docker - incorrect update of manifest list sha to amd64 manifest sha #2962

Closed
KnicKnic opened this issue Jan 8, 2021 · 5 comments · Fixed by #3060
T: bug 🐞 Something isn't working

KnicKnic commented Jan 8, 2021

I built the latest master (0c3f58f) and this repros
Package manager/ecosystem
docker

Manifest contents prior to update
https://github.com/KnicKnic/myq-garage-server/blob/2f81d6dfac244bf06f669a5ef86d6b3b42949364/Dockerfile

FROM python:slim@sha256:4d92968b26bb6b7b62d957244de86fc1054f03793577d49e85c00864eb03ca07 as python-base

Incorrect Updated dependency
see incorrect pull request KnicKnic/myq-garage-server#3

FROM python:slim@sha256:56d9bdc243bc53d4bb055305b58cc0be15b05cc09dcda9b9d5e224233889b61b as python-base

What you expected to see, versus what you actually saw
I did not expect to see an update as the original dockerfile referenced the most recent manifest list. I have dumped the manifest list at the time of the bug to show that it is going from the manifest list sha, to the linux/amd64 manifest sha.

/mnt/c/Users/nmaliwa$ docker buildx imagetools inspect docker.io/library/python:slim
Name:      docker.io/library/python:slim
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:4d92968b26bb6b7b62d957244de86fc1054f03793577d49e85c00864eb03ca07

Manifests:
  Name:      docker.io/library/python:slim@sha256:56d9bdc243bc53d4bb055305b58cc0be15b05cc09dcda9b9d5e224233889b61b
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      docker.io/library/python:slim@sha256:b1a7b49314a060e6e29cc0106c456f0006069d656afdc43ea0f822eae9578544
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v5

  Name:      docker.io/library/python:slim@sha256:2438965ab5800e6847d02c654abc87d8e1efc8b4b39ffcc1b120651a3943e50d
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm/v7

  Name:      docker.io/library/python:slim@sha256:47189a18721bc387ff4a356d9f3b519de96bc247745ae70bc8f17cfa595ab148
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64/v8

  Name:      docker.io/library/python:slim@sha256:02ce622d98de3586acc2c0a2f0f6fe3490483ed076987be6ff7bf50edb69bac0
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/386

  Name:      docker.io/library/python:slim@sha256:60bc1468d088838ca0e0fb0d1886ba3aa022d0c39772545644b90fc9f991f2ea
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/mips64le

  Name:      docker.io/library/python:slim@sha256:ff51ddefc4b96e42fbe386bb620d3ba1a668f367ee10e2e6d0247748280b5c6d
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/ppc64le

  Name:      docker.io/library/python:slim@sha256:992b402409ad0fd664e47ab4fdc6163274a105fb5a938c0e52e3fad58257840e
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/s390x

The build system targets multi-architecture builds; it is not appropriate to change the sha to a manifest from a manifest list.

Images of the diff or a link to the PR, issue or logs

Here are the reproduction logs:

[dependabot-core-dev] ~/dependabot-core $ bin/dry-run.rb docker knicknic/myq-garage-server
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/knicknic/myq-garage-server/
=> parsing dependency files
=> updating 1 dependencies: python

=== python (slim)
 => checking for updates 1/1
 => latest available version is slim
 => latest allowed version is slim
 => requirements to unlock: own
 => requirements update strategy:
 => updating python from slim to slim

    ± Dockerfile
    ~~~
    7c7
    < FROM python:slim@sha256:4d92968b26bb6b7b62d957244de86fc1054f03793577d49e85c00864eb03ca07 as python-base
    ---
    > FROM python:slim@sha256:56d9bdc243bc53d4bb055305b58cc0be15b05cc09dcda9b9d5e224233889b61b as python-base
    ~~~

KnicKnic commented Jan 20, 2021

@greysteil since you seem to be the person most active in /docker and this has yet to be assigned to someone.

@greysteil
Contributor

I'm afraid I don't work on Dependabot anymore (and I'm a product manager these days, not an engineer), so I'm not the best person to help here. @feelepxyz @jurre - any thoughts on the above?

@feelepxyz
Contributor

@KnicKnic will take a look this week.

@jurre jurre self-assigned this Jan 29, 2021

jurre commented Jan 29, 2021

Interestingly.. This is what the docker API returns as the digest for that repo+tag 😕

 curl --head -v https://registry.hub.docker.com:443/v2/library/python/manifests/slim --header "Authorization: Bearer eyJ.. snip"

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Length: 13024
Content-Length: 13024
< Content-Type: application/vnd.docker.distribution.manifest.v1+prettyjws
Content-Type: application/vnd.docker.distribution.manifest.v1+prettyjws
< Docker-Content-Digest: sha256:f534fbbdd97ba94d573cbd129e1fd0d4ae56b37bb8e0c17bfcd694f75131c0f0
Docker-Content-Digest: sha256:f534fbbdd97ba94d573cbd129e1fd0d4ae56b37bb8e0c17bfcd694f75131c0f0
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< Etag: "sha256:f534fbbdd97ba94d573cbd129e1fd0d4ae56b37bb8e0c17bfcd694f75131c0f0"
Etag: "sha256:f534fbbdd97ba94d573cbd129e1fd0d4ae56b37bb8e0c17bfcd694f75131c0f0"
< Date: Fri, 29 Jan 2021 16:08:39 GMT
Date: Fri, 29 Jan 2021 16:08:39 GMT
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000

We may need to call whatever docker buildx imagetools inspect docker.io/library/python:slim calls under the hood and check if any of the digests match the one we have. Going to dig into this a bit further.

@jurre
Copy link
Member

jurre commented Feb 1, 2021

🎉 we need to pass in Accept: application/vnd.docker.distribution.manifest.list.v2+json to get the full list. Hoping to be able to open up a PR in a bit
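
The digest mismatch discussed in this thread, reproduced offline as an added example (not Dependabot's code and not part of any comment above). `FakeRegistry`, `naive_proposal` and `pin_status` are hypothetical names; the manifests are constructed, and the registry's fallback to the linux/amd64 manifest when the list type is not in `Accept` is an assumption modelled on the reported behaviour.

```ruby
require "digest"
require "json"

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
V2_TYPE   = "application/vnd.docker.distribution.manifest.v2+json"

# A manifest digest is the SHA-256 of the exact manifest bytes served.
def digest_of(body)
  "sha256:#{Digest::SHA256.hexdigest(body)}"
end

# Constructed stand-in for a registry's GET /v2/<name>/manifests/<tag>.
# Assumption: without the list type in Accept it serves the linux/amd64 manifest.
# The "platform" field is simplified to a string here.
class FakeRegistry
  attr_reader :list_body, :platform_bodies

  def initialize(platforms)
    @platform_bodies = platforms.to_h do |plat|
      [plat, JSON.generate("schemaVersion" => 2, "mediaType" => V2_TYPE, "layers" => ["#{plat}-layer"])]
    end
    entries = @platform_bodies.map do |plat, body|
      { "mediaType" => V2_TYPE, "digest" => digest_of(body), "platform" => plat }
    end
    @list_body = JSON.generate("schemaVersion" => 2, "mediaType" => LIST_TYPE, "manifests" => entries)
  end

  def manifest(accept:)
    return [LIST_TYPE, list_body] if accept.include?(LIST_TYPE)
    [V2_TYPE, platform_bodies.fetch("linux/amd64")]
  end
end

# Behaviour reported in the issue: the list type is not requested, so a pinned
# list digest looks stale and the amd64 manifest digest is proposed instead.
def naive_proposal(pinned, registry)
  _type, body = registry.manifest(accept: [V2_TYPE])
  latest = digest_of(body)
  latest == pinned ? nil : latest
end

# Request the list, then compare the pin with the list digest and each entry.
def pin_status(pinned, registry)
  type, body = registry.manifest(accept: [LIST_TYPE, V2_TYPE])
  return :current if digest_of(body) == pinned
  return :outdated unless type == LIST_TYPE
  entries = JSON.parse(body).fetch("manifests")
  entries.any? { |m| m["digest"] == pinned } ? :platform_pin_current : :outdated
end
```

A pin on the list digest covers every platform entry, while a pin on a single entry covers one platform only, so replacing the former with the latter narrows what a multi-architecture build can resolve.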
