vouch-opensource
diff --git a/‎docs/packages.md‎
Lines changed: 32 additions & 3 deletions b/‎docs/packages.md‎
Lines changed: 32 additions & 3 deletions
diff --git a/‎src/cmd/linuxkit/cache/find.go‎
Lines changed: 22 additions & 0 deletions b/‎src/cmd/linuxkit/cache/find.go‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/cmd/linuxkit/cache/nopcloserwriter.go‎
Lines changed: 22 additions & 0 deletions b/‎src/cmd/linuxkit/cache/nopcloserwriter.go‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/cmd/linuxkit/cache/pull.go‎
Lines changed: 10 additions & 0 deletions b/‎src/cmd/linuxkit/cache/pull.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/cmd/linuxkit/cache/push.go‎
Lines changed: 85 additions & 0 deletions b/‎src/cmd/linuxkit/cache/push.go‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎src/cmd/linuxkit/cache/source.go‎
Lines changed: 9 additions & 1 deletion b/‎src/cmd/linuxkit/cache/source.go‎
Lines changed: 9 additions & 1 deletion
@@ -23,7 +23,7 @@ We do not want the builds to happen with each CI run for two reasons:
 1. It is slower to do a package build than to just pull the latest image.
 2. If any of the steps of the build fails, e.g. a `curl` download that depends on an intermittent target, it can cause all of CI to fail.
 
-Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit package push`.
+Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit pkg push`.
 
 
 ## Package source
@@ -54,8 +54,8 @@ A package source consists of a directory containing at least two files:
 ### Prerequisites
 
 Before you can build packages you need:
-- Docker version 17.06 or newer. If you are on a Mac you also need
-  `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
+- Docker version 19.03 or newer, which includes [buildx](https://docs.docker.com/buildx/working-with-buildx/)
+- If you are on a Mac you also need `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
 - `make`, `notary`, `base64`, `jq`, and `expect`
 - A *recent* version of `manifest-tool` which you can build with `make
   bin/manifest-tool`, or `go get github.com:estesp/manifest-tool`, or
@@ -67,6 +67,35 @@ Further, when building packages you need to be logged into hub with
 `docker login` as some of the tooling extracts your hub credentials
 during the build.
 
+### Build Targets
+
+LinuxKit builds packages as docker images. It deposits the built package as a docker image in one of two targets:
+
+* the linuxkit cache `~/.linuxkit/` (configurable) - default option
+* the docker image cache
+
+If you want to build images and test and run them _in a standalone_ fashion locally, then you should pick the docker image cache. Otherwise, you should use the default linuxkit cache. LinuxKit defaults to building OS images using docker images from this cache,\
+only looking in the docker cache if instructed to via `linuxkit build --docker`.
+
+When using the linuxkit cache as the package build target, it creates all of the layers, the manifest that can be uploaded
+to a registry, and the multi-architecture index. If an image already exists for a different architecture in the cache,
+it updates the index to include additional manifests created.
+
+As of this writing, `linuxkit pkg build` only builds packages for the platform on which it is running; it does not (yet) support cross-building the packages for other architectures.
+
+Note that the local docker option is available _only_ when building without pushing to a remote registry, i.e.:
+
+```
+linuxkit pkg build
+linuxkit pkg build --docker
+```
+
+If you push to a registry, it _always_ uses the linuxkit cache only:
+
+```
+linuxkit pkg push
+```
+
 ### Build packages as a maintainer
 
 If you have write access to the `linuxkit` organisation on hub, you
 
@@ -48,3 +48,25 @@ func findImage(p layout.Path, imageName, architecture string) (v1.Image, error)
 	}
 	return nil, fmt.Errorf("no image found for %s", imageName)
 }
+
+// FindDescriptor get the first descriptor pointed to by the image name
+func FindDescriptor(dir string, name string) (*v1.Descriptor, error) {
+	p, err := Get(dir)
+	if err != nil {
+		return nil, err
+	}
+	index, err := p.ImageIndex()
+	// if there is no root index, we are broken
+	if err != nil {
+		return nil, fmt.Errorf("invalid image cache: %v", err)
+	}
+
+	descs, err := partial.FindManifests(index, match.Name(name))
+	if err != nil {
+		return nil, err
+	}
+	if len(descs) < 1 {
+		return nil, nil
+	}
+	return &descs[0], nil
+}
@@ -0,0 +1,22 @@
+package cache
+
+import (
+	"io"
+)
+
+type nopCloserWriter struct {
+	writer io.Writer
+}
+
+func (n nopCloserWriter) Write(b []byte) (int, error) {
+	return n.writer.Write(b)
+}
+
+func (n nopCloserWriter) Close() error {
+	return nil
+}
+
+// NopCloserWriter wrap an io.Writer with a no-op Closer
+func NopCloserWriter(writer io.Writer) io.WriteCloser {
+	return nopCloserWriter{writer}
+}
@@ -5,6 +5,7 @@ import (
 
