Fabric8 MVN Plugin 3.5.41: Allow @sha256 digest for tags in FROM

[mmkonrad]

Hello there!

Today I ran into an error in Jenkins, using the fabric8 maven plugin, that seems to exist for quite some time. It got already reported in docker-maven-plugin Issue #541 but it looks like it never got fixed (Issue still open).

As the headline states the fabric8 maven plugin in version 3.5.41 is not able to process @sha256 digests.

In the docker-maven-plugin the responsible class seems to be ImageName.java. More likely the regex Patterns at the end of the file.

Does a solution to this problem already exist or exist plans to eliminate the problem?

If so, please give notice, that would be much appreciated

Cheers,
Marcus

Info

• f-m-p version : 3.5.41
• Jenkins Maven Integration Plugin: 3.1.2
• Kubernetes / OpenShift setup and version : >=3.7
• If it's a bug, how to reproduce :
  Start a Maven build with fabric8 maven plugin to build a docker image that holds a sha256 digest in the FROM clause in Dockerfile
  Error Message:

[main] ERROR org.apache.maven.cli.MavenCli - Failed to execute goal io.fabric8:fabric8-maven-plugin:3.5.41:build (default) on project ###-###-docker-image: Failed to execute the build: Error while trying to build the image: Given Docker name '###########/solr:7.4-alpine@sha256:dd81436461637eac88c4a2ebfb59af3cffd3d5b928fd68315d8a1a175243242c' is invalid:
[main] ERROR org.apache.maven.cli.MavenCli - * image part 'solr:7.4-alpine@sha256' doesn't match allowed pattern '[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?' ''

Note: ### means anonymization of information

[rhuss]

Yes, fabric8io/docker-maven-plugin#541 is still open, mostly because of lack of time and now picked it up to send a PR (shouldn't be hard to fix).

As d-m-p is currently an intergral part of f-m-p, we need to update f-m-p then. There is issue #1327 to track this. Unfortunately, this is not trivial yet but is on the table.

[mmkonrad]

Thank you for the heads-up. I am looking forward to it.

[mmkonrad]

Can you inform me about the current state of this issue?
I can see in the referenced issue #1327 that there is activity, but I do not have the time to analyse it in detail.

Thank you^^

[mmkonrad]

@rhuss
We just checked out your most recent release: v4.0.0-M1 which features the "Fix 1327: Update docker maven plugin version" of issue #1327.

Our Dockerfile FROM line contains a sha256 digest like solr:7.4-alpine@sha256:{DIGEST}.

We were looking forward to building Docker images with this schema, but still receive:
[main] ERROR org.apache.maven.cli.MavenCli - * image part 'solr:7.4-alpine@sha256' doesn't match allowed pattern '[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?'

Why is this still an issue? Wasn't it supposed to be fixed by the issue #1327?
What did we miss and what do we need to fix in order to solve this problem?

Thanks and regards

[mmkonrad]

Just fyi: out of curiosity I entered the regex into regex101.com to check if it is able to work with the sha256 digest.
Entering [a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)? as the regex you get the information that the dash in the middle of the expression is an error (unescaped delimiter) and has to get escaped.
If you escape the delimiter or remove it the expression works with a sha256 digest without an error. The engine is able to capture the URL, the version, the sha256 indicator and of course the digest.

[mmkonrad]

Anyone?

[rhuss]

Sorry, November is still crazy busy for me with travelling. @rohanKanojia @lordofthejars @dev-gaur anyone could pick up this issue ? d-m-p is supposed to fix this issue but this apparently didn't work,.

[rohanKanojia]

@mmkonrad : Will provide an update within 1-2 working days

[mmkonrad]

Thank you a lot guys, I am looking forward to it.

[rohanKanojia]

@mmkonrad : I have raised PR in dmp for this: fabric8io/docker-maven-plugin#1131

[mmkonrad]

Sounds very good, thank you!

What are your schedule plans for integrating the request and releasing it?

