These images can and will change at any time and thus can break our CI
without any external changes which is very bad. The TestPush test is
failing because it expects two not one image as it converts from docker
to oci on push. However the upstream docker.io/library/alpine was
switched to an oci image thus the test started failing as the local
storage now has the same id and just stores two different tags for the
same image.
Switch to our own controlled quay.io images where possible. This is
neither complete nor do I fully understand the tests here. I did a quick
search and replace and will see what works or not.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Update the libimage/pull_test.go file, changing quote in one line
Based on https://github.com/containers/image/pull/2408 from @mtrmac
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
To prevent the podman remote client from using libimage which causes a
lot of bloat due the c/image and c/storage dependencies add the
`!remote` tag.
This will cause a hard compile time failure if the remote client ends up
pulling in libimage.
Fixes#1702
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When pulling from an OCI source, make sure to preseve the optional name.
For instance, a `podman pull oci:/tmp/foo:quay.io/foo/bar:latest` should
pull the image and name it `quay.io/foo/bar:latest`.
While at it, also fix a bug when pulling an OCI without the optional
name. Previously, we used the path to name the image which will error
in most cases due to invalid characters (e.g., capital ones). Hence,
apply the same trick as for the `dir` transport and generate a sha.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing the gocritic's octalLiterar warnings like this one:
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
return (perm & 0722) == 0700
^
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When looking up an image by a short name that prefixes another image's
ID, the one matching the short name should be returned.
This means that we need to do a final lookup in the storage with the
specified name (without normalization) to continue matching short IDs.
Since it's common that users of libimage (e.g., Buildah) internally
refer to images by full ID, let's make sure that we check for that
first. This way, we'll match full IDs on first lookup and keep the
expected performance.
Note that a name starting with `sha2556:` must be followed by a 64-byte
hex value; something we didn't check for before.
Fixes: containers/podman/issues/12761
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Unfortunately, it the table was commented out, so it was a NOP.
Fix one test where the image being pulled was not present on
the GCR mirror.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
After containers/podman/issues/10682, we decided to always re-pull
images of non-local platforms and match *any* local image. Over time, we
refined this logic to not *always* pull the image but only if there is a
*newer* one. This has slightly changed the semantics and requires to
perform platform checks when looking up a local image. Otherwise, bogus
values would match a local image and mistakenly return it.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When pulling down an image with a user-specified custom platform, we
try to make sure that user gets what they are asking for. An inherent
issue with multi-arch images is that there are many images in the wild
which do not get the platform right (see containers/podman/issues/10682).
That means we need to pessimistically assume that the local image is
wrong and pull the "correct" one down from the registry; in the worst case
that is redundant work but we have a guarantee of correctness.
Motivated by containers/podman/issues/12707 I had another look at the
code and found some space for optimizations. Previously, we enforced
the pull policy to "always" but that may be too aggressive since we may
be running in an airgapped environment and the local image is correct.
With this change, we enforce the pull policy to "newer" which makes
errors non-fatal in case a local image has been found; this seems like a
good middleground between making sure we are serving the "correct" image
and user friendliness.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Path-based transports may contain characters that are invalid for a
reference. In such cases, we should pessimistically generate an ID
and not attempt to look at the (possibly path-based) string within the
transport.
This fixes an error when running `podman run dir:/tmp/CapitalChar` and
will prevent the same issue for the upcoming SIF transport.
Extend the tests to make sure we're not going to regress in the future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Buildah, containers and probably other container engines are normalizing
the platform parameters to support common values. For instance, "x86_64"
is normalized to the OCI conformant "amd64".
Use the same normalization when copying images and looking up local
images. Also add some debug logs to facilitate future debugging.
Fixes: containers/podman/issues/12680
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Path-based transports may contain characters that are invalid for a
reference. In such cases, we should pessimistically generate an ID
and not attempt to look at the (possibly path-based) string within the
transport.
This fixes an error when running `podman run dir:/tmp/CapitalChar` and
will prevent the same issue for the upcoming SIF transport.
Extend the tests to make sure we're not going to regress in the future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to enforce the "latest" tag when looking up images in the
local storage. Also make sure that digested short-names are subject
to the extended digest lookups.
Context: containers/podman/issues/11964
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Normalize images pulled from the docker-daemon transport to docker.io
and not to localhost. That preserves previous behavior of Podman.
Also fix a parsing bug in the pull code that was revealed while testing
the changes; parsing errors should be returned if there is a matching
transport without falling through to pulling the input string as an
image from a registry.
Context: containers/podman/issues/10998
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When writing LookupImage, I thought that it's a good idea to always
attempt to match an image against the local (or requested) platform.
The use case I had in mind is multi-arch support:
`$ podman run image` should only match `image` if it matches the local
platform. We may have previously pulled `image` for another
architecture.
The core criteria for these checks is that images set their platform
(arch/os/variant) correctly. As it turned out that is not the case.
We recently performed a number of fixes to better support multi-arch
images and this change should put the last nail in the coffin.
Hence, entirely remove the `IgnorePlatform` option and only perform
platform matches if the arch, os or variant is specified explicitly via
the LookupImageOptions or the runtime's system context (as Buildah likes
to do it).
Note that this is a breaking change, so I need to update Buildah and
Podman.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Allow for looking up images via customizable arch, os and variant.
This prevents `podman run --arch=xxx` from redundantly pulling down the
image if needed.
Context: containers/podman/issues/10648
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
For the sake of Docker compatibility, support the tag@digest notation.
In that case, the tag is stripped off the reference and the digest is
the sole source of truth.
Add a number of tests to make sure we're behaving as expected.
Context: containers/podman/issues/6721
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Paul Holzinger
tomsweeneyredhat
Oleksandr Redko
Valentin Rothberg
Kir Kolyshkin
Valentin Rothberg
OpenShift Merge Robot
Daniel J Walsh