project-copacetic · ashnamehrotra · Jul 3, 2024 · May 22, 2024 · May 22, 2024 · May 22, 2024
@@ -165,6 +165,12 @@
 	// TODO: Add support for custom APK config
 	apkUpdated := am.config.ImageState.Run(llb.Shlex("apk update"), llb.WithProxy(utils.GetProxy()), llb.IgnoreCache).Root()
 
+	// If updating all packages, check for upgrades before proceeding with patch
+	if updates == nil {
+		checkUpgradable := `sh -c "apk list 2>/dev/null | grep -q "upgradable" || exit 1"`
+		apkUpdated = apkUpdated.Run(llb.Shlex(checkUpgradable)).Root()
+	}
+
 	var apkInstalled llb.State
 	var resultManifestBytes []byte
 	var err error

@@ -315,6 +315,9 @@
 		llb.IgnoreCache,
 	).Root()
 
+	checkUpgradable := `sh -c "apt list --upgradable 2>/dev/null | grep -q "upgradable" || exit 1"`
+	aptUpdated = aptUpdated.Run(llb.Shlex(checkUpgradable)).Root()
+
 	// Install all requested update packages without specifying the version. This works around:
 	//  - Reports being slightly out of date, where a newer security revision has displaced the one specified leading to not found errors.
 	//  - Reports not specifying version epochs correct (e.g. bsdutils=2.36.1-8+deb11u1 instead of with epoch as 1:2.36.1-8+dev11u1)
@@ -396,6 +399,11 @@
 								fi
 							done <<< "$(echo "$json_str" | tr -d '{}\n' | tr ',' '\n')"
 
+							if [ -z "$update_packages" ]; then
+								echo "No packages to update"
+								exit 1
+							fi
+
 							mkdir /var/cache/apt/archives
 							cd /var/cache/apt/archives
 							echo "$update_packages" > packages.txt

@@ -34,7 +34,7 @@ func GetPackageManager(osType string, osVersion string, config *buildkit.Config,
 	case "debian", "ubuntu":
 		return &dpkgManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
 	case "cbl-mariner", "centos", "redhat", "rocky", "amazon":
-		return &rpmManager{config: config, workingFolder: workingFolder}, nil
+		return &rpmManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
 	default:
 		return nil, fmt.Errorf("unsupported osType %s specified", osType)
 	}

@@ -46,6 +46,7 @@
 	rpmTools      rpmToolPaths
 	isDistroless  bool
 	packageInfo   map[string]string
+	osVersion     string
 }
 
 type rpmDBType uint
@@ -400,12 +401,27 @@
 	var installCmd string
 	switch {
 	case rm.rpmTools["dnf"] != "":
+		checkUpdateTemplate := `sh -c "%[1]s check-update; if [ $? -ne 0 ]; then echo >> /updates.txt; fi"`
+		if !rm.checkForUpgrades(ctx, rm.rpmTools["dnf"], checkUpdateTemplate) {
+			return nil, nil, fmt.Errorf("no patchable packages found")
+		}
+
 		const dnfInstallTemplate = `sh -c '%[1]s upgrade %[2]s -y && %[1]s clean all'`
 		installCmd = fmt.Sprintf(dnfInstallTemplate, rm.rpmTools["dnf"], pkgs)
 	case rm.rpmTools["yum"] != "":
+		checkUpdateTemplate := `sh -c 'if [ "$(%[1]s -q check-update | wc -l)" -ne 0 ]; then echo >> /updates.txt; fi'`
+		if !rm.checkForUpgrades(ctx, rm.rpmTools["yum"], checkUpdateTemplate) {
+			return nil, nil, fmt.Errorf("no patchable packages found")
+		}
+
 		const yumInstallTemplate = `sh -c '%[1]s upgrade %[2]s -y && %[1]s clean all'`
 		installCmd = fmt.Sprintf(yumInstallTemplate, rm.rpmTools["yum"], pkgs)
 	case rm.rpmTools["microdnf"] != "":
+		checkUpdateTemplate := `sh -c "%[1]s install dnf -y; dnf check-update -y; if [ $? -ne 0 ]; then echo >> /updates.txt; fi;"`
+		if !rm.checkForUpgrades(ctx, rm.rpmTools["microdnf"], checkUpdateTemplate) {
+			return nil, nil, fmt.Errorf("no patchable packages found")
+		}
+
 		const microdnfInstallTemplate = `sh -c '%[1]s update %[2]s && %[1]s clean all'`
 		installCmd = fmt.Sprintf(microdnfInstallTemplate, rm.rpmTools["microdnf"], pkgs)
 	default:
@@ -416,12 +432,12 @@
 
