Enhance Fix #541: Allow @sha256 digest for tags in FROM #1176
Conversation
ImageName.java and respective test class adjusted to be able to handle image names with tag AND sha256 digest like: image_name:image_tag@sha256<digest> Signed-off-by: Marcus Konrad <M.M.Konrad@web.de>
Codecov Report
@@ Coverage Diff @@
## master #1176 +/- ##
============================================
+ Coverage 52.31% 52.32% +0.01%
- Complexity 1473 1475 +2
============================================
Files 150 150
Lines 7855 7857 +2
Branches 1169 1171 +2
============================================
+ Hits 4109 4111 +2
Misses 3343 3343
Partials 403 403
|
2 similar comments
Codecov Report
@@ Coverage Diff @@
## master #1176 +/- ##
============================================
+ Coverage 52.31% 52.32% +0.01%
- Complexity 1473 1475 +2
============================================
Files 150 150
Lines 7855 7857 +2
Branches 1169 1171 +2
============================================
+ Hits 4109 4111 +2
Misses 3343 3343
Partials 403 403
|
Codecov Report
@@ Coverage Diff @@
## master #1176 +/- ##
============================================
+ Coverage 52.31% 52.32% +0.01%
- Complexity 1473 1475 +2
============================================
Files 150 150
Lines 7855 7857 +2
Branches 1169 1171 +2
============================================
+ Hits 4109 4111 +2
Misses 3343 3343
Partials 403 403
|
Codecov Report
@@ Coverage Diff @@
## master #1176 +/- ##
============================================
- Coverage 52.36% 52.32% -0.05%
+ Complexity 1482 1475 -7
============================================
Files 150 150
Lines 7889 7857 -32
Branches 1176 1171 -5
============================================
- Hits 4131 4111 -20
+ Misses 3354 3343 -11
+ Partials 404 403 -1
|
|
Updated PR without indent issues for Fabric8 MVN Plugin Issue 1386 |
| @@ -64,25 +64,35 @@ public ImageName(String fullName, String givenTag) { | |||
| throw new NullPointerException("Image name must not be null"); | |||
| } | |||
|
|
|||
| // set digest to null as default | |||
| digest = null; | |||
There was a problem hiding this comment.
I don't understand the intention of this change, why do you need tag when you're not passing it in REST call to docker daemon?
There was a problem hiding this comment.
Do you need it only for ImageName?
There was a problem hiding this comment.
Do you mean why only ImageName.java ist modified but not e.g. UrlBuilder.java?
There was a problem hiding this comment.
Yeah, since this would only have an effect on ImageName object and this won't be propagated to api server. Maybe I misunderstood your use case earlier and delayed it because I wasn't sure how docker api server handles digests.
There was a problem hiding this comment.
True. I did not dive deep into the entire architecture. (i do not have enough time) As I said in the F8 MVN thread, it is not final.
I just wanted to make a start towards solving our/my request instead of just asking all the time when it will be done.
If you have some hints where to look and probably some docs about the missing parts, that would be great.
There was a problem hiding this comment.
Right now we're ignoring tag and sending image digest in place of tag, need to check in docker api on how to pass both(but I'm still not sure why do we need both)
There was a problem hiding this comment.
I am not sure whether others have the necessity for this.
But we do.
We have multiple applications with each several docker images being involved.
We have the demand, to know (and control) exactly what base images are used and whether we adapt newer versions/patches/updates or not.
In case we decide to adapt a change in a base image, follow-up processes will be triggered.
Going with the latest image does not work for us.
Instead we will use an open-source tool called "renovate" to pin the hash digest to the used base images.
This tool then will then check if there is any change to the base image, based on the hash digest that is pinned to the image and its tag.
This can be an update within the same tag e.g. version 1.2.3.4-alpine, a minor patch and also major patches.
Version tags like 1.2.3.4-alpine may consist of different version even though it is displayed to the outside as version 1.2.3.4-alpine.
Even these small changes within the same version may cause issues and side-effects to us.
But then we may also have to adapt to certain patches and updates at some time.
Right now multiple use-cases exist for us.
Relying on image tags AND hash digests together, gives us the possibility to meet the demand of controlling what updates/patches/changes we want to adapt.
Additionally fabric8 is a major component in the build processes of our docker images.
As a result we need the docker-maven-plugin to allow tags AND hash digest in the FROM statement.
Maybe there is a better solution out there, but time and available resource do not allow it right now to rethink and reconstruct all of our processes just to meet that demand.
Therefore it is the convenient way to enable the docker-maven-plugin to handle tags and hash digests together in the FROM statement.
There was a problem hiding this comment.
@mmkonrad so the only reason for specifying the tag and the digest together is that a tool like https://github.com/renovatebot/renovate can automatically update the digest of a tag, if a tag changed, right?
Imho when pulling the "pinned" image only the digest needs to be sent to the registry.
According to the author of renovatebot, when specifiying tag and digest in an image reference, the tag will be indeed ignored:
One useful trick know is that you don’t have to remove the tag if you want to add a digest. If both are present then the tag is ignored, so you can leave it in for human readability, e.g
(refering to https://renovatebot.com/blog/docker-mutable-tags)
But i don't know if the pulling client is handling this by not sending the tag or if the pull client can send both and the registry just ignores it. I did not find any specification for that. May be we can try to look how the docker daemon behaves on this by looking at pull requests with a man-in-the-middle proxy.
There was a problem hiding this comment.
@schuch Thank you for pointing this out.
Human readability is indeed the key factor.
If a source tag is updated with a new semver version, you will receive a PR with a new FROM line that looks something like FROM node:8.10.1@sha256:eks9abc802b2a8464b3bfc1f8c3c409f89e9b70a31f1dccce70bd14mxwris. i.e. tag has changed and digest has changed. If only the digest is updated, you would see that too (and the PR will tell you that it’s a digest update, not a version update).
@rohanKanojia Sorry for not stating it so clearly from the beginning
There was a problem hiding this comment.
@mmkonrad: Hi, Sorry for late reply(I saw this in notifications but somehow forgot to reply). Are you trying to say that you're okay with tag to stay just in ImageName class(like you've done here)? I think we're good to merge this then ;-) . I think we should handle this case as well and simply ignore tag even if it's parsed properly.
|
@rhuss : Could you please share your thoughts? I think we can merge this. |
|
Thanks a lot! |
ImageName.java and respective test class adjusted to be able to handle
image names with tag AND sha256 digest like:
image_name:image_tag@sha256
Signed-off-by: Marcus Konrad M.M.Konrad@web.de