OCI media types; annotation support; oci index

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-09-19 18:02:52 +00:00 · 2017-07-11 14:19:47 -05:00
parent 6fcea22b0a
commit c94f28805e
11 changed files with 102 additions and 90 deletions
--- a/registry/handlers/manifests.go
+++ b/registry/handlers/manifests.go
@@ -18,6 +18,7 @@ import (
 	"github.com/docker/distribution/registry/auth"
 	"github.com/gorilla/handlers"
 	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go/v1"
 )

 // These constants determine which architecture and OS to choose from a
@@ -76,7 +77,7 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 	supportsSchema2 := false
 	supportsManifestList := false
 	supportsOCISchema := false
-	supportsOCIManifestList := false
+	supportsOCIImageIndex := false
 	// this parsing of Accept headers is not quite as full-featured as godoc.org's parser, but we don't care about "q=" values
 	// https://github.com/golang/gddo/blob/e91d4165076d7474d20abda83f92d15c7ebc3e81/httputil/header/header.go#L165-L202
 	for _, acceptHeader := range r.Header["Accept"] {
@@ -100,15 +101,15 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 			if mediaType == manifestlist.MediaTypeManifestList {
 				supportsManifestList = true
 			}
-			if mediaType == ocischema.MediaTypeManifest {
+			if mediaType == v1.MediaTypeImageManifest {
 				supportsOCISchema = true
 			}
-			if mediaType == manifestlist.MediaTypeOCIManifestList {
-				supportsOCIManifestList = true
+			if mediaType == v1.MediaTypeImageIndex {
+				supportsOCIImageIndex = true
 			}
 		}
 	}
-	supportsOCI := supportsOCISchema || supportsOCIManifestList
+	supportsOCI := supportsOCISchema || supportsOCIImageIndex

 	var manifest distribution.Manifest
 	if imh.Tag != "" {
@@ -151,15 +152,15 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)

 	schema2Manifest, isSchema2 := manifest.(*schema2.DeserializedManifest)
 	manifestList, isManifestList := manifest.(*manifestlist.DeserializedManifestList)
-	isAnOCIManifest := isSchema2 && (schema2Manifest.MediaType == ocischema.MediaTypeManifest)
-	isAnOCIManifestList := isManifestList && (manifestList.MediaType == manifestlist.MediaTypeOCIManifestList)
+	isAnOCIManifest := isSchema2 && (schema2Manifest.MediaType == v1.MediaTypeImageManifest)
+	isAnOCIImageIndex := isManifestList && (manifestList.MediaType == v1.MediaTypeImageIndex)

 	if (isSchema2 && !isAnOCIManifest) && (supportsOCISchema && !supportsSchema2) {
 		fmt.Printf("\n\nmanifest is schema2, but accept header only supports OCISchema \n\n")
 		w.WriteHeader(http.StatusNotFound)
 		return
 	}
-	if (isManifestList && !isAnOCIManifestList) && (supportsOCIManifestList && !supportsManifestList) {
+	if (isManifestList && !isAnOCIImageIndex) && (supportsOCIImageIndex && !supportsManifestList) {
 		fmt.Printf("\n\nmanifestlist is not OCI, but accept header only supports an OCI manifestlist\n\n")
 		w.WriteHeader(http.StatusNotFound)
 		return
@@ -169,7 +170,7 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 		w.WriteHeader(http.StatusNotFound)
 		return
 	}
-	if isAnOCIManifestList && (!supportsOCIManifestList && supportsManifestList) {
+	if isAnOCIImageIndex && (!supportsOCIImageIndex && supportsManifestList) {
 		fmt.Printf("\n\nmanifestlist is OCI, but accept header only supports non-OCI manifestlists\n\n")
 		w.WriteHeader(http.StatusNotFound)
 		return
@@ -185,7 +186,7 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 		if err != nil {
 			return
 		}
-	} else if imh.Tag != "" && isManifestList && !(supportsManifestList || supportsOCIManifestList) {
+	} else if imh.Tag != "" && isManifestList && !(supportsManifestList || supportsOCIImageIndex) {
 		// Rewrite manifest in schema1 format
 		ctxu.GetLogger(imh).Infof("rewriting manifest list %s in schema1 format to support old client", imh.Digest.String())

@@ -243,7 +244,7 @@ func (imh *manifestHandler) GetImageManifest(w http.ResponseWriter, r *http.Requ
 	supportsSchema2 := false
 	supportsManifestList := false
 	supportsOCISchema := false
-	supportsOCIManifestList := false
+	supportsOCIImageIndex := false

