*: implement additional pull registries

runcom · runcom · commit b32e73ac17a1 · 2017-07-20T13:05:58.000+02:00
Signed-off-by: Antonio Murdaca &lt;runcom@redhat.com&gt;
diff --git a/cmd/crio/config.go b/cmd/crio/config.go
@@ -131,6 +131,10 @@ image_volumes = "{{ .ImageVolumes }}"
 insecure_registries = [
 {{ range $opt := .InsecureRegistries }}{{ printf "\t%q,\n" $opt }}{{ end }}]
 
+# additional_registries TODO(runcom)
+additional_registries = [
+{{ range $opt := .AdditionalRegistries }}{{ printf "\t%q,\n" $opt }}{{ end }}]
+
 # The "crio.network" table contains settings pertaining to the
 # management of CNI plugins.
 [crio.network]
diff --git a/cmd/crio/main.go b/cmd/crio/main.go
@@ -77,6 +77,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("insecure-registry") {
 		config.InsecureRegistries = ctx.GlobalStringSlice("insecure-registry")
 	}
+	if ctx.GlobalIsSet("additional-registry") {
+		config.AdditionalRegistries = ctx.GlobalStringSlice("additional-registry")
+	}
 	if ctx.GlobalIsSet("default-transport") {
 		config.DefaultTransport = ctx.GlobalString("default-transport")
 	}
@@ -219,6 +222,10 @@ func main() {
 			Name:  "insecure-registry",
 			Usage: "whether to disable TLS verification for the given registry",
 		},
+		cli.StringSliceFlag{
+			Name:  "additional-registry",
+			Usage: "TODO(runcom)",
+		},
 		cli.StringFlag{
 			Name:  "default-transport",
 			Usage: "default transport",
diff --git a/pkg/storage/image.go b/pkg/storage/image.go
@@ -2,6 +2,8 @@ package storage
 
 import (
 	"net"
+	"path/filepath"
+	"strings"
 
 	"github.com/containers/image/copy"
 	"github.com/containers/image/docker/reference"
@@ -31,6 +33,7 @@ type imageService struct {
 	defaultTransport      string
 	insecureRegistryCIDRs []*net.IPNet
 	indexConfigs          map[string]*indexInfo
+	registries            []string
 }
 
 // ImageServer wraps up various CRI-related activities into a reusable
@@ -50,6 +53,8 @@ type ImageServer interface {
 	GetStore() storage.Store
 	// CanPull preliminary checks whether we're allowed to pull an image
 	CanPull(imageName string, options *copy.Options) (bool, error)
+	// TODO(runcom)
+	ResolveNames(imageName string) []string
 }
 
 func (svc *imageService) ListImages(filter string) ([]ImageResult, error) {
@@ -272,11 +277,49 @@ func (svc *imageService) isSecureIndex(indexName string) bool {
 	return true
 }
 
+func isValidHostname(hostname string) bool {
+	return hostname != "" && !strings.Contains(hostname, "/") &&
+		(strings.Contains(hostname, ".") ||
+			strings.Contains(hostname, ":") || hostname == "localhost")
+}
+
+func (svc *imageService) ResolveNames(imageName string) []string {
+
+	// TODO(runcom): if it's docker.io, use ParseNormalizedNamed to get a
+	// correct docker.io FQ image name!!!!
+
+	domain, rest := splitDomain(imageName)
+	if len(domain) != 0 && isValidHostname(domain) {
+		// this means the image is already fully qualified
+		return []string{imageName}
+	}
+	// this means we got an image in the form of "busybox"
+	// we need to use additional registries...
+	// normalize the unqualified image to be domain/repo/image...
+	images := []string{}
+	for _, r := range svc.registries {
+		// TODO(runcom): use a CONST
+		if r == "docker.io" {
+			// no additional registries configured, docker is meant
+			// containers/image will take care of this
+			images = append(images, imageName)
+			continue
+		}
+		path := rest
+		if !isValidHostname(domain) {
+			// This is the case where we have an image like "runcom/busybox"
+			path = imageName
+		}
+		images = append(images, filepath.Join(r, path))
+	}
+	return images
+}
+
 // GetImageService returns an ImageServer that uses the passed-in store, and
 // which will prepend the passed-in defaultTransport value to an image name if
 // a name that's passed to its PullImage() method can't be resolved to an image
 // in the store and can't be resolved to a source on its own.
-func GetImageService(store storage.Store, defaultTransport string, insecureRegistries []string) (ImageServer, error) {
+func GetImageService(store storage.Store, defaultTransport string, insecureRegistries []string, additionalRegistries []string) (ImageServer, error) {
 	if store == nil {
 		var err error
 		store, err = storage.GetStore(storage.DefaultStoreOptions)
@@ -285,11 +328,19 @@ func GetImageService(store storage.Store, defaultTransport string, insecureRegis
 		}
 	}
 
