!45 KubeOS: add oci image digests check when upgrade and fix the issue with the software version display

From: @li-yuanrong 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2023-05-30 12:59:14 +00:00 committed by Gitee
commit acf8a7c071
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 124 additions and 1 deletions


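--- /dev/null
+++ b/0001-KubeOS-add-oci-image-digests-check-when-upgrade-and-.patch
@@ -0,0 +1,116 @@
+From 42f5a3e38ea6e23f5aff146f65ad20025088fc84 Mon Sep 17 00:00:00 2001
+From: liyuanr <liyuanrong1@huawei.com>
+Date: Mon, 29 May 2023 11:12:52 +0800
+Subject: [PATCH] KubeOS: add oci image digests check when upgrade and fix the
+issue with the software version display
+add check of digests of the oci image for upgrade after
+os-agent pulls image when os upgrading.
+Fix the issue where the softwares version is empty
+Signed-off-by: liyuanr <liyuanrong1@huawei.com>
+---
+Makefile | 2 +-
+cmd/agent/server/containerd_image.go | 3 ++
+cmd/agent/server/docker_image.go | 3 ++
+cmd/agent/server/utils.go | 44 ++++++++++++++++++++++++++++
+docs/quick-start.md | 8 ++---
+5 files changed, 55 insertions(+), 5 deletions(-)
+diff --git a/Makefile b/Makefile
+index 9d9fbea..27cf175 100644
+--- a/Makefile
++++ b/Makefile
+@@ -30,7 +30,7 @@ endif
+VERSION_FILE := ./VERSION
+VERSION := $(shell cat $(VERSION_FILE))
+-PACKAGE:=openeuler.org/saiyan/pkg/version
++PACKAGE:=openeuler.org/KubeOS/pkg/version
+BUILDFLAGS = -buildmode=pie -trimpath
+LDFLAGS = -w -s -buildid=IdByKubeOS -linkmode=external -extldflags=-static -extldflags=-zrelro -extldflags=-Wl,-z,now -X ${PACKAGE}.Version=${VERSION}
+ENV = CGO_CFLAGS="-fstack-protector-all" CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -O2"
+diff --git a/cmd/agent/server/containerd_image.go b/cmd/agent/server/containerd_image.go
+index 0b614b5..b019b72 100644
+--- a/cmd/agent/server/containerd_image.go
++++ b/cmd/agent/server/containerd_image.go
+@@ -48,6 +48,9 @@ func (c conImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath prep
+if err := runCommand("crictl", "pull", imageName); err != nil {
+return "", err
+}
++ if err := checkOCIImageDigestMatch("containerd", imageName, req.CheckSum); err != nil {
++ return "", err
++ }
+if err := checkAndCleanMount(mountPath); err != nil {
+logrus.Errorln("containerd clean environment error", err)
+return "", err
+diff --git a/cmd/agent/server/docker_image.go b/cmd/agent/server/docker_image.go
+index 2a52634..e6fa9d6 100644
+--- a/cmd/agent/server/docker_image.go
++++ b/cmd/agent/server/docker_image.go
+@@ -38,6 +38,9 @@ func (d dockerImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath p
+if err := runCommand("docker", "pull", imageName); err != nil {
+return "", err
+}
++ if err := checkOCIImageDigestMatch("docker", imageName, req.CheckSum); err != nil {
++ return "", err
++ }
+containerName := "kubeos-temp"
+dockerPsCmd := "docker ps -a -f=name=" + containerName + "| awk 'NR==2' | awk '{print $1}'"
+existId, err := runCommandWithOut("bash", "-c", dockerPsCmd)
+diff --git a/cmd/agent/server/utils.go b/cmd/agent/server/utils.go
+index 111497c..092417b 100644
+--- a/cmd/agent/server/utils.go
++++ b/cmd/agent/server/utils.go
+@@ -264,3 +264,47 @@ func checkFileExist(path string) (bool, error) {
+return false, err
+}
+}
++
++func checkOCIImageDigestMatch(containerRuntime string, imageName string, checkSum string) error {
++ var cmdOutput string
++ var err error
++ switch containerRuntime {
++ case "containerd":
++ cmdOutput, err = runCommandWithOut("crictl", "inspecti", "--output", "go-template",
++ "--template", "{{.status.repoDigests}}", imageName)
++ if err != nil {
++ return err
++ }
++ case "docker":
++ cmdOutput, err = runCommandWithOut("docker", "inspect", "--format", "{{.RepoDigests}}", imageName)
++ if err != nil {
++ return err
++ }
++ default:
++ logrus.Errorln("containerRuntime ", containerRuntime, " cannot be recognized")
++ return fmt.Errorf("containerRuntime %s cannot be recognized", containerRuntime)
++ }
++ // cmdOutput format is as follows:
++ // [imageRepository/imageName:imageTag@sha256:digests]
++ // parse the output and get digest
++ var imageDigests string
++ outArray := strings.Split(cmdOutput, "@")
++ if strings.HasPrefix(outArray[len(outArray)-1], "sha256") {
++ pasredArray := strings.Split(strings.TrimSuffix(outArray[len(outArray)-1], "]"), ":")
++ // 2 is the expected length of the array after dividing "imageName:imageTag@sha256:digests" based on ':'
++ rightLen := 2
++ if len(pasredArray) == rightLen {
++ digestIndex := 1 // 1 is the index of digest data in pasredArray
++ imageDigests = pasredArray[digestIndex]
++ }
++ }
++ if imageDigests == "" {
++ logrus.Errorln("error when get ", imageName, " digests")
++ return fmt.Errorf("error when get %s digests", imageName)
++ }
++ if imageDigests != checkSum {
++ logrus.Errorln("checkSumFailed ", imageDigests, " mismatch to ", checkSum)
++ return fmt.Errorf("checkSumFailed %s mismatch to %s", imageDigests, checkSum)
++ }
++ return nil
++}
+--
+2.33.0.windows.2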
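Review bot: checkOCIImageDigestMatch only inspects the text after the last `@` in the inspect output, so an image whose RepoDigests list holds more than one entry (the output is a bracketed, space-separated list) is verified against a single arbitrary entry and a correct checkSum can be rejected; the parse at `outArray := strings.Split(cmdOutput, "@")` should collect every `@sha256:` digest in the list and accept when any of them equals checkSum, as sketched below. The same parse silently fails if runCommandWithOut keeps the trailing newline, because `strings.TrimSuffix(..., "]")` then never strips the bracket and every upgrade would be refused — that helper is not visible here, so a TrimSpace before parsing is cheap insurance either way. The value compared is the bare hex, so a checkSum supplied as `sha256:<hex>` always mismatches; that contract deserves a doc comment on the function, e.g. `// checkOCIImageDigestMatch verifies that one of the pulled image's repo digests (hex only, no "sha256:" prefix) equals checkSum.` The local `pasredArray` is misspelled, and each failure path both logs at error level and returns the same message, which the callers in containerd_image.go and docker_image.go will propagate again.
```go
	// … unchanged: runtime switch that fills cmdOutput …
	// cmdOutput looks like "[repo/name:tag@sha256:<hex> repo/name@sha256:<hex>]":
	// collect every listed digest and accept the image if one equals checkSum.
	matched := false
	var imageDigests []string
	for _, entry := range strings.Fields(strings.Trim(strings.TrimSpace(cmdOutput), "[]")) {
		parts := strings.SplitN(entry, "@sha256:", 2)
		if len(parts) != 2 || parts[1] == "" {
			continue
		}
		imageDigests = append(imageDigests, parts[1])
		if parts[1] == checkSum {
			matched = true
		}
	}
	if len(imageDigests) == 0 {
		logrus.Errorln("error when get ", imageName, " digests")
		return fmt.Errorf("error when get %s digests", imageName)
	}
	if !matched {
		logrus.Errorln("checkSumFailed ", imageDigests, " mismatch to ", checkSum)
		return fmt.Errorf("checkSumFailed %v mismatch to %s", imageDigests, checkSum)
	}
	return nil
```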


@ -2,10 +2,11 @@
Name: KubeOS Name: KubeOS
Version: 1.0.3 Version: 1.0.3
Release: 1 Release: 2
Summary: O&M platform used to update the whole OS as an entirety Summary: O&M platform used to update the whole OS as an entirety
License: Mulan PSL v2 License: Mulan PSL v2
Source0: https://gitee.com/openeuler/KubeOS/repository/archive/v%{version}.tar.gz Source0: https://gitee.com/openeuler/KubeOS/repository/archive/v%{version}.tar.gz
Patch1: 0001-KubeOS-add-oci-image-digests-check-when-upgrade-and-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: make BuildRequires: make
BuildRequires: golang >= 1.13 BuildRequires: golang >= 1.13
@ -106,6 +107,12 @@ install -p -m 0600 ./files/os-release %{buildroot}/opt/kubeOS/files
rm -rfv %{buildroot} rm -rfv %{buildroot}
%changelog %changelog
* Tue May 30 2023 liyuanrong<liyuanrong1@huawei.com> - 1.0.3-2
- Type:requirement
- CVE:NA
- SUG:restart
- DESC:add oci image digests check when upgrade and fix the issue with the software version display
* Tue May 16 2023 liyuanrong<liyuanrong1@huawei.com> - 1.0.3-1 * Tue May 16 2023 liyuanrong<liyuanrong1@huawei.com> - 1.0.3-1
- Type:requirement - Type:requirement
- CVE:NA - CVE:NA