0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

93 commits

Author SHA1 Message Date
Andrei Aaron
28ffa38170
chore: fix search for 'no digests left, finished' in nightly job (#2784)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-11-15 08:51:00 -08:00
Andrei Aaron
dc38113df0
chore: use go1.23 in the build environment of zot container images (#2773)
* chore: use go1.23 in the build environment of zot container images

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* chore: increase timeout in test/blackbox/restore_s3_blobs.bats

Looks like the message is actually there even if the test fails, maybe there is a timing issue.
https://github.com/project-zot/zot/actions/runs/11747889146/job/32730772641

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-11-10 10:36:09 -08:00
Ramkumar Chinchani
cb2af94b0b
feat: add support for docker images (#2714)
* feat: add support for docker images

Issue #724

A new config section under "HTTP" called "Compat" is added which
currently takes a list of possible compatible legacy media-types.

https://github.com/opencontainers/image-spec/blob/main/media-types.md#compatibility-matrix

Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported.

Garbage collection also needs to be made aware of non-OCI compatible
layer types.
feat: add cve support for non-OCI compatible layer types

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* 

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: add more docker compat tests

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* feat: add additional validation checks for non-OCI images

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: make "full" images docker-compatible

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-10-31 09:44:04 +02:00
Andrei Aaron
8553712613
chore: upgrade trivy to v0.55.2 and update the logic of waiting for zot to start in some jobs (#2685)
chore: upgrade trivy to v0.55.2, also update the logic of waiting for zot to start in some jobs

Seems like there's an increate in the time zot requires to start before servicing requests.
From my GitHub observations it is better check using curl instead of relying on hardcoded 5s or 10s values.

The logic in .github/workflows/cluster.yaml seems to be old and out of date.
Even on main right now there is only 1 our of 3 zots actualy running.
The other 2 are actually erroring: Error: operation timeout: boltdb file is already in use, path '/tmp/zot/cache.db'
This is unrelated to this PR, I am seeing the same issue in the olders workflow runs still showing the logs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-09-30 10:37:53 -07:00
Ramkumar Chinchani
4105f120ef
ci: add a ML model artifact test case (#2332)
Both as a test and an example.

Inspired by:
    https://github.com/kubeflow/model-registry/blob/main/docs/logical_model.md

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-03-21 22:30:43 +02:00
Ramkumar Chinchani
fdb401273c
fix: ignore metadb errors if tag not found (#2301) 2024-03-13 07:28:08 +02:00
ossfellow
dc0e41ad53
test(blackbox): add multi-arch index creation and image attributes modification (#2306)
* test: add multi-arch index creation and image modification tests

Signed-off-by: ossfellow <masoud@operatik.io>

* chore: update regclient version to the latest

Signed-off-by: ossfellow <masoud@operatik.io>

---------

Signed-off-by: ossfellow <masoud@operatik.io>
2024-03-08 08:49:12 -08:00
Ramkumar Chinchani
18235ca254
fix(oras)!: remove ORAS artifact references support (#2294)
* fix(oras)!: remove ORAS artifact references support

ORAS artifacts/references predated OCI dist-spec 1.1.0 which now has the
same functionality and likely to see wider adoption.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: update to released official images

So that they are unlikely to be deleted.
*-rc images may be cleaned up over time.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-03-06 12:16:42 -08:00
Andrei Aaron
4e5db84cb1
chore: update image-spec and dist spec to 1.1.0 (#2255)
BREAKING CHANGE: the dist spec version in the config files needs to be bumped to 1.1.0
in order for the config verification to pass without warnings.

Also fix 1 dependabot alert for helm.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-20 13:27:21 +02:00
Andrei Aaron
f1d38d9dad
test(blackbox): fix the scrub test sometimes deleting the image manifest from the layout (#2236)
If the manifest is not present, scrub no longer errors,
so the test looking for errors in the log was not failing.

See the related scrub changes in: https://github.com/project-zot/zot/pull/2180

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-08 15:21:42 +02:00
Andrei Aaron
a60d3891ff
ci: stabilize ecosystem client tools workflow (#2224)
Since the scheduler no longer executes generators in a fixed order, and scrub logic refactoring,
the scrub tasks may or may not complete in the expected time.
Increase sleep times used to search for tasks results in zot logs.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-02 16:11:27 +02:00
peusebiu
7dd1ca353f
fix(nightly): increase wait time for dedupe nightly build (#2177)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-01-22 09:07:04 -08:00
peusebiu
7642e5af98
fix(scheduler): fix data race (#2085)
* fix(scheduler): data race when pushing new tasks

the problem here is that scheduler can be closed in two ways:
- canceling the context given as argument to scheduler.RunScheduler()
- running scheduler.Shutdown()

because of this shutdown can trigger a data race between calling scheduler.inShutdown()
and actually pushing tasks into the pool workers

solved that by keeping a quit channel and listening on both quit channel and ctx.Done()
and closing the worker chan and scheduler afterwards.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>

* refactor(scheduler): refactor into a single shutdown

before this we could stop scheduler either by closing the context
provided to RunScheduler(ctx) or by running Shutdown().

simplify things by getting rid of the external context in RunScheduler().
keep an internal context in the scheduler itself and pass it down to all tasks.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>

---------

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-12-11 10:00:34 -08:00
Andrei Aaron
d71a1f494e
ci(nightly): fix nightly after log message refactor (#2121)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-12-11 15:39:32 +02:00
peusebiu
3c8da6e6fc
Sync s3 (#2073)
* feat(sync): local tmp store

Signed-off-by: a <a@tuxpa.in>

* fix(sync): various fixes for s3+remote storage feature

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>

---------

Signed-off-by: a <a@tuxpa.in>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: a <a@tuxpa.in>
2023-11-28 12:08:15 -08:00
Andrei Aaron
0dfff561f9
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072)
resolves #2008

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-11-21 16:31:12 +02:00
Alexei Dodon
8dd06c6e1e
ci: resource tuning for faster runs (#1967)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-11-15 10:44:31 -08:00
Andreea Lupu
d5065513f5
feat: add support for oci1.1 cosign signatures(using referrers) (#1963)
- Cosign supports 2 types of signature formats:

	1. Using tag -> each new signature of the same manifest is
	added as a new layer of the signature manifest having that
	specific tag("{alghoritm}-{digest_of_signed_manifest}.sig")

	2. Using referrers -> each new signature of the same manifest is
	added as a new manifest

- For adding these cosign signature to metadb, we reserved index 0 of the
list of cosign signatures for tag-based signatures. When a new tag-based
signature is added for the same manifest, the element on first position
in its list of cosign signatures(in metadb) will be updated/overwritten.
When a new cosign signature(using referrers) will be added for the same
manifest this new signature will be appended to the list of cosign
signatures.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-11-06 14:09:39 -08:00
peusebiu
9074f8483b
feat(retention): added image retention policies (#1866)
feat(metaDB): add more image statistics info

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-11-01 09:16:18 -07:00
LaurentiuNiculae
56ad9e6707
refactor(metadb): improve UX by speeding up metadb serialize/deserialize (#1842)
Use protocol buffers and update the metadb interface to better suit our search needs

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-10-30 13:06:04 -07:00
Andrei Aaron
7ce5a74598
feat: use the "zot" namespace for the authentication url (#1947)
Some other minor fixes for swaggo comments (indentation and a bad description)

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-10-20 15:30:56 +03:00
Alexei Dodon
a345ba0823
fix: metrics should be protected behind authZ (#1895)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-10-20 10:33:26 +03:00
Andreea Lupu
fc2380b57b
fix: add support for uploaded index when signing using notation (#1882)
ci(notation): update to latest notation version
fix(sync): add layers info when syncing signatures

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-10-12 18:45:20 -07:00
peusebiu
458d40fb48
fix(nightly): increase nightly delays and timeouts (#1877)
change the startup dedupe blackbox test source image with a lighter one

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-10-12 16:42:07 +03:00
Alexei Dodon
2fd7bfc37a
fix: metrics endpoint must be secured behind authN (#1864)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-10-02 16:37:21 +03:00
Ramkumar Chinchani
8c559441e6
test(cosign): add a oci dist-spec 1.1.0 conformant test case (#1835)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-09-20 12:01:36 -07:00
peusebiu
f164fb9e03
fix(ci): fix nighlty builds and print zot log on failure (#1799)
now gc stress on s3 storage is using minio for ci/cd builds
gc stress on s3 storage is using localstack for nightly builds

fixed(gc): make sure we don't remove repo if there are blobs
being uploaded or the number of blobs gc'ed is not 0

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-20 19:25:06 +03:00
peusebiu
3dbaf2b3ff
fix(sync): ping func should not try to read response body (#1757)
closes: #1703

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-13 20:00:51 +03:00
Andrei Aaron
24e37eb68b
fix(api): Fix 'last' query param for <repo>/tags/list to work without param 'n' (#1777)
Also fix additional issues:
- sorting of tags on calls without pagination parameters ('n' or 'last')
- if 'n' is 0 we should return an empty list and not error

Added tests accordingly

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-09-08 19:46:17 +03:00
LaurentiuNiculae
7b1e24c99e
refactor(cli): remove old cli commands (#1756)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-09-08 15:12:47 +03:00
Andrei Aaron
6115eed4ec
refactor(makefile): consolidate the make targets used for bats tests (#1746)
New examples of running tests:

1. To run a specific bats file (with and without verbose output):
make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats
make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats BATS_VERBOSITY=2

2. To run the CI tests (with and without verbose output)
make run-blackbox-ci
make run-blackbox-ci BATS_VERBOSITY=2

BATS_TEST_FILE_PATH is used to pass on the test file to run using `run-blackbox-tests`
BATS_VERBOSITY controls the verbosity of the bats framework output, if unspecified the output only
contains test results and failure message in case of failures.
If BATS_VERBOSITY is 1, then also show commands as they are executed.
If BATS_VERBOSITY is 2, on top of the above it also shows output of passed tests.

