dockerTools.pullImage: use skopeo to pull the image #29302
Conversation
|
@nlewo, thanks for your PR! By analyzing the history of the files in this pull request, we identified @lethalman, @matejc and @0arthur to be potential reviewers. |
nlewo
changed the title
nlewo
force-pushed
the
pr/dockerpull
branch
from
bdcdb6f to
19744ec
Compare
nlewo
changed the title
|
+1 for the idea in general because it is faster and better maintainable. I think there should be a release note item or hint that we broke |
nlewo
force-pushed
the
pr/dockerpull
branch
from
19744ec to
2aa5dcb
Compare
Before this patch, a VM was used to spawn docker that pulled the VM. Now, the tool Skopeo does this job well so we can simplify our dockerTools since we doesn't need Docker anymore:) This also fixe the regression described in NixOS#29271 : cntlm proxy doesn't work in 17.09 while it worked in 17.03. Note Skopeo doesn't produce the same output than docker pull so, we have to update sha.
nlewo
force-pushed
the
pr/dockerpull
branch
from
2aa5dcb to
e5e70cb
Compare
|
This looks great to me, but I haven't tested it yet. |
nlewo
force-pushed
the
pr/dockerpull
branch
from
e5e70cb to
99728df
Compare
nlewo
requested review from
copumpkin,
edolstra,
FRidh,
LnL7 and
peti
as code owners
nlewo
force-pushed
the
pr/dockerpull
branch
from
99728df to
e5e70cb
Compare
| nameReplace = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name; | ||
| in | ||
| # For simplicity we only support sha256. | ||
| { imageName, imageTag ? "latest", imageId ? "${imageName}:${imageTag}" |
There was a problem hiding this comment.
Does "latest" really make sense as a tag to use here? I know you're just carrying it over from the previous version, but it seems like a recipe for distributing unreproducible code: I use imageTag = "latest";, set the sha256 I get, and then as long as it stays in my store, I don't think about it for a while. I push up the code to my colleagues who don't share my store, and they pull latest and get a different image. If anything I'd try to actively discourage folks from using latest. That might be a topic for a separate review though 😄
There was a problem hiding this comment.
I fully agree with you.
Since this PR will be backported into 17.09, maybe it would be better to minimize changes.
So I could open another PR to remove the default "latest" value and go further.
It's possible to pull image by using the image digest (immutable):
https://docs.docker.com/engine/reference/commandline/pull/#pull-an-image-by-digest-immutable-identifier
Moreover, this is supported by Skopeo. So maybe we could add a digest argument and print a warning if the user uses the tag. I'm not sure that removing the tag argument is a good idea because it's not easy to find the digest of an image (I was not able to find it on the docker hub...).
There was a problem hiding this comment.
Being able to pull by the image digest, previously called imageId in dockerTools, is what my team has been using. The change earlier this year repurposed imageId to what it is now, which is not nearly as useful and has prevented us from updating nixpkgs on our projects. I am in favor of changing imageId back to what it meant before the change use a VM.
There was a problem hiding this comment.
@purefn is there an open issue for that? We shouldn't be breaking interfaces without providing reasonable alternatives, at least
There was a problem hiding this comment.
@copumpkin Sadly, no. I had run into another issue with that commit, #27294, and thought when that had been fixed it fixed our only issue. I tried it and encountered more problems, but didn't get to in any further until just recently.
There was a problem hiding this comment.
Can we come to a decision and get this merged and backported? My $0.02 is I think it is important to be able to pull by digest. This tooling has been largely broken forever. I'm not convinced too many people are depending on it.
There was a problem hiding this comment.
@grahamc we depend on digests but I think we agree that this PR is better than the current state.
There was a problem hiding this comment.
I think this is not relevant to this improvement.
There was a problem hiding this comment.
Thanks.
And I've open #29505 to continue the discussion :)
|
I'm reverting the skopeo stuff for now.. I generally think it's a good idea but creates too many incompatibilities right now.. sorry and I really hope you don't feel discouraged by that as you have been doing awesome work on the dockerTools! But having a clean release is a priority there.. I really hope we can improve this to make this compatible as it is definitely superior otherwise.. |
|
Did you revert on master or on the release branch? |
|
Ah ok so mesos was the reason here: dabb296 |
This reverts commit 01174c5. See #29302 (comment) for more information. This broke image format compatibility and therefore amongst others mesos.
This reverts commit 01174c5. See #29302 (comment) for more information. This broke image format compatibility and therefore amongst others mesos. (cherry picked from commit 5c6dc71)
|
@globin Don't worry. I don't have any problems with these reverts! I'm waiting for some feedbacks from the Skopeo community before resubmitting improved versions of these patches. How could I reproduce your issue with Mesos? |
|
Just running |
Motivation for this change
Fixes #29271
Before this patch, a VM was used to spawn docker that pulled the
VM. Now, the tool Skopeo does this job well so we can simplify our
dockerTools since we doesn't need Docker anymore:)
This also fixe the regression described in
#29271 : cntlm proxy doesn't
work in 17.09 while it worked in 17.03.
Note Skopeo doesn't produce the same output than docker pull so, we
have to update sha.
Things done
Successfully run:
And also the ubuntu:latest image.
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)