ironic.common.oci_registry module
- class ironic.common.oci_registry.MakeSession(verify=True)
Bases:
object
Class method to uniformly create sessions.
Sessions created by this class will retry on errors with an exponential backoff before raising an exception. Because our primary interaction is with the container registries the adapter will also retry on 401 and 404. This is being done because registries commonly return 401 when an image is not found, which is commonly a cache miss. See the adapter definitions for more on retry details.
- class ironic.common.oci_registry.OciClient(verify)
Bases:
object
- authenticate(image_url, username=None, password=None)
Authenticate to the remote container registry.
- Parameters:
image_url – The URL to utilise for the remote container registry.
username – The username parameter.
password – The password parameter.
- Raises:
AttributeError when an unknown authentication attribute has been specified by the remote service.
- Raises:
ImageServiceAuthenticationRequired when the remote container registry requires authentication but we do not have credentials.
- download_blob_from_manifest(manifest_url, image_file)
Retrieves the requested blob from the manifest URL, saves the requested manifest’s artifact to the requested image_file location, and then returns the verified checksum.
- Parameters:
manifest_url – The artifact manifest URL, in the form oci://host/user/container@digest. This is not the digest value for the blob, which can only be discovered by retrieving the manifest.
image_file – The image file object to write the blob to.
- Returns:
The verified digest value matching the saved artifact.
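The following is an added example, not ironic's code, of the behaviour documented for download_blob_from_manifest: the blob digest is read from the retrieved manifest, the blob is hashed while it is written, and the digest is returned only when it matches. The function name, the choice of the first layer, and the sample manifest and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

BLOB = b"constructed disk image bytes"  # constructed sample payload
MANIFEST = {  # constructed OCI image manifest, trimmed to the fields used here
    "schemaVersion": 2,
    "layers": [{"digest": "sha256:" + hashlib.sha256(BLOB).hexdigest(),
                "size": len(BLOB)}],
}


def save_verified_blob(manifest, chunks, image_file):
    """Stream chunks into image_file; return the blob digest only on a match."""
    layer = manifest["layers"][0]  # assumption: the artifact is the first layer
    algorithm, _, expected_hex = layer["digest"].partition(":")
    if algorithm not in ("sha256", "sha512") or not expected_hex:
        raise ValueError("unsupported or malformed digest")
    hasher = hashlib.new(algorithm)
    written = 0
    for chunk in chunks:
        written += len(chunk)
        if written > layer["size"]:
            # Stop early instead of filling the disk with unexpected data.
            raise ValueError("blob is larger than the manifest declares")
        hasher.update(chunk)
        image_file.write(chunk)
    if not hmac.compare_digest(hasher.hexdigest(), expected_hex.lower()):
        # The caller must discard image_file; its content is untrusted.
        raise ValueError("blob digest does not match the manifest")
    return layer["digest"]


def demo():
    """Verify an intact blob and confirm a tampered one is rejected."""
    good = io.BytesIO()
    digest = save_verified_blob(MANIFEST, [BLOB[:10], BLOB[10:]], good)
    try:
        save_verified_blob(MANIFEST, [BLOB[:-1] + b"X"], io.BytesIO())
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return digest, good.getvalue() == BLOB, tampered_rejected
```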
- get_artifact_index(image)
Retrieve an index of artifacts in the Container Registry.
- Parameters:
image – The remote container registry URL in the form of oci://host/user/container:tag.
- Returns:
A dictionary object representing the index of artifacts present in the container registry, in the form of manifest references along with any other metadata per entry which the remote registry returns such as annotations, and platform labeling which aids in artifact selection.
- get_blob_url(image, blob_digest)
Generates an HTTP URL representing a blob artifact.
- Parameters:
image – The OCI Container URL.
blob_digest – The digest value representing the desired blob artifact.
- Returns:
An HTTP URL string representing the blob URL which can be utilized by an HTTP client to retrieve the artifact.
- get_manifest(image, digest=None)
Retrieve a manifest from the remote API.
This method is a wrapper for the _get_manifest helper, which normalizes the input URL, performs basic sanity checking, and then calls the underlying method to retrieve the manifest.
The manifest is then returned to the caller in the form of a dictionary.
- Parameters:
image – The full URL to the desired manifest or the URL of the container and an accompanying digest parameter.
digest – The Digest value for the requested manifest.
- Returns:
A dictionary object representing the manifest as stored in the remote API.
- class ironic.common.oci_registry.RegistrySessionHelper
Bases:
object
Class with various registry session helpers
This class contains a bunch of static methods to be used when making session requests against a container registry. The methods are primarily used to handle authentication/reauthentication for the requests against registries that require auth.
- static check_redirect_trusted(request_response, request_session, stream=True, timeout=60)
Check if we’ve been redirected to a trusted source
Because we may be using auth, we may not want to leak authentication keys to an untrusted source. If we get a redirect, we need to check that the redirect URL is one of the sources that we trust. Otherwise we drop the Authorization header from the redirect request. We’ll add the header back into the request session after performing the request, for future usage of the session.
- Parameters:
request_response – Response object of the request to check
request_session – Session to use when redirecting
stream – Should we stream the response of the redirect
timeout – Timeout for the redirect request
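The decision described for check_redirect_trusted, sketched as an added example that is not ironic's implementation: the Authorization header is forwarded only when the redirect target is an https URL on an allow-list. The function names and the TRUSTED_HOSTS values are hypothetical; the page does not say how ironic defines its trusted sources.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list, constructed for this example.
TRUSTED_HOSTS = frozenset({"registry.example.com", "cdn.registry.example.com"})


def is_trusted_redirect(location, trusted_hosts=TRUSTED_HOSTS):
    """Return True only for an https URL whose host is on the allow-list.

    A relative Location value has no scheme and is treated as untrusted, so
    resolve it against the request URL (urllib.parse.urljoin) first.
    """
    try:
        parts = urlsplit(location)
    except ValueError:  # e.g. a malformed bracketed host
        return False
    # .hostname is lower-cased and excludes userinfo and port, so a URL such
    # as https://registry.example.com@other.example/ is judged on other.example.
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    return host.rstrip(".") in trusted_hosts


def headers_for_redirect(headers, location, trusted_hosts=TRUSTED_HOSTS):
    """Copy the request headers, dropping Authorization for untrusted targets."""
    forwarded = dict(headers)
    if not is_trusted_redirect(location, trusted_hosts):
        for name in list(forwarded):
            if name.lower() == "authorization":
                del forwarded[name]
    return forwarded
```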
- static check_status(session, request, allow_reauth=True)
Check request status and trigger reauth
This function can be used to check if we need to perform authentication for a container registry request because we’ve gotten a 401.
- static get(request_session, *args, **kwargs)
Perform a get and retry if auth fails
This function is designed to be used when we perform a get to an authenticated source. This function will attempt a single re-authentication request if the first one fails.
- static get_bearer_token(session, username=None, password=None, realm=None, service=None, scope=None)
- get_token_from_config()
Takes a FQDN for a container registry and consults auth config.
This method evaluates named configuration parameter [oci]authentication_config and looks for pre-shared secrets in the supplied json file. It is written to defensively handle the file such that errors are not treated as fatal to the overall lookup process, but errors are logged.
The expected file format is along the lines of:
    {
        "auths": {
            "domain.name": {
                "auth": "pre-shared-secret-value"
            }
        }
    }
- Parameters:
fqdn – A fully qualified domain name for interacting with the remote image registry.
- Returns:
String value for the “auth” key which matches the supplied FQDN.
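An added example, not ironic's code, of the defensive lookup described for get_token_from_config: unreadable, malformed or unexpectedly shaped files are logged and yield no secret instead of raising. The function names, the temporary files and their contents are constructed for illustration.

```python
import json
import logging
import os
import tempfile

LOG = logging.getLogger(__name__)


def lookup_preshared_auth(config_path, fqdn):
    """Return the "auth" string for fqdn, or None; never raises on bad files."""
    try:
        with open(config_path, encoding="utf-8") as handle:
            config = json.load(handle)
    except (OSError, ValueError) as exc:  # missing file, bad JSON, bad encoding
        LOG.error("Unable to read auth config %s: %s", config_path, exc)
        return None
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict):
        LOG.error("Auth config %s has no usable 'auths' mapping", config_path)
        return None
    entry = auths.get(fqdn)
    secret = entry.get("auth") if isinstance(entry, dict) else None
    if not isinstance(secret, str) or not secret:
        LOG.debug("No pre-shared secret configured for %s", fqdn)
        return None
    return secret  # the secret itself is never written to the log


def demo():
    """Run the lookup against constructed files; all values are made up."""
    sample = {"auths": {"domain.name": {"auth": "pre-shared-secret-value"}}}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "auth.json")
        with open(good, "w", encoding="utf-8") as handle:
            json.dump(sample, handle)
        broken = os.path.join(tmp, "broken.json")
        with open(broken, "w", encoding="utf-8") as handle:
            handle.write("{not json")
        return (lookup_preshared_auth(good, "domain.name"),
                lookup_preshared_auth(good, "other.name"),
                lookup_preshared_auth(broken, "domain.name"),
                lookup_preshared_auth(os.path.join(tmp, "missing"), "domain.name"))
```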