Don't unnecessarily trust the ALS FUSE server about the TOC digest

Well, we trust it _anyway_ to actually validate the TOC digest and enforce layer consistency, but it's simpler to use the known-trusted value than to worry about the backend's trust. Also add a FIXME about the case when the value is "". Signed-off-by: Miloslav Trmač <[email protected]>
containers · May 20, 2024 · c2327e4 · c2327e4
1 parent db02dee
commit c2327e4
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/storage/storage_dest.go b/storage/storage_dest.go
@@ -388,11 +388,17 @@ func (s *storageImageDestination) tryReusingBlobAsPending(blobDigest digest.Dige
 		if err != nil && !errors.Is(err, storage.ErrLayerUnknown) {
 			return false, private.ReusedBlob{}, fmt.Errorf(`looking for compressed layers with digest %q and labels: %w`, blobDigest, err)
 		} else if err == nil {
-			d := aLayer.TOCDigest()
-			if d == "" {
-				return false, private.ReusedBlob{}, fmt.Errorf(`failed to get TOCDigest of %q: %w`, blobDigest, err)
+			alsTOCDigest := aLayer.TOCDigest()
+			if alsTOCDigest != options.TOCDigest {
+				// FIXME: If alsTOCDigest is "", the Additional Layer Store FUSE server is probably just too old, and we could
+				// probably go on reading the layer from other sources.
+				//
+				// Currently it should not be possible for alsTOCDigest to be set and not the expected value, but there’s
+				// not that much benefit to checking for equality — we trust the FUSE server to validate the digest either way.
+				return false, private.ReusedBlob{}, fmt.Errorf("additional layer for TOCDigest %q reports unexpected TOCDigest %q",
+					options.TOCDigest, alsTOCDigest)
 			}
-			s.lockProtected.indexToTOCDigest[*options.LayerIndex] = d
+			s.lockProtected.indexToTOCDigest[*options.LayerIndex] = options.TOCDigest
 			s.lockProtected.indexToAdditionalLayer[*options.LayerIndex] = aLayer
 			return true, private.ReusedBlob{
 				Digest: blobDigest,