Fixes to ensuring existing code can process schema 2 manifests
This commit is contained in:
parent
9474fb7833
commit
7b9f56eff3
10 changed files with 91 additions and 21 deletions
|
@ -282,7 +282,7 @@ class RegistryDataInterface(object):
|
||||||
"""
|
"""
|
||||||
Mounts the blob from another repository into the specified target repository, and adds an
|
Mounts the blob from another repository into the specified target repository, and adds an
|
||||||
expiration before that blob is automatically GCed. This function is useful during push
|
expiration before that blob is automatically GCed. This function is useful during push
|
||||||
operations if an existing blob from another repositroy is being pushed. Returns False if
|
operations if an existing blob from another repository is being pushed. Returns False if
|
||||||
the mounting fails. Note that this function does *not* check security for mounting the blob
|
the mounting fails. Note that this function does *not* check security for mounting the blob
|
||||||
and the caller is responsible for doing this check (an example can be found in
|
and the caller is responsible for doing this check (an example can be found in
|
||||||
endpoints/v2/blob.py).
|
endpoints/v2/blob.py).
|
||||||
|
@ -293,3 +293,7 @@ class RegistryDataInterface(object):
|
||||||
"""
|
"""
|
||||||
Sets the expiration on all tags that point to the given manifest to that specified.
|
Sets the expiration on all tags that point to the given manifest to that specified.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@abstractmethod
|
||||||
|
def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
|
||||||
|
""" Returns the schema 1 version of this manifest, or None if none. """
|
||||||
|
|
|
@ -8,9 +8,11 @@ from data import model
|
||||||
from data.model import oci, DataModelException
|
from data.model import oci, DataModelException
|
||||||
from data.database import db_transaction, Image
|
from data.database import db_transaction, Image
|
||||||
from data.registry_model.interface import RegistryDataInterface
|
from data.registry_model.interface import RegistryDataInterface
|
||||||
from data.registry_model.datatypes import Tag, Manifest, LegacyImage, Label, SecurityScanStatus
|
from data.registry_model.datatypes import (Tag, Manifest, LegacyImage, Label, SecurityScanStatus,
|
||||||
|
RepositoryReference)
|
||||||
from data.registry_model.shared import SharedModel
|
from data.registry_model.shared import SharedModel
|
||||||
from data.registry_model.label_handlers import apply_label_to_manifest
|
from data.registry_model.label_handlers import apply_label_to_manifest
|
||||||
|
from image.docker import ManifestException
|
||||||
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -420,5 +422,27 @@ class OCIModel(SharedModel, RegistryDataInterface):
|
||||||
"""
|
"""
|
||||||
oci.tag.set_tag_expiration_sec_for_manifest(manifest._db_id, expiration_sec)
|
oci.tag.set_tag_expiration_sec_for_manifest(manifest._db_id, expiration_sec)
|
||||||
|
|
||||||
|
def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
|
||||||
|
""" Returns the schema 1 manifest for this manifest, or None if none. """
|
||||||
|
try:
|
||||||
|
parsed = manifest.get_parsed_manifest()
|
||||||
|
except ManifestException:
|
||||||
|
return None
|
||||||
|
|
||||||
|
try:
|
||||||
|
manifest_row = database.Manifest.get(id=manifest._db_id)
|
||||||
|
except database.Manifest.DoesNotExist:
|
||||||
|
return None
|
||||||
|
|
||||||
|
repository_ref = RepositoryReference.for_id(manifest_row.repository_id)
|
||||||
|
|
||||||
|
def _lookup_blob(digest):
|
||||||
|
blob = self.get_repo_blob_by_digest(repository_ref, digest, include_placements=True)
|
||||||
|
if blob is None:
|
||||||
|
return None
|
||||||
|
|
||||||
|
return storage.get_content(blob.placements, blob.storage_path)
|
||||||
|
|
||||||
|
return parsed.get_v1_compatible_manifest(namespace_name, repo_name, tag_name, _lookup_blob)
|
||||||
|
|
||||||
oci_model = OCIModel()
|
oci_model = OCIModel()
|
||||||
|
|
|
@ -527,4 +527,12 @@ class PreOCIModel(SharedModel, RegistryDataInterface):
|
||||||
|
|
||||||
model.tag.set_tag_expiration_for_manifest(tag_manifest, expiration_sec)
|
model.tag.set_tag_expiration_for_manifest(tag_manifest, expiration_sec)
|
||||||
|
|
||||||
|
