package libpod import ( "encoding/json" "fmt" "io" "os" "strings" "syscall" "time" cp "github.com/containers/image/copy" dockerarchive "github.com/containers/image/docker/archive" "github.com/containers/image/docker/reference" "github.com/containers/image/docker/tarfile" ociarchive "github.com/containers/image/oci/archive" "github.com/containers/image/pkg/sysregistries" "github.com/containers/image/signature" is "github.com/containers/image/storage" "github.com/containers/image/transports" "github.com/containers/image/transports/alltransports" "github.com/containers/image/types" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" "github.com/kubernetes-incubator/cri-o/libpod/common" digest "github.com/opencontainers/go-digest" ociv1 "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" ) // Runtime API const ( // DefaultRegistry is a prefix that we apply to an image name // to check docker hub first for the image DefaultRegistry = "docker://" ) var ( // DockerArchive is the transport we prepend to an image name // when saving to docker-archive DockerArchive = dockerarchive.Transport.Name() // OCIArchive is the transport we prepend to an image name // when saving to oci-archive OCIArchive = ociarchive.Transport.Name() // DirTransport is the transport for pushing and pulling // images to and from a directory DirTransport = "dir" ) // CopyOptions contains the options given when pushing or pulling images type CopyOptions struct { // Compression specifies the type of compression which is applied to // layer blobs. The default is to not use compression, but // archive.Gzip is recommended. Compression archive.Compression // DockerRegistryOptions encapsulates settings that affect how we // connect or authenticate to a remote registry to which we want to // push the image. common.DockerRegistryOptions // SigningOptions encapsulates settings that control whether or not we // strip or add signatures to the image when pushing (uploading) the // image to a registry. common.SigningOptions // SigningPolicyPath this points to a alternative signature policy file, used mainly for testing SignaturePolicyPath string // AuthFile is the path of the cached credentials file defined by the user AuthFile string // Writer is the reportWriter for the output Writer io.Writer } // Image API // ImageFilterParams contains the filter options that may be given when outputting images type ImageFilterParams struct { Dangling string Label string BeforeImage time.Time SinceImage time.Time ReferencePattern string ImageName string ImageInput string } // struct for when a user passes a short or incomplete // image name type imageDecomposeStruct struct { imageName string tag string registry string hasRegistry bool transport string } // ImageFilter is a function to determine whether an image is included in // command output. Images to be outputted are tested using the function. A true // return will include the image, a false return will exclude it. type ImageFilter func(*storage.Image, *types.ImageInspectInfo) bool func (ips imageDecomposeStruct) returnFQName() string { return fmt.Sprintf("%s%s/%s:%s", ips.transport, ips.registry, ips.imageName, ips.tag) } func getRegistriesToTry(image string, store storage.Store) ([]*pullStruct, error) { var pStructs []*pullStruct var imageError = fmt.Sprintf("unable to parse '%s'\n", image) imgRef, err := reference.Parse(image) if err != nil { return nil, errors.Wrapf(err, imageError) } tagged, isTagged := imgRef.(reference.NamedTagged) tag := "latest" if isTagged { tag = tagged.Tag() } hasDomain := true registry := reference.Domain(imgRef.(reference.Named)) if registry == "" { hasDomain = false } imageName := reference.Path(imgRef.(reference.Named)) pImage := imageDecomposeStruct{ imageName, tag, registry, hasDomain, "docker://", } if pImage.hasRegistry { // If input has a registry, we have to assume they included an image // name but maybe not a tag srcRef, err := alltransports.ParseImageName(pImage.returnFQName()) if err != nil { return nil, errors.Errorf(imageError) } pStruct := &pullStruct{ image: srcRef.DockerReference().String(), srcRef: srcRef, } pStructs = append(pStructs, pStruct) } else { // No registry means we check the globals registries configuration file // and assemble a list of candidate sources to try registryConfigPath := "" envOverride := os.Getenv("REGISTRIES_CONFIG_PATH") if len(envOverride) > 0 { registryConfigPath = envOverride } searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath}) if err != nil { fmt.Println(err) return nil, errors.Errorf("unable