mirror of
https://github.com/project-zot/zot.git
synced 2025-01-20 22:52:51 -05:00
b80deb9927
unified both local and s3 ImageStore logic into a single ImageStore added a new driver interface for common file/dirs manipulations to be implemented by different storage types refactor(gc): drop umoci dependency, implemented internal gc added retentionDelay config option that specifies the garbage collect delay for images without tags this will also clean manifests which are part of an index image (multiarch) that no longer exist. fix(dedupe): skip blobs under .sync/ directory if startup dedupe is running while also syncing is running ignore blobs under sync's temporary storage fix(storage): do not allow image indexes modifications when deleting a manifest verify that it is not part of a multiarch image and throw a MethodNotAllowed error to the client if it is. we don't want to modify multiarch images Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
254 lines
8.5 KiB
Go
254 lines
8.5 KiB
Go
package storage
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/docker/distribution/registry/storage/driver/factory"
|
|
"github.com/gobwas/glob"
|
|
notreg "github.com/notaryproject/notation-go/registry"
|
|
godigest "github.com/opencontainers/go-digest"
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
|
|
|
"zotregistry.io/zot/errors"
|
|
"zotregistry.io/zot/pkg/api/config"
|
|
zcommon "zotregistry.io/zot/pkg/common"
|
|
"zotregistry.io/zot/pkg/extensions/monitoring"
|
|
"zotregistry.io/zot/pkg/log"
|
|
common "zotregistry.io/zot/pkg/storage/common"
|
|
"zotregistry.io/zot/pkg/storage/constants"
|
|
"zotregistry.io/zot/pkg/storage/local"
|
|
"zotregistry.io/zot/pkg/storage/s3"
|
|
storageTypes "zotregistry.io/zot/pkg/storage/types"
|
|
)
|
|
|
|
func New(config *config.Config, linter common.Lint, metrics monitoring.MetricServer,
|
|
log log.Logger,
|
|
) (StoreController, error) {
|
|
storeController := StoreController{}
|
|
|
|
if config.Storage.RootDirectory == "" {
|
|
// we can't proceed without global storage
|
|
log.Error().Err(errors.ErrImgStoreNotFound).Msg("controller: no storage config provided")
|
|
|
|
return storeController, errors.ErrImgStoreNotFound
|
|
}
|
|
|
|
// no need to validate hard links work on s3
|
|
if config.Storage.Dedupe && config.Storage.StorageDriver == nil {
|
|
err := local.ValidateHardLink(config.Storage.RootDirectory)
|
|
if err != nil {
|
|
log.Warn().Msg("input storage root directory filesystem does not supports hardlinking," +
|
|
"disabling dedupe functionality")
|
|
|
|
config.Storage.Dedupe = false
|
|
}
|
|
}
|
|
|
|
var defaultStore storageTypes.ImageStore
|
|
|
|
if config.Storage.StorageDriver == nil {
|
|
// false positive lint - linter does not implement Lint method
|
|
//nolint:typecheck,contextcheck
|
|
rootDir := config.Storage.RootDirectory
|
|
defaultStore = local.NewImageStore(rootDir,
|
|
config.Storage.GC, config.Storage.GCReferrers, config.Storage.GCDelay, config.Storage.UntaggedImageRetentionDelay,
|
|
config.Storage.Dedupe, config.Storage.Commit, log, metrics, linter,
|
|
CreateCacheDatabaseDriver(config.Storage.StorageConfig, log),
|
|
)
|
|
} else {
|
|
storeName := fmt.Sprintf("%v", config.Storage.StorageDriver["name"])
|
|
if storeName != constants.S3StorageDriverName {
|
|
log.Fatal().Err(errors.ErrBadConfig).Str("storageDriver", storeName).
|
|
Msg("unsupported storage driver")
|
|
}
|
|
// Init a Storager from connection string.
