mirror of
https://github.com/containers/podman.git
synced 2025-12-01 18:49:18 +08:00
7c8c945496
Pull in updates made to the filters code for images. Filters now perform an AND operation except for th reference filter which does an OR operation for positive case but an AND operation for negative cases. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
529 lines
18 KiB
Go
529 lines
18 KiB
Go
//go:build !remote
|
|
|
|
package libimage
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/containers/common/libimage/manifests"
|
|
"github.com/containers/common/libimage/platform"
|
|
"github.com/containers/common/pkg/config"
|
|
"github.com/containers/common/pkg/retry"
|
|
"github.com/containers/image/v5/copy"
|
|
"github.com/containers/image/v5/docker/reference"
|
|
"github.com/containers/image/v5/pkg/compression"
|
|
"github.com/containers/image/v5/signature"
|
|
"github.com/containers/image/v5/signature/signer"
|
|
storageTransport "github.com/containers/image/v5/storage"
|
|
"github.com/containers/image/v5/types"
|
|
encconfig "github.com/containers/ocicrypt/config"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const (
|
|
defaultMaxRetries = 3
|
|
defaultRetryDelay = time.Second
|
|
)
|
|
|
|
// LookupReferenceFunc return an image reference based on the specified one.
|
|
// The returned reference can return custom ImageSource or ImageDestination
|
|
// objects which intercept or filter blobs, manifests, and signatures as
|
|
// they are read and written.
|
|
type LookupReferenceFunc = manifests.LookupReferenceFunc
|
|
|
|
// CopyOptions allow for customizing image-copy operations.
|
|
type CopyOptions struct {
|
|
// If set, will be used for copying the image. Fields below may
|
|
// override certain settings.
|
|
SystemContext *types.SystemContext
|
|
// Allows for customizing the source reference lookup. This can be
|
|
// used to use custom blob caches.
|
|
SourceLookupReferenceFunc LookupReferenceFunc
|
|
// Allows for customizing the destination reference lookup. This can
|
|
// be used to use custom blob caches.
|
|
DestinationLookupReferenceFunc LookupReferenceFunc
|
|
// CompressionFormat is the format to use for the compression of the blobs
|
|
CompressionFormat *compression.Algorithm
|
|
// CompressionLevel specifies what compression level is used
|
|
CompressionLevel *int
|
|
// ForceCompressionFormat ensures that the compression algorithm set in
|
|
// CompressionFormat is used exclusively, and blobs of other compression
|
|
// algorithms are not reused.
|
|
ForceCompressionFormat bool
|
|
|
|
// containers-auth.json(5) file to use when authenticating against
|
|
// container registries.
|
|
AuthFilePath string
|
|
// Custom path to a blob-info cache.
|
|
BlobInfoCacheDirPath string
|
|
// Path to the certificates directory.
|
|
CertDirPath string
|
|
// Force layer compression when copying to a `dir` transport destination.
|
|
DirForceCompress bool
|
|
// Allow contacting registries over HTTP, or HTTPS with failed TLS
|
|
// verification. Note that this does not affect other TLS connections.
|
|
InsecureSkipTLSVerify types.OptionalBool
|
|
// Maximum number of retries with exponential backoff when facing
|
|
// transient network errors. A reasonable default is used if not set.
|
|
// Default 3.
|
|
MaxRetries *uint
|
|
// RetryDelay used for the exponential back off of MaxRetries.
|
|
// Default 1 time.Second.
|
|
RetryDelay *time.Duration
|
|
// ManifestMIMEType is the desired media type the image will be
|
|
// converted to if needed. Note that it must contain the exact MIME
|
|
// types. Short forms (e.g., oci, v2s2) used by some tools are not
|
|
// supported.
|
|
ManifestMIMEType string
|
|
// Accept uncompressed layers when copying OCI images.
|
|
OciAcceptUncompressedLayers bool
|
|
// If OciEncryptConfig is non-nil, it indicates that an image should be
|
|
// encrypted. The encryption options is derived from the construction
|
|
// of EncryptConfig object. Note: During initial encryption process of
|
|
// a layer, the resultant digest is not known during creation, so
|
|
// newDigestingReader has to be set with validateDigest = false
|
|
OciEncryptConfig *encconfig.EncryptConfig
|
|
// OciEncryptLayers represents the list of layers to encrypt. If nil,
|
|
// don't encrypt any layers. If non-nil and len==0, denotes encrypt
|
|
// all layers. integers in the slice represent 0-indexed layer
|
|
// indices, with support for negative indexing. i.e. 0 is the first
|
|
// layer, -1 is the last (top-most) layer.
|
|
OciEncryptLayers *[]int
|
|
// OciDecryptConfig contains the config that can be used to decrypt an
|
|
// image if it is encrypted if non-nil. If nil, it does not attempt to
|
|
// decrypt an image.
|
|
OciDecryptConfig *encconfig.DecryptConfig
|
|
// Reported to when ProgressInterval has arrived for a single
|
|
// artifact+offset.
|
|
Progress chan types.ProgressProperties
|
|
// If set, allow using the storage transport even if it's disabled by
|
|
// the specified SignaturePolicyPath.
|
|
PolicyAllowStorage bool
|
|
// SignaturePolicyPath to overwrite the default one.
|
|
SignaturePolicyPath string
|
|
// If non-empty, asks for signatures to be added during the copy
|
|
// using the provided signers.
|
|
Signers []*signer.Signer
|
|
// If non-empty, asks for a signature to be added during the copy, and
|
|
// specifies a key ID.
|
|
SignBy string
|
|
// If non-empty, passphrase to use when signing with the key ID from SignBy.
|
|
SignPassphrase string
|
|
// If non-empty, asks for a signature to be added during the copy, using
|
|
// a sigstore private key file at the provided path.
|
|
SignBySigstorePrivateKeyFile string
|
|
// Passphrase to use when signing with SignBySigstorePrivateKeyFile.
|
|
SignSigstorePrivateKeyPassphrase []byte
|
|
// Remove any pre-existing signatures. SignBy will still add a new
|
|
// signature.
|
|
RemoveSignatures bool
|
|
// Writer is used to display copy information including progress bars.
|
|
Writer io.Writer
|
|
|
|
// ----- platform -----------------------------------------------------
|
|
|
|
// Architecture to use for choosing images.
|
|
Architecture string
|
|
// OS to use for choosing images.
|
|
OS string
|
|
// Variant to use when choosing images.
|
|
Variant string
|
|
|
|
// ----- credentials --------------------------------------------------
|
|
|
|
// Username to use when authenticating at a container registry.
|
|
Username string
|
|
// Password to use when authenticating at a container registry.
|
|
Password string
|
|
// Credentials is an alternative way to specify credentials in format
|
|
// "username[:password]". Cannot be used in combination with
|
|
// Username/Password.
|
|
Credentials string
|
|
// IdentityToken is used to authenticate the user and get
|
|
// an access token for the registry.
|
|
IdentityToken string `json:"identitytoken,omitempty"`
|
|
|
|
// ----- internal -----------------------------------------------------
|
|
|
|
// Additional tags when creating or copying a docker-archive.
|
|
dockerArchiveAdditionalTags []reference.NamedTagged
|
|
|
|
// If set it points to a NOTIFY_SOCKET the copier will use to extend
|
|
// the systemd timeout while copying.
|
|
extendTimeoutSocket string
|
|
}
|
|
|
|
// copier is an internal helper to conveniently copy images.
|
|
type copier struct {
|
|
extendTimeoutSocket string
|
|
imageCopyOptions copy.Options
|
|
retryOptions retry.Options
|
|
systemContext *types.SystemContext
|
|
policyContext *signature.PolicyContext
|
|
|
|
sourceLookup LookupReferenceFunc
|
|
destinationLookup LookupReferenceFunc
|
|
}
|
|
|
|
// storageAllowedPolicyScopes overrides the policy for local storage
|
|
// to ensure that we can read images from it.
|
|
var storageAllowedPolicyScopes = signature.PolicyTransportScopes{
|
|
"": []signature.PolicyRequirement{
|
|
signature.NewPRInsecureAcceptAnything(),
|
|
},
|
|
}
|
|
|
|
// getDockerAuthConfig extracts a docker auth config. Returns nil if
|
|
// no credentials are set.
|
|
func getDockerAuthConfig(name, passwd, creds, idToken string) (*types.DockerAuthConfig, error) {
|
|
numCredsSources := 0
|
|
|
|
if name != "" {
|
|
numCredsSources++
|
|
}
|
|
if creds != "" {
|
|
name, passwd, _ = strings.Cut(creds, ":")
|
|
numCredsSources++
|
|
}
|
|
if idToken != "" {
|
|
numCredsSources++
|
|
}
|
|
authConf := &types.DockerAuthConfig{
|
|
Username: name,
|
|
Password: passwd,
|
|
IdentityToken: idToken,
|
|
}
|
|
|
|
switch numCredsSources {
|
|
case 0:
|
|
// Return nil if there is no credential source.
