compat API create/pull: fix error handling

Make sure that the create endpoint does not always return 200 even in
case of a failure.  Some of the code had to be massaged since encoding a
report implies sending a 200.

Fixes: #15828
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/crc-org/vfkit v0.0.5-0.20230602131541-3d57f09010c9
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/digitalocean/go-qemu v0.0.0-20221209210016-f035778c97f7
+	github.com/docker/distribution v2.8.2+incompatible
 	github.com/docker/docker v24.0.2+incompatible
 	github.com/docker/go-connections v0.4.1-0.20210727194412-58542c764a11
 	github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651
@@ -90,7 +91,6 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/digitalocean/go-libvirt v0.0.0-20220804181439-8648fbde413e // indirect
 	github.com/disiqueira/gotree/v3 v3.0.2 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsouza/go-dockerclient v1.9.7 // indirect

pkg/api/handlers/compat/images.go

@@ -23,6 +23,7 @@ import (
 	"github.com/containers/podman/v4/pkg/domain/infra/abi"
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/containers/storage"
+	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/gorilla/schema"
 	"github.com/opencontainers/go-digest"
@@ -313,18 +314,24 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) {
 		pullResChan <- pullResult{images: pulledImages, err: err}
 	}()
 
+	enc := json.NewEncoder(w)
+	enc.SetEscapeHTML(true)
+
 	flush := func() {
 		if flusher, ok := w.(http.Flusher); ok {
 			flusher.Flush()
 		}
 	}
 
-	w.WriteHeader(http.StatusOK)
-	w.Header().Set("Content-Type", "application/json")
-	flush()
-
-	enc := json.NewEncoder(w)
-	enc.SetEscapeHTML(true)
+	statusWritten := false
+	writeStatusCode := func(code int) {
+		if !statusWritten {
+			w.WriteHeader(code)
+			w.Header().Set("Content-Type", "application/json")
+			flush()
+			statusWritten = true
+		}
+	}
 
 loop: // break out of for/select infinite loop
 	for {
@@ -332,6 +339,7 @@ loop: // break out of for/select infinite loop
 		report.Progress = &jsonmessage.JSONProgress{}
 		select {
 		case e := <-progress:
+			writeStatusCode(http.StatusOK)
 			switch e.Event {
 			case types.ProgressEventNewArtifact:
 				report.Status = "Pulling fs layer"
@@ -352,14 +360,20 @@ loop: // break out of for/select infinite loop
 			flush()
 		case pullRes := <-pullResChan:
 			err := pullRes.err
-			pulledImages := pullRes.images
 			if err != nil {
+				var errcd errcode.ErrorCoder
+				if errors.As(err, &errcd) {
+					writeStatusCode(errcd.ErrorCode().Descriptor().HTTPStatusCode)
+				} else {
+					writeStatusCode(http.StatusInternalServerError)
+				}
 				msg := err.Error()
 				report.Error = &jsonmessage.JSONError{
 					Message: msg,
 				}
 				report.ErrorMessage = msg
 			} else {
+				pulledImages := pullRes.images
 				if len(pulledImages) > 0 {
 					img := pulledImages[0].ID()
 					if utils.IsLibpodRequest(r) {
@@ -374,6 +388,7 @@ loop: // break out of for/select infinite loop
 						Message: msg,
 					}
 					report.ErrorMessage = msg
+					writeStatusCode(http.StatusInternalServerError)
 				}
 			}
 			if err := enc.Encode(report); err != nil {

test/apiv2/10-images.at

@@ -72,6 +72,7 @@ t POST "images/create?fromSrc=-&repo=myimage&tag=mytag" - 200
 t GET "images/myimage:mytag/json" 200 \
   .Id~'^sha256:[0-9a-f]\{64\}$' \
   .RepoTags[0]="docker.io/library/myimage:mytag"
+t POST /images/create?fromImage=busybox:invalidtag123 404
 
 # Display the image history
 t GET libpod/images/nonesuch/history 404