|
|
store, err := factory.Create(storeName, config.Storage.StorageDriver)
|
|
if err != nil {
|
|
log.Error().Err(err).Str("rootDir", config.Storage.RootDirectory).Msg("unable to create s3 service")
|
|
|
|
return storeController, err
|
|
}
|
|
|
|
/* in the case of s3 config.Storage.RootDirectory is used for caching blobs locally and
|
|
config.Storage.StorageDriver["rootdirectory"] is the actual rootDir in s3 */
|
|
rootDir := "/"
|
|
if config.Storage.StorageDriver["rootdirectory"] != nil {
|
|
rootDir = fmt.Sprintf("%v", config.Storage.StorageDriver["rootdirectory"])
|
|
}
|
|
|
|
// false positive lint - linter does not implement Lint method
|
|
//nolint: typecheck,contextcheck
|
|
defaultStore = s3.NewImageStore(rootDir, config.Storage.RootDirectory,
|
|
config.Storage.GC, config.Storage.GCReferrers, config.Storage.GCDelay,
|
|
config.Storage.UntaggedImageRetentionDelay, config.Storage.Dedupe,
|
|
config.Storage.Commit, log, metrics, linter, store,
|
|
CreateCacheDatabaseDriver(config.Storage.StorageConfig, log))
|
|
}
|
|
|
|
storeController.DefaultStore = defaultStore
|
|
|
|
if config.Storage.SubPaths != nil {
|
|
if len(config.Storage.SubPaths) > 0 {
|
|
subPaths := config.Storage.SubPaths
|
|
|
|
//nolint: contextcheck
|
|
subImageStore, err := getSubStore(config, subPaths, linter, metrics, log)
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("controller: error getting sub image store")
|
|
|
|
return storeController, err
|
|
}
|
|
|
|
storeController.SubStore = subImageStore
|
|
}
|
|
}
|
|
|
|
return storeController, nil
|
|
}
|
|
|
|
func getSubStore(cfg *config.Config, subPaths map[string]config.StorageConfig,
|
|
linter common.Lint, metrics monitoring.MetricServer, log log.Logger,
|
|
) (map[string]storageTypes.ImageStore, error) {
|
|
imgStoreMap := make(map[string]storageTypes.ImageStore, 0)
|
|
|
|
subImageStore := make(map[string]storageTypes.ImageStore)
|
|
|
|
// creating image store per subpaths
|
|
for route, storageConfig := range subPaths {
|
|
// no need to validate hard links work on s3
|
|
if storageConfig.Dedupe && storageConfig.StorageDriver == nil {
|
|
err := local.ValidateHardLink(storageConfig.RootDirectory)
|
|
if err != nil {
|
|
log.Warn().Msg("input storage root directory filesystem does not supports hardlinking, " +
|
|
"disabling dedupe functionality")
|
|
|
|
storageConfig.Dedupe = false
|
|
}
|
|
}
|
|
|
|
if storageConfig.StorageDriver == nil {
|
|
// Compare if subpath root dir is same as default root dir
|
|
isSame, _ := config.SameFile(cfg.Storage.RootDirectory, storageConfig.RootDirectory)
|
|
|
|
if isSame {
|
|
log.Error().Err(errors.ErrBadConfig).Msg("sub path storage directory is same as root directory")
|
|
|
|
return nil, errors.ErrBadConfig
|
|
}
|
|
|
|
isUnique := true
|
|
|
|
// Compare subpath unique files
|
|
for file := range imgStoreMap {
|
|
// We already have image storage for this file
|
|
if compareImageStore(file, storageConfig.RootDirectory) {
|
|
subImageStore[route] = imgStoreMap[file]
|
|
|
|
isUnique = false
|
|
}
|
|
}
|
|
|
|
// subpath root directory is unique
|
|
// add it to uniqueSubFiles
|
|
// Create a new image store and assign it to imgStoreMap
|
|
if isUnique {
|
|
rootDir := storageConfig.RootDirectory
|
|
imgStoreMap[storageConfig.RootDirectory] = local.NewImageStore(rootDir,
|
|
storageConfig.GC, storageConfig.GCReferrers, storageConfig.GCDelay,
|
|
storageConfig.UntaggedImageRetentionDelay, storageConfig.Dedupe,
|
|
storageConfig.Commit, log, metrics, linter,
|
|
CreateCacheDatabaseDriver(storageConfig, log),
|
|
)
|
|
|
|
subImageStore[route] = imgStoreMap[storageConfig.RootDirectory]
|
|
}
|
|
} else {
|
|
storeName := fmt.Sprintf("%v", storageConfig.StorageDriver["name"])
|
|
if storeName != constants.S3StorageDriverName {
|
|
log.Fatal().Err(errors.ErrBadConfig).Str("storageDriver", storeName).