+	if len(additionalRegistries) == 0 {
+		// TODO(runcom): make docker.io a CONST
+		additionalRegistries = []string{"docker.io"}
+	} else {
+		additionalRegistries = append(additionalRegistries, "docker.io")
+	}
+
 	is := &imageService{
 		store:                 store,
 		defaultTransport:      defaultTransport,
 		indexConfigs:          make(map[string]*indexInfo, 0),
 		insecureRegistryCIDRs: make([]*net.IPNet, 0),
+		registries:            additionalRegistries,
 	}
 
 	insecureRegistries = append(insecureRegistries, "127.0.0.0/8")
diff --git a/pkg/storage/image_regexp.go b/pkg/storage/image_regexp.go
@@ -0,0 +1,123 @@
+package storage
+
+// TODO(runcom): explain why we need this here!!!
+
+import "regexp"
+
+var (
+	// alphaNumericRegexp defines the alpha numeric atom, typically a
+	// component of names. This only allows lower case characters and digits.
+	alphaNumericRegexp = match(`[a-z0-9]+`)
+
+	// separatorRegexp defines the separators allowed to be embedded in name
+	// components. This allow one period, one or two underscore and multiple
+	// dashes.
+	separatorRegexp = match(`(?:[._]|__|[-]*)`)
+
+	// nameComponentRegexp restricts registry path component names to start
+	// with at least one letter or number, with following parts able to be
+	// separated by one period, one or two underscore and multiple dashes.
+	nameComponentRegexp = expression(
+		alphaNumericRegexp,
+		optional(repeated(separatorRegexp, alphaNumericRegexp)))
+
+	// domainComponentRegexp restricts the registry domain component of a
+	// repository name to start with a component as defined by domainRegexp
+	// and followed by an optional port.
+	domainComponentRegexp = match(`(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])`)
+
+	// domainRegexp defines the structure of potential domain components
+	// that may be part of image names. This is purposely a subset of what is
+	// allowed by DNS to ensure backwards compatibility with Docker image
+	// names.
+	domainRegexp = expression(
+		domainComponentRegexp,
+		optional(repeated(literal(`.`), domainComponentRegexp)),
+		optional(literal(`:`), match(`[0-9]+`)))
+
+	// NameRegexp is the format for the name component of references. The
+	// regexp has capturing groups for the domain and name part omitting
+	// the separating forward slash from either.
+	NameRegexp = expression(
+		optional(domainRegexp, literal(`/`)),
+		nameComponentRegexp,
+		optional(repeated(literal(`/`), nameComponentRegexp)))
+
+	// anchoredNameRegexp is used to parse a name value, capturing the
+	// domain and trailing components.
+	anchoredNameRegexp = anchored(
+		optional(capture(domainRegexp), literal(`/`)),
+		capture(nameComponentRegexp,
+			optional(repeated(literal(`/`), nameComponentRegexp))))
+
+	// IdentifierRegexp is the format for string identifier used as a
+	// content addressable identifier using sha256. These identifiers
+	// are like digests without the algorithm, since sha256 is used.
+	IdentifierRegexp = match(`([a-f0-9]{64})`)
+
+	// ShortIdentifierRegexp is the format used to represent a prefix
+	// of an identifier. A prefix may be used to match a sha256 identifier
+	// within a list of trusted identifiers.
+	ShortIdentifierRegexp = match(`([a-f0-9]{6,64})`)
+)
+
+// match compiles the string to a regular expression.
+var match = regexp.MustCompile
+
+// literal compiles s into a literal regular expression, escaping any regexp
+// reserved characters.
+func literal(s string) *regexp.Regexp {
+	re := match(regexp.QuoteMeta(s))
+
+	if _, complete := re.LiteralPrefix(); !complete {
+		panic("must be a literal")
+	}
+
+	return re
+}
+
+func splitDomain(name string) (string, string) {
+	match := anchoredNameRegexp.FindStringSubmatch(name)
+	if len(match) != 3 {
+		return "", name
+	}
+	return match[1], match[2]
+}
+
+// expression defines a full expression, where each regular expression must
+// follow the previous.
+func expression(res ...*regexp.Regexp) *regexp.Regexp {
+	var s string
+	for _, re := range res {
+		s += re.String()
+	}
+
+	return match(s)
+}
+
+// optional wraps the expression in a non-capturing group and makes the
+// production optional.
+func optional(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(group(expression(res...)).String() + `?`)
+}
+
+// repeated wraps the regexp in a non-capturing group to get one or more
+// matches.
+func repeated(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(group(expression(res...)).String() + `+`)
+}
+
+// group wraps the regexp in a non-capturing group.
+func group(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`(?:` + expression(res...).String() + `)`)
+}
+
+// capture wraps the expression in a capturing group.
+func capture(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`(` + expression(res...).String() + `)`)
+}
+
+// anchored anchors the regular expression by adding start and end delimiters.
+func anchored(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`^` + expression(res...).String() + `$`)
+}
diff --git a/server/config.go b/server/config.go
@@ -169,6 +169,8 @@ type ImageConfig struct {
 	InsecureRegistries []string `toml:"insecure_registries"`
 	// ImageVolumes controls how volumes specified in image config are handled
 	ImageVolumes ImageVolumesType `toml:"image_volumes"`
+	// TODO(runcom)
+	AdditionalRegistries []string `toml:"additional_registries"`
 }
 
