Implement a lookaside storage for signatures of images in Docker registries #52
Conversation
(Tests failing due to API changes, corresponding update is containers/skopeo#170.)
Force-pushed from 37723f2 to 273d3c8.
Rebased, has no dependencies now.
Force-pushed from bc25077 to 3032b0c.
Note that this calls (Should the default be to use the environment or to ignore it? I am leaning towards “use” but not sure.)
Force-pushed from f10b136 to cf2789d.
Force-pushed from ec19c57 to 0d027ce.
OK, updated with the configuration per projectatomic/atomic#594, now includes documentation and high unit test coverage for @runcom PTAL sometime (not urgent enough to be done over the weekend).
should this also be with
docker/docker_client.go
Outdated
| var registry string | ||
| if refHostname == dockerHostname { | ||
| // forWriting specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection) | ||
| func newDockerClient(ctx *types.SystemContext, ref dockerReference, forWriting bool) (*dockerClient, error) { |
can we name this just `write bool` and document that it'll be used for writing? This is not in the Go idioms where variables, arguments and such are just small names. Maybe `mode` or `mask` and have other values to maybe be future proof?
> can we name this just `write bool` and document that it'll be used for writing?
I can’t see that having a short name + “for writing” documentation is any shorter or easier to understand than a self-documenting `forWriting`, but, sure, changed.
> Maybe `mode` or `mask` and have other values to maybe be future proof?
I don’t want to get all Design Patterns on this; the underlying configuration file syntax is not future proof that way, and that is the ABI commitment; even if we turned `mode` into an interface we wouldn’t know what to do with it in `registryNamespace.signatureTopLevel`. The parameter is an internal implementation detail which we can generalize at any time if needed.
> I don’t want to get all Design Patterns on this; the underlying configuration file syntax is not future proof that way, and that is the ABI commitment; even if we turned `mode` into an interface we wouldn’t know what to do with it in `registryNamespace.signatureTopLevel`. The parameter is an internal implementation detail which we can generalize at any time if needed.
yeah I pushed too much there :)
docker/docker_image_dest.go
Outdated
| return false, err | ||
| } | ||
| defer res.Body.Close() | ||
| if res.StatusCode == http.StatusNotFound { |
question, is there an API to follow when implementing a remove sigstore? sorry if I missed it but I was just wondering this
forget this one...
Actually, thanks for pointing this out. Without authentication this is basically pointless; we kind of are defining an API here, but we don’t really want to—e.g. if we decided to later implement WebDAV or something, having the attempt at an implementation above could lead to somebody implementing such a server.
Because we are not truly serious about the above code as an API, let’s just drop it for now.
LGTM This is awesome @mtrmac , I'd like to know more about the API a remote sigstore should implement though.
Forget about the lookaside API doc, I just checked the emails :)
No; when add a lookaside for
| return nil, err | ||
| } | ||
| for _, configName := range configNames { | ||
| configPath := filepath.Join(dirPath, configName) |
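Review bot: the loop at `for _, configName := range configNames {` processes every entry of dirPath, so a README, an editor backup or a subdirectory would be handed to the YAML loader as a configuration file; filter on a `.yaml` suffix (and skip directories) before building `configPath := filepath.Join(dirPath, configName)`.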
Forgot a .yaml suffix check here, will add it.
Force-pushed from 0d027ce to c286c99.
Updated:
@runcom Do you want to take another look?
LGTM
Force-pushed from c286c99 to 89a28a6.
Allows configuring "sigstore" (for RW) and "sigstore-write" (write-only) for images/repositories/namespaces/registries in /etc/containers/repositories.d/*.yaml . If configured, uses them to store signatures in the docker: transport. Also includes documentation in docs/registries.d.md.
Signed-off-by: Miloslav Trmač <[email protected]>
Force-pushed from 89a28a6 to aaedc64.
There have been redundant calls here since two ref.ref.Hostname() calls were added in aaedc64 (Implement lookaside storage for signatures for Docker registries, 2016-08-11, containers#52). At that point the two calls were separated by a dockerHostname check which could have been shifted by two lines to avoid the doubled function calls. But in f28367e (Add docker/config package to containers/image/pkg, 2017-08-29, containers#333) the dockerHostname check moved to a separate function entirely (newDockerClientWithDetails) while the Domain() calls remained together in newDockerClientFromRef. So now there is no longer any reason for the second call, and this commit drops it.
Signed-off-by: W. Trevor King <[email protected]>
Allows configuring `sigstore` (for RW) and `sigstore-write` (write-only) for images/repositories/namespaces/registries in `atomic.conf`. If configured, uses them to store signatures in the `docker:` transport.

This works fine for `file://` sigstore URLs, for read-only `http://` and `https://` sigstore URLs, and is at best a skeleton for writing to `http://`/`https://` (no authentication, to start). So, with this, pushing signatures to remote Docker registries is still not reasonably possible, but at least you can push to a `file://` pointing to a webroot of a sigstore served to the public over HTTP. (Or you can configure `sigstore` to point to HTTP to pull from the same sources as your users, and `sigstore-write` to the webroot.) Does not deal with any kind of discovery, the lookaside needs to be manually configured in advance.

This pulls in #49 for `types.SystemContext` and significantly extends it, adding a generic `RootForImplicitAbsolutePaths` and adding a `SystemContext` parameter to `types.NewImage{,Source,Destination}` as tentatively discussed in #41 . (Also note that we now implicitly use the `ATOMIC_CONF` environment variable, for compatibility with `projectatomic/atomic`). I will rebase as necessary.

Parsing `atomic.conf` here in generic is admittedly fairly ugly, but perhaps still better than defining an interface for this and requiring `skopeo` to implement that… More details are in commit messages.
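The read/write split between `sigstore` and `sigstore-write` described in this PR, plus the `.yaml` suffix filter the review asked for, as an added Go example that is not the PR's own code. The type and function names (`namespaceConfig`, `signatureTopLevel`, `yamlConfigFiles`), the rule that a write prefers `sigstore-write` and falls back to `sigstore`, and the restriction of writes to `file://` (the HTTP write path was dropped in review) are assumptions modelled on the thread, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// namespaceConfig holds the two keys this PR adds for a registries.d namespace:
// "sigstore" (read and write) and "sigstore-write" (write-only).
type namespaceConfig struct {
	Sigstore      string // base URL for reading, and for writing if no write-only URL is set
	SigstoreWrite string // optional base URL used only for writing
}

// signatureTopLevel picks the lookaside base URL for a read or a write.
// Assumptions (not stated in the thread): a write prefers sigstore-write and
// falls back to sigstore, and only file:// targets are writable because the
// unauthenticated HTTP write path was dropped during review.
func signatureTopLevel(ns namespaceConfig, write bool) (string, error) {
	base := ns.Sigstore
	if write && ns.SigstoreWrite != "" {
		base = ns.SigstoreWrite
	}
	if base == "" {
		return "", errors.New("no sigstore configured for this namespace")
	}
	if write {
		u, err := url.Parse(base)
		if err != nil {
			return "", err
		}
		if u.Scheme != "file" {
			return "", fmt.Errorf("writing signatures to a %s:// sigstore is not supported", u.Scheme)
		}
	}
	return base, nil
}

// yamlConfigFiles keeps only the *.yaml entries of a registries.d directory
// listing, the suffix check the review found missing. names is a constructed
// listing, so the function runs without touching the filesystem.
func yamlConfigFiles(dirPath string, names []string) []string {
	var out []string
	for _, n := range names {
		if strings.HasSuffix(n, ".yaml") {
			out = append(out, filepath.Join(dirPath, n))
		}
	}
	return out
}
```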