refactor: Reduce binary size of zot-minimal; Added CI check for binary size (#1758)

Signed-off-by: Alexei Dodon <adodon@cisco.com>
2026-06-16 04:17:55 +08:00 · 2023-09-06 19:58:00 +03:00
parent 75a76005b4
commit f5b63963be
18 changed files with 134 additions and 83 deletions
@@ -1,10 +1,10 @@
 package config

 import (
+	"encoding/json"
 	"os"
 	"time"

-	"github.com/getlantern/deepcopy"
 	distspec "github.com/opencontainers/distribution-spec/specs-go"

 	extconf "zotregistry.io/zot/pkg/extensions/config"
@@ -221,17 +221,28 @@ func SameFile(str1, str2 string) (bool, error) {
 	return os.SameFile(sFile, tFile), nil
 }

+func DeepCopy(src, dst interface{}) error {
+	bytes, err := json.Marshal(src)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(bytes, dst)
+
+	return err
+}
+
 // Sanitize makes a sanitized copy of the config removing any secrets.
 func (c *Config) Sanitize() *Config {
 	sanitizedConfig := &Config{}
-	if err := deepcopy.Copy(sanitizedConfig, c); err != nil {
+
+	if err := DeepCopy(c, sanitizedConfig); err != nil {
 		panic(err)
 	}

 	if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" {
 		sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}

-		if err := deepcopy.Copy(sanitizedConfig.HTTP.Auth.LDAP, c.HTTP.Auth.LDAP); err != nil {
+		if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
 			panic(err)
 		}

@@ -65,4 +65,20 @@ func TestConfig(t *testing.T) {
 		So(err, ShouldBeNil)
 		So(isSame, ShouldBeTrue)
 	})
+	Convey("Test DeepCopy() & Sanitize()", t, func() {
+		conf := config.New()
+		So(conf, ShouldNotBeNil)
+		authConfig := &config.AuthConfig{LDAP: &config.LDAPConfig{BindPassword: "oina"}}
+		conf.HTTP.Auth = authConfig
+		So(func() { conf.Sanitize() }, ShouldNotPanic)
+		conf = conf.Sanitize()
+		So(conf.HTTP.Auth.LDAP.BindPassword, ShouldEqual, "******")
+
+		// negative
+		obj := make(chan int)
+		err := config.DeepCopy(conf, obj)
+		So(err, ShouldNotBeNil)
+		err = config.DeepCopy(obj, conf)
+		So(err, ShouldNotBeNil)
+	})
 }
@@ -16,7 +16,6 @@ import (
 	"sync"
 	"time"

-	notreg "github.com/notaryproject/notation-go/registry"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sigstore/cosign/v2/pkg/oci/remote"

@@ -482,7 +481,7 @@ func isNotationSigned(ctx context.Context, repo, digestStr string, searchConf se
 	var referrers ispec.Index

 	URL := fmt.Sprintf("%s/v2/%s/referrers/%s?artifactType=%s",
-		*searchConf.servURL, repo, digestStr, notreg.ArtifactTypeNotation)
+		*searchConf.servURL, repo, digestStr, common.ArtifactTypeNotation)

 	_, err := makeGETRequest(ctx, URL, username, password,
 		*searchConf.verifyTLS, *searchConf.debug, &referrers, searchConf.resultWriter)
@@ -23,6 +23,9 @@ const (
 	CosignSignature   = "cosign"
 	CosignSigKey      = "dev.cosignproject.cosign/signature"
 	NotationSignature = "notation"
+	// same value as github.com/notaryproject/notation-go/registry.ArtifactTypeNotation (assert by internal test).
+	// reason used: to reduce zot minimal binary size (otherwise adds oras.land/oras-go/v2 deps).
+	ArtifactTypeNotation = "application/vnd.cncf.notary.signature"
 )

 func Contains[T comparable](elems []T, v T) bool {
@@ -5,6 +5,7 @@ import (
 	"path"
 	"testing"

+	notreg "github.com/notaryproject/notation-go/registry"
 	. "github.com/smartystreets/goconvey/convey"

