diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index 390d69554..5524fd55d 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -123,7 +123,7 @@ func buildInternal(name string, pull bool, config []byte) {
 kernelAltName = "bzImage"
 ktarName = "kernel.tar"
 )
- out, err := ImageExtract(m.Kernel.Image, "")
+ out, err := ImageExtract(m.Kernel.Image, "", enforceContentTrust(m.Kernel.Image, &m.Trust), pull)
 if err != nil {
 log.Fatalf("Failed to extract kernel image and tarball: %v", err)
 }
@@ -138,15 +138,8 @@ func buildInternal(name string, pull bool, config []byte) {
 // convert init images to tarballs
 log.Infof("Add init containers:")
 for _, ii := range m.Init {
- if pull || enforceContentTrust(ii, &m.Trust) {
- log.Infof("Pull init image: %s", ii)
- err := dockerPull(ii, enforceContentTrust(ii, &m.Trust))
- if err != nil {
- log.Fatalf("Could not pull image %s: %v", ii, err)
- }
- }
 log.Infof("Process init image: %s", ii)
- init, err := ImageExtract(ii, "")
+ init, err := ImageExtract(ii, "", enforceContentTrust(ii, &m.Trust), pull)
 if err != nil {
 log.Fatalf("Failed to build init tarball from %s: %v", ii, err)
 }
@@ -156,13 +149,6 @@ func buildInternal(name string, pull bool, config []byte) {
 log.Infof("Add onboot containers:")
 for i, image := range m.Onboot {
- if pull || enforceContentTrust(image.Image, &m.Trust) {
- log.Infof(" Pull: %s", image.Image)
- err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
- if err != nil {
- log.Fatalf("Could not pull image %s: %v", image.Image, err)
- }
- }
 log.Infof(" Create OCI config for %s", image.Image)
 config, err := ConfigToOCI(&image)
 if err != nil {
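Review bot: The content-trust decision reaches `ImageExtract` in the `@@ -123,7 +123,7 @@` hunk as an unnamed positional bool, `enforceContentTrust(m.Kernel.Image, &m.Trust), pull`, and the same pair is repeated at the init, onboot and services call sites. Two adjacent bool arguments can be swapped or hard-coded without a compile error, and a mistake here would silently skip the trusted pull. Naming the value at the call site makes the intent reviewable: `trust := enforceContentTrust(m.Kernel.Image, &m.Trust)` followed by `out, err := ImageExtract(m.Kernel.Image, "", trust, pull)`. buildInternal starts and ends outside the hunk.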
@@ -170,7 +156,7 @@ func buildInternal(name string, pull bool, config []byte) {
 }
 so := fmt.Sprintf("%03d", i)
 path := "containers/onboot/" + so + "-" + image.Name
- out, err := ImageBundle(path, image.Image, config)
+ out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
 if err != nil {
 log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 }
@@ -180,20 +166,13 @@ func buildInternal(name string, pull bool, config []byte) {
 log.Infof("Add service containers:")
 for _, image := range m.Services {
- if pull || enforceContentTrust(image.Image, &m.Trust) {
- log.Infof(" Pull: %s", image.Image)
- err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
- if err != nil {
- log.Fatalf("Could not pull image %s: %v", image.Image, err)
- }
- }
 log.Infof(" Create OCI config for %s", image.Image)
 config, err := ConfigToOCI(&image)
 if err != nil {
 log.Fatalf("Failed to create config.json for %s: %v", image.Image, err)
 }
 path := "containers/services/" + image.Name
- out, err := ImageBundle(path, image.Image, config)
+ out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
 if err != nil {
 log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 }
diff --git a/cmd/moby/image.go b/cmd/moby/image.go
index 5c132f6ac..0b4bf4c2a 100644
--- a/cmd/moby/image.go
+++ b/cmd/moby/image.go
@@ -40,7 +40,7 @@ nameserver 2001:4860:4860::8844
 }
 // ImageExtract extracts the filesystem from an image and returns a tarball with the files prefixed by the given path
-func ImageExtract(image, prefix string) ([]byte, error) {
+func ImageExtract(image, prefix string, trust bool, pull bool) ([]byte, error) {
 log.Debugf("image extract: %s %s", image, prefix)
 out := new(bytes.Buffer)
 tw := tar.NewWriter(out)
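Review bot: The doc comment above `ImageExtract` still describes only the image and the prefix, while the new signature adds `trust` and `pull`, which the imageTar hunk uses to decide whether the image is pulled and how. I would extend it to `// ImageExtract extracts the filesystem from an image and returns a tarball with the files prefixed by the given path. The image is pulled first if pull or trust is set; trust is forwarded to dockerPull.` The comment on `ImageBundle` in the `@@ -161,7 +178,7 @@` hunk needs the same addition. ImageExtract's body continues outside the hunk.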
@@ -48,7 +48,7 @@ func ImageExtract(image, prefix string) ([]byte, error) {
 if err != nil {
 return []byte{}, err
 }
- err = imageTar(image, prefix, tw)
+ err = imageTar(image, prefix, tw, trust, pull)
 if err != nil {
 return []byte{}, err
 }
@@ -87,14 +87,31 @@ func tarPrefix(path string, tw *tar.Writer) error {
 return nil
 }
-func imageTar(image, prefix string, tw *tar.Writer) error {
+func imageTar(image, prefix string, tw *tar.Writer, trust bool, pull bool) error {
 log.Debugf("image tar: %s %s", image, prefix)
 if prefix != "" && prefix[len(prefix)-1] != byte('/') {
 return fmt.Errorf("prefix does not end with /: %s", prefix)
 }
+
+ if pull || trust {
+ log.Infof("Pull image: %s", image)
+ err := dockerPull(image, trust)
+ if err != nil {
+ return fmt.Errorf("Could not pull image %s: %v", image, err)
+ }
+ }
 container, err := dockerCreate(image)
 if err != nil {
- return fmt.Errorf("Failed to docker create image %s: %v", image, err)
+ // most likely we need to pull the image if this failed
+ log.Infof("Pull image: %s", image)
+ err := dockerPull(image, trust)
+ if err != nil {
+ return fmt.Errorf("Could not pull image %s: %v", image, err)
+ }
+ container, err = dockerCreate(image)
+ if err != nil {
+ return fmt.Errorf("Failed to docker create image %s: %v", image, err)
+ }
 }
 contents, err := dockerExport(container)
 if err != nil {
@@ -161,7 +178,7 @@ func imageTar(image, prefix string, tw *tar.Writer) error {
 }
 // ImageBundle produces an OCI bundle at the given path in a tarball, given an image and a config.json
-func ImageBundle(path string, image string, config []byte) ([]byte, error) {
+func ImageBundle(path string, image string, config []byte, trust bool, pull bool) ([]byte, error) {
 log.Debugf("image bundle: %s %s cfg: %s", path, image, string(config))
 out := new(bytes.Buffer)
 tw := tar.NewWriter(out)
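Review bot: The retry added after `container, err := dockerCreate(image)` in the `@@ -87,14 +87,31 @@` hunk treats every create failure as a missing image, so when `pull || trust` has already pulled it the image is pulled a second time and the original create error is never reported. Returning early in that case keeps the fallback for the situation it is meant for: `if pull || trust { return fmt.Errorf("Failed to docker create image %s: %v", image, err) }` at the top of the `if err != nil` block. The inner `err := dockerPull(image, trust)` also shadows the outer `err`, which is harmless only because `contents, err := dockerExport(container)` overwrites it afterwards; a differently named variable would be safer. With `trust` set the pull is checked but `dockerCreate(image)` still resolves the image by name; neither helper is shown here, so it is worth confirming that the verified image is the one that gets created. imageTar's body continues outside the hunk.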
@@ -183,7 +200,7 @@ func ImageBundle(path string, image string, config []byte) ([]byte, error) {
 if err != nil {
 return []byte{}, err
 }
- err = imageTar(image, path+"/rootfs/", tw)
+ err = imageTar(image, path+"/rootfs/", tw, trust, pull)
 if err != nil {
 return []byte{}, err
 }