vendor: update buildkit to 2f99651

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2026-01-14 01:44:12 +08:00 · 2022-02-09 21:53:27 +01:00
parent 60a025b227
commit 307c94e5c7
360 changed files with 13218 additions and 6961 deletions
--- a/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go
@@ -19,6 +19,8 @@ package auth
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -27,7 +29,6 @@ import (
 	"github.com/containerd/containerd/log"
 	remoteserrors "github.com/containerd/containerd/remotes/errors"
 	"github.com/containerd/containerd/version"
-	"github.com/pkg/errors"
 	"golang.org/x/net/context/ctxhttp"
 )

@@ -46,7 +47,7 @@ func GenerateTokenOptions(ctx context.Context, host, username, secret string, c

 	realmURL, err := url.Parse(realm)
 	if err != nil {
-		return TokenOptions{}, errors.Wrap(err, "invalid token auth challenge realm")
+		return TokenOptions{}, fmt.Errorf("invalid token auth challenge realm: %w", err)
 	}

 	to := TokenOptions{
@@ -73,6 +74,15 @@ type TokenOptions struct {
 	Scopes   []string
 	Username string
 	Secret   string
+
+	// FetchRefreshToken enables fetching a refresh token (aka "identity token", "offline token") along with the bearer token.
+	//
+	// For HTTP GET mode (FetchToken), FetchRefreshToken sets `offline_token=true` in the request.
+	// https://docs.docker.com/registry/spec/auth/token/#requesting-a-token
+	//
+	// For HTTP POST mode (FetchTokenWithOAuth), FetchRefreshToken sets `access_type=offline` in the request.
+	// https://docs.docker.com/registry/spec/auth/oauth/#getting-a-token
+	FetchRefreshToken bool
 }

 // OAuthTokenResponse is response from fetching token with a OAuth POST request
@@ -101,6 +111,9 @@ func FetchTokenWithOAuth(ctx context.Context, client *http.Client, headers http.
 		form.Set("username", to.Username)
 		form.Set("password", to.Secret)
 	}
+	if to.FetchRefreshToken {
+		form.Set("access_type", "offline")
+	}

 	req, err := http.NewRequest("POST", to.Realm, strings.NewReader(form.Encode()))
 	if err != nil {
@@ -121,18 +134,18 @@ func FetchTokenWithOAuth(ctx context.Context, client *http.Client, headers http.
 	defer resp.Body.Close()

 	if resp.StatusCode < 200 || resp.StatusCode >= 400 {
-		return nil, errors.WithStack(remoteserrors.NewUnexpectedStatusErr(resp))
+		return nil, remoteserrors.NewUnexpectedStatusErr(resp)
 	}

 	decoder := json.NewDecoder(resp.Body)

 	var tr OAuthTokenResponse
 	if err = decoder.Decode(&tr); err != nil {
-		return nil, errors.Wrap(err, "unable to decode token response")
+		return nil, fmt.Errorf("unable to decode token response: %w", err)
 	}

 	if tr.AccessToken == "" {
-		return nil, errors.WithStack(ErrNoToken)
+		return nil, ErrNoToken
 	}

 	return &tr, nil
@@ -175,6 +188,10 @@ func FetchToken(ctx context.Context, client *http.Client, headers http.Header, t
 		req.SetBasicAuth(to.Username, to.Secret)
 	}

+	if to.FetchRefreshToken {
+		reqParams.Add("offline_token", "true")
+	}
+
 	req.URL.RawQuery = reqParams.Encode()

 	resp, err := ctxhttp.Do(ctx, client, req)
@@ -184,14 +201,14 @@ func FetchToken(ctx context.Context, client *http.Client, headers http.Header, t
 	defer resp.Body.Close()

 	if resp.StatusCode < 200 || resp.StatusCode >= 400 {
-		return nil, errors.WithStack(remoteserrors.NewUnexpectedStatusErr(resp))
+		return nil, remoteserrors.NewUnexpectedStatusErr(resp)
 	}

 	decoder := json.NewDecoder(resp.Body)

 	var tr FetchTokenResponse
 	if err = decoder.Decode(&tr); err != nil {
-		return nil, errors.Wrap(err, "unable to decode token response")
+		return nil, fmt.Errorf("unable to decode token response: %w", err)
 	}

 	// `access_token` is equivalent to `token` and if both are specified
@@ -202,7 +219,7 @@ func FetchToken(ctx context.Context, client *http.Client, headers http.Header, t
 	}

 	if tr.Token == "" {
-		return nil, errors.WithStack(ErrNoToken)
+		return nil, ErrNoToken
 	}

 	return &tr, nil
--- a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
@@ -19,6 +19,7 @@ package docker
 import (
 	"context"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -28,7 +29,6 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/remotes/docker/auth"
 	remoteerrors "github.com/containerd/containerd/remotes/errors"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -37,10 +37,12 @@ type dockerAuthorizer struct {

 	client *http.Client
 	header http.Header
-	mu     sync.Mutex
+	mu     sync.RWMutex