 	"zotregistry.io/zot/pkg/api/config"
@@ -56,4 +57,8 @@ func TestCommon(t *testing.T) {
 		So(common.Index([]string{"a", "b"}, "b"), ShouldEqual, 1)
 		So(common.Index([]string{"a", "b"}, "c"), ShouldEqual, -1)
 	})
+
+	Convey("Test ArtifactTypeNotation const has same value as in notaryproject", t, func() {
+		So(common.ArtifactTypeNotation, ShouldEqual, notreg.ArtifactTypeNotation)
+	})
 }
@@ -12,13 +12,11 @@ import (

 	"zotregistry.io/zot/pkg/api/config"
 	"zotregistry.io/zot/pkg/log"
-	_ "zotregistry.io/zot/swagger"
 )

 func SetupSwaggerRoutes(conf *config.Config, router *mux.Router, authFunc mux.MiddlewareFunc,
 	log log.Logger,
 ) {
-	// swagger "/swagger/v2/index.html"
 	log.Warn().Msg("skipping enabling swagger because given zot binary " +
 		"doesn't include this feature, please build a binary that does so")
 }
@@ -13,13 +13,13 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
 	"time"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	"github.com/gobwas/glob"
 	regTypes "github.com/google/go-containerregistry/pkg/v1/types"
 	notreg "github.com/notaryproject/notation-go/registry"
 	godigest "github.com/opencontainers/go-digest"
@@ -1245,9 +1245,9 @@ func TestExpandedRepoInfo(t *testing.T) {
 				ExpandedRepoInfo(repo:"test1"){
 					Summary {
 						Name LastUpdated Size
-						Platforms {Os Arch} 
+						Platforms {Os Arch}
 						Vendors
-					} 
+					}
 					Images {
 						Tag
 						Manifests {
@@ -1341,7 +1341,7 @@ func TestExpandedRepoInfo(t *testing.T) {
 		query := `{
 			ExpandedRepoInfo(repo:"zot-cve-test"){
 				Summary {
-					Name LastUpdated Size 
+					Name LastUpdated Size
 					}
 				}
 			}`
@@ -1363,7 +1363,7 @@ func TestExpandedRepoInfo(t *testing.T) {
 				Images {
 					Tag
 					Manifests {
-						Digest 
+						Digest
 						Layers {Size Digest}
 					}
 					IsSigned
@@ -1437,7 +1437,7 @@ func TestExpandedRepoInfo(t *testing.T) {
 			ExpandedRepoInfo(repo:"zot-test"){
 				Images {
 					RepoName
-					Tag IsSigned 
+					Tag IsSigned
 					Manifests{
 						Digest
 						Layers {Size Digest}
@@ -1548,10 +1548,10 @@ func TestExpandedRepoInfo(t *testing.T) {
 		{
 			ExpandedRepoInfo(repo:"repo"){
 				Images {
-					RepoName 
-					Tag 
+					RepoName
+					Tag
 					Manifests {
-						Digest 
+						Digest
 						Layers {Size Digest}
 					}
 				}
@@ -1633,10 +1633,10 @@ func TestExpandedRepoInfo(t *testing.T) {
 		{
 			ExpandedRepoInfo(repo:"test-repo"){
 				Images {
-					RepoName 
-					Tag 
+					RepoName
+					Tag
 					Manifests {
-						Digest 
+						Digest
 						Layers {Size Digest}
 					}
 				}
@@ -1743,10 +1743,10 @@ func TestExpandedRepoInfo(t *testing.T) {
 		{
 			ExpandedRepoInfo(repo:"repo"){
 				Images {
-					RepoName 
-					Tag 
+					RepoName
+					Tag
 					Manifests {
-						Digest 
+						Digest
 						Layers {Size Digest}
 					}
 				}
@@ -3306,7 +3306,7 @@ func TestGlobalSearch(t *testing.T) {
 				Images {
 					RepoName Tag LastUpdated Size
 					Manifests {
-						LastUpdated Size 
+						LastUpdated Size
 						Platform { Os Arch }
 						History {
 							Layer { Size Digest }
@@ -3322,7 +3322,7 @@ func TestGlobalSearch(t *testing.T) {
 					NewestImage {
 						RepoName Tag LastUpdated Size
 						Manifests {
-							LastUpdated Size 
+							LastUpdated Size
 							Platform { Os Arch }
 							History {
 								Layer { Size Digest }
@@ -3535,7 +3535,7 @@ func TestGlobalSearch(t *testing.T) {
 					Images {
 						RepoName Tag LastUpdated Size
 						Manifests {
-							LastUpdated Size 
+							LastUpdated Size
 							Platform { Os Arch }
 							History {
 								Layer { Size Digest }
@@ -3551,7 +3551,7 @@ func TestGlobalSearch(t *testing.T) {
 						NewestImage {
 							RepoName Tag LastUpdated Size
 							Manifests {
-								LastUpdated Size 
+								LastUpdated Size
 								Platform { Os Arch }
 								History {
 									Layer { Size Digest }
@@ -3625,7 +3625,7 @@ func TestGlobalSearch(t *testing.T) {
 				Images {
 					RepoName Tag LastUpdated Size
 					Manifests {
-						LastUpdated Size 
+						LastUpdated Size
 						Platform { Os Arch }
 						History {
 							Layer { Size Digest }
@@ -3641,7 +3641,7 @@ func TestGlobalSearch(t *testing.T) {
 					NewestImage {
 						RepoName Tag LastUpdated Size
 						Manifests {
-							LastUpdated Size 
+							LastUpdated Size
 							Platform { Os Arch }
 							History {
 								Layer { Size Digest }
@@ -4335,7 +4335,7 @@ func TestMetaDBWhenSigningImages(t *testing.T) {
 				Images {
 					RepoName Tag LastUpdated Size IsSigned
 					Manifests{
-						LastUpdated Size 
+						LastUpdated Size
 					}
 				}
 			}
@@ -5349,7 +5349,7 @@ func TestMetaDBWhenDeletingImages(t *testing.T) {
 					RepoName Tag LastUpdated Size IsSigned
 					Manifests{
 						Platform { Os Arch }
-						LastUpdated Size 
+						LastUpdated Size
 					}
 				}
 			}
@@ -5399,7 +5399,7 @@ func TestMetaDBWhenDeletingImages(t *testing.T) {
 						RepoName Tag LastUpdated Size IsSigned
 						Manifests{
 							Platform { Os Arch }
-							LastUpdated Size 
+							LastUpdated Size
 						}
 					}
 				}
@@ -5436,9 +5436,9 @@ func TestMetaDBWhenDeletingImages(t *testing.T) {
 			for _, manifest := range indexContent.Manifests {
 				tag := manifest.Annotations[ispec.AnnotationRefName]