|
|
return nil, nil
|
|
case 1:
|
|
return authConf, nil
|
|
default:
|
|
// Cannot use the multiple credential sources.
|
|
return nil, errors.New("cannot use the multiple credential sources")
|
|
}
|
|
}
|
|
|
|
// newCopier creates a copier. Note that fields in options *may* overwrite the
|
|
// counterparts of the specified system context. Please make sure to call
|
|
// `(*copier).close()`.
|
|
func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) {
|
|
c := copier{extendTimeoutSocket: options.extendTimeoutSocket}
|
|
c.systemContext = r.systemContextCopy()
|
|
|
|
if options.SourceLookupReferenceFunc != nil {
|
|
c.sourceLookup = options.SourceLookupReferenceFunc
|
|
}
|
|
|
|
if options.DestinationLookupReferenceFunc != nil {
|
|
c.destinationLookup = options.DestinationLookupReferenceFunc
|
|
}
|
|
|
|
if options.InsecureSkipTLSVerify != types.OptionalBoolUndefined {
|
|
c.systemContext.DockerInsecureSkipTLSVerify = options.InsecureSkipTLSVerify
|
|
c.systemContext.OCIInsecureSkipTLSVerify = options.InsecureSkipTLSVerify == types.OptionalBoolTrue
|
|
c.systemContext.DockerDaemonInsecureSkipTLSVerify = options.InsecureSkipTLSVerify == types.OptionalBoolTrue
|
|
}
|
|
|
|
c.systemContext.DirForceCompress = c.systemContext.DirForceCompress || options.DirForceCompress
|
|
|
|
if options.AuthFilePath != "" {
|
|
c.systemContext.AuthFilePath = options.AuthFilePath
|
|
}
|
|
|
|
c.systemContext.DockerArchiveAdditionalTags = options.dockerArchiveAdditionalTags
|
|
|
|
c.systemContext.OSChoice, c.systemContext.ArchitectureChoice, c.systemContext.VariantChoice = platform.Normalize(options.OS, options.Architecture, options.Variant)
|
|
|
|
if options.SignaturePolicyPath != "" {
|
|
c.systemContext.SignaturePolicyPath = options.SignaturePolicyPath
|
|
}
|
|
|
|
dockerAuthConfig, err := getDockerAuthConfig(options.Username, options.Password, options.Credentials, options.IdentityToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if dockerAuthConfig != nil {
|
|
c.systemContext.DockerAuthConfig = dockerAuthConfig
|
|
}
|
|
|
|
if options.BlobInfoCacheDirPath != "" {
|
|
c.systemContext.BlobInfoCacheDir = options.BlobInfoCacheDirPath
|
|
}
|
|
|
|
if options.CertDirPath != "" {
|
|
c.systemContext.DockerCertPath = options.CertDirPath
|
|
}
|
|
|
|
if options.CompressionFormat != nil {
|
|
c.systemContext.CompressionFormat = options.CompressionFormat
|
|
}
|
|
|
|
if options.CompressionLevel != nil {
|
|
c.systemContext.CompressionLevel = options.CompressionLevel
|
|
}
|
|
|
|
// NOTE: for the sake of consistency it's called Oci* in the CopyOptions.
|
|
c.systemContext.OCIAcceptUncompressedLayers = options.OciAcceptUncompressedLayers
|
|
|
|
policy, err := signature.DefaultPolicy(c.systemContext)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Buildah compatibility: even if the policy denies _all_ transports,
|
|
// Buildah still wants the storage to be accessible.