 	// indexed by host name
 	handlers map[string]*authHandler
+
+	onFetchRefreshToken OnFetchRefreshToken
 }

 // NewAuthorizer creates a Docker authorizer using the provided function to
@@ -51,9 +53,10 @@ func NewAuthorizer(client *http.Client, f func(string) (string, string, error))
 }

 type authorizerConfig struct {
-	credentials func(string) (string, string, error)
-	client      *http.Client
-	header      http.Header
+	credentials         func(string) (string, string, error)
+	client              *http.Client
+	header              http.Header
+	onFetchRefreshToken OnFetchRefreshToken
 }

 // AuthorizerOpt configures an authorizer
@@ -80,6 +83,16 @@ func WithAuthHeader(hdr http.Header) AuthorizerOpt {
 	}
 }

+// OnFetchRefreshToken is called on fetching request token.
+type OnFetchRefreshToken func(ctx context.Context, refreshToken string, req *http.Request)
+
+// WithFetchRefreshToken enables fetching "refresh token" (aka "identity token", "offline token").
+func WithFetchRefreshToken(f OnFetchRefreshToken) AuthorizerOpt {
+	return func(opt *authorizerConfig) {
+		opt.onFetchRefreshToken = f
+	}
+}
+
 // NewDockerAuthorizer creates an authorizer using Docker's registry
 // authentication spec.
 // See https://docs.docker.com/registry/spec/auth/
@@ -94,10 +107,11 @@ func NewDockerAuthorizer(opts ...AuthorizerOpt) Authorizer {
 	}

 	return &dockerAuthorizer{
-		credentials: ao.credentials,
-		client:      ao.client,
-		header:      ao.header,
-		handlers:    make(map[string]*authHandler),
+		credentials:         ao.credentials,
+		client:              ao.client,
+		header:              ao.header,
+		handlers:            make(map[string]*authHandler),
+		onFetchRefreshToken: ao.onFetchRefreshToken,
 	}
 }

@@ -109,12 +123,21 @@ func (a *dockerAuthorizer) Authorize(ctx context.Context, req *http.Request) err
 		return nil
 	}

-	auth, err := ah.authorize(ctx)
+	auth, refreshToken, err := ah.authorize(ctx)
 	if err != nil {
 		return err
 	}

 	req.Header.Set("Authorization", auth)
+
+	if refreshToken != "" {
+		a.mu.RLock()
+		onFetchRefreshToken := a.onFetchRefreshToken
+		a.mu.RUnlock()
+		if onFetchRefreshToken != nil {
+			onFetchRefreshToken(ctx, refreshToken, req)
+		}
+	}
 	return nil
 }

@@ -161,6 +184,7 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
 			if err != nil {
 				return err
 			}
+			common.FetchRefreshToken = a.onFetchRefreshToken != nil

 			a.handlers[host] = newAuthHandler(a.client, a.header, c.Scheme, common)
 			return nil
@@ -181,14 +205,15 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
 			}
 		}
 	}
-	return errors.Wrap(errdefs.ErrNotImplemented, "failed to find supported auth scheme")
+	return fmt.Errorf("failed to find supported auth scheme: %w", errdefs.ErrNotImplemented)
 }

 // authResult is used to control limit rate.
 type authResult struct {
 	sync.WaitGroup
-	token string
-	err   error
+	token        string
+	refreshToken string
+	err          error
 }

 // authHandler is used to handle auth request per registry server.
@@ -220,29 +245,29 @@ func newAuthHandler(client *http.Client, hdr http.Header, scheme auth.Authentica
 	}
 }

-func (ah *authHandler) authorize(ctx context.Context) (string, error) {
+func (ah *authHandler) authorize(ctx context.Context) (string, string, error) {
 	switch ah.scheme {
 	case auth.BasicAuth:
 		return ah.doBasicAuth(ctx)
 	case auth.BearerAuth:
 		return ah.doBearerAuth(ctx)
 	default:
-		return "", errors.Wrapf(errdefs.ErrNotImplemented, "failed to find supported auth scheme: %s", string(ah.scheme))
+		return "", "", fmt.Errorf("failed to find supported auth scheme: %s: %w", string(ah.scheme), errdefs.ErrNotImplemented)
 	}
 }

-func (ah *authHandler) doBasicAuth(ctx context.Context) (string, error) {
+func (ah *authHandler) doBasicAuth(ctx context.Context) (string, string, error) {
 	username, secret := ah.common.Username, ah.common.Secret

 	if username == "" || secret == "" {
-		return "", fmt.Errorf("failed to handle basic auth because missing username or secret")
+		return "", "", fmt.Errorf("failed to handle basic auth because missing username or secret")
 	}

 	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + secret))
-	return fmt.Sprintf("Basic %s", auth), nil
+	return fmt.Sprintf("Basic %s", auth), "", nil
 }

-func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err error) {
+func (ah *authHandler) doBearerAuth(ctx context.Context) (token, refreshToken string, err error) {
 	// copy common tokenOptions
 	to := ah.common

