Comments (8)
Thanks for reaching out.
Please provide a reproducer / expected results / actual results.
from skopeo.
Steps to Reproduce:
```
# Set up a docker dev environment compatible with `docker compose`
mkdir skopeo-test
cat <<EOT >> ./skopeo-test/docker-compose.yml
version: "3.9"
services:
  skopeo:
    image: quay.io/skopeo/stable@sha256:69d85072fe33f3f827930f6ad766154d5b411f6b0c7975a6840fda1c6cb2a80a
    pull_policy: always
EOT
# Test
docker compose -f ./skopeo-test/docker-compose.yml up
```
Expected results: the skopeo image is pulled and the build completes
Actual results: (error output)
```
[+] Running 1/1
 ✘ skopeo Error 1.9s
Error response from daemon: manifest for quay.io/skopeo/stable@sha256:69d85072fe33f3f827930f6ad766154d5b411f6b0c7975a6840fda1c6cb2a80a not found: manifest unknown: manifest unknown
```
Impact:
This results in build environments that fail the moment they become slightly out-of-date, which in turn causes staff to lose trust in the build environment.
Internal Workarounds:
We try to keep the images perfectly up to date, but this still is subject to inherent lag-time where build environments will simply break. We could specify the image via its version tag, but this tends to show up as a configuration error. See checkov docs for an example of such a configuration error policy.
Possible Solution:
I'm not familiar with your build/publish workflow, so I'm not able to diagnose any of the root causes of this behavior. But if I were attempting to fix this issue, I imagine I might experiment a couple of different ways.
- Mirror the image on another service - this might eliminate potential limitations from the image registry.
- Add an extra tag to each image that's released as an official version - this might prevent an automated process from deleting old images simply because they are not tagged.
- Release an image based on `scratch` - this may remove spurious releases that are not directly related to core software updates (which might make the process of keeping these images updated less labor-intensive).
Thanks for looking into this. I think skopeo is a great tool & I'm looking forward to using it more.
from skopeo.
Ah, thanks, I didn’t realize this talks about the images we publish.
Yes, the most recent images keep being rebuilt to include security updates and the like. And quay.io is fairly aggressively removing untagged images.
@cevich is working on changing the image publishing workflow/design; I’m not sure if there is a specific issue to follow progress.
from skopeo.
Ah yes. I think I see it now: containers/automation_images#310 and #2133.
I'm not seeing any indication of progress however. Maybe the original issues don't communicate any consequential impact. For me, this is essentially breaking our ability to pin these images to a sha256 digest - which is a must for our more compliance oriented use cases.
Thanks again @mtrmac for taking time to look into this.
from skopeo.
Compliance-oriented use cases might also need to have a contractual relationship with some promise of security updates; what happens in this Open Source project is not really that.
Consider something like `registry.access.redhat.com/ubi9/skopeo`. Now I’m not saying that they are actually preserving every past version — I wouldn’t know! — but there are build teams and build processes dedicated to making those images enterprise-consumable.
from skopeo.
> @cevich is working on changing the image publishing workflow/design
Oh, completely forgot about that open containers/automation_images#310
Miloslav is correct, I have a chain of work scheduled to improve this situation. It will most likely end with us publishing (one time only) a tag having a `-stable` suffix.
Those tags will be left alone forever, so you can freely use the tag+sha scheme w/o breakage. I'll update that issue to this effect.
from skopeo.
@cevich that sounds like a great solution. Thanks for looking into this.
from skopeo.
Great. I'll close this and track it over in containers/automation_images#310
from skopeo.
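The thread contrasts three ways of referencing an image: digest-only (which broke here once the untagged manifest was removed), tag-only (which the reporter says policy tools flag), and the tag+sha scheme. The following is an added example, not code from the skopeo project or from any commenter, that audits the `image:` lines of a compose file and reports which style each one uses. The function names, the `example-tag` tag, and the all-zero digest are assumptions made for illustration.

```python
import re

# name[:tag][@sha256:<64 hex>]; a tag cannot contain "/", so a registry
# port such as localhost:5000/app is not mistaken for a tag.
_REF = re.compile(
    r"^(?P<name>[^@\s]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
_IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def classify(ref):
    """Return the pinning style of one image reference."""
    m = _REF.match(ref)
    if m is None:
        return "invalid"
    tag, digest = m.group("tag"), m.group("digest")
    if tag and digest:
        return "tag+digest"   # the "tag+sha scheme" from the thread
    if digest:
        return "digest-only"  # fails once the registry drops the untagged manifest
    return "tag-only" if tag else "floating"


def audit_compose(text):
    """Return (reference, style) for every `image:` line in a compose file."""
    return [(ref, classify(ref)) for ref in _IMAGE_LINE.findall(text)]


# Constructed sample. PAGE_DIGEST is the digest quoted in the report above;
# FAKE_DIGEST and the tag names are placeholders, not real published values.
PAGE_DIGEST = "sha256:69d85072fe33f3f827930f6ad766154d5b411f6b0c7975a6840fda1c6cb2a80a"
FAKE_DIGEST = "sha256:" + "0" * 64
SAMPLE = f"""\
services:
  a:
    image: quay.io/skopeo/stable@{PAGE_DIGEST}
  b:
    image: "quay.io/skopeo/stable:example-tag@{FAKE_DIGEST}"
  c:
    image: quay.io/skopeo/stable:latest
  d:
    image: localhost:5000/skopeo
"""

if __name__ == "__main__":
    for ref, style in audit_compose(SAMPLE):
        print(f"{style:12} {ref}")
```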