[rohanKanojia]

@mmkonrad : I can't possibly comment on release plan(Since it's purely community-driven project). But I feel we would see a dmp release somewhere around Christmas holidays ;-)

[rhuss]

@mmkonrad I plan to make a dmp release this week.

[rohanKanojia]

@mmkonrad : bdw, fmp 4.0.0-M2 has been released along with dmp update. Would really appreciate if you could try it out.

[mmkonrad]

Hello together,
thank you for your fast reply and efforts. I will check it out as soon as possible and give you a heads-up about the outcome

[mmkonrad]

It is still not functioning, but there is a slight improvement:
Before (see above): image part 'solr:7.4-alpine@sha256' doesn't match allowed pattern
Now: image part 'solr:7.4-alpine' doesn't match allowed pattern

[main] ERROR org.apache.maven.cli.MavenCli - Failed to execute goal io.fabric8:fabric8-maven-plugin:4.0.0-M2:build (default) on project evi-solr-docker-image: Failed to execute the build: Error while trying to build the image: Given Docker name 'some.docker.repo.url.com/solr:7.4-alpine@sha256:dd81436461637eac88c4a2ebfb59af3cffd3d5b928fd68315d8a1a175243242c' is invalid: [main] ERROR org.apache.maven.cli.MavenCli - * image part 'solr:7.4-alpine' doesn't match allowed pattern '[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?'

[rohanKanojia]

@mmkonrad : ah, crap. I didn't test this for case when image also has tag with it 😞 . Does it work when you simply use solr@sha256***** ??? But why do you need a tag in image name when you're using image digest?

[mmkonrad]

That is actually a good question! The image is not coming from us but we have to rely on it anyway :(
Maybe it is a relic but I can not say for sure. If I get the chance I will look into it but I am now on a break until january.
I will keep you posted.

[mmkonrad]

@rohanKanojia @rhuss
Alright,
after some time we had the opportunity to look into the issue again.
As a result we come to the conclusion that we need Fabric8 to be able to handle 'solr:7.4-alpine@sha256' image tags. This is due to the requirement to work with fixed versions (not latest), but be able to get updates for that specific version (e.g. security).

[rohanKanojia]

@mmkonrad : okay, would raise a PR on dmp side to resolve this in few days.

[mmkonrad]

Can you please tell me the current status?
It looks like we will need this feature quite soon as we progress with the usage of renovate

[rohanKanojia]

@mmkonrad : ah, apologies for the inconvenience caused. I missed this somehow :-( . Will try to look into it as soon as I get time

[mmkonrad]

Thank you.
We are looking forward to it ;)

[mmkonrad]

I see there was an additional reaction to your response. Should we re-open the issue, just for the sake of the workflow?

[mmkonrad]

To contribute sth instead of just asking for you support I created a pull request Enhance Fix 541.
It is just a start that allows ImageName.java and its test class to handle sha256 digests as we require it.

But it is not final, since

src/main/java/io/fabric8/maven/docker/access/UrlBuilder.java

has not been adjusted accordingly. It looks like I have to invest some more time to figure out what is going on there -> "-p" either with tag OR digest?

As you can see in the PR there are now additional constellations that have to be considered.

[mmkonrad]

Ah, it looks like I messed up the indents even more instead of fixing them.
Well I most likely have to close the PR and reopen it again, since the commits aren't squashed either.
But so far it should suffice to get the conversation going on and to show some initiative towards fixing the "demand"...

[rohanKanojia]

@mmkonrad : oh, I see. You don't have to worry about squashing commits. Github has a squash and merge option before merging PR. Looking forward to your first contribution 😃 merged.

[mmkonrad]

I reopened the PR without the indent issues:
DMP PR 1176

[rohanKanojia]

We just need to update to docker-maven-plugin 0.29.0 in order to fix this issue.

[mmkonrad]

So far everything looks good.
As soon as all our pipelines succeeded I am going to close this issue.

Thank you for your support