@@ -255,7 +280,7 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro
 	if r, exist := ah.scopedTokens[scoped]; exist {
 		ah.Unlock()
 		r.Wait()
-		return r.token, r.err
+		return r.token, r.refreshToken, r.err
 	}

 	// only one fetch token job
@@ -266,14 +291,16 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro

 	defer func() {
 		token = fmt.Sprintf("Bearer %s", token)
-		r.token, r.err = token, err
+		r.token, r.refreshToken, r.err = token, refreshToken, err
 		r.Done()
 	}()

 	// fetch token for the resource scope
 	if to.Secret != "" {
 		defer func() {
-			err = errors.Wrap(err, "failed to fetch oauth token")
+			if err != nil {
+				err = fmt.Errorf("failed to fetch oauth token: %w", err)
+			}
 		}()
 		// credential information is provided, use oauth POST endpoint
 		// TODO: Allow setting client_id
@@ -287,25 +314,25 @@ func (ah *authHandler) doBearerAuth(ctx context.Context) (token string, err erro
 				if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
 					resp, err := auth.FetchToken(ctx, ah.client, ah.header, to)
 					if err != nil {
-						return "", err
+						return "", "", err
 					}
-					return resp.Token, nil
+					return resp.Token, resp.RefreshToken, nil
 				}
 				log.G(ctx).WithFields(logrus.Fields{
 					"status": errStatus.Status,
 					"body":   string(errStatus.Body),
 				}).Debugf("token request failed")
 			}
-			return "", err
+			return "", "", err
 		}
-		return resp.AccessToken, nil
+		return resp.AccessToken, resp.RefreshToken, nil
 	}
 	// do request anonymously
 	resp, err := auth.FetchToken(ctx, ah.client, ah.header, to)
 	if err != nil {
-		return "", errors.Wrap(err, "failed to fetch anonymous token")
+		return "", "", fmt.Errorf("failed to fetch anonymous token: %w", err)
 	}
-	return resp.Token, nil
+	return resp.Token, resp.RefreshToken, nil
 }

 func invalidAuthorization(c auth.Challenge, responses []*http.Response) error {
@@ -319,7 +346,7 @@ func invalidAuthorization(c auth.Challenge, responses []*http.Response) error {
 		return nil
 	}

-	return errors.Wrapf(ErrInvalidAuthorization, "server message: %s", errStr)
+	return fmt.Errorf("server message: %s: %w", errStr, ErrInvalidAuthorization)
 }

 func sameRequest(r1, r2 *http.Request) bool {
--- a/vendor/github.com/containerd/containerd/remotes/docker/converter.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/converter.go
@@ -28,7 +28,6 @@ import (
 	"github.com/containerd/containerd/remotes"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 )

 // LegacyConfigMediaType should be replaced by OCI image spec.
@@ -52,12 +51,12 @@ func ConvertManifest(ctx context.Context, store content.Store, desc ocispec.Desc
 	// read manifest data
 	mb, err := content.ReadBlob(ctx, store, desc)
 	if err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to read index data")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to read index data: %w", err)
 	}

 	var manifest ocispec.Manifest
 	if err := json.Unmarshal(mb, &manifest); err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to unmarshal data into manifest")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to unmarshal data into manifest: %w", err)
 	}

 	// check config media type
@@ -68,7 +67,7 @@ func ConvertManifest(ctx context.Context, store content.Store, desc ocispec.Desc
 	manifest.Config.MediaType = images.MediaTypeDockerSchema2Config
 	data, err := json.MarshalIndent(manifest, "", "   ")
 	if err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to marshal manifest")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to marshal manifest: %w", err)
 	}

 	// update manifest with gc labels
@@ -82,7 +81,7 @@ func ConvertManifest(ctx context.Context, store content.Store, desc ocispec.Desc

 	ref := remotes.MakeRefKey(ctx, desc)
 	if err := content.WriteBlob(ctx, store, ref, bytes.NewReader(data), desc, content.WithLabels(labels)); err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to update content")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to update content: %w", err)
 	}
 	return desc, nil
 }
--- a/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
@@ -19,6 +19,7 @@ package docker
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -29,7 +30,6 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/log"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 )

 type dockerFetcher struct {
@@ -41,7 +41,7 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R

 	hosts := r.filterHosts(HostCapabilityPull)
 	if len(hosts) == 0 {
-		return nil, errors.Wrap(errdefs.ErrNotFound, "no pull hosts")
+		return nil, fmt.Errorf("no pull hosts: %w", errdefs.ErrNotFound)
 	}

 	ctx, err := ContextWithRepositoryScope(ctx, r.refspec, false)
@@ -141,9 +141,9 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
 		}

 		if errdefs.IsNotFound(firstErr) {
-			firstErr = errors.Wrapf(errdefs.ErrNotFound,
-				"could not fetch content descriptor %v (%v) from remote",
-				desc.Digest, desc.MediaType)
+			firstErr = fmt.Errorf("could not fetch content descriptor %v (%v) from remote: %w",
+				desc.Digest, desc.MediaType, errdefs.ErrNotFound,
+			)
 		}

 		return nil, firstErr
@@ -178,19 +178,19 @@ func (r dockerFetcher) open(ctx context.Context, req *request, mediatype string,
 		// implementation.

