2019-06-20 16:36:40 -07:00
|
|
|
package storage
|
|
|
|
|
|
|
|
import (
|
2023-05-26 21:08:19 +03:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2023-09-06 19:58:00 +03:00
|
|
|
"regexp"
|
2023-05-26 21:08:19 +03:00
|
|
|
"strings"
|
2019-06-20 16:36:40 -07:00
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
"github.com/docker/distribution/registry/storage/driver/factory"
|
2022-10-22 23:46:13 +03:00
|
|
|
godigest "github.com/opencontainers/go-digest"
|
2022-11-08 00:38:16 -08:00
|
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
2022-10-20 19:39:20 +03:00
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
"zotregistry.io/zot/errors"
|
|
|
|
"zotregistry.io/zot/pkg/api/config"
|
|
|
|
zcommon "zotregistry.io/zot/pkg/common"
|
|
|
|
"zotregistry.io/zot/pkg/extensions/monitoring"
|
|
|
|
"zotregistry.io/zot/pkg/log"
|
|
|
|
common "zotregistry.io/zot/pkg/storage/common"
|
|
|
|
"zotregistry.io/zot/pkg/storage/constants"
|
|
|
|
"zotregistry.io/zot/pkg/storage/local"
|
|
|
|
"zotregistry.io/zot/pkg/storage/s3"
|
|
|
|
storageTypes "zotregistry.io/zot/pkg/storage/types"
|
2019-06-20 16:36:40 -07:00
|
|
|
)
|
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
func New(config *config.Config, linter common.Lint, metrics monitoring.MetricServer,
|
|
|
|
log log.Logger,
|
|
|
|
) (StoreController, error) {
|
|
|
|
storeController := StoreController{}
|
|
|
|
|
|
|
|
if config.Storage.RootDirectory == "" {
|
|
|
|
// we can't proceed without global storage
|
|
|
|
log.Error().Err(errors.ErrImgStoreNotFound).Msg("controller: no storage config provided")
|
|
|
|
|
|
|
|
return storeController, errors.ErrImgStoreNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
// no need to validate hard links work on s3
|
|
|
|
if config.Storage.Dedupe && config.Storage.StorageDriver == nil {
|
|
|
|
err := local.ValidateHardLink(config.Storage.RootDirectory)
|
|
|
|
if err != nil {
|
|
|
|
log.Warn().Msg("input storage root directory filesystem does not supports hardlinking," +
|
|
|
|
"disabling dedupe functionality")
|
|
|
|
|
|
|
|
config.Storage.Dedupe = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var defaultStore storageTypes.ImageStore
|
|
|
|
|
|
|
|
if config.Storage.StorageDriver == nil {
|
|
|
|
// false positive lint - linter does not implement Lint method
|
|
|
|
//nolint:typecheck,contextcheck
|
2023-09-01 20:54:39 +03:00
|
|
|
rootDir := config.Storage.RootDirectory
|
|
|
|
defaultStore = local.NewImageStore(rootDir,
|
|
|
|
config.Storage.GC, config.Storage.GCReferrers, config.Storage.GCDelay, config.Storage.UntaggedImageRetentionDelay,
|
2023-05-26 21:08:19 +03:00
|
|
|
config.Storage.Dedupe, config.Storage.Commit, log, metrics, linter,
|
|
|
|
CreateCacheDatabaseDriver(config.Storage.StorageConfig, log),
|
|
|
|
)
|
|
|
|
} else {
|
|
|
|
storeName := fmt.Sprintf("%v", config.Storage.StorageDriver["name"])
|
|
|
|
if storeName != constants.S3StorageDriverName {
|
|
|
|
log.Fatal().Err(errors.ErrBadConfig).Str("storageDriver", storeName).
|
|
|
|
Msg("unsupported storage driver")
|
|
|
|
}
|
|
|
|
// Init a Storager from connection string.
