particle-os/debian-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge/sources/org.osbuild.skopeo
Christian Kellner 51315a985a stages/skopeo: use extra intermediate download dir 
Instead of downloading the image directly to the temporary directory
and then moving that temporary directory into the cache use one more
intermediate directory and move that into the cache. The reason is
that on Python 3.6 removing the temporary directory itself will make
Python crash like this:

Python 3.6.8 (default, Sep  9 2021, 07:49:02)
[GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> with tempfile.TemporaryDirectory(prefix="tmp-download-") as tmpdir:
...     import os
...     os.rename(tmpdir, "/tmp/foo")

Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
  File "/usr/lib64/python3.6/tempfile.py", line 809, in __exit__
    self.cleanup()
  File "/usr/lib64/python3.6/tempfile.py", line 813, in cleanup
    _shutil.rmtree(self.name)
  File "/usr/lib64/python3.6/shutil.py", line 477, in rmtree
    onerror(os.lstat, path, sys.exc_info())
  File "/usr/lib64/python3.6/shutil.py", line 475, in rmtree
    orig_st = os.lstat(path)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmp-download-adl86mwa'
2022-07-19 19:52:25 +02:00

125 lines
3.9 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python3
"""Fetch container image from a registry using skopeo
Buildhost commands used: `skopeo`.
"""
import errno
import os
import sys
import subprocess
import tempfile
import hashlib
from osbuild import sources
from osbuild.util import ctx
SCHEMA = """
"additionalProperties": false,
"definitions": {
"item": {
"description": "The container image to fetch indexed by the container image id",
"type": "object",
"additionalProperties": false,
"patternProperties": {
"sha256:[0-9a-f]{64}": {
"type": "object",
"additionalProperties": false,
"required": ["image"],
"properties": {
"image": {
"type": "object",
"additionalProperties": false,
"required": ["name", "digest"],
"properties": {
"name": {
"type": "string",
"description": "Name of the image (including registry)."
},
"digest": {
"type": "string",
"description": "Digest of image in registry.",
"pattern": "sha256:[0-9a-f]{64}"
},
"tls-verify": {
"type": "boolean",
"description": "Require https (default true)."
}
}
}
}
}
}
}
},
"properties": {
"items": {"$ref": "#/definitions/item"},
"digests": {"$ref": "#/definitions/item"}
},
"oneOf": [{
"required": ["items"]
}, {
"required": ["digests"]
}]
"""
class SkopeoSource(sources.SourceService):
content_type = "org.osbuild.containers"
def fetch_one(self, checksum, desc):
image_id = checksum
image = desc["image"]
imagename = image["name"]
digest = image["digest"]
tls_verify = image.get("tls-verify", True)
with tempfile.TemporaryDirectory(prefix="tmp-download-", dir=self.cache) as tmpdir:
archive_dir = os.path.join(tmpdir, "container-archive")
os.makedirs(archive_dir)
os.chmod(archive_dir, 0o755)
archive_path = os.path.join(archive_dir, "container-image.tar")
source = f"docker://{imagename}@{digest}"
# We use the docker format, not oci, because that is the
# default return image type of real world registries,
# allowing the image to get the same image id as if you
# did "podman pull" (rather than converting the image to
# oci format, changing the id)
destination = f"docker-archive:{archive_path}"
extra_args = []
# The archive format can't store signatures, but we still verify them during download
extra_args.append("--remove-signatures")
if not tls_verify:
extra_args.append("--src-tls-verify=false")
subprocess.run(["skopeo", "copy"] + extra_args + [source, destination],
encoding="utf-8",
check=True)
# Verify that the digest supplied downloaded the correct container image id.
# The image id is the digest of the config, but skopeo can' currently
# get the config id, only the full config, so we checksum it ourselves.
res = subprocess.check_output(["skopeo", "inspect", "--raw", "--config", destination])
downloaded_id = "sha256:" + hashlib.sha256(res).hexdigest()
if downloaded_id != image_id:
raise RuntimeError(
f"Downloaded image {imagename}@{digest} has a id of {downloaded_id}, but expected {image_id}")
# Atomically move download dir into place on successful download
with ctx.suppress_oserror(errno.ENOTEMPTY, errno.EEXIST):
os.rename(archive_dir, f"{self.cache}/{image_id}")
def main():
service = SkopeoSource.from_args(sys.argv[1:])
service.main()
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink