Fix c/image fails to pull OCI image with non-http(s):// urls

ktock · ktock · commit c064ff14123f · 2021-11-09T11:17:38.000+09:00
Signed-off-by: Kohei Tokunaga &lt;ktokunaga.mail@gmail.com&gt;
diff --git a/docker/docker_image_src.go b/docker/docker_image_src.go
@@ -408,7 +408,11 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
 // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
 func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(ctx, info.URLs)
+		if r, s, err := s.getExternalBlob(ctx, info.URLs); err == nil {
+			return r, s, nil
+		} else if containsValidHTTPURLs(info.URLs) { // if contains valid HTTP URLs, external blob should be fetched.
+			return nil, 0, err
+		} // no understandable urls are contained. Ignore urls and allow fallback.
 	}
 
 	path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
@@ -425,6 +429,16 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
 	return res.Body, getBlobSize(res), nil
 }
 
+func containsValidHTTPURLs(urls []string) bool {
+	for _, s := range urls {
+		u, err := url.Parse(s)
+		if err == nil && (u.Scheme == "http" || u.Scheme == "https") {
+			return true
+		}
+	}
+	return false
+}
+
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
 // (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
diff --git a/oci/layout/oci_src.go b/oci/layout/oci_src.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"strconv"
 
@@ -113,7 +114,11 @@ func (s *ociImageSource) HasThreadSafeGetBlob() bool {
 // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
 func (s *ociImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(ctx, info.URLs)
+		if r, s, err := s.getExternalBlob(ctx, info.URLs); err == nil {
+			return r, s, nil
+		} else if containsValidHTTPURLs(info.URLs) { // if contains valid HTTP URLs, external blob should be fetched.
+			return nil, 0, err
+		} // no understandable urls are contained. Ignore urls and allow fallback.
 	}
 
 	path, err := s.ref.blobPath(info.Digest, s.sharedBlobDir)
@@ -132,6 +137,16 @@ func (s *ociImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache
 	return r, fi.Size(), nil
 }
 
+func containsValidHTTPURLs(urls []string) bool {
+	for _, s := range urls {
+		u, err := url.Parse(s)
+		if err == nil && (u.Scheme == "http" || u.Scheme == "https") {
+			return true
+		}
+	}
+	return false
+}
+
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
 // (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
