-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decide what to do about :tag@digest
changes in Docker
#1248
Comments
I am in favor of doing it. It seems like a reasonable bug fix to me and since we aim for Docker compat I don't think we need to wait for major bump. It also impacts Buildah btw. |
I cannot really comment about that part of the code but as a user it sounds like a bug to me if only the digest is used and the name is ignored. I also don't think we need a major version bump to change it. |
One use case for having the Podman supports it: $ podman pull registry.redhat.io/ubi8:8.7@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6
Trying to pull registry.redhat.io/ubi8@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6... Buildah supports it $ cat Dockerfile
FROM registry.redhat.io/ubi8:8.7@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6
$ buildah bud .
STEP 1/1: FROM registry.redhat.io/ubi8:8.7@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6
COMMIT
--> 16fb1f57c5a
16fb1f57c5af458cd4ee28c5d90e44a2ee4f264dd617f8e13111617928b87aaa OpenShift 4 also supports such references. It didn't initially, and it made things a bit awkward in some projects, e.g. use this yaml to deploy this app, but if on OpenShift then use this other yaml. Skopeo doesn't support it: $ skopeo inspect --no-tags docker://registry.redhat.io/ubi8:8.7@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6
FATA[0000] Error parsing image name "docker://registry.redhat.io/ubi8:8.7@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6": Docker references with both a tag and digest are currently not supported In the skopeo case, users are left in a position where they can't just feed the image reference they have into a skopeo command. They have to detect usage of the syntax It's unfortunate that usage/handling of the |
To be very clear, following the Docker semantics change linked to above (instead of ignoring the tag, enforcing that the tag exists and points at the specified digest), would turn this “assisting in updates” into “outage on updates”. So that’s the point of concern. And from that point of view, Skopeo is in the, in my opinion, fortunate position, of not facing this dilemma because it didn’t allow that usage. And now Skopeo has the option, in principle, of allowing the :tag@digest in the considered enforce-both semantics, without breaking any existing users. |
Maybe I have misunderstood this, but it validates the image name right now, not tag!
This is the current podman behaviour:
Now use the alpine image reference with the digest of the fedora image, this will use the fedora one
Of course that only works when the image with the digest is in local storage. |
Oh… so that’s all my mistake. I’m sorry. I thought that they are enforcing the tag value on the registry to match the expected digest; but they are enforcing the repo part, to ensure that the digest is present. The tag continues to be completely ignored. |
Agree. I believe that's the exact bug fix that docker did as well:
|
c/image is supposed to be enforcing the repo match: https://github.com/containers/image/blob/333c50e3eac84711807ef743be643bc0585e36be/storage/storage_reference.go#L136 . It seems that c/common doesn’t, in Line 441 in 24d7820
lookupImageInDigestsAndRepoTags is already a “last desperate heuristic attempt” legacy path (compare containers/podman#11964 and IIRC earlier discussions), so I don’t feel at all strongly about what that should do.
|
I think we should support it. |
@rhatdan support what? The original topic is restricting what inputs match. Do you mean to enforce the same restrictions, or to support the looser matches which currently find images? |
I think we should match Docker. Which I think is the looser matching. |
The crazy digest matching popped up again in #1503. Fortunately, @Luap99 has the memory of an elephant and pointed me to this conversation. As shown in #1248 (comment), What I propose is to
|
Only for getting feedback from Podman and Buildah CI for now. See containers/issues/1248 for details. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When looking up an image by digest, make sure that the entire repository of the specified value is considered. Previously, both the repository and the tag have been ignored and we looked for _some_ image with a matching digest. As outlined in containers#1248, Docker stopped ignoring the repository with version v20.10.20 (Oct '22) which is a compelling reason to do the same. To be clear, previously `something@digest` would look for any image with `digest` while `something` is entirely ignored. With this change, both `something` and `digest` must match the image. This change breaks two e2e tests in Podman CI which relied on the previous behavior. There is a risk of breaking users but there is a strong security argument to perform this change: if the repository does not match the (previously) returned issue, there is a fair chance of a user error. Fixes: containers#1248 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
https://github.com/moby/moby/releases/tag/v20.10.20 has changed
:tag@digest
semantics to a more secure one.The text was updated successfully, but these errors were encountered: