0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

655 commits

Author SHA1 Message Date
Andrei Aaron
26be383aae
fix(digests): do not mandate sha256 as the only algorithm used for hashing blobs (#2075)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-07-19 09:56:31 -07:00
Anders Bennedsgaard
8262c46ad7
Fix sync extension logging (#2537)
* fix: nil pointer dereference on localimagestore

fixes https://github.com/project-zot/zot/issues/2527

Signed-off-by: Anders Bennedsgaard <abbennedsgaard@gmail.com>

* fix: no logging from sync extension imagestore

Signed-off-by: Anders Bennedsgaard <abbennedsgaard@gmail.com>

* feat: create local imagestore not found error

Signed-off-by: Anders Bennedsgaard <abbennedsgaard@gmail.com>

* fix: add test

Signed-off-by: Anders Bennedsgaard <abbennedsgaard@gmail.com>

---------

Signed-off-by: Anders Bennedsgaard <abbennedsgaard@gmail.com>
2024-07-15 10:30:43 -07:00
peusebiu
1c2736d970
fix(storage): handle dedupe disabled in GetAllDedupeReposCandidates() (#2533)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-07-09 15:33:11 +03:00
Ramkumar Chinchani
aaee0220e4
Merge pull request from GHSA-55r9-5mx9-qq7r
when a client pushes an image zot's inline dedupe
will try to find the blob path corresponding with the blob digest
that it's currently pushed and if it's found in the cache
then zot will make a symbolic link to that cache entry and report
to the client that the blob already exists on the location.

Before this patch authorization was not applied on this process meaning
that a user could copy blobs without having permissions on the source repo.

Added a rule which says that the client should have read permissions on the source repo
before deduping, otherwise just Stat() the blob and return the corresponding status code.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Petu Eusebiu <peusebiu@cisco.com>
2024-07-08 11:35:44 -07:00
Ramkumar Chinchani
fb2edcc269
chore: fix dependabot alerts (#2486)
https://github.com/project-zot/zot/pull/2475
https://github.com/project-zot/zot/pull/2477
https://github.com/project-zot/zot/pull/2478
https://github.com/project-zot/zot/pull/2479
https://github.com/project-zot/zot/pull/2480
https://github.com/project-zot/zot/pull/2481
https://github.com/project-zot/zot/pull/2482
https://github.com/project-zot/zot/pull/2483
https://github.com/project-zot/zot/pull/2484
https://github.com/project-zot/zot/pull/2485

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-06-17 20:31:01 +03:00
peusebiu
e023936e8e
fix(ui): fix image details view (#2470)
when a UI client tries to view image details
for an image with multiple tags pointing to the same digest
we make a query to dynamodb having duplicate keys (same digest)
resulting in an error and the client is redirect back to image
overview.

closes: #2464

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-06-14 09:22:48 -07:00
Ramkumar Chinchani
f5fef2384a
chore: fix dependabot alerts (#2462)
* chore: fix dependabot alerts

https://github.com/project-zot/zot/pull/2451
https://github.com/project-zot/zot/pull/2452
https://github.com/project-zot/zot/pull/2453
https://github.com/project-zot/zot/pull/2454
https://github.com/project-zot/zot/pull/2455
https://github.com/project-zot/zot/pull/2456
https://github.com/project-zot/zot/pull/2457
https://github.com/project-zot/zot/pull/2458
https://github.com/project-zot/zot/pull/2459
https://github.com/project-zot/zot/pull/2460
https://github.com/project-zot/zot/pull/2461
https://github.com/project-zot/zot/pull/2463

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* chore: mockoidc has moved to github.com/go-jose/go-jose/v3

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* chore: quiet aws/s3 golang api deprecations

These need to be addressed in a separate PR.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-06-12 22:51:32 -07:00
peusebiu
a4b6892a9c
remove unnecessary calls to storage driver (#2432)
fix(storage): remove unnecessary calls to storage driver

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-06-04 11:39:18 -07:00
Ramkumar Chinchani
1594852428
chore: fix dependabot alerts (#2446)
* chore: fix dependabot alerts

https://github.com/project-zot/zot/pull/2435
https://github.com/project-zot/zot/pull/2436
https://github.com/project-zot/zot/pull/2437
https://github.com/project-zot/zot/pull/2438
https://github.com/project-zot/zot/pull/2439
https://github.com/project-zot/zot/pull/2440
https://github.com/project-zot/zot/pull/2441
https://github.com/project-zot/zot/pull/2442
https://github.com/project-zot/zot/pull/2443
https://github.com/project-zot/zot/pull/2444
https://github.com/project-zot/zot/pull/2445
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* fix(zli): _schema query in zli code should not use empty parens

