pubtools-quay

=============== pubtools-quay

Set of scripts used for operating with Quay service

Requirements

• Python 3.5+
• Skopeo is required for the tagging operation

Features

• pubtools-quay-tag-image - Copy a quay image from source to destination(s)
• pubtools-quay-merge-manifest-list - Merge manifest lists of new and old images. The architectures of new (source) image overwrite destination's archs. Archs missing from the source image will still remain in the merged manifest list. Destination image's manifest list is overwritten by the merged manifest list.
• pubtools-quay-untag - Remove tags from quay repositories. Tags to remove are specified by image references. In addition to Docker credentials, Quay API OAuth token has to be specified. Script will not perform the untagging operation if some image in a repo will lose its last tag. In this scenario, untagging can be forced by using the --remove-last argument.

Setup

::

$ pip install -r requirements.txt $ pip install . or $ python setup.py install

Usage

Locally copy an image from source to destination. Quay password is injected from the environment variable. ::

$ export QUAY_PASSWORD=token $ pubtools-quay-tag-image
--source-ref quay.io/source/image:34
--dest-ref quay.io/target/image:34
--quay-user quay+username \

Connect to a remote host via ssh (using password) and perform the copying to multiple destinations. ::

$ export QUAY_PASSWORD=token $ export SSH_PASSWORD=123456 $ pubtools-quay-tag-image
--source-ref quay.io/source/image:34
--dest-ref quay.io/target/image:34
--dest-ref quay.io/target/image2:34
--quay-user quay+username
--remote-exec
--ssh-remote-host 127.0.0.1
--ssh-remote-host-port 2222
--ssh-username user

Connect to a remote host via ssh (using private key), perform the copying ::

$ export QUAY_PASSWORD=token $ export SSH_PASSWORD=123456 $ pubtools-quay-tag-image
--source-ref quay.io/source/image:34
--dest-ref quay.io/target/image:34
--quay-user quay+username
--remote-exec
--ssh-remote-host 127.0.0.1
--ssh-remote-host-port 2222
--ssh-username user
--ssh-key-filename /path/to/file.key \

Merge manifest lists of source-ref and dest-ref and overwrite dest-ref with the result. ::

$ export QUAY_PASSWORD=token $ pubtools-quay-merge-manifest-list
--source-ref quay.io/src/image:1
--dest-ref quay.io/dest/image:1
--quay-user quay+username

Untag multiple images ::

$ export QUAY_PASSWORD=token $ export QUAY_API_TOKEN=oauth_token $ pubtools-quay-tag-image
--reference quay.io/src/image:1
--reference quay.io/src/image:2
--quay-user quay+username
--remote-exec
--ssh-remote-host 127.0.0.1
--ssh-remote-host-port 2222
--ssh-username user
--ssh-key-filename /path/to/file.key \

Untag an image and force the operation in case the tag is a last reference of some digest. ::

$ export QUAY_PASSWORD=token $ export QUAY_API_TOKEN=oauth_token $ pubtools-quay-tag-image
--reference quay.io/src/image:1
--remove-last
--quay-user quay+username \

ChangeLog

0.31.0 (2025-01-14)

• Check related image only for add-bundles

0.30.0 (2025-01-13)

• Disable stage check when removing arches
• Add additional tag to merged manifest list

0.29.0 (2024-11-20)

• Restore a tag only once

0.28.0 (2024-10-18)

• Support tagging OCI images
• Fix manifest list digest in tag docker

0.27.0 (2024-09-03)

• Create entrypoint iib-add-deprecations

0.26.2 (2024-07-19)

• Use tag reference in cosign identity

0.26.1 (2024-07-19)

• Bumped pubtools-sign dependency

0.26.0 (2024-07-18)

• Support multiple identities and tag annotations for cosign signing

0.25.0 (2024-06-24)

• Support pub_reference in SignEntry which translates to --sign-container-identity for cosign

0.24.0 (2024-06-05)

• Ensure that unusual cosign errors are raised
• Set pubtools-iib build-timeout argument based on target settings value
• Fix an issue where ML attestations are double encoded
• Add a retry to the attest command
• Ensure that a 404 error when deleting a tag is tolerated

0.23.0 (2024-05-29)

• Sort backup items by repo
• Support untagging OCI images
• Update log message to show the reference with bad manifest type

0.22.0 (2024-05-21)

Raise an error when manifest claims retry limit is reached Manifest is outdated if both old and new manifests have digests

0.21.0 (2024-05-17)

Fixed pushing index images to wrong namespace Fixed removing index image signatures when there are no non fbc operators

0.20.0 (2024-05-10)

• Fix SBOM publishing for the ML merge workflow
• Remove incompleteness_reasons field from SBOMs before publishing them

0.19.0 (2024-03-18)

• Support cosign signing for container images

0.18.0 (2024-03-18)

• Generate SBOM attestations for manifest lists

0.17.0 (2024-02-27)

• Should not call IIB if bundle is opted in fbc and targets OCP >=4.11

0.16.0 (2024-02-08)

• Instrument tracing for container push
• Add option to disable sending transparency logs to rekor

0.15.0 (2023-12-07)

• End task when IIB request fails
• Set AWS KMS credentials from target settings
• Fix a bug where 0 IIB builds cause a push to fail

0.14.0 (2023-10-17)

