particle-os/debian-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge/sources/org.osbuild.skopeo
Christian Kellner 4647140808 source/skopeo: use subprocess.check_output 
Use `subprocess.check_output` instead of `run(..., capture_output=True)`
since the latter only got added in Python 3.7 and our codebase needs to
be compatible with 3.6 due to RHEL 8.x.
2022-07-13 20:06:42 +02:00

123 lines
3.8 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python3
"""Fetch container image from a registry using skopeo
Buildhost commands used: `skopeo`.
"""
import errno
import os
import sys
import subprocess
import tempfile
import hashlib
from osbuild import sources
from osbuild.util import ctx
SCHEMA = """
"additionalProperties": false,
"definitions": {
"item": {
"description": "The container image to fetch indexed by the container image id",
"type": "object",
"additionalProperties": false,
"patternProperties": {
"sha256:[0-9a-f]{64}": {
"type": "object",
"additionalProperties": false,
"required": ["image"],
"properties": {
"image": {
"type": "object",
"additionalProperties": false,
"required": ["name", "digest"],
"properties": {
"name": {
"type": "string",
"description": "Name of the image (including registry)."
},
"digest": {
"type": "string",
"description": "Digest of image in registry.",
"pattern": "sha256:[0-9a-f]{64}"
},
"tls-verify": {
"type": "boolean",
"description": "Require https (default true)."
}
}
}
}
}
}
}
},
"properties": {
"items": {"$ref": "#/definitions/item"},
"digests": {"$ref": "#/definitions/item"}
},
"oneOf": [{
"required": ["items"]
}, {
"required": ["digests"]
}]
"""
class SkopeoSource(sources.SourceService):
content_type = "org.osbuild.containers"
def fetch_one(self, checksum, desc):
image_id = checksum
image = desc["image"]
imagename = image["name"]
digest = image["digest"]
tls_verify = image.get("tls-verify", True)
with tempfile.TemporaryDirectory(prefix="tmp-download-", dir=self.cache) as tmpdir:
archive_path = os.path.join(tmpdir, "container-image.tar")
source = f"docker://{imagename}@{digest}"
# We use the docker format, not oci, because that is the
# default return image type of real world registries,
# allowing the image to get the same image id as if you
# did "podman pull" (rather than converting the image to
# oci format, changing the id)
destination = f"docker-archive:{archive_path}"
extra_args = []
# The archive format can't store signatures, but we still verify them during download
extra_args.append("--remove-signatures")
if not tls_verify:
extra_args.append("--src-tls-verify=false")
subprocess.run(["skopeo", "copy"] + extra_args + [source, destination],
encoding="utf-8",
check=True)
# Verify that the digest supplied downloaded the correct container image id.
# The image id is the digest of the config, but skopeo can' currently
# get the config id, only the full config, so we checksum it ourselves.
res = subprocess.check_output(["skopeo", "inspect", "--raw", "--config", destination])
downloaded_id = "sha256:" + hashlib.sha256(res).hexdigest()
if downloaded_id != image_id:
raise RuntimeError(
f"Downloaded image {imagename}@{digest} has a id of {downloaded_id}, but expected {image_id}")
# Atomically move download dir into place on successful download
os.chmod(tmpdir, 0o755)
with ctx.suppress_oserror(errno.ENOTEMPTY, errno.EEXIST):
os.rename(tmpdir, f"{self.cache}/{image_id}")
def main():
service = SkopeoSource.from_args(sys.argv[1:])
service.main()
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink