cri-o/server/image_pull.go

package server

import (
	"encoding/base64"
	"strings"

	"github.com/containers/image/copy"
	"github.com/containers/image/types"
	"github.com/sirupsen/logrus"
	"golang.org/x/net/context"
	pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
)

// PullImage pulls a image with authentication config.
func (s *Server) PullImage(ctx context.Context, req *pb.PullImageRequest) (*pb.PullImageResponse, error) {
	logrus.Debugf("PullImageRequest: %+v", req)
	// TODO: what else do we need here? (Signatures when the story isn't just pulling from docker://)
	image := ""
	img := req.GetImage()
	if img != nil {
		image = img.Image
	}

	var (
		images []string
		pulled string
		err    error
	)
	images, err = s.StorageImageServer().ResolveNames(image)
	if err != nil {
		return nil, err
	}
	for _, img := range images {
		var (
			username string
			password string
		)
		if req.GetAuth() != nil {
			username = req.GetAuth().Username
			password = req.GetAuth().Password
			if req.GetAuth().Auth != "" {
				username, password, err = decodeDockerAuth(req.GetAuth().Auth)
				if err != nil {
					logrus.Debugf("error decoding authentication for image %s: %v", img, err)
					continue
				}
			}
		}
		options := &copy.Options{
			SourceCtx: &types.SystemContext{},
		}
		// Specifiying a username indicates the user intends to send authentication to the registry.
		if username != "" {
			options.SourceCtx = &types.SystemContext{
				DockerAuthConfig: &types.DockerAuthConfig{
					Username: username,
					Password: password,
				},
			}
		}

		var canPull bool
		canPull, err = s.StorageImageServer().CanPull(img, options)
		if err != nil && !canPull {
			logrus.Debugf("error checking image %s: %v", img, err)
			continue
		}

		// let's be smart, docker doesn't repull if image already exists.
		_, err = s.StorageImageServer().ImageStatus(s.ImageContext(), img)
		if err == nil {
			logrus.Debugf("image %s already in store, skipping pull", img)
			pulled = img
			break
		}

		_, err = s.StorageImageServer().PullImage(s.ImageContext(), img, options)
		if err != nil {
			logrus.Debugf("error pulling image %s: %v", img, err)
			continue
		}
		pulled = img
		break
	}
	if pulled == "" && err != nil {
		return nil, err
	}
	resp := &pb.PullImageResponse{
		ImageRef: pulled,
	}
	logrus.Debugf("PullImageResponse: %+v", resp)
	return resp, nil
}

func decodeDockerAuth(s string) (string, string, error) {
	decoded, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(decoded), ":", 2)
	if len(parts) != 2 {
		// if it's invalid just skip, as docker does
		return "", "", nil
	}
	user := parts[0]
	password := strings.Trim(parts[1], "\x00")
	return user, password, nil
}
*: abstractions and ImageService plus some fix here and there Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-19 18:53:57 +00:00			`package server`

			`import (`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`"encoding/base64"`
			`"strings"`

Integrate containers/storage Use containers/storage to store images, pod sandboxes, and containers. A pod sandbox's infrastructure container has the same ID as the pod to which it belongs, and all containers also keep track of their pod's ID. The container configuration that we build using the data in a CreateContainerRequest is stored in the container's ContainerDirectory and ContainerRunDirectory. We catch SIGTERM and SIGINT, and when we receive either, we gracefully exit the grpc loop. If we also think that there aren't any container filesystems in use, we attempt to do a clean shutdown of the storage driver. The test harness now waits for ocid to exit before attempting to delete the storage root directory. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> 2016-10-18 14:48:33 +00:00			`"github.com/containers/image/copy"`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`"github.com/containers/image/types"`
Move to new github.com/sirupsen/logrus. Need to mv to latest released and supported version of logrus switch github.com/Sirupsen/logrus github.com/sirupsen/logrus Also vendor in latest containers/storage and containers/image Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2017-08-05 11:40:46 +00:00			`"github.com/sirupsen/logrus"`
*: abstractions and ImageService plus some fix here and there Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-19 18:53:57 +00:00			`"golang.org/x/net/context"`
Fix the build for ocid to cri-o rename Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2016-09-26 23:55:12 +00:00			`pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"`
*: abstractions and ImageService plus some fix here and there Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-19 18:53:57 +00:00			`)`