 	"github.com/containerd/containerd/reference"
 	"github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
 	"github.com/google/go-containerregistry/pkg/v1/validate"
 )
 
@@ -15,17 +16,24 @@ func ValidateImage(ref *reference.Spec, cacheDir, architecture string) (ImageSou
 		imageIndex v1.ImageIndex
 		image      v1.Image
 		imageName  = ref.String()
+		desc       *v1.Descriptor
 	)
 	// next try the local cache
 	root, err := FindRoot(cacheDir, imageName)
 	if err == nil {
 		img, err := root.Image()
 		if err == nil {
 			image = img
+			if desc, err = partial.Descriptor(img); err != nil {
+				return ImageSource{}, errors.New("image could not create valid descriptor")
+			}
 		} else {
 			ii, err := root.ImageIndex()
 			if err == nil {
 				imageIndex = ii
+				if desc, err = partial.Descriptor(ii); err != nil {
+					return ImageSource{}, errors.New("index could not create valid descriptor")
+				}
 			}
 		}
 	}
@@ -45,6 +53,7 @@ func ValidateImage(ref *reference.Spec, cacheDir, architecture string) (ImageSou
 				ref,
 				cacheDir,
 				architecture,
+				desc,
 			), nil
 		}
 		return ImageSource{}, errors.New("invalid index")
@@ -55,6 +64,7 @@ func ValidateImage(ref *reference.Spec, cacheDir, architecture string) (ImageSou
 				ref,
 				cacheDir,
 				architecture,
+				desc,
 			), nil
 		}
 		return ImageSource{}, errors.New("invalid image")
 
@@ -0,0 +1,85 @@
+package cache
+
+import (
+	"fmt"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	namepkg "github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/registry"
+)
+
+// PushWithManifest push an image along with, optionally, a multi-arch index.
+func PushWithManifest(dir string, name, suffix string, pushImage, pushManifest, trust, sign bool) error {
+	var (
+		digest  string
+		l       int
+		err     error
+		options []remote.Option
+	)
+	p, err := Get(dir)
+	if err != nil {
+		return err
+	}
+
+	imageName := name + suffix
+	ref, err := namepkg.ParseReference(imageName)
+	if err != nil {
+		return err
+	}
+
+	if pushImage {
+		fmt.Printf("Pushing %s\n", imageName)
+		// do we even have the given one?
+		root, err := findRootFromLayout(p, imageName)
+		if err != nil {
+			return err
+		}
+		options = append(options, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+		img, err1 := root.Image()
+		ii, err2 := root.ImageIndex()
+		switch {
+		case err1 == nil:
+			if err := remote.Write(ref, img, options...); err != nil {
+				return err
+			}
+			fmt.Printf("Pushed image %s\n", imageName)
+		case err2 == nil:
+			if err := remote.WriteIndex(ref, ii, options...); err != nil {
+				return err
+			}
+			fmt.Printf("Pushed index %s\n", imageName)
+		default:
+			return fmt.Errorf("name %s unknown in cache", imageName)
+		}
+	} else {
+		fmt.Print("Image push disabled, skipping...\n")
+	}
+
+	auth, err := registry.GetDockerAuth()
+	if err != nil {
+		return fmt.Errorf("failed to get auth: %v", err)
+	}
+
+	if pushManifest {
+		fmt.Printf("Pushing %s to manifest %s\n", imageName, name)
+		digest, l, err = registry.PushManifest(imageName, auth)
+		if err != nil {
+			return err
+		}
+	} else {
+		fmt.Print("Manifest push disabled, skipping...\n")
+	}
+
+	// if trust is not enabled, nothing more to do
+	if !trust {
+		fmt.Println("trust disabled, not signing")
+		return nil
+	}
+	if !sign {
+		fmt.Println("signing disabled, not signing")
+		return nil
+	}
+	fmt.Printf("Signing manifest for %s\n", imageName)
+	return registry.SignTag(name, digest, l, auth)
+}
@@ -6,6 +6,7 @@ import (
 	"io"
 
 	"github.com/containerd/containerd/reference"
+	"github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -17,16 +18,18 @@ type ImageSource struct {
 	ref          *reference.Spec
 	cache        layout.Path
 	architecture string
+	descriptor   *v1.Descriptor
 }
 
 // NewSource return an ImageSource for a specific ref and architecture in the given
 // cache directory.
-func NewSource(ref *reference.Spec, dir string, architecture string) ImageSource {
+func NewSource(ref *reference.Spec, dir string, architecture string, descriptor *v1.Descriptor) ImageSource {
 	p, _ := Get(dir)
 	return ImageSource{
 		ref:          ref,
 		cache:        p,
 		architecture: architecture,
+		descriptor:   descriptor,
 	}
 }
 
@@ -67,3 +70,8 @@ func (c ImageSource) TarReader() (io.ReadCloser, error) {
 
 	return mutate.Extract(image), nil
 }
+
+// Descriptor return the descriptor of the image.
+func (c ImageSource) Descriptor() *v1.Descriptor {
+	return c.descriptor
+}