when filling cache, ensure we include attestations

Signed-off-by: Avi Deitcher <avi@deitcher.net>
Avi Deitcher 2023-11-30 14:31:17 +02:00
parent 87bbbd184b
commit e1d3a09976


@ -5,12 +5,16 @@ import (
"fmt" "fmt"
"github.com/containerd/containerd/reference" "github.com/containerd/containerd/reference"
"github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/partial" "github.com/google/go-containerregistry/pkg/v1/partial"
"github.com/google/go-containerregistry/pkg/v1/validate" "github.com/google/go-containerregistry/pkg/v1/validate"
lktspec "github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec" lktspec "github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
) )
const (
unknown = "unknown"
)
// ValidateImage given a reference, validate that it is complete. If not, pull down missing // ValidateImage given a reference, validate that it is complete. If not, pull down missing
// components as necessary. It also calculates the hash of each component. // components as necessary. It also calculates the hash of each component.
func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lktspec.ImageSource, error) { func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lktspec.ImageSource, error) {
@ -49,13 +53,17 @@ func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lkts
// or because it was not available - so get it from the remote // or because it was not available - so get it from the remote
return ImageSource{}, errors.New("no such image") return ImageSource{}, errors.New("no such image")
case imageIndex != nil: case imageIndex != nil:
// check that the index has a manifest for our arch // check that the index has a manifest for our arch, as well as any non-arch-specific ones
im, err := imageIndex.IndexManifest() im, err := imageIndex.IndexManifest()
if err != nil { if err != nil {
return ImageSource{}, fmt.Errorf("could not get index manifest: %v", err) return ImageSource{}, fmt.Errorf("could not get index manifest: %v", err)
} }
var found bool
for _, m := range im.Manifests { for _, m := range im.Manifests {
if m.Platform != nil && m.Platform.Architecture == architecture && m.Platform.OS == linux { if m.Platform == nil {
continue
}
if m.Platform.Architecture == architecture && m.Platform.OS == linux {
img, err := imageIndex.Image(m.Digest) img, err := imageIndex.Image(m.Digest)
if err != nil { if err != nil {
return ImageSource{}, fmt.Errorf("unable to get image: %v", err) return ImageSource{}, fmt.Errorf("unable to get image: %v", err)
@ -63,6 +71,18 @@ func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lkts
if err := validate.Image(img); err != nil { if err := validate.Image(img); err != nil {
return ImageSource{}, fmt.Errorf("invalid image: %s", err) return ImageSource{}, fmt.Errorf("invalid image: %s", err)
} }
found = true
}
if m.Platform.Architecture == unknown && m.Platform.OS == unknown {
img, err := imageIndex.Image(m.Digest)
if err != nil {
return ImageSource{}, fmt.Errorf("unable to get image: %v", err)
}
if err := validate.Image(img); err != nil {
return ImageSource{}, fmt.Errorf("invalid image: %s", err)
}
}
if found {
return p.NewSource( return p.NewSource(
ref, ref,
architecture, architecture,
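Review bot: The `if found {` check sits inside the `for _, m := range im.Manifests` loop as far as this hunk shows, so the function returns in the same iteration that matches the requested architecture, and any `unknown`/`unknown` entry listed after that manifest in the index never reaches `validate.Image`. Build tools often append attestation manifests after the platform images, so the cache could be reported complete while attestation blobs are missing or corrupt. Consider closing the loop first and testing `found` afterwards, i.e. move `if found {` and its `return p.NewSource(` below the loop's closing brace. The new branch also validates every `unknown`/`unknown` entry, including ones that may describe other architectures; if that is intended, a comment such as `// attestations carry platform unknown/unknown; validate all of them` would make it explicit. The rest of ValidateImage lies outside the hunk.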