common

package
v0.0.0-...-33fd75f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 18, 2025 License: MIT Imports: 24 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	ClipHeaderLength            = 54
	ClipFileFormatVersion uint8 = 0x01
	ClipChecksumLength    int64 = 8
)

Variables

View Source 
var (
	ErrFileHeaderMismatch = errors.New("unexpected file header")
	ErrCrcMismatch        = errors.New("crc64 mismatch")
	ErrMissingArchiveRoot = errors.New("no root node found")
)
View Source 
var ClipFileStartBytes []byte = []byte{0x89, 0x43, 0x4C, 0x49, 0x50, 0x0D, 0x0A, 0x1A, 0x0A}
View Source 
var (
	// ErrNoCredentials indicates that no credentials are available for the requested registry
	ErrNoCredentials = errors.New("no credentials available")
)

Functions

func DialContextIPv6 

func DialContextIPv6(ctx context.Context, network, address string) (net.Conn, error)

func IsIPv6Available 

func IsIPv6Available() bool

func NearestCheckpoint 

func NearestCheckpoint(checkpoints []GzipCheckpoint, wantU int64) (cOff, uOff int64)

NearestCheckpoint finds the checkpoint with the largest UOff <= wantU This enables efficient seeking by finding the best checkpoint to decompress from Uses binary search for O(log n) performance

func ParseCredentialsFromJSON 

func ParseCredentialsFromJSON(credStr string) (map[string]string, error)

ParseCredentialsFromJSON parses credentials from JSON string or username:password format Returns structured credentials as a map Handles multiple formats: 1. Beta9 format: {"credentials": {...}, "registry": "...", "type": "..."} 2. Nested JSON strings: {"PASSWORD": "{\"AWS_ACCESS_KEY_ID\":\"...\"}"} 3. Flat JSON: {"USERNAME": "user", "PASSWORD": "pass"} 4. Legacy: "username:password"

Types

type AWSCredentialProvider 

type AWSCredentialProvider struct {
	// contains filtered or unexported fields
}

AWSCredentialProvider provides credentials for any AWS-based registry by setting env vars and using the keychain provider (which handles ECR, etc.)

func NewAWSCredentialProvider 

func NewAWSCredentialProvider(accessKey, secretKey, sessionToken, region, registryPattern string) *AWSCredentialProvider

NewAWSCredentialProvider creates a provider that uses AWS credentials with the keychain

func (*AWSCredentialProvider) GetCredentials 

func (p *AWSCredentialProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*AWSCredentialProvider) Name 

func (p *AWSCredentialProvider) Name() string

type BlockType 

type BlockType byte
const (
	BlockTypeFile BlockType = iota
)

type CachingProvider 

type CachingProvider struct {
	// contains filtered or unexported fields
}

CachingProvider wraps another provider with caching and TTL support This is useful for short-lived tokens (ECR, GCR) that need periodic refresh

func NewCachingProvider 

func NewCachingProvider(base RegistryCredentialProvider, ttl time.Duration) *CachingProvider

NewCachingProvider creates a provider that caches credentials with a TTL

func (*CachingProvider) GetCredentials 

func (p *CachingProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*CachingProvider) Name 

func (p *CachingProvider) Name() string

type CallbackProvider 

type CallbackProvider struct {
	// contains filtered or unexported fields
}

CallbackProvider allows custom credential resolution logic

func NewCallbackProvider 

func NewCallbackProvider(callback func(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)) *CallbackProvider

NewCallbackProvider creates a provider with custom resolution logic

func NewCallbackProviderWithName 

func NewCallbackProviderWithName(name string, callback func(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)) *CallbackProvider

NewCallbackProviderWithName creates a named callback provider

func (*CallbackProvider) GetCredentials 

func (p *CallbackProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*CallbackProvider) Name 

func (p *CallbackProvider) Name() string

type ChainedProvider 

type ChainedProvider struct {
	// contains filtered or unexported fields
}

ChainedProvider tries multiple providers in order until one succeeds

func NewChainedProvider 

func NewChainedProvider(providers ...RegistryCredentialProvider) *ChainedProvider

