diff options
author | baude <bbaude@redhat.com> | 2018-03-08 15:45:52 -0600 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-03-14 20:21:31 +0000 |
commit | b85b217f55993955da9ad0cae7735747b2f24390 (patch) | |
tree | 3e633600e50bf3bedc9bdc59abe789fa01f55601 /libpod/image | |
parent | bc358eb396aa87f3122f0449945efc03ed64bfd2 (diff) | |
download | podman-b85b217f55993955da9ad0cae7735747b2f24390.tar.gz podman-b85b217f55993955da9ad0cae7735747b2f24390.tar.bz2 podman-b85b217f55993955da9ad0cae7735747b2f24390.zip |
Stage3 Image Library
This represents the stage3 implementation for the image library. At this point, we
are moving the image-centric functions to pkg/image including migration of args and
object-oriented references. This is a not a one-for-one migration of funcs and some
funcs will need to continue to reside in runtime_img as they are overly specific to
libpod and probably not useful to others.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #484
Approved by: baude
Diffstat (limited to 'libpod/image')
-rw-r--r-- | libpod/image/docker_registry_options.go | 46 | ||||
-rw-r--r-- | libpod/image/image.go | 370 | ||||
-rw-r--r-- | libpod/image/image_test.go | 120 | ||||
-rw-r--r-- | libpod/image/parts.go | 6 | ||||
-rw-r--r-- | libpod/image/pull.go | 246 | ||||
-rw-r--r-- | libpod/image/signing_options.go | 10 | ||||
-rw-r--r-- | libpod/image/utils.go | 52 |
7 files changed, 701 insertions, 149 deletions
diff --git a/libpod/image/docker_registry_options.go b/libpod/image/docker_registry_options.go new file mode 100644 index 000000000..bbb49df28 --- /dev/null +++ b/libpod/image/docker_registry_options.go @@ -0,0 +1,46 @@ +package image + +import "github.com/containers/image/types" + +// DockerRegistryOptions encapsulates settings that affect how we connect or +// authenticate to a remote registry. +type DockerRegistryOptions struct { + // DockerRegistryCreds is the user name and password to supply in case + // we need to pull an image from a registry, and it requires us to + // authenticate. + DockerRegistryCreds *types.DockerAuthConfig + // DockerCertPath is the location of a directory containing CA + // certificates which will be used to verify the registry's certificate + // (all files with names ending in ".crt"), and possibly client + // certificates and private keys (pairs of files with the same name, + // except for ".cert" and ".key" suffixes). + DockerCertPath string + // DockerInsecureSkipTLSVerify turns off verification of TLS + // certificates and allows connecting to registries without encryption. + DockerInsecureSkipTLSVerify bool +} + +// GetSystemContext constructs a new system context from the given signaturePolicy path and the +// values in the DockerRegistryOptions +func (o DockerRegistryOptions) GetSystemContext(signaturePolicyPath, authFile string, forceCompress bool) *types.SystemContext { + sc := &types.SystemContext{ + SignaturePolicyPath: signaturePolicyPath, + DockerAuthConfig: o.DockerRegistryCreds, + DockerCertPath: o.DockerCertPath, + DockerInsecureSkipTLSVerify: o.DockerInsecureSkipTLSVerify, + AuthFilePath: authFile, + DirForceCompress: forceCompress, + } + return sc +} + +// GetSystemContext Constructs a new containers/image/types.SystemContext{} struct from the given signaturePolicy path +func GetSystemContext(signaturePolicyPath, authFilePath string, forceCompress bool) *types.SystemContext { + sc := &types.SystemContext{} + if signaturePolicyPath != "" { + sc.SignaturePolicyPath = signaturePolicyPath + } + sc.AuthFilePath = authFilePath + sc.DirForceCompress = forceCompress + return sc +} diff --git a/libpod/image/image.go b/libpod/image/image.go index a3f0bce83..b218c7d67 100644 --- a/libpod/image/image.go +++ b/libpod/image/image.go @@ -1,15 +1,26 @@ package image import ( + "encoding/json" "fmt" "io" - "os" + "strings" + "syscall" + "time" + types2 "github.com/containernetworking/cni/pkg/types" + cp "github.com/containers/image/copy" "github.com/containers/image/docker/reference" + is "github.com/containers/image/storage" + "github.com/containers/image/transports/alltransports" + "github.com/containers/image/types" "github.com/containers/storage" + "github.com/containers/storage/pkg/reexec" + "github.com/opencontainers/go-digest" + ociv1 "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" - "github.com/projectatomic/libpod/libpod" "github.com/projectatomic/libpod/pkg/inspect" + "github.com/projectatomic/libpod/pkg/util" ) // Image