|
|
if options.PolicyAllowStorage {
|
|
policy.Transports[storageTransport.Transport.Name()] = storageAllowedPolicyScopes
|
|
}
|
|
|
|
policyContext, err := signature.NewPolicyContext(policy)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
c.policyContext = policyContext
|
|
|
|
c.retryOptions.MaxRetry = defaultMaxRetries
|
|
if options.MaxRetries != nil {
|
|
c.retryOptions.MaxRetry = int(*options.MaxRetries)
|
|
}
|
|
c.retryOptions.Delay = defaultRetryDelay
|
|
if options.RetryDelay != nil {
|
|
c.retryOptions.Delay = *options.RetryDelay
|
|
}
|
|
|
|
c.imageCopyOptions.Progress = options.Progress
|
|
if c.imageCopyOptions.Progress != nil {
|
|
c.imageCopyOptions.ProgressInterval = time.Second
|
|
}
|
|
|
|
c.imageCopyOptions.ForceCompressionFormat = options.ForceCompressionFormat
|
|
c.imageCopyOptions.ForceManifestMIMEType = options.ManifestMIMEType
|
|
c.imageCopyOptions.SourceCtx = c.systemContext
|
|
c.imageCopyOptions.DestinationCtx = c.systemContext
|
|
c.imageCopyOptions.OciEncryptConfig = options.OciEncryptConfig
|
|
c.imageCopyOptions.OciEncryptLayers = options.OciEncryptLayers
|
|
c.imageCopyOptions.OciDecryptConfig = options.OciDecryptConfig
|
|
c.imageCopyOptions.RemoveSignatures = options.RemoveSignatures
|
|
c.imageCopyOptions.Signers = options.Signers
|
|
c.imageCopyOptions.SignBy = options.SignBy
|
|
c.imageCopyOptions.SignPassphrase = options.SignPassphrase
|
|
c.imageCopyOptions.SignBySigstorePrivateKeyFile = options.SignBySigstorePrivateKeyFile
|
|
c.imageCopyOptions.SignSigstorePrivateKeyPassphrase = options.SignSigstorePrivateKeyPassphrase
|
|
c.imageCopyOptions.ReportWriter = options.Writer
|
|
|
|
defaultContainerConfig, err := config.Default()
|
|
if err != nil {
|
|
logrus.Warnf("Failed to get container config for copy options: %v", err)
|
|
} else {
|
|
c.imageCopyOptions.MaxParallelDownloads = defaultContainerConfig.Engine.ImageParallelCopies
|
|
}
|
|
|
|
return &c, nil
|
|
}
|
|
|
|
// close open resources.
|
|
func (c *copier) close() error {
|
|
return c.policyContext.Destroy()
|
|
}
|
|
|
|
// copy the source to the destination. Returns the bytes of the copied
|
|
// manifest which may be used for digest computation.
|
|
func (c *copier) copy(ctx context.Context, source, destination types.ImageReference) ([]byte, error) {
|
|
logrus.Debugf("Copying source image %s to destination image %s", source.StringWithinTransport(), destination.StringWithinTransport())
|
|
|
|
// Avoid running out of time when running inside a systemd unit by
|
|
// regularly increasing the timeout.
|
|
if c.extendTimeoutSocket != "" {
|
|
socketAddr := &net.UnixAddr{
|
|
Name: c.extendTimeoutSocket,
|
|
Net: "unixgram",
|
|
}
|
|
conn, err := net.DialUnix(socketAddr.Net, nil, socketAddr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer conn.Close()
|
|
|
|
numExtensions := 10
|
|
extension := 30 * time.Second
|
|
timerFrequency := 25 * time.Second // Fire the timer at a higher frequency to avoid a race
|
|
timer := time.NewTicker(timerFrequency)
|
|
socketCtx, cancel := context.WithCancel(ctx)
|
|
defer cancel()
|
|
defer timer.Stop()
|
|
|
|
if c.imageCopyOptions.ReportWriter != nil {
|
|
fmt.Fprintf(c.imageCopyOptions.ReportWriter,
|
|
"Pulling image %s inside systemd: setting pull timeout to %s\n",
|
|
source.StringWithinTransport(),
|
|
time.Duration(numExtensions)*extension,
|
|
)
|
|
}
|
|
|
|
// From `man systemd.service(5)`:
|
|
//
|
|
// "If a service of Type=notify/Type=notify-reload sends "EXTEND_TIMEOUT_USEC=...", this may cause
|
|
// the start time to be extended beyond TimeoutStartSec=. The first receipt of this message must
|
|
// occur before TimeoutStartSec= is exceeded, and once the start time has extended beyond
|
|
// TimeoutStartSec=, the service manager will allow the service to continue to start, provided the
|
|
// service repeats "EXTEND_TIMEOUT_USEC=..." within the interval specified until the service startup
|
|
// status is finished by "READY=1"."
|
|
extendValue := []byte(fmt.Sprintf("EXTEND_TIMEOUT_USEC=%d", extension.Microseconds()))
|
|
extendTimeout := func() {
|
|
if _, err := conn.Write(extendValue); err != nil {
|
|
logrus.Errorf("Increasing EXTEND_TIMEOUT_USEC failed: %v", err)
|
|
}
|
|
numExtensions--
|
|
}
|
|
|
|
extendTimeout()
|
|
go func() {
|
|
for {
|
|
select {
|
|
case <-socketCtx.Done():
|
|
return
|
|
case <-timer.C:
|
|
if numExtensions == 0 {
|
|
return
|
|
}
|
|
extendTimeout()
|
|
}
|
|
}
|
|
}()
|
|
}
|
|
|
|
var err error
|
|
|
|
if c.sourceLookup != nil {
|
|
source, err = c.sourceLookup(source)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if c.destinationLookup != nil {
|
|
destination, err = c.destinationLookup(destination)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
// Buildah compat: used when running in OpenShift.
