mirror of
https://github.com/containers/podman
synced 2024-10-22 02:03:38 +00:00
bfc473f982
libpod requires new buildah and container image versions to resolve bug #1640298 Signed-off-by: baude <bbaude@redhat.com>
363 lines
14 KiB
Go
363 lines
14 KiB
Go
package image
|
||
|
||
import (
|
||
"context"
|
||
"fmt"
|
||
"io"
|
||
"strings"
|
||
|
||
cp "github.com/containers/image/copy"
|
||
"github.com/containers/image/directory"
|
||
"github.com/containers/image/docker"
|
||
dockerarchive "github.com/containers/image/docker/archive"
|
||
"github.com/containers/image/docker/reference"
|
||
"github.com/containers/image/docker/tarfile"
|
||
ociarchive "github.com/containers/image/oci/archive"
|
||
"github.com/containers/image/pkg/sysregistries"
|
||
is "github.com/containers/image/storage"
|
||
"github.com/containers/image/transports"
|
||
"github.com/containers/image/transports/alltransports"
|
||
"github.com/containers/image/types"
|
||
"github.com/containers/libpod/pkg/registries"
|
||
"github.com/containers/libpod/pkg/util"
|
||
multierror "github.com/hashicorp/go-multierror"
|
||
"github.com/pkg/errors"
|
||
"github.com/sirupsen/logrus"
|
||
)
|
||
|
||
var (
|
||
// DockerArchive is the transport we prepend to an image name
|
||
// when saving to docker-archive
|
||
DockerArchive = dockerarchive.Transport.Name()
|
||
// OCIArchive is the transport we prepend to an image name
|
||
// when saving to oci-archive
|
||
OCIArchive = ociarchive.Transport.Name()
|
||
// DirTransport is the transport for pushing and pulling
|
||
// images to and from a directory
|
||
DirTransport = directory.Transport.Name()
|
||
// DockerTransport is the transport for docker registries
|
||
DockerTransport = docker.Transport.Name()
|
||
// AtomicTransport is the transport for atomic registries
|
||
AtomicTransport = "atomic"
|
||
// DefaultTransport is a prefix that we apply to an image name
|
||
// NOTE: This is a string prefix, not actually a transport name usable for transports.Get();
|
||
// and because syntaxes of image names are transport-dependent, the prefix is not really interchangeable;
|
||
// each user implicitly assumes the appended string is a Docker-like reference.
|
||
DefaultTransport = DockerTransport + "://"
|
||
// DefaultLocalRegistry is the default local registry for local image operations
|
||
// Remote pulls will still use defined registries
|
||
DefaultLocalRegistry = "localhost"
|
||
)
|
||
|
||
// pullRefPair records a pair of prepared image references to pull.
|
||
type pullRefPair struct {
|
||
image string
|
||
srcRef types.ImageReference
|
||
dstRef types.ImageReference
|
||
}
|
||
|
||
// pullGoal represents the prepared image references and decided behavior to be executed by imagePull
|
||
type pullGoal struct {
|
||
refPairs []pullRefPair
|
||
pullAllPairs bool // Pull all refPairs instead of stopping on first success.
|
||
usedSearchRegistries bool // refPairs construction has depended on registries.GetRegistries()
|
||
searchedRegistries []string // The list of search registries used; set only if usedSearchRegistries
|
||
}
|
||
|
||
// singlePullRefPairGoal returns a no-frills pull goal for the specified reference pair.
|
||
func singlePullRefPairGoal(rp pullRefPair) *pullGoal {
|
||
return &pullGoal{
|
||
refPairs: []pullRefPair{rp},
|
||
pullAllPairs: false, // Does not really make a difference.
|
||
usedSearchRegistries: false,
|
||
searchedRegistries: nil,
|
||
}
|
||
}
|
||
|
||
func (ir *Runtime) getPullRefPair(srcRef types.ImageReference, destName string) (pullRefPair, error) {
|
||
decomposedDest, err := decompose(destName)
|
||
if err == nil && !decomposedDest.hasRegistry {
|
||
// If the image doesn't have a registry, set it as the default repo
|
||
decomposedDest.registry = DefaultLocalRegistry
|
||
decomposedDest.hasRegistry = true
|
||
destName = decomposedDest.assemble()
|
||
}
|
||
|
||
reference := destName
|
||
if srcRef.DockerReference() != nil {
|
||
reference = srcRef.DockerReference().String()
|
||
}
|
||
destRef, err := is.Transport.ParseStoreReference(ir.store, reference)
|
||
if err != nil {
|
||
return pullRefPair{}, errors.Wrapf(err, "error parsing dest reference name %#v", destName)
|
||
}
|
||
return pullRefPair{
|
||
image: destName,
|
||
srcRef: srcRef,
|
||
dstRef: destRef,
|
||
}, nil
|
||
}
|
||
|
||
// getSinglePullRefPairGoal calls getPullRefPair with the specified parameters, and returns a single-pair goal for the return value.
