store: Enable to recieve TOCDigest from runtime

Signed-off-by: Kohei Tokunaga <[email protected]>
containerd · May 21, 2024 · ae56e3c · ae56e3c
1 parent f837845
commit ae56e3c
Show file tree

Hide file tree

Showing 5 changed files with 101 additions and 125 deletions.
diff --git a/cmd/stargz-store/main.go b/cmd/stargz-store/main.go
@@ -132,9 +132,8 @@ func main() {
 				Fatalf("failed to prepare mountpoint %q", mountPoint)
 		}
 	}
-	if !config.Config.DisableVerification {
-		log.G(ctx).Warnf("content verification is not supported; switching to non-verification mode")
-		config.Config.DisableVerification = true
+	if config.Config.DisableVerification {
+		log.G(ctx).Fatalf("content verification can't be disabled")
 	}
 	mt, err := getMetadataStore(*rootDir, config)
 	if err != nil {

diff --git a/fs/layer/layer.go b/fs/layer/layer.go
@@ -108,6 +108,7 @@ type Info struct {
 	FetchedSize  int64     // layer fetched size in bytes
 	PrefetchSize int64     // layer prefetch size in bytes
 	ReadTime     time.Time // last time the layer was read
+	TOCDigest    digest.Digest
 }
 
 // Resolver resolves the layer location and provieds the handler of that layer.
@@ -415,6 +416,7 @@ func (l *layer) Info() Info {
 		FetchedSize:  l.blob.FetchedSize(),
 		PrefetchSize: l.prefetchedSize(),
 		ReadTime:     readTime,
+		TOCDigest:    l.verifiableReader.Metadata().TOCDigest(),
 	}
 }
 

diff --git a/script/demo-store/etc/stargz-store/config.toml b/script/demo-store/etc/stargz-store/config.toml
@@ -1,5 +1,4 @@
 metrics_address = "127.0.0.1:8234"
-disable_verification = true
 [[resolver.host."registry2-store:5000".mirrors]]
 host = "registry2-store:5000"
 insecure = true
diff --git a/store/fs.go b/store/fs.go
@@ -384,12 +384,20 @@ func (n *layernode) Lookup(ctx context.Context, name string, out *fuse.EntryOut)
 				return nil, syscall.EIO
 			}
 			log.G(ctx).WithField(remoteSnapshotLogKey, prepareFailed).
-				WithField("layerdigest", n.digest).
+				WithField("digest", n.digest).
 				WithError(err).
 				Debugf("error resolving layer (context error: %v)", cErr)
 			log.G(ctx).WithError(err).Warnf("failed to mount layer %q: %q", name, n.digest)
 			return nil, syscall.EIO
 		}
+		if err := l.Verify(n.digest); err != nil {
+			log.G(ctx).WithField(remoteSnapshotLogKey, prepareFailed).
+				WithField("digest", n.digest).
+				WithError(err).
+				Debugf("failed to verify layer")
+			log.G(ctx).WithError(err).Warnf("failed to mount layer %q: %q", name, n.digest)
+			return nil, syscall.EIO
+		}
 		if name == blobLink {
 			sAttr := layerToAttr(l, &out.Attr)
 			cn := &blobnode{l: l}