Fix also some tests
See https://github.com/vektah/gqlparser/issues/292 and https://github.com/vektah/gqlparser/pull/293

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2024-06-04 13:54:30 +03:00
Vishwas Rajashekar
767f81d4f5
feat(sync): support for periodic repo sync in scale-out cluster (#2424)
This commit includes support for periodic repo sync in a scale-out
cluster.
Before this commit, all cluster members would sync all the repos as
the config is shared.

With this change, in periodic sync, the cluster member checks whether
it manages the repo. If it does not manage the repo, it will skip the
sync.

This commit also includes a unit test to test on-demand sync too, but
there are no logic changes for it as it is implicitly handled by the
proxying logic.

Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
2024-05-31 09:25:34 -07:00
Andrei Aaron
2bb46b0562
chore: fix dependabot alerts (#2431)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-05-27 14:37:27 -07:00
Vishwas R
5ae7a028d9
feat(cluster): Add support for request proxying for scale out (#2385)
* feat(cluster): initial commit for scale-out cluster

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* feat(cluster): support shared storage scale out

This change introduces support for shared storage backed
zot cluster scale out.

New feature
Multiple stateless zot instances can run using the same shared
storage backend where each instance looks at a specific set
of repositories based on a siphash of the repository name to improve
scale as the load is distributed across multiple instances.
For a given config, there will only be one instance that can perform
dist-spec read/write on a given repository.

What's changed?
- introduced a transparent request proxy for dist-spec endpoints based on
siphash of repository name.
- new config for scale out cluster that specifies list of
cluster members.

Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-05-20 09:05:21 -07:00
Vishwas R
be5ad66797
refactor(http): refactor http client to accept more customisable options (#2414)
refactor(http): refactor http client to take options struct

This commit updates the arguments for the `CreateHTTPClient`
function to consume a struct which can be extended as required.
It replaces the certPath argument with a struct of 3 paths for
client ertificate, client key, and ca cert. It also adds
a TLSEnabled option for when an HTTP Client is required
without any further TLS config.

Existing consumers of this function have been updated so that
they can work as they do today. This change is a no-op for
existing features.

This allows for certificate paths to be customised and
allows other modules to re-use the same HTTP client and get
the benefits of mTLS support and per-host certificates.

Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
2024-05-06 13:43:41 -07:00
Ramkumar Chinchani
186855b5f8
fix: additional input validation for CVE graphQL query (#2408)
It is possible to ask for a very large limit size which can exhaust
memory.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-04-24 09:23:17 +03:00
Ramiro Algozino
0160c9fc6b
fix(cli/server): serve command expected positional args (#2382)
fix(cli/server): serve command expected positinal args
Expect exactly one positional argument for the serve command with the
path to the config file.

Signed-off-by: Ramiro Algozino <ramiro@sighup.io>
2024-04-11 09:51:41 -07:00
Ramkumar Chinchani
6b3c160176
chore: fix dependabot alerts (#2377)
https://github.com/project-zot/zot/pull/2368
https://github.com/project-zot/zot/pull/2369
https://github.com/project-zot/zot/pull/2370
https://github.com/project-zot/zot/pull/2371
https://github.com/project-zot/zot/pull/2372
https://github.com/project-zot/zot/pull/2373
https://github.com/project-zot/zot/pull/2374
https://github.com/project-zot/zot/pull/2375
https://github.com/project-zot/zot/pull/2376

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-04-09 10:40:16 +03:00
Andrei Aaron
864cd00b9e
fix: Allow GET requests on repositories not found in metadb (#2351)
The issue was reported on Slack.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-03-26 18:38:58 +02:00
Vishwas R
aa53782e5c
feat: show brief package list in image CVE listings (#2338)
Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
2024-03-25 10:36:14 -07:00
Andrei Aaron
8b4abc6ef6
Add a job to check zot config examples (and fix existing examples) (#2322)
* fix: Add credentials config verification

(cherry picked from commit e7fdfa0bcc)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* fix: Update golang version to 1.21.x

