Image digest output for container_image rule

[ash2k]

This PR adds an additional predeclared output to the container_image rule which contains image digest of that image.

This PR depends on google/containerregistry#87 and needs to be updated with a version of containerregistry that contains those changes.

Fixes #271.

go_binary(
    name = "smith",
    embed = [":go_default_library"],
    pure = "on",
    visibility = ["//visibility:public"],
)

container_push(
    name = "smith.push_docker",
    format = "Docker",
    image = ":smith",
    registry = ...,
    repository = ...,
    stamp = True,
    tag = ...,
)

$ bazel build  --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64  //cmd/smith:container.digest
INFO: Analysed target //cmd/smith:container.digest (0 packages loaded).
INFO: Found 1 target...
Target //cmd/smith:container.digest up-to-date:
  bazel-bin/cmd/smith/container.digest
INFO: Elapsed time: 1.026s, Critical Path: 0.61s
INFO: 1 process: 1 darwin-sandbox.
INFO: Build completed successfully, 2 total actions

$ cat bazel-bin/cmd/smith/container.digest
sha256:73122a2d81d57895f5740efa9030c25045a9a797cd118c8f9867c8de02d57425

$ bazel run  --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64  //cmd/smith:smith.push_docker
INFO: Analysed target //cmd/smith:smith.push_docker (1 packages loaded).
INFO: Found 1 target...
Target //cmd/smith:smith.push_docker up-to-date:
  bazel-bin/cmd/smith/smith.push_docker
INFO: Elapsed time: 0.538s, Critical Path: 0.19s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
<bla-bla-bla-stamping> was resolved to <bla-bla-bla-stamping>/smith:e4cd67ec0-6ebc8057e7619aba8e3c63f4392f1e44
<bla-bla-bla-stamping>/smith:e4cd67ec0-6ebc8057e7619aba8e3c63f4392f1e44 was published with digest: sha256:73122a2d81d57895f5740efa9030c25045a9a797cd118c8f9867c8de02d57425

[nlopezgi]

This looks good overall. Thanks for sending this PR. I'll kick off presubmits to verify all tests pass, but we'll need to wait until the PR in container registry is in to approve. Please let me know one that is in to kick of presubmit again.

[nlopezgi]

Could you please document this new implicit output in https://github.com/bazelbuild/rules_docker#container_image-1

[nlopezgi]

wrap line (or declare inputs above?)

[ArthurRab]

Hey Mikhail, the container image rule already produces a manifest.json in the tarball which contains the image's id. There is a helper script at extract_image_id.sh which extracts it for you!

[ittaiz]

Wow, this looks really promising!
We’re just trying to figure this out ourselves.
We need to compare the current rule digest to one in our registry to know if we need to push or not. Do you think we will be able to use this as is for this need or am I mixing things up?

[ArthurRab]

Sure, I don't see why not. The script I mentioned simply gives you the image's id from the tarball.

[ash2k]

@ArthurRab I see, I didn't know, thanks. However, I'd like to get this information as an additional output + expose that output in the ImageInfo provider. Should I rewrite this PR to use the script? What I don't like about the script, is that it "parses" json using cut. Might be fragile and also cut is a non-hermetic dependency.

[ash2k]

@ArthurRab hey, I can see you sent #448 - this is awesome, thanks. Could you add a command line flag to that script to output the digest into a file please? It is easier to program a rule if the command can output into a file, rather that just print the result. I'll be able to use that new script in this PR as a replacement for the python script in containerregistry repo. Btw, I filled bazelbuild/bazel#5511 a couple of days ago, asking for a way to capture stdout.

[ash2k]

Btw, I only see a single tar file + a tar.gz but I don't see any manifest.json files in them. Where is it?

[ash2k]

Ok, I found it. I need to request that .tar output explicitly and then I get the file. But that manifest.json does not contain the digest, produced by container_push and/or .digest output.

 $ bazel run --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/smith:push_docker
INFO: Analysed target //cmd/smith:push_docker (0 packages loaded).
INFO: Found 1 target...
Target //cmd/smith:push_docker up-to-date:
  bazel-bin/cmd/smith/push_docker
INFO: Elapsed time: 0.342s, Critical Path: 0.10s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
index.docker.io/atlassianlabs/smith:{STABLE_BUILD_GIT_TAG}-{STABLE_BUILD_GIT_COMMIT} was resolved to index.docker.io/atlassianlabs/smith:v1.0.0-2cb13f4
index.docker.io/atlassianlabs/smith:v1.0.0-2cb13f4 was published with digest: sha256:6b74d7e6b4cf36aae4c54e723eb1bb59b6d84a7ceae2141e6804cae3c0ec3f4b

 $ bazel build --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/smith:container.digest
INFO: Analysed target //cmd/smith:container.digest (0 packages loaded).
INFO: Found 1 target...
Target //cmd/smith:container.digest up-to-date:
  bazel-bin/cmd/smith/container.digest
INFO: Elapsed time: 0.258s, Critical Path: 0.04s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action

 $ cat bazel-bin/cmd/smith/container.digest
sha256:6b74d7e6b4cf36aae4c54e723eb1bb59b6d84a7ceae2141e6804cae3c0ec3f4b%

 $ bazel build --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/smith:container.tar   
INFO: Analysed target //cmd/smith:container.tar (0 packages loaded).
INFO: Found 1 target...
Target //cmd/smith:container.tar up-to-date:
  bazel-bin/cmd/smith/container.tar
INFO: Elapsed time: 0.241s, Critical Path: 0.04s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action