to parse the registries.conf file and"+ " the image name '%s' is incomplete.", imageName) } for _, searchRegistry := range searchRegistries { pImage.registry = searchRegistry srcRef, err := alltransports.ParseImageName(pImage.returnFQName()) if err != nil { return nil, errors.Errorf("unable to parse '%s'", pImage.returnFQName()) } pStruct := &pullStruct{ image: srcRef.DockerReference().String(), srcRef: srcRef, } pStructs = append(pStructs, pStruct) } } for _, pStruct := range pStructs { destRef, err := is.Transport.ParseStoreReference(store, pStruct.image) if err != nil { return nil, errors.Errorf("error parsing dest reference name: %v", err) } pStruct.dstRef = destRef } return pStructs, nil } type pullStruct struct { image string srcRef types.ImageReference dstRef types.ImageReference } func (r *Runtime) getPullStruct(srcRef types.ImageReference, destName string) (*pullStruct, error) { reference := destName if srcRef.DockerReference() != nil { reference = srcRef.DockerReference().String() } destRef, err := is.Transport.ParseStoreReference(r.store, reference) if err != nil { return nil, errors.Errorf("error parsing dest reference name: %v", err) } return &pullStruct{ image: destName, srcRef: srcRef, dstRef: destRef, }, nil } // returns a list of pullStruct with the srcRef and DstRef based on the transport being used func (r *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName string, sc *types.SystemContext) ([]*pullStruct, error) { var pullStructs []*pullStruct splitArr := strings.Split(imgName, ":") archFile := splitArr[len(splitArr)-1] // supports pulling from docker-archive, oci, and registries if srcRef.Transport().Name() == DockerArchive { tarSource := tarfile.NewSource(archFile) manifest, err := tarSource.LoadTarManifest() if err != nil { return nil, errors.Errorf("error retrieving manifest.json: %v", err) } // to pull the first image stored in the tar file if len(manifest) == 0 { // create an image object and use the hex value of the digest as the image ID // for parsing the store reference newImg, err := srcRef.NewImage(sc) if err != nil { return nil, err } defer newImg.Close() digest := newImg.ConfigInfo().Digest if err := digest.Validate(); err == nil { pullInfo, err := r.getPullStruct(srcRef, "@"+digest.Hex()) if err != nil { return nil, err } pullStructs = append(pullStructs, pullInfo) } else { return nil, errors.Wrapf(err, "error getting config info") } } else { pullInfo, err := r.getPullStruct(srcRef, manifest[0].RepoTags[0]) if err != nil { return nil, err } pullStructs = append(pullStructs, pullInfo) } } else if srcRef.Transport().Name() == OCIArchive { // retrieve the manifest from index.json to access the image name manifest, err := ociarchive.LoadManifestDescriptor(srcRef) if err != nil { return nil, errors.Wrapf(err, "error loading manifest for %q", srcRef) } if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" { return nil, errors.Errorf("error, archive doesn't have a name annotation. Cannot store image with no name") } pullInfo, err := r.getPullStruct(srcRef, manifest.Annotations["org.opencontainers.image.ref.name"]) if err != nil { return nil, err } pullStructs = append(pullStructs, pullInfo) } else if srcRef.Transport().Name() == DirTransport { // supports pull from a directory image := splitArr[1] // remove leading "/" if image[:1] == "/" { image = image[1:] } pullInfo, err := r.getPullStruct(srcRef, image) if err != nil { return nil, err } pullStructs = append(pullStructs, pullInfo) } else { pullInfo, err := r.getPullStruct(srcRef, imgName) if err != nil { return nil, err } pullStructs = append(pullStructs, pullInfo) } return pullStructs, nil } // PullImage pulls an image from configured registries // By default, only the latest tag (or a specific tag if requested) will be // pulled. If allTags is true, all tags for the requested image will be pulled. // Signature validation will be performed if the Runtime has been appropriately // configured func (r *Runtime) PullImage(imgName string, options CopyOptions) error { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return ErrRuntimeStopped } // PullImage copies the image from the source to the destination var pullStructs []*pullStruct signaturePolicyPath := r.config.SignaturePolicyPath if options.SignaturePolicyPath != "" { signaturePolicyPath = options.SignaturePolicyPath } sc := common.GetSystemContext(signaturePolicyPath, options.AuthFile) srcRef, err := alltransports.ParseImageName(imgName) if err != nil { // could be trying to pull from registry with short name