From 9f56f36d205cdb24ad7ae1e41c5e0d7e95fe12dc Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sun, 5 Feb 2023 17:35:44 +0000
Subject: [PATCH 1/4] Add accept headers

---
 docker-mods.v3 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker-mods.v3 b/docker-mods.v3
index 5590019..b9e67a2 100755
--- a/docker-mods.v3
+++ b/docker-mods.v3
@@ -138,6 +138,8 @@ get_blob_sha() {
 --silent \
 --location \
 --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.index.v1+json" \
 --header "Authorization: Bearer $2" \
 "$3" | jq -r '.layers[0].digest'
 else
@@ -145,6 +147,8 @@ get_blob_sha() {
 --silent \
 --location \
 --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.index.v1+json" \
 --header "Authorization: Bearer $2" \
 "$3" | jq -r '.fsLayers[0].blobSum'
 fi
From ebaf7815472bb00164439a016ecdf75ea1aed176 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sun, 5 Feb 2023 17:36:01 +0000
Subject: [PATCH 2/4] Sanity-check tarball before trying to extract

---
 docker-mods.v3 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker-mods.v3 b/docker-mods.v3
index b9e67a2..101676c 100755
--- a/docker-mods.v3
+++ b/docker-mods.v3
@@ -222,6 +222,10 @@ run_mods() {
 "${BLOB_URL}${SHALAYER}" -o \
 /modtarball.tar.xz
 mkdir -p /tmp/mod
+ if ! tar -tzf /modtarball.tar.xz >/dev/null 2>&1; then
+ echo "Invalid tarball, could not download ${DOCKER_MOD}"
+ continue
+ fi
 tar xzf /modtarball.tar.xz -C /tmp/mod
 if [[ -d /tmp/mod/etc/s6-overlay ]]; then
 if [[ -d /tmp/mod/etc/cont-init.d ]]; then
From f7ab76d837ac66877f4218fba95ec05313abd191 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sun, 5 Feb 2023 21:33:26 +0000
Subject: [PATCH 3/4] Support mods with multi-digest layers

---
 docker-mods.v3 | 62 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 54 insertions(+), 8 deletions(-)
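Review bot: In PATCH 1/4, both hunks of get_blob_sha now offer `application/vnd.oci.image.index.v1+json`, but the unchanged jq filters still read `.layers[0].digest` and `.fsLayers[0].blobSum`, and an image index has neither field. When the registry answers with an index, `jq -r` prints the literal string `null` and exits 0, so the caller receives `null` as if it were a digest. Using `jq -er '.layers[0].digest'` (and likewise for the `blobSum` filter) turns a missing field into a non-zero exit that the caller can test. The function body starts and ends outside both hunks.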
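Review bot: In PATCH 2/4, `tar -tzf` only proves that /modtarball.tar.xz parses as a gzip tar archive; it does not show that the bytes are the blob that was requested. The download URL is built from `${SHALAYER}`, which appears to be the layer digest returned by get_blob_sha; assuming it has the form `sha256:<hex>`, the file can be checked against it before extraction, for example `echo "${SHALAYER#sha256:}  /modtarball.tar.xz" | sha256sum -c - >/dev/null 2>&1 || continue`. The failure message belongs on stderr and should not claim a download failure when the archive was fetched but is unreadable. run_mods continues outside the hunk, so whether `continue` skips cleanup of /modtarball.tar.xz and /tmp/mod cannot be seen from here.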
diff --git a/docker-mods.v3 b/docker-mods.v3
index 101676c..d6b4710 100755
--- a/docker-mods.v3
+++ b/docker-mods.v3
@@ -134,23 +134,69 @@ curl_check() {
 # Use different filtering depending on URL
 get_blob_sha() {
 if [[ $1 == "ghcr" ]]; then
- curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ MULTIDIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
 --silent \
 --location \
 --request GET \
 --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
 --header "Accept: application/vnd.oci.image.index.v1+json" \
- --header "Authorization: Bearer $2" \
- "$3" | jq -r '.layers[0].digest'
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${TAG}" | jq -r 'first(.manifests[].digest)?')
+ if [[ -z "${MULTIDIGEST}" ]]; then
+ if DIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ --silent \
+ --location \
+ --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.manifest.v1+json" \
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${TAG}" | grep -v 404); then
+ echo "${DIGEST}" | jq -r '.layers[0].digest';
+ fi
+ else
+ if DIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ --silent \
+ --location \
+ --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.manifest.v1+json" \
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${MULTIDIGEST}" | grep -v 404); then
+ echo "${DIGEST}" | jq -r '.layers[0].digest';
+ fi
+ fi
 else
- curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ MULTIDIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
 --silent \
 --location \
 --request GET \
 --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
 --header "Accept: application/vnd.oci.image.index.v1+json" \
- --header "Authorization: Bearer $2" \
- "$3" | jq -r '.fsLayers[0].blobSum'
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${TAG}" | jq -r 'first(.manifests[].digest)?')
+ if [[ -z "${MULTIDIGEST}" ]]; then
+ if DIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ --silent \
+ --location \
+ --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.manifest.v1+json" \
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${TAG}" | grep -v 404); then
+ echo "${DIGEST}" | jq -r '.layers[0].digest';
+ fi
+ else
+ if DIGEST=$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+ --silent \
+ --location \
+ --request GET \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Accept: application/vnd.oci.image.manifest.v1+json" \
+ --header "Authorization: Bearer ${2}" \
+ "${3}/${MULTIDIGEST}" | grep -v 404); then
+ echo "${DIGEST}" | jq -r '.layers[0].digest';
+ fi
+ fi
 fi
 }
@@ -170,7 +216,7 @@ run_mods() {
 fi
 FILENAME="${USERNAME}.${REPO}.${TAG}"
 AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
- MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
+ MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests"
 BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
 MODE="ghcr"
 else
@@ -183,7 +229,7 @@ run_mods() {
 fi
 FILENAME="${USERNAME}.${REPO}.${TAG}"
 AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
- MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
+ MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests"
 BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
 MODE="dockerhub"
 fi
From b2a601c18032876c4d1d5beee60c7a35207fb19d Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sun, 5 Feb 2023 21:38:44 +0000
Subject: [PATCH 4/4] Update readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index b62ad3a..cb44ce0 100644
--- a/README.md
+++ b/README.md
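Review bot: In PATCH 3/4, the four `| grep -v 404` filters in get_blob_sha drop every response line that contains the characters 404, not only error replies. A valid manifest whose digest or size field happens to contain `404` loses that line (or the whole document when the registry returns compact one-line JSON), so a good mod is treated as missing or jq is fed truncated JSON. Because `curl -f` already exits non-zero on an HTTP error, the status can be tested directly by ending each command substitution with `"${3}/${TAG}"); then` (or `"${3}/${MULTIDIGEST}"); then`) instead of piping to grep. The two branches of the `$1 == "ghcr"` test are now identical, so the body could be written once. `MULTIDIGEST` and `DIGEST` are assigned without `local` and leak into the caller's scope.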
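Review bot: In PATCH 3/4, the two `MANIFEST_URL=` assignments in run_mods (the hunks at -170 and -183) now hold a base path that only becomes a valid request once get_blob_sha appends `/${TAG}` or a digest, and nothing at the assignment says so. A comment such as `# Base URL only: get_blob_sha appends /${TAG} or /<digest>` above each assignment would document the new contract. get_blob_sha also reads `${TAG}` from the caller's scope rather than from its arguments; passing it as a fourth argument would make that dependency explicit. Any other use of MANIFEST_URL outside these hunks would need the same suffix, which cannot be checked from here.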
@@ -2,6 +2,7 @@ These files are used by Linuxserver build processes to handle mods in our images. Not for end-user consumption. +* **05.02.23:** - Support multi-manifest mods for provenance, etc. * **21.01.23:** - Create with-contenv alias. * **01.01.23:** - Remove support for legacy custom script/service locations. * **25.09.22:** - Initial Release.