Merge pull request #1673 from ktock/store-tocdigest-id

[Additional Layer Store] Use TOCDigest as ID of each layer
containerd · Jun 19, 2024 · 7e8fc21 · 7e8fc21
2 parents bfb1ce4 + a1573c2
commit 7e8fc21
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 127 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -17,8 +17,8 @@ ARG RUNC_VERSION=v1.1.12
 ARG CNI_PLUGINS_VERSION=v1.4.1
 ARG NERDCTL_VERSION=1.7.6
 
-ARG PODMAN_VERSION=v5.0.2
-ARG CRIO_VERSION=v1.30.0
+ARG PODMAN_VERSION=v5.1.1
+ARG CRIO_VERSION=main
 ARG CONMON_VERSION=v2.1.11
 ARG COMMON_VERSION=v0.58.2
 ARG CRIO_TEST_PAUSE_IMAGE_NAME=registry.k8s.io/pause:3.6

diff --git a/cmd/stargz-store/main.go b/cmd/stargz-store/main.go
@@ -132,9 +132,8 @@ func main() {
 				Fatalf("failed to prepare mountpoint %q", mountPoint)
 		}
 	}
-	if !config.Config.DisableVerification {
-		log.G(ctx).Warnf("content verification is not supported; switching to non-verification mode")
-		config.Config.DisableVerification = true
+	if config.Config.DisableVerification {
+		log.G(ctx).Fatalf("content verification can't be disabled")
 	}
 	mt, err := getMetadataStore(*rootDir, config)
 	if err != nil {

diff --git a/fs/layer/layer.go b/fs/layer/layer.go
@@ -108,6 +108,7 @@ type Info struct {
 	FetchedSize  int64     // layer fetched size in bytes
 	PrefetchSize int64     // layer prefetch size in bytes
 	ReadTime     time.Time // last time the layer was read
+	TOCDigest    digest.Digest
 }
 
 // Resolver resolves the layer location and provieds the handler of that layer.
@@ -415,6 +416,7 @@ func (l *layer) Info() Info {
 		FetchedSize:  l.blob.FetchedSize(),
 		PrefetchSize: l.prefetchedSize(),
 		ReadTime:     readTime,
+		TOCDigest:    l.verifiableReader.Metadata().TOCDigest(),
 	}
 }
 

diff --git a/script/demo-store/etc/stargz-store/config.toml b/script/demo-store/etc/stargz-store/config.toml
@@ -1,5 +1,4 @@
 metrics_address = "127.0.0.1:8234"
-disable_verification = true
 [[resolver.host."registry2-store:5000".mirrors]]
 host = "registry2-store:5000"
 insecure = true
diff --git a/store/fs.go b/store/fs.go
@@ -384,12 +384,20 @@ func (n *layernode) Lookup(ctx context.Context, name string, out *fuse.EntryOut)
 				return nil, syscall.EIO
 			}
 			log.G(ctx).WithField(remoteSnapshotLogKey, prepareFailed).
-				WithField("layerdigest", n.digest).
+				WithField("digest", n.digest).
 				WithError(err).
 				Debugf("error resolving layer (context error: %v)", cErr)
 			log.G(ctx).WithError(err).Warnf("failed to mount layer %q: %q", name, n.digest)
 			return nil, syscall.EIO
 		}
+		if err := l.Verify(n.digest); err != nil {
+			log.G(ctx).WithField(remoteSnapshotLogKey, prepareFailed).
+				WithField("digest", n.digest).
+				WithError(err).
+				Debugf("failed to verify layer")
+			log.G(ctx).WithError(err).Warnf("failed to mount layer %q: %q", name, n.digest)
+			return nil, syscall.EIO
+		}
 		if name == blobLink {
 			sAttr := layerToAttr(l, &out.Attr)
 			cn := &blobnode{l: l}