def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
|
||||||
|
""" Returns the schema 1 version of this manifest, or None if none. """
|
||||||
|
try:
|
||||||
|
return manifest.get_parsed_manifest()
|
||||||
|
except ManifestException:
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
pre_oci_model = PreOCIModel()
|
pre_oci_model = PreOCIModel()
|
||||||
|
|
|
@ -317,7 +317,8 @@ class SharedModel:
|
||||||
logger.exception('Could not parse and validate manifest `%s`', manifest._db_id)
|
logger.exception('Could not parse and validate manifest `%s`', manifest._db_id)
|
||||||
return None
|
return None
|
||||||
|
|
||||||
blob_query = model.storage.lookup_repo_storages_by_content_checksum(repo_id, parsed.checksums)
|
blob_query = model.storage.lookup_repo_storages_by_content_checksum(repo_id,
|
||||||
|
parsed.blob_digests)
|
||||||
storage_map = {blob.content_checksum: blob for blob in blob_query}
|
storage_map = {blob.content_checksum: blob for blob in blob_query}
|
||||||
|
|
||||||
manifest_layers = []
|
manifest_layers = []
|
||||||
|
|
|
@ -95,6 +95,9 @@ def test_lookup_manifests(repo_namespace, repo_name, registry_model):
|
||||||
assert found.legacy_image
|
assert found.legacy_image
|
||||||
assert found.legacy_image.parents
|
assert found.legacy_image.parents
|
||||||
|
|
||||||
|
schema1_parsed = registry_model.get_schema1_parsed_manifest(found, 'foo', 'bar', 'baz', storage)
|
||||||
|
assert schema1_parsed is not None
|
||||||
|
|
||||||
|
|
||||||
def test_lookup_unknown_manifest(registry_model):
|
def test_lookup_unknown_manifest(registry_model):
|
||||||
repo = model.repository.get_repository('devtable', 'simple')
|
repo = model.repository.get_repository('devtable', 'simple')
|
||||||
|
|
|
@ -56,7 +56,13 @@ def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
||||||
# Something went wrong.
|
# Something went wrong.
|
||||||
raise ManifestInvalid()
|
raise ManifestInvalid()
|
||||||
|
|
||||||
manifest = _rewrite_to_schema1_if_necessary(namespace_name, repo_name, manifest_ref, manifest)
|
try:
|
||||||
|
parsed = manifest.get_parsed_manifest()
|
||||||
|
except ManifestException:
|
||||||
|
logger.exception('Got exception when trying to parse manifest `%s`', manifest_ref)
|
||||||
|
raise ManifestInvalid()
|
||||||
|
|
||||||
|
manifest = _rewrite_to_schema1_if_necessary(namespace_name, repo_name, manifest_ref, parsed)
|
||||||
if manifest is None:
|
if manifest is None:
|
||||||
raise ManifestUnknown()
|
raise ManifestUnknown()
|
||||||
|
|
||||||
|
@ -65,7 +71,7 @@ def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
||||||
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
||||||
|
|
||||||
return Response(
|
return Response(
|
||||||
manifest.manifest_bytes,
|
manifest.bytes,
|
||||||
status=200,
|
status=200,
|
||||||
headers={
|
headers={
|
||||||
'Content-Type': manifest.media_type,
|
'Content-Type': manifest.media_type,
|
||||||
|
@ -88,14 +94,20 @@ def fetch_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
||||||
if manifest is None:
|
if manifest is None:
|
||||||
raise ManifestUnknown()
|
raise ManifestUnknown()
|
||||||
|
|
||||||
manifest = _rewrite_to_schema1_if_necessary(namespace_name, repo_name, '$digest', manifest)
|
try:
|
||||||
|
parsed = manifest.get_parsed_manifest()
|
||||||
|
except ManifestException:
|
||||||
|
logger.exception('Got exception when trying to parse manifest `%s`', manifest_ref)
|
||||||
|
raise ManifestInvalid()
|
||||||
|
|
||||||
|
manifest = _rewrite_to_schema1_if_necessary(namespace_name, repo_name, '$digest', parsed)
|
||||||
if manifest is None:
|
if manifest is None:
|
||||||
raise ManifestUnknown()
|
raise ManifestUnknown()
|
||||||
|
|
||||||
track_and_log('pull_repo', repository_ref, manifest_digest=manifest_ref)
|
track_and_log('pull_repo', repository_ref, manifest_digest=manifest_ref)
|
||||||
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
||||||
|
|
||||||
return Response(manifest.manifest_bytes, status=200, headers={
|
return Response(manifest.bytes, status=200, headers={
|
||||||
'Content-Type': manifest.media_type,
|
'Content-Type': manifest.media_type,
|
||||||
'Docker-Content-Digest': manifest.digest,
|
'Docker-Content-Digest': manifest.digest,
|
||||||
})
|
})
|
||||||
|
@ -106,7 +118,8 @@ def _rewrite_to_schema1_if_necessary(namespace_name, repo_name, tag_name, manife
