trust: check local image cache to not pull every time

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>

cmd/moby/build.go

@@ -221,13 +221,6 @@ func buildInternal(m Moby, pull bool) []byte {
 	w := new(bytes.Buffer)
 	iw := tar.NewWriter(w)
 
-	if pull || enforceContentTrust(m.Kernel.Image, &m.Trust) {
-		log.Infof("Pull kernel image: %s", m.Kernel.Image)
-		err := dockerPull(m.Kernel.Image, enforceContentTrust(m.Kernel.Image, &m.Trust))
-		if err != nil {
-			log.Fatalf("Could not pull image %s: %v", m.Kernel.Image, err)
-		}
-	}
 	if m.Kernel.Image != "" {
 		// get kernel and initrd tarball from container
 		log.Infof("Extract kernel image: %s", m.Kernel.Image)

cmd/moby/docker.go

@@ -16,6 +16,7 @@ import (
 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
 	"golang.org/x/net/context"
 )
@@ -118,7 +119,7 @@ func dockerRm(container string) error {
 	return nil
 }
 
-func dockerPull(image string, trustedPull bool) error {
+func dockerPull(image string, forcePull, trustedPull bool) error {
 	log.Debugf("docker pull: %s", image)
 	cli, err := dockerClient()
 	if err != nil {
@@ -140,9 +141,18 @@ func dockerPull(image string, trustedPull bool) error {
 			}
 		}(trustedImg.String(), image)
 
+		log.Debugf("successfully verified trusted reference %s from notary", trustedImg.String())
 		image = trustedImg.String()
+
+		imageSearchArg := filters.NewArgs()
+		imageSearchArg.Add("reference", trustedImg.String())
+		if _, err := cli.ImageList(context.Background(), types.ImageListOptions{Filters: imageSearchArg}); err == nil && !forcePull {
+			log.Debugf("docker pull: trusted image %s already cached...Done", trustedImg.String())
+			return nil
+		}
 	}
 
+	log.Infof("Pull image: %s", image)
 	r, err := cli.ImagePull(context.Background(), image, types.ImagePullOptions{})
 	if err != nil {
 		return err
@@ -171,7 +181,7 @@ func dockerInspectImage(cli *client.Client, image string) (types.ImageInspect, e
 	inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image)
 	if err != nil {
 		if client.IsErrImageNotFound(err) {
-			pullErr := dockerPull(image, false)
+			pullErr := dockerPull(image, true, false)
 			if pullErr != nil {
 				return types.ImageInspect{}, pullErr
 			}

cmd/moby/image.go

@@ -94,8 +94,7 @@ func imageTar(image, prefix string, tw *tar.Writer, trust bool, pull bool) error
 	}
 
 	if pull || trust {
-		log.Infof("Pull image: %s", image)
+		err := dockerPull(image, pull, trust)
-		err := dockerPull(image, trust)
 		if err != nil {
 			return fmt.Errorf("Could not pull image %s: %v", image, err)
 		}
@@ -104,8 +103,7 @@ func imageTar(image, prefix string, tw *tar.Writer, trust bool, pull bool) error
 	if err != nil {
 		// if the image wasn't found, pull it down.  Bail on other errors.
 		if strings.Contains(err.Error(), "No such image") {
-			log.Infof("Pull image: %s", image)
+			err := dockerPull(image, true, trust)
-			err := dockerPull(image, trust)
 			if err != nil {
 				return fmt.Errorf("Could not pull image %s: %v", image, err)
 			}

cmd/moby/trust.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	log "github.com/Sirupsen/logrus"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/client/auth"
 	"github.com/docker/distribution/registry/client/auth/challenge"
@@ -59,7 +60,8 @@ func TrustedReference(image string) (reference.Reference, error) {
 
 	rt, err := GetReadOnlyAuthTransport(server, []string{gun}, "", "", "")
 	if err != nil {
-		return nil, err
+		log.Debugf("failed to reach %s notary server for repo: %s, falling back to cache: %v", server, gun, err)
+		rt = nil
 	}
 
 	nRepo, err := notaryClient.NewNotaryRepository(