pullStructs, err = getRegistriesToTry(imgName, r.store) if err != nil { return errors.Wrap(err, "error getting default registries to try") } } else { pullStructs, err = r.getPullListFromRef(srcRef, imgName, sc) if err != nil { return errors.Wrapf(err, "error getting pullStruct info to pull image %q", imgName) } } policy, err := signature.DefaultPolicy(sc) if err != nil { return err } policyContext, err := signature.NewPolicyContext(policy) if err != nil { return err } defer policyContext.Destroy() copyOptions := common.GetCopyOptions(options.Writer, signaturePolicyPath, &options.DockerRegistryOptions, nil, options.SigningOptions, options.AuthFile) for _, imageInfo := range pullStructs { fmt.Printf("Trying to pull %s...\n", imageInfo.image) if err = cp.Image(policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions); err != nil { fmt.Println("Failed") } else { return nil } } return errors.Wrapf(err, "error pulling image from %q", imgName) } // PushImage pushes the given image to a location described by the given path func (r *Runtime) PushImage(source string, destination string, options CopyOptions) error { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return ErrRuntimeStopped } // PushImage pushes the src image to the destination //func PushImage(source, destination string, options CopyOptions) error { if source == "" || destination == "" { return errors.Wrapf(syscall.EINVAL, "source and destination image names must be specified") } // Get the destination Image Reference dest, err := alltransports.ParseImageName(destination) if err != nil { return errors.Wrapf(err, "error getting destination imageReference for %q", destination) } signaturePolicyPath := r.config.SignaturePolicyPath if options.SignaturePolicyPath != "" { signaturePolicyPath = options.SignaturePolicyPath } sc := common.GetSystemContext(signaturePolicyPath, options.AuthFile) policy, err := signature.DefaultPolicy(sc) if err != nil { return err } policyContext, err := signature.NewPolicyContext(policy) if err != nil { return err } defer policyContext.Destroy() // Look up the source image, expecting it to be in local storage src, err := is.Transport.ParseStoreReference(r.store, source) if err != nil { return errors.Wrapf(err, "error getting source imageReference for %q", source) } copyOptions := common.GetCopyOptions(options.Writer, signaturePolicyPath, nil, &options.DockerRegistryOptions, options.SigningOptions, options.AuthFile) // Copy the image to the remote destination err = cp.Image(policyContext, dest, src, copyOptions) if err != nil { return errors.Wrapf(err, "Error copying image to the remote destination") } return nil } // TagImage adds a tag to the given image func (r *Runtime) TagImage(image *storage.Image, tag string) error { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return ErrRuntimeStopped } tags, err := r.store.Names(image.ID) if err != nil { return err } for _, key := range tags { if key == tag { return nil } } tags = append(tags, tag) return r.store.SetNames(image.ID, tags) } // UntagImage removes a tag from the given image func (r *Runtime) UntagImage(image *storage.Image, tag string) (string, error) { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return "", ErrRuntimeStopped } tags, err := r.store.Names(image.ID) if err != nil { return "", err } for i, key := range tags { if key == tag { tags[i] = tags[len(tags)-1] tags = tags[:len(tags)-1] break } } if err = r.store.SetNames(image.ID, tags); err != nil { return "", err } return tag, nil } // RemoveImage deletes an image from local storage // Images being used by running containers can only be removed if force=true func (r *Runtime) RemoveImage(image *storage.Image, force bool) (string, error) { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return "", ErrRuntimeStopped } containersWithImage, err := r.getContainersWithImage(image.ID) if err != nil { return "", errors.Wrapf(err, "error getting containers for image %q", image.ID) } if len(containersWithImage) > 0 && len(image.Names) <= 1 { if force { if err := r.removeMultipleContainers(containersWithImage); err != nil { return "", err } } else { for _, ctr := range containersWithImage { return "", fmt.Errorf("Could not remove image %q (must force) - container %q is using its reference image", image.ID, ctr.ImageID) } } } if len(image.Names) > 1 && !force { return "", fmt.Errorf("unable to delete %s (must force) - image is referred to in multiple tags", image.ID) } // If it is forced, we have to untag the image so that it can be deleted image.Names = image.Names[:0] _, err = r.store.DeleteImage(image.ID, true) if err != nil { return "", err } return image.ID, nil } // GetImage retrieves an image matching the given name or hash from system // storage // If no matching image can be found, an error is returned func (r *Runtime) GetImage(image string) (*storage.Image, error) { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return nil, ErrRuntimeStopped } return r.getImage(image) } func (r *Runtime) getImage(image string) (*storage.Image, error) { var img *storage.Image ref, err := is.Transport.ParseStoreReference(r.store, image) if err == nil { img, err = is.Transport.GetStoreImage(r.store, ref) } if err != nil { img2, err2 := r.store.Image(image) if err2 != nil { if ref == nil { return nil, errors.Wrapf(err, "error parsing reference to image %q", image) } return nil, errors.Wrapf(err, "unable to locate image %q", image) } img = img2 } return img, nil } // GetImageRef searches for and returns a new types.Image matching the given name or ID in the given store. func (r *Runtime) GetImageRef(image string) (types.Image, error) { r.lock.Lock() defer r.lock.Unlock() if !r.valid { return nil, ErrRuntimeStopped } return r.getImageRef(image) } func (r *Runtime) getImageRef(image string) (types.Image, error) { img, err := r.getImage(image) if err != nil { return nil, errors.Wrapf(err, "unable to locate image %q", image) } ref, err := is.Transport.ParseStoreReference(r.store, "@"+img.ID) if err != nil { return nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID) } imgRef, err := ref.NewImage(nil) if err != nil { return nil, errors.Wrapf(err, "error reading image %q", img.ID) } return imgRef, nil } // GetImages retrieves all images present in storage // Filters can be provided which will determine which images are included in the // output. Multiple filters are handled by ANDing their output, so only images // matching all filters are included func (r *Runtime) GetImages(params *ImageFilterParams, filters ...ImageFilter) ([]*storage.Image, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, ErrRuntimeStopped } images, err := r.store.Images() if err != nil { return nil, err } var imagesFiltered []*storage.Image for _, img := range images { info, err := r.getImageInspectInfo(img) if err != nil { return nil, err } var names []string if len(img.Names) > 0 { names = img.Names } else { names = append(names, "") } for _, name := range names { include := true if params != nil { params.ImageName = name } for _, filter := range filters { include = include && filter(&img, info) } if include { newImage := img newImage.Names = []string{name} imagesFiltered = append(imagesFiltered, &newImage) } } } return imagesFiltered, nil } // GetHistory gets the history of an image and information about its layers func (r *Runtime) GetHistory(image string) ([]ociv1.History, []types.BlobInfo, string, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, nil, "", ErrRuntimeStopped } img, err := r.getImage(image) if err != nil { return nil, nil, "", errors.Wrapf(err, "no such image %q", image) } src, err := r.getImageRef(image) if err != nil { return nil, nil, "", errors.Wrapf(err, "error instantiating image %q", image) } oci, err := src.OCIConfig() if err != nil { return nil, nil, "", err } return oci.History, src.LayerInfos(), img.ID, nil } // ImportImage imports an OCI format image archive into storage as an image func (r *Runtime) ImportImage(path string) (*storage.Image, error) { return nil, ErrNotImplemented } // GetImageInspectInfo returns the inspect information of an image func (r *Runtime) GetImageInspectInfo(image storage.Image) (*types.ImageInspectInfo, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, ErrRuntimeStopped } return r.getImageInspectInfo(image) } func (r *Runtime) getImageInspectInfo(image storage.Image) (*types.ImageInspectInfo, error) { img, err := r.getImageRef(image.ID) if err != nil { return nil, err } return img.Inspect() } // ParseImageFilter takes a set of images and a filter string as input, and returns the libpod.ImageFilterParams struct func (r *Runtime) ParseImageFilter(imageInput, filter string) (*ImageFilterParams, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, ErrRuntimeStopped } if filter == "" && imageInput == "" { return nil, nil } var params ImageFilterParams params.ImageInput = imageInput if filter == "" && imageInput != "" { return ¶ms, nil } images, err := r.store.Images() if err != nil { return nil, err } filterStrings := strings.Split(filter, ",") for _, param := range filterStrings { pair := strings.SplitN(param, "=", 