260 lines
7.4 KiB
Go
260 lines
7.4 KiB
Go
/*
|
|
Copyright The containerd Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package bindir
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/containerd/containerd/v2/internal/tomlext"
|
|
"github.com/containerd/containerd/v2/pkg/imageverifier"
|
|
"github.com/containerd/log"
|
|
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
|
|
)
|
|
|
|
const outputLimitBytes = 1 << 15 // 32 KiB
|
|
|
|
type Config struct {
|
|
BinDir string `toml:"bin_dir"`
|
|
MaxVerifiers int `toml:"max_verifiers"`
|
|
PerVerifierTimeout tomlext.Duration `toml:"per_verifier_timeout"`
|
|
}
|
|
|
|
type ImageVerifier struct {
|
|
config *Config
|
|
}
|
|
|
|
var _ imageverifier.ImageVerifier = (*ImageVerifier)(nil)
|
|
|
|
func NewImageVerifier(c *Config) *ImageVerifier {
|
|
return &ImageVerifier{
|
|
config: c,
|
|
}
|
|
}
|
|
|
|
func (v *ImageVerifier) VerifyImage(ctx context.Context, name string, desc ocispec.Descriptor) (*imageverifier.Judgement, error) {
|
|
// os.ReadDir sorts entries by name.
|
|
entries, err := os.ReadDir(v.config.BinDir)
|
|
if err != nil {
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
return &imageverifier.Judgement{
|
|
OK: true,
|
|
Reason: fmt.Sprintf("image verifier directory %v does not exist", v.config.BinDir),
|
|
}, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("failed to list directory contents: %w", err)
|
|
}
|
|
|
|
if len(entries) == 0 {
|
|
return &imageverifier.Judgement{
|
|
OK: true,
|
|
Reason: fmt.Sprintf("no image verifier binaries found in %v", v.config.BinDir),
|
|
}, nil
|
|
}
|
|
|
|
reason := &strings.Builder{}
|
|
for i, entry := range entries {
|
|
if (i+1) > v.config.MaxVerifiers && v.config.MaxVerifiers >= 0 {
|
|
log.G(ctx).Warnf("image verifiers are being skipped since directory %v has %v entries, more than configured max of %v verifiers", v.config.BinDir, len(entries), v.config.MaxVerifiers)
|
|
break
|
|
}
|
|
|
|
bin := entry.Name()
|
|
start := time.Now()
|
|
exitCode, vr, err := v.runVerifier(ctx, bin, name, desc)
|
|
runtime := time.Since(start)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to call verifier %v (runtime %v): %w", bin, runtime, err)
|
|
}
|
|
|
|
if exitCode != 0 {
|
|
return &imageverifier.Judgement{
|
|
OK: false,
|
|
Reason: fmt.Sprintf("verifier %v rejected image (exit code %v): %v", bin, exitCode, vr),
|
|
}, nil
|
|
}
|
|
|
|
if i > 0 {
|
|
reason.WriteString(", ")
|
|
}
|
|
reason.WriteString(fmt.Sprintf("%v => %v", bin, vr))
|
|
}
|
|
|
|
return &imageverifier.Judgement{
|
|
OK: true,
|
|
Reason: reason.String(),
|
|
}, nil
|
|
}
|
|
|
|
func (v *ImageVerifier) runVerifier(ctx context.Context, bin string, imageName string, desc ocispec.Descriptor) (exitCode int, reason string, err error) {
|
|
ctx, cancel := context.WithTimeout(ctx, tomlext.ToStdTime(v.config.PerVerifierTimeout))
|
|
defer cancel()
|
|
|
|
binPath := filepath.Join(v.config.BinDir, bin)
|
|
args := []string{
|
|
"-name", imageName,
|
|
"-digest", desc.Digest.String(),
|
|
"-stdin-media-type", ocispec.MediaTypeDescriptor,
|
|
}
|
|
|
|
cmd := exec.CommandContext(ctx, binPath, args...)
|
|
|
|
// We construct our own pipes instead of using the default StdinPipe,
|
|
// StoutPipe, and StderrPipe in order to set timeouts on reads and writes.
|
|
stdinRead, stdinWrite, err := os.Pipe()
|
|
if err != nil {
|
|
return -1, "", err
|
|
}
|
|
cmd.Stdin = stdinRead
|
|
defer stdinRead.Close()
|
|
defer stdinWrite.Close()
|
|
|
|
stdoutRead, stdoutWrite, err := os.Pipe()
|
|
if err != nil {
|
|
return -1, "", err
|
|
}
|
|
cmd.Stdout = stdoutWrite
|
|
defer stdoutRead.Close()
|
|
defer stdoutWrite.Close()
|
|
|
|
stderrRead, stderrWrite, err := os.Pipe()
|
|
if err != nil {
|
|
return -1, "", err
|
|
}
|
|
cmd.Stderr = stderrWrite
|
|
defer stderrRead.Close()
|
|
defer stderrWrite.Close()
|
|
|
|
// Close parent ends of pipes on timeout. Without this, I/O may hang in the
|
|
// parent process.
