import hashlib from contextlib import contextmanager from app import storage, docker_v2_signing_key from data import model, database from endpoints.v2.manifest import _write_manifest from image.docker.schema1 import DockerSchema1ManifestBuilder from test.fixtures import * ADMIN_ACCESS_USER = 'devtable' REPO = 'simple' FIRST_TAG = 'first' SECOND_TAG = 'second' THIRD_TAG = 'third' @contextmanager def set_tag_expiration_policy(namespace, expiration_s=0): namespace_user = model.user.get_user(namespace) model.user.change_user_tag_expiration(namespace_user, expiration_s) yield def _perform_cleanup(): database.RepositoryTag.delete().where(database.RepositoryTag.hidden == True).execute() repo_object = model.repository.get_repository(ADMIN_ACCESS_USER, REPO) model.repository.garbage_collect_repo(repo_object) def test_missing_link(initialized_db): """ Tests for a corner case that could result in missing a link to a blob referenced by a manifest. The test exercises the case as follows: 1) Push a manifest of a single layer with a Docker ID `FIRST_ID`, pointing to blob `FIRST_BLOB`. The database should contain the tag referencing the layer, with no changed ID and the blob not being GCed. 2) Push a manifest of two layers: Layer 1: `FIRST_ID` with blob `SECOND_BLOB`: Will result in a new synthesized ID Layer 2: `SECOND_ID` with blob `THIRD_BLOB`: Will result in `SECOND_ID` pointing to the `THIRD_BLOB`, with a parent pointing to the new synthesized ID's layer. 3) Push a manifest of two layers: Layer 1: `THIRD_ID` with blob `FOURTH_BLOB`: Will result in a new `THIRD_ID` layer Layer 2: `FIRST_ID` with blob `THIRD_BLOB`: Since `FIRST_ID` already points to `SECOND_BLOB`, this will synthesize a new ID. With the current bug, the synthesized ID will match that of `SECOND_ID`, leaving `THIRD_ID` unlinked and therefore, after a GC, missing `FOURTH_BLOB`. """ with set_tag_expiration_policy('devtable', 0): location_name = storage.preferred_locations[0] location = database.ImageStorageLocation.get(name=location_name) # Create first blob. first_blob_sha = 'sha256:' + hashlib.sha256("FIRST").hexdigest() model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, first_blob_sha, location, 0, 0, 0) # Push the first manifest. first_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, FIRST_TAG) .add_layer(first_blob_sha, '{"id": "first"}') .build(docker_v2_signing_key)) _write_manifest(ADMIN_ACCESS_USER, REPO, first_manifest) # Delete all temp tags and perform GC. _perform_cleanup() # Ensure that the first blob still exists, along with the first tag. assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, first_blob_sha) is not None assert model.tag.load_tag_manifest(ADMIN_ACCESS_USER, REPO, FIRST_TAG) is not None assert model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, FIRST_TAG).docker_image_id == 'first' # Create the second and third blobs. second_blob_sha = 'sha256:' + hashlib.sha256("SECOND").hexdigest() third_blob_sha = 'sha256:' + hashlib.sha256("THIRD").hexdigest() model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, second_blob_sha, location, 0, 0, 0) model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, third_blob_sha, location, 0, 0, 0) # Push the second manifest. second_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, SECOND_TAG) .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}') .add_layer(second_blob_sha, '{"id": "first"}') .build(docker_v2_signing_key)) _write_manifest(ADMIN_ACCESS_USER, REPO, second_manifest) # Delete all temp tags and perform GC. _perform_cleanup() # Ensure that the first and second blobs still exists, along with the second tag. assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, first_blob_sha) is not None assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, second_blob_sha) is not None assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, third_blob_sha) is not None assert model.tag.load_tag_manifest(ADMIN_ACCESS_USER, REPO, FIRST_TAG) is not None assert model.tag.load_tag_manifest(ADMIN_ACCESS_USER, REPO, SECOND_TAG) is not None assert model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, FIRST_TAG).docker_image_id == 'first' # Ensure the IDs have changed. assert model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, SECOND_TAG).parent.docker_image_id != 'first' assert model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, SECOND_TAG).docker_image_id != 'second' # Create the fourth blob. fourth_blob_sha = 'sha256:' + hashlib.sha256("FOURTH").hexdigest() model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, fourth_blob_sha, location, 0, 0, 0) # Push the third manifest. third_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, THIRD_TAG) .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}') .add_layer(fourth_blob_sha, '{"id": "first"}') # Note the change in BLOB from the second manifest. .build(docker_v2_signing_key)) _write_manifest(ADMIN_ACCESS_USER, REPO, third_manifest) # Delete all temp tags and perform GC. _perform_cleanup() # Ensure all blobs are present. assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, first_blob_sha) is not None assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, second_blob_sha) is not None assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, third_blob_sha) is not None assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, fourth_blob_sha) is not None # Ensure new synthesized IDs were created. second_tag_id = model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, SECOND_TAG).docker_image_id third_tag_id = model.tag.get_tag_image(ADMIN_ACCESS_USER, REPO, THIRD_TAG).docker_image_id assert second_tag_id != third_tag_id