NewChainedProvider creates a provider that tries each provider in order

func (*ChainedProvider) GetCredentials 

func (p *ChainedProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*ChainedProvider) Name 

func (p *ChainedProvider) Name() string

type ClipArchiveHeader 

type ClipArchiveHeader struct {
	StartBytes            [9]byte
	ClipFileFormatVersion uint8
	IndexLength           int64
	IndexPos              int64
	StorageInfoLength     int64
	StorageInfoPos        int64
	StorageInfoType       [12]byte
}

type ClipArchiveMetadata 

type ClipArchiveMetadata struct {
	Header      ClipArchiveHeader
	Index       *btree.BTree
	StorageInfo ClipStorageInfo
}

func (*ClipArchiveMetadata) Get 

func (m *ClipArchiveMetadata) Get(path string) *ClipNode

func (*ClipArchiveMetadata) Insert 

func (m *ClipArchiveMetadata) Insert(node *ClipNode)

func (*ClipArchiveMetadata) ListDirectory 

func (m *ClipArchiveMetadata) ListDirectory(path string) []fuse.DirEntry

type ClipNode 

type ClipNode struct {
	NodeType    ClipNodeType
	Path        string
	Attr        fuse.Attr
	Target      string
	ContentHash string

	// Legacy fields (keep for back-compat):
	DataPos int64 // Position of the nodes data in the final binary
	DataLen int64 // Length of the nodes data

	// New (v2 read path):
	Remote *RemoteRef
}

func (*ClipNode) IsDir 

func (n *ClipNode) IsDir() bool

IsDir returns true if the ClipNode represents a directory. 

func (n *ClipNode) IsSymlink() bool

IsSymlink returns true if the ClipNode represents a symlink.

type ClipNodeType 

type ClipNodeType string
const (
	DirNode     ClipNodeType = "dir"
	FileNode    ClipNodeType = "file"
	SymLinkNode ClipNodeType = "symlink"
)

type ClipStorageInfo 

type ClipStorageInfo interface {
	Type() string
	Encode() ([]byte, error)
}

type CredentialType 

type CredentialType string

CredentialType represents different types of registry credentials 

const (
	CredTypePublic  CredentialType = "public"
	CredTypeBasic   CredentialType = "basic"
	CredTypeAWS     CredentialType = "aws"
	CredTypeGCP     CredentialType = "gcp"
	CredTypeAzure   CredentialType = "azure"
	CredTypeToken   CredentialType = "token"
	CredTypeUnknown CredentialType = "unknown"
)

func DetectCredentialType 

func DetectCredentialType(registry string, creds map[string]string) CredentialType

DetectCredentialType determines the type of credentials based on the registry and credential keys

type DockerConfigProvider 

type DockerConfigProvider struct {
	// contains filtered or unexported fields
}

DockerConfigProvider reads credentials from Docker's config.json

func NewDockerConfigProvider 

func NewDockerConfigProvider(configPath string) *DockerConfigProvider

NewDockerConfigProvider creates a provider that reads from Docker config If configPath is empty, uses default location (~/.docker/config.json or $DOCKER_CONFIG)

func (*DockerConfigProvider) GetCredentials 

func (p *DockerConfigProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*DockerConfigProvider) Name 

func (p *DockerConfigProvider) Name() string

type ECRProvider 

type ECRProvider struct {
	// contains filtered or unexported fields
}

ECRProvider provides AWS ECR credentials by calling the ECR GetAuthorizationToken API This provider handles AWS ECR registries and fetches temporary tokens dynamically

func NewECRProvider 

func NewECRProvider(config ECRProviderConfig) *ECRProvider

NewECRProvider creates a provider that fetches ECR authorization tokens

func (*ECRProvider) GetCredentials 

func (p *ECRProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*ECRProvider) Name 

func (p *ECRProvider) Name() string

type ECRProviderConfig 

type ECRProviderConfig struct {
	AWSAccessKey    string
	AWSSecretKey    string
	AWSSessionToken string // optional
	AWSRegion       string
	RegistryPattern string        // optional, defaults to "*.dkr.ecr.*.amazonaws.com"
	CacheTTL        time.Duration // optional, defaults to 11 hours (ECR tokens valid for 12h)
}

