Merge pull request #10007 from Jenkins-J/fsverity-content-verification
Fsverity content verification
@@ -29,6 +29,7 @@ import (
|
||||
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/pkg/filters"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/containerd/log"
|
||||
|
||||
@@ -62,8 +63,9 @@ type LabelStore interface {
|
||||
// Store can generally support multi-reader, single-writer ingest of data,
|
||||
// including resumable ingest.
|
||||
type store struct {
|
||||
root string
|
||||
ls LabelStore
|
||||
root string
|
||||
ls LabelStore
|
||||
integritySupported bool
|
||||
}
|
||||
|
||||
// NewStore returns a local content store
|
||||
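Review bot: The new `integritySupported` field is undocumented, yet it is the single switch that decides whether a committed blob gets fsverity protection, so a reader of this struct should not have to discover that in writer.go. I would add above it `// integritySupported is the result of fsverity.IsSupported(root) taken once at construction; Commit attempts fsverity.Enable on a blob only when it is true.` That also makes explicit that the value is a one-time probe of root rather than a per-blob check.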
@@ -81,9 +83,12 @@ func NewLabeledStore(root string, ls LabelStore) (content.Store, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
supported, _ := fsverity.IsSupported(root)
|
||||
|
||||
return &store{
|
||||
root: root,
|
||||
ls: ls,
|
||||
root: root,
|
||||
ls: ls,
|
||||
integritySupported: supported,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
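Review bot: `supported, _ := fsverity.IsSupported(root)` discards the error, so a failed probe (a root the daemon cannot stat or ioctl, for example) is indistinguishable from a filesystem that genuinely lacks fsverity, and the store silently starts with integrity switched off. Since the feature is opt-in-by-capability, that failure should at least be visible in the logs: `supported, err := fsverity.IsSupported(root)` followed by `if err != nil { log.L.WithError(err).Warnf("fsverity probe failed for content store %s, integrity disabled", root) }` (this file already imports containerd/log; there is no ctx in this function, so the package-level logger seems the only option). If `IsSupported` is documented to return an error only for hard failures, a short comment saying why ignoring it is acceptable would be the minimum. NewLabeledStore's body starts outside the hunk.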
@@ -35,6 +35,7 @@ import (
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/core/content/testsuite"
|
||||
"github.com/containerd/containerd/v2/internal/randutil"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/containerd/v2/pkg/testutil"
|
||||
"github.com/containerd/errdefs"
|
||||
|
||||
@@ -193,6 +194,18 @@ func TestContentWriter(t *testing.T) {
|
||||
t.Fatal("mismatched data written to disk")
|
||||
}
|
||||
|
||||
// ensure fsverity is enabled on blob if fsverity is supported
|
||||
ok, err := fsverity.IsSupported(tmpdir)
|
||||
if !ok || err != nil {
|
||||
t.Log("fsverity not supported, skipping fsverity check")
|
||||
return
|
||||
}
|
||||
|
||||
ok, err = fsverity.IsEnabled(path)
|
||||
if !ok || err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestWalkBlobs(t *testing.T) {
|
||||
|
||||
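Review bot: The `!ok || err != nil` guard on the `IsSupported` result lumps a probe error together with "not supported" and then returns normally, so on a CI host where fsverity is expected a broken probe turns into a silently passing test; `t.Skipf("fsverity not supported on %s: %v", tmpdir, err)` would at least show up as a skip, and a probe error arguably deserves `t.Fatal`. The second check has the mirror problem: when `IsEnabled` returns `ok == false` with a nil error, `t.Fatal(err)` prints `<nil>` and nothing about which blob failed. I would split it into `if err != nil { t.Fatalf("checking fsverity on %s: %v", path, err) }` and `if !ok { t.Fatalf("fsverity not enabled on blob %s", path) }`. TestContentWriter starts outside the hunk.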
@@ -27,6 +27,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/containerd/log"
|
||||
"github.com/opencontainers/go-digest"
|
||||
@@ -137,6 +138,14 @@ func (w *writer) Commit(ctx context.Context, size int64, expected digest.Digest,
|
||||
return err
|
||||
}
|
||||
|
||||
// Enable content blob integrity verification if supported
|
||||
|
||||
if w.s.integritySupported {
|
||||
if err := fsverity.Enable(target); err != nil {
|
||||
log.G(ctx).Warnf("failed to enable integrity for blob %v: %s", target, err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
// Ingest has now been made available in the content store, attempt to complete
|
||||
// setting metadata but errors should only be logged and not returned since
|
||||
// the content store cannot be cleanly rolled back.
|
||||
|
||||
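Review bot: A failed `fsverity.Enable` only produces a warning, so the blob is committed and served exactly like a protected one, and nothing in the store records that integrity was not applied; anything relying on "content verification" cannot tell the two apart. If keeping it best-effort is intentional, the comment above the block should say so explicitly (`// Best-effort: a blob that cannot be sealed stays readable but unverified.`), and the log line should keep the structured error rather than flattening it: `log.G(ctx).WithError(err).Warnf("failed to enable integrity for blob %v", target)`, which is the pattern used elsewhere in containerd. Judging from the `return err` just before, the file appears to already be at its final path when Enable runs, so presumably any writer handle has been closed by then (Enable fails on a file still open for writing) — worth confirming, since Commit's body starts outside the hunk. The stray blank line between the comment and the `if` can also go.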