is the primary struct for dealing with images @@ -18,63 +29,113 @@ type Image struct { inspect.ImageData InputName string Local bool - runtime *libpod.Runtime - image *storage.Image + //runtime *libpod.Runtime + image *storage.Image + imageruntime *Runtime +} + +// Runtime contains the store +type Runtime struct { + store storage.Store +} + +// NewImageRuntime creates an Image Runtime including the store given +// store options +func NewImageRuntime(options storage.StoreOptions) (*Runtime, error) { + if reexec.Init() { + return nil, errors.Errorf("unable to reexec") + } + store, err := setStore(options) + if err != nil { + return nil, err + } + + return &Runtime{ + store: store, + }, nil +} + +func setStore(options storage.StoreOptions) (storage.Store, error) { + store, err := storage.GetStore(options) + if err != nil { + return nil, err + } + is.Transport.SetStore(store) + return store, nil +} + +// newFromStorage creates a new image object from a storage.Image +func (ir *Runtime) newFromStorage(img *storage.Image) *Image { + image := Image{ + InputName: img.ID, + Local: true, + imageruntime: ir, + image: img, + } + return &image } // NewFromLocal creates a new image object that is intended // to only deal with local images already in the store (or // its aliases) -func NewFromLocal(name string, runtime *libpod.Runtime) (Image, error) { +func (ir *Runtime) NewFromLocal(name string) (*Image, error) { + image := Image{ - InputName: name, - Local: true, - runtime: runtime, + InputName: name, + Local: true, + imageruntime: ir, } localImage, err := image.getLocalImage() if err != nil { - return Image{}, err + return nil, err } image.image = localImage - return image, nil + return &image, nil } // New creates a new image object where the image could be local // or remote -func New(name string, runtime *libpod.Runtime) (Image, error) { +func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions) (*Image, error) { // We don't know if the image is local or not ... check local first newImage := Image{ - InputName: name, - Local: false, - runtime: runtime, + InputName: name, + Local: false, + imageruntime: ir, } localImage, err := newImage.getLocalImage() if err == nil { newImage.Local = true newImage.image = localImage - return newImage, nil + return &newImage, nil } // The image is not local - pullNames, err := newImage.createNamesToPull() + + imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions) if err != nil { - return newImage, err + return &newImage, errors.Errorf("unable to pull %s", name) } - if len(pullNames) == 0 { - return newImage, errors.Errorf("unable to pull %s", newImage.InputName) - } - var writer io.Writer - writer = os.Stderr - for _, p := range pullNames { - _, err := newImage.pull(p, writer, runtime) - if err == nil { - newImage.InputName = p - img, err := newImage.getLocalImage() - newImage.image = img - return newImage, err - } + + newImage.InputName = imageName + img, err := newImage.getLocalImage() + newImage.image = img + return &newImage, nil +} + +// Shutdown closes down the storage and require a bool arg as to +// whether it should do so forcibly. +func (ir *Runtime) Shutdown(force bool) error { + _, err := ir.store.Shutdown(force) + return err +} + +func (i *Image) reloadImage() error { + newImage, err := i.imageruntime.getImage(i.ID()) + if err != nil { + return errors.Wrapf(err, "unable to reload image") } - return newImage, errors.Errorf("unable to find %s", name) + i.image = newImage.image + return nil } // getLocalImage resolves an unknown input describing an image and @@ -85,9 +146,9 @@ func (i *Image) getLocalImage() (*storage.Image, error) { return nil, errors.Errorf("input name is blank") } var taggedName string - img, err := i.runtime.GetImage(i.InputName) + img, err := i.imageruntime.getImage(i.InputName) if err == nil { - return img, err + return img.image, err } // container-storage wasn't able to find it in its current form @@ -100,9 +161,9 @@ func (i *Image) getLocalImage() (*storage.Image, error) { // the inputname isn't tagged, so we assume latest and try again if !decomposedImage.isTagged { taggedName = fmt.Sprintf("%s:latest", i.InputName) - img, err = i.runtime.GetImage(taggedName) + img, err = i.imageruntime.getImage(taggedName) if err == nil { - return img, nil + return img.image, nil } } hasReg, err := i.hasRegistry() @@ -116,7 +177,7 @@ func (i *Image) getLocalImage() (*storage.Image, error) { } // grab