ECRProviderConfig configures an ECR provider

type EnvProvider 

type EnvProvider struct{}

EnvProvider reads credentials from environment variables Supports multiple formats:

  • CLIP_REGISTRY_USER_<HOST> / CLIP_REGISTRY_PASS_<HOST>
  • CLIP_OCI_AUTH (JSON format)

func NewEnvProvider 

func NewEnvProvider() *EnvProvider

func (*EnvProvider) GetCredentials 

func (p *EnvProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*EnvProvider) Name 

func (p *EnvProvider) Name() string

type GzipCheckpoint 

type GzipCheckpoint struct {
	COff int64 // Compressed offset
	UOff int64 // Uncompressed offset
}

Gzip decompression index (zran-style checkpoints)

type GzipIndex 

type GzipIndex struct {
	LayerDigest string
	Checkpoints []GzipCheckpoint // Checkpoint every ~2–4 MiB of uncompressed output
}

type ImageMetadata 

type ImageMetadata struct {
	// Image identification
	Name   string `json:"Name"`   // Full image reference (e.g., docker.io/library/alpine:3.18)
	Digest string `json:"Digest"` // Image manifest digest

	// Image configuration
	RepoTags      []string          `json:"RepoTags,omitempty"`
	Created       time.Time         `json:"Created"`
	DockerVersion string            `json:"DockerVersion,omitempty"`
	Labels        map[string]string `json:"Labels,omitempty"`
	Architecture  string            `json:"Architecture"`
	Os            string            `json:"Os"`
	Variant       string            `json:"Variant,omitempty"`
	Author        string            `json:"Author,omitempty"`

	// Runtime configuration
	Env          []string            `json:"Env,omitempty"`
	Cmd          []string            `json:"Cmd,omitempty"`
	Entrypoint   []string            `json:"Entrypoint,omitempty"`
	User         string              `json:"User,omitempty"`
	WorkingDir   string              `json:"WorkingDir,omitempty"`
	ExposedPorts map[string]struct{} `json:"ExposedPorts,omitempty"`
	Volumes      map[string]struct{} `json:"Volumes,omitempty"`
	StopSignal   string              `json:"StopSignal,omitempty"`

	// Layer information
	Layers     []string        `json:"Layers"`     // Layer digests
	LayersData []LayerMetadata `json:"LayersData"` // Detailed layer information
}

ImageMetadata contains comprehensive metadata about the OCI image This is embedded in the index to avoid runtime lookups

type KeychainProvider 

type KeychainProvider struct {
	// contains filtered or unexported fields
}

KeychainProvider wraps go-containerregistry's keychain (supports Docker, GCR, ECR, etc.)

func NewKeychainProvider 

func NewKeychainProvider() *KeychainProvider

NewKeychainProvider creates a provider using go-containerregistry's default keychain This automatically handles Docker config, GCR, ECR, and other standard auth methods

func (*KeychainProvider) GetCredentials 

func (p *KeychainProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*KeychainProvider) Name 

func (p *KeychainProvider) Name() string

type LayerMetadata 

type LayerMetadata struct {
	MIMEType    string            `json:"MIMEType"`
	Digest      string            `json:"Digest"`
	Size        int64             `json:"Size"`
	Annotations map[string]string `json:"Annotations,omitempty"`
}

LayerMetadata contains information about an individual OCI layer

type Metrics 

type Metrics struct {

	// Range GET metrics
	RangeGetBytesTotal   map[string]int64 // digest -> bytes fetched
	RangeGetRequestTotal map[string]int64 // digest -> request count

	// Inflate CPU metrics
	InflateCPUSecondsTotal float64

	// Read path metrics
	ReadHitsTotal   int64
	ReadMissesTotal int64

	// First exec metrics
	FirstExecStartTime time.Time
	FirstExecDuration  time.Duration

