Add image verifier transfer service plugin system based on a binary directory

Signed-off-by: Ethan Lowman <ethan.lowman@datadoghq.com>

plugins/imageverifier/path_unix.go

@@ -0,0 +1,21 @@
+//go:build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package imageverifier
+
+var defaultPath = "/opt/containerd/image-verifier/bin"

plugins/imageverifier/path_windows.go

@@ -0,0 +1,25 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package imageverifier
+
+import (
+	"path/filepath"
+
+	"github.com/containerd/containerd/defaults"
+)
+
+var defaultPath = filepath.Join(defaults.DefaultRootDir, "opt", "image-verifier", "bin")

plugins/imageverifier/plugin.go

@@ -0,0 +1,45 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package imageverifier
+
+import (
+	"time"
+
+	"github.com/containerd/containerd/pkg/imageverifier/bindir"
+	"github.com/containerd/containerd/plugin"
+)
+
+// Register default image verifier service plugin
+func init() {
+	plugin.Register(&plugin.Registration{
+		Type:   plugin.ImageVerifierPlugin,
+		ID:     "bindir",
+		Config: defaultConfig(),
+		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
+			cfg := ic.Config.(*bindir.Config)
+			return bindir.NewImageVerifier(cfg), nil
+		},
+	})
+}
+
+func defaultConfig() *bindir.Config {
+	return &bindir.Config{
+		BinDir:             defaultPath,
+		MaxVerifiers:       10,
+		PerVerifierTimeout: 10 * time.Second,
+	}
+}

plugins/transfer/plugin.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containerd/containerd/leases"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/metadata"
+	"github.com/containerd/containerd/pkg/imageverifier"
 	"github.com/containerd/containerd/pkg/transfer/local"
 	"github.com/containerd/containerd/pkg/unpack"
 	"github.com/containerd/containerd/platforms"
@@ -45,6 +46,7 @@ func init() {
 			plugin.LeasePlugin,
 			plugin.MetadataPlugin,
 			plugin.DiffPlugin,
+			plugin.ImageVerifierPlugin,
 		},
 		Config: defaultConfig(),
 		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
@@ -59,6 +61,20 @@ func init() {
 				return nil, err
 			}
 
+			vfs := make(map[string]imageverifier.ImageVerifier)
+			vps, err := ic.GetByType(plugin.ImageVerifierPlugin)
+			if err != nil {
+				return nil, err
+			}
+
+			for name, vp := range vps {
+				inst, err := vp.Instance()
+				if err != nil {
+					return nil, err
+				}
+				vfs[name] = inst.(imageverifier.ImageVerifier)
+			}
+
 			// Set configuration based on default or user input
 			var lc local.TransferConfig
 			lc.MaxConcurrentDownloads = config.MaxConcurrentDownloads
@@ -126,7 +142,7 @@ func init() {
 			}
 			lc.RegistryConfigPath = config.RegistryConfigPath
 
-			return local.NewTransferService(l.(leases.Manager), ms.ContentStore(), metadata.NewImageStore(ms), &lc), nil
+			return local.NewTransferService(l.(leases.Manager), ms.ContentStore(), metadata.NewImageStore(ms), vfs, &lc), nil
 		},
 	})
 }