|
|
|
|
store, err := factory.Create(storeName, config.Storage.StorageDriver)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Str("rootDir", config.Storage.RootDirectory).Msg("unable to create s3 service")
|
|
|
|
|
|
|
|
return storeController, err
|
|
|
|
}
|
|
|
|
|
|
|
|
/* in the case of s3 config.Storage.RootDirectory is used for caching blobs locally and
|
|
|
|
config.Storage.StorageDriver["rootdirectory"] is the actual rootDir in s3 */
|
|
|
|
rootDir := "/"
|
|
|
|
if config.Storage.StorageDriver["rootdirectory"] != nil {
|
|
|
|
rootDir = fmt.Sprintf("%v", config.Storage.StorageDriver["rootdirectory"])
|
|
|
|
}
|
|
|
|
|
|
|
|
// false positive lint - linter does not implement Lint method
|
|
|
|
//nolint: typecheck,contextcheck
|
|
|
|
defaultStore = s3.NewImageStore(rootDir, config.Storage.RootDirectory,
|
2023-09-01 20:54:39 +03:00
|
|
|
config.Storage.GC, config.Storage.GCReferrers, config.Storage.GCDelay,
|
|
|
|
config.Storage.UntaggedImageRetentionDelay, config.Storage.Dedupe,
|
2023-05-26 21:08:19 +03:00
|
|
|
config.Storage.Commit, log, metrics, linter, store,
|
|
|
|
CreateCacheDatabaseDriver(config.Storage.StorageConfig, log))
|
|
|
|
}
|
|
|
|
|
|
|
|
storeController.DefaultStore = defaultStore
|
|
|
|
|
|
|
|
if config.Storage.SubPaths != nil {
|
|
|
|
if len(config.Storage.SubPaths) > 0 {
|
|
|
|
subPaths := config.Storage.SubPaths
|
|
|
|
|
|
|
|
//nolint: contextcheck
|
|
|
|
subImageStore, err := getSubStore(config, subPaths, linter, metrics, log)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Msg("controller: error getting sub image store")
|
|
|
|
|
|
|
|
return storeController, err
|
|
|
|
}
|
|
|
|
|
|
|
|
storeController.SubStore = subImageStore
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return storeController, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getSubStore(cfg *config.Config, subPaths map[string]config.StorageConfig,
|
|
|
|
linter common.Lint, metrics monitoring.MetricServer, log log.Logger,
|
|
|
|
) (map[string]storageTypes.ImageStore, error) {
|
|
|
|
imgStoreMap := make(map[string]storageTypes.ImageStore, 0)
|
|
|
|
|
|
|
|
subImageStore := make(map[string]storageTypes.ImageStore)
|
|
|
|
|
|
|
|
// creating image store per subpaths
|
|
|
|
for route, storageConfig := range subPaths {
|
|
|
|
// no need to validate hard links work on s3
|
|
|
|
if storageConfig.Dedupe && storageConfig.StorageDriver == nil {
|
|
|
|
err := local.ValidateHardLink(storageConfig.RootDirectory)
|
|
|
|
if err != nil {
|
|
|
|
log.Warn().Msg("input storage root directory filesystem does not supports hardlinking, " +
|
|
|
|
"disabling dedupe functionality")
|
|
|
|
|
|
|
|
storageConfig.Dedupe = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if storageConfig.StorageDriver == nil {
|
|
|
|
// Compare if subpath root dir is same as default root dir
|
|
|
|
isSame, _ := config.SameFile(cfg.Storage.RootDirectory, storageConfig.RootDirectory)
|
|
|
|
|
|
|
|
if isSame {
|
|
|
|
log.Error().Err(errors.ErrBadConfig).Msg("sub path storage directory is same as root directory")
|
|
|
|
|
|
|
|
return nil, errors.ErrBadConfig
|
|
|
|
}
|
|
|
|
|
|
|
|
isUnique := true
|
|
|
|
|
|
|
|
// Compare subpath unique files
|
|
|
|
for file := range imgStoreMap {
|
|
|
|
// We already have image storage for this file
|
|
|
|
if compareImageStore(file, storageConfig.RootDirectory) {
|
|
|
|
subImageStore[route] = imgStoreMap[file]
|
|
|
|
|
|
|
|
isUnique = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// subpath root directory is unique
|
|
|
|
// add it to uniqueSubFiles
|
|
|
|
// Create a new image store and assign it to imgStoreMap
|
|
|
|
if isUnique {
|
2023-09-01 20:54:39 +03:00
|
|
|
rootDir := storageConfig.RootDirectory
|
|
|
|
imgStoreMap[storageConfig.RootDirectory] = local.NewImageStore(rootDir,
|
|
|
|
storageConfig.GC, storageConfig.GCReferrers, storageConfig.GCDelay,
|
|
|
|
storageConfig.UntaggedImageRetentionDelay, storageConfig.Dedupe,
|
|
|
|
storageConfig.Commit, log, metrics, linter,
|
|
|
|
CreateCacheDatabaseDriver(storageConfig, log),
|
|
|
|
)
|
2023-05-26 21:08:19 +03:00
|
|
|
|
|
|
|
subImageStore[route] = imgStoreMap[storageConfig.RootDirectory]
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
storeName := fmt.Sprintf("%v", storageConfig.StorageDriver["name"])
|
|
|
|
if storeName != constants.S3StorageDriverName {
|
|
|
|
log.Fatal().Err(errors.ErrBadConfig).Str("storageDriver", storeName).