all the local images - images, err := i.runtime.GetImages(&libpod.ImageFilterParams{}) + images, err := i.imageruntime.GetImages() if err != nil { return nil, err } @@ -149,43 +210,226 @@ func (i *Image) ID() string { return i.image.ID } -// createNamesToPull looks at a decomposed image and determines the possible -// images names to try pulling in combination with the registries.conf file as well -func (i *Image) createNamesToPull() ([]string, error) { - var pullNames []string - decomposedImage, err := decompose(i.InputName) +// Digest returns the image's Manifest +func (i *Image) Digest() digest.Digest { + return i.image.Digest +} + +// Names returns a string array of names associated with the image +func (i *Image) Names() []string { + return i.image.Names +} + +// Created returns the time the image was created +func (i *Image) Created() time.Time { + return i.image.Created +} + +// TopLayer returns the top layer id as a string +func (i *Image) TopLayer() string { + return i.image.TopLayer +} + +// Remove an image; container removal for the image must be done +// outside the context of images +func (i *Image) Remove(force bool) error { + _, err := i.imageruntime.store.DeleteImage(i.ID(), true) + return err +} + +func annotations(manifest []byte, manifestType string) map[string]string { + annotations := make(map[string]string) + switch manifestType { + case ociv1.MediaTypeImageManifest: + var m ociv1.Manifest + if err := json.Unmarshal(manifest, &m); err == nil { + for k, v := range m.Annotations { + annotations[k] = v + } + } + } + return annotations +} + +// Decompose an Image +func (i *Image) Decompose() error { + return types2.NotImplementedError +} + +// TODO: Rework this method to not require an assembly of the fq name with transport +/* +// GetManifest tries to GET an images manifest, returns nil on success and err on failure +func (i *Image) GetManifest() error { + pullRef, err := alltransports.ParseImageName(i.assembleFqNameTransport()) + if err != nil { + return errors.Errorf("unable to parse '%s'", i.Names()[0]) + } + imageSource, err := pullRef.NewImageSource(nil) + if err != nil { + return errors.Wrapf(err, "unable to create new image source") + } + _, _, err = imageSource.GetManifest(nil) + if err == nil { + return nil + } + return err +} +*/ + +// getImage retrieves an image matching the given name or hash from system +// storage +// If no matching image can be found, an error is returned +func (ir *Runtime) getImage(image string) (*Image, error) { + var img *storage.Image + ref, err := is.Transport.ParseStoreReference(ir.store, image) + if err == nil { + img, err = is.Transport.GetStoreImage(ir.store, ref) + } + if err != nil { + img2, err2 := ir.store.Image(image) + if err2 != nil { + if ref == nil { + return nil, errors.Wrapf(err, "error parsing reference to image %q", image) + } + return nil, errors.Wrapf(err, "unable to locate image %q", image) + } + img = img2 + } + newImage := ir.newFromStorage(img) + return newImage, nil +} + +// GetImages retrieves all images present in storage +func (ir *Runtime) GetImages() ([]*Image, error) { + var newImages []*Image + images, err := ir.store.Images() if err != nil { return nil, err } + for _, i := range images { + newImages = append(newImages, ir.newFromStorage(&i)) + } + return newImages, nil +} - if decomposedImage.hasRegistry { - pullNames = append(pullNames, i.InputName) - } else { - registries, err := libpod.GetRegistries() - if err != nil { - return nil, err +// getImageDigest creates an image object and uses the hex value of the digest as the image ID +// for parsing the store reference +func getImageDigest(src types.ImageReference, ctx *types.SystemContext) (string, error) { + newImg, err := src.NewImage(ctx) + if err != nil { + return "", err + } + defer newImg.Close() + digest := newImg.ConfigInfo().Digest + if err = digest.Validate(); err != nil { + return "", errors.Wrapf(err, "error getting config info") + } + return "@" + digest.Hex(), nil +} + +// TagImage adds a tag to the given image +func (i *Image) TagImage(tag string) error { + tags := i.Names() + if util.StringInSlice(tag, tags) { + return nil + } + tags = append(tags, tag) + i.reloadImage() + return i.imageruntime.store.SetNames(i.ID(), tags) +} + +// PushImage pushes the given image to a location described by the given path +func (i *Image) PushImage(destination, manifestMIMEType, authFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions) error { + // PushImage pushes the src image to the destination + //func PushImage(source, destination string, options CopyOptions) error { + if destination == "" { + return errors.Wrapf(syscall.EINVAL, "destination image name must be specified") + } + + // Get the destination Image Reference + dest, err := alltransports.ParseImageName(destination) + if err != nil { + if hasTransport(destination) { + return errors.Wrapf(err, "error getting destination imageReference for %q", destination) } - for _, registry := range registries { - decomposedImage.registry = registry - pullNames = append(pullNames, decomposedImage.assemble()) + // Try adding the images default transport + destination2 := DefaultTransport + destination + dest, err = alltransports.ParseImageName(destination2) + if err != nil { + return err } } - return pullNames, nil + + sc := GetSystemContext(signaturePolicyPath, authFile, forceCompress) + + policyContext, err := getPolicyContext(sc) + if err != nil { + return err + } + defer policyContext.Destroy() + + // Look up the source image, expecting it to be in local storage + src, err := is.Transport.ParseStoreReference(i.imageruntime.store, i.ID()) + if err != nil { + return errors.Wrapf(err, "error getting source imageReference for %q", i.InputName) + } + + copyOptions := getCopyOptions(writer, signaturePolicyPath, nil, dockerRegistryOptions, signingOptions, authFile, manifestMIMEType, forceCompress) + + // Copy the image to the remote destination + err = cp.Image(policyContext, dest, src, copyOptions) + if err != nil { + return errors.Wrapf(err, "Error copying image to the remote destination") + } + return nil +} + +// MatchesID returns a bool based on if the input id +// matches the image's id +func (i *Image) MatchesID(id string) bool { + return strings.HasPrefix(i.ID(), id) } -// pull is a temporary function for stage1 to be able to pull images during the image -// resolution tests. it will be replaced in stage2 with a more robust function. -func (i *Image) pull(name string, writer io.Writer, r *libpod.Runtime) (string, error) { - options := libpod.CopyOptions{ - Writer: writer, - SignaturePolicyPath: r.GetConfig().SignaturePolicyPath, +// toStorageReference returns a *storageReference from an Image +func (i *Image) toStorageReference() (types.ImageReference, error) { + return is.Transport.ParseStoreReference(i.imageruntime.store, i.ID()) +} + +// toImageRef returns an Image Reference type from an image +func (i *Image) toImageRef() (types.Image, error) { + ref, err := is.Transport.ParseStoreReference(i.imageruntime.store, "@"+i.ID()) + if err != nil { + return nil, errors.Wrapf(err, "error parsing reference to image %q", i.ID()) + } + imgRef, err := ref.NewImage(nil) + if err != nil { + return nil, errors.Wrapf(err, "error reading image %q", i.ID()) } - return i.runtime.PullImage(name, options) + return imgRef, nil } -// Remove an image -// This function is only complete enough for the stage 1 tests. -func (i *Image) Remove(force bool) error { - _, err := i.runtime.RemoveImage(i.image, force) - return err +// sizer knows its size. +type sizer interface { + Size() (int64, error) +} + +//Size returns the size of the image +func (i *Image) Size() (*uint64, error) { + storeRef, err := is.Transport.ParseStoreReference(i.imageruntime.store, i.ID()) + if err != nil { + return nil, err + } + systemContext := &types.SystemContext{} + img, err := storeRef.NewImageSource(systemContext) + if err != nil { + return nil, err + } + if s, ok := img.(sizer); ok { + if sum, err := s.Size(); err == nil { + usum := uint64(sum) + return &usum, nil + } + } + return nil, errors.Errorf("unable to determine size") + } diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go index 4b5b782b1..0e2f0c241 100644 --- a/libpod/image/image_test.go +++ b/libpod/image/image_test.go @@ -2,15 +2,12 @@ package image import ( "fmt" + "io" "io/ioutil" "os" - "path" "testing" "github.com/containers/storage" - "github.com/containers/storage/pkg/reexec" - "github.com/pkg/errors" - "github.com/projectatomic/libpod/libpod" "github.com/stretchr/testify/assert" ) @@ -20,43 +17,9 @@ var ( fedoraNames = []string{"registry.fedoraproject.org/fedora-minimal:latest", "registry.fedoraproject.org/fedora-minimal", "fedora-minimal:latest", "fedora-minimal"} ) -// setup a runtime for the tests in an alternative location on the filesystem -func setupRuntime(workdir