 		if resp.StatusCode == http.StatusNotFound {
-			return nil, errors.Wrapf(errdefs.ErrNotFound, "content at %v not found", req.String())
+			return nil, fmt.Errorf("content at %v not found: %w", req.String(), errdefs.ErrNotFound)
 		}
 		var registryErr Errors
 		if err := json.NewDecoder(resp.Body).Decode(&registryErr); err != nil || registryErr.Len() < 1 {
-			return nil, errors.Errorf("unexpected status code %v: %v", req.String(), resp.Status)
+			return nil, fmt.Errorf("unexpected status code %v: %v", req.String(), resp.Status)
 		}
-		return nil, errors.Errorf("unexpected status code %v: %s - Server message: %s", req.String(), resp.Status, registryErr.Error())
+		return nil, fmt.Errorf("unexpected status code %v: %s - Server message: %s", req.String(), resp.Status, registryErr.Error())
 	}
 	if offset > 0 {
 		cr := resp.Header.Get("content-range")
 		if cr != "" {
 			if !strings.HasPrefix(cr, fmt.Sprintf("bytes %d-", offset)) {
-				return nil, errors.Errorf("unhandled content range in response: %v", cr)
+				return nil, fmt.Errorf("unhandled content range in response: %v", cr)

 			}
 		} else {
@@ -202,10 +202,10 @@ func (r dockerFetcher) open(ctx context.Context, req *request, mediatype string,
 			// Could use buffer pool here but this case should be rare
 			n, err := io.Copy(io.Discard, io.LimitReader(resp.Body, offset))
 			if err != nil {
-				return nil, errors.Wrap(err, "failed to discard to offset")
+				return nil, fmt.Errorf("failed to discard to offset: %w", err)
 			}
 			if n != offset {
-				return nil, errors.Errorf("unable to discard to offset")
+				return nil, errors.New("unable to discard to offset")
 			}

 		}
--- a/vendor/github.com/containerd/containerd/remotes/docker/httpreadseeker.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/httpreadseeker.go
@@ -18,11 +18,11 @@ package docker

 import (
 	"bytes"
+	"fmt"
 	"io"

 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/log"
-	"github.com/pkg/errors"
 )

 const maxRetry = 3
@@ -69,7 +69,7 @@ func (hrs *httpReadSeeker) Read(p []byte) (n int, err error) {
 		}
 		if hrs.rc != nil {
 			if clsErr := hrs.rc.Close(); clsErr != nil {
-				log.L.WithError(clsErr).Errorf("httpReadSeeker: failed to close ReadCloser")
+				log.L.WithError(clsErr).Error("httpReadSeeker: failed to close ReadCloser")
 			}
 			hrs.rc = nil
 		}
@@ -94,7 +94,7 @@ func (hrs *httpReadSeeker) Close() error {

 func (hrs *httpReadSeeker) Seek(offset int64, whence int) (int64, error) {
 	if hrs.closed {
-		return 0, errors.Wrap(errdefs.ErrUnavailable, "Fetcher.Seek: closed")
+		return 0, fmt.Errorf("Fetcher.Seek: closed: %w", errdefs.ErrUnavailable)
 	}

 	abs := hrs.offset
@@ -105,21 +105,21 @@ func (hrs *httpReadSeeker) Seek(offset int64, whence int) (int64, error) {
 		abs += offset
 	case io.SeekEnd:
 		if hrs.size == -1 {
-			return 0, errors.Wrap(errdefs.ErrUnavailable, "Fetcher.Seek: unknown size, cannot seek from end")
+			return 0, fmt.Errorf("Fetcher.Seek: unknown size, cannot seek from end: %w", errdefs.ErrUnavailable)
 		}
 		abs = hrs.size + offset
 	default:
-		return 0, errors.Wrap(errdefs.ErrInvalidArgument, "Fetcher.Seek: invalid whence")
+		return 0, fmt.Errorf("Fetcher.Seek: invalid whence: %w", errdefs.ErrInvalidArgument)
 	}

 	if abs < 0 {
-		return 0, errors.Wrapf(errdefs.ErrInvalidArgument, "Fetcher.Seek: negative offset")
+		return 0, fmt.Errorf("Fetcher.Seek: negative offset: %w", errdefs.ErrInvalidArgument)
 	}

 	if abs != hrs.offset {
 		if hrs.rc != nil {
 			if err := hrs.rc.Close(); err != nil {
-				log.L.WithError(err).Errorf("Fetcher.Seek: failed to close ReadCloser")
+				log.L.WithError(err).Error("Fetcher.Seek: failed to close ReadCloser")
 			}

 			hrs.rc = nil
@@ -140,17 +140,17 @@ func (hrs *httpReadSeeker) reader() (io.Reader, error) {
 		// only try to reopen the body request if we are seeking to a value
 		// less than the actual size.
 		if hrs.open == nil {
-			return nil, errors.Wrapf(errdefs.ErrNotImplemented, "cannot open")
+			return nil, fmt.Errorf("cannot open: %w", errdefs.ErrNotImplemented)
 		}