 // NetworkConfig represents the "crio.network" TOML config table
diff --git a/server/image_pull.go b/server/image_pull.go
@@ -14,7 +14,6 @@ import (
 // PullImage pulls a image with authentication config.
 func (s *Server) PullImage(ctx context.Context, req *pb.PullImageRequest) (*pb.PullImageResponse, error) {
 	logrus.Debugf("PullImageRequest: %+v", req)
-	// TODO(runcom?): deal with AuthConfig in req.GetAuth()
 	// TODO: what else do we need here? (Signatures when the story isn't just pulling from docker://)
 	image := ""
 	img := req.GetImage()
@@ -23,51 +22,68 @@ func (s *Server) PullImage(ctx context.Context, req *pb.PullImageRequest) (*pb.P
 	}
 
 	var (
-		username string
-		password string
+		images = s.StorageImageServer().ResolveNames(image)
+		pulled string
+		err    error
 	)
-	if req.GetAuth() != nil {
-		username = req.GetAuth().Username
-		password = req.GetAuth().Password
-		if req.GetAuth().Auth != "" {
-			var err error
-			username, password, err = decodeDockerAuth(req.GetAuth().Auth)
-			if err != nil {
-				return nil, err
+	for _, img := range images {
+		var (
+			username string
+			password string
+		)
+		if req.GetAuth() != nil {
+			username = req.GetAuth().Username
+			password = req.GetAuth().Password
+			if req.GetAuth().Auth != "" {
+				username, password, err = decodeDockerAuth(req.GetAuth().Auth)
+				if err != nil {
+					logrus.Debugf("error decoding authentication for image %s: %v", img, err)
+					continue
+				}
 			}
 		}
-	}
-	options := &copy.Options{
-		SourceCtx: &types.SystemContext{},
-	}
-	// a not empty username should be sufficient to decide whether to send auth
-	// or not I guess
-	if username != "" {
-		options.SourceCtx = &types.SystemContext{
-			DockerAuthConfig: &types.DockerAuthConfig{
-				Username: username,
-				Password: password,
-			},
+		options := &copy.Options{
+			SourceCtx: &types.SystemContext{},
+		}
+		// a not empty username should be sufficient to decide whether to send auth
+		// or not I guess
+		if username != "" {
+			options.SourceCtx = &types.SystemContext{
+				DockerAuthConfig: &types.DockerAuthConfig{
+					Username: username,
+					Password: password,
+				},
+			}
 		}
-	}
 
-	canPull, err := s.StorageImageServer().CanPull(image, options)
-	if err != nil && !canPull {
-		return nil, err
-	}
+		var canPull bool
+		canPull, err = s.StorageImageServer().CanPull(img, options)
+		if err != nil && !canPull {