 	// this parsing of Accept headers is not quite as full-featured as godoc.org's parser, but we don't care about "q=" values
 	// https://github.com/golang/gddo/blob/e91d4165076d7474d20abda83f92d15c7ebc3e81/httputil/header/header.go#L165-L202
@@ -268,15 +269,15 @@ func (imh *manifestHandler) GetImageManifest(w http.ResponseWriter, r *http.Requ
 			if mediaType == manifestlist.MediaTypeManifestList {
 				supportsManifestList = true
 			}
-			if mediaType == ocischema.MediaTypeManifest {
+			if mediaType == v1.MediaTypeImageManifest {
 				supportsOCISchema = true
 			}
-			if mediaType == manifestlist.MediaTypeOCIManifestList {
-				supportsOCIManifestList = true
+			if mediaType == v1.MediaTypeImageIndex {
+				supportsOCIImageIndex = true
 			}
 		}
 	}
-	supportsOCI := supportsOCISchema || supportsOCIManifestList
+	supportsOCI := supportsOCISchema || supportsOCIImageIndex

 	ctxu.GetLogger(imh).Debug("GetImageManifest")
 	manifests, err := imh.Repository.Manifests(imh)
@@ -325,14 +326,14 @@ func (imh *manifestHandler) GetImageManifest(w http.ResponseWriter, r *http.Requ

 	schema2Manifest, isSchema2 := manifest.(*schema2.DeserializedManifest)
 	manifestList, isManifestList := manifest.(*manifestlist.DeserializedManifestList)
-	isAnOCIManifest := isSchema2 && (schema2Manifest.MediaType == ocischema.MediaTypeManifest)
-	isAnOCIManifestList := isManifestList && (manifestList.MediaType == manifestlist.MediaTypeOCIManifestList)
+	isAnOCIManifest := isSchema2 && (schema2Manifest.MediaType == v1.MediaTypeImageManifest)
+	isAnOCIImageIndex := isManifestList && (manifestList.MediaType == v1.MediaTypeImageIndex)

 	badCombinations := [][]bool{
 		{isSchema2 && !isAnOCIManifest, supportsOCISchema && !supportsSchema2},
-		{isManifestList && !isAnOCIManifestList, supportsOCIManifestList && !supportsManifestList},
+		{isManifestList && !isAnOCIImageIndex, supportsOCIImageIndex && !supportsManifestList},
 		{isAnOCIManifest, !supportsOCISchema && supportsSchema2},
-		{isAnOCIManifestList, !supportsOCIManifestList && supportsManifestList},
+		{isAnOCIImageIndex, !supportsOCIImageIndex && supportsManifestList},
 	}
 	for i, combo := range badCombinations {
 		if combo[0] && combo[1] {
@@ -360,7 +361,7 @@ func (imh *manifestHandler) GetImageManifest(w http.ResponseWriter, r *http.Requ
 		if err != nil {
 			return
 		}
-	} else if imh.Tag != "" && isManifestList && !(supportsManifestList || supportsOCIManifestList) {
+	} else if imh.Tag != "" && isManifestList && !(supportsManifestList || supportsOCIImageIndex) {
 		// Rewrite manifest in schema1 format
 		dcontext.GetLogger(imh).Infof("rewriting manifest list %s in schema1 format to support old client", imh.Digest.String())

@@ -499,7 +500,7 @@ func (imh *manifestHandler) PutManifest(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	isAnOCIManifest := mediaType == ocischema.MediaTypeManifest || mediaType == manifestlist.MediaTypeOCIManifestList
+	isAnOCIManifest := mediaType == v1.MediaTypeImageManifest || mediaType == v1.MediaTypeImageIndex

 	if isAnOCIManifest {
 		fmt.Printf("\n\nPutting an OCI Manifest!\n\n\n")
@@ -615,6 +616,14 @@ func (imh *manifestHandler) applyResourcePolicy(manifest distribution.Manifest)
 			message := fmt.Sprintf("unknown manifest class for %s", m.Config.MediaType)
 			return errcode.ErrorCodeDenied.WithMessage(message)
 		}
+	case *ocischema.DeserializedManifest:
+		switch m.Config.MediaType {
+		case v1.MediaTypeImageConfig:
+			class = "image"
+		default:
+			message := fmt.Sprintf("unknown manifest class for %s", m.Config.MediaType)
+			return errcode.ErrorCodeDenied.WithMessage(message)
+		}
 	}

 	if class == "" {
--- a/registry/storage/manifeststore.go
+++ b/registry/storage/manifeststore.go
@@ -13,6 +13,7 @@ import (
 	"github.com/docker/distribution/manifest/schema1"
 	"github.com/docker/distribution/manifest/schema2"
 	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go/v1"
 )