 		rc, err := hrs.open(hrs.offset)
 		if err != nil {
-			return nil, errors.Wrapf(err, "httpReadSeeker: failed open")
+			return nil, fmt.Errorf("httpReadSeeker: failed open: %w", err)
 		}

 		if hrs.rc != nil {
 			if err := hrs.rc.Close(); err != nil {
-				log.L.WithError(err).Errorf("httpReadSeeker: failed to close ReadCloser")
+				log.L.WithError(err).Error("httpReadSeeker: failed to close ReadCloser")
 			}
 		}
 		hrs.rc = rc
--- a/vendor/github.com/containerd/containerd/remotes/docker/pusher.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/pusher.go
@@ -18,6 +18,8 @@ package docker

 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -32,7 +34,6 @@ import (
 	remoteserrors "github.com/containerd/containerd/remotes/errors"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 )

 type dockerPusher struct {
@@ -55,7 +56,7 @@ func (p dockerPusher) Writer(ctx context.Context, opts ...content.WriterOpt) (co
 		}
 	}
 	if wOpts.Ref == "" {
-		return nil, errors.Wrap(errdefs.ErrInvalidArgument, "ref must not be empty")
+		return nil, fmt.Errorf("ref must not be empty: %w", errdefs.ErrInvalidArgument)
 	}
 	return p.push(ctx, wOpts.Desc, wOpts.Ref, true)
 }
@@ -76,22 +77,22 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
 	status, err := p.tracker.GetStatus(ref)
 	if err == nil {
 		if status.Committed && status.Offset == status.Total {
-			return nil, errors.Wrapf(errdefs.ErrAlreadyExists, "ref %v", ref)
+			return nil, fmt.Errorf("ref %v: %w", ref, errdefs.ErrAlreadyExists)
 		}
 		if unavailableOnFail {
 			// Another push of this ref is happening elsewhere. The rest of function
 			// will continue only when `errdefs.IsNotFound(err) == true` (i.e. there
 			// is no actively-tracked ref already).
-			return nil, errors.Wrap(errdefs.ErrUnavailable, "push is on-going")
+			return nil, fmt.Errorf("push is on-going: %w", errdefs.ErrUnavailable)
 		}
 		// TODO: Handle incomplete status
 	} else if !errdefs.IsNotFound(err) {
-		return nil, errors.Wrap(err, "failed to get status")
+		return nil, fmt.Errorf("failed to get status: %w", err)
 	}

 	hosts := p.filterHosts(HostCapabilityPush)
 	if len(hosts) == 0 {
-		return nil, errors.Wrap(errdefs.ErrNotFound, "no push hosts")
+		return nil, fmt.Errorf("no push hosts: %w", errdefs.ErrNotFound)
 	}

 	var (
@@ -143,7 +144,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
 					},
 				})
 				resp.Body.Close()
-				return nil, errors.Wrapf(errdefs.ErrAlreadyExists, "content %v on remote", desc.Digest)
+				return nil, fmt.Errorf("content %v on remote: %w", desc.Digest, errdefs.ErrAlreadyExists)
 			}
 		} else if resp.StatusCode != http.StatusNotFound {
 			err := remoteserrors.NewUnexpectedStatusErr(resp)
@@ -205,7 +206,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
 					Offset: desc.Size,
 				},
 			})
-			return nil, errors.Wrapf(errdefs.ErrAlreadyExists, "content %v on remote", desc.Digest)
+			return nil, fmt.Errorf("content %v on remote: %w", desc.Digest, errdefs.ErrAlreadyExists)
 		default:
 			err := remoteserrors.NewUnexpectedStatusErr(resp)
 			log.G(ctx).WithField("resp", resp).WithField("body", string(err.(remoteserrors.ErrUnexpectedStatus).Body)).Debug("unexpected response")
@@ -221,7 +222,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
 		if strings.HasPrefix(location, "/") {
 			lurl, err = url.Parse(lhost.Scheme + "://" + lhost.Host + location)
 			if err != nil {
-				return nil, errors.Wrapf(err, "unable to parse location %v", location)
+				return nil, fmt.Errorf("unable to parse location %v: %w", location, err)
 			}
 		} else {
 			if !strings.Contains(location, "://") {
@@ -229,7 +230,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
 			}
 			lurl, err = url.Parse(location)
 			if err != nil {
-				return nil, errors.Wrapf(err, "unable to parse location %v", location)
+				return nil, fmt.Errorf("unable to parse location %v: %w", location, err)
 			}

 			if lurl.Host != lhost.Host || lhost.Scheme != lurl.Scheme {
@@ -374,7 +375,7 @@ func (pw *pushWriter) Digest() digest.Digest {
 func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
 	// Check whether read has already thrown an error
 	if _, err := pw.pipe.Write([]byte{}); err != nil && err != io.ErrClosedPipe {
-		return errors.Wrap(err, "pipe error before commit")
+		return fmt.Errorf("pipe error before commit: %w", err)
 	}