|
||
func (ir *Runtime) getSinglePullRefPairGoal(srcRef types.ImageReference, destName string) (*pullGoal, error) {
|
||
rp, err := ir.getPullRefPair(srcRef, destName)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
return singlePullRefPairGoal(rp), nil
|
||
}
|
||
|
||
// pullGoalFromImageReference returns a pull goal for a single ImageReference, depending on the used transport.
|
||
func (ir *Runtime) pullGoalFromImageReference(ctx context.Context, srcRef types.ImageReference, imgName string, sc *types.SystemContext) (*pullGoal, error) {
|
||
// supports pulling from docker-archive, oci, and registries
|
||
switch srcRef.Transport().Name() {
|
||
case DockerArchive:
|
||
archivePath := srcRef.StringWithinTransport()
|
||
tarSource, err := tarfile.NewSourceFromFile(archivePath)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
manifest, err := tarSource.LoadTarManifest()
|
||
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error retrieving manifest.json")
|
||
}
|
||
// to pull the first image stored in the tar file
|
||
if len(manifest) == 0 {
|
||
// use the hex of the digest if no manifest is found
|
||
reference, err := getImageDigest(ctx, srcRef, sc)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
return ir.getSinglePullRefPairGoal(srcRef, reference)
|
||
}
|
||
|
||
if len(manifest[0].RepoTags) == 0 {
|
||
// If the input image has no repotags, we need to feed it a dest anyways
|
||
digest, err := getImageDigest(ctx, srcRef, sc)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
return ir.getSinglePullRefPairGoal(srcRef, digest)
|
||
}
|
||
|
||
// Need to load in all the repo tags from the manifest
|
||
res := []pullRefPair{}
|
||
for _, dst := range manifest[0].RepoTags {
|
||
pullInfo, err := ir.getPullRefPair(srcRef, dst)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
res = append(res, pullInfo)
|
||
}
|
||
return &pullGoal{
|
||
refPairs: res,
|
||
pullAllPairs: true,
|
||
usedSearchRegistries: false,
|
||
searchedRegistries: nil,
|
||
}, nil
|
||
|
||
case OCIArchive:
|
||
// retrieve the manifest from index.json to access the image name
|
||
manifest, err := ociarchive.LoadManifestDescriptor(srcRef)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error loading manifest for %q", srcRef)
|
||
}
|
||
|
||
var dest string
|
||
if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" {
|
||
// If the input image has no image.ref.name, we need to feed it a dest anyways
|
||
// use the hex of the digest
|
||
dest, err = getImageDigest(ctx, srcRef, sc)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error getting image digest; image reference not found")
|
||
}
|
||
} else {
|
||
dest = manifest.Annotations["org.opencontainers.image.ref.name"]
|
||
}
|
||
return ir.getSinglePullRefPairGoal(srcRef, dest)
|
||
|
||
case DirTransport:
|
||
path := srcRef.StringWithinTransport()
|
||
image := path
|
||
if image[:1] == "/" {
|
||
// Set localhost as the registry so docker.io isn't prepended, and the path becomes the repository
|
||
image = DefaultLocalRegistry + image
|
||
}
|
||
return ir.getSinglePullRefPairGoal(srcRef, image)
|
||
|
||
default:
|
||
return ir.getSinglePullRefPairGoal(srcRef, imgName)
|
||
}
|
||
}
|
||
|
||
// pullImageFromHeuristicSource pulls an image based on inputName, which is heuristically parsed and may involve configured registries.
|
||
// Use pullImageFromReference if the source is known precisely.
|
||
func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName string, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
||
var goal *pullGoal
|
||
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
||
srcRef, err := alltransports.ParseImageName(inputName)
|
||
if err != nil {
|
||
// could be trying to pull from registry with short name
|
||
goal, err = ir.pullGoalFromPossiblyUnqualifiedName(inputName)
|
||
if err != nil {
|
||
return nil, errors.Wrap(err, "error getting default registries to try")
|
||
}
|
||
} else {
|
||
goal, err = ir.pullGoalFromImageReference(ctx, srcRef, inputName, sc)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error determining pull goal for image %q", inputName)
|
||
}
|
||
}
|
||
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, forceSecure)
|
||
}
|
||
|
||
// pullImageFromReference pulls an image from a types.imageReference.
|
||
func (ir *Runtime) pullImageFromReference(ctx context.Context, srcRef types.ImageReference, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
||
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
||
goal, err := ir.pullGoalFromImageReference(ctx, srcRef, transports.ImageName(srcRef), sc)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error determining pull goal for image %q", transports.ImageName(srcRef))
|
||
}
|
||
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, forceSecure)
|
||
}
|
||
|
||
// doPullImage is an internal helper interpreting pullGoal. Almost everyone should call one of the callers of doPullImage instead.
|
||
func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goal pullGoal, writer io.Writer, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
||
policyContext, err := getPolicyContext(sc)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
defer policyContext.Destroy()
|
||
|
||
insecureRegistries, err := registries.GetInsecureRegistries()
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
var images []string
|
||
var pullErrors *multierror.Error
|
||
for _, imageInfo := range goal.refPairs {
|
||
copyOptions := getCopyOptions(sc, writer, dockerOptions, nil, signingOptions, "", nil)
|
||
if imageInfo.srcRef.Transport().Name() == DockerTransport {
|
||
imgRef := imageInfo.srcRef.DockerReference()
|
||
if imgRef == nil { // This should never happen; such references can’t be created.