			`// PullImage pulls a image with authentication config.`
			`func (s Server) PullImage(ctx context.Context, req pb.PullImageRequest) (*pb.PullImageResponse, error) {`
Integrate containers/storage Use containers/storage to store images, pod sandboxes, and containers. A pod sandbox's infrastructure container has the same ID as the pod to which it belongs, and all containers also keep track of their pod's ID. The container configuration that we build using the data in a CreateContainerRequest is stored in the container's ContainerDirectory and ContainerRunDirectory. We catch SIGTERM and SIGINT, and when we receive either, we gracefully exit the grpc loop. If we also think that there aren't any container filesystems in use, we attempt to do a clean shutdown of the storage driver. The test harness now waits for ocid to exit before attempting to delete the storage root directory. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> 2016-10-18 14:48:33 +00:00			`logrus.Debugf("PullImageRequest: %+v", req)`
			`// TODO: what else do we need here? (Signatures when the story isn't just pulling from docker://)`
			`image := ""`
			`img := req.GetImage()`
			`if img != nil {`
Applying k8s.io v3 API for ocic and ocid Signed-off-by: Michał Żyłowski <michal.zylowski@intel.com> 2017-02-03 14:41:28 +00:00			`image = img.Image`
implement raw pullimage functionality Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-20 08:42:55 +00:00			`}`
image_pull: check image already pulled This is an optimization of our image pull code path. It's basically how docker handles pulls as well. Let's be smart and check the image in pull code path as well. This also matches docker behavior which first checks whether we're allowed to actually pull an image before looking into local storage. Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-06-07 17:54:02 +00:00
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`var (`
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`images []string`
			`pulled string`
			`err error`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`)`
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`images, err = s.StorageImageServer().ResolveNames(image)`
			`if err != nil {`
			`return nil, err`
			`}`
			`for _, img := range images {`
			`var (`
			`username string`
			`password string`
			`)`
			`if req.GetAuth() != nil {`
			`username = req.GetAuth().Username`
			`password = req.GetAuth().Password`
			`if req.GetAuth().Auth != "" {`
			`username, password, err = decodeDockerAuth(req.GetAuth().Auth)`
			`if err != nil {`
			`logrus.Debugf("error decoding authentication for image %s: %v", img, err)`
			`continue`
			`}`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`}`
			`}`
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`options := &copy.Options{`
			`SourceCtx: &types.SystemContext{},`
			`}`
			`// Specifiying a username indicates the user intends to send authentication to the registry.`
			`if username != "" {`
			`options.SourceCtx = &types.SystemContext{`
			`DockerAuthConfig: &types.DockerAuthConfig{`
			`Username: username,`
			`Password: password,`
			`},`
			`}`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00			`}`
image_pull: check image already pulled This is an optimization of our image pull code path. It's basically how docker handles pulls as well. Let's be smart and check the image in pull code path as well. This also matches docker behavior which first checks whether we're allowed to actually pull an image before looking into local storage. Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-06-07 17:54:02 +00:00
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`var canPull bool`
			`canPull, err = s.StorageImageServer().CanPull(img, options)`
			`if err != nil && !canPull {`
			`logrus.Debugf("error checking image %s: %v", img, err)`
			`continue`
			`}`
image_pull: check image already pulled This is an optimization of our image pull code path. It's basically how docker handles pulls as well. Let's be smart and check the image in pull code path as well. This also matches docker behavior which first checks whether we're allowed to actually pull an image before looking into local storage. Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-06-07 17:54:02 +00:00
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`// let's be smart, docker doesn't repull if image already exists.`
			`_, err = s.StorageImageServer().ImageStatus(s.ImageContext(), img)`
			`if err == nil {`
			`logrus.Debugf("image %s already in store, skipping pull", img)`
			`pulled = img`
			`break`
			`}`
image_pull: check image already pulled This is an optimization of our image pull code path. It's basically how docker handles pulls as well. Let's be smart and check the image in pull code path as well. This also matches docker behavior which first checks whether we're allowed to actually pull an image before looking into local storage. Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-06-07 17:54:02 +00:00
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`_, err = s.StorageImageServer().PullImage(s.ImageContext(), img, options)`
			`if err != nil {`
			`logrus.Debugf("error pulling image %s: %v", img, err)`
			`continue`
			`}`
			`pulled = img`
			`break`
			`}`
			`if pulled == "" && err != nil {`
implement raw pullimage functionality Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-20 08:42:55 +00:00			`return nil, err`
			`}`
server: fix ImagePullResponse Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-01-17 11:21:32 +00:00			`resp := &pb.PullImageResponse{`
*: implement additional pull registries Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-07-20 08:01:23 +00:00			`ImageRef: pulled,`
server: fix ImagePullResponse Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-01-17 11:21:32 +00:00			`}`
Integrate containers/storage Use containers/storage to store images, pod sandboxes, and containers. A pod sandbox's infrastructure container has the same ID as the pod to which it belongs, and all containers also keep track of their pod's ID. The container configuration that we build using the data in a CreateContainerRequest is stored in the container's ContainerDirectory and ContainerRunDirectory. We catch SIGTERM and SIGINT, and when we receive either, we gracefully exit the grpc loop. If we also think that there aren't any container filesystems in use, we attempt to do a clean shutdown of the storage driver. The test harness now waits for ocid to exit before attempting to delete the storage root directory. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> 2016-10-18 14:48:33 +00:00			`logrus.Debugf("PullImageResponse: %+v", resp)`
			`return resp, nil`
*: abstractions and ImageService plus some fix here and there Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-19 18:53:57 +00:00			`}`
server: add auth info to image pull Fix the following upstream k8s's e2e-node test: ``` should be able to pull from private registry with secret [Conformance] ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2017-04-10 13:00:24 +00:00
			`func decodeDockerAuth(s string) (string, string, error) {`
			`decoded, err := base64.StdEncoding.DecodeString(s)`
			`if err != nil {`
			`return "", "", err`
			`}`
			`parts := strings.SplitN(string(decoded), ":", 2)`
			`if len(parts) != 2 {`
			`// if it's invalid just skip, as docker does`
			`return "", "", nil`
			`}`
			`user := parts[0]`
			`password := strings.Trim(parts[1], "\x00")`
			`return user, password, nil`
			`}`