 	if err := pw.pipe.Close(); err != nil {
@@ -397,11 +398,11 @@ func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Di

 	status, err := pw.tracker.GetStatus(pw.ref)
 	if err != nil {
-		return errors.Wrap(err, "failed to get status")
+		return fmt.Errorf("failed to get status: %w", err)
 	}

 	if size > 0 && size != status.Offset {
-		return errors.Errorf("unexpected size %d, expected %d", status.Offset, size)
+		return fmt.Errorf("unexpected size %d, expected %d", status.Offset, size)
 	}

 	if expected == "" {
@@ -410,11 +411,11 @@ func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Di

 	actual, err := digest.Parse(resp.Header.Get("Docker-Content-Digest"))
 	if err != nil {
-		return errors.Wrap(err, "invalid content digest in response")
+		return fmt.Errorf("invalid content digest in response: %w", err)
 	}

 	if actual != expected {
-		return errors.Errorf("got digest %s, expected %s", actual, expected)
+		return fmt.Errorf("got digest %s, expected %s", actual, expected)
 	}

 	status.Committed = true
--- a/vendor/github.com/containerd/containerd/remotes/docker/registry.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/registry.go
@@ -17,10 +17,9 @@
 package docker

 import (
+	"errors"
 	"net"
 	"net/http"
-
-	"github.com/pkg/errors"
 )

 // HostCapabilities represent the capabilities of the registry
--- a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
@@ -18,6 +18,7 @@ package docker

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -34,7 +35,6 @@ import (
 	"github.com/containerd/containerd/version"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context/ctxhttp"
 )
@@ -254,7 +254,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp

 	hosts := base.filterHosts(caps)
 	if len(hosts) == 0 {
-		return "", ocispec.Descriptor{}, errors.Wrap(errdefs.ErrNotFound, "no resolve hosts")
+		return "", ocispec.Descriptor{}, fmt.Errorf("no resolve hosts: %w", errdefs.ErrNotFound)
 	}

 	ctx, err = ContextWithRepositoryScope(ctx, refspec, false)
@@ -279,7 +279,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 			resp, err := req.doWithRetries(ctx, nil)
 			if err != nil {
 				if errors.Is(err, ErrInvalidAuthorization) {
-					err = errors.Wrapf(err, "pull access denied, repository does not exist or may require authorization")
+					err = fmt.Errorf("pull access denied, repository does not exist or may require authorization: %w", err)
 				}
 				// Store the error for referencing later
 				if firstErr == nil {
@@ -298,11 +298,11 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 				if resp.StatusCode > 399 {
 					// Set firstErr when encountering the first non-404 status code.
 					if firstErr == nil {
-						firstErr = errors.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status)
+						firstErr = fmt.Errorf("pulling from host %s failed with status code %v: %v", host.Host, u, resp.Status)
 					}
 					continue // try another host
 				}
-				return "", ocispec.Descriptor{}, errors.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status)
+				return "", ocispec.Descriptor{}, fmt.Errorf("pulling from host %s failed with unexpected status code %v: %v", host.Host, u, resp.Status)
 			}
 			size := resp.ContentLength
 			contentType := getManifestMediaType(resp)
@@ -318,7 +318,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp

 				if dgstHeader != "" && size != -1 {
 					if err := dgstHeader.Validate(); err != nil {
-						return "", ocispec.Descriptor{}, errors.Wrapf(err, "%q in header not a valid digest", dgstHeader)
+						return "", ocispec.Descriptor{}, fmt.Errorf("%q in header not a valid digest: %w", dgstHeader, err)
 					}
 					dgst = dgstHeader
 				}
@@ -366,7 +366,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 			// Prevent resolving to excessively large manifests
 			if size > MaxManifestSize {
 				if firstErr == nil {
-					firstErr = errors.Wrapf(errdefs.ErrNotFound, "rejecting %d byte manifest for %s", size, ref)
+					firstErr = fmt.Errorf("rejecting %d byte manifest for %s: %w", size, ref, errdefs.ErrNotFound)
 				}
 				continue
 			}
@@ -387,7 +387,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 	// means that either no registries were given or each registry returned 404.

 	if firstErr == nil {
-		firstErr = errors.Wrap(errdefs.ErrNotFound, ref)
+		firstErr = fmt.Errorf("%s: %w", ref, errdefs.ErrNotFound)
 	}

 	return "", ocispec.Descriptor{}, firstErr
@@ -547,7 +547,7 @@ func (r *request) do(ctx context.Context) (*http.Response, error) {
 	ctx = log.WithLogger(ctx, log.G(ctx).WithField("url", u))
 	log.G(ctx).WithFields(requestFields(req)).Debug("do request")
 	if err := r.authorize(ctx, req); err != nil {
-		return nil, errors.Wrap(err, "failed to authorize")
+		return nil, fmt.Errorf("failed to authorize: %w", err)
 	}

