Q: easier way to grab/read a layer? #1150

Closed
06kellyjac opened this issue Oct 18, 2021 · 4 comments · Fixed by #1203

06kellyjac commented Oct 18, 2021

Related #1011

If I want to read provenance from an .att image pushed by Tekton Chains, I currently have to do the following:

$ crane pull my/image:some-tag tmp.tar.gz
$ tar xvf tmp.tar.gz
sha256:19648729e40a4e798b7a61d30901430d5808a53b0621be36d7f6f9a2fd0ec540
e2307fd561d470611ad337485f0c53b7b8b79473005508788a6c5a9d40faf563.tar.gz
manifest.json
$ mv e2307fd561d470611ad337485f0c53b7b8b79473005508788a6c5a9d40faf563.tar.gz my-provenance.json
$ cat my-provenance.json | jq

I can shorten this and write a script etc but is there a better way to just grab e2307fd561d470611ad337485f0c53b7b8b79473005508788a6c5a9d40faf563.tar.gz (or the contents) in the first place?


This is a function I've written

# takes an image
getAtt() { crane pull "$1" /dev/stdout | tar xfO /dev/stdin "$(crane manifest "$1" | jq -r '.layers[0].digest' | cut -d':' -f2).tar.gz"; }
@imjasonh
Collaborator

Does crane blob help here?

Here's something that's kinda gross:

REPO=gcr.io/imjasonh
IMAGE=my/image@sha256:abc...
crane blob $REPO@$(
  crane manifest $(
    cosign triangulate $REPO/$IMAGE) | jq -r '.layers[0].digest')

So this uses cosign triangulate to get the associated image ref (in this case .sig), then crane manifest to get that image's manifest, and extract the single layer's blob, then crane blob to get that blob data.

@jonjohnsonjr
Collaborator

Does the image always have a single layer?

@06kellyjac
Author

As far as I know, yeah. I could adapt the script/function to dump all layers though.

@jonjohnsonjr
Collaborator

As you mentioned, we could address some of this as part of #1011 by actually inspecting the layer media types rather than assuming tarballs.

IMO a reasonable heuristic would be:

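if len(layers) == 1 {
  // Single non-tarball layer: stream its contents straight to w.
  if !isTar(layers[0].MediaType) {
    rc, err := layers[0].Uncompressed()
    if err != nil {
      return err
    }
    defer rc.Close()
    // Copy from the layer reader opened above; reuse err rather than redeclaring it.
    _, err = io.Copy(w, rc)
    return err
  }
}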

For images with a single, non-tarball layer, it makes sense to me to just write out the layer contents to stdout with crane export:

$ crane export my/image:some-tag 

I'm not sure how that would work with multiple layers -- you'd need something like your or jason's script.

Another approach might be to add a flag to crane export that controls the reduction method. Right now that's hardcoded to be tarball flattening (as per OCI file changesets), but it might be reasonable to do something like crane export --reduce cat that just concatenates everything. This might work for stuff like newline delimited json?
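
The media-type heuristic from this thread, as an added stand-alone example (not go-containerregistry code and not written by anyone in the thread): it refuses to guess at `layers[0]` unless the manifest has exactly one non-tarball layer, and goes slightly beyond the thread by comparing the fetched bytes against the manifest digest. The substring-based `isTar`, the `layer` type, the sample manifest and its media type are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// layer mirrors only the OCI descriptor fields this example needs.
type layer struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}

// isTar is a hypothetical stand-in for the helper named in the thread.
func isTar(mediaType string) bool { return strings.Contains(mediaType, ".tar") }

// singleRawLayer returns the only layer if it is not a tarball, else an error.
func singleRawLayer(manifestJSON []byte) (layer, error) {
	var m struct {
		Layers []layer `json:"layers"`
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return layer{}, fmt.Errorf("parse manifest: %w", err)
	}
	if len(m.Layers) != 1 {
		return layer{}, fmt.Errorf("want 1 layer, got %d", len(m.Layers))
	}
	if isTar(m.Layers[0].MediaType) {
		return layer{}, errors.New("tarball layer: " + m.Layers[0].MediaType)
	}
	return m.Layers[0], nil
}

// digestOf formats the sha256 of blob the way manifests record it.
func digestOf(blob []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(blob)) }

// sampleManifest builds a constructed one-layer manifest describing blob.
func sampleManifest(mediaType string, blob []byte) []byte {
	return []byte(fmt.Sprintf(`{"layers":[{"mediaType":%q,"digest":%q}]}`, mediaType, digestOf(blob)))
}

func main() {
	blob := []byte(`{"constructed":"sample attestation"}`)
	l, err := singleRawLayer(sampleManifest("application/vnd.dsse.envelope.v1+json", blob))
	fmt.Println(l.Digest, err, l.Digest == digestOf(blob)) // digest check guards the fetched bytes
}
```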