|
||||||
# media type is not in the Accept header, we return a schema 1 version of the manifest for
|
# media type is not in the Accept header, we return a schema 1 version of the manifest for
|
||||||
# the amd64+linux platform, if any, or None if none.
|
# the amd64+linux platform, if any, or None if none.
|
||||||
# See: https://docs.docker.com/registry/spec/manifest-v2-2
|
# See: https://docs.docker.com/registry/spec/manifest-v2-2
|
||||||
if len(request.accept_mimetypes) != 0 and manifest.media_type in request.accept_mimetypes:
|
mimetypes = [mimetype for mimetype, _ in request.accept_mimetypes]
|
||||||
|
if manifest.media_type in mimetypes:
|
||||||
return manifest
|
return manifest
|
||||||
|
|
||||||
def lookup_fn(config_or_manifest_digest):
|
def lookup_fn(config_or_manifest_digest):
|
||||||
|
|
|
@ -16,6 +16,7 @@ from data.registry_model import registry_model
|
||||||
from endpoints.decorators import anon_protect, anon_allowed, route_show_if, parse_repository_name
|
from endpoints.decorators import anon_protect, anon_allowed, route_show_if, parse_repository_name
|
||||||
from endpoints.v2.blob import BLOB_DIGEST_ROUTE
|
from endpoints.v2.blob import BLOB_DIGEST_ROUTE
|
||||||
from image.appc import AppCImageFormatter
|
from image.appc import AppCImageFormatter
|
||||||
|
from image.docker import ManifestException
|
||||||
from image.docker.squashed import SquashedDockerImageFormatter
|
from image.docker.squashed import SquashedDockerImageFormatter
|
||||||
from storage import Storage
|
from storage import Storage
|
||||||
from util.audit import track_and_log, wrap_repository
|
from util.audit import track_and_log, wrap_repository
|
||||||
|
@ -42,7 +43,7 @@ class VerbReporter(TarLayerFormatterReporter):
|
||||||
metric_queue.verb_action_passes.Inc(labelvalues=[self.kind, pass_count])
|
metric_queue.verb_action_passes.Inc(labelvalues=[self.kind, pass_count])
|
||||||
|
|
||||||
|
|
||||||
def _open_stream(formatter, tag, manifest, derived_image_id, handlers, reporter):
|
def _open_stream(formatter, tag, manifest, schema1_manifest, derived_image_id, handlers, reporter):
|
||||||
"""
|
"""
|
||||||
This method generates a stream of data which will be replicated and read from the queue files.
|
This method generates a stream of data which will be replicated and read from the queue files.
|
||||||
This method runs in a separate process.
|
This method runs in a separate process.