 	var client = &http.Client{}
@@ -559,13 +559,16 @@ func (r *request) do(ctx context.Context) (*http.Response, error) {
 			if len(via) >= 10 {
 				return errors.New("stopped after 10 redirects")
 			}
-			return errors.Wrap(r.authorize(ctx, req), "failed to authorize redirect")
+			if err := r.authorize(ctx, req); err != nil {
+				return fmt.Errorf("failed to authorize redirect: %w", err)
+			}
+			return nil
 		}
 	}

 	resp, err := ctxhttp.Do(ctx, client, req)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to do request")
+		return nil, fmt.Errorf("failed to do request: %w", err)
 	}
 	log.G(ctx).WithFields(responseFields(resp)).Debug("fetch response received")
 	return resp, nil
--- a/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"strconv"
@@ -28,8 +29,6 @@ import (
 	"sync"
 	"time"

-	"golang.org/x/sync/errgroup"
-
 	"github.com/containerd/containerd/archive/compression"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
@@ -39,7 +38,7 @@ import (
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
 )

 const (
@@ -158,12 +157,12 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De

 	history, diffIDs, err := c.schema1ManifestHistory()
 	if err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "schema 1 conversion failed")
+		return ocispec.Descriptor{}, fmt.Errorf("schema 1 conversion failed: %w", err)
 	}

 	var img ocispec.Image
 	if err := json.Unmarshal([]byte(c.pulledManifest.History[0].V1Compatibility), &img); err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to unmarshal image from schema 1 history")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to unmarshal image from schema 1 history: %w", err)
 	}

 	img.History = history
@@ -174,7 +173,7 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De

 	b, err := json.MarshalIndent(img, "", "   ")
 	if err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to marshal image")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to marshal image: %w", err)
 	}

 	config := ocispec.Descriptor{
@@ -198,7 +197,7 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De

 	mb, err := json.MarshalIndent(manifest, "", "   ")
 	if err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to marshal image")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to marshal image: %w", err)
 	}

 	desc := ocispec.Descriptor{
@@ -215,12 +214,12 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De

 	ref := remotes.MakeRefKey(ctx, desc)
 	if err := content.WriteBlob(ctx, c.contentStore, ref, bytes.NewReader(mb), desc, content.WithLabels(labels)); err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to write image manifest")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to write image manifest: %w", err)
 	}

 	ref = remotes.MakeRefKey(ctx, config)
 	if err := content.WriteBlob(ctx, c.contentStore, ref, bytes.NewReader(b), config); err != nil {
-		return ocispec.Descriptor{}, errors.Wrap(err, "failed to write image config")
+		return ocispec.Descriptor{}, fmt.Errorf("failed to write image config: %w", err)
 	}

 	return desc, nil
@@ -349,7 +348,7 @@ func (c *Converter) fetchBlob(ctx context.Context, desc ocispec.Descriptor) erro
 	if desc.Size == -1 {
 		info, err := c.contentStore.Info(ctx, desc.Digest)
 		if err != nil {
-			return errors.Wrap(err, "failed to get blob info")
+			return fmt.Errorf("failed to get blob info: %w", err)
 		}
 		desc.Size = info.Size
 	}
@@ -370,7 +369,7 @@ func (c *Converter) fetchBlob(ctx context.Context, desc ocispec.Descriptor) erro
 	}

 	if _, err := c.contentStore.Update(ctx, cinfo, "labels.containerd.io/uncompressed", fmt.Sprintf("labels.%s", labelDockerSchema1EmptyLayer)); err != nil {
-		return errors.Wrap(err, "failed to update uncompressed label")
+		return fmt.Errorf("failed to update uncompressed label: %w", err)
 	}

 	c.mu.Lock()
@@ -384,7 +383,7 @@ func (c *Converter) fetchBlob(ctx context.Context, desc ocispec.Descriptor) erro
 func (c *Converter) reuseLabelBlobState(ctx context.Context, desc ocispec.Descriptor) (bool, error) {
 	cinfo, err := c.contentStore.Info(ctx, desc.Digest)
 	if err != nil {
-		return false, errors.Wrap(err, "failed to get blob info")
+		return false, fmt.Errorf("failed to get blob info: %w", err)
 	}
 	desc.Size = cinfo.Size

@@ -441,7 +440,7 @@ func (c *Converter) schema1ManifestHistory() ([]ocispec.History, []digest.Digest
 	for i := range m.History {
 		var h v1History
 		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), &h); err != nil {
-			return nil, nil, errors.Wrap(err, "failed to unmarshal history")
+			return nil, nil, fmt.Errorf("failed to unmarshal history: %w", err)
 		}

 		blobSum := m.FSLayers[i].BlobSum
@@ -553,7 +552,7 @@ func stripSignature(b []byte) ([]byte, error) {
 	}
 	pb, err := joseBase64UrlDecode(sig.Signatures[0].Protected)
 	if err != nil {
-		return nil, errors.Wrapf(err, "could not decode %s", sig.Signatures[0].Protected)
+		return nil, fmt.Errorf("could not decode %s: %w", sig.Signatures[0].Protected, err)
 	}

 	var protected protectedBlock
@@ -567,7 +566,7 @@ func stripSignature(b []byte) ([]byte, error) {

 	tail, err := joseBase64UrlDecode(protected.Tail)
 	if err != nil {
-		return nil, errors.Wrap(err, "invalid tail base 64 value")
+		return nil, fmt.Errorf("invalid tail base 64 value: %w", err)
 	}

 	return append(b[:protected.Length], tail...), nil
--- a/vendor/github.com/containerd/containerd/remotes/docker/status.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/status.go
@@ -17,12 +17,12 @@
 package docker

 import (
+	"fmt"
 	"sync"