	// Layer metrics
	LayerAccessCount map[string]int64 // digest -> access count
	// contains filtered or unexported fields
}

Metrics for performance and usage

func GetGlobalMetrics 

func GetGlobalMetrics() *Metrics

GetGlobalMetrics returns the global metrics instance

func NewMetrics 

func NewMetrics() *Metrics

NewMetrics creates a new metrics collector

func (*Metrics) GetStats 

func (m *Metrics) GetStats() MetricsSnapshot

GetStats returns a snapshot of current statistics

func (*Metrics) RecordFirstExecEnd 

func (m *Metrics) RecordFirstExecEnd()

RecordFirstExecEnd records the end of the first execution

func (*Metrics) RecordFirstExecStart 

func (m *Metrics) RecordFirstExecStart()

RecordFirstExec records the start of the first execution

func (*Metrics) RecordInflateCPU 

func (m *Metrics) RecordInflateCPU(duration time.Duration)

RecordInflateCPU records CPU time spent inflating

func (*Metrics) RecordLayerAccess 

func (m *Metrics) RecordLayerAccess(digest string)

RecordLayerAccess records access to a specific layer

func (*Metrics) RecordRangeGet 

func (m *Metrics) RecordRangeGet(digest string, bytesRead int64)

RecordRangeGet records a range GET operation

func (*Metrics) RecordReadHit 

func (m *Metrics) RecordReadHit()

RecordReadHit records a cache hit

func (*Metrics) RecordReadMiss 

func (m *Metrics) RecordReadMiss()

RecordReadMiss records a cache miss

type MetricsSnapshot 

type MetricsSnapshot struct {
	RangeGetBytesTotal     map[string]int64
	RangeGetRequestTotal   map[string]int64
	InflateCPUSecondsTotal float64
	ReadHitsTotal          int64
	ReadMissesTotal        int64
	FirstExecDuration      time.Duration
	LayerAccessCount       map[string]int64
}

MetricsSnapshot is a point-in-time snapshot of metrics

func (*MetricsSnapshot) PrintSummary 

func (s *MetricsSnapshot) PrintSummary()

PrintSummary prints a human-readable summary of metrics

type OCIStorageInfo 

type OCIStorageInfo struct {
	RegistryURL             string
	Repository              string
	Reference               string // tag or digest
	Layers                  []string
	GzipIdxByLayer          map[string]*GzipIndex // per-layer gzip decompression index
	ZstdIdxByLayer          map[string]*ZstdIndex // per-layer zstd index (P1)
	DecompressedHashByLayer map[string]string     // maps layer digest -> SHA256 hash of decompressed data
	ImageMetadata           *ImageMetadata        `json:"ImageMetadata,omitempty"` // Image metadata - embedded to avoid runtime lookups
}

OCIStorageInfo stores metadata for OCI images with decompression indexes

func (OCIStorageInfo) Encode 

func (osi OCIStorageInfo) Encode() ([]byte, error)

func (OCIStorageInfo) Type 

func (osi OCIStorageInfo) Type() string

type PublicOnlyProvider 

type PublicOnlyProvider struct{}

PublicOnlyProvider always returns ErrNoCredentials, forcing anonymous/public access

func NewPublicOnlyProvider 

func NewPublicOnlyProvider() *PublicOnlyProvider

func (*PublicOnlyProvider) GetCredentials 

func (p *PublicOnlyProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*PublicOnlyProvider) Name 

func (p *PublicOnlyProvider) Name() string

type RegistryCredentialProvider 

type RegistryCredentialProvider interface {
	// GetCredentials returns authentication configuration for a given registry.
	//
	// Parameters:
	//   - ctx: context for cancellation and timeouts
	//   - registry: registry hostname (e.g., "ghcr.io", "registry-1.docker.io")
	//   - scope: optional repository path for per-repo tokens (e.g., "beam-cloud/clip")
	//
	// Returns:
	//   - *authn.AuthConfig: credentials if available
	//   - error: ErrNoCredentials if unavailable, or other error if lookup failed
	GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

	// Name returns a human-readable name for this provider (for logging/debugging)
	Name() string
}

RegistryCredentialProvider is the core interface for obtaining registry credentials at runtime. This interface enables pluggable authentication strategies without persisting credentials in archive metadata.