|
||||||
|
@ -68,7 +69,7 @@ def _open_stream(formatter, tag, manifest, derived_image_id, handlers, reporter)
|
||||||
for layer in reversed(layers):
|
for layer in reversed(layers):
|
||||||
yield image_stream_getter(store, layer.blob)
|
yield image_stream_getter(store, layer.blob)
|
||||||
|
|
||||||
stream = formatter.build_stream(tag, manifest, derived_image_id, layers,
|
stream = formatter.build_stream(tag, schema1_manifest, derived_image_id, layers,
|
||||||
tar_stream_getter_iterator, reporter=reporter)
|
tar_stream_getter_iterator, reporter=reporter)
|
||||||
|
|
||||||
for handler_fn in handlers:
|
for handler_fn in handlers:
|
||||||
|
@ -220,9 +221,21 @@ def _verify_repo_verb(_, namespace, repo_name, tag_name, verb, checker=None):
|
||||||
logger.debug('Could not get manifest on %s/%s:%s::%s', namespace, repo_name, tag.name, verb)
|
logger.debug('Could not get manifest on %s/%s:%s::%s', namespace, repo_name, tag.name, verb)
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
|
# Ensure the manifest is not a list.
|
||||||
|
try:
|
||||||
|
schema1_manifest = registry_model.get_schema1_parsed_manifest(manifest, namespace,
|
||||||
|
repo_name, tag.name,
|
||||||
|
storage)
|
||||||
|
except ManifestException:
|
||||||
|
logger.exception('Could not get manifest on %s/%s:%s::%s', namespace, repo_name, tag.name, verb)
|
||||||
|
abort(400)
|
||||||
|
|
||||||
|
if schema1_manifest is None:
|
||||||
|
abort(404)
|
||||||
|
|
||||||
# If there is a data checker, call it first.
|
# If there is a data checker, call it first.
|
||||||
if checker is not None:
|
if checker is not None:
|
||||||
if not checker(tag, manifest):
|
if not checker(tag, schema1_manifest):
|
||||||
logger.debug('Check mismatch on %s/%s:%s, verb %s', namespace, repo_name, tag.name, verb)
|
logger.debug('Check mismatch on %s/%s:%s, verb %s', namespace, repo_name, tag.name, verb)
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
|
@ -230,12 +243,12 @@ def _verify_repo_verb(_, namespace, repo_name, tag_name, verb, checker=None):
|
||||||
assert tag.repository.namespace_name
|
assert tag.repository.namespace_name
|
||||||
assert tag.repository.name
|
assert tag.repository.name
|
||||||
|
|
||||||
return tag, manifest
|
return tag, manifest, schema1_manifest
|
||||||
|
|
||||||
|
|
||||||
def _repo_verb_signature(namespace, repository, tag_name, verb, checker=None, **kwargs):
|
def _repo_verb_signature(namespace, repository, tag_name, verb, checker=None, **kwargs):
|
||||||
# Verify that the tag exists and that we have access to it.
|
# Verify that the tag exists and that we have access to it.
|
||||||
tag, manifest = _verify_repo_verb(storage, namespace, repository, tag_name, verb, checker)
|
tag, manifest, _ = _verify_repo_verb(storage, namespace, repository, tag_name, verb, checker)
|
||||||
|
|
||||||
# Find the derived image storage for the verb.
|
# Find the derived image storage for the verb.
|
||||||
derived_image = registry_model.lookup_derived_image(manifest, verb,
|
derived_image = registry_model.lookup_derived_image(manifest, verb,
|
||||||
|
@ -261,7 +274,8 @@ def _repo_verb(namespace, repository, tag_name, verb, formatter, sign=False, che
|
||||||
# Verify that the image exists and that we have access to it.
|
# Verify that the image exists and that we have access to it.
|
||||||
logger.debug('Verifying repo verb %s for repository %s/%s with user %s with mimetype %s',
|
logger.debug('Verifying repo verb %s for repository %s/%s with user %s with mimetype %s',
|
||||||
verb, namespace, repository, get_authenticated_user(), request.accept_mimetypes.best)
|
verb, namespace, repository, get_authenticated_user(), request.accept_mimetypes.best)
|
||||||
tag, manifest = _verify_repo_verb(storage, namespace, repository, tag_name, verb, checker)
|
tag, manifest, schema1_manifest = _verify_repo_verb(storage, namespace, repository,
|
||||||
|
tag_name, verb, checker)
|
||||||
|
|
||||||
# Load the repository for later.
|
# Load the repository for later.
|
||||||
repo = model.repository.get_repository(namespace, repository)
|
repo = model.repository.get_repository(namespace, repository)
|
||||||
|
@ -323,7 +337,7 @@ def _repo_verb(namespace, repository, tag_name, verb, formatter, sign=False, che
