imagecheck

package
v0.0.0-...-6d93963 (Latest)

This package is not in the latest version of its module.

Published: Jun 30, 2026 | License: Apache-2.0 | Imports: 11 | Imported by: 0

Documentation

Overview

Package imagecheck verifies container image availability locally.

Constants

This section is empty.

Variables

var ErrDigestUnavailable = errors.New("imagecheck: image digest unavailable")

ErrDigestUnavailable is returned when a digest cannot be resolved for an image — e.g. the engine does not expose one at task-spec construction time (Kubernetes resolves digests in the kubelet pull status, not before the pod exists). Callers treat this as "fall back to the literal tag": a cache miss is always safe, so an unresolved digest never produces a stale hit, it only declines the extra tamper-evidence for that step.

Functions

This section is empty.

Types

type DigestFunc

type DigestFunc func(ctx context.Context, imageRef string) (string, error)

DigestFunc resolves a single image reference to its content digest (sha256:...). Implementations may perform network I/O (a registry pull or inspect); the Resolver wraps them with a short-TTL cache so steady-state runs pay the cost at most once per TTL window.

type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver resolves image tags to content digests and caches the mapping with a short, per-call TTL. It is safe for concurrent use. Resolution is engine-aware: each supported engine supplies a DigestFunc; engines without one (or with a nil func) report ErrDigestUnavailable so the caller falls back to the tag.

The TTL is supplied per Resolve call (not fixed on the Resolver) so different jobs can demand different freshness against the same warm cache — e.g. a job with digestTTL: 0 re-resolves every check (immediate moved-tag detection) while others reuse the steady-state default and pay no registry round-trip.

func Default

func Default() *Resolver

Default returns a process-wide shared Resolver, built lazily on first call. Sharing one instance means the tag->digest cache is warm across runs, so steady-state execution pays no per-task registry round-trip. The cache TTL is supplied per Resolve call, so the shared instance can serve jobs with different freshness requirements.

func NewResolver

func NewResolver(opts ...ResolverOption) *Resolver

NewResolver builds a Resolver. By default the Docker engine resolves via the local Docker daemon: it inspects the image (using its content config digest / RepoDigests) and, only if the image is not already present locally, pulls it first so a digest is available. The cache TTL is supplied per Resolve call.

Registry auth limitation: the pull-if-absent path uses an anonymous pull (no RegistryAuth is sent), so digest resolution for an image that must be pulled from a *private* registry will fail and the step falls back to the literal tag — which is always safe (a cache miss is never a stale hit). Images already present locally (the steady-state case, and any image the runtime already pulled) resolve without auth. Wiring RegistryAuth from the secret providers is a tracked follow-up. Podman and Kubernetes have no pre-run digest source wired here yet, so they also fall back to the tag.

func (*Resolver) Resolve

func (r *Resolver) Resolve(ctx context.Context, engine models.AtomEngine, imageRef string, ttl time.Duration) (string, error)

Resolve returns the content digest (sha256:...) for the image run by the given engine. On any resolution failure it returns ErrDigestUnavailable (the underlying cause is logged), so callers can fall back to the tag without special-casing every engine.

ttl bounds how long a resolved tag->digest mapping is reused. It is a perf cache: within the window a moved tag is NOT re-detected (the prior digest is served). A ttl of 0 (or negative) disables the cache for this call — the digest is re-resolved every time, so a moved tag is detected immediately at the cost of a registry round-trip per check. Different callers may pass different TTLs against the same shared, warm cache.
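
The per-call TTL and fall-back-to-tag behaviour documented for Resolve, as an added sketch that is not the package's own code. The names ttlResolver, resolve, cached and errDigestUnavailable are hypothetical stand-ins, the engine parameter is omitted, and "app:latest" is a constructed reference.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Hypothetical names; only the semantics follow the package documentation.
var errDigestUnavailable = errors.New("sketch: image digest unavailable")

type digestFunc func(ctx context.Context, imageRef string) (string, error)

type cached struct {
	digest string
	at     time.Time
}

type ttlResolver struct {
	mu    sync.Mutex
	fn    digestFunc // nil models an engine with no digest source
	now   func() time.Time
	cache map[string]cached
}

// resolve reuses a cached digest only while younger than this call's ttl; ttl <= 0 bypasses the cache.
func (r *ttlResolver) resolve(ctx context.Context, ref string, ttl time.Duration) (string, error) {
	r.mu.Lock() // held across fn for brevity in this sketch
	defer r.mu.Unlock()
	if r.fn == nil {
		return "", errDigestUnavailable
	}
	if c, ok := r.cache[ref]; ok && ttl > 0 && r.now().Sub(c.at) < ttl {
		return c.digest, nil // a tag moved inside the window is not re-detected
	}
	d, err := r.fn(ctx, ref)
	if err != nil {
		return "", errDigestUnavailable // cause collapsed; caller falls back to the tag
	}
	r.cache[ref] = cached{d, r.now()}
	return d, nil
}

func main() {
	r := &ttlResolver{now: time.Now, cache: map[string]cached{}} // no digest source wired
	_, err := r.resolve(context.Background(), "app:latest", time.Minute)
	fmt.Println(errors.Is(err, errDigestUnavailable))
}
```
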

type ResolverOption

type ResolverOption func(*Resolver)

ResolverOption configures a Resolver.

func WithClock

func WithClock(now func() time.Time) ResolverOption

WithClock overrides the clock used for TTL expiry (test seam).

func WithEngineDigestFunc

func WithEngineDigestFunc(engine models.AtomEngine, fn DigestFunc) ResolverOption

WithEngineDigestFunc registers (or overrides) the DigestFunc for an engine. Primarily a test seam; production wiring uses NewResolver's defaults.

type Result

type Result struct {
	Image     string
	Available bool
	Error     error
}

Result describes whether a container image is available locally.

func Check

func Check(ctx context.Context, images []string) []Result

Check inspects the local Docker daemon for each image without pulling.