Implementations should:

  • Return credentials dynamically (support token refresh)
  • Return ErrNoCredentials if credentials are not available (caller will try anonymous)
  • Handle short-lived tokens gracefully (e.g., ECR, GCR)
  • Never log or expose sensitive credential data

func CreateProviderFromCredentials 

func CreateProviderFromCredentials(ctx context.Context, registry string, credType CredentialType, creds map[string]string) RegistryCredentialProvider

CreateProviderFromCredentials creates a CLIP-compatible credential provider from a credential map This is the main function that beta9 should use to create providers for CLIP Returns common.RegistryCredentialProvider

func CredentialsToProvider 

func CredentialsToProvider(ctx context.Context, registry string, creds map[string]string) RegistryCredentialProvider

CredentialsToProvider converts a credential map and registry to a CLIP-compatible provider This is a convenience function that auto-detects credential type and creates the appropriate provider

func DefaultProvider 

func DefaultProvider() RegistryCredentialProvider

DefaultProvider returns a sensible default provider chain for most use cases Order: Env -> Docker Config -> Keychain

type RemoteRef 

type RemoteRef struct {
	LayerDigest string // "sha256:..."
	UOffset     int64  // file payload start in UNCOMPRESSED tar stream
	ULength     int64  // file payload length (uncompressed)
}

RemoteRef points to a file's data within an OCI layer

type S3StorageInfo 

type S3StorageInfo struct {
	Bucket         string
	Region         string
	Key            string
	Endpoint       string
	ForcePathStyle bool
}

Storage Info Implementations

func (S3StorageInfo) Encode 

func (ssi S3StorageInfo) Encode() ([]byte, error)

func (S3StorageInfo) Type 

func (ssi S3StorageInfo) Type() string

type StaticProvider 

type StaticProvider struct {
	// contains filtered or unexported fields
}

StaticProvider returns pre-configured credentials for specific registries Supports both exact registry matching and wildcard patterns

func NewStaticProvider 

func NewStaticProvider(credentials map[string]*authn.AuthConfig) *StaticProvider

NewStaticProvider creates a provider with a fixed set of credentials The map key should be the registry hostname (e.g., "ghcr.io") Supports patterns like "*.dkr.ecr.*.amazonaws.com" for wildcard matching

func NewStaticProviderWithName 

func NewStaticProviderWithName(name string, credentials map[string]*authn.AuthConfig) *StaticProvider

NewStaticProviderWithName creates a named static provider

func ParseBase64AuthConfig 

func ParseBase64AuthConfig(encoded string, registry string) (*StaticProvider, error)

ParseBase64AuthConfig parses the legacy base64-encoded auth config format Returns a StaticProvider with the decoded credentials This is used for backward compatibility with the old AuthConfig field

func (*StaticProvider) GetCredentials 

func (p *StaticProvider) GetCredentials(ctx context.Context, registry string, scope string) (*authn.AuthConfig, error)

func (*StaticProvider) Name 

func (p *StaticProvider) Name() string

type StorageInfoWrapper 

type StorageInfoWrapper struct {
	Type string
	Data []byte
}

Storage info is a structure containing data describing remote storage config

type StorageMode 

type StorageMode string
const (
	StorageModeLocal StorageMode = "local"
	StorageModeS3    StorageMode = "s3"
	StorageModeOCI   StorageMode = "oci"
)

type ZstdFrame 

type ZstdFrame struct {
	COff int64 // Compressed offset
	CLen int64 // Compressed length
	UOff int64 // Uncompressed offset
	ULen int64 // Uncompressed length
}

Zstd frame index (P1 - future)

type ZstdIndex 

type ZstdIndex struct {
	LayerDigest string
	Frames      []ZstdFrame
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.