string) (*libpod.Runtime, error) { - if reexec.Init() { - return nil, errors.Errorf("dude") - } - sc := libpod.WithStorageConfig(storage.StoreOptions{ - GraphRoot: workdir, - RunRoot: workdir, - }) - sd := libpod.WithStaticDir(path.Join(workdir, "libpod_tmp")) - td := libpod.WithTmpDir(path.Join(workdir, "tmpdir")) - - options := []libpod.RuntimeOption{sc, sd, td} - return libpod.NewRuntime(options...) -} - -// getImage is only used to build a test matrix for testing local images -func getImage(r *libpod.Runtime, fqImageName string) (*storage.Image, error) { - img, err := NewFromLocal(fqImageName, r) - if err != nil { - return nil, err - } - return img.image, nil -} - -func tagImage(r *libpod.Runtime, fqImageName, tagName string) error { - img, err := NewFromLocal(fqImageName, r) - if err != nil { - return err - } - r.TagImage(img.image, tagName) - return nil -} - type localImageTest struct { fqname, taggedName string - img *storage.Image + img *Image names []string } @@ -66,8 +29,11 @@ func mkWorkDir() (string, error) { } // shutdown the runtime and clean behind it -func cleanup(r *libpod.Runtime, workdir string) { - r.Shutdown(true) +func cleanup(workdir string, ir *Runtime) { + if err := ir.Shutdown(false); err != nil { + fmt.Println(err) + os.Exit(1) + } err := os.RemoveAll(workdir) if err != nil { fmt.Println(err) @@ -75,46 +41,27 @@ func cleanup(r *libpod.Runtime, workdir string) { } } -func makeLocalMatrix(r *libpod.Runtime) ([]localImageTest, error) { +func makeLocalMatrix(b, bg *Image) ([]localImageTest, error) { var l []localImageTest // busybox busybox := localImageTest{ fqname: "docker.io/library/busybox:latest", taggedName: "bb:latest", } - b, err := getImage(r, busybox.fqname) - if err != nil { - return nil, err - } busybox.img = b - busybox.names = bbNames - busybox.names = append(busybox.names, []string{"bb:latest", "bb", b.ID, b.ID[0:7], fmt.Sprintf("busybox@%s", b.Digest.String())}...) - - //fedora - fedora := localImageTest{ - fqname: "registry.fedoraproject.org/fedora-minimal:latest", - taggedName: "f27:latest", - } - f, err := getImage(r, fedora.fqname) - if err != nil { - return nil, err - } - fedora.img = f - fedora.names = fedoraNames + busybox.names = b.Names() + busybox.names = append(busybox.names, []string{"bb:latest", "bb", b.ID(), b.ID()[0:7], fmt.Sprintf("busybox@%s", b.Digest())}...) // busybox-glibc busyboxGlibc := localImageTest{ fqname: "docker.io/library/busybox:glibc", taggedName: "bb:glibc", } - bg, err := getImage(r, busyboxGlibc.fqname) - if err != nil { - return nil, err - } + busyboxGlibc.img = bg busyboxGlibc.names = bbGlibcNames - l = append(l, busybox, fedora) + l = append(l, busybox, busyboxGlibc) return l, nil } @@ -124,32 +71,37 @@ func makeLocalMatrix(r *libpod.Runtime) ([]localImageTest, error) { func TestImage_NewFromLocal(t *testing.T) { workdir, err := mkWorkDir() assert.NoError(t, err) - runtime, err := setupRuntime(workdir) - assert.NoError(t, err) + so := storage.StoreOptions{ + RunRoot: workdir, + GraphRoot: workdir, + } + var writer io.Writer + writer = os.Stdout // Need images to be present for this test - _, err = runtime.PullImage("docker.io/library/busybox:latest", libpod.CopyOptions{}) + ir, err := NewImageRuntime(so) assert.NoError(t, err) - _, err = runtime.PullImage("docker.io/library/busybox:glibc", libpod.CopyOptions{}) + bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}) assert.NoError(t, err) - _, err = runtime.PullImage("registry.fedoraproject.org/fedora-minimal:latest", libpod.CopyOptions{}) + bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}) assert.NoError(t, err) - tm, err := makeLocalMatrix(runtime) + tm, err := makeLocalMatrix(bb, bbglibc) assert.NoError(t, err) + for _, image := range tm { // tag our images - err = tagImage(runtime, image.fqname, image.taggedName) + image.img.TagImage(image.taggedName) assert.NoError(t, err) for _, name := range image.names { - newImage, err := NewFromLocal(name, runtime) + newImage, err := ir.NewFromLocal(name) assert.NoError(t, err) - assert.Equal(t, newImage.ID(), image.img.ID) + assert.Equal(t, newImage.ID(), image.img.ID()) } } // Shutdown the runtime and remove the temporary storage - cleanup(runtime, workdir) + cleanup(workdir, ir) } // TestImage_New tests pulling the image by various names, tags, and from @@ -158,21 +110,23 @@ func TestImage_New(t *testing.T) { var names []string workdir, err := mkWorkDir() assert.NoError(t, err) - runtime, err := setupRuntime(workdir) - assert.NoError(t, err) + so := storage.StoreOptions{ + RunRoot: workdir, + GraphRoot: workdir, + } + ir, err := NewImageRuntime(so) + assert.NoError(t, err) // Build the list of pull names names = append(names, bbNames...) names = append(names, fedoraNames...) + var writer io.Writer + writer = os.Stdout // Iterate over the names and delete the image // after the pull for _, img := range names { - _, err := runtime.GetImage(img) - if err == nil { - os.Exit(1) - } - newImage, err := New(img, runtime) + newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}) assert.NoError(t, err) assert.NotEqual(t, newImage.ID(), "") err = newImage.Remove(false) @@ -180,5 +134,5 @@ func TestImage_New(t *testing.T) { } // Shutdown the runtime and remove the temporary storage - cleanup(runtime, workdir) + cleanup(workdir, ir) } diff --git a/libpod/image/parts.go b/libpod/image/parts.go index e4ae489f9..979f223fc 100644 --- a/libpod/image/parts.go +++ b/libpod/image/parts.go @@ -47,6 +47,7 @@ func decompose(input string) (imageParts, error) { name: imageName, tag: tag, isTagged: isTagged, + transport: DefaultTransport, }, nil } @@ -54,3 +55,8 @@ func decompose(input string) (imageParts, error) { func (ip *imageParts) assemble() string { return fmt.Sprintf("%s/%s:%s", ip.registry, ip.name, ip.tag) } + +// assemble concatenates an image's parts with transport into a string +func (ip *imageParts) assembleWithTransport() string { + return fmt.Sprintf("%s%s/%s:%s", ip.transport, ip.registry, ip.name, ip.tag) +} diff --git a/libpod/image/pull.go b/libpod/image/pull.go new file mode 100644 index 000000000..52ef175d4 --- /dev/null +++ b/libpod/image/pull.go @@ -0,0 +1,246 @@ +package image + +import ( + "fmt" + "io" + "os" + "strings" + + cp "github.com/containers/image/copy" + "github.com/containers/image/directory" + "github.com/containers/image/docker" + dockerarchive "github.com/containers/image/docker/archive" + "github.com/containers/image/docker/tarfile" + ociarchive "github.com/containers/image/oci/archive" + "github.com/containers/image/pkg/sysregistries" + is "github.com/containers/image/storage" + "github.com/containers/image/tarball" + "github.com/containers/image/transports/alltransports" + "github.com/containers/image/types" + "github.com/pkg/errors" +) + +var ( + // DockerArchive is the transport we prepend to an image name + // when saving to docker-archive + DockerArchive = dockerarchive.Transport.Name() + // OCIArchive is the transport we prepend to an image name + // when saving to oci-archive + OCIArchive = ociarchive.Transport.Name() + // DirTransport is the transport for pushing and pulling + // images to and from a directory + DirTransport = directory.Transport.Name() + // TransportNames are the supported transports in string form + TransportNames = [...]string{DefaultTransport, DockerArchive, OCIArchive, "ostree:", "dir:"} + // TarballTransport is the transport for importing a tar archive + // and creating a filesystem image + TarballTransport = tarball.Transport.Name() + // DockerTransport is the transport for docker registries + DockerTransport = docker.Transport.Name() + "://" + // AtomicTransport is the transport for atomic registries + AtomicTransport = "atomic" + // DefaultTransport is a prefix that we apply to an image name + DefaultTransport = DockerTransport +) + +type pullStruct struct { + image string + srcRef types.ImageReference + dstRef types.ImageReference +} + +func (ir *Runtime) getPullStruct(srcRef types.ImageReference, destName string) (*pullStruct, error) { + reference := destName + if srcRef.DockerReference() != nil { + reference = srcRef.DockerReference().String() + } + destRef, err := is.Transport.ParseStoreReference(ir.store, reference) + if err != nil { + return nil, errors.Errorf("error parsing dest reference name: %v", err) + } + return &pullStruct{ + image: destName, + srcRef: srcRef, + dstRef: destRef, + }, nil +} + +// returns a list of pullStruct with the srcRef and DstRef based on the transport being used +func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName string, sc *types.SystemContext) ([]*pullStruct, error) { + var pullStructs []*pullStruct + splitArr := strings.Split(imgName, ":") + archFile := splitArr[len(splitArr)-1] + + // supports pulling from docker-archive, oci, and registries + if srcRef.Transport().Name() == DockerArchive { + tarSource, err := tarfile.NewSourceFromFile(archFile) + if