mirror of
https://github.com/containers/podman.git
synced 2025-08-01 07:40:22 +08:00
ea4775ec9e
allow podman machine to extract its disk image from an oci registry or oci-dir locally. for now, the image must be relatively inflexible. it must have 1 layer. the layer must possess one image. so a dockerfile like: FROM scratch COPY ./myimage.xz /myimage.xz when using an oci dir, the directory structure must adhere to the typical directory structure of a an oci image (with one layer). ── blobs │ └── sha256 │ ├── 53735773573b3853bb1cae16dd21061beb416239ceb78d4ef1f2a0609f7e843b │ ├── 80577866ec13c041693e17de61444b4696137623803c3d87f92e4f28a1f4e87b │ └── af57637ac1ab12f833e3cfa886027cc9834a755a437d0e1cf48b5d4778af7a4e ├── index.json └── oci-layout in order to identify this new input, you must use a transport/schema to differentiate from current podman machine init --image-path behavior. we will support `oci-dir://` and `docker://` as transports. when using the docker transport, you can only use an empty transport for input. for example, `podman machine init --image-path docker://`. A fully quailified image name will be supported in the next iteration. the transport absent anything means, i want to pull the default fcos image stored in a registry. podman will determine its current version and then look for its correlating manifest. in this default use case, it would look for: quay.io/libpod/podman-machine-images:<version> that manifest would then point to specific images that contain the correct arch and provider disk image. i.e. quay.io/libpod/podman-machine-images:4.6-qcow2 this PR does not enable something like docker://quay.io/mycorp/myimage:latest yet. names, addresses, andf schema/transports are all subject to change. the plan is to keep this all undocumented until things firm up. [NO NEW TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
111 lines
3.1 KiB
Go
111 lines
3.1 KiB
Go
package ocipull
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/containers/buildah/pkg/parse"
|
|
"github.com/containers/image/v5/copy"
|
|
"github.com/containers/image/v5/oci/layout"
|
|
"github.com/containers/image/v5/pkg/shortnames"
|
|
"github.com/containers/image/v5/signature"
|
|
"github.com/containers/image/v5/transports/alltransports"
|
|
"github.com/containers/image/v5/types"
|
|
specV1 "github.com/opencontainers/image-spec/specs-go/v1"
|
|
)
|
|
|
|
// PullOptions includes data to alter certain knobs when pulling a source
|
|
// image.
|
|
type PullOptions struct {
|
|
// Require HTTPS and verify certificates when accessing the registry.
|
|
TLSVerify bool
|
|
// [username[:password] to use when connecting to the registry.
|
|
Credentials string
|
|
// Quiet the progress bars when pushing.
|
|
Quiet bool
|
|
}
|
|
|
|
// Pull `imageInput` from a container registry to `sourcePath`.
|
|
func Pull(ctx context.Context, imageInput string, sourcePath string, options PullOptions) error {
|
|
if _, err := os.Stat(sourcePath); err == nil {
|
|
return fmt.Errorf("%q already exists", sourcePath)
|
|
}
|
|
|
|
srcRef, err := stringToImageReference(imageInput)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
destRef, err := layout.ParseReference(sourcePath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
sysCtx := &types.SystemContext{
|
|
DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
|
|
}
|
|
if options.Credentials != "" {
|
|
authConf, err := parse.AuthConfig(options.Credentials)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
sysCtx.DockerAuthConfig = authConf
|
|
}
|
|
|
|
if err := validateSourceImageReference(ctx, srcRef, sysCtx); err != nil {
|
|
return err
|
|
}
|
|
|
|
policy, err := signature.DefaultPolicy(sysCtx)
|
|
if err != nil {
|
|
return fmt.Errorf("obtaining default signature policy: %w", err)
|
|
}
|
|
policyContext, err := signature.NewPolicyContext(policy)
|
|
if err != nil {
|
|
return fmt.Errorf("creating new signature policy context: %w", err)
|
|
}
|
|
|
|
copyOpts := copy.Options{
|
|
SourceCtx: sysCtx,
|
|
}
|
|
if !options.Quiet {
|
|
copyOpts.ReportWriter = os.Stderr
|
|
}
|
|
if _, err := copy.Image(ctx, policyContext, destRef, srcRef, ©Opts); err != nil {
|
|
return fmt.Errorf("pulling source image: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func stringToImageReference(imageInput string) (types.ImageReference, error) {
|
|
if shortnames.IsShortName(imageInput) {
|
|
return nil, fmt.Errorf("pulling source images by short name (%q) is not supported, please use a fully-qualified name", imageInput)
|
|
}
|
|
|
|
ref, err := alltransports.ParseImageName("docker://" + imageInput)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parsing image name: %w", err)
|
|
}
|
|
|
|
return ref, nil
|
|
}
|
|
|
|
func validateSourceImageReference(ctx context.Context, ref types.ImageReference, sysCtx *types.SystemContext) error {
|
|
src, err := ref.NewImageSource(ctx, sysCtx)
|
|
if err != nil {
|
|
return fmt.Errorf("creating image source from reference: %w", err)
|
|
}
|
|
defer src.Close()
|
|
|
|
ociManifest, _, _, err := readManifestFromImageSource(ctx, src)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if ociManifest.Config.MediaType != specV1.MediaTypeImageConfig {
|
|
return fmt.Errorf("invalid media type of image config %q (expected: %q)", ociManifest.Config.MediaType, specV1.MediaTypeImageConfig)
|
|
}
|
|
|
|
return nil
|
|
}
|