Jib should report the base image digest that is used #1884

Closed
briandealwis opened this issue Aug 1, 2019 · 9 comments

@briandealwis
Member

Jib should report the image digest used for the base image to simplify configuring a fixed digest, and also for traceability.

@tejaskasetty
Contributor

Hi! Can I take this up?

@chanseokoh
Member

Sure, thanks!

@chanseokoh
Member

chanseokoh commented Oct 1, 2019

Presumably we could just read the Docker-Content-Digest HTTP header in ManifestPuller and print the SHA there.

Alternatively we could compute the SHA on the fly inside ManifestPuller (with SHA256 for now).

However, @jonjohnsonjr sent us some links and said to proceed with caution with the header approach, as registries have implemented this so differently. Generally it's questionable to trust the header value.

@tejaskasetty
Contributor

tejaskasetty commented Oct 3, 2019

So @chanseokoh I shall work on getting the manifest from the registry first. This should resolve #2034 as well.

@tejaskasetty
Contributor

tejaskasetty commented Oct 9, 2019

@chanseokoh There is one problem with computing the digest from the response directly. Manifest has signatures. We compute the digest from the manifest without the signatures. And you had suggested to compute the digest directly from the inputStream.

@jonjohnsonjr

Only schema 1 images have signatures, which Jib doesn't support (I believe).

@chanseokoh
Member

@jonjohnsonjr Jib doesn't support pushing schema 1 images, but it supports pulling schema 1 base images.

@tejaskasetty I think we can ignore schema 1 manifests. They will be gone sooner or later. We are checking if the schema is 1 or 2 in ManifestPuller (I believe), so perhaps we should report the digest only when it is 2. And the digest of the schema 2 manifests will exactly be the SHA256 checksum of the blob content.
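
The approach discussed in the comments above, as an added example that is not part of the thread and not Jib's own code: hash the exact response bytes for schema 2 manifests and treat the `Docker-Content-Digest` header only as a cross-check. The class name, method names and sample bodies are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Optional;

public class ManifestDigestCheck {

  /** Registry-style digest ("sha256:<hex>") of the exact bytes received. */
  static String sha256Digest(byte[] rawBody) throws NoSuchAlgorithmException {
    byte[] hash = MessageDigest.getInstance("SHA-256").digest(rawBody);
    StringBuilder out = new StringBuilder("sha256:");
    for (byte b : hash) {
      out.append(String.format("%02x", b));
    }
    return out.toString();
  }

  /**
   * Digest to report for a pulled base image manifest. Empty for schema 1,
   * where (per the thread) the signed body is not what the digest covers.
   * The header value (may be null) is only cross-checked, never reported
   * in place of the locally computed hash.
   */
  static Optional<String> digestToReport(int schemaVersion, byte[] rawBody, String headerDigest)
      throws NoSuchAlgorithmException {
    if (schemaVersion != 2) {
      return Optional.empty();
    }
    String computed = sha256Digest(rawBody);
    if (headerDigest != null && !headerDigest.equals(computed)) {
      System.err.println("Docker-Content-Digest mismatch: header=" + headerDigest
          + " computed=" + computed);
    }
    return Optional.of(computed);
  }

  public static void main(String[] args) throws NoSuchAlgorithmException {
    // Constructed sample bodies, not a real manifest from any registry.
    byte[] body = "{\"schemaVersion\":2,\"layers\":[]}".getBytes(StandardCharsets.UTF_8);
    byte[] reserialized = "{ \"schemaVersion\": 2, \"layers\": [] }".getBytes(StandardCharsets.UTF_8);

    System.out.println(digestToReport(2, body, sha256Digest(body)));         // header agrees
    System.out.println(digestToReport(2, body, sha256Digest(reserialized))); // warns, reports computed
    System.out.println(digestToReport(1, body, null));                       // schema 1: nothing reported
    // Parsing and re-serializing the JSON changes the bytes, and so the digest.
    System.out.println(sha256Digest(body).equals(sha256Digest(reserialized)));
  }
}
```

The hash must be taken over the response stream as received; hashing a parsed and re-written manifest produces a value that will not match the registry's digest.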

@chanseokoh chanseokoh removed the question User inquiries label Oct 14, 2019
chanseokoh pushed a commit that referenced this issue Oct 15, 2019
Base image digest is reported/logged only when the manifest
schema version is 2.
@chanseokoh chanseokoh added this to the v1.7.0 milestone Oct 15, 2019
@chanseokoh
Member

Fixed by #2063.

@TadCordle
Contributor

TadCordle commented Oct 18, 2019

@dev-gaur We've released 1.7.0 with @tejaskasetty's fix!