|
|
|
|
Msg("unsupported storage driver")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Init a Storager from connection string.
|
|
|
|
store, err := factory.Create(storeName, storageConfig.StorageDriver)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Str("rootDir", storageConfig.RootDirectory).Msg("Unable to create s3 service")
|
|
|
|
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
/* in the case of s3 c.Config.Storage.RootDirectory is used for caching blobs locally and
|
|
|
|
c.Config.Storage.StorageDriver["rootdirectory"] is the actual rootDir in s3 */
|
|
|
|
rootDir := "/"
|
|
|
|
if cfg.Storage.StorageDriver["rootdirectory"] != nil {
|
|
|
|
rootDir = fmt.Sprintf("%v", cfg.Storage.StorageDriver["rootdirectory"])
|
|
|
|
}
|
|
|
|
|
|
|
|
// false positive lint - linter does not implement Lint method
|
|
|
|
//nolint: typecheck
|
|
|
|
subImageStore[route] = s3.NewImageStore(rootDir, storageConfig.RootDirectory,
|
2023-09-01 20:54:39 +03:00
|
|
|
storageConfig.GC, storageConfig.GCReferrers, storageConfig.GCDelay,
|
|
|
|
storageConfig.UntaggedImageRetentionDelay, storageConfig.Dedupe,
|
|
|
|
storageConfig.Commit, log, metrics, linter, store,
|
2023-05-26 21:08:19 +03:00
|
|
|
CreateCacheDatabaseDriver(storageConfig, log),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return subImageStore, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func compareImageStore(root1, root2 string) bool {
|
|
|
|
isSameFile, err := config.SameFile(root1, root2)
|
|
|
|
// This error is path error that means either of root directory doesn't exist, in that case do string match
|
|
|
|
if err != nil {
|
|
|
|
return strings.EqualFold(root1, root2)
|
|
|
|
}
|
|
|
|
|
|
|
|
return isSameFile
|
|
|
|
}
|
|
|
|
|
|
|
|
// CheckIsImageSignature checks if the given image (repo:tag) represents a signature. The function
|
|
|
|
// returns:
|
|
|
|
//
|
|
|
|
// - bool: if the image is a signature or not
|
|
|
|
//
|
|
|
|
// - string: the type of signature
|
|
|
|
//
|
|
|
|
// - string: the digest of the image it signs
|
|
|
|
//
|
|
|
|
// - error: any errors that occur.
|
|
|
|
func CheckIsImageSignature(repoName string, manifestBlob []byte, reference string,
|
|
|
|
) (bool, string, godigest.Digest, error) {
|
|
|
|
var manifestContent ispec.Manifest
|
|
|
|
|
|
|
|
err := json.Unmarshal(manifestBlob, &manifestContent)
|
|
|
|
if err != nil {
|
|
|
|
return false, "", "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
manifestArtifactType := zcommon.GetManifestArtifactType(manifestContent)
|
|
|
|
|
|
|
|
// check notation signature
|
2023-09-06 19:58:00 +03:00
|
|
|
if manifestArtifactType == zcommon.ArtifactTypeNotation && manifestContent.Subject != nil {
|
2023-05-26 21:08:19 +03:00
|
|
|
return true, NotationType, manifestContent.Subject.Digest, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// check cosign
|
2023-09-06 19:58:00 +03:00
|
|
|
cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`)
|
2023-05-26 21:08:19 +03:00
|
|
|
|
2023-09-06 19:58:00 +03:00
|
|
|
if tag := reference; cosignTagRule.MatchString(reference) {
|
2023-05-26 21:08:19 +03:00
|
|
|
prefixLen := len("sha256-")
|
|
|
|
digestLen := 64
|
|
|
|
signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen]
|
|
|
|
|
|
|
|
signedImageManifestDigest := godigest.NewDigestFromEncoded(godigest.SHA256,
|
|
|
|
signedImageManifestDigestEncoded)
|
|
|
|
|
|
|
|
return true, CosignType, signedImageManifestDigest, nil
|
|
|
|
}
|
2021-07-17 06:53:05 +03:00
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
return false, "", "", nil
|
2020-06-30 10:56:58 -07:00
|
|
|
}
|