Merge pull request #54 from riyazdf/trust-tag-fix

trust: always tag after pull

cmd/moby/docker.go

@@ -120,17 +120,27 @@ func dockerRm(container string) error {
 
 func dockerPull(image string, trustedPull bool) error {
 	log.Debugf("docker pull: %s", image)
+	cli, err := dockerClient()
+	if err != nil {
+		return errors.New("could not initialize Docker API client")
+	}
+
 	if trustedPull {
 		log.Debugf("pulling %s with content trust", image)
 		trustedImg, err := TrustedReference(image)
 		if err != nil {
 			return fmt.Errorf("Trusted pull for %s failed: %v", image, err)
 		}
-		image = trustedImg.String()
+
+		// tag the image on a best-effort basis after pulling with content trust,
+		// ensuring that docker picks up the tag and digest fom the canonical format
+		defer func(src, dst string) {
+			if err := cli.ImageTag(context.Background(), src, dst); err != nil {
+				log.Debugf("could not tag trusted image %s to %s", src, dst)
 			}
-	cli, err := dockerClient()
+		}(trustedImg.String(), image)
-	if err != nil {
+
-		return errors.New("could not initialize Docker API client")
+		image = trustedImg.String()
 	}
 
 	r, err := cli.ImagePull(context.Background(), image, types.ImagePullOptions{})

test/test.yml

@@ -1,44 +1,22 @@
-# linuxkit.yml from linuxkit/linuxkit 2388f483c397010d528a9a97b71224dbdb3897b5
 kernel:
   image: "linuxkit/kernel:4.9.x"
   cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
-  - linuxkit/init:b3740303f3d1e5689a84c87b7dfb48fd2a40a192
+  - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
-  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+  - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
-  - linuxkit/containerd:cf2614f5a96c569a0bd4bd54e054a65ba17d167f
+  - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
-  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
+  - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d
 onboot:
   - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+    image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
   - name: binfmt
-    image: "linuxkit/binfmt:131026c0cf6084467316395fed3b358f64bda00c"
+    image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9"
-    binds:
-     - /proc/sys/fs/binfmt_misc:/binfmt_misc
-    readonly: true
   - name: dhcpcd
-    image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8"
+    image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e"
-    binds:
-     - /var:/var
-     - /tmp/etc:/etc
-    capabilities:
-     - CAP_NET_ADMIN
-     - CAP_NET_BIND_SERVICE
-     - CAP_NET_RAW
-    net: host
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: rngd
-    image: "linuxkit/rngd:61a07ced77a9747708223ca16a4aec621eacf518"
+    image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14"
-    capabilities:
-     - CAP_SYS_ADMIN
-    oomScoreAdj: -800
-    readonly: true
   - name: nginx
     image: "nginx:alpine"
     capabilities:
@@ -52,7 +30,7 @@ files:
   - path: etc/docker/daemon.json
     contents: '{"debug": true}'
 trust:
+  org:
+    - linuxkit
   image:
-    - linuxkit/kernel
+    - nginx:alpine
-    - linuxkit/binfmt
-    - linuxkit/rngd