171 lines
6.1 KiB
Python
Executable file
171 lines
6.1 KiB
Python
Executable file
#!/usr/bin/python3
|
|
"""Fetch container image from a registry using skopeo
|
|
|
|
The image is stored in a directory called `image` under a directory indexed by
|
|
the "container image id", which is the digest of the container configuration
|
|
file (rather than the outer manifest) and is what will be shown in the "podman
|
|
images" output when the image is installed. This digest is stable as opposed to
|
|
the manifest digest which can change during transfer and storage due to e.g.
|
|
recompression.
|
|
|
|
The local storage format for containers is the `dir` format which supports
|
|
retaining signatures and manifests.
|
|
|
|
Buildhost commands used: `skopeo`.
|
|
"""
|
|
|
|
import concurrent.futures
|
|
import errno
|
|
import hashlib
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
from typing import Dict
|
|
|
|
from osbuild import sources
|
|
from osbuild.util import ctx
|
|
|
|
SCHEMA = """
|
|
"additionalProperties": false,
|
|
"definitions": {
|
|
"item": {
|
|
"description": "The container image to fetch indexed by the container image id",
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"patternProperties": {
|
|
"sha256:[0-9a-f]{64}": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["image"],
|
|
"properties": {
|
|
"image": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["name", "digest"],
|
|
"properties": {
|
|
"name": {
|
|
"type": "string",
|
|
"description": "Name of the image (including registry)."
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"description": "Digest of image in registry.",
|
|
"pattern": "sha256:[0-9a-f]{64}"
|
|
},
|
|
"tls-verify": {
|
|
"type": "boolean",
|
|
"description": "Require https (default true)."
|
|
},
|
|
"containers-transport": {
|
|
"type": "string",
|
|
"enum": ["docker", "containers-storage" ],
|
|
"description": "The containers transport from which to copy the container",
|
|
"default": "docker"
|
|
},
|
|
"storage-location": {
|
|
"type": "string",
|
|
"description": "The location of the local containers storage"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"properties": {
|
|
"items": {"$ref": "#/definitions/item"},
|
|
"digests": {"$ref": "#/definitions/item"}
|
|
},
|
|
"oneOf": [{
|
|
"required": ["items"]
|
|
}, {
|
|
"required": ["digests"]
|
|
}]
|
|
"""
|
|
|
|
DOCKER_TRANSPORT = "docker"
|
|
CONTAINERS_STORAGE_TRANSPORT = "containers-storage"
|
|
|
|
|
|
class SkopeoSource(sources.SourceService):
|
|
|
|
content_type = "org.osbuild.containers"
|
|
|
|
dir_name = "image"
|
|
|
|
def get_source(self, transport, reference):
|
|
if transport == DOCKER_TRANSPORT:
|
|
return f"docker://{reference}"
|
|
if transport == CONTAINERS_STORAGE_TRANSPORT:
|
|
return f"containers-storage:{reference}"
|
|
raise RuntimeError("Unrecognized containers transport")
|
|
|
|
def fetch_all(self, items: Dict) -> None:
|
|
filtered = filter(lambda i: not self.exists(i[0], i[1]), items.items()) # discards items already in cache
|
|
|
|
with concurrent.futures.ThreadPoolExecutor(max_workers=self.max_workers) as executor:
|
|
for _ in executor.map(self.fetch_one, *zip(*filtered)):
|
|
pass
|
|
|
|
def fetch_one(self, checksum, desc):
|
|
image_id = checksum
|
|
image = desc["image"]
|
|
imagename = image["name"]
|
|
digest = image["digest"]
|
|
tls_verify = image.get("tls-verify", True)
|
|
transport = image.get("containers-transport", DOCKER_TRANSPORT)
|
|
location = image.get("storage-location", "")
|
|
|
|
with tempfile.TemporaryDirectory(prefix="tmp-download-", dir=self.cache) as tmpdir:
|
|
archive_dir = os.path.join(tmpdir, "container-archive")
|
|
os.makedirs(archive_dir)
|
|
os.chmod(archive_dir, 0o755)
|
|
|
|
# Skopeo will read the default storage path from the
|
|
# /etc/containers/storage.conf unless storage-location
|
|
# is provided. See:
|
|
# https://github.com/containers/storage/blob/acbb93bb802702bc171b9987a47a9b713c280d38/types/options.go#L53
|
|
specifier = location if location == "" else f"[overlay@{location}]"
|
|
reference = f"{specifier}{imagename}@{digest}"
|
|
source = self.get_source(transport, reference)
|
|
|
|
# We use the dir format because it is the most powerful in terms of feature support and is the closest to a
|
|
# direct serialisation of the registry data.
|
|
destination = f"dir:{archive_dir}/{self.dir_name}"
|
|
|
|
extra_args = []
|
|
if not tls_verify:
|
|
extra_args.append("--src-tls-verify=false")
|
|
|
|
subprocess.run(["skopeo", "copy"] + extra_args + [source, destination],
|
|
encoding="utf-8",
|
|
check=True)
|
|
|
|
# Verify that the digest supplied downloaded the correct container image id.
|
|
# The image id is the digest of the config, but skopeo can't currently
|
|
# get the config id, only the full config, so we checksum it ourselves.
|
|
res = subprocess.check_output(["skopeo", "inspect", "--raw", "--config", destination])
|
|
downloaded_id = "sha256:" + hashlib.sha256(res).hexdigest()
|
|
if downloaded_id != image_id:
|
|
raise RuntimeError(
|
|
f"Downloaded image {imagename}@{digest} has a id of {downloaded_id}, but expected {image_id}")
|
|
|
|
# Atomically move download archive into place on successful download
|
|
with ctx.suppress_oserror(errno.ENOTEMPTY, errno.EEXIST):
|
|
os.makedirs(os.path.join(self.cache, image_id), exist_ok=True)
|
|
os.rename(os.path.join(archive_dir, self.dir_name), os.path.join(self.cache, image_id, self.dir_name))
|
|
|
|
def exists(self, checksum, _desc):
|
|
path = os.path.join(self.cache, checksum, self.dir_name)
|
|
return os.path.exists(path)
|
|
|
|
|
|
def main():
|
|
service = SkopeoSource.from_args(sys.argv[1:])
|
|
service.main()
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|