issue with the software version display add check of digests of the oci image for upgrade after os-agent pulls image when os upgrading. Fix the issue where the softwares version is empty Signed-off-by: liyuanr <liyuanrong1@huawei.com>
From 42f5a3e38ea6e23f5aff146f65ad20025088fc84 Mon Sep 17 00:00:00 2001
From: liyuanr <liyuanrong1@huawei.com>
Date: Mon, 29 May 2023 11:12:52 +0800
Subject: [PATCH] KubeOS: add oci image digests check when upgrade and fix the
issue with the software version display
add check of digests of the oci image for upgrade after
os-agent pulls image when os upgrading.
Fix the issue where the softwares version is empty
Signed-off-by: liyuanr <liyuanrong1@huawei.com>
---
Makefile | 2 +-
cmd/agent/server/containerd_image.go | 3 ++
cmd/agent/server/docker_image.go | 3 ++
cmd/agent/server/utils.go | 44 ++++++++++++++++++++++++++++
docs/quick-start.md | 8 ++---
5 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 9d9fbea..27cf175 100644
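--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ endif
 
 VERSION_FILE := ./VERSION
 VERSION := $(shell cat $(VERSION_FILE))
-PACKAGE:=openeuler.org/saiyan/pkg/version
+PACKAGE:=openeuler.org/KubeOS/pkg/version
 BUILDFLAGS = -buildmode=pie -trimpath
 LDFLAGS = -w -s -buildid=IdByKubeOS -linkmode=external -extldflags=-static -extldflags=-zrelro -extldflags=-Wl,-z,now -X ${PACKAGE}.Version=${VERSION}
 ENV = CGO_CFLAGS="-fstack-protector-all" CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -O2"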
diff --git a/cmd/agent/server/containerd_image.go b/cmd/agent/server/containerd_image.go
index 0b614b5..b019b72 100644
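--- a/cmd/agent/server/containerd_image.go
+++ b/cmd/agent/server/containerd_image.go
@@ -48,6 +48,9 @@ func (c conImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath prep
 if err := runCommand("crictl", "pull", imageName); err != nil {
 return "", err
 }
+ if err := checkOCIImageDigestMatch("containerd", imageName, req.CheckSum); err != nil {
+ return "", err
+ }
 if err := checkAndCleanMount(mountPath); err != nil {
 logrus.Errorln("containerd clean environment error", err)
 return "", err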
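Review bot: When `checkOCIImageDigestMatch` fails, the added branch returns the error but leaves the image that `crictl pull` stored a few lines earlier in the local image store under `imageName`; the identical call added to `docker_image.go` behaves the same way after `docker pull`. An image that failed verification is better not left resolvable by the name the upgrade uses, so consider removing it before returning, e.g. `if rmErr := runCommand("crictl", "rmi", imageName); rmErr != nil { logrus.Warnln("remove unverified image failed:", rmErr) }` (and `docker rmi` in the Docker handler). The check also resolves the image by its mutable name, so if the rest of `getRootfsArchive`, which continues outside this hunk, keeps referring to `imageName` by tag, the verified digest is not pinned to what is later unpacked; pulling and using the image as `name@sha256:<digest>` would presumably close that gap.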
diff --git a/cmd/agent/server/docker_image.go b/cmd/agent/server/docker_image.go
index 2a52634..e6fa9d6 100644
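--- a/cmd/agent/server/docker_image.go
+++ b/cmd/agent/server/docker_image.go
@@ -38,6 +38,9 @@ func (d dockerImageHandler) getRootfsArchive(req *pb.UpdateRequest, neededPath p
 if err := runCommand("docker", "pull", imageName); err != nil {
 return "", err
 }
+ if err := checkOCIImageDigestMatch("docker", imageName, req.CheckSum); err != nil {
+ return "", err
+ }
 containerName := "kubeos-temp"
 dockerPsCmd := "docker ps -a -f=name=" + containerName + "| awk 'NR==2' | awk '{print $1}'"
 existId, err := runCommandWithOut("bash", "-c", dockerPsCmd)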
diff --git a/cmd/agent/server/utils.go b/cmd/agent/server/utils.go
index 111497c..092417b 100644
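--- a/cmd/agent/server/utils.go
+++ b/cmd/agent/server/utils.go
@@ -264,3 +264,47 @@ func checkFileExist(path string) (bool, error) {
 return false, err
 }
 }
+
+func checkOCIImageDigestMatch(containerRuntime string, imageName string, checkSum string) error {
+ var cmdOutput string
+ var err error
+ switch containerRuntime {
+ case "containerd":
+ cmdOutput, err = runCommandWithOut("crictl", "inspecti", "--output", "go-template",
+ "--template", "{{.status.repoDigests}}", imageName)
+ if err != nil {
+ return err
+ }
+ case "docker":
+ cmdOutput, err = runCommandWithOut("docker", "inspect", "--format", "{{.RepoDigests}}", imageName)
+ if err != nil {
+ return err
+ }
+ default:
+ logrus.Errorln("containerRuntime ", containerRuntime, " cannot be recognized")
+ return fmt.Errorf("containerRuntime %s cannot be recognized", containerRuntime)
+ }
+ // cmdOutput format is as follows:
+ // [imageRepository/imageName:imageTag@sha256:digests]
+ // parse the output and get digest
+ var imageDigests string
+ outArray := strings.Split(cmdOutput, "@")
+ if strings.HasPrefix(outArray[len(outArray)-1], "sha256") {
+ pasredArray := strings.Split(strings.TrimSuffix(outArray[len(outArray)-1], "]"), ":")
+ // 2 is the expected length of the array after dividing "imageName:imageTag@sha256:digests" based on ':'
+ rightLen := 2
+ if len(pasredArray) == rightLen {
+ digestIndex := 1 // 1 is the index of digest data in pasredArray
+ imageDigests = pasredArray[digestIndex]
+ }
+ }
+ if imageDigests == "" {
+ logrus.Errorln("error when get ", imageName, " digests")
+ return fmt.Errorf("error when get %s digests", imageName)
+ }
+ if imageDigests != checkSum {
+ logrus.Errorln("checkSumFailed ", imageDigests, " mismatch to ", checkSum)
+ return fmt.Errorf("checkSumFailed %s mismatch to %s", imageDigests, checkSum)
+ }
+ return nil
+}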
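Review bot: The parsing that follows the `switch` keeps only the text after the last `@`, so when the runtime lists more than one repo digest for the image only the final entry is compared with `checkSum`, and an upgrade can be rejected although the expected digest is in the list. It also strips `]` but no whitespace, so if `runCommandWithOut` (defined outside this hunk) passes through the command's trailing newline, no digest would ever match. Splitting the bracketed list into entries and comparing each entry's digest, as sketched below, handles both cases and still fails closed on an empty list or an empty `checkSum`. The function would also benefit from a doc comment stating that `checkSum` is the bare hex digest without the `sha256:` prefix, and `pasredArray` is a typo for `parsedArray`.

```go
// … unchanged: switch on containerRuntime that fills cmdOutput …
	// cmdOutput looks like "[repo/name@sha256:<hex> ...]"; compare every entry.
	entries := strings.Fields(strings.Trim(strings.TrimSpace(cmdOutput), "[]"))
	sawDigest := false
	for _, entry := range entries {
		parts := strings.SplitN(entry, "@sha256:", 2)
		if len(parts) != 2 || parts[1] == "" {
			continue
		}
		sawDigest = true
		if parts[1] == checkSum {
			return nil
		}
	}
	if !sawDigest {
		logrus.Errorln("error when get ", imageName, " digests")
		return fmt.Errorf("error when get %s digests", imageName)
	}
	logrus.Errorln("checkSumFailed: no digest of ", imageName, " matches ", checkSum)
	return fmt.Errorf("checkSumFailed: no digest of %s matches %s", imageName, checkSum)
```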
--
2.33.0.windows.2