models

package
v0.0.0-...-11bd816 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 29, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var (
	RepoNameRx          = `[a-z0-9]+(?:[._-][a-z0-9]+)*`
	RepoPathRx          = regexp.MustCompile(`^` + RepoNameRx + `(?:/` + RepoNameRx + `)*$`)
	RepoPathComponentRx = regexp.MustCompile(`^` + RepoNameRx + `$`)
)
var (
	RepoNameWithLeadingSlash   = "(?:/" + RepoNameRx + ")+"
	RepoNameWithLeadingSlashRx = regexp.MustCompile(`^` + RepoNameWithLeadingSlash + `$`)
)

The "with leading slash" simplifies the regex because we don't need to write the regex for a path element twice.

Examples:
- /library/alpine
- /library/alpine:nonsense

var ImageReferenceRx = regexp.MustCompile(`^(` + RepoNameWithLeadingSlash + `)(?::([a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}))?(?:@(sha256:[a-z0-9]{64}))?$`)

ImageReferenceRx is used to match a repo/account and an optional tag and digest combination.

Examples:
- /library/alpine
- /library/alpine:nonsense
- /library/alpine:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
- /library/alpine@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
- /library/alpine:nonsense@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
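
What ImageReferenceRx captures and what it rejects, shown on constructed inputs. This is an added example, not code from the package: the pattern strings are copied from the declarations above, while `splitReference` and the sample inputs are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern strings copied from the variable declarations on this page.
const (
	repoNameRx               = `[a-z0-9]+(?:[._-][a-z0-9]+)*`
	repoNameWithLeadingSlash = "(?:/" + repoNameRx + ")+"
)

var imageReferenceRx = regexp.MustCompile(`^(` + repoNameWithLeadingSlash +
	`)(?::([a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}))?(?:@(sha256:[a-z0-9]{64}))?$`)

// splitReference is a hypothetical helper for this example. It returns the
// repository path, tag and digest captured by the pattern; ok is false when
// the input is rejected.
func splitReference(input string) (repo, tag, digest string, ok bool) {
	m := imageReferenceRx.FindStringSubmatch(input)
	if m == nil {
		return "", "", "", false
	}
	return m[1], m[2], m[3], true
}

func main() {
	hex := "e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef"
	inputs := []string{ // constructed sample inputs
		"/library/alpine:nonsense@sha256:" + hex, // all three parts present
		"/library/alpine:" + hex,                 // 64 hex chars after ":" are a tag
		"/library/../alpine",                     // ".." is not a valid path component
		"/Library/alpine",                        // uppercase is rejected
		"library/alpine",                         // leading slash is required
		"/library/alpine\n",                      // "$" does not ignore a trailing newline
		"/library/alpine:" + strings.Repeat("a", 129),       // tag longer than 128
		"/library/alpine@sha256:" + strings.Repeat("z", 64), // matches, yet not hex
	}
	for _, in := range inputs {
		repo, tag, digest, ok := splitReference(in)
		fmt.Printf("ok=%-5t repo=%q tag=%q digest=%q\n", ok, repo, tag, digest)
	}
}
```

The last input shows that the pattern only checks the shape of a digest (`[a-z0-9]{64}` also admits non-hex letters), so a match is not digest validation.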

Functions

func IsAccountName

func IsAccountName(input string) bool

IsAccountName returns whether the given string is a well-formed account name. This does not check whether the account actually exists in the DB.

Types

type Account

type Account struct {
	Name         string `db:"name"`
	AuthTenantID string `db:"auth_tenant_id"`

	// UpstreamPeerHostName is set if and only if the "on_first_use" replication strategy is used.
	UpstreamPeerHostName string `db:"upstream_peer_hostname"`
	// ExternalPeerURL, ExternalPeerUserName and ExternalPeerPassword are set if
	// and only if the "from_external_on_first_use" replication strategy is used.
	ExternalPeerURL      string `db:"external_peer_url"`
	ExternalPeerUserName string `db:"external_peer_username"`
	ExternalPeerPassword string `db:"external_peer_password"`
	// PlatformFilter restricts which submanifests get replicated when a list manifest is replicated.
	PlatformFilter PlatformFilter `db:"platform_filter"`

	// RequiredLabels is a comma-separated list of labels that must be present on
	// all image manifests in this account.
	RequiredLabels string `db:"required_labels"`
	// InMaintenance indicates whether the account is in maintenance mode (as defined in the API spec).
	InMaintenance bool `db:"in_maintenance"`

	// MetadataJSON contains a JSON string of a map[string]string, or the empty string.
	MetadataJSON string `db:"metadata_json"`
	// RBACPoliciesJSON contains a JSON string of []keppel.RBACPolicy, or the empty string.
	RBACPoliciesJSON string `db:"rbac_policies_json"`
	// GCPoliciesJSON contains a JSON string of []keppel.GCPolicy, or the empty string.
	GCPoliciesJSON string `db:"gc_policies_json"`
	// SecurityScanPoliciesJSON contains a JSON string of []keppel.SecurityScanPolicy, or the empty string.
	SecurityScanPoliciesJSON string `db:"security_scan_policies_json"`

	NextBlobSweepedAt            *time.Time `db:"next_blob_sweep_at"`              // see tasks.BlobSweepJob
	NextStorageSweepedAt         *time.Time `db:"next_storage_sweep_at"`           // see tasks.StorageSweepJob
	NextFederationAnnouncementAt *time.Time `db:"next_federation_announcement_at"` // see tasks.AnnounceAccountToFederationJob
}

Account contains a record from the `accounts` table.

func (Account) SplitRequiredLabels

func (a Account) SplitRequiredLabels() []string

SplitRequiredLabels parses the RequiredLabels field.

func (Account) SwiftContainerName

func (a Account) SwiftContainerName() string

SwiftContainerName returns the name of the Swift container backing this Keppel account.

type Blob

type Blob struct {
	ID                     int64         `db:"id"`
	AccountName            string        `db:"account_name"`
	Digest                 digest.Digest `db:"digest"`
	SizeBytes              uint64        `db:"size_bytes"`
	StorageID              string        `db:"storage_id"`
	MediaType              string        `db:"media_type"`
	PushedAt               time.Time     `db:"pushed_at"`
	ValidatedAt            time.Time     `db:"validated_at"` // see tasks.BlobValidationJob
	ValidationErrorMessage string        `db:"validation_error_message"`
	CanBeDeletedAt         *time.Time    `db:"can_be_deleted_at"` // see tasks.BlobSweepJob
	BlocksVulnScanning     *bool         `db:"blocks_vuln_scanning"`
}

Blob contains a record from the `blobs` table.

In the `blobs` table, blobs are only bound to an account. This makes cross-repo blob mounts cheap and easy to implement. The actual connection to repos is in the `blob_mounts` table.

StorageID is used to construct the filename (or equivalent) for this blob in the StorageDriver. We cannot use the digest for this since the StorageID needs to be chosen at the start of the blob upload, when the digest is not known yet.

func (Blob) SafeMediaType

func (b Blob) SafeMediaType() string

SafeMediaType returns the MediaType field, but falls back to "application/octet-stream" if it is empty.

type ImageReference

type ImageReference struct {
	Host      string // either a plain hostname or a host:port like "example.org:443"
	RepoName  string
	Reference ManifestReference
}

ImageReference refers to an image that can be pulled from a registry.

func ParseImageReference

func ParseImageReference(input string) (ImageReference, string, error)

ParseImageReference parses an image reference string like "registry.example.org/alpine:3.9" into an ImageReference struct. Both on success and on error, an additional string is returned indicating how the input was interpreted (e.g. which defaults were inferred). This can be shown to the user to help them understand how the reference was parsed.

func (ImageReference) String

func (r ImageReference) String() string

String returns the most compact string representation of this reference.

type Manifest

type Manifest struct {
	RepositoryID           int64         `db:"repo_id"`
	Digest                 digest.Digest `db:"digest"`
	MediaType              string        `db:"media_type"`
	SizeBytes              uint64        `db:"size_bytes"`
	PushedAt               time.Time     `db:"pushed_at"`
	ValidatedAt            time.Time     `db:"validated_at"` // see tasks.ManifestValidationJob
	ValidationErrorMessage string        `db:"validation_error_message"`
	LastPulledAt           *time.Time    `db:"last_pulled_at"`
	// LabelsJSON contains a JSON string of a map[string]string, or an empty string.
	LabelsJSON string `db:"labels_json"`
	// GCStatusJSON contains a keppel.GCStatus serialized into JSON, or an empty
	// string if GC has not seen this manifest yet.
	GCStatusJSON      string     `db:"gc_status_json"`
	MinLayerCreatedAt *time.Time `db:"min_layer_created_at"`
	MaxLayerCreatedAt *time.Time `db:"max_layer_created_at"`
}

Manifest contains a record from the `manifests` table.

type ManifestContent

type ManifestContent struct {
	RepositoryID int64  `db:"repo_id"`
	Digest       string `db:"digest"`
	Content      []byte `db:"content"`
}

ManifestContent contains a record from the `manifest_contents` table.

type ManifestReference

type ManifestReference struct {
	Digest digest.Digest
	Tag    string
}

ManifestReference is a reference to a manifest as encountered in a URL on the Registry v2 API. Exactly one of the members will be non-empty.

func ParseManifestReference

func ParseManifestReference(reference string) ManifestReference

ParseManifestReference parses a manifest reference. If `reference` parses as a digest, it will be interpreted as a digest. Otherwise it will be interpreted as a tag name.

func (ManifestReference) IsDigest

func (r ManifestReference) IsDigest() bool

IsDigest returns whether this reference is to a specific digest, rather than to a tag.

func (ManifestReference) IsTag

func (r ManifestReference) IsTag() bool

IsTag returns whether this reference is to a tag, rather than to a specific digest.

func (ManifestReference) String

func (r ManifestReference) String() string

String returns the original string representation of this reference.

type Peer

type Peer struct {
	HostName string `db:"hostname"`

	// OurPassword is what we use to log in at the peer.
	OurPassword string `db:"our_password"`

	// TheirCurrentPasswordHash and TheirPreviousPasswordHash is what the peer
	// uses to log in with us. Passwords are rotated hourly. We allow access with
	// the current *and* the previous password to avoid a race where we enter the
	// new password in the database and then reject authentication attempts from
	// the peer before we told them about the new password.
	TheirCurrentPasswordHash  string `db:"their_current_password_hash"`
	TheirPreviousPasswordHash string `db:"their_previous_password_hash"`

	// LastPeeredAt is when we last issued a new password for this peer.
	LastPeeredAt *time.Time `db:"last_peered_at"` // see tasks.IssueNewPasswordForPeer
}

Peer contains a record from the `peers` table.

type PendingBlob

type PendingBlob struct {
	AccountName  string        `db:"account_name"`
	Digest       digest.Digest `db:"digest"`
	Reason       PendingReason `db:"reason"`
	PendingSince time.Time     `db:"since"`
}

PendingBlob contains a record from the `pending_blobs` table.

type PendingReason

type PendingReason string

PendingReason is an enum that explains why a blob is pending.

const (
	// PendingBecauseOfReplication is when a blob is pending because
	// it is currently being replicated from an upstream registry.
	PendingBecauseOfReplication PendingReason = "replication"
)

type PlatformFilter

type PlatformFilter []manifestlist.PlatformSpec

PlatformFilter appears in type Account. For replica accounts, it restricts which submanifests get replicated when a list manifest is replicated.

func (PlatformFilter) Includes

func (f PlatformFilter) Includes(platform manifestlist.PlatformSpec) bool

Includes checks whether the given platform is included in this filter.

func (PlatformFilter) IsEqualTo

func (f PlatformFilter) IsEqualTo(other PlatformFilter) bool

IsEqualTo checks whether both filters are equal.

func (*PlatformFilter) Scan

func (f *PlatformFilter) Scan(src any) error

Scan implements the sql.Scanner interface.

func (PlatformFilter) Value

func (f PlatformFilter) Value() (driver.Value, error)

Value implements the driver.Valuer interface.

type Quotas

type Quotas struct {
	AuthTenantID  string `db:"auth_tenant_id"`
	ManifestCount uint64 `db:"manifests"`
}

Quotas contains a record from the `quotas` table.

func DefaultQuotas

func DefaultQuotas(authTenantID string) *Quotas

DefaultQuotas creates a new Quotas instance with the default quotas.

type Repository

type Repository struct {
	ID                      int64      `db:"id"`
	AccountName             string     `db:"account_name"`
	Name                    string     `db:"name"`
	NextBlobMountSweepAt    *time.Time `db:"next_blob_mount_sweep_at"` // see tasks.BlobMountSweepJob
	NextManifestSyncAt      *time.Time `db:"next_manifest_sync_at"`    // see tasks.ManifestSyncJob (only set for replica accounts)
	NextGarbageCollectionAt *time.Time `db:"next_gc_at"`               // see tasks.GarbageCollectManifestsJob
}

Repository contains a record from the `repos` table.

func (Repository) FullName

func (r Repository) FullName() string

FullName prepends the account name to the repository name.

type Tag

type Tag struct {
	RepositoryID int64         `db:"repo_id"`
	Name         string        `db:"name"`
	Digest       digest.Digest `db:"digest"`
	PushedAt     time.Time     `db:"pushed_at"`
	LastPulledAt *time.Time    `db:"last_pulled_at"`
}

Tag contains a record from the `tags` table.

type TrivySecurityInfo

type TrivySecurityInfo struct {
	RepositoryID        int64               `db:"repo_id"`
	Digest              digest.Digest       `db:"digest"`
	VulnerabilityStatus VulnerabilityStatus `db:"vuln_status"`
	Message             string              `db:"message"`
	NextCheckAt         time.Time           `db:"next_check_at"` // see tasks.CheckTrivySecurityStatusJob
	CheckedAt           *time.Time          `db:"checked_at"`
	CheckDurationSecs   *float64            `db:"check_duration_secs"`
}

type UnknownBlob

type UnknownBlob struct {
	AccountName    string    `db:"account_name"`
	StorageID      string    `db:"storage_id"`
	CanBeDeletedAt time.Time `db:"can_be_deleted_at"`
}

UnknownBlob contains a record from the `unknown_blobs` table. This is only used by tasks.StorageSweepJob().

type UnknownManifest

type UnknownManifest struct {
	AccountName    string        `db:"account_name"`
	RepositoryName string        `db:"repo_name"`
	Digest         digest.Digest `db:"digest"`
	CanBeDeletedAt time.Time     `db:"can_be_deleted_at"`
}

UnknownManifest contains a record from the `unknown_manifests` table. This is only used by tasks.StorageSweepJob().

NOTE: We don't use repository IDs here because unknown manifests may exist in repositories that are also not known to the database.

type Upload

type Upload struct {
	RepositoryID int64     `db:"repo_id"`
	UUID         string    `db:"uuid"`
	StorageID    string    `db:"storage_id"`
	SizeBytes    uint64    `db:"size_bytes"`
	Digest       string    `db:"digest"`
	NumChunks    uint32    `db:"num_chunks"`
	UpdatedAt    time.Time `db:"updated_at"`
}

Upload contains a record from the `uploads` table.

Digest contains the SHA256 digest of everything that has been uploaded so far. This is used to validate that we're resuming at the right position in the next PUT/PATCH.

type VulnerabilityStatus

type VulnerabilityStatus string

VulnerabilityStatus enumerates the possible values for a manifest's vulnerability status.

const (
	// ErrorVulnerabilityStatus is a VulnerabilityStatus that indicates that vulnerability scanning failed.
	ErrorVulnerabilityStatus VulnerabilityStatus = "Error"
	// PendingVulnerabilityStatus is a VulnerabilityStatus which means that we're not done scanning vulnerabilities yet.
	PendingVulnerabilityStatus VulnerabilityStatus = "Pending"
	// UnsupportedVulnerabilityStatus is a VulnerabilityStatus which means that we don't support scanning this manifest.
	UnsupportedVulnerabilityStatus VulnerabilityStatus = "Unsupported"
	// CleanSeverity is a VulnerabilityStatus which means that there are no vulnerabilities.
	CleanSeverity VulnerabilityStatus = "Clean"
	// UnknownSeverity is a VulnerabilityStatus which means that there are vulnerabilities, but their severity is unknown.
	UnknownSeverity VulnerabilityStatus = "Unknown"
	// NegligibleSeverity is a VulnerabilityStatus.
	// LowSeverity is a VulnerabilityStatus.
	LowSeverity VulnerabilityStatus = "Low"
	// MediumSeverity is a VulnerabilityStatus.
	MediumSeverity VulnerabilityStatus = "Medium"
	// HighSeverity is a VulnerabilityStatus.
	HighSeverity VulnerabilityStatus = "High"
	// CriticalSeverity is a VulnerabilityStatus.
	CriticalSeverity VulnerabilityStatus = "Critical"
	// RottenVulnerabilityStatus is a VulnerabilityStatus indicating that vulnerability scan results are incomplete because of EOSL on the base distro.
	RottenVulnerabilityStatus VulnerabilityStatus = "Rotten"
)

func MergeVulnerabilityStatuses

func MergeVulnerabilityStatuses(sevs ...VulnerabilityStatus) VulnerabilityStatus

MergeVulnerabilityStatuses combines multiple VulnerabilityStatus values into one.

* Any ErrorVulnerabilityStatus input results in an ErrorVulnerabilityStatus result.
* Otherwise, any UnsupportedVulnerabilityStatus input results in an UnsupportedVulnerabilityStatus result.
* Otherwise, any PendingVulnerabilityStatus input results in a PendingVulnerabilityStatus result.
* Otherwise, the result is the same as the highest individual severity.
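
The precedence rules above, expressed as a single rank table. This is an added example, not the package's own implementation: `mergeStatuses`, the `rank` table, the order among severities (taken from the order in which the page lists them), the Clean result for an empty input, and the error for values without a documented rank such as "Rotten" are assumptions of the example.

```go
package main

import "fmt"

type VulnerabilityStatus string

// Values copied from the constant block on this page.
const (
	ErrorVulnerabilityStatus       VulnerabilityStatus = "Error"
	PendingVulnerabilityStatus     VulnerabilityStatus = "Pending"
	UnsupportedVulnerabilityStatus VulnerabilityStatus = "Unsupported"
	CleanSeverity                  VulnerabilityStatus = "Clean"
	UnknownSeverity                VulnerabilityStatus = "Unknown"
	LowSeverity                    VulnerabilityStatus = "Low"
	MediumSeverity                 VulnerabilityStatus = "Medium"
	HighSeverity                   VulnerabilityStatus = "High"
	CriticalSeverity               VulnerabilityStatus = "Critical"
	RottenVulnerabilityStatus      VulnerabilityStatus = "Rotten"
)

// rank encodes the four merge rules: the non-severity states outrank every
// severity. The order among severities is an assumption of this example.
var rank = map[VulnerabilityStatus]int{
	CleanSeverity: 0, UnknownSeverity: 1, LowSeverity: 2,
	MediumSeverity: 3, HighSeverity: 4, CriticalSeverity: 5,
	PendingVulnerabilityStatus: 6, UnsupportedVulnerabilityStatus: 7, ErrorVulnerabilityStatus: 8,
}

// mergeStatuses is a hypothetical re-implementation of the documented rules.
// It fails closed on any value that has no rank in the table above.
func mergeStatuses(sevs ...VulnerabilityStatus) (VulnerabilityStatus, error) {
	result := CleanSeverity // assumption: an empty input merges to Clean
	for _, s := range sevs {
		r, ok := rank[s]
		if !ok {
			return "", fmt.Errorf("no documented rank for status %q", s)
		}
		if r > rank[result] {
			result = s
		}
	}
	return result, nil
}

func main() {
	// Constructed input: one submanifest is Critical, another is still being scanned.
	fmt.Println(mergeStatuses(HighSeverity, PendingVulnerabilityStatus, CriticalSeverity))
	fmt.Println(mergeStatuses(RottenVulnerabilityStatus)) // unranked value: error
}
```

Because Pending, Unsupported and Error outrank every severity, a merged result in one of those states does not show that the inputs were free of High or Critical findings.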

func (VulnerabilityStatus) HasReport

func (s VulnerabilityStatus) HasReport() bool

HasReport checks whether a manifest with this VulnerabilityStatus has a vulnerability report available.