2) switch strings.TrimSpace(pair[0]) { case "dangling": if common.IsValidBool(pair[1]) { params.Dangling = pair[1] } else { return nil, fmt.Errorf("invalid filter: '%s=[%s]'", pair[0], pair[1]) } case "label": params.Label = pair[1] case "before": if img, err := findImageInSlice(images, pair[1]); err == nil { info, err := r.GetImageInspectInfo(img) if err != nil { return nil, err } params.BeforeImage = info.Created } else { return nil, fmt.Errorf("no such id: %s", pair[0]) } case "since": if img, err := findImageInSlice(images, pair[1]); err == nil { info, err := r.GetImageInspectInfo(img) if err != nil { return nil, err } params.SinceImage = info.Created } else { return nil, fmt.Errorf("no such id: %s``", pair[0]) } case "reference": params.ReferencePattern = pair[1] default: return nil, fmt.Errorf("invalid filter: '%s'", pair[0]) } } return ¶ms, nil } // InfoAndDigestAndSize returns the inspection info and size of the image in the given // store and the digest of its manifest, if it has one, or "" if it doesn't. func (r *Runtime) InfoAndDigestAndSize(img storage.Image) (*types.ImageInspectInfo, digest.Digest, int64, error) { r.lock.RLock() defer r.lock.RUnlock() if !r.valid { return nil, "", -1, ErrRuntimeStopped } imgRef, err := r.getImageRef("@" + img.ID) if err != nil { return nil, "", -1, errors.Wrapf(err, "error reading image %q", img.ID) } defer imgRef.Close() return infoAndDigestAndSize(imgRef) } func infoAndDigestAndSize(imgRef types.Image) (*types.ImageInspectInfo, digest.Digest, int64, error) { imgSize, err := imgRef.Size() if err != nil { return nil, "", -1, errors.Wrapf(err, "error reading size of image %q", transports.ImageName(imgRef.Reference())) } manifest, _, err := imgRef.Manifest() if err != nil { return nil, "", -1, errors.Wrapf(err, "error reading manifest for image %q", transports.ImageName(imgRef.Reference())) } manifestDigest := digest.Digest("") if len(manifest) > 0 { manifestDigest = digest.Canonical.FromBytes(manifest) } info, err := imgRef.Inspect() if err != nil { return nil, "", -1, errors.Wrapf(err, "error inspecting image %q", transports.ImageName(imgRef.Reference())) } return info, manifestDigest, imgSize, nil } // MatchesID returns true if argID is a full or partial match for id func MatchesID(id, argID string) bool { return strings.HasPrefix(argID, id) } // MatchesReference returns true if argName is a full or partial match for name // Partial matches will register only if they match the most specific part of the name available // For example, take the image docker.io/library/redis:latest // redis, library/redis, docker.io/library/redis, redis:latest, etc. will match // But redis:alpine, ry/redis, library, and io/library/redis will not func MatchesReference(name, argName string) bool { if argName == "" { return false } splitName := strings.Split(name, ":") // If the arg contains a tag, we handle it differently than if it does not if strings.Contains(argName, ":") { splitArg := strings.Split(argName, ":") return strings.HasSuffix(splitName[0], splitArg[0]) && (splitName[1] == splitArg[1]) } return strings.HasSuffix(splitName[0], argName) } // ParseImageNames parses the names we've stored with an image into a list of // tagged references and a list of references which contain digests. func ParseImageNames(names []string) (tags, digests []string, err error) { for _, name := range names { if named, err := reference.ParseNamed(name); err == nil { if digested, ok := named.(reference.Digested); ok { canonical, err := reference.WithDigest(named, digested.Digest()) if err == nil { digests = append(digests, canonical.String()) } } else { if reference.IsNameOnly(named) { named = reference.TagNameOnly(named) } if tagged, ok := named.(reference.Tagged); ok { namedTagged, err := reference.WithTag(named, tagged.Tag()) if err == nil { tags = append(tags, namedTagged.String()) } } } } } return tags, digests, nil } func annotations(manifest []byte, manifestType string) map[string]string { annotations := make(map[string]string) switch manifestType { case ociv1.MediaTypeImageManifest: var m ociv1.Manifest if err := json.Unmarshal(manifest, &m); err == nil { for k, v := range m.Annotations { annotations[k] = v } } } return annotations } func findImageInSlice(images []storage.Image, ref string) (storage.Image, error) { for _, image := range images { if MatchesID(image.ID, ref) { return image, nil } for _, name := range image.Names { if MatchesReference(name, ref) { return image, nil } } } return storage.Image{}, errors.New("could not find image") }