twothatIT
dee07d7b8e
The Docker Hub REST API returns per-platform manifest digests, while
docker image inspect RepoDigests stores the manifest list digest.
These two values never match, causing update_available to always be
True even after a fresh pull.
Fix: use registry-1.docker.io/v2/{name}/manifests/{tag} with anonymous
auth and read the Docker-Content-Digest response header, which is the
exact same digest that docker pull stores in RepoDigests.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
268 lines
9.7 KiB
Python
268 lines
9.7 KiB
Python
"""NetBird Docker image update service.
|
|
|
|
Compares locally pulled images against Docker Hub to detect available updates.
|
|
Provides pull and per-customer container recreation functions without data loss.
|
|
"""
|
|
|
|
import asyncio
|
|
import json
|
|
import logging
|
|
import os
|
|
import subprocess
|
|
from typing import Any
|
|
|
|
import httpx
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Services that make up a customer's NetBird deployment
|
|
NETBIRD_SERVICES = ["management", "signal", "relay", "dashboard"]
|
|
|
|
|
|
async def _run_cmd(cmd: list[str], timeout: int = 300) -> subprocess.CompletedProcess:
|
|
"""Run a subprocess command without blocking the event loop."""
|
|
loop = asyncio.get_event_loop()
|
|
return await loop.run_in_executor(
|
|
None,
|
|
lambda: subprocess.run(cmd, capture_output=True, text=True, timeout=timeout),
|
|
)
|
|
|
|
|
|
def _parse_image_name(image: str) -> tuple[str, str]:
|
|
"""Split 'repo/name:tag' into ('repo/name', 'tag'). Defaults tag to 'latest'."""
|
|
if ":" in image:
|
|
name, tag = image.rsplit(":", 1)
|
|
else:
|
|
name, tag = image, "latest"
|
|
return name, tag
|
|
|
|
|
|
async def get_hub_digest(image: str) -> str | None:
|
|
"""Fetch the manifest-list digest from the Docker Registry v2 API.
|
|
|
|
Uses anonymous auth against registry-1.docker.io — does NOT pull the image.
|
|
Returns the Docker-Content-Digest header value (sha256:...) which is identical
|
|
to the digest stored in local RepoDigests after a pull, enabling correct comparison.
|
|
"""
|
|
name, tag = _parse_image_name(image)
|
|
try:
|
|
async with httpx.AsyncClient(timeout=15) as client:
|
|
# Step 1: obtain anonymous pull token
|
|
token_resp = await client.get(
|
|
"https://auth.docker.io/token",
|
|
params={"service": "registry.docker.io", "scope": f"repository:{name}:pull"},
|
|
)
|
|
if token_resp.status_code != 200:
|
|
logger.warning("Failed to get registry token for %s", image)
|
|
return None
|
|
token = token_resp.json().get("token")
|
|
|
|
# Step 2: fetch manifest — prefer manifest list (multi-arch) so the digest
|
|
# matches what `docker pull` stores in RepoDigests.
|
|
manifest_resp = await client.get(
|
|
f"https://registry-1.docker.io/v2/{name}/manifests/{tag}",
|
|
headers={
|
|
"Authorization": f"Bearer {token}",
|
|
"Accept": (
|
|
"application/vnd.docker.distribution.manifest.list.v2+json, "
|
|
"application/vnd.oci.image.index.v1+json, "
|
|
"application/vnd.docker.distribution.manifest.v2+json"
|
|
),
|
|
},
|
|
)
|
|
if manifest_resp.status_code != 200:
|
|
logger.warning("Registry API returned %d for %s", manifest_resp.status_code, image)
|
|
return None
|
|
|
|
# The Docker-Content-Digest header is the canonical digest
|
|
digest = manifest_resp.headers.get("docker-content-digest")
|
|
if digest:
|
|
return digest
|
|
return None
|
|
except Exception as exc:
|
|
logger.warning("Failed to fetch registry digest for %s: %s", image, exc)
|
|
return None
|
|
|
|
|
|
def get_local_digest(image: str) -> str | None:
|
|
"""Get the RepoDigest for a locally pulled image.
|
|
|
|
Returns the digest (sha256:...) or None if image not found locally.
|
|
"""
|
|
try:
|
|
result = subprocess.run(
|
|
["docker", "image", "inspect", image, "--format", "{{json .RepoDigests}}"],
|
|
capture_output=True, text=True, timeout=10,
|
|
)
|
|
if result.returncode != 0:
|
|
return None
|
|
digests = json.loads(result.stdout.strip())
|
|
if not digests:
|
|
return None
|
|
# RepoDigests look like "netbirdio/management@sha256:abc..."
|
|
for d in digests:
|
|
if "@" in d:
|
|
return d.split("@", 1)[1]
|
|
return None
|
|
except Exception as exc:
|
|
logger.warning("Failed to inspect local image %s: %s", image, exc)
|
|
return None
|
|
|
|
|
|
def get_container_image_id(container_name: str) -> str | None:
|
|
"""Get the full image ID (sha256:...) of a running or stopped container."""
|
|
try:
|
|
result = subprocess.run(
|
|
["docker", "inspect", container_name, "--format", "{{.Image}}"],
|
|
capture_output=True, text=True, timeout=10,
|
|
)
|
|
if result.returncode != 0:
|
|
return None
|
|
return result.stdout.strip() or None
|
|
except Exception:
|
|
return None
|
|
|
|
|
|
def get_local_image_id(image: str) -> str | None:
|
|
"""Get the full image ID (sha256:...) of a locally stored image."""
