podman save capability to remove signatures #7659

Closed
jdockter opened this issue Sep 16, 2020 · 5 comments · Fixed by #7956

jdockter commented Sep 16, 2020

/kind feature

Description
When using podman save, via opm tool (which just shells out to podman), we have no way to save images that are signed.

sudo opm registry add -b "docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373" -d index.db -c podman
...
...
INFO[0004] running podman save                           bundles="[docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373]"
ERRO[0004] Error: unable to save "docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373": Error copying image to the remote destination: Can not copy signatures: Storing signatures for docker tar files is not supported  bundles="[docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373]"
ERRO[0004] permissive mode disabled                      bundles="[docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373]" error="error loading bundle from image: error saving image: Error: unable to save \"docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373\": Error copying image to the remote destination: Can not copy signatures: Storing signatures for docker tar files is not supported\n. exit status 125"
Error: error loading bundle from image: error saving image: Error: unable to save "docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373": Error copying image to the remote destination: Can not copy signatures: Storing signatures for docker tar files is not supported
. exit status 125

At just a podman level the same is seen.

podman save -o test.tar docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373
Error: unable to save "docker.io/ibmcom/ibm-cp-integration-bundle@sha256:47461a7543c71108a578178efa11507910eaf895113aab3612bf21300e598373": Error copying image to the remote destination: Can not copy signatures: Storing signatures for docker tar files is not supported

Tried using the policy.json to ignore via https://bugzilla.redhat.com/show_bug.cgi?id=1633482 but that did not work. Not sure if there is some other option so listed as feature request.

Believe skopeo has this capability as outlined in containers/skopeo#589 with --remove-signatures

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

$ podman version
Version:      2.0.6
API Version:  1
Go Version:   go1.14.4
Built:        Wed Dec 31 16:00:00 1969
OS/Arch:      linux/amd64

Output of podman info --debug:

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.15.1
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.18, commit: '
  cpus: 8
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: file
  hostname: coc-devops-builder1.fyre.ibm.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.15.0-76-generic
  linkmode: dynamic
  memFree: 26711396352
  memTotal: 33730019328
  ociRuntime:
    name: runc
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 15997071360
  swapTotal: 15997071360
  uptime: 556h 1m 33.5s (Approximately 23.17 days)
registries:
  cp.icr.io/cp:
    Blocked: false
    Insecure: false
    Location: cp.icr.io/cp
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: cp.stg.icr.io/cp
    Prefix: cp.icr.io/cp
  docker.io/ibmcom:
    Blocked: false
    Insecure: false
    Location: docker.io/ibmcom
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: cp.stg.icr.io/cp
    Prefix: docker.io/ibmcom
  search:
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 7
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Wed Dec 31 16:00:00 1969
  GitCommit: ""
  GoVersion: go1.14.4
  OsArch: linux/amd64
  Version: 2.0.6

Package info (e.g. output of rpm -q podman or apt list podman):

$ apt list podman
Listing... Done
podman/unknown,unknown,now 2.0.6~1 amd64 [installed]

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 16, 2020
@jdockter
Author

@mtrmac please let me know if there is currently a workaround I should try or if this is a new feature

@jdockter jdockter changed the title podman save capability to strip off signatures podman save capability to remove signatures Sep 16, 2020
@mtrmac
Collaborator

mtrmac commented Sep 17, 2020

Currently it might be possible to use podman push --remove-signatures podman save -o $image@sha256:… docker-archive:test.tar (probably losing some functionality like the ability to add extra tags); I didn’t try in practice.

I agree adding --remove-signatures to podman save makes some sense. (To an extent, arguably it should be the default for Podman because podman pull, in general, breaks signatures of the typical compressed images, so pushing the pre-existing signatures is rarely useful. OTOH I’m not sure it always breaks signatures, it might be possible to construct a workflow with uncompressed images without registries or something like that, and always using --remove-signatures would break that.)
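
The point above about pulled images and their signatures, as an added example that is not part of this thread or of Podman's code: a containers simple-signing payload commits to the digest of the exact manifest bytes, and the manifest lists the digests of the compressed layers. The manifest, the name `example.test/app` and the layer bytes are constructed, the OpenPGP wrapper around the payload is left out, and two gzip levels stand in for two different compressors.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// digest returns the "sha256:<hex>" form used for layers and manifests.
func digest(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// manifestFor gzips the layer and returns a minimal constructed manifest for it.
func manifestFor(tarball []byte, level int) []byte {
	var blob bytes.Buffer
	w, _ := gzip.NewWriterLevel(&blob, level)
	w.Write(tarball)
	w.Close()
	m, _ := json.Marshal(map[string]interface{}{"layers": []map[string]string{{"digest": digest(blob.Bytes())}}})
	return m
}

// payloadFor builds the claim a signature covers: image name plus manifest digest.
func payloadFor(ref string, manifest []byte) []byte {
	p, _ := json.Marshal(map[string]interface{}{"critical": map[string]interface{}{
		"type":     "atomic container signature",
		"identity": map[string]string{"docker-reference": ref},
		"image":    map[string]string{"docker-manifest-digest": digest(manifest)},
	}})
	return p
}

// claimMatches reports whether manifest is the one the payload committed to.
func claimMatches(payload, manifest []byte) bool {
	var p struct{ Critical struct{ Image map[string]string } }
	return json.Unmarshal(payload, &p) == nil && p.Critical.Image["docker-manifest-digest"] == digest(manifest)
}

// roundTrip checks the claim against the registry manifest and a re-created one.
func roundTrip() (asPulled, afterResave bool) {
	tarball := bytes.Repeat([]byte("constructed layer content\n"), 200)
	registry := manifestFor(tarball, gzip.BestCompression)
	payload := payloadFor("example.test/app", registry)
	// Storage keeps the layer uncompressed; writing it out compresses it anew.
	return claimMatches(payload, registry), claimMatches(payload, manifestFor(tarball, gzip.BestSpeed))
}

func main() { fmt.Println(roundTrip()) }
```

The layer content is identical in both manifests; only the compressed bytes differ, which is enough to change the manifest digest the signature is bound to.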

@jdockter
Author

Thanks @mtrmac, is this something we can get into the next release, or what is your thought moving forward on this?

@jdockter
Author

@QiWang19 is this something you will be working on?

@QiWang19
Contributor

@jdockter I can take a look at this, I was distracted by other issues.

@rhatdan rhatdan added the In Progress This issue is actively being worked by the assignee, please do not work on this at this time. label Oct 1, 2020
QiWang19 added a commit to QiWang19/podman that referenced this issue Oct 21, 2020
remove signatures to podman save since the image formats do not support signatures
Close: containers#7659

Signed-off-by: Qi Wang <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023