 	// Write results.manifest to host for post-patch validation
 	var resultBytes []byte
-	var err error
 	if updates != nil {
 		const rpmResultsTemplate = `sh -c 'rpm -qa --queryformat "%s" %s > "%s"'`
 		outputResultsCmd := fmt.Sprintf(rpmResultsTemplate, resultQueryFormat, pkgs, resultManifest)
 		resultsWritten := installed.Dir(resultsPath).Run(llb.Shlex(outputResultsCmd)).AddMount(resultsPath, llb.Scratch())
 
+		var err error
 		resultBytes, err = buildkit.ExtractFileFromState(ctx, rm.config.Client, &resultsWritten, resultManifest)
 		if err != nil {
 			return nil, nil, err
@@ -434,6 +450,20 @@
 	return &patchMerge, resultBytes, nil
 }
 
+func (rm *rpmManager) checkForUpgrades(ctx context.Context, toolPath, checkUpdateTemplate string) bool {
+	checkUpdate := fmt.Sprintf(checkUpdateTemplate, toolPath)
+	stateWithCheck := rm.config.ImageState.Run(llb.Shlex(checkUpdate)).Root()
+
+	_, err := buildkit.ExtractFileFromState(ctx, rm.config.Client, &stateWithCheck, "/updates.txt")
+
+	// if error in extracting file, that means updates.txt does not exist and there are no updates.
+	if err != nil {
+		return false
+	}
+
+	return true
+}
+
 func (rm *rpmManager) unpackAndMergeUpdates(ctx context.Context, updates unversioned.UpdatePackages, toolImage string) (*llb.State, []byte, error) {
 	// Spin up a build tooling container to fetch and unpack packages to create patch layer.
 	// Pull family:version -> need to create version to base image map
@@ -449,7 +479,7 @@
 	if updates == nil {
 		jsonPackageData, err := json.Marshal(rm.packageInfo)
 		if err != nil {
-			return nil, nil, fmt.Errorf("unable to marshal dm.packageInfo %w", err)
+			return nil, nil, fmt.Errorf("unable to marshal rm.packageInfo %w", err)
 		}
 
 		busyboxCopied = busyboxCopied.Run(
@@ -463,13 +493,18 @@
 									pkg_name=$(echo "$package" | sed 's/^"\(.*\)"$/\1/')
 
 									pkg_version=$(echo "$version" | sed 's/^"\(.*\)"$/\1/')
-									latest_version=$(yum info $pkg_name 2>/dev/null | grep "Version" | sed -n '$s/Version *: //p')
+									latest_version=$(yum list available $pkg_name 2>/dev/null | grep $pkg_name | tail -n 1 | tr -s ' ' | cut -d ' ' -f 2 | sed 's/\.cm2//')
 
 									if [ "$latest_version" != "$pkg_version" ]; then
 										update_packages="$update_packages $pkg_name"
 									fi
 								done <<< "$(echo "$json_str" | tr -d '{}\n' | tr ',' '\n')"
 
+								if [ -z "$update_packages" ]; then
+									echo "No packages to update"
+									exit 1
+								fi
+
 								echo "$update_packages" > packages.txt
 						`,
 			})).Root()