-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(publish): add OCI 1.0 fallback support for AWS ECR #11239
Merged
Merged
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
596c252
fix(publish): add OCI 1.0 fallback support for AWS ECR
milas b6437d0
move around OCI logic, auto fallback/retry 1.1 -> 1.0
milas 3b9572b
fix typo
milas 6a7d4c5
tweak help message on oci version flag
milas 4264d53
use custom config type for OCI v1.0
milas 9993d53
Merge remote-tracking branch 'upstream/main' into fix-publish-ecr
milas d1f9ea3
regen docs
milas File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,183 @@ | ||
/* | ||
Copyright 2023 Docker Compose CLI authors | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package ocipush | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"net/http" | ||
"path/filepath" | ||
"time" | ||
|
||
pusherrors "github.com/containerd/containerd/remotes/errors" | ||
"github.com/distribution/reference" | ||
"github.com/docker/buildx/util/imagetools" | ||
"github.com/docker/compose/v2/pkg/api" | ||
"github.com/opencontainers/go-digest" | ||
"github.com/opencontainers/image-spec/specs-go" | ||
v1 "github.com/opencontainers/image-spec/specs-go/v1" | ||
) | ||
|
||
// clientAuthStatusCodes are client (4xx) errors that are authentication | ||
// related. | ||
var clientAuthStatusCodes = []int{ | ||
http.StatusUnauthorized, | ||
http.StatusForbidden, | ||
http.StatusProxyAuthRequired, | ||
} | ||
|
||
type Pushable struct { | ||
Descriptor v1.Descriptor | ||
Data []byte | ||
} | ||
|
||
func DescriptorForComposeFile(path string, content []byte) v1.Descriptor { | ||
return v1.Descriptor{ | ||
MediaType: "application/vnd.docker.compose.file+yaml", | ||
Digest: digest.FromString(string(content)), | ||
Size: int64(len(content)), | ||
Annotations: map[string]string{ | ||
"com.docker.compose.version": api.ComposeVersion, | ||
"com.docker.compose.file": filepath.Base(path), | ||
}, | ||
} | ||
} | ||
|
||
func PushManifest( | ||
ctx context.Context, | ||
resolver *imagetools.Resolver, | ||
named reference.Named, | ||
layers []Pushable, | ||
ociVersion api.OCIVersion, | ||
) error { | ||
// prepare to push the manifest by pushing the layers | ||
layerDescriptors := make([]v1.Descriptor, len(layers)) | ||
for i := range layers { | ||
layerDescriptors[i] = layers[i].Descriptor | ||
if err := resolver.Push(ctx, named, layers[i].Descriptor, layers[i].Data); err != nil { | ||
return err | ||
} | ||
} | ||
|
||
if ociVersion != "" { | ||
// if a version was explicitly specified, use it | ||
return createAndPushManifest(ctx, resolver, named, layerDescriptors, ociVersion) | ||
} | ||
|
||
// try to push in the OCI 1.1 format but fallback to OCI 1.0 on 4xx errors | ||
// (other than auth) since it's most likely the result of the registry not | ||
// having support | ||
err := createAndPushManifest(ctx, resolver, named, layerDescriptors, api.OCIVersion1_1) | ||
var pushErr pusherrors.ErrUnexpectedStatus | ||
if errors.As(err, &pushErr) && isNonAuthClientError(pushErr.StatusCode) { | ||
// TODO(milas): show a warning here (won't work with logrus) | ||
return createAndPushManifest(ctx, resolver, named, layerDescriptors, api.OCIVersion1_0) | ||
} | ||
return err | ||
} | ||
|
||
func createAndPushManifest( | ||
ctx context.Context, | ||
resolver *imagetools.Resolver, | ||
named reference.Named, | ||
layers []v1.Descriptor, | ||
ociVersion api.OCIVersion, | ||
) error { | ||
toPush, err := generateManifest(layers, ociVersion) | ||
if err != nil { | ||
return err | ||
} | ||
for _, p := range toPush { | ||
err = resolver.Push(ctx, named, p.Descriptor, p.Data) | ||
if err != nil { | ||
return err | ||
} | ||
} | ||
return nil | ||
} | ||
|
||
func isNonAuthClientError(statusCode int) bool { | ||
if statusCode < 400 || statusCode >= 500 { | ||
// not a client error | ||
return false | ||
} | ||
for _, v := range clientAuthStatusCodes { | ||
if statusCode == v { | ||
// client auth error | ||
return false | ||
} | ||
} | ||
// any other 4xx client error | ||
return true | ||
} | ||
|
||
func generateManifest(layers []v1.Descriptor, ociCompat api.OCIVersion) ([]Pushable, error) { | ||
var toPush []Pushable | ||
var config v1.Descriptor | ||
var artifactType string | ||
switch ociCompat { | ||
case api.OCIVersion1_0: | ||
configData, err := json.Marshal(v1.ImageConfig{}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
config = v1.Descriptor{ | ||
MediaType: v1.MediaTypeImageConfig, | ||
Digest: digest.FromBytes(configData), | ||
Size: int64(len(configData)), | ||
} | ||
// N.B. OCI 1.0 does NOT support specifying the artifact type, so it's | ||
// left as an empty string to omit it from the marshaled JSON | ||
artifactType = "" | ||
toPush = append(toPush, Pushable{Descriptor: config, Data: configData}) | ||
case api.OCIVersion1_1: | ||
config = v1.DescriptorEmptyJSON | ||
artifactType = "application/vnd.docker.compose.project" | ||
// N.B. the descriptor has the data embedded in it | ||
toPush = append(toPush, Pushable{Descriptor: config, Data: nil}) | ||
default: | ||
return nil, fmt.Errorf("unsupported OCI version: %s", ociCompat) | ||
} | ||
|
||
manifest, err := json.Marshal(v1.Manifest{ | ||
Versioned: specs.Versioned{SchemaVersion: 2}, | ||
MediaType: v1.MediaTypeImageManifest, | ||
ArtifactType: artifactType, | ||
Config: config, | ||
Layers: layers, | ||
Annotations: map[string]string{ | ||
"org.opencontainers.image.created": time.Now().Format(time.RFC3339), | ||
}, | ||
}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
manifestDescriptor := v1.Descriptor{ | ||
MediaType: v1.MediaTypeImageManifest, | ||
Digest: digest.FromString(string(manifest)), | ||
Size: int64(len(manifest)), | ||
Annotations: map[string]string{ | ||
"com.docker.compose.version": api.ComposeVersion, | ||
}, | ||
ArtifactType: artifactType, | ||
} | ||
toPush = append(toPush, Pushable{Descriptor: manifestDescriptor, Data: manifest}) | ||
return toPush, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OCI artifact specification
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OCI artifacts are dead, long live OCI images: https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage
😬
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
really? So this is an non-secret plan to make all this think damn confusing as an "image" can now either be an image or an arbitrary artifact 🥸
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this to say "OCI Image/Artifact specification" - does that sound OK?
[also asked internally in Slack if anyone knows what the suggested nomenclature is 🤷🏻]