-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bad image used by podman run with an image with a tag then without an explicit tag #11964
Comments
@mtrmac @vrothberg @mheon WDYT? |
That is interesting, thanks @guillaumerose! To explain the behavior. If we're looking for a short name such as |
Note that |
@rhatdan WDYT? |
Lets fix it for podman 4.0. I think we state that when you don't specify a tag, it defaults to latest. But I agree this is a breaking change. |
If we change that in In short: Docker always uses the |
Lets talk at standup. |
Personally, the (what is now) |
For reasons buried in the history of Podman, looking up an untagged image would match *any* tag of matching image. For instance, looking up `centos` would match a local image `centos:foobar`. Docker only looks for `centos:latest`. Context: github.com/containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
Testing changes for github.com/containers/podman/issues/11964 in Buildah Signed-off-by: Valentin Rothberg <[email protected]>
Testing changes for github.com/containers/podman/issues/11964 in Buildah Signed-off-by: Valentin Rothberg <[email protected]>
Since I am on it: How do you want the remainder of image look up to behave? We already decided that
Now we want to look up At the time of writing, Podman will check for matching images in If we got rid of the "trying really hard" part, Podman would not be able to find I just want confirmation before tackling more tests. |
Only using the search registries, and in that order (not even preferring already-local I have absolutely no idea whether that’s practical to change now. Looking at the tests in #12010, I think it’s a good guess that quite a few users (and scripts) everywhere now depend on the liberal lookup behavior — but I have no way to quantify that. |
@baude PTAL |
@mtrmac, I share your thoughts. I think it's cleaner but I am terrified of how impactful this change would be. A middle ground would be to stop matching |
Perhaps — I have absolutely no idea whether users rely more on lax tag matching or on lax repo matching. It could be either one. |
Fair point. We could also just do nothing and keep things are they are 😈 So far, I've only seen one complaint/issue on the current behavior. |
Why can't we have both. Always append on the :latest and then return as we do now, if there are multiple foobar:latest? |
@rhatdan, we can do that but it is not what Docker does. I just want to make sure that everybody is on board with this "middle ground". Some users may file an issue down the road if they rely on this specific behavior of Docker. |
I’m not sure what you are proposing. Are you saying we should just keep the current behavior (where running |
No I am saying if user specifies localhost/ubuntu:latest Then we return to the old system and return localhost/ubuntu (Which I think is what we do now). What does Docker do in scenario one now? |
There is a theoretical security issue here. If someone can tag an image into the system that has a higher search priority, an ambiguous run request could result in the unintended image being run, no? It's a bit of a long shot security problem, because my assumption is that someone with the access to inject a malicious tag has sufficient access already to run a malicious image. |
For an attacker with access to the full Podman surface (whether through CLI or API), I can’t see that this could be a privilege escalation. For a hypothetical platform that shares a single Podman instance among unrelated parties, and which allows clients to cause arbitrary images to be pulled and run, yes, this could result in one client affecting another, in principle. I’m not sure such a thing could be built in a way that isolates the parties enough, but I suppose it could be possible. |
A hacker like this could also remove the image, and create and tag a new image to attack future users. I don't see this as something we should care about. |
That really depends on what API operations the platform actually passes through to Podman (it can’t be a full access to the API like tagging images) — but I agree it can only matter in a quite unlikely scenario. |
I want to find consensus on how to proceed. To summarize the issue:
We do not have consensus on the already mentioned scenario:
I think we run at risk of breaking existing Podman users. In theory, we also run at risk with at breaking users with the Shall we perform the 2nd change, yay or nay? |
My fairly weak vote is in favor of strictly matching only exactly the requested repo (or a repo that results from the application of Due to the risk fo breakage, either should probably happen only during a major version bump. (Another thing to possibly consider is to keep the old lookup code, but only for an error “old version would have found and used $result; if you want to use it, use that name explicitly”. OTOH perhaps that would be more infuriating than just breaking without showing that we could continue to keep that command working but we chose not to? Either way, that would be a non-trivial amount of rarely-used code to adapt/maintain, a maintenance headache.) (This is one of those times having a robust telemetry infrastructure that would allow us to gather statistics sounds attractive.) |
Thanks, @mtrmac. I hope to find time to tackle it next week. |
Make sure to enforce the "latest