 // A ManifestHandler gets and puts manifests of a particular type.
@@ -101,9 +102,9 @@ func (ms *manifestStore) Get(ctx context.Context, dgst digest.Digest, options ..
 		switch versioned.MediaType {
 		case schema2.MediaTypeManifest:
 			return ms.schema2Handler.Unmarshal(ctx, dgst, content)
-		case ocischema.MediaTypeManifest:
+		case v1.MediaTypeImageManifest:
 			return ms.ocischemaHandler.Unmarshal(ctx, dgst, content)
-		case manifestlist.MediaTypeManifestList, manifestlist.MediaTypeOCIManifestList:
+		case manifestlist.MediaTypeManifestList, v1.MediaTypeImageIndex:
 			return ms.manifestListHandler.Unmarshal(ctx, dgst, content)
 		default:
 			return nil, distribution.ErrManifestVerification{fmt.Errorf("unrecognized manifest content type %s", versioned.MediaType)}
--- a/registry/storage/ocimanifesthandler.go
+++ b/registry/storage/ocimanifesthandler.go
@@ -9,6 +9,7 @@ import (
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go/v1"
 )

 //ocischemaManifestHandler is a ManifestHandler that covers ocischema manifests.
@@ -79,7 +80,8 @@ func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst oc
 		var err error

 		switch descriptor.MediaType {
-		case ocischema.MediaTypeForeignLayer:
+		// TODO: mikebrow/steveoe verify we should treat oci nondistributable like foreign layers?
+		case v1.MediaTypeImageLayerNonDistributable, v1.MediaTypeImageLayerNonDistributableGzip:
 			// Clients download this layer from an external URL, so do not check for
 			// its presense.
 			if len(descriptor.URLs) == 0 {
@@ -95,7 +97,7 @@ func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst oc
 					break
 				}
 			}
-		case ocischema.MediaTypeManifest:
+		case v1.MediaTypeImageManifest:
 			var exists bool
 			exists, err = manifestService.Exists(ctx, descriptor.Digest)
 			if err != nil || !exists {
--- a/registry/storage/ocimanifesthandler_test.go
+++ b/registry/storage/ocimanifesthandler_test.go
@@ -9,9 +9,10 @@ import (
 	"github.com/docker/distribution/manifest"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/docker/distribution/registry/storage/driver/inmemory"
+	"github.com/opencontainers/image-spec/specs-go/v1"
 )

-func TestVerifyOCIManifestForeignLayer(t *testing.T) {
+func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
 	ctx := context.Background()
 	inmemoryDriver := inmemory.New()
 	registry := createRegistry(t, inmemoryDriver,
@@ -20,26 +21,26 @@ func TestVerifyOCIManifestForeignLayer(t *testing.T) {
 	repo := makeRepository(t, registry, "test")
 	manifestService := makeManifestService(t, repo)

-	config, err := repo.Blobs(ctx).Put(ctx, ocischema.MediaTypeConfig, nil)
+	config, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageConfig, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

-	layer, err := repo.Blobs(ctx).Put(ctx, ocischema.MediaTypeLayer, nil)
+	layer, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageLayerGzip, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

-	foreignLayer := distribution.Descriptor{
+	nonDistributableLayer := distribution.Descriptor{
 		Digest:    "sha256:463435349086340864309863409683460843608348608934092322395278926a",
 		Size:      6323,
-		MediaType: ocischema.MediaTypeForeignLayer,
+		MediaType: v1.MediaTypeImageLayerNonDistributableGzip,
 	}

 	template := ocischema.Manifest{
 		Versioned: manifest.Versioned{
 			SchemaVersion: 2,
-			MediaType:     ocischema.MediaTypeManifest,
+			MediaType:     v1.MediaTypeImageManifest,
 		},
 		Config: config,
 	}
@@ -52,58 +53,58 @@ func TestVerifyOCIManifestForeignLayer(t *testing.T) {

 	cases := []testcase{
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			nil,
 			errMissingURL,
 		},
 		{
-			// regular layers may have foreign urls
+			// regular layers may have foreign urls (non-Distributable Layers)
 			layer,
 			[]string{"http://foo/bar"},
 			nil,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"file:///local/file"},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"http://foo/bar#baz"},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{""},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"https://foo/bar", ""},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"", "https://foo/bar"},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"http://nope/bar"},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"http://foo/nope"},
 			errInvalidURL,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"http://foo/bar"},
 			nil,
 		},
 		{
-			foreignLayer,
+			nonDistributableLayer,
 			[]string{"https://foo/bar"},
 			nil,
 		},