|
|
sourceInsecure, err := checkRegistrySourcesAllows(source)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
destinationInsecure, err := checkRegistrySourcesAllows(destination)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Sanity checks for Buildah.
|
|
if sourceInsecure != nil && *sourceInsecure {
|
|
if c.systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
|
|
return nil, fmt.Errorf("can't require tls verification on an insecured registry")
|
|
}
|
|
}
|
|
if destinationInsecure != nil && *destinationInsecure {
|
|
if c.systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
|
|
return nil, fmt.Errorf("can't require tls verification on an insecured registry")
|
|
}
|
|
}
|
|
|
|
var returnManifest []byte
|
|
f := func() error {
|
|
opts := c.imageCopyOptions
|
|
if sourceInsecure != nil {
|
|
value := types.NewOptionalBool(*sourceInsecure)
|
|
opts.SourceCtx.DockerInsecureSkipTLSVerify = value
|
|
}
|
|
if destinationInsecure != nil {
|
|
value := types.NewOptionalBool(*destinationInsecure)
|
|
opts.DestinationCtx.DockerInsecureSkipTLSVerify = value
|
|
}
|
|
|
|
copiedManifest, err := copy.Image(ctx, c.policyContext, destination, source, &opts)
|
|
if err == nil {
|
|
returnManifest = copiedManifest
|
|
}
|
|
return err
|
|
}
|
|
return returnManifest, retry.IfNecessary(ctx, f, &c.retryOptions)
|
|
}
|
|
|
|
// checkRegistrySourcesAllows checks the $BUILD_REGISTRY_SOURCES environment
|
|
// variable, if it's set. The contents are expected to be a JSON-encoded
|
|
// github.com/openshift/api/config/v1.Image, set by an OpenShift build
|
|
// controller that arranged for us to be run in a container.
|
|
//
|
|
// If set, the insecure return value indicates whether the registry is set to
|
|
// be insecure.
|
|
//
|
|
// NOTE: this functionality is required by Buildah for OpenShift.
|
|
func checkRegistrySourcesAllows(dest types.ImageReference) (insecure *bool, err error) {
|
|
registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES")
|
|
if !ok || registrySources == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
logrus.Debugf("BUILD_REGISTRY_SOURCES set %q", registrySources)
|
|
|
|
dref := dest.DockerReference()
|
|
if dref == nil || reference.Domain(dref) == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
// Use local struct instead of github.com/openshift/api/config/v1 RegistrySources
|
|
var sources struct {
|
|
InsecureRegistries []string `json:"insecureRegistries,omitempty"`
|
|
BlockedRegistries []string `json:"blockedRegistries,omitempty"`
|
|
AllowedRegistries []string `json:"allowedRegistries,omitempty"`
|
|
}
|
|
if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
|
|
return nil, fmt.Errorf("parsing $BUILD_REGISTRY_SOURCES (%q) as JSON: %w", registrySources, err)
|
|
}
|
|
blocked := false
|
|
if len(sources.BlockedRegistries) > 0 {
|
|
for _, blockedDomain := range sources.BlockedRegistries {
|
|
if blockedDomain == reference.Domain(dref) {
|
|
blocked = true
|
|
}
|
|
}
|
|
}
|
|
if blocked {
|
|
return nil, fmt.Errorf("registry %q denied by policy: it is in the blocked registries list (%s)", reference.Domain(dref), registrySources)
|
|
}
|
|
allowed := true
|
|
if len(sources.AllowedRegistries) > 0 {
|
|
allowed = false
|
|
for _, allowedDomain := range sources.AllowedRegistries {
|
|
if allowedDomain == reference.Domain(dref) {
|
|
allowed = true
|
|
}
|
|
}
|
|
}
|
|
if !allowed {
|
|
return nil, fmt.Errorf("registry %q denied by policy: not in allowed registries list (%s)", reference.Domain(dref), registrySources)
|
|
}
|
|
|
|
for _, insecureDomain := range sources.InsecureRegistries {
|
|
if insecureDomain == reference.Domain(dref) {
|
|
insecure := true
|
|
return &insecure, nil
|
|
}
|
|
}
|
|
|
|
return nil, nil
|
|
}
|