 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/moby/locker"
-	"github.com/pkg/errors"
 )

 // Status of a content operation
@@ -67,7 +67,7 @@ func (t *memoryStatusTracker) GetStatus(ref string) (Status, error) {
 	defer t.m.Unlock()
 	status, ok := t.statuses[ref]
 	if !ok {
-		return Status{}, errors.Wrapf(errdefs.ErrNotFound, "status for ref %v", ref)
+		return Status{}, fmt.Errorf("status for ref %v: %w", ref, errdefs.ErrNotFound)
 	}
 	return status, nil
 }
--- a/vendor/github.com/containerd/containerd/remotes/handlers.go
+++ b/vendor/github.com/containerd/containerd/remotes/handlers.go
@@ -18,6 +18,7 @@ package remotes

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -29,7 +30,6 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/platforms"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/semaphore"
 )
@@ -127,13 +127,13 @@ func fetch(ctx context.Context, ingester content.Ingester, fetcher Fetcher, desc
 		// most likely a poorly configured registry/web front end which responded with no
 		// Content-Length header; unable (not to mention useless) to commit a 0-length entry
 		// into the content store. Error out here otherwise the error sent back is confusing
-		return errors.Wrapf(errdefs.ErrInvalidArgument, "unable to fetch descriptor (%s) which reports content size of zero", desc.Digest)
+		return fmt.Errorf("unable to fetch descriptor (%s) which reports content size of zero: %w", desc.Digest, errdefs.ErrInvalidArgument)
 	}
 	if ws.Offset == desc.Size {
 		// If writer is already complete, commit and return
 		err := cw.Commit(ctx, desc.Size, desc.Digest)
 		if err != nil && !errdefs.IsAlreadyExists(err) {
-			return errors.Wrapf(err, "failed commit on ref %q", ws.Ref)
+			return fmt.Errorf("failed commit on ref %q: %w", ws.Ref, err)
 		}
 		return nil
 	}
@@ -243,8 +243,8 @@ func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, st
 			// as a marker for this problem
 			if (manifestStack[i].MediaType == ocispec.MediaTypeImageIndex ||
 				manifestStack[i].MediaType == images.MediaTypeDockerSchema2ManifestList) &&
-				errors.Cause(err) != nil && strings.Contains(errors.Cause(err).Error(), "400 Bad Request") {
-				return errors.Wrap(err, "manifest list/index references to blobs and/or manifests are missing in your target registry")
+				errors.Unwrap(err) != nil && strings.Contains(errors.Unwrap(err).Error(), "400 Bad Request") {
+				return fmt.Errorf("manifest list/index references to blobs and/or manifests are missing in your target registry: %w", err)
 			}
 			return err
 		}
@@ -253,6 +253,43 @@ func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, st
 	return nil
 }

+// SkipNonDistributableBlobs returns a handler that skips blobs that have a media type that is "non-distributeable".
+// An example of this kind of content would be a Windows base layer, which is not supposed to be redistributed.
+//
+// This is based on the media type of the content:
+// 	- application/vnd.oci.image.layer.nondistributable
+// 	- application/vnd.docker.image.rootfs.foreign
+func SkipNonDistributableBlobs(f images.HandlerFunc) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		if images.IsNonDistributable(desc.MediaType) {
+			log.G(ctx).WithField("digest", desc.Digest).WithField("mediatype", desc.MediaType).Debug("Skipping non-distributable blob")
+			return nil, images.ErrSkipDesc
+		}
+
+		if images.IsLayerType(desc.MediaType) {
+			return nil, nil
+		}
+
+		children, err := f(ctx, desc)
+		if err != nil {
+			return nil, err
+		}
+		if len(children) == 0 {
+			return nil, nil
+		}
+
+		out := make([]ocispec.Descriptor, 0, len(children))
+		for _, child := range children {
+			if !images.IsNonDistributable(child.MediaType) {
+				out = append(out, child)
+			} else {
+				log.G(ctx).WithField("digest", child.Digest).WithField("mediatype", child.MediaType).Debug("Skipping non-distributable blob")
+			}
+		}
+		return out, nil
+	}
+}
+
 // FilterManifestByPlatformHandler allows Handler to handle non-target
 // platform's manifest and configuration data.
 func FilterManifestByPlatformHandler(f images.HandlerFunc, m platforms.Matcher) images.HandlerFunc {