Adds image denylist (#1896)

* Adds image denylist

* Move to DockerAPI

* Wording

* Use error instead of critical

* Update supervisor/docker/__init__.py

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>

* Run in executor

* Add pyouroboros/ouroboros

* Mark as unsupported

* Use set

* Update supervisor/docker/__init__.py

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>

* Remove duplicate

* Change logging

* Update supervisor/docker/__init__.py

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>

* Set healthy to False

* small move

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>
Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch>
Joakim Sørensen 2020-08-14 09:45:22 +02:00 committed by GitHub
parent 3b0d0e9928
commit 2d312c276f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 1 deletions


@ -36,6 +36,11 @@ SOCKET_DBUS = Path("/run/dbus/system_bus_socket")
DOCKER_NETWORK = "hassio"
DOCKER_NETWORK_MASK = ip_network("172.30.32.0/23")
DOCKER_NETWORK_RANGE = ip_network("172.30.33.0/24")
DOCKER_IMAGE_DENYLIST = [
"containrrr/watchtower",
"pyouroboros/ouroboros",
"v2tec/watchtower",
]
DNS_SUFFIX = "local.hass.io"
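Review bot: `DOCKER_IMAGE_DENYLIST` has no comment saying why these three repositories are refused, so a later maintainer cannot tell what qualifies an image for the list. A line above it such as `# Container auto-updaters that swap images outside Supervisor's control` would record the criterion (wording to be confirmed by the authors). Since the constant is only tested for membership in `check_denylist_images`, a `frozenset` would state that intent better than a mutable list.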


@ -144,6 +144,11 @@ class Core(CoreSysAttributes):
self.supported = False
_LOGGER.error("Systemd DBUS is not connected")
# Check if image names from denylist exist
if await self.sys_run_in_executor(self.sys_docker.check_denylist_images):
self.coresys.supported = False
self.healthy = False
async def start(self):
"""Start Supervisor orchestration."""
self.state = CoreStates.STARTUP
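Review bot: The denylist branch writes `self.coresys.supported = False`, while the D-Bus check directly above it in the same hunk writes `self.supported = False`; if the flag lives on `Core`, as that line suggests, the new assignment sets a different attribute and the installation is never marked unsupported. Using `self.supported = False` here would keep both checks on the same flag. The awaited `check_denylist_images` call is also unguarded, so a Docker API error from the image listing would presumably propagate out of setup. The enclosing method starts outside the hunk, so confirm both points against the full body.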


@ -9,7 +9,7 @@ import attr
import docker
from packaging import version as pkg_version
from ..const import DNS_SUFFIX, SOCKET_DOCKER
from ..const import DNS_SUFFIX, DOCKER_IMAGE_DENYLIST, SOCKET_DOCKER
from ..exceptions import DockerAPIError
from .network import DockerNetwork
@ -232,3 +232,24 @@ class DockerAPI:
_LOGGER.debug("Networks prune: %s", output)
except docker.errors.APIError as err:
_LOGGER.warning("Error for networks prune: %s", err)
def check_denylist_images(self) -> bool:
"""Return a boolean if the host has images in the denylist."""
denied_images = set()
for image in self.images.list():
for tag in image.tags:
image_name = tag.split(":")[0]
if (
image_name in DOCKER_IMAGE_DENYLIST
and image_name not in denied_images
):
denied_images.add(image_name)
if not denied_images:
return False
_LOGGER.error(
"Found images: '%s' which are not supported, remove these from the host!",
", ".join(denied_images),
)
return True
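Review bot: The comparison in `check_denylist_images` matches only the exact short name, so a denied image pulled through another registry or a mirror (`<registry>/containrrr/watchtower`) passes unnoticed, and `tag.split(":")[0]` cuts a reference that carries a registry port at the port instead of at the tag. Splitting from the right and also accepting a registry prefix closes both gaps, and the `not in denied_images` guard can go because adding to a set is idempotent. Name matching still misses retagged or untagged images, so the docstring should describe the check as advisory rather than an enforcement boundary. Unlike the prune code directly above it in this hunk, the method does not catch `docker.errors.APIError`.

```python
for tag in image.tags:
    # Split from the right so a "host:port/" registry prefix survives.
    repository = tag.rsplit(":", 1)[0]
    if any(
        repository == name or repository.endswith(f"/{name}")
        for name in DOCKER_IMAGE_DENYLIST
    ):
        denied_images.add(repository)
# … unchanged: empty-set check, error log, return True …
```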