempDir := filepath.Join(buildDir, "rootfs")
 
-	defer func() {
-		if r := recover(); r != nil {
-			m.updateStatusByDigest(ref, StatusFailed, fmt.Errorf("panic while building image %s: %v\n%s", ref.String(), r, debug.Stack()))
-			m.recordBuildMetrics(ctx, buildStart, "failed")
-		}
-	}()
-
 	if err := os.MkdirAll(buildDir, 0755); err != nil {
 		m.updateStatusByDigest(ref, StatusFailed, fmt.Errorf("create build dir: %w", err))
 		m.recordBuildMetrics(ctx, buildStart, "failed")
diff --git a/lib/images/oci.go b/lib/images/oci.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"runtime"
-	"runtime/debug"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -318,6 +317,14 @@ func (c *ociClient) unpackLayers(ctx context.Context, layoutTag, targetDir strin
 		return fmt.Errorf("get manifest: %w", err)
 	}
 
+	configFile, err := img.ConfigFile()
+	if err != nil {
+		return fmt.Errorf("get config file: %w", err)
+	}
+	if err := validateConfigFileForUnpack(layoutTag, gcrManifest, configFile); err != nil {
+		return err
+	}
+
 	// Convert go-containerregistry manifest to OCI v1.Manifest for umoci
 	ociManifest := convertToOCIManifest(gcrManifest)
 
@@ -352,26 +359,36 @@ func (c *ociClient) unpackLayers(ctx context.Context, layoutTag, targetDir strin
 		},
 	}
 
-	var panicErr error
-	func() {
-		defer func() {
-			if r := recover(); r != nil {
-				panicErr = fmt.Errorf("panic in unpack rootfs for %s: %v\n%s", layoutTag, r, debug.Stack())
-			}
-		}()
-
-		err = layer.UnpackRootfs(ctx, casEngine, targetDir, ociManifest, unpackOpts)
-	}()
-	if panicErr != nil {
-		return panicErr
-	}
+	err = layer.UnpackRootfs(ctx, casEngine, targetDir, ociManifest, unpackOpts)
 	if err != nil {
 		return fmt.Errorf("unpack rootfs: %w", err)
 	}
 
 	return nil
 }
 
+func validateConfigFileForUnpack(layoutTag string, manifest *gcr.Manifest, configFile *gcr.ConfigFile) error {
+	if convertToOCIMediaType(string(manifest.Config.MediaType)) != v1.MediaTypeImageConfig {
+		return fmt.Errorf(
+			"unpack rootfs: config blob is not correct mediatype %s: %s",
+			v1.MediaTypeImageConfig,
+			manifest.Config.MediaType,
+		)
+	}
+	if configFile.RootFS.Type != "layers" {
+		return fmt.Errorf("unpack rootfs: config: unsupported rootfs.type: %s", configFile.RootFS.Type)
+	}
+	if len(configFile.RootFS.DiffIDs) != len(manifest.Layers) {
+		return fmt.Errorf(
+			"unpack rootfs: config rootfs.diff_ids has %d entries but manifest has %d layers for %s",
+			len(configFile.RootFS.DiffIDs),
+			len(manifest.Layers),
+			layoutTag,
+		)
+	}
+	return nil
+}
+
 // convertToOCIManifest converts a go-containerregistry manifest to OCI v1.Manifest
 // This allows us to use go-containerregistry (which handles both Docker v2 and OCI v1)
 // for manifest parsing, while still using umoci for layer unpacking.
diff --git a/lib/images/recovery_regression_test.go b/lib/images/recovery_regression_test.go
@@ -32,7 +32,7 @@ func TestUnpackLayersCapturedFixtureReturnsErrorInsteadOfPanicking(t *testing.T)
 	})
 
 	require.Error(t, unpackErr)
-	assert.Contains(t, unpackErr.Error(), "panic in unpack rootfs")
+	assert.Contains(t, unpackErr.Error(), "config rootfs.diff_ids has 0 entries but manifest has 1 layers")
 }
 
 func TestRecoverInterruptedBuildsCapturedFixtureMarksBuildFailed(t *testing.T) {
@@ -64,7 +64,7 @@ func TestRecoverInterruptedBuildsCapturedFixtureMarksBuildFailed(t *testing.T) {
 	require.NotNil(t, meta.Error)
 	assert.Equal(t, recoveryFixtureDigest, meta.Digest)
 	assert.Equal(t, StatusFailed, meta.Status)
-	assert.Contains(t, *meta.Error, "panic in unpack rootfs")
+	assert.Contains(t, *meta.Error, "config rootfs.diff_ids has 0 entries but manifest has 1 layers")
 }
 
 func copyRecoveryFixture(t *testing.T) string {

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func TestUnpackLayersCapturedFixtureReturnsErrorInsteadOfPanicking(t *testing.T)`
`32`	`32`	`})`
`33`	`33`
`34`	`34`	`require.Error(t, unpackErr)`
`35`		`- assert.Contains(t, unpackErr.Error(), "panic in unpack rootfs")`
	`35`	`+ assert.Contains(t, unpackErr.Error(), "config rootfs.diff_ids has 0 entries but manifest has 1 layers")`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`func TestRecoverInterruptedBuildsCapturedFixtureMarksBuildFailed(t *testing.T) {`
`@@ -64,7 +64,7 @@ func TestRecoverInterruptedBuildsCapturedFixtureMarksBuildFailed(t *testing.T) {`
`64`	`64`	`require.NotNil(t, meta.Error)`
`65`	`65`	`assert.Equal(t, recoveryFixtureDigest, meta.Digest)`
`66`	`66`	`assert.Equal(t, StatusFailed, meta.Status)`
`67`		`- assert.Contains(t, *meta.Error, "panic in unpack rootfs")`
	`67`	`+ assert.Contains(t, *meta.Error, "config rootfs.diff_ids has 0 entries but manifest has 1 layers")`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`func copyRecoveryFixture(t *testing.T) string {`