manifest: enable DockerV2List #115
Conversation
|
Test are failing in skopeo because estesp/busybox is a manifest list (and we already had this issue in the past). We really need a way for this, otherwise we'll break docker in projectatomic/docker#200. |
|
I need to fix image.getParsedManifest to deal with manifest lists (unsure on the approach though) Manifest lists don't carry configuration or such, I think from a manifest list we need to resolve the target manifest for the current arch+platform (as docker does) and transparently work with that. Still, we need to enable this. I'll fix this tomorrow. |
|
@mtrmac I believe that by transparently resolving the target manifest for the current platform+arch we won't break signatures since we're going to retrieve and play with the correct single manifest. |
runcom
changed the title
|
@mtrmac I've added a new OCI has this concept of a manifest list also, it makes sense have this new method in the image source interface. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
So if I understand this correctly, Manifest and ManifestDigest will return the data of the manifest list, but LayerInfos etc. would all work with the underlying manifest data.
This works for the interface of types.Image narrowly read, and I guess it does allow signing of, and verifying signatures of, manifest lists, but it seems that it would completely break copy.Image; that method does need to know that there is a separate manifest list and a separate manifest to copy, and to copy both (or to copy all of the listed images, even).
docker/docker_image_src.go
Outdated
| } | ||
|
|
||
| // GetTargetManifest ... | ||
| func (s *dockerImageSource) GetTargetManifest(reference string) ([]byte, string, error) { |
There was a problem hiding this comment.
This will need a documented semantics for reference (this is definitely not a Docker reference, nor a ImageReference. I guess the input should be a digest, of perhaps a types.BlobInfo, like in GetBlob.
OCI has this concept of a manifest list also, it makes sense have this new method in the image source interface.
GetManifestFromList(arch, platform, ...)orGetTargetManifest(arch, platform, ...).
I think parsing the lists and matching by arch/platform belongs to the manifest parsing code in image, not in the individual ImageSources.
There was a problem hiding this comment.
There really should be a single function with this code, shared by GetTargetManifest and ensureManifestIsLoaded.
There was a problem hiding this comment.
I think parsing the lists and matching by arch/platform belongs to the manifest parsing code in image, not in the individual ImageSources.
isn't it that way now? that code is in image/docker_list.go
There was a problem hiding this comment.
The method declaration quoted above, and “new method in the image source interface”, are in ImageSource.
(To be clear, ImageSource.GetManifestByDigest is perfectly fine; I didn’t like the rch/platform logic in the sources.)
image/docker_list.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| switch mt { |
There was a problem hiding this comment.
This switch should really be shared with the one in genericImage.getParsedManifest. Add an genericImage.manifestInstanceFromBlob and call it from both places?
|
I guess, to proceed for now, add an That might allow not regressing docker, while we would more or less still refuse to sign/verify such images in skopeo. Assuming that they don’t become widespread… |
We use I think a natural way to solve both is to use the v2 docker registry, which accepts schema 2, in most of those tests (e.g. those which deal with signature and policy semantics); then we can use an ordinary non-manifest-list image like We’ll see which one of us will run into these test issues harder/sooner and actually update the tests that way 😀 |
I have that on my todo list since this stuff were in skopeo :( I'll try to find some time to really do that I promise :( |
|
@mtrmac updated the code, I still have to write down doc for GetTargetManifest and fix the other image transports, I'd like your ack before moving on :P |
|
Make |
|
@mtrmac PTAL |
runcom
changed the title
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
ACK apart from the two minor points.
image/docker_list.go
Outdated
| } | ||
|
|
||
| // A ManifestDescriptor references a platform-specific manifest. | ||
| type ManifestDescriptor struct { |
image/docker_list.go
Outdated
| } | ||
|
|
||
| type manifestList struct { | ||
| src types.ImageSource |
Signed-off-by: Antonio Murdaca <[email protected]>
|
@mtrmac fixed those 2 minor points |
|
👍, thanks! |
|
lgtm (merging after tests) |
|
merging, I'll fix skopeo asap and use a not-manifest-list image (like the official busybox) |
With these non-trivial test failures, I would really prefer for the test fix PR to be ready and reviewed before the containers/image part goes in. Not doing that effectively prevents merging anything else into containers/image. |
| return fmt.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef)) | ||
| } | ||
|
|
||
| // Please keep this policy check BEFORE reading any other information about the image. |
There was a problem hiding this comment.
Heh, right below the added code is this comment and neither of as has noticed :) So much for comments.
I’ll fix that…
Signed-off-by: Miloslav Trmač <[email protected]>
Signed-off-by: Miloslav Trmač <[email protected]>
2 participants
Related to #114
Needed for projectatomic/docker#200 - w/o this pulling an image with a manifest list is broken into docker.
Rigth now, by not supporting the manifest list media type we always got the single manifest for the amd64 arch instead of the whole manifest list and this broke docker because computing the digest for that single manifest isn't the same as the digest from the manifest list.
Also note that if you pull-by-digest a manifest list in docker you get back exactly the same manifest list digest (and not the one from the target manifest) which is confusing to me but still, it's how docker works.
@mtrmac PTAL - this is blocking
Signed-off-by: Antonio Murdaca [email protected]