dockerTools.pullImage: Skopeo pulls images by digest #38371
Conversation
# If the image digest is specified, the tag is only used at | ||
# Docker image loading (to set a tag), ie. it is not used to | ||
# pull the image (both digest and tag are not supported by | ||
# Skopeo yet). |
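Review bot: the parenthetical "both digest and tag are not supported by Skopeo yet" reads as if Skopeo supported neither, while the rest of the comment says the digest drives the pull and the tag is only applied at load time; rephrase it as "Skopeo does not yet accept a digest and a tag together in one reference", and say explicitly that a tag which does not correspond to the digest is ignored rather than rejected, so a reader knows this code performs no consistency check between the two.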
Does this mean we can’t fetch specific tags with this new implementation? Or does it mean you have to fetch the digest first and use that? What happens if the tag is set but the digest isn’t?
We can still use image tags to pull images.
If the tag is set but the digest is not, the tag is used to pull the image.
But if you specify a digest and a tag, Skopeo ignores the tag to pull the image. In this case, the tag is just used at image creation.
Hm, then it should really be ref (either a tag or a digest) and finalImageName ? ref (what the image is named). That way you don’t have to ignore user input silently.
The tag is only ignored when pulling the image if the specified image digest doesn't match the specified image tag. In this case, we could ensure the digest matches the expected tag by using skopeo inspect before pulling the image.
I would like to avoid having to encode the attribute type (digest or tag) in the reference string. For the user, it is more convenient to just have to set an attribute named digest or tag instead of having to put a : or a @ in the image reference string.
Moreover, the tag is always required (even if digest is specified) to create the image.
Another way would be to create a pullImage that only uses digest and a pullImageByTag function that could take different types of arguments.
I'm not sure if we have to let the user pull images with a tag forever, since they are not immutable.
@Profpatsch I've tried to handle both tag and digest ID but I think pulling images by both tag and digest is too confusing. Moreover, it seems more Nix compliant to pull by digest, which is immutable.
I think that’s the way to go, yes.
Nice, this PR is an improvement for sure. Thanks for the effort. Only documentation left :-)
Docs diff looks fine. LGTM?
@GrahamcOfBorg test docker-tools
Success on aarch64-linux. Attempted: tests.docker-tools. No partial log is available.
Failure on x86_64-linux. Attempted: tests.docker-tools.
Force-pushed from 4b25bf8 to 1a69af0.
@GrahamcOfBorg test docker-tools
No attempt on x86_64-linux. The following builds were skipped because they don't evaluate on x86_64-linux: tests.docker-tools
Success on aarch64-linux. Attempted: tests.docker-tools. No partial log is available.
@grahamc it seems like the ofborg builder is using Nix1 (
Test failure is not related to this PR. I locally ran
Force-pushed from 1a69af0 to bf1a205.
I would have liked more feedback on this... since my last attempt has been reverted!
There's also https://github.com/awakesecurity/hocker - how does that compare to Skopeo?
# this hash will need change if the tag is updated at docker hub | ||
sha256 = "0nncn9pn5miygan51w34c2p9qssi96jgsaqv44dxxdprc8pg0g83"; | ||
imageDigest = "sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b"; | ||
sha256 = "0mqjy3zq2v6rrhizgb9nvhczl87lcfphq9601wcprdika2jz7qh8"; |
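Review bot: the comment "this hash will need change if the tag is updated at docker hub" no longer describes what drives the hash once imageDigest is present: the fixed-output sha256 follows the pinned digest, not the tag, so reword it to say the hash must be updated whenever imageDigest is bumped, and note in the same comment which tag the digest was resolved from so the pin can be re-checked with skopeo inspect later.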
I think we should have a release note if hashes change.
see nixpkgs/nixos/doc/manual/release-notes/rl-1809.xml
@@ -77,6 +77,8 @@ following incompatible changes:</para> | |||
<itemizedlist> | |||
<listitem> | |||
<para> | |||
<literal>dockerTools.pullImage</literal> relies on image digest | |||
instead of image tag to download the image. |
Ok this was already done. It should also mention that hashes will change.
Done
@puffnfresh See https://nixos.wiki/wiki/Workgroup:Container for a short synopsis on many relevant tools.
@Profpatsch really cool, thank you!
@puffnfresh Skopeo is not related to Nix. It is used by many other projects to manipulate container images (Docker, OCI, ...) across container image registries. One advantage of Hocker is that each layer is stored in the Nix store. This means that if several images share the same layer, it exists only once. This is not currently the case with our implementation of
Force-pushed from bf1a205 to 3a58380.
@Mic92 @Profpatsch Does this PR look good to you?
[EDITED]
Skopeo is used to pull images from a Docker registry (instead of a Docker daemon inside a VM).
An image reference is specified with its name and its digest. The digest is an immutable image identifier (unlike image name and tag).
Skopeo can be used to get the Digest of an image, for instance:
skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
I still have to
but I would prefer to have some feedback first.
Note: six months ago, I already tried to use Skopeo to pull images, but these patches were reverted because the Skopeo output format was not compliant with the Docker legacy format (it broke several scripts/tests). The latest Skopeo version is now compliant with it.
The onTopOfPulledImage docker test has been added to validate this change.
cc @Profpatsch @kuznero @gilligan
Motivation for this change
Remove VM needs and pull with digest. This also fixes #29271.
Things done
build-use-sandbox in nix.conf (on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
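As an added example (not code from the PR or from nixpkgs) covering both the ':' versus '@' reference-string question raised in the review thread and the skopeo inspect step in the description: a small POSIX shell helper that splits a reference into name, tag and digest, and checks a digest pinned as imageDigest against the Digest that skopeo inspect reports for a tag. parse_ref, check_pinned, check_pinned_live and the sample inspect output are assumptions made here, not part of the PR.

```shell
#!/bin/sh
# Added example (not code from the PR or from nixpkgs): parse_ref splits a
# reference written with ':' (tag) or '@' (digest); check_pinned verifies that
# a digest pinned as imageDigest is still what the registry serves for the tag,
# using the Digest field of `skopeo inspect` output.

# parse_ref REF -> prints "name|tag|digest" (a field is empty when absent).
# The digest follows the last '@'; the tag is what follows the last ':' of the
# final path component, so a registry port ("host:5000/...") is not read as a tag.
parse_ref() {
  ref=$1; tag=''; digest=''
  case $ref in
    *@*) digest=${ref##*@}; ref=${ref%@*} ;;
  esac
  last=${ref##*/}
  case $last in
    *:*) tag=${last##*:}; ref=${ref%:*} ;;
  esac
  printf '%s|%s|%s\n' "$ref" "$tag" "$digest"
}

# digest_from_inspect JSON -> prints the "Digest" value of skopeo inspect output.
digest_from_inspect() {
  printf '%s\n' "$1" | sed -n 's/.*"Digest": *"\([^"]*\)".*/\1/p' | head -n 1
}

# check_pinned EXPECTED JSON -> succeeds only if JSON carries a well-formed sha256
# digest equal to EXPECTED; a missing field, a tag-like value or a mismatch fails.
check_pinned() {
  actual=$(digest_from_inspect "$2")
  printf '%s\n' "$actual" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  [ "$actual" = "$1" ]
}

# Live variant (assumes skopeo is installed and the registry is reachable):
#   check_pinned_live docker.io/nixos/nix 1.11 sha256:<pinned digest>
check_pinned_live() {
  check_pinned "$3" "$(skopeo inspect "docker://$1:$2")"
}

# Constructed sample in the shape of skopeo inspect output; the digest is made up.
SAMPLE_DIGEST="sha256:$(printf '%064d' 0)"
SAMPLE_INSPECT="{\"Name\": \"docker.io/nixos/nix\", \"Digest\": \"$SAMPLE_DIGEST\", \"Layers\": []}"

# Stand-alone run: report whether the sample pin matches the sample registry answer.
if check_pinned "$SAMPLE_DIGEST" "$SAMPLE_INSPECT"; then
  echo "pinned digest matches registry"
else
  echo "pinned digest does NOT match; the tag would have been silently ignored" >&2
fi
```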