docker/install: Fix latest image install on lima

`latest` is not a valid git tag or revision to get the matching systemd
unit files.
Look up the exact source git commit from the
`'org.opencontainers.image.revision` image config label.

Signed-off-by: Paweł Gronowski <[email protected]>

Author: vvoland

__tests__/docker/install.test.itg.ts

@@ -43,6 +43,7 @@ aarch64:https://cloud.debian.org/images/cloud/bookworm/20231013-1532/debian-12-g
   test.each([
     {type: 'image', tag: '27.3.1'} as InstallSourceImage,
     {type: 'image', tag: 'master'} as InstallSourceImage,
+    {type: 'image', tag: 'latest'} as InstallSourceImage,
     {type: 'archive', version: 'v26.1.4', channel: 'stable'} as InstallSourceArchive,
     {type: 'archive', version: 'latest', channel: 'stable'} as InstallSourceArchive,
   ])(

src/docker/assets.ts

@@ -237,12 +237,10 @@ provision:
 
       HOME=/tmp undock moby/moby-bin:{{srcImageTag}} /usr/local/bin
 
-      wget https://raw.githubusercontent.com/moby/moby/{{srcImageTag}}/contrib/init/systemd/docker.service \
-        https://raw.githubusercontent.com/moby/moby/v{{srcImageTag}}/contrib/init/systemd/docker.service \
-        -O /etc/systemd/system/docker.service || true
-      wget https://raw.githubusercontent.com/moby/moby/{{srcImageTag}}/contrib/init/systemd/docker.socket \
-        https://raw.githubusercontent.com/moby/moby/v{{srcImageTag}}/contrib/init/systemd/docker.socket \
-        -O /etc/systemd/system/docker.socket || true
+      wget https://raw.githubusercontent.com/moby/moby/{{gitCommit}}/contrib/init/systemd/docker.service \
+        -O /etc/systemd/system/docker.service
+      wget https://raw.githubusercontent.com/moby/moby/{{gitCommit}}/contrib/init/systemd/docker.socket \
+        -O /etc/systemd/system/docker.socket
 
       sed -i 's|^ExecStart=.*|ExecStart=/usr/local/bin/dockerd -H fd://|' /etc/systemd/system/docker.service
       sed -i 's|containerd.service||' /etc/systemd/system/docker.service

src/docker/install.ts

@@ -34,6 +34,11 @@ import {Util} from '../util';
 import {limaYamlData, dockerServiceLogsPs1, setupDockerWinPs1} from './assets';
 import {GitHubRelease} from '../types/github';
 import {HubRepository} from '../hubRepository';
+import {Index} from '../types/oci';
+import {MEDIATYPE_IMAGE_INDEX_V1} from '../types/oci/mediatype';
+import {MEDIATYPE_IMAGE_MANIFEST_LIST_V2} from '../types/docker/mediatype';
+import {Manifest} from '../types/oci/manifest';
+import {ImageConfig} from '../types/oci/config';
 
 export interface InstallSourceImage {
   type: 'image';
@@ -71,6 +76,8 @@ export class Install {
   private _version: string | undefined;
   private _toolDir: string | undefined;
 
+  private gitCommit: string | undefined;
+
   private readonly limaInstanceName = 'docker-actions-toolkit';
 
   constructor(opts: InstallOpts) {
@@ -127,12 +134,24 @@ export class Install {
         const cli = await HubRepository.build('dockereng/cli-bin');
         extractFolder = await cli.extractImage(tag);
 
+        const moby = await HubRepository.build('moby/moby-bin');
         if (['win32', 'linux'].includes(platform)) {
           core.info(`Downloading dockerd from moby/moby-bin:${tag}`);
-          const moby = await HubRepository.build('moby/moby-bin');
           await moby.extractImage(tag, extractFolder);
         } else if (platform == 'darwin') {
-          // On macOS, the docker daemon binary will be downloaded inside the lima VM
+          // On macOS, the docker daemon binary will be downloaded inside the lima VM.
+          // However, we will get the exact git revision from the image config
+          // to get the matching systemd unit files.
+          const manifest = await moby.getPlatformManifest(tag);
+          const config = await moby.getConfig<ImageConfig>(manifest.config.digest);
+
+          core.info(`Docker image config labels: ${JSON.stringify(config.Labels, null, 2)}`);
+          this.gitCommit = config.Labels?.['org.opencontainers.image.revision'];
+          if (!this.gitCommit) {
+            core.warning(`No git revision can be determined from the image. Will use master.`);
+            this.gitCommit = 'master';
+          }
+          core.info(`Git revision is ${this.gitCommit}`);
         } else {
           core.warning(`dockerd not supported on ${platform}, only the Docker cli will be available`);
         }
@@ -193,6 +212,9 @@ export class Install {
   }
 
   private async installDarwin(): Promise<string> {
+    if (!this.gitCommit) {
+      throw new Error('gitCommit must be set. Run download first.');
+    }
     const src = this.source;
     const limaDir = path.join(os.homedir(), '.lima', this.limaInstanceName);
     await io.mkdirP(limaDir);
@@ -229,6 +251,7 @@ export class Install {
         customImages: Install.limaCustomImages(),
         daemonConfig: limaDaemonConfig,
         dockerSock: `${limaDir}/docker.sock`,
+        gitCommit: this.gitCommit,
         srcType: src.type,
         srcArchiveVersion: this._version, // Use the resolved version (e.g. latest -> 27.4.0)
         srcArchiveChannel: srcArchive.channel,

