From 27f1cc0a13c0475f23f9a360a26556b4d72f9489 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Thu, 11 Feb 2016 22:40:00 +0200 Subject: [PATCH] Add a check that will fail if we try to mislink V1 layers Also logs some useful information --- data/model/image.py | 3 ++- endpoints/v2/manifest.py | 9 ++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/data/model/image.py b/data/model/image.py index f6330eacf..0665c5750 100644 --- a/data/model/image.py +++ b/data/model/image.py @@ -133,7 +133,8 @@ def invert_placement_query_results(placement_query): def lookup_repository_images(repo, docker_image_ids): return (Image - .select() + .select(Image, ImageStorage) + .join(ImageStorage) # TODO(jschorr): Remove once no longer needed in v2/manifest.py. .where(Image.repository == repo, Image.docker_image_id << docker_image_ids)) diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py index b7d4a7bc7..405903aa7 100644 --- a/endpoints/v2/manifest.py +++ b/endpoints/v2/manifest.py @@ -4,7 +4,7 @@ import json import features from peewee import IntegrityError -from flask import make_response, request, url_for +from flask import make_response, request, url_for, abort from collections import namedtuple, OrderedDict from jwkest.jws import SIGNER_ALGS, keyrep from datetime import datetime @@ -373,6 +373,13 @@ def _write_manifest(namespace, repo_name, manifest): # If there is already a V1 image for this layer, nothing more to do. if v1_mdata.docker_id in images_map: + # Ensure that the V1 image's storage matches the V2 blob. If not, we've found + # a data inconsistency and need to fail. + v1_image = images_map[v1_mdata.docker_id] + if v1_image.storage.content_checksum != digest_str: + logger.error('Checksum mismatch on V1 layer %s (#%s): Expected digest %s, found %s', + v1_mdata.docker_id, v1_image.id, digest_str, v1_image.storage.content_checksum) + abort(500) continue # Lookup the parent image for the layer, if any.
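Review bot: `.join(ImageStorage)` is an inner join, so `lookup_repository_images` now drops any `Image` row that has no matching storage row, and it does so for every caller rather than only for v2/manifest.py. Whether such rows can exist depends on the model definition, which is outside this hunk; if they can, a left outer join would keep the old result set while still preloading `storage`. The function also has no docstring; I would add `"""Return the repo's images with the given docker IDs, each with its ImageStorage row preloaded."""` so the extra join reads as part of the contract until the TODO is resolved.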
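Review bot: The comparison `v1_image.storage.content_checksum != digest_str` cannot tell an unrecorded checksum from a wrong one: if `content_checksum` may be NULL on older storage rows (not visible here), every push that reuses such a layer would fail with a 500 and a log line reading `found None`. I would branch on `if v1_image.storage.content_checksum is None:` first and log it as unverifiable, still refusing to link, so operators can separate legacy rows from a real mislink. `v1_mdata.docker_id` appears to come from the pushed manifest, so it is client-controlled text in an error log; formatting it with `%r` instead of `%s` keeps embedded newlines from forging log lines. `_write_manifest` starts and ends outside the hunk, so I cannot see whether rows written earlier in the loop are rolled back when `abort(500)` fires.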