Other changes in this PR:
- Update some of the tests to show logs after the run ends.
- Run the linters before the tests, as it saves time on failures when running in GH

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-09-07 21:06:21 +03:00
peusebiu
c6b822f3dd
refactor(authz): use a struct for user access control info operations (#1682)
fix(authz): fix isAdmin not using groups to determine if a user is admin.
fix(authz): return 401 instead of 403

403 is correct as per HTTP spec
However authz is not part of dist-spec and clients know only about 401
So this is a compromise.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 11:13:53 -07:00
peusebiu
b80deb9927
refactor(storage): refactor storage into a single ImageStore (#1656)
unified both local and s3 ImageStore logic into a single ImageStore
added a new driver interface for common file/dirs manipulations
to be implemented by different storage types

refactor(gc): drop umoci dependency, implemented internal gc

added retentionDelay config option that specifies
the garbage collect delay for images without tags

this will also clean manifests which are part of an index image
(multiarch) that no longer exist.

fix(dedupe): skip blobs under .sync/ directory

if startup dedupe is running while also syncing is running
ignore blobs under sync's temporary storage

fix(storage): do not allow image indexes modifications

when deleting a manifest verify that it is not part of a multiarch image
and throw a MethodNotAllowed error to the client if it is.
we don't want to modify multiarch images

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 10:54:39 -07:00
LaurentiuNiculae
72a5968437
test(bats): added bats example for deleting an image (#1718)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-09-01 17:23:34 +03:00
Alexei Dodon
423302df5f
fix: nightly build (#1745)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-09-01 13:08:17 +03:00
Alexei Dodon
41bbb23e30
fix: bats test refactoring (#1731)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-30 12:24:28 -07:00
Damien Degois
289acfabbd
feat(authn): add generic oidc and allow customizable name (#1691)
Rebased and squashed

Signed-off-by: Damien Degois <damien@degois.info>
2023-08-24 12:33:35 +03:00
LaurentiuNiculae
ed90e3bd24
test(annotations): print logs for annotations bats tests (#1680)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-07 13:51:57 -07:00
Andreea Lupu
76277f5ebd
fix: remove inline GC and schedule a background task instead (#1610)
* fix: remove inline GC and set a default value of gc interval

- remove inline GC
- add a default value of GC interval
- run the GC periodically by default with the default value if no interval provided
- generate GC tasks with a random delay(0-30s) between
- add IsReady() method to scheduler.TaskGenerator interface

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

* ci: add test for gc with short interval

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

---------

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-08-07 12:55:19 -07:00
Andrei Aaron
77149aa85c
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below
BREAKING CHANGE: The API keys endpoint has been moved -  see details below
BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled
BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey

mgmt and imagetrust extensions:
- separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign
- signature verification logic is in a separate `imagetrust` extension
- better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors)
- add authz on signature uploads (and add a new middleware in common for this purpose)
- remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled

userprefs estension:
- userprefs are enabled if both search and ui extensions are enabled (as opposed to just search)

apikey extension is removed and logic moved into the api folder
- Move apikeys code out of pkg/extensions and into pkg/api
- Remove apikey configuration options from the extensions configuration and move it inside the http auth section
- remove the build label apikeys

other changes:
- move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files.
- add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys
- add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions
- more clear methods for verifying specific extensions are enabled
- fix http methods paired with the UI handlers
- rebuild swagger docs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 21:58:34 +03:00
peusebiu
d3f27b4ba6
feat: add additional manifest validations (#1609)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-13 09:31:39 -07:00
peusebiu
1d01b644ea
feat(sync): sync can include self url in registry.URLs (#1562)
sync now ignores self referencing urls, this will help
in clustering mode where we can have the same config
for multiple zots

closes #1335

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 12:27:21 +03:00
peusebiu
17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback wont work!

for more info read documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00
peusebiu
7d7e4416b5
fix(nightly): fix nightly builds (#1584)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 16:50:12 +03:00
peusebiu
6932e3ffca
test: add more registries in sync blackbox tests (#1568)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-30 21:07:04 +03:00
peusebiu
377aff1853
fix(sync): fixed skipping docker images when they already synced (#1521)
before syncing an image we first check if it's already present in our storage
to do that we get the manifest from remote and compare it with the local one
but in the case of syncing docker images, because the conversion to OCI format is done while
syncing, we get a docker manifest before conversion, so sync detects that local manifest and
remote one are different, so it starts syncing again.

to overcome this, convert remote docker manifests to OCI manifests and then compare.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 11:05:52 -07:00
Lisca Ana-Roberta
988ca427b5
fix: replaced used CVE in blackbox test (#1519)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-06-15 13:22:29 +03:00
peusebiu
612a12e5a8
refactor(sync): use task scheduler (#1301)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-31 10:26:23 -07:00
Ramkumar Chinchani
9534e0b88b
chore: fix dependabot alerts (#1409)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-11 16:39:21 -07:00
LaurentiuNiculae
ea79be64da
refactor(artifact): remove oci artifact support (#1359)
* refactor(artifact): remove oci artifact support
- add header to referrers call to indicated applied artifact type filters

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(gc): simplify gc logic to increase coverage

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-10 10:15:33 -07:00