|
||
return nil, fmt.Errorf("internal error: DockerTransport reference %s does not have a DockerReference",
|
||
transports.ImageName(imageInfo.srcRef))
|
||
}
|
||
registry := reference.Domain(imgRef)
|
||
|
||
if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
|
||
copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
|
||
logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
|
||
}
|
||
}
|
||
// Print the following statement only when pulling from a docker or atomic registry
|
||
if writer != nil && (imageInfo.srcRef.Transport().Name() == DockerTransport || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
|
||
io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
|
||
}
|
||
_, err = cp.Image(ctx, policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions)
|
||
if err != nil {
|
||
pullErrors = multierror.Append(pullErrors, err)
|
||
logrus.Debugf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err)
|
||
if writer != nil {
|
||
io.WriteString(writer, "Failed\n")
|
||
}
|
||
} else {
|
||
if !goal.pullAllPairs {
|
||
return []string{imageInfo.image}, nil
|
||
}
|
||
images = append(images, imageInfo.image)
|
||
}
|
||
}
|
||
// If no image was found, we should handle. Lets be nicer to the user and see if we can figure out why.
|
||
if len(images) == 0 {
|
||
registryPath := sysregistries.RegistriesConfPath(&types.SystemContext{})
|
||
if goal.usedSearchRegistries && len(goal.searchedRegistries) == 0 {
|
||
return nil, errors.Errorf("image name provided is a short name and no search registries are defined in %s.", registryPath)
|
||
}
|
||
// If the image passed in was fully-qualified, we will have 1 refpair. Bc the image is fq'd, we dont need to yap about registries.
|
||
if !goal.usedSearchRegistries {
|
||
if pullErrors != nil && len(pullErrors.Errors) > 0 { // this should always be true
|
||
return nil, errors.Wrap(pullErrors.Errors[0], "unable to pull image")
|
||
}
|
||
return nil, errors.Errorf("unable to pull image, or you do not have pull access")
|
||
}
|
||
return nil, pullErrors
|
||
}
|
||
return images, nil
|
||
}
|
||
|
||
// hasShaInInputName returns a bool as to whether the user provided an image name that includes
|
||
// a reference to a specific sha
|
||
func hasShaInInputName(inputName string) bool {
|
||
return strings.Contains(inputName, "@sha256:")
|
||
}
|
||
|
||
// pullGoalFromPossiblyUnqualifiedName looks at inputName and determines the possible
|
||
// image references to try pulling in combination with the registries.conf file as well
|
||
func (ir *Runtime) pullGoalFromPossiblyUnqualifiedName(inputName string) (*pullGoal, error) {
|
||
decomposedImage, err := decompose(inputName)
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
if decomposedImage.hasRegistry {
|
||
var imageName, destName string
|
||
if hasShaInInputName(inputName) {
|
||
imageName = fmt.Sprintf("%s%s", decomposedImage.transport, inputName)
|
||
} else {
|
||
imageName = decomposedImage.assembleWithTransport()
|
||
}
|
||
srcRef, err := alltransports.ParseImageName(imageName)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "unable to parse '%s'", inputName)
|
||
}
|
||
if hasShaInInputName(inputName) {
|
||
destName = decomposedImage.assemble()
|
||
} else {
|
||
destName = inputName
|
||
}
|
||
destRef, err := is.Transport.ParseStoreReference(ir.store, destName)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error parsing dest reference name %#v", destName)
|
||
}
|
||
ps := pullRefPair{
|
||
image: inputName,
|
||
srcRef: srcRef,
|
||
dstRef: destRef,
|
||
}
|
||
return singlePullRefPairGoal(ps), nil
|
||
}
|
||
|
||
searchRegistries, err := registries.GetRegistries()
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
var refPairs []pullRefPair
|
||
for _, registry := range searchRegistries {
|
||
decomposedImage.registry = registry
|
||
imageName := decomposedImage.assembleWithTransport()
|
||
if hasShaInInputName(inputName) {
|
||
imageName = fmt.Sprintf("%s%s/%s", decomposedImage.transport, registry, inputName)
|
||
}
|
||
srcRef, err := alltransports.ParseImageName(imageName)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "unable to parse '%s'", inputName)
|
||
}
|
||
ps := pullRefPair{
|
||
image: decomposedImage.assemble(),
|
||
srcRef: srcRef,
|
||
}
|
||
ps.dstRef, err = is.Transport.ParseStoreReference(ir.store, ps.image)
|
||
if err != nil {
|
||
return nil, errors.Wrapf(err, "error parsing dest reference name %#v", ps.image)
|
||
}
|
||
refPairs = append(refPairs, ps)
|
||
}
|
||
return &pullGoal{
|
||
refPairs: refPairs,
|
||
pullAllPairs: false,
|
||
usedSearchRegistries: true,
|
||
searchedRegistries: searchRegistries,
|
||
}, nil
|
||
}
|