|
|
try:
|
|
result = subprocess.run(
|
|
["docker", "image", "inspect", image, "--format", "{{.Id}}"],
|
|
capture_output=True, text=True, timeout=10,
|
|
)
|
|
if result.returncode != 0:
|
|
return None
|
|
return result.stdout.strip() or None
|
|
except Exception:
|
|
return None
|
|
|
|
|
|
async def check_image_status(image: str) -> dict[str, Any]:
|
|
"""Check whether a configured image has an update available on Docker Hub.
|
|
|
|
Returns a dict with:
|
|
image: the image name:tag
|
|
local_digest: digest of locally cached image (or None)
|
|
hub_digest: latest digest from Docker Hub (or None)
|
|
update_available: True if hub_digest differs from local_digest
|
|
"""
|
|
hub_digest, local_digest = await asyncio.gather(
|
|
get_hub_digest(image),
|
|
asyncio.get_event_loop().run_in_executor(None, get_local_digest, image),
|
|
)
|
|
|
|
if hub_digest and local_digest:
|
|
update_available = hub_digest != local_digest
|
|
elif hub_digest and not local_digest:
|
|
# Image not pulled locally yet — needs pull
|
|
update_available = True
|
|
else:
|
|
update_available = False
|
|
|
|
return {
|
|
"image": image,
|
|
"local_digest": local_digest,
|
|
"hub_digest": hub_digest,
|
|
"update_available": update_available,
|
|
}
|
|
|
|
|
|
async def check_all_images(config) -> dict[str, Any]:
|
|
"""Check all 4 configured NetBird images for available updates.
|
|
|
|
Returns a dict with:
|
|
images: dict mapping image name -> status dict
|
|
any_update_available: bool
|
|
"""
|
|
images = [
|
|
config.netbird_management_image,
|
|
config.netbird_signal_image,
|
|
config.netbird_relay_image,
|
|
config.netbird_dashboard_image,
|
|
]
|
|
results = await asyncio.gather(*[check_image_status(img) for img in images])
|
|
by_image = {r["image"]: r for r in results}
|
|
any_update = any(r["update_available"] for r in results)
|
|
return {"images": by_image, "any_update_available": any_update}
|
|
|
|
|
|
async def pull_image(image: str) -> dict[str, Any]:
|
|
"""Pull a Docker image. Returns success/error dict."""
|
|
logger.info("Pulling image: %s", image)
|
|
result = await _run_cmd(["docker", "pull", image], timeout=600)
|
|
if result.returncode != 0:
|
|
logger.error("Failed to pull %s: %s", image, result.stderr)
|
|
return {"image": image, "success": False, "error": result.stderr[:500]}
|
|
return {"image": image, "success": True}
|
|
|
|
|
|
async def pull_all_images(config) -> dict[str, Any]:
|
|
"""Pull all 4 configured NetBird images. Returns results per image."""
|
|
images = [
|
|
config.netbird_management_image,
|
|
config.netbird_signal_image,
|
|
config.netbird_relay_image,
|
|
config.netbird_dashboard_image,
|
|
]
|
|
results = await asyncio.gather(*[pull_image(img) for img in images])
|
|
return {
|
|
"results": {r["image"]: r for r in results},
|
|
"all_success": all(r["success"] for r in results),
|
|
}
|
|
|
|
|
|
def get_customer_container_image_status(container_prefix: str, config) -> dict[str, Any]:
|
|
"""Check which service containers are running outdated local images.
|
|
|
|
Compares each running container's image ID against the locally stored image ID
|
|
for the configured image tag. This is a local check — no network call.
|
|
|
|
Returns:
|
|
services: dict mapping service name to status info
|
|
needs_update: True if any service has a different image ID than locally stored
|
|
"""
|
|
service_images = {
|
|
"management": config.netbird_management_image,
|
|
"signal": config.netbird_signal_image,
|
|
"relay": config.netbird_relay_image,
|
|
"dashboard": config.netbird_dashboard_image,
|
|
}
|
|
services: dict[str, Any] = {}
|
|
for svc, image in service_images.items():
|
|
container_name = f"{container_prefix}-{svc}"
|
|
container_id = get_container_image_id(container_name)
|
|
local_id = get_local_image_id(image)
|
|
if container_id and local_id:
|
|
up_to_date = container_id == local_id
|
|
else:
|
|
up_to_date = None # container not running or image not pulled
|
|
services[svc] = {
|
|
"container": container_name,
|
|
"image": image,
|
|
"up_to_date": up_to_date,
|
|
}
|
|
needs_update = any(s["up_to_date"] is False for s in services.values())
|
|
return {"services": services, "needs_update": needs_update}
|
|
|
|
|
|
async def update_customer_containers(instance_dir: str, project_name: str) -> dict[str, Any]:
|
|
"""Recreate customer containers to pick up newly pulled images.
|
|
|
|
Runs `docker compose up -d` in the customer's instance directory.
|
|
Images must already be pulled. Bind-mounted data is preserved — no data loss.
|
|
"""
|
|
compose_file = os.path.join(instance_dir, "docker-compose.yml")
|
|
if not os.path.isfile(compose_file):
|
|
return {"success": False, "error": f"docker-compose.yml not found at {compose_file}"}
|
|
cmd = [
|
|
"docker", "compose",
|
|
"-f", compose_file,
|
|
"-p", project_name,
|
|
"up", "-d", "--remove-orphans",
|
|
]
|
|
logger.info("Updating containers for %s", project_name)
|
|
result = await _run_cmd(cmd, timeout=300)
|
|
if result.returncode != 0:
|
|
return {"success": False, "error": result.stderr[:1000]}
|
|
return {"success": True}
|