+			logrus.Debugf("error checking image %s: %v", img, err)
+			continue
+		}
 
-	// let's be smart, docker doesn't repull if image already exists.
-	if _, err := s.StorageImageServer().ImageStatus(s.ImageContext(), image); err == nil {
-		return &pb.PullImageResponse{
-			ImageRef: image,
-		}, nil
-	}
+		// let's be smart, docker doesn't repull if image already exists.
+		_, err = s.StorageImageServer().ImageStatus(s.ImageContext(), img)
+		if err == nil {
+			logrus.Debugf("image %s already in store, skipping pull", img)
+			pulled = img
+			break
+		}
 
-	if _, err := s.StorageImageServer().PullImage(s.ImageContext(), image, options); err != nil {
+		_, err = s.StorageImageServer().PullImage(s.ImageContext(), img, options)
+		if err != nil {
+			logrus.Debugf("error pulling image %s: %v", img, err)
+			continue
+		}
+		pulled = img
+		break
+	}
+	if pulled == "" && err != nil {
 		return nil, err
 	}
 	resp := &pb.PullImageResponse{
-		ImageRef: image,
+		ImageRef: pulled,
 	}
 	logrus.Debugf("PullImageResponse: %+v", resp)
 	return resp, nil
diff --git a/server/image_remove.go b/server/image_remove.go
@@ -19,8 +19,21 @@ func (s *Server) RemoveImage(ctx context.Context, req *pb.RemoveImageRequest) (*
 	if image == "" {
 		return nil, fmt.Errorf("no image specified")
 	}
-	err := s.StorageImageServer().RemoveImage(s.ImageContext(), image)
-	if err != nil {
+	var (
+		images  = s.StorageImageServer().ResolveNames(image)
+		err     error
+		deleted bool
+	)
+	for _, img := range images {
+		err = s.StorageImageServer().RemoveImage(s.ImageContext(), img)
+		if err != nil {
+			logrus.Debugf("error deleting image %s: %v", img, err)
+			continue
+		}
+		deleted = true
+		break
+	}
+	if !deleted && err != nil {
 		return nil, err
 	}
 	resp := &pb.RemoveImageResponse{}
diff --git a/server/image_status.go b/server/image_status.go
diff --git a/server/server.go b/server/server.go

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,8 @@ type ImageConfig struct {`
`169`	`169`	InsecureRegistries []string `toml:"insecure_registries"`
`170`	`170`	`// ImageVolumes controls how volumes specified in image config are handled`
`171`	`171`	ImageVolumes ImageVolumesType `toml:"image_volumes"`
	`172`	`+ // TODO(runcom)`
	`173`	+ AdditionalRegistries []string `toml:"additional_registries"`
`172`	`174`	`}`
`173`	`175`
`174`	`176`	`// NetworkConfig represents the "crio.network" TOML config table`