|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +# Copyright 2023 The Kubernetes Authors. |
| 4 | +# |
| 5 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | +# you may not use this file except in compliance with the License. |
| 7 | +# You may obtain a copy of the License at |
| 8 | +# |
| 9 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +# |
| 11 | +# Unless required by applicable law or agreed to in writing, software |
| 12 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | +# See the License for the specific language governing permissions and |
| 15 | +# limitations under the License. |
| 16 | + |
| 17 | +# This scripts gets copied from the controller into the rescue system |
| 18 | +# of the bare-metal machine. |
| 19 | + |
| 20 | +# Bash Strict Mode: https://github.com/guettli/bash-strict-mode |
| 21 | +trap 'echo -e "\n🤷 🚨 🔥 Warning: A command has failed. Exiting the script. Line was ($0:$LINENO): $(sed -n "${LINENO}p" "$0" 2>/dev/null || true) 🔥 🚨 🤷 "; exit 3' ERR |
| 22 | +set -Eeuo pipefail |
| 23 | + |
| 24 | +image="${1:-}" |
| 25 | +outfile="${2:-}" |
| 26 | + |
| 27 | +function usage { |
| 28 | + echo "$0 image outfile" |
| 29 | + echo " Download a machine image from a container registry" |
| 30 | + echo " image: for example ghcr.io/foo/bar/my-machine-image:v9" |
| 31 | + echo " outfile: Created file. Usually with file extensions '.tgz'" |
| 32 | + echo " If the oci registry needs a token, then the script uses OCI_REGISTRY_AUTH_TOKEN (if set)" |
| 33 | + echo " Example 1: of OCI_REGISTRY_AUTH_TOKEN: mygithubuser:mypassword" |
| 34 | + echo " Example 2: of OCI_REGISTRY_AUTH_TOKEN: ghp_SN51...." |
| 35 | + echo |
| 36 | +} |
| 37 | +if [ -z "$outfile" ]; then |
| 38 | + usage |
| 39 | + exit 1 |
| 40 | +fi |
| 41 | + |
| 42 | +OCI_REGISTRY_AUTH_TOKEN="${OCI_REGISTRY_AUTH_TOKEN:-}" # github:$GITHUB_TOKEN |
| 43 | + |
| 44 | +# Extract registry |
| 45 | +registry="${image%%/*}" |
| 46 | + |
| 47 | +# Extract scope and tag |
| 48 | +remainder="${image#*/}" |
| 49 | +scope="${remainder%:*}" |
| 50 | +tag="${remainder##*:}" |
| 51 | + |
| 52 | +if [[ -z "$registry" || -z "$scope" || -z "$tag" ]]; then |
| 53 | + echo "failed to parse registry, scope and tag from image" |
| 54 | + echo "image=$image" |
| 55 | + echo "registry=$registry" |
| 56 | + echo "scope=$scope" |
| 57 | + echo "tag=$tag" |
| 58 | + exit 1 |
| 59 | +fi |
| 60 | + |
| 61 | +function get_token { |
| 62 | + echo "download with token (OCI_REGISTRY_AUTH_TOKEN set)" |
| 63 | + if [[ "$OCI_REGISTRY_AUTH_TOKEN" != *:* ]]; then |
| 64 | + echo "Using OCI_REGISTRY_AUTH_TOKEN directly (no colon in token)" |
| 65 | + token=$(echo "$OCI_REGISTRY_AUTH_TOKEN" | base64) |
| 66 | + return |
| 67 | + fi |
| 68 | + echo "OCI_REGISTRY_AUTH_TOKEN contains colon. Doing login first" |
| 69 | + token=$(curl -fsSL -u "$OCI_REGISTRY_AUTH_TOKEN" "https://${registry}/token?scope=repository:$scope:pull" | jq -r '.token') |
| 70 | + if [ -z "$token" ] || [ "$token" == null ]; then |
| 71 | + echo "Failed to get token for container registry" |
| 72 | + exit 1 |
| 73 | + fi |
| 74 | + echo "Login to $registry was successful" |
| 75 | +} |
| 76 | + |
| 77 | +AUTH_ARGS=() |
| 78 | +if [ -z "$OCI_REGISTRY_AUTH_TOKEN" ]; then |
| 79 | + echo "OCI_REGISTRY_AUTH_TOKEN is not set. Using no auth" |
| 80 | +else |
| 81 | + token="" |
| 82 | + get_token |
| 83 | + if [ -z "$token" ]; then |
| 84 | + echo "failed to get token" |
| 85 | + exit 1 |
| 86 | + fi |
| 87 | + AUTH_ARGS+=("--header") |
| 88 | + AUTH_ARGS+=("Authorization: Bearer $token") |
| 89 | +fi |
| 90 | +manifest=$(curl -sSL "${AUTH_ARGS[@]}" \ |
| 91 | + -H "Accept: application/vnd.oci.image.manifest.v1+json" \ |
| 92 | + "https://${registry}/v2/${scope}/manifests/${tag}") |
| 93 | + |
| 94 | +if [ -z "$manifest" ] || [ "$manifest" == null ]; then |
| 95 | + echo "Failed to get manifest from container registry for image $image" |
| 96 | + exit 1 |
| 97 | +fi |
| 98 | +digest=$(echo "$manifest" | jq -r '.layers[0].digest') |
| 99 | + |
| 100 | +if [ -z "$digest" ] || [ "$digest" == null ]; then |
| 101 | + echo "Failed to get digest from container registry. Manifest: $manifest" |
| 102 | + exit 1 |
| 103 | +fi |
| 104 | + |
| 105 | +expected_hash=$(echo "$manifest" | jq -r '.layers[0].digest' | cut -d':' -f2) |
| 106 | +if [ -z "$expected_hash" ]; then |
| 107 | + echo "Could not get hash from manifest. Manifest: $manifest" |
| 108 | + exit 1 |
| 109 | +fi |
| 110 | + |
| 111 | +echo "Start download of $image" |
| 112 | +# with speed 5111000 bytes/sec (5MB/sec) and a 2 GByte image, |
| 113 | +# it takes about 6 minutes to download the image. |
| 114 | +# max-time 600 --> 10 minutes |
| 115 | +# Usually the download is much fast: 40 MB/sec, which takes about 50 seconds. |
| 116 | +curl -fsSL "${AUTH_ARGS[@]}" \ |
| 117 | + --retry 5 --retry-delay 2 --retry-connrefused \ |
| 118 | + --speed-limit 5111000 --speed-time 10 --max-time 600 \ |
| 119 | + --continue-at - \ |
| 120 | + --write-out "Downloaded %{size_download} bytes in %{time_total} seconds\n" \ |
| 121 | + -o"$outfile" "https://${registry}/v2/${scope}/blobs/$digest" |
| 122 | + |
| 123 | +hash=$(sha256sum "$outfile" | awk '{print $1}') |
| 124 | +if [ -z "$hash" ]; then |
| 125 | + echo "Failed to calculate hash of downloaded file $outfile" |
| 126 | + exit 1 |
| 127 | +fi |
| 128 | + |
| 129 | +if [ "$hash" != "$expected_hash" ]; then |
| 130 | + echo "Hash of downloaded file $outfile does not match expected hash" |
| 131 | + echo "Expected: $expected_hash" |
| 132 | + echo "Got: $hash" |
| 133 | + exit 1 |
| 134 | +fi |
| 135 | + |
| 136 | +echo "Hash of downloaded file $outfile matches expected hash: $hash" |
0 commit comments