CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-14 14:18:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

drop platform/digest pull resolution

Browse Source 
The digest-pull logic was added to make `docker push` work for multi-arch
upstream tags. Now that the push step is `docker buildx imagetools create`
pinned to the gpg-verified RepoDigest, the registry-to-registry copy
handles single- and multi-arch sources without help. Reverts the pull
back to the original line and removes the unused PLATFORM_OS/_ARCH
detection.
This commit is contained in:
Mike Reeves
2026-04-28 14:54:25 -04:00
parent 288a823edf
commit 82dac82d15
1 changed files with 12 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/common/tools/sbin/so-image-common
+12 -44
View File
@@ -104,16 +104,6 @@ update_docker_containers() {
set_version set_version
set_os set_os
# Resolve the local Docker daemon's platform once. Used below to pick the
# matching sub-manifest from a multi-arch image index — Docker 29.x will not
# push a tag that points at an index unless every referenced sub-manifest's
# content is present locally.
local PLATFORM_OS PLATFORM_ARCH
PLATFORM_OS=$(docker version --format '{{.Server.Os}}' 2>/dev/null)
PLATFORM_ARCH=$(docker version --format '{{.Server.Arch}}' 2>/dev/null)
PLATFORM_OS=${PLATFORM_OS:-linux}
PLATFORM_ARCH=${PLATFORM_ARCH:-amd64}
if [ -z "$TRUSTED_CONTAINERS" ]; then if [ -z "$TRUSTED_CONTAINERS" ]; then
container_list container_list
fi fi
@@ -171,37 +161,11 @@ update_docker_containers() {
local image=$i:$VERSION$IMAGE_TAG_SUFFIX local image=$i:$VERSION$IMAGE_TAG_SUFFIX
local sig_url=https://sigs.securityonion.net/$VERSION/$image.sig local sig_url=https://sigs.securityonion.net/$VERSION/$image.sig
fi fi
# Pull down the trusted docker image. If the upstream tag is a multi-arch # Pull down the trusted docker image
# image index, resolve the local-platform manifest digest and pull by run_check_net_err \
# digest so the local tag points at a single-arch image (not an index). "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
# That keeps Docker 29.x's index-aware push from trying to push sub-manifests "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
# whose content we never fetched.
local FULL_IMAGE="$CONTAINER_REGISTRY/$IMAGEREPO/$image"
local PLATFORM_DIGEST
PLATFORM_DIGEST=$(docker buildx imagetools inspect --raw "$FULL_IMAGE" 2>/dev/null \
| jq -r --arg os "$PLATFORM_OS" --arg arch "$PLATFORM_ARCH" '
.manifests[]?
| select(.platform.os == $os
and .platform.architecture == $arch
and ((.platform.variant // "") == "")
and ((.annotations["vnd.docker.reference.type"] // "") != "attestation-manifest"))
| .digest' 2>/dev/null \
| head -n 1)
if [ -n "$PLATFORM_DIGEST" ] && [ "$PLATFORM_DIGEST" != "null" ]; then
run_check_net_err \
"docker pull $FULL_IMAGE@$PLATFORM_DIGEST" \
"Could not pull $image ($PLATFORM_OS/$PLATFORM_ARCH), please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
docker tag "$FULL_IMAGE@$PLATFORM_DIGEST" "$FULL_IMAGE" >> "$LOG_FILE" 2>&1 || {
echo "Unable to retag $image to canonical tag" >> "$LOG_FILE" 2>&1
exit 1
}
else
run_check_net_err \
"docker pull $FULL_IMAGE" \
"Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
fi
# Get signature # Get signature
run_check_net_err \ run_check_net_err \
"curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' $sig_url --output $SIGNPATH/$image.sig" \ "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' $sig_url --output $SIGNPATH/$image.sig" \
@@ -233,11 +197,15 @@ update_docker_containers() {
# represents freshly-pulled images as an index whose layer content # represents freshly-pulled images as an index whose layer content
# isn't reachable through the push path. The local `docker tag` above # isn't reachable through the push path. The local `docker tag` above
# is preserved so so-image-pull's `:5000` existence check still works. # is preserved so so-image-pull's `:5000` existence check still works.
local PUSH_SRC="$CONTAINER_REGISTRY/$IMAGEREPO/$image" # Pin to the digest already gpg-verified above so we copy exactly the
if [ -n "$PLATFORM_DIGEST" ] && [ "$PLATFORM_DIGEST" != "null" ]; then # bytes we approved.
PUSH_SRC="$CONTAINER_REGISTRY/$IMAGEREPO/$image@$PLATFORM_DIGEST" local VERIFIED_REF
VERIFIED_REF=$(echo "$DOCKERINSPECT" | jq -r ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" | head -n 1)
if [ -z "$VERIFIED_REF" ] || [ "$VERIFIED_REF" = "null" ]; then
echo "Unable to determine verified digest for $image" >> "$LOG_FILE" 2>&1
exit 1
fi fi
docker buildx imagetools create --tag $HOSTNAME:5000/$IMAGEREPO/$image "$PUSH_SRC" >> "$LOG_FILE" 2>&1 || { docker buildx imagetools create --tag $HOSTNAME:5000/$IMAGEREPO/$image "$VERIFIED_REF" >> "$LOG_FILE" 2>&1 || {
echo "Unable to copy $image to embedded registry" >> "$LOG_FILE" 2>&1 echo "Unable to copy $image to embedded registry" >> "$LOG_FILE" 2>&1
exit 1 exit 1
} }