Add index.json validation #51
Conversation
zhouhao3
force-pushed
the
test-mlist
branch
2 times, most recently
from
13a1d21
to
bf107ce
Compare
|
LGTM |
There was a problem hiding this comment.
The validation approach here is strange. Instead of:
- Walk from the initial descriptor to a manifest, validating the manifest if you find one.
- Walk from the initial descriptor to a manifest list, validating the manifest list if you find one.
- Walk from the initial descriptor to …
I'd rather land opencontainers/image-spec#403 and use:
- Get an initial descriptor.
- Fetch the object referenced by the descriptor.
- Run the appropriate intra-blob validation on it (schema: Use Validators map and prepare to extend beyond JSON Schema image-spec#403).
- For any children referenced from the blob, recurse to (2).
image/manifest_list.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func checkPlatform(m Manifests) error { |
There was a problem hiding this comment.
The consensus seems to be that this sort of intra-JSON-blob validation should live in image-spec.
image/manifest_list.go
Outdated
| Platform Platform `json:"platform"` | ||
| } | ||
|
|
||
| func findManifest_list(w walker, d *descriptor) (*manifest_list, error) { |
zhouhao3
force-pushed
the
test-mlist
branch
7 times, most recently
from
320efcb
to
cd48670
Compare
image/manifest_list.go
Outdated
|
|
||
| func (ml *manifestlist) validate(w walker) error { | ||
| for _, d := range ml.Manifests { | ||
| if err := d.Descriptor.validate(w, []string{v1.MediaTypeImageConfig}); err != nil { |
There was a problem hiding this comment.
This is currently raising:
d.Descriptor.validate undefined (type "github.com/opencontainers/image-tools/vendor/github.com/opencontainers/image-spec/specs-go".Descriptor has no field or method validate)
That's because this repo currently defines it's own descriptor type which has a validate method, but you're using the spec's Descriptor which does not have that method. Validating descriptors will become easier with opencontainers/image-spec#403, but until then you'll want to convert your image-spec Descriptor to an image-tools descriptor before calling the local validate method.
There was a problem hiding this comment.
But the manifest also have spec's Descriptor, it can use validate ,I think as long as the manifest file to the Descriptor as specific, you can call.
|
The The consensus seems to be that this sort of intra-JSON-blob validation should live in image-spec. So I think |
|
@q384566678 build failed |
|
I know,I'm trying to fix that @coolljt0725 |
|
On Mon, Oct 31, 2016 at 01:54:49AM -0700, Zhou Hao wrote:
That validate call is using the image-tools-specific manifest 1, |
zhouhao3
force-pushed
the
test-mlist
branch
2 times, most recently
from
c1c6538
to
0317d75
Compare
image/image.go
Outdated
| return err | ||
| } | ||
| } else { | ||
| if !strings.Contains(string(err), "manifestlist not found") { |
There was a problem hiding this comment.
At the moment, the manifest list is OPTIONAL(https://github.com/opencontainers/image-spec/blob/master/manifest-list.md#oci-image-manifest-list-specification) , so we should not error out if there is no manifest list
There was a problem hiding this comment.
Yes, I was in accordance with the idea to write, I first made a judgment on the error message, if it is because there is no manifest list and return, not error out.(There is one“!” symbol follows the if)
image/image.go
Outdated
| return err | ||
| } | ||
| } | ||
|
|
||
| if out != nil { |
There was a problem hiding this comment.
Should we findManifestList first and if manifest_list exists, then extract the manifest from the manifest_list and then validate the manifest?
I +1 with @wking 's proposal
I'd rather land opencontainers/image-spec#403 and use:
Get an initial descriptor.
Fetch the object referenced by the descriptor.
Run the appropriate intra-blob validation on it (opencontainers/image-spec#403).
For any children referenced from the blob, recurse to (2).
zhouhao3
force-pushed
the
test-mlist
branch
5 times, most recently
from
17713f4
to
d38a4ba
Compare
There was a problem hiding this comment.