-				cosignTagRule := glob.MustCompile("sha256-*.sig")
+				cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`)

-				if cosignTagRule.Match(tag) {
+				if cosignTagRule.MatchString(tag) {
 					signatureTag = tag
 				}
 			}
@@ -5472,10 +5472,10 @@ func TestMetaDBWhenDeletingImages(t *testing.T) {
 			{
 				GlobalSearch(query:"repo1:1.0.1"){
 					Images {
-						RepoName Tag LastUpdated Size IsSigned			
+						RepoName Tag LastUpdated Size IsSigned
 						Manifests{
 							Platform { Os Arch }
-							LastUpdated Size 
+							LastUpdated Size
 						}
 					}
 				}
@@ -5786,15 +5786,15 @@ func TestSearchSize(t *testing.T) {
 		query := `
 		{
 			GlobalSearch(query:"testrepo:"){
-				Images { 
+				Images {
 					RepoName Tag LastUpdated Size Vendor
 					Manifests{
 						Platform { Os Arch }
-						LastUpdated Size 
+						LastUpdated Size
 					}
 				}
 				Repos {
-					Name LastUpdated Size 
+					Name LastUpdated Size
 					NewestImage {
 						Manifests{
 							Platform { Os Arch }
@@ -5823,15 +5823,15 @@ func TestSearchSize(t *testing.T) {
 		query = `
 		{
 			GlobalSearch(query:"testrepo"){
-				Images { 
-					RepoName Tag LastUpdated Size 
+				Images {
+					RepoName Tag LastUpdated Size
 					Manifests{
 						Platform { Os Arch }
 						LastUpdated Size
 					}
 				}
 				Repos {
-					Name LastUpdated Size 
+					Name LastUpdated Size
 					NewestImage {
 						Manifests{
 							Platform { Os Arch }
@@ -5869,19 +5869,19 @@ func TestSearchSize(t *testing.T) {
 		query = `
 		{
 			GlobalSearch(query:"testrepo:"){
-				Images { 
-					RepoName Tag LastUpdated Size 
+				Images {
+					RepoName Tag LastUpdated Size
 					Manifests{
 						Platform { Os Arch }
-						LastUpdated Size 
+						LastUpdated Size
 					}
 				}
 				Repos {
-					Name LastUpdated Size 
+					Name LastUpdated Size
 					NewestImage {
 						Manifests{
 							Platform { Os Arch }
-							LastUpdated Size 
+							LastUpdated Size
 						}
 					}
 				}
@@ -5905,14 +5905,14 @@ func TestSearchSize(t *testing.T) {
 		{
 			GlobalSearch(query:"testrepo"){
 				Images {
-					RepoName Tag LastUpdated Size 
+					RepoName Tag LastUpdated Size
 					Manifests{
 						Platform { Os Arch }
 						LastUpdated Size
-					} 
+					}
 				}
 				Repos {
-					Name LastUpdated Size 
+					Name LastUpdated Size
 					NewestImage {
 						Manifests{
 							Platform { Os Arch }
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"net/http"

