From df4d905a6f0d9e74a0aff2514030c343d56ba86d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Fri, 31 Jan 2025 16:32:44 +0100
Subject: [PATCH 1/2] core/images: Ignore attestations when traversing children
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before this patch, calling `image.Children` on an image built with BuildKit would produce unnecessary `encountered unknown type application/vnd.in-toto+json; children may not be fetched` debug logs, because the media type is neither a known layer or config type. Make the `image.Children` aware of the attestation layers and don't attempt to traverse them.

Signed-off-by: Paweł Gronowski
---
 core/images/image.go | 4 ++--
 core/images/mediatypes.go | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/core/images/image.go b/core/images/image.go
index 6bc106aac..9fcce9b4e 100644
--- a/core/images/image.go
+++ b/core/images/image.go
@@ -369,8 +369,8 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 }
 return append([]ocispec.Descriptor{}, index.Manifests...), nil
- } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) {
- // Layers and configs are childless data types and should not be logged.
+ } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) && !IsAttestationType(desc.MediaType) {
+ // Layers, configs, and attestations are childless data types and should not be logged.
 log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)
 }
 return nil, nil
diff --git a/core/images/mediatypes.go b/core/images/mediatypes.go
index d2e845b16..0c8600d86 100644
--- a/core/images/mediatypes.go
+++ b/core/images/mediatypes.go
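Review bot: In core/images/image.go, the `Debugf` call that stays in this branch of `Children` formats `desc.MediaType` with `%v`, and the media type is taken from the descriptor being walked, which for a pulled image presumably originates from a remote manifest. With the in-toto type filtered out, whatever still reaches this line is unexpected input, so I would quote it: `log.G(ctx).Debugf("encountered unknown type %q; children may not be fetched", desc.MediaType)`. The `Warnf("reference for unknown type: %s", ...)` default case of `MakeRefKey` in core/remotes/handlers.go (patch 2/2) has the same shape. `Children` begins and ends outside this hunk.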
@@ -58,6 +58,9 @@ const (
 MediaTypeImageLayerEncrypted = ocispec.MediaTypeImageLayer + "+encrypted"
 MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
+
+ // In-toto attestation
+ MediaTypeInToto = "application/vnd.in-toto+json"
 )
 // DiffCompression returns the compression as defined by the layer diff media
@@ -193,6 +196,16 @@ func IsKnownConfig(mt string) bool {
 return false
 }
+// IsAttestationType returns true if the media type is an attestation type
+func IsAttestationType(mt string) bool {
+ switch mt {
+ case MediaTypeInToto:
+ return true
+ default:
+ return false
+ }
+}
+
 // ChildGCLabels returns the label for a given descriptor to reference it
 func ChildGCLabels(desc ocispec.Descriptor) []string {
 mt := desc.MediaType
From 916d4872262eed04fb6626183c2306320d14e965 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Fri, 31 Jan 2025 16:39:43 +0100
Subject: [PATCH 2/2] core/remotes: Handle attestations in MakeRefKey
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don't produce `reference for unknown type: application/vnd.in-toto+json` warning logs when pushing/fetching an image containing the attestation manifests.

Signed-off-by: Paweł Gronowski
---
 core/remotes/handlers.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/remotes/handlers.go b/core/remotes/handlers.go
index 16fcdbf84..a3e1ff984 100644
--- a/core/remotes/handlers.go
+++ b/core/remotes/handlers.go
@@ -80,6 +80,8 @@ func MakeRefKey(ctx context.Context, desc ocispec.Descriptor) string {
 return "layer-" + key
 case images.IsKnownConfig(desc.MediaType):
 return "config-" + key
+ case images.IsAttestationType(desc.MediaType):
+ return "attestation-" + key
 default:
 log.G(ctx).Warnf("reference for unknown type: %s", desc.MediaType)
 return "unknown-" + key
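Review bot: `IsAttestationType` has a general name but matches only the exact string `MediaTypeInToto`, and the doc comment does not say that. Any other attestation media type, or the same type with different casing or parameters, still falls through to the unknown-type paths in `Children` and `MakeRefKey`; that may be intended, but a caller cannot tell from the comment. Suggested comment: `// IsAttestationType reports whether mt is a recognized attestation media type. Only MediaTypeInToto is recognized and the comparison is exact.` The constant added in the first hunk of this file would also read better with a doc comment that names it, e.g. `// MediaTypeInToto is the media type of in-toto attestation blobs.`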
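Review bot: The new `case` in `MakeRefKey` changes the key for these descriptors from `"unknown-" + key` to `"attestation-" + key`, and nothing in the hunk records that a new prefix now exists. If any consumer matches on ref-key prefixes (for example to group or display in-flight ingests), it will not recognize `attestation-`; that is not visible from here and is worth a search before merging. The function's doc comment lies outside this hunk and should list the attestation case; a short why-comment on the branch would also help, e.g. `// in-toto attestation blobs get their own prefix instead of the unknown-type warning`. A test case feeding a `MediaTypeInToto` descriptor would pin the prefix.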