 $ tar -xf bazel-bin/cmd/smith/container.tar "manifest.json"                                        
 
 $ cat manifest.json | grep 6b74d7e6b4cf36aae4c54e723eb1bb59b6d84a7ceae2141e6804cae3c0ec3f4b

 $ cat manifest.json
[{"Config": "07a57c5b5e1100d9ed139dc7641e84f19602a4501aa6c8df115023623c76d005.json", "Layers": ["b0dde63cbf25a3f5a23ca221181d9f00ae48be8cb125938dc388e93ac6ff6dfd/layer.tar", "a6fe265ee3668f5cc5fc0d5dee33593df6d199069ef4be0a9648d478b04ec13e/layer.tar"], "RepoTags": ["bazel/cmd/smith:container"]}]%

[ArthurRab]

Ah, my bad. I had the image id and digest confused, sorry about that. We don't have a script that gives you the digest so this pr is still valid. Go ahead and make the requested changes and we'll merge it in.

[ash2k]

No worries. I've made the requested changes, waiting on the containerregistry PR to get merged.

[ittaiz]

Hi,
Is this approved apart from the commit pointer of container registry? This has been pending for a long time (due to the PR there waiting) and I think it would be great to make sure this can be merged as soon as the other one gets merged

[nlopezgi]

Yes, iirc I think this can be merged once the upstream PR is in (and conflicts have been resolved). Let me know if you are having issues with that one to ping them.

[ittaiz]

Last update there was 11 days ago about finalizing code review. If you can ping them on Monday I’d appreciate it very much

…

On Thu, 16 Aug 2018 at 22:00 Nicolas Lopez ***@***.***> wrote: Yes, iirc I think this can be merged once the upstream PR is in (and conflicts have been resolved). Let me know if you are having issues with that one to ping them. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#445 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABUIF5URHiqO_HI3_SRlavDUAJWtQVLLks5uRcFDgaJpZM4VDVYH> .

[ash2k]

This is ready for review and merge.

[ittaiz]

yay, everything is green. @nlopezgi waiting for your approval.

[nlopezgi]

Thanks again for sending this PR and good to hear the upstream change in containerregstry finally made it in.

This looks good overall, one comment about the digest being part of the cotnainer_parts.

Also, could you add a test to https://github.com/bazelbuild/rules_docker/blob/master/tests/docker/BUILD that verifies the digest output is produced with the right value?

[nlopezgi]

Would it make sense to make the digest part of the container_parts? If not, why?

[ash2k]

Makes sense, done.

[ash2k]

Also, could you add a test to https://github.com/bazelbuild/rules_docker/blob/master/tests/docker/BUILD that verifies the digest output is produced with the right value?

I've just tried to figure out how to do that but could not. Any specific instructions on how to do that would be very useful.

[xingao267]

@ash2k There is a file_test skylark rule which should work for you. Example usage: https://github.com/bazelbuild/rules_docker/blob/master/tests/contrib/BUILD#L140

You can have something like:

container_image(
    name = "my_test_image",
    ....
)

file_test(
    name = "test_container_image_output_digest",
    file = ":my_test_image.digest",
    regexp (or match depends on your need) = "<the digest>",
)

[ash2k]

@xingao267 thanks a lot, that was much easier than I expected. Ready for merge.

[stevewolter]

Danger: This change is missing support for the newly-introduced --manifest flag: google/containerregistry@2acf471. In the current form, this change produces different digests than the images pushed with docker_push.

In containerregistry's image_digest tool, manifest support has also been overlooked, so a containerregistry change like stevewolter/containerregistry@21496a1 is needed first.

[ittaiz]

Wow, this is indeed dangerous.

…

On Fri, 31 Aug 2018 at 15:15 Steve Wolter ***@***.***> wrote: Danger: This change is missing support for the newly-introduced --manifest flag: ***@***.*** <google/containerregistry@2acf471>. In the current form, this change produces different digests than the images pushed with docker_push. In containerregistry's image_digest tool, manifest support has also been overlooked, so a containerregistry change like ***@***.*** <stevewolter/containerregistry@21496a1> is needed first. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#445 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABUIFwBnZr4iR1Ur-V4YpoIiI2OthmEEks5uWSj_gaJpZM4VDVYH> .

[nlopezgi]

Thanks for noticing this issue. I think we should wait until the fix @stevewolter proposes is in container registry, could you please send them a PR (and I will help get it submitted faster early next week, or later today if I can finish some other high priority tasks I have pending).

[stevewolter]

Thanks for the help, Nicolas. Sent google/containerregistry#104.

…

On Fri, Aug 31, 2018 at 3:36 PM Nicolas Lopez ***@***.***> wrote: Thanks for noticing this issue. I think we should wait until the fix @stevewolter <https://github.com/stevewolter> proposes is in container registry, could you please send them a PR (and I will help get it submitted faster early next week, or later today if I can finish some other high priority tasks I have pending). — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#445 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFgJgNRyAdnLqCTCWUNKL6wSY5l_I8pAks5uWTvTgaJpZM4VDVYH> .

[nlopezgi]

@stevewolter let me know if I can help get google/containerregistry#104 submitted faster (e.g., by trying to ping owners internally)

[nlopezgi]

Thanks @stevewolter! the change to container registry is in github, @ash2k can you update the pin to containerregistry in this cl and let me know when its ready to review again.

[ash2k]

@nlopezgi updated