KubeOS/0001-KubeOS-add-oci-image-digests-check-when-upgrade-and-.patch


From 42f5a3e38ea6e23f5aff146f65ad20025088fc84 Mon Sep 17 00:00:00 2001
From: liyuanr <liyuanrong1@huawei.com>
Date: Mon, 29 May 2023 11:12:52 +0800
Subject: [PATCH] KubeOS: add oci image digests check when upgrade and fix the
issue with the software version display
Add a check of the OCI image digest after os-agent pulls
the image during an OS upgrade.
Fix the issue where the software version is displayed as empty.
Signed-off-by: liyuanr <liyuanrong1@huawei.com>
---
Makefile | 2 +-
cmd/agent/server/containerd_image.go | 3 ++
cmd/agent/server/docker_image.go | 3 ++
cmd/agent/server/utils.go | 44 ++++++++++++++++++++++++++++
docs/quick-start.md | 8 ++---
5 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 9d9fbea..27cf175 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ endif
VERSION_FILE := ./VERSION
VERSION := $(shell cat $(VERSION_FILE))
-PACKAGE:=openeuler.org/saiyan/pkg/version
+PACKAGE:=openeuler.org/KubeOS/pkg/version
BUILDFLAGS = -buildmode=pie -trimpath
LDFLAGS = -w -s -buildid=IdByKubeOS -linkmode=external -extldflags=-static -extldflags=-zrelro -extldflags=-Wl,-z,now -X ${PACKAGE}.Version=${VERSION}
ENV = CGO_CFLAGS="-fstack-protector-all" CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -O2"
diff --git a/cmd/agent/server/containerd_image.go b/cmd/agent/server/containerd_image.go
index 0b614b5..b019b72 100644
--- a/cmd/agent/server/containerd_image.go
+++ b/cmd/agent/server/containerd_image.go
@@ -48,6 +48,9 @@ func (c conImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath prep
if err := runCommand("crictl", "pull", imageName); err != nil {
return "", err
}
+ if err := checkOCIImageDigestMatch("containerd", imageName, req.CheckSum); err != nil {
+ return "", err
+ }
if err := checkAndCleanMount(mountPath); err != nil {
logrus.Errorln("containerd clean environment error", err)
return "", err
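Review bot: The digest check added after `crictl pull` verifies what the tag resolves to at that instant, but getRootfsArchive continues past this hunk, and if the later mount and extraction steps still address the image as `imageName`, a tag that is re-pulled or re-tagged in between would be used unverified. Referring to the image by the verified digest (or by the image ID resolved at check time) for every step after the check would close that gap. At minimum, add a comment above the call such as `// digest is bound to the tag only at this point; later steps must not re-resolve imageName`. The same applies to the identical call added in cmd/agent/server/docker_image.go. It is also not visible here whether `req.CheckSum` is normalised (lower-case hex, no `sha256:` prefix) before the exact string comparison in checkOCIImageDigestMatch.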
diff --git a/cmd/agent/server/docker_image.go b/cmd/agent/server/docker_image.go
index 2a52634..e6fa9d6 100644
--- a/cmd/agent/server/docker_image.go
+++ b/cmd/agent/server/docker_image.go
@@ -38,6 +38,9 @@ func (d dockerImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath p
if err := runCommand("docker", "pull", imageName); err != nil {
return "", err
}
+ if err := checkOCIImageDigestMatch("docker", imageName, req.CheckSum); err != nil {
+ return "", err
+ }
containerName := "kubeos-temp"
dockerPsCmd := "docker ps -a -f=name=" + containerName + "| awk 'NR==2' | awk '{print $1}'"
existId, err := runCommandWithOut("bash", "-c", dockerPsCmd)
diff --git a/cmd/agent/server/utils.go b/cmd/agent/server/utils.go
index 111497c..092417b 100644
--- a/cmd/agent/server/utils.go
+++ b/cmd/agent/server/utils.go
@@ -264,3 +264,47 @@ func checkFileExist(path string) (bool, error) {
return false, err
}
}
+
+func checkOCIImageDigestMatch(containerRuntime string, imageName string, checkSum string) error {
+ var cmdOutput string
+ var err error
+ switch containerRuntime {
+ case "containerd":
+ cmdOutput, err = runCommandWithOut("crictl", "inspecti", "--output", "go-template",
+ "--template", "{{.status.repoDigests}}", imageName)
+ if err != nil {
+ return err
+ }
+ case "docker":
+ cmdOutput, err = runCommandWithOut("docker", "inspect", "--format", "{{.RepoDigests}}", imageName)
+ if err != nil {
+ return err
+ }
+ default:
+ logrus.Errorln("containerRuntime ", containerRuntime, " cannot be recognized")
+ return fmt.Errorf("containerRuntime %s cannot be recognized", containerRuntime)
+ }
+ // cmdOutput format is as follows:
+ // [imageRepository/imageName:imageTag@sha256:digests]
+ // parse the output and get digest
+ var imageDigests string
+ outArray := strings.Split(cmdOutput, "@")
+ if strings.HasPrefix(outArray[len(outArray)-1], "sha256") {
+ pasredArray := strings.Split(strings.TrimSuffix(outArray[len(outArray)-1], "]"), ":")
+ // 2 is the expected length of the array after dividing "imageName:imageTag@sha256:digests" based on ':'
+ rightLen := 2
+ if len(pasredArray) == rightLen {
+ digestIndex := 1 // 1 is the index of digest data in pasredArray
+ imageDigests = pasredArray[digestIndex]
+ }
+ }
+ if imageDigests == "" {
+ logrus.Errorln("error when get ", imageName, " digests")
+ return fmt.Errorf("error when get %s digests", imageName)
+ }
+ if imageDigests != checkSum {
+ logrus.Errorln("checkSumFailed ", imageDigests, " mismatch to ", checkSum)
+ return fmt.Errorf("checkSumFailed %s mismatch to %s", imageDigests, checkSum)
+ }
+ return nil
+}
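Review bot: The parse in checkOCIImageDigestMatch compares only the last entry of RepoDigests, because it splits the whole output on `@` and keeps `outArray[len(outArray)-1]`, so an image that carries several repo digests fails the check even when the expected digest is among them. It also depends on the output ending exactly in `]`: if runCommandWithOut (not shown) leaves a trailing newline, `TrimSuffix(..., "]")` removes nothing and every comparison fails. Iterating over the entries after trimming whitespace keeps the check fail-closed while removing both fragilities, and rejecting an empty checkSum up front makes that intent explicit; the sketch below merges the "no digest found" and "mismatch" errors into one. The function also has no doc comment stating that checkSum is the bare hex digest without the `sha256:` prefix, and `pasredArray` is a typo for `parsedArray`.

```go
func checkOCIImageDigestMatch(containerRuntime string, imageName string, checkSum string) error {
	// … unchanged: runtime switch that fills cmdOutput …

	// Fail closed: an empty expected digest must never count as a match.
	if checkSum == "" {
		return fmt.Errorf("empty checksum for image %s", imageName)
	}
	// RepoDigests prints as "[repo@sha256:hex repo2@sha256:hex]";
	// accept the image if any entry carries the expected digest.
	const digestPrefix = "sha256:"
	refs := strings.Fields(strings.Trim(strings.TrimSpace(cmdOutput), "[]"))
	for _, ref := range refs {
		at := strings.LastIndex(ref, "@")
		if at < 0 || !strings.HasPrefix(ref[at+1:], digestPrefix) {
			continue
		}
		if ref[at+1+len(digestPrefix):] == checkSum {
			return nil
		}
	}
	logrus.Errorln("checkSumFailed: no repo digest of ", imageName, " matches ", checkSum)
	return fmt.Errorf("checkSumFailed: no repo digest of %s matches %s", imageName, checkSum)
```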
--
2.33.0.windows.2