Fix backfills of super large manifests by stripping metadata from all but the final layer
This is semantically valid because Docker only uses the leaf layer as the image config when reading a V2_1 manifest Fixes https://jira.coreos.com/browse/QUAY-1351
This commit is contained in:
Joseph Schorr
parent
6b30702699
commit
bacf074219
4 changed files with 166 additions and 11 deletions
|
|
@ -17,6 +17,8 @@ from image.docker.schema2 import EMPTY_LAYER_BLOB_DIGEST
|
|||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# The maximum size for generated manifest after which we remove extra metadata.
|
||||
MAXIMUM_GENERATED_MANIFEST_SIZE = 3 * 1024 * 1024 # 3 MB
|
||||
|
||||
class SharedModel:
|
||||
"""
|
||||
|
|
@ -445,9 +447,19 @@ class SharedModel:
|
|||
|
||||
builder.add_layer(parent_image.storage.content_checksum, parent_image.v1_json_metadata)
|
||||
|
||||
# Sign the manifest with our signing key.
|
||||
try:
|
||||
return builder.build(docker_v2_signing_key)
|
||||
built_manifest = builder.build(docker_v2_signing_key)
|
||||
|
||||
# If the generated manifest is greater than the maximum size, regenerate it with
|
||||
# intermediate metadata layers stripped down to their bare essentials.
|
||||
if len(built_manifest.bytes.as_encoded_str()) > MAXIMUM_GENERATED_MANIFEST_SIZE:
|
||||
built_manifest = builder.with_metadata_removed().build(docker_v2_signing_key)
|
||||
|
||||
if len(built_manifest.bytes.as_encoded_str()) > MAXIMUM_GENERATED_MANIFEST_SIZE:
|
||||
logger.error('Legacy image is too large to generate manifest')
|
||||
return None
|
||||
|
||||
return built_manifest
|
||||
except ManifestException as me:
|
||||
logger.exception('Got exception when trying to build manifest for legacy image %s',
|
||||
legacy_image_row)
|
||||
|
|
|
|||
Reference in a new issue