feat: add support for docker images (#2714)

* feat: add support for docker images

Issue #724

A new config section under "HTTP" called "Compat" is added which
currently takes a list of possible compatible legacy media-types.

https://github.com/opencontainers/image-spec/blob/main/media-types.md#compatibility-matrix

Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported.

Garbage collection also needs to be made aware of non-OCI compatible
layer types.
feat: add cve support for non-OCI compatible layer types

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* 

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: add more docker compat tests

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* feat: add additional validation checks for non-OCI images

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: make "full" images docker-compatible

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

test/blackbox/ci.sh

@@ -9,7 +9,7 @@ PATH=$PATH:${SCRIPTPATH}/../../hack/tools/bin
 
 tests=("pushpull" "pushpull_authn" "delete_images" "referrers" "metadata" "anonymous_policy"
       "annotations" "detect_manifest_collision" "cve" "sync" "sync_docker" "sync_replica_cluster"
-      "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index")
+      "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat")
 
 for test in ${tests[*]}; do
     ${BATS} ${BATS_FLAGS} ${SCRIPTPATH}/${test}.bats > ${test}.log & pids+=($!)

test/blackbox/docker_compat.bats

@@ -0,0 +1,94 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+
+function verify_prerequisites {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    return 0
+}
+
+function setup_file() {
+    # Verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+    # Download test data to folder common for the entire suite, not just this file
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.0",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}",
+        "compat": ["docker2s2"]
+
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    }
+}
+EOF
+    git -C ${BATS_FILE_TMPDIR} clone https://github.com/project-zot/helm-charts.git
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown() {
+    # conditionally printing on failure is possible from teardown but not from from teardown_file
+    cat ${BATS_FILE_TMPDIR}/zot.log
+}
+
+function teardown_file() {
+    zot_stop_all
+}
+
+@test "push docker image to compatible zot" {
+    zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
+    zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    cat > Dockerfile <<EOF
+    FROM public.ecr.aws/docker/library/busybox:latest
+    RUN echo "hello world" > /testfile
+EOF
+    docker build -f Dockerfile . -t localhost:${zot_port}/test:latest
+    run docker push localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+    [ $(cat ${zot_root_dir}/test/index.json | jq .manifests[0].mediaType)  = '"application/vnd.docker.distribution.manifest.v2+json"' ]
+    run docker pull localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+    # inspect and trigger a CVE scan
+    run skopeo inspect --tls-verify=false docker://localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+    # delete
+    run skopeo delete --tls-verify=false docker://localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+    run skopeo inspect --tls-verify=false docker://localhost:${zot_port}/test:latest
+    [ "$status" -ne 0 ]
+    # re-push
+    run docker push localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+    run skopeo inspect --tls-verify=false docker://localhost:${zot_port}/test:latest
+    [ "$status" -eq 0 ]
+}

test/blackbox/pushpull.bats

@@ -359,3 +359,16 @@ EOF
     [ "$status" -eq 0 ]
     [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 0 ]
 }
+
+@test "push docker image" {
+    zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
+    cat > Dockerfile <<EOF
+    FROM public.ecr.aws/docker/library/busybox:latest
+    RUN echo "hello world" > /testfile
+EOF
+    docker build -f Dockerfile . -t localhost:${zot_port}/test
+    run docker push localhost:${zot_port}/test
+    [ "$status" -eq 1 ]
+    run docker pull localhost:${zot_port}/test
+    [ "$status" -eq 1 ]
+}