From 5c9a38d3706ee985be95cb287cd2a6ba6ed40ce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= Date: Tue, 11 Feb 2025 19:23:05 +0100 Subject: [PATCH] (WIP) Check for container updates rather than using `image-id.txt` --- dangerzone/isolation_provider/container.py | 59 +++++++++------------- 1 file changed, 23 insertions(+), 36 deletions(-) diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py index 0213cde..bc810d4 100644 --- a/dangerzone/isolation_provider/container.py +++ b/dangerzone/isolation_provider/container.py @@ -5,7 +5,7 @@ import shlex import subprocess from typing import List, Tuple -from .. import container_utils, errors +from .. import container_utils, errors, updater from ..document import Document from ..util import get_resource_path, get_subprocess_startupinfo from .base import IsolationProvider, terminate_process_group @@ -78,41 +78,23 @@ class Container(IsolationProvider): @staticmethod def install() -> bool: - """Install the container image tarball, or verify that it's already installed. + """Check if an update is available and install it if necessary.""" + # XXX Do this only if users have optted in to auto-updates - Perform the following actions: - 1. Get the tags of any locally available images that match Dangerzone's image - name. - 2. Get the expected image tag from the image-id.txt file. - - If this tag is present in the local images, then we can return. - - Else, prune the older container images and continue. - 3. Load the image tarball and make sure it matches the expected tag. - """ - old_tags = container_utils.list_image_tags() - expected_tag = container_utils.get_expected_tag() - - if expected_tag not in old_tags: - # Prune older container images. - log.info( - f"Could not find a Dangerzone container image with tag '{expected_tag}'" + # # Load the image tarball into the container runtime. + update_available, image_digest = updater.is_update_available( + container_utils.CONTAINER_NAME + ) + if update_available: + updater.upgrade_container_image( + container_utils.CONTAINER_NAME, + image_digest, + updater.DEFAULT_PUBKEY_LOCATION, ) - for tag in old_tags: - container_utils.delete_image_tag(tag) - else: - return True - # Load the image tarball into the container runtime. - container_utils.load_image_tarball() - - # Check that the container image has the expected image tag. - # See https://github.com/freedomofpress/dangerzone/issues/988 for an example - # where this was not the case. - new_tags = container_utils.list_image_tags() - if expected_tag not in new_tags: - raise errors.ImageNotPresentException( - f"Could not find expected tag '{expected_tag}' after loading the" - " container image tarball" - ) + updater.verify_local_image( + container_utils.CONTAINER_NAME, updater.DEFAULT_PUBKEY_LOCATION + ) return True @@ -193,6 +175,13 @@ class Container(IsolationProvider): name: str, ) -> subprocess.Popen: container_runtime = container_utils.get_runtime() + + image_digest = container_utils.get_local_image_digest( + container_utils.CONTAINER_NAME + ) + updater.verify_local_image( + container_utils.CONTAINER_NAME, updater.DEFAULT_PUBKEY_LOCATION + ) security_args = self.get_runtime_security_args() debug_args = [] if self.debug: @@ -201,9 +190,7 @@ class Container(IsolationProvider): enable_stdin = ["-i"] set_name = ["--name", name] prevent_leakage_args = ["--rm"] - image_name = [ - container_utils.CONTAINER_NAME + ":" + container_utils.get_expected_tag() - ] + image_name = [container_utils.CONTAINER_NAME + "@sha256:" + image_digest] args = ( ["run"] + security_args