You need to fix the exist test:
createRefFileneeds to point to the manifest list- add a
createManifestlistFileto add a manifest list blob which contains the manifest.
image/image.go
Outdated
| @@ -87,6 +87,16 @@ func validate(w walker, refs []string, out *log.Logger) error { | |||
| if err := m.validate(w); err != nil { | |||
| return err | |||
| } | |||
|
|
|||
| ml, err := findManifestList(w, d) | |||
There was a problem hiding this comment.
This seems not correct, findManifestList(w, d) here just assume the d is a manifest list, but actually, d could be manifest or manifest list. This is why the test failed.
--- FAIL: TestValidateLayout (0.03s)
image_test.go:175: blobs/sha256/3b6be0edf862ac9e6e790fb010cf26770d9ab266f3ff81b5b82f0cf8d6f7d1a6: manifestlist validation failed: [manifests: manifests is required]
I think we should check the d after d.validate(w, validRefMediaTypes), if it is a manifest, then go to findManifest, if it is a manifest list, then go to findManifestList
There was a problem hiding this comment.
Nice,I will do that.Thank you for your suggestion.
zhouhao3
force-pushed
the
test-mlist
branch
3 times, most recently
from
77f3953
to
052ade8
Compare
|
test failed |
zhouhao3
force-pushed
the
test-mlist
branch
2 times, most recently
from
a622eaf
to
428027f
Compare
|
@vbatts @coolljt0725 @cyphar @xiekeyang @stevvooe @jonboulle I updated test file, PTAL. |
cmd/oci-image-tool/create.go
Outdated
| @@ -95,5 +97,9 @@ var createCommand = cli.Command{ | |||
| Value: "rootfs", | |||
| Usage: "A directory representing the root filesystem of the container in the OCI runtime bundle. It is strongly recommended to keep the default value.", | |||
| }, | |||
| cli.StringSliceFlag{ | |||
| Name: "platform", | |||
| Usage: "The platform contains os and arch. Filter manifests according to the conditions provided. Only applicable if reftype is index.", | |||
There was a problem hiding this comment.
I still don't know how to use this from this description. Is there an example?
| @@ -20,6 +20,11 @@ oci-image-tool unpack \- Unpack an image or image source layout | |||
| **--type**="" | |||
| Type of the file to unpack. If unset, oci-image-tool will try to auto-detect the type. One of "imageLayout,image" | |||
|
|
|||
| **--platform**="" | |||
| Specify the os and architecture of the manifest, format is OS:Architecture. | |||
| e.g. --platform linux:amd64 | |||
There was a problem hiding this comment.
@stevvooe I have modified the introduction of information and added examples. PTAL
|
reping @opencontainers/image-tools-maintainers |
|
Just to make sure, if I want to validate an entire image with |
image/image.go
Outdated
| return manifests, nil | ||
| } | ||
|
|
||
| if len(platform) != 2 { |
There was a problem hiding this comment.
Either this should be checked far earlier (when you do the splitting) or you should only split it here. I would prefer if you just passed the string down to filterManifest and then you verify the arguments here.
There was a problem hiding this comment.
updated.Thanks for your advice.
Yes.
Yes, just to filter the manifest in certain circumstances. |
|
LGTM, thanks. |
|
LGTM It is OK from my side, PTAL from others. |
|
If someone else has no objection, I will merge it tomorrow. |
Signed-off-by: zhouhao <zhouhao@cn.fujitsu.com>
Signed-off-by: zhouhao <zhouhao@cn.fujitsu.com>
Signed-off-by: zhouhao <zhouhao@cn.fujitsu.com>
|
@cyphar @xiekeyang @coolljt0725 rebased, PTAL, thanks |
|
reping @vbatts @coolljt0725 @xiekeyang @cyphar @stevvooe PTAL |
|
LGTM |
|
LGTM. |
LGTMs: @cyphar @xiekeyang Closes #51
if the ManifestList exists, it needs to be validated
Signed-off-by: zhouhao zhouhao@cn.fujitsu.com