|
|
if d, ok := ctx.Deadline(); ok {
|
|
stdinWrite.SetDeadline(d)
|
|
stdoutRead.SetDeadline(d)
|
|
stderrRead.SetDeadline(d)
|
|
}
|
|
|
|
// Finish configuring, and then fork & exec the child process.
|
|
p, err := startProcess(ctx, cmd)
|
|
if err != nil {
|
|
return -1, "", err
|
|
}
|
|
defer p.cleanup(ctx)
|
|
|
|
// Close the child ends of the pipes in the parent process.
|
|
stdinRead.Close()
|
|
stdoutWrite.Close()
|
|
stderrWrite.Close()
|
|
|
|
// Write the descriptor to stdin.
|
|
go func() {
|
|
// Descriptors are usually small enough to fit in a pipe buffer (which is
|
|
// often 64 KiB on Linux) so this write usually won't block on the child
|
|
// process reading stdin. However, synchronously writing to stdin may cause
|
|
// the parent to block if the descriptor is larger than the pipe buffer and
|
|
// the child process doesn't read stdin. Therefore, we write to stdin
|
|
// asynchronously, limited by the stdinWrite deadline set above.
|
|
err := json.NewEncoder(stdinWrite).Encode(desc)
|
|
if err != nil {
|
|
// This may error out with a "broken pipe" error if the descriptor is
|
|
// larger than the pipe buffer and the child process does not read all
|
|
// of stdin.
|
|
log.G(ctx).WithError(err).Warn("failed to completely write descriptor to stdin")
|
|
}
|
|
stdinWrite.Close()
|
|
}()
|
|
|
|
// Pipe verifier stderr lines to debug logs.
|
|
stderrLog := log.G(ctx).Logger.WithFields(log.Fields{
|
|
"image_verifier": bin,
|
|
"stream": "stderr",
|
|
})
|
|
stderrLogDone := make(chan struct{})
|
|
go func() {
|
|
defer close(stderrLogDone)
|
|
defer stderrRead.Close()
|
|
lr := &io.LimitedReader{
|
|
R: stderrRead,
|
|
N: outputLimitBytes,
|
|
}
|
|
|
|
s := bufio.NewScanner(lr)
|
|
for s.Scan() {
|
|
stderrLog.Debug(s.Text())
|
|
}
|
|
if err := s.Err(); err != nil {
|
|
stderrLog.WithError(err).Debug("error logging image verifier stderr")
|
|
}
|
|
|
|
if lr.N == 0 {
|
|
// Peek ahead to see if stderr reader was truncated.
|
|
b := make([]byte, 1)
|
|
if n, _ := stderrRead.Read(b); n > 0 {
|
|
stderrLog.Debug("(previous logs may be truncated)")
|
|
}
|
|
}
|
|
|
|
// Discard the truncated part of stderr. Doing this rather than closing the
|
|
// reader avoids broken pipe errors. This is bounded by the stderrRead
|
|
// deadline.
|
|
if _, err := io.Copy(io.Discard, stderrRead); err != nil {
|
|
log.G(ctx).WithError(err).Error("error flushing stderr")
|
|
}
|
|
}()
|
|
|
|
stdout, err := io.ReadAll(io.LimitReader(stdoutRead, outputLimitBytes))
|
|
if err != nil {
|
|
log.G(ctx).WithError(err).Error("error reading stdout")
|
|
} else {
|
|
m := strings.Builder{}
|
|
m.WriteString(strings.TrimSpace(string(stdout)))
|
|
// Peek ahead to see if stdout is truncated.
|
|
b := make([]byte, 1)
|
|
if n, _ := stdoutRead.Read(b); n > 0 {
|
|
m.WriteString("(stdout truncated)")
|
|
}
|
|
reason = m.String()
|
|
}
|
|
|
|
// Discard the truncated part of stdout. Doing this rather than closing the
|
|
// reader avoids broken pipe errors. This is bounded by the stdoutRead
|
|
// deadline.
|
|
if _, err := io.Copy(io.Discard, stdoutRead); err != nil {
|
|
log.G(ctx).WithError(err).Error("error flushing stdout")
|
|
}
|
|
stdoutRead.Close()
|
|
|
|
<-stderrLogDone
|
|
if err := cmd.Wait(); err != nil {
|
|
if ee := (&exec.ExitError{}); errors.As(err, &ee) && ee.ProcessState.Exited() {
|
|
return ee.ProcessState.ExitCode(), reason, nil
|
|
}
|
|
return -1, "", fmt.Errorf("waiting on command to exit: %v", err)
|
|
}
|
|
|
|
return cmd.ProcessState.ExitCode(), reason, nil
|
|
}
|