Provide easier access to the most recent versions of FCOS images

mcsaucy/fcos-image-redirector

Fedora CoreOS Image Redirector

Need a way to find the most up-to-date FCOS artifact? Don't use this. Use the official page instead. FCOS #625 has details explaining why you should use the official approach.

Trying to find a stable URL you can hit to pull down the most up-to-date image (for example via iPXE)? This may be what you want. Hosted at latest-fcos.herokuapp.com, e.g. https://latest-fcos.herokuapp.com/stable/artifacts/x86_64/metal/pxe/kernel.

How it works

The Fedora CoreOS project exposes streams files to track the most up-to-date versions of things for a given stream (stable, testing, or next). When we get a request, we pull down the streams JSON blob, parse it, cache it, and then redirect you to the FCOS URL.

At the end of the day, this just parses a JSON blob, uses the request path to walk the object tree and then redirects to what it finds.

What's supported

We should be able to redirect to any location within the "architectures/*/artifacts" structure of the streams JSON blob.

We support the "stable", "testing", and "next" streams (which at the time of writing is all of them).

The general path structure is $STREAM/artifacts/$ARCH/$PLATFORM/$FORMAT/$ARTIFACT?$OPTIONS.

Basic lookups

Example: /stable/artifacts/x86_64/metal/pxe/kernel

This just redirects to the location for that resource in the streams JSON.

Peeking

Example: /stable/artifacts/x86_64/metal/pxe/kernel?peek

This doesn't redirect. Instead, we write the URL we would have redirected to in the response body.

Signature fetching

Example: /stable/artifacts/x86_64/metal/pxe/kernel?sig

Redirects to the .sig file for the resource. This can also be used with ?peek.

Digest fetching

Example: /stable/artifacts/x86_64/metal/pxe/kernel?sha256

Writes the SHA256 digest for the resource (as stored in the streams blob) in the response body. There's no redirection here.
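
The lookup described under "How it works", with the options above, as an added sketch (not this repository's code). The blob layout below `architectures/*/artifacts` (`formats`, `location`, `signature`, `sha256`), the sample values, the upstream host allowlist and the status codes are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a streams blob; key names under "artifacts",
# the build version and the digest are assumptions made for this example.
SAMPLE = json.loads("""
{"stream": "stable", "architectures": {"x86_64": {"artifacts": {"metal": {
  "formats": {"pxe": {"kernel": {
    "location": "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/0.0.0/x86_64/kernel-x86_64",
    "signature": "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/0.0.0/x86_64/kernel-x86_64.sig",
    "sha256": "0000000000000000000000000000000000000000000000000000000000000000"
  }}}}}}}}
""")
STREAMS = {"stable", "testing", "next"}
ALLOWED_HOSTS = {"builds.coreos.fedoraproject.org"}  # assumed upstream host


def resolve(path, query, blobs):
    """Return (status, redirect_location_or_None, body) for one request."""
    parts = path.strip("/").split("/")
    if len(parts) != 6 or parts[1] != "artifacts" or parts[0] not in STREAMS:
        return 404, None, "not found"
    stream, _, arch, platform, fmt, artifact = parts
    node = blobs.get(stream)
    # Walk with exact-match dict lookups only, so the request path can never
    # reach anything outside architectures/<arch>/artifacts.
    for key in ("architectures", arch, "artifacts", platform, "formats", fmt, artifact):
        if not isinstance(node, dict) or key not in node:
            return 404, None, "not found"
        node = node[key]
    if not isinstance(node, dict):
        return 404, None, "not found"
    opts = set(query.split("&")) if query else set()
    if "sha256" in opts:  # digest is written to the body, never a redirect
        return 200, None, node.get("sha256", "")
    url = node.get("signature" if "sig" in opts else "location", "")
    target = urlsplit(url)
    # Refuse to point clients anywhere but HTTPS on the expected upstream host,
    # even if the cached blob says otherwise.
    if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
        return 502, None, "unexpected upstream URL"
    if "peek" in opts:
        return 200, None, url
    return 302, url, ""
```
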

How do I know this isn't tampering with images?

Because it's not serving them. The requester is merely being redirected to a resource hosted by the Fedora CoreOS project.

Now, we could totally redirect you to some other source that hosts compromised or non-FCOS images and pass them off as legitimate, but if you're worried about that you should probably not be using this (or at least audit all 200 lines of code and host it yourself).

At the end of the day, the best thing you can do is use the coreos-installer to grab your images, as it's the Official way and it performs signature verification.