err != nil { + return nil, err + } + manifest, err := tarSource.LoadTarManifest() + + if err != nil { + return nil, errors.Errorf("error retrieving manifest.json: %v", err) + } + // to pull the first image stored in the tar file + if len(manifest) == 0 { + // use the hex of the digest if no manifest is found + reference, err := getImageDigest(srcRef, sc) + if err != nil { + return nil, err + } + pullInfo, err := ir.getPullStruct(srcRef, reference) + if err != nil { + return nil, err + } + pullStructs = append(pullStructs, pullInfo) + } else { + var dest string + if len(manifest[0].RepoTags) > 0 { + dest = manifest[0].RepoTags[0] + } else { + // If the input image has no repotags, we need to feed it a dest anyways + dest, err = getImageDigest(srcRef, sc) + if err != nil { + return nil, err + } + } + pullInfo, err := ir.getPullStruct(srcRef, dest) + if err != nil { + return nil, err + } + pullStructs = append(pullStructs, pullInfo) + } + } else if srcRef.Transport().Name() == OCIArchive { + // retrieve the manifest from index.json to access the image name + manifest, err := ociarchive.LoadManifestDescriptor(srcRef) + if err != nil { + return nil, errors.Wrapf(err, "error loading manifest for %q", srcRef) + } + + if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" { + return nil, errors.Errorf("error, archive doesn't have a name annotation. Cannot store image with no name") + } + pullInfo, err := ir.getPullStruct(srcRef, manifest.Annotations["org.opencontainers.image.ref.name"]) + if err != nil { + return nil, err + } + pullStructs = append(pullStructs, pullInfo) + } else if srcRef.Transport().Name() == DirTransport { + // supports pull from a directory + image := splitArr[1] + // remove leading "/" + if image[:1] == "/" { + image = image[1:] + } + pullInfo, err := ir.getPullStruct(srcRef, image) + if err != nil { + return nil, err + } + pullStructs = append(pullStructs, pullInfo) + } else { + pullInfo, err := ir.getPullStruct(srcRef, imgName) + if err != nil { + return nil, err + } + pullStructs = append(pullStructs, pullInfo) + } + return pullStructs, nil +} + +// pullImage pulls an image from configured registries +// By default, only the latest tag (or a specific tag if requested) will be +// pulled. +func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) { + // pullImage copies the image from the source to the destination + var pullStructs []*pullStruct + sc := GetSystemContext(signaturePolicyPath, authfile, false) + srcRef, err := alltransports.ParseImageName(i.InputName) + if err != nil { + // could be trying to pull from registry with short name + pullStructs, err = i.createNamesToPull() + if err != nil { + return "", errors.Wrap(err, "error getting default registries to try") + } + } else { + pullStructs, err = i.imageruntime.getPullListFromRef(srcRef, i.InputName, sc) + if err != nil { + return "", errors.Wrapf(err, "error getting pullStruct info to pull image %q", i.InputName) + } + } + policyContext, err := getPolicyContext(sc) + if err != nil { + return "", err + } + defer policyContext.Destroy() + + copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false) + for _, imageInfo := range pullStructs { + // Print the following statement only when pulling from a docker or atomic registry + if writer != nil && (imageInfo.srcRef.Transport().Name() == DockerTransport || imageInfo.srcRef.Transport().Name() == AtomicTransport) { + io.WriteString(writer, fmt.Sprintf("Trying to pull %s...\n", imageInfo.image)) + } + if err = cp.Image(policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions); err != nil { + if writer != nil { + io.WriteString(writer, "Failed\n") + } + } else { + return imageInfo.image, nil + } + } + return "", errors.Wrapf(err, "error pulling image from") +} + +// createNamesToPull looks at a decomposed image and determines the possible +// images names to try pulling in combination with the registries.conf file as well +func (i *Image) createNamesToPull() ([]*pullStruct, error) { + var pullNames []*pullStruct + decomposedImage, err := decompose(i.InputName) + if err != nil { + return nil, err + } + if decomposedImage.hasRegistry { + srcRef, err := alltransports.ParseImageName(decomposedImage.assembleWithTransport()) + if err != nil { + return nil, errors.Errorf("unable to parse '%s'", i.InputName) + } + ps := pullStruct{ + image: i.InputName, + srcRef: srcRef, + } + pullNames = append(pullNames, &ps) + + } else { + registryConfigPath := "" + envOverride := os.Getenv("REGISTRIES_CONFIG_PATH") + if len(envOverride) > 0 { + registryConfigPath = envOverride + } + searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath}) + if err != nil { + return nil, err + } + for _, registry := range searchRegistries { + decomposedImage.registry = registry + srcRef, err := alltransports.ParseImageName(decomposedImage.assembleWithTransport()) + if err != nil { + return nil, errors.Errorf("unable to parse '%s'", i.InputName) + } + ps := pullStruct{ + image: decomposedImage.assemble(), + srcRef: srcRef, + } + pullNames = append(pullNames, &ps) + } + } + + for _, pStruct := range pullNames { + destRef, err := is.Transport.ParseStoreReference(i.imageruntime.store, pStruct.image) + if err != nil { + return nil, errors.Errorf("error parsing dest reference name: %v", err) + } + pStruct.dstRef = destRef + } + + return pullNames, nil +} diff --git a/libpod/image/signing_options.go b/libpod/image/signing_options.go new file mode 100644 index 000000000..f310da749 --- /dev/null +++ b/libpod/image/signing_options.go @@ -0,0 +1,10 @@ +package image + +// SigningOptions encapsulates settings that control whether or not we strip or +// add signatures to images when writing them. +type SigningOptions struct { + // RemoveSignatures directs us to remove any signatures which are already present. + RemoveSignatures bool + // SignBy is a key identifier of some kind, indicating that a signature should be generated using the specified private key and stored with the image. + SignBy string +} diff --git a/libpod/image/utils.go b/libpod/image/utils.go index f312c8e4d..adc795e3a 100644 --- a/libpod/image/utils.go +++ b/libpod/image/utils.go @@ -1,9 +1,16 @@ package image import ( + "io" + + cp "github.com/containers/image/copy" "github.com/containers/image/docker/reference" "github.com/containers/storage" "github.com/pkg/errors" + + "github.com/containers/image/signature" + "github.com/containers/image/types" + "strings" ) func getTags(nameInput string) (reference.NamedTagged, bool, error) { @@ -18,17 +25,17 @@ func getTags(nameInput string) (reference.NamedTagged, bool, error) { // findImageInRepotags takes an imageParts struct and searches images' repotags for // a match on name:tag -func findImageInRepotags(search imageParts, images []*storage.Image) (*storage.Image, error) { +func findImageInRepotags(search imageParts, images []*Image) (*storage.Image, error) { var results []*storage.Image for _, image := range images { - for _, name := range image.Names { + for _, name := range image.Names() { d, err := decompose(name) // if we get an error, ignore and keep going if err != nil { continue } if d.name == search.name && d.tag == search.tag { - results = append(results, image) + results = append(results, image.image) break } } @@ -40,3 +47,42 @@ func findImageInRepotags(search imageParts, images []*storage.Image) (*storage.I } return results[0], nil } + +// getCopyOptions constructs a new containers/image/copy.Options{} struct from the given parameters +func getCopyOptions(reportWriter io.Writer, signaturePolicyPath string, srcDockerRegistry, destDockerRegistry *DockerRegistryOptions, signing SigningOptions, authFile, manifestType string, forceCompress bool) *cp.Options { + if srcDockerRegistry == nil { + srcDockerRegistry = &DockerRegistryOptions{} + } + if destDockerRegistry == nil { + destDockerRegistry = &DockerRegistryOptions{} + } + srcContext := srcDockerRegistry.GetSystemContext(signaturePolicyPath, authFile, forceCompress) + destContext := destDockerRegistry.GetSystemContext(signaturePolicyPath, authFile, forceCompress) + return &cp.Options{ + RemoveSignatures: signing.RemoveSignatures, + SignBy: signing.SignBy, + ReportWriter: reportWriter, + SourceCtx: srcContext, + DestinationCtx: destContext, + ForceManifestMIMEType: manifestType, + } +} + +// getPolicyContext sets up, intializes and returns a new context for the specified policy +func getPolicyContext(ctx *types.SystemContext) (*signature.PolicyContext, error) { + policy, err := signature.DefaultPolicy(ctx) + if err != nil { + return nil, err + } + + policyContext, err := signature.NewPolicyContext(policy) + if err != nil { + return nil, err + } + return policyContext, nil +} + +// hasTransport determines if the image string contains '://', returns bool +func hasTransport(image string) bool { + return strings.Contains(image, "://") +} |