Support to download remote OCI layers (with TLS) #351
Conversation
tscolari
force-pushed
the
tls-layer-downloads
branch
from
8a00b54 to
fc6165a
Compare
|
So that test broke because of the use of go < 1.8 on the tests (where the That's a bit misleading because the tests output says but that doesn't seem to be the case. We tried to reproduce the error with different versions of go and could only reproduce it with 1.7 and bellow. (1.9 and 1.8 was all green) |
tscolari
force-pushed
the
tls-layer-downloads
branch
from
fc6165a to
790798d
Compare
|
The PR #352 should update the version of go in the docker image |
|
Thanks. I will take a detailed look later (hopefully tomorrow), this seem reasonable at a first glance. (Note to self: Previous discussion in #147 ). |
| @@ -0,0 +1,13 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
There was a problem hiding this comment.
Nit: Please use fixtures for the name of the subdirectory containing test fixtures, to be consistent with the other subpackages.
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
ACK overall, just various minor things.
Should ociImageDestination.AcceptsForeignLayerURLs now return true? It’s, strictly speaking, orthogonal.
docker/docker_image_src.go
Outdated
| } | ||
|
|
||
| // TODO? Fix bug here: looping over urls continues even after successful request... | ||
| // this is slow, and also leaks response bodies which don't get closed. |
There was a problem hiding this comment.
Good catch; please file a GitHub issue instead. Using the source code as a bug tracker does not really work.
| @@ -0,0 +1 @@ | |||
| {"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:84afb6189c4d69f2d040c5f1dc4e0a16fed9b539ce9cfb4ac2526ae4e0576cc0","size":496,"annotations":{"org.opencontainers.image.ref.name":"v0.1.1"},"platform":{"architecture":"amd64","os":"linux"}}]} No newline at end of file | |||
There was a problem hiding this comment.
Move this to fixtures as well, please.
oci/layout/oci_src.go
Outdated
| client := &http.Client{} | ||
| if ctx != nil { | ||
| tr := tlsclientconfig.NewTransport() | ||
| tr.TLSClientConfig = tlsconfig.ServerDefault() |
There was a problem hiding this comment.
ctx == nil is defined to be equal to ctx == &types.SystemContext{}, but this code treats them differently.
The ServerDefault should probably be always used.
oci/layout/oci_src.go
Outdated
| tr := tlsclientconfig.NewTransport() | ||
| tr.TLSClientConfig = tlsconfig.ServerDefault() | ||
| if ctx.OCICertPath != "" { | ||
| tlsclientconfig.SetupCertificates(ctx.OCICertPath, tr.TLSClientConfig) |
There was a problem hiding this comment.
This needs error handling.
oci/layout/oci_src.go
Outdated
| func (s *ociImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, error) { | ||
| var ( | ||
| resp *http.Response | ||
| err error |
There was a problem hiding this comment.
resp does not need to be pre-declared.
err might be better initialized to errors.New("Internal error: getExternalBlob called with no URLs") or something like that, to be defensive and strictly correct.
(Both non-blocking.)
oci/layout/oci_src_test.go
Outdated
| ClientCAs: clientCertPool, | ||
| } | ||
|
|
||
| tlsConfig.BuildNameToCertificate() |
There was a problem hiding this comment.
This seems to read tlsConfig.Certificates, which is empty at this point?!
oci/layout/oci_src_test.go
Outdated
| http.HandleFunc("/", remoteLayerContent) | ||
|
|
||
| httpServer := &http.Server{ | ||
| Addr: ":12000", |
There was a problem hiding this comment.
Nothing guarantees that the port is available. Could this use :0 to automatically choose an available one?
(There is also net/http/httptest; would it simplify things?)
There was a problem hiding this comment.
Yeah, I think so, I'm going to give it a try here ^^
oci/layout/oci_src_test.go
Outdated
| layerInfo := types.BlobInfo{ | ||
| URLs: []string{ | ||
| "brokenurl", | ||
| "https://example.com", |
There was a problem hiding this comment.
This is not really blocking, but it would be nice for an unit test not to depend on an external service like this.
Could this use something like https://golang.org/src/net/http/httptest/example_test.go:ExampleServer?
|
|
||
| func TestGetBlobForRemoteLayers(t *testing.T) { | ||
| imageSource := createImageSource(t, &types.SystemContext{}) | ||
| layerInfo := types.BlobInfo{ |
There was a problem hiding this comment.
(Non-blocking: Strictly speaking, the Digest field is mandatory and Size should be -1 if unknown. OTOH I realize that computing the digests would be fairly pointless pain.)
oci/layout/oci_src_test.go
Outdated
| func createImageSource(t *testing.T, context *types.SystemContext) types.ImageSource { | ||
| imageSource, err := newImageSource(context, ociReference{ | ||
| dir: "assets/manifest", | ||
| }) |
There was a problem hiding this comment.
(Non-blocking: Calling NewReference like a public user would make it obvious that there’s nothing special about constructing this reference.)
There was a problem hiding this comment.
So on this one it seems that go doesn't allow the NewReference return (type.ImageReference) to be used as an ociReference.
cannot use imageRef (type types.ImageReference) as type ociReference in argument to newImageSource: need type assertion
casting seems to work
There was a problem hiding this comment.
The public ociReference.NewImageSource can be called instead.
tscolari
force-pushed
the
tls-layer-downloads
branch
2 times, most recently
from
c4d3ace to
c0f8e4b
Compare
oci/layout/oci_src_test.go
Outdated
| hash.Write([]byte("Hello world")) | ||
| imageSource := createImageSource(t, &types.SystemContext{}) | ||
| layerInfo := types.BlobInfo{ | ||
| Digest: digest.NewDigest("sha256", hash), |
There was a problem hiding this comment.
(FWIW this could be digest.FromBytes([]byte(…)). This is fine as well.)
tscolari
force-pushed
the
tls-layer-downloads
branch
2 times, most recently
from
3b01125 to
4849f5e
Compare
|
@mtrmac PTAL |
* Support for custom certs and keys when downloading OCI layers Signed-off-by: Will Martin <[email protected]>
tscolari
force-pushed
the
tls-layer-downloads
branch
from
4849f5e to
1ed776f
Compare
|
👍 |
|
LGTM |
Part of the fixes from containers#351 got undone Signed-off-by: umohnani8 <[email protected]>
5 participants
This is a follow up of #348, which added the
URLproperty to the BlobInfo descriptor.This will allow
GetBlobto fetch external blobs when the "urls" property is present. The download is performed by an HTTP client that has itsTransportconfigured depending on the newly introducedSytemContext.OCICertPathandSystemContext.OCIInsecureSkipTLSVerifyproperties.BlobInfo.URLsis an array and therefore the implementation would iterate over the URLs until HTTP OK response is returned.When the
SytemContext.OCICertPathis specified the implementation would look for CA, private key and public key certificates the same way the Docker client does. As a matter of fact they both use one and the same certificate handling implementation that is extracted in the newly introducedtlsclientconfigpackage.(this is part of a CloudFoundry/Grootfs story to support OCI images based buildpacks in the future)