|
||||||
# and send the results to the client and storage.
|
# and send the results to the client and storage.
|
||||||
handlers = [hasher.update]
|
handlers = [hasher.update]
|
||||||
reporter = VerbReporter(verb)
|
reporter = VerbReporter(verb)
|
||||||
args = (formatter, tag, manifest, derived_image.unique_id, handlers, reporter)
|
args = (formatter, tag, manifest, schema1_manifest, derived_image.unique_id, handlers, reporter)
|
||||||
queue_process = QueueProcess(
|
queue_process = QueueProcess(
|
||||||
_open_stream,
|
_open_stream,
|
||||||
8 * 1024,
|
8 * 1024,
|
||||||
|
@ -360,7 +374,7 @@ def _repo_verb(namespace, repository, tag_name, verb, formatter, sign=False, che
|
||||||
def os_arch_checker(os, arch):
|
def os_arch_checker(os, arch):
|
||||||
def checker(tag, manifest):
|
def checker(tag, manifest):
|
||||||
try:
|
try:
|
||||||
image_json = json.loads(manifest.get_parsed_manifest().leaf_layer.raw_v1_metadata)
|
image_json = json.loads(manifest.leaf_layer.raw_v1_metadata)
|
||||||
except ValueError:
|
except ValueError:
|
||||||
logger.exception('Could not parse leaf layer JSON for manifest %s', manifest)
|
logger.exception('Could not parse leaf layer JSON for manifest %s', manifest)
|
||||||
return False
|
return False
|
||||||
|
|
|
@ -18,10 +18,9 @@ class AppCImageFormatter(TarImageFormatter):
|
||||||
Image formatter which produces an tarball according to the AppC specification.
|
Image formatter which produces an tarball according to the AppC specification.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def stream_generator(self, tag, manifest, synthetic_image_id, layer_iterator,
|
def stream_generator(self, tag, parsed_manifest, synthetic_image_id, layer_iterator,
|
||||||
tar_stream_getter_iterator, reporter=None):
|
tar_stream_getter_iterator, reporter=None):
|
||||||
image_mtime = 0
|
image_mtime = 0
|
||||||
parsed_manifest = manifest.get_parsed_manifest()
|
|
||||||
created = parsed_manifest.created_datetime
|
created = parsed_manifest.created_datetime
|
||||||
if created is not None:
|
if created is not None:
|
||||||
image_mtime = calendar.timegm(created.utctimetuple())
|
image_mtime = calendar.timegm(created.utctimetuple())
|
||||||
|
|
|
@ -191,6 +191,11 @@ class DockerSchema2Config(object):
|
||||||
""" Returns the size of this config object. """
|
""" Returns the size of this config object. """
|
||||||
return len(self._config_bytes)
|
return len(self._config_bytes)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def bytes(self):
|
||||||
|
""" Returns the bytes of this config object. """
|
||||||
|
return self._config_bytes
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def labels(self):
|
def labels(self):
|
||||||
""" Returns a dictionary of all the labels defined in this configuration. """
|
""" Returns a dictionary of all the labels defined in this configuration. """
|
||||||
|
|
|
@ -28,10 +28,9 @@ class SquashedDockerImageFormatter(TarImageFormatter):
|
||||||
# daemon dies when trying to load the entire tar into memory.
|
# daemon dies when trying to load the entire tar into memory.
|
||||||
SIZE_MULTIPLIER = 1.2
|
SIZE_MULTIPLIER = 1.2
|
||||||
|
|
||||||
def stream_generator(self, tag, manifest, synthetic_image_id, layer_iterator,
|
def stream_generator(self, tag, parsed_manifest, synthetic_image_id, layer_iterator,
|
||||||
tar_stream_getter_iterator, reporter=None):
|
tar_stream_getter_iterator, reporter=None):
|
||||||
image_mtime = 0
|
image_mtime = 0
|
||||||
parsed_manifest = manifest.get_parsed_manifest()
|
|
||||||
created = parsed_manifest.created_datetime
|
created = parsed_manifest.created_datetime
|
||||||
if created is not None:
|
if created is not None:
|
||||||
image_mtime = calendar.timegm(created.utctimetuple())
|
image_mtime = calendar.timegm(created.utctimetuple())
|
||||||
|
|
Reference in a new issue