From e4f2aa625734bfeda9ab594e869e04c06f73921c Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 20 Sep 2021 10:44:12 +0200 Subject: [PATCH] (*libimage.Image).HasDifferentDigest: add authentication Allow for passing down credentials when comparing a local image with a remote one. The linked BZ relates to a regression in `podman auto-update` but while reading the code I noticed it's also impacting pull policies. BZ: bugzilla.redhat.com/show_bug.cgi?id=2000943 Signed-off-by: Valentin Rothberg --- libimage/image.go | 18 +++++++++++++++++- libimage/image_test.go | 4 ++-- libimage/pull.go | 2 +- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/libimage/image.go b/libimage/image.go index ff7d546e9..8456d5280 100644 --- a/libimage/image.go +++ b/libimage/image.go @@ -715,10 +715,18 @@ func (i *Image) Size() (int64, error) { return i.runtime.store.ImageSize(i.ID()) } +// HasDifferentDigestOptions allows for customizing the check if another +// (remote) image has a different digest. +type HasDifferentDigestOptions struct { + // containers-auth.json(5) file to use when authenticating against + // container registries. + AuthFilePath string +} + // HasDifferentDigest returns true if the image specified by `remoteRef` has a // different digest than the local one. This check can be useful to check for // updates on remote registries. -func (i *Image) HasDifferentDigest(ctx context.Context, remoteRef types.ImageReference) (bool, error) { +func (i *Image) HasDifferentDigest(ctx context.Context, remoteRef types.ImageReference, options *HasDifferentDigestOptions) (bool, error) { // We need to account for the arch that the image uses. It seems // common on ARM to tweak this option to pull the correct image. See // github.com/containers/podman/issues/6613. @@ -738,6 +746,14 @@ func (i *Image) HasDifferentDigest(ctx context.Context, remoteRef types.ImageRef sys.VariantChoice = inspectInfo.Variant } + if options != nil && options.AuthFilePath != "" { + sys.AuthFilePath = options.AuthFilePath + } + + return i.hasDifferentDigestWithSystemContext(ctx, remoteRef, sys) +} + +func (i *Image) hasDifferentDigestWithSystemContext(ctx context.Context, remoteRef types.ImageReference, sys *types.SystemContext) (bool, error) { remoteImg, err := remoteRef.NewImage(ctx, sys) if err != nil { return false, err diff --git a/libimage/image_test.go b/libimage/image_test.go index cf6317a0f..5ad67b3f5 100644 --- a/libimage/image_test.go +++ b/libimage/image_test.go @@ -134,14 +134,14 @@ func TestImageFunctions(t *testing.T) { // Same image -> same digest remoteRef, err := alltransports.ParseImageName("docker://" + busyboxDigest) require.NoError(t, err) - hasDifferentDigest, err := image.HasDifferentDigest(ctx, remoteRef) + hasDifferentDigest, err := image.HasDifferentDigest(ctx, remoteRef, nil) require.NoError(t, err) require.False(t, hasDifferentDigest, "image with same digest should have the same manifest (and hence digest)") // Different images -> different digests remoteRef, err = alltransports.ParseImageName("docker://docker.io/library/alpine:latest") require.NoError(t, err) - hasDifferentDigest, err = image.HasDifferentDigest(ctx, remoteRef) + hasDifferentDigest, err = image.HasDifferentDigest(ctx, remoteRef, nil) require.NoError(t, err) require.True(t, hasDifferentDigest, "another image should have a different digest") diff --git a/libimage/pull.go b/libimage/pull.go index 8712a13fd..1c322c37e 100644 --- a/libimage/pull.go +++ b/libimage/pull.go @@ -561,7 +561,7 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str } if pullPolicy == config.PullPolicyNewer && localImage != nil { - isNewer, err := localImage.HasDifferentDigest(ctx, srcRef) + isNewer, err := localImage.hasDifferentDigestWithSystemContext(ctx, srcRef, c.systemContext) if err != nil { pullErrors = append(pullErrors, err) continue