src/hubRepository.ts

@@ -21,8 +21,8 @@ import * as core from '@actions/core';
 import {Manifest} from './types/oci/manifest';
 import * as tc from '@actions/tool-cache';
 import fs from 'fs';
-import {MEDIATYPE_IMAGE_INDEX_V1, MEDIATYPE_IMAGE_MANIFEST_V1} from './types/oci/mediatype';
-import {MEDIATYPE_IMAGE_MANIFEST_V2, MEDIATYPE_IMAGE_MANIFEST_LIST_V2} from './types/docker/mediatype';
+import {MEDIATYPE_IMAGE_CONFIG_V1, MEDIATYPE_IMAGE_INDEX_V1, MEDIATYPE_IMAGE_MANIFEST_V1} from './types/oci/mediatype';
+import {MEDIATYPE_IMAGE_MANIFEST_V2, MEDIATYPE_IMAGE_MANIFEST_LIST_V2, MEDIATYPE_IMAGE_CONFIG_V1 as DOCKER_MEDIATYPE_IMAGE_CONFIG_V1} from './types/docker/mediatype';
 import {DockerHub} from './dockerhub';
 
 export class HubRepository {
@@ -40,15 +40,19 @@ export class HubRepository {
     return new HubRepository(repository, token);
   }
 
-  // Unpacks the image layers and returns the path to the extracted image.
-  // Only OCI indexes/manifest list are supported for now.
-  public async extractImage(tag: string, destDir?: string): Promise<string> {
-    const index = await this.getManifest<Index>(tag);
+  public async getPlatformManifest(tagOrDigest: string): Promise<Manifest> {
+    const index = await this.getManifest<Index>(tagOrDigest);
     if (index.mediaType != MEDIATYPE_IMAGE_INDEX_V1 && index.mediaType != MEDIATYPE_IMAGE_MANIFEST_LIST_V2) {
       throw new Error(`Unsupported image media type: ${index.mediaType}`);
     }
     const digest = HubRepository.getPlatformManifestDigest(index);
-    const manifest = await this.getManifest<Manifest>(digest);
+    return await this.getManifest<Manifest>(digest);
+  }
+
+  // Unpacks the image layers and returns the path to the extracted image.
+  // Only OCI indexes/manifest list are supported for now.
+  public async extractImage(tag: string, destDir?: string): Promise<string> {
+    const manifest = await this.getPlatformManifest(tag);
 
     const paths = manifest.layers.map(async layer => {
       const url = this.blobUrl(layer.digest);
@@ -99,11 +103,19 @@ export class HubRepository {
   }
 
   public async getManifest<T>(tagOrDigest: string): Promise<T> {
-    const url = `https://registry-1.docker.io/v2/${this.repo}/manifests/${tagOrDigest}`;
+    return this.registryGet<T>(tagOrDigest, 'manifests', [MEDIATYPE_IMAGE_INDEX_V1, MEDIATYPE_IMAGE_MANIFEST_LIST_V2, MEDIATYPE_IMAGE_MANIFEST_V1, MEDIATYPE_IMAGE_MANIFEST_V2]);
+  }
+
+  public async getConfig<T>(tagOrDigest: string): Promise<T> {
+    return this.registryGet<T>(tagOrDigest, 'blobs', [MEDIATYPE_IMAGE_CONFIG_V1, DOCKER_MEDIATYPE_IMAGE_CONFIG_V1]);
+  }
+
+  private async registryGet<T>(tagOrDigest: string, endpoint: 'manifests' | 'blobs', accept: Array<string>): Promise<T> {
+    const url = `https://registry-1.docker.io/v2/${this.repo}/${endpoint}/${tagOrDigest}`;
 
     const headers = {
       Authorization: `Bearer ${this.token}`,
-      Accept: [MEDIATYPE_IMAGE_INDEX_V1, MEDIATYPE_IMAGE_MANIFEST_LIST_V2, MEDIATYPE_IMAGE_MANIFEST_V1, MEDIATYPE_IMAGE_MANIFEST_V2].join(', ')
+      Accept: accept.join(', ')
     };
     const resp = await HubRepository.http.get(url, headers);
     const body = await resp.readBody();

src/types/docker/mediatype.ts

@@ -17,3 +17,5 @@
 export const MEDIATYPE_IMAGE_MANIFEST_LIST_V2 = 'application/vnd.docker.distribution.manifest.list.v2+json';
 
 export const MEDIATYPE_IMAGE_MANIFEST_V2 = 'application/vnd.docker.distribution.manifest.v2+json';
+
+export const MEDIATYPE_IMAGE_CONFIG_V1 = 'application/vnd.docker.container.image.v1+json';

src/types/oci/mediatype.ts

@@ -23,3 +23,5 @@ export const MEDIATYPE_IMAGE_INDEX_V1 = 'application/vnd.oci.image.index.v1+json
 export const MEDIATYPE_IMAGE_LAYER_V1 = 'application/vnd.oci.image.layer.v1.tar';
 
 export const MEDIATYPE_EMPTY_JSON_V1 = 'application/vnd.oci.empty.v1+json';
+
+export const MEDIATYPE_IMAGE_CONFIG_V1 = 'application/vnd.oci.image.config.v1+json';