• Add --check-related-images option while calling iib-add-bundles
• Remove --skip-pulp argument when calling pubtools-iib

0.13.0 (2023-09-27)

• Implement workflow to push container security manifests
• Support prerelease floating tag
• Remove images created by cosign

0.12.1 (2023-09-13)

Allow radas messaging address to be formatable

0.12.0 (2023-07-25)

• Support pre-release containers
• Better error reporting for skopeo copy commands
• Local executor for tag-docker operatoin

0.11.3 (2023-07-25)

• Trigger building index images in parallel
• Make request session object per thread

0.11.2 (2023-07-10)

• Add logs for adding and removing signatures
• Remove less signatures
• Use hotfix tag to sign an hotfix index image

0.11.1 (2023-05-15)

• Make executor configurable
• Pin bandit version
• Add removing outdated signatures into task_status.jsonl

0.11.0 (2023-03-14)

• Fix race condition in parallel container pushes
• Delete signatures in parallel
• Do not execute iib operation on fbc errors
• Better error message when operator item fails due to fbc inconsistency
• Change FBC logic to not call IIB only when ocp_version >=4.13
• Unpin requests-mock version
• Set request threads for uploading signatures
• Reformatted with new tox version
• Added support for FBC operators
• Drop Python2 support
• Use namespace from index image target settings
• Make iib_deprecation_list_url optional target settings

0.10.4 (2022-10-04)

• Verify bundles presence
• Do not pass arches in IIB request

0.10.3 (2022-10-04)

• Push images to quay in multi-threads
• Added support for hotfix operators
• Use a random filename for the password file in containers
• Fix signatures removal

0.10.2 (2022-08-16)

• Use real task ID for tag docker signing
• Get intermediate repo from build details

0.10.1 (2022-6-17)

• Remove duplicate destinations when pushing docker
• Listen on specific sub topic on signing service

0.10.0 (2022-6-01)

• Fix arch of amd64 image
• Return empty manifest claims when there's nothing to sign
• Remove sorting of Push items
• Unpin the version of python-qpid-proton
• Remove created from claim message
• Change condition to not require hashing
• Push multiarch image when the current destination doesn't have a ML
• Poll for consistent results of whether a tag exists

0.9.3 (2022-04-01)

• Fixing signing issues
• Skip getting v2s1 digest for non-amd64 images
• Less skopeo login to source registry
• Tolerate get_manifest 404 in image untagger

0.9.2 (2022-03-02)

• Add a timeout to all HTTP requests
• Removed the option for entrypoints to send UMB messages

0.9.1 (2022-02-02)

• Fixed creating manifests for v2ch2 single arch containers

0.9.0 (2022-28-1)

• Support v2ch2 single arch containers
• Support v2ch1 containers
• Run rollback only when all index image builds fail
• Add retries to image tagging as a part of pushes
• Skip checking for repo deprecation based on value in target settings
• Support extra source host for quay operations
• Sign V2S1 manifests
• Tag index image timestamps with permanent index image as a source

0.8.3 (2021-10-6)

• Fix the usage of overwrite from index

0.8.2 (2021-10-6)

• Make deprecation list functionality optional

0.8.1 (2021-10-5)

• Disable sending UMB messages for taggign and untagging images

0.8.0 (2021-9-7)

• Use SSL certificates for Pyxis authentication
• Remove duplicate digests when getting signatures from Pyxis
• Remove return of push_docker entrypoint

0.7.2 (2021-8-23)

• Don't raise 404 errors when deleting tags during rollback

0.7.1 (2021-8-20)

• Fix installation of 'docker' dependency on Python 2.6

0.7.0 (2021-8-18)

• Add hooks to declare events of interest
• Create documentation
• Add option to execute commands inside a container
• Add pagination support for getting all tags via Docker HTTP API
• Capture IIB operation exception
• Get index image manifests with its own token
• Lower python-qpid-proton version

0.6.0 (2021-7-14)

• Create entrypoint for removing a Quay repo
• Create entrypoint for clearing a Quay repo
• Add signature removal to tag-docker operations
• Drop unnecessary 'external_repos'
• Add using extra Quay tokens for OSBS organizations
• Allow specifying multiple repos in remove-repo and clear-repo tasks
• Skip signing when no operator claim messages are constructed
• Add support for delimeter-less repositories
• Change "repo" parameter of claim messages to have external representation
• Fix loggers per pubtools conventions
• Check username in output of skopeo --get-login
• Remove the usage of Quay API reading repo data
• Add signature removal for IIB operations
• Update sigstore to be up-to-date with current implementation
• Allow pushing to non-existent repo

0.5.0 (2021-6-2)

• Fix intermediate index image
• Implement tag docker
• Add skip to signing if signing key is None
• Fix pub XMLRPC call
• Implement entrypoints for IIB methods

0.4.0 (2021-5-4)

• Implement push-docker prototype
• Change signing order to happen before pushing
• Use intermediate index image for signing

0.3.0 (2021-2-11)

• Fix the versioning constraint of pyrsistent dependency

0.2.0 (2021-2-9)

• Fix the definition of requirements.txt, allowing installation on Python 2.6

0.1.0 (2021-2-9)

• Initial release.
• Added tag image entrypoint
• Added merge manifest list entrypoint
• Added push docker code skeleton