Signed-off-by: onidoru <25552941+onidoru@users.noreply.github.com>
Signed-off-by: Nikita Kotikov <25552941+onidoru@users.noreply.github.com>
(cherry picked from commit cbc0f89dfb)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* fix: LDAP credentials files are now required, add more tests

Signed-off-by: onidoru <25552941+onidoru@users.noreply.github.com>
Signed-off-by: Nikita Kotikov <25552941+onidoru@users.noreply.github.com>
(cherry picked from commit b74366d50b)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* fix: Update error handling, add more tests

Signed-off-by: onidoru <25552941+onidoru@users.noreply.github.com>
Signed-off-by: Nikita Kotikov <25552941+onidoru@users.noreply.github.com>
(cherry picked from commit 8a61bbc2d4)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* fix: Add coverage

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: onidoru <25552941+onidoru@users.noreply.github.com>
Signed-off-by: Nikita Kotikov <25552941+onidoru@users.noreply.github.com>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: onidoru <onidoru@yahoo.com>
Co-authored-by: Nikita Kotikov <25552941+onidoru@users.noreply.github.com>
2024-03-21 10:23:37 -07:00
Ramkumar Chinchani
28e9aabecf
chore: fix dependabot alerts (#2331)
https://github.com/project-zot/zot/pull/2324
https://github.com/project-zot/zot/pull/2325
https://github.com/project-zot/zot/pull/2326
https://github.com/project-zot/zot/pull/2327
https://github.com/project-zot/zot/pull/2328
https://github.com/project-zot/zot/pull/2329

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-03-20 07:37:29 +02:00
Ramkumar Chinchani
fdb401273c
fix: ignore metadb errors if tag not found (#2301) 2024-03-13 07:28:08 +02:00
Vishwas R
c7472a2dda
feat: add verbose mode for cves for image listing (#2308)
Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
2024-03-12 13:38:48 -07:00
Ramkumar Chinchani
18235ca254
fix(oras)!: remove ORAS artifact references support (#2294)
* fix(oras)!: remove ORAS artifact references support

ORAS artifacts/references predated OCI dist-spec 1.1.0 which now has the
same functionality and likely to see wider adoption.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: update to released official images

So that they are unlikely to be deleted.
*-rc images may be cleaned up over time.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-03-06 12:16:42 -08:00
LaurentiuNiculae
5039128723
feat(cve): cli cve diff (#2242)
* feat(gql): add new query for diff of cves for 2 images

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(cli): add cli for cve diff

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2024-03-06 10:40:29 +02:00
peusebiu
6f00e843a0
fix(sync): sync generator now backs off on errors (#2272)
handle unsupported features like oci artifacts.

closes: #2238

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-03-04 09:44:11 -08:00
peusebiu
740eae8f26
fix(sync): better cleaning sync's download dir (#2273)
added cleanup in the case of copy.Image() failures.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-02-29 09:09:21 -08:00
Ramkumar Chinchani
565eca2609
chore: fix dependabot alerts (#2268)
https://github.com/project-zot/zot/pull/2258
https://github.com/project-zot/zot/pull/2259
https://github.com/project-zot/zot/pull/2260
https://github.com/project-zot/zot/pull/2261
https://github.com/project-zot/zot/pull/2262
https://github.com/project-zot/zot/pull/2263
https://github.com/project-zot/zot/pull/2264
https://github.com/project-zot/zot/pull/2265
https://github.com/project-zot/zot/pull/2266
https://github.com/project-zot/zot/pull/2267

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2024-02-20 21:51:40 +02:00
Andrei Aaron
4e5db84cb1
chore: update image-spec and dist spec to 1.1.0 (#2255)
BREAKING CHANGE: the dist spec version in the config files needs to be bumped to 1.1.0
in order for the config verification to pass without warnings.

Also fix 1 dependabot alert for helm.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-20 13:27:21 +02:00
Andrei Aaron
6c953d6400
test: fix flacky coverage in cookiestore cleanup tests (#2257)
Refactor and add more coverage to test flacky coverage in case sessions
which are already deleted are flagged as expired/for deletion.

