Skip to content
This repository has been archived by the owner on Oct 31, 2023. It is now read-only.

Pull Docker images by SHA digest #4267

Closed
kmazurek opened this issue Jun 3, 2019 · 0 comments · Fixed by #4392
Closed

Pull Docker images by SHA digest #4267

kmazurek opened this issue Jun 3, 2019 · 0 comments · Fixed by #4392

Comments

@kmazurek
Copy link
Contributor

kmazurek commented Jun 3, 2019

Rationale

Right now, Docker images used by Golem are described using tags (e.g. golemfactory/blender_verifier:1.3). Relying on tags alone is error-prone and may lead to non-deterministic builds, since it's possible to push an entirely new Docker image under the same tag.

One example of such issue is #4143, where an incorrect Docker image under a specific tag got cached by Buildbot workers, causing tests to fail.

To avoid similar issues in the future, Golem could rely on not only tags but also the SHA digests of Docker images.

Technical specification

For all docker environments (e.g. verifier, blender, wasm) a new field should be defined (e.g. IMAGE_SHA_DIGEST). This would contain the SHA of the expected Docker image to be used by Golem.
Initial image pulls should still be based on tags, making them more readable. The SHA sum check would be done as a second step, possibly failing or pulling the correct image if a checksum mismatch occurs.

Which application modules will be updated?

  • DockerEnvironment
  • DockerManager
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

+ Docker image integrity verifier golemfactory/clay
1 participant
@kmazurek