|
|
Msg("unsupported storage driver")
|
|
}
|
|
|
|
// Init a Storager from connection string.
|
|
store, err := factory.Create(storeName, storageConfig.StorageDriver)
|
|
if err != nil {
|
|
log.Error().Err(err).Str("rootDir", storageConfig.RootDirectory).Msg("Unable to create s3 service")
|
|
|
|
return nil, err
|
|
}
|
|
|
|
/* in the case of s3 c.Config.Storage.RootDirectory is used for caching blobs locally and
|
|
c.Config.Storage.StorageDriver["rootdirectory"] is the actual rootDir in s3 */
|
|
rootDir := "/"
|
|
if cfg.Storage.StorageDriver["rootdirectory"] != nil {
|
|
rootDir = fmt.Sprintf("%v", cfg.Storage.StorageDriver["rootdirectory"])
|
|
}
|
|
|
|
// false positive lint - linter does not implement Lint method
|
|
//nolint: typecheck
|
|
subImageStore[route] = s3.NewImageStore(rootDir, storageConfig.RootDirectory,
|
|
storageConfig.GC, storageConfig.GCReferrers, storageConfig.GCDelay,
|
|
storageConfig.UntaggedImageRetentionDelay, storageConfig.Dedupe,
|
|
storageConfig.Commit, log, metrics, linter, store,
|
|
CreateCacheDatabaseDriver(storageConfig, log),
|
|
)
|
|
}
|
|
}
|
|
|
|
return subImageStore, nil
|
|
}
|
|
|
|
func compareImageStore(root1, root2 string) bool {
|
|
isSameFile, err := config.SameFile(root1, root2)
|
|
// This error is path error that means either of root directory doesn't exist, in that case do string match
|
|
if err != nil {
|
|
return strings.EqualFold(root1, root2)
|
|
}
|
|
|
|
return isSameFile
|
|
}
|
|
|
|
// CheckIsImageSignature checks if the given image (repo:tag) represents a signature. The function
|
|
// returns:
|
|
//
|
|
// - bool: if the image is a signature or not
|
|
//
|
|
// - string: the type of signature
|
|
//
|
|
// - string: the digest of the image it signs
|
|
//
|
|
// - error: any errors that occur.
|
|
func CheckIsImageSignature(repoName string, manifestBlob []byte, reference string,
|
|
) (bool, string, godigest.Digest, error) {
|
|
var manifestContent ispec.Manifest
|
|
|
|
err := json.Unmarshal(manifestBlob, &manifestContent)
|
|
if err != nil {
|
|
return false, "", "", err
|
|
}
|
|
|
|
manifestArtifactType := zcommon.GetManifestArtifactType(manifestContent)
|
|
|
|
// check notation signature
|
|
if manifestArtifactType == notreg.ArtifactTypeNotation && manifestContent.Subject != nil {
|
|
return true, NotationType, manifestContent.Subject.Digest, nil
|
|
}
|
|
|
|
// check cosign
|
|
cosignTagRule := glob.MustCompile("sha256-*.sig")
|
|
|
|
if tag := reference; cosignTagRule.Match(reference) {
|
|
prefixLen := len("sha256-")
|
|
digestLen := 64
|
|
signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen]
|
|
|
|
signedImageManifestDigest := godigest.NewDigestFromEncoded(godigest.SHA256,
|
|
signedImageManifestDigestEncoded)
|
|
|
|
return true, CosignType, signedImageManifestDigest, nil
|
|
}
|
|
|
|
return false, "", "", nil
|
|
}
|