-	notreg "github.com/notaryproject/notation-go/registry"
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
@@ -209,7 +208,7 @@ func getNotationManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor {
 	notaryManifests := []ispec.Descriptor{}

 	for _, ref := range ociRefs.Manifests {
-		if ref.ArtifactType == notreg.ArtifactTypeNotation {
+		if ref.ArtifactType == common.ArtifactTypeNotation {
 			notaryManifests = append(notaryManifests, ref)
 		}
 	}
@@ -12,7 +12,6 @@ import (
 	"time"

 	"github.com/docker/distribution/registry/storage/driver"
-	notreg "github.com/notaryproject/notation-go/registry"
 	godigest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/schema"
 	imeta "github.com/opencontainers/image-spec/specs-go"
@@ -714,7 +713,7 @@ func IsSignature(descriptor ispec.Descriptor) bool {
 		}

 		// is notation signature
-		if descriptor.ArtifactType == notreg.ArtifactTypeNotation {
+		if descriptor.ArtifactType == zcommon.ArtifactTypeNotation {
 			return true
 		}
 	default:
@@ -3,11 +3,10 @@ package storage
 import (
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"strings"

 	"github.com/docker/distribution/registry/storage/driver/factory"
-	"github.com/gobwas/glob"
-	notreg "github.com/notaryproject/notation-go/registry"
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"

@@ -232,14 +231,14 @@ func CheckIsImageSignature(repoName string, manifestBlob []byte, reference strin
 	manifestArtifactType := zcommon.GetManifestArtifactType(manifestContent)

 	// check notation signature
-	if manifestArtifactType == notreg.ArtifactTypeNotation && manifestContent.Subject != nil {
+	if manifestArtifactType == zcommon.ArtifactTypeNotation && manifestContent.Subject != nil {
 		return true, NotationType, manifestContent.Subject.Digest, nil
 	}

 	// check cosign
-	cosignTagRule := glob.MustCompile("sha256-*.sig")
+	cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`)

-	if tag := reference; cosignTagRule.Match(reference) {
+	if tag := reference; cosignTagRule.MatchString(reference) {
 		prefixLen := len("sha256-")
 		digestLen := 64
 		signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen]
@@ -13,7 +13,6 @@ import (
 	"strings"
 	"time"

-	notreg "github.com/notaryproject/notation-go/registry"
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"

@@ -233,7 +232,7 @@ func (olu BaseOciLayoutUtils) GetImageTagsWithTimestamp(repo string) ([]cvemodel
 // check notary signature corresponding to repo name, manifest digest and mediatype.
 func (olu BaseOciLayoutUtils) checkNotarySignature(name string, digest godigest.Digest) bool {
 	imageStore := olu.StoreController.GetImageStore(name)
-	mediaType := notreg.ArtifactTypeNotation
+	mediaType := common.ArtifactTypeNotation

 	referrers, err := imageStore.GetReferrers(name, digest, []string{mediaType})
 	if err != nil {