See coverage drop in pkg/api/cookiestore.go:
8e68255946/indirect-changes

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-19 14:43:30 -08:00
Andrei Aaron
2d2e005449
fix(npe): handle case where os.Stat returns different error types in DirExists (#2253)
See https://github.com/project-zot/zot/actions/runs/7905369535/job/21577848110

Also add tests to fix some of the coverage fluctuations.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-18 08:00:00 +02:00
Vishwas R
0aa6bf0fff
feat: include PackagePath data in CVEs for image queries (#2241)
Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
2024-02-15 13:19:49 -08:00
peusebiu
8e68255946
fix(sync): added bearer client for sync (#2222)
fixed ping function taking too much time

closes: #2213 #2212

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-02-14 09:18:10 -08:00
Andrei Aaron
d0eb043be5
feat: Get the image LastUpdated timestamp from annotations (#2240)
Fallback to Created field and the History entries in the image config
only if the annotation "org.opencontainers.image.created" is not available

closes #2210

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-14 09:14:24 -08:00
Andreea Lupu
55acce6923
feat(graphql): filter CVEs by severity (#2246)
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2024-02-14 09:11:57 -08:00
LaurentiuNiculae
de90abd5dc
style(metadb): use type aliases for metadb types to be easier to read (#2043)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2024-02-14 09:08:08 -08:00
peusebiu
5b83937d40
fix(tests): fixed inconsistent sync test (#2237)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-02-08 18:28:59 +02:00
Andrei Aaron
60dc8569ec
build(go): switch to go 1.21 (#2049)
Also update to the latest swaggo version, as the previous one did not work with go 1.21

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-07 10:54:28 -08:00
Andrei Aaron
6a83dd47c0
fix(scheduler): the session cleanup generator is reset too often (#2220)
This causes the "fair" scheduler to run it too often in the detriment of other generators.
The intention was to run it every 2 hours but the measurement unit for 7200 was not specified.

Add more logs, including showing a generator name, in order to troubleshoot this kind of issues easier in the future.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-02-01 09:15:53 -08:00
Andrei Aaron
ce4924f841
refactor: rename go module from zotregistry.io/zot to zotregistry.dev/zot (#2187)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-01-31 20:34:07 -08:00
Andrei Aaron
a2b923b6fd
feat(search): search for a specific tag cross-repo (#2211)
Syntax to search for `<tag_name>` accross all repos is `:<tag_name>`

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-01-30 09:12:41 -08:00
Andreea Lupu
ddba1b7baf
fix(scrub): hold locks per image not per repo while executing scrub (#2180)
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2024-01-25 11:12:21 -08:00
LaurentiuNiculae
1785688b7c
feat(ldap): hot reloading ldap credentials on change (#2167)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2024-01-25 09:15:22 -08:00
Andrei Aaron
8215766720
fix: the scheduler is now fair (#2158)
Generators are now ordered by rank in the priority queue.

The rank computation formula is:
- 100/(1+generated_task_count) for high priority tasks
- 10/(1+generated_task_count) for medium priority tasks
- 1/(1+generated_task_count) for low priority tasks

Note the ranks are used when comparing generators both with the same priority and with different priority.
So now we are:
- giving an opportunity to all generators with the same priority to take turns generating tasks
- giving roughly 1 low priority and 10 medium priority tasks the opportunity to run for every 100 high priority tasks running.

After a generator generates a task, the generators are reordered in the priority queue based on rank.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-01-25 09:05:47 -08:00
peusebiu
e9ab520905
fix(bearer): fixed /v2/ route not implementing token spec (#2176)
We use chartmuseum lib for handling bearer requests, which is not
implementing the token spec, mainly it expects "scope" parameter
to be given on every request, even for /v2/ route which doesn't represent
a resource.

Handle this /v2/ route inside our code.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-01-22 09:15:27 -08:00
Andrei Aaron
ed6be0580e
refactor: replace deprecated APIs for creating images in the search tests (#2173)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-01-22 09:10:34 -08:00
LaurentiuNiculae
3f97f878fd
feat(cve): add option to exclude string from cve search (#2163)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2024-01-19 12:59:42 -08:00
Andrei Aaron
8467a80a50
refactor: update tests to use the newer API for creating test images (#2168)
- update cve tests
- update scrub tests
- update tests for parsing storage and loading into meta DB
- update controller tests

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-01-17 10:20:07 -08:00
peusebiu
ee9bbb0bf2
feat(log): print traceback when panics occur (#2166)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-01-16 09:08:14 -08:00
peusebiu
d1bf713573
fix: excessive memory usage (#2164)
instead of reading entire files before calculating their digests
stream them by using their Reader method.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-01-16 09:04:36 -08:00
peusebiu
0bed25dddd
feat(config): handle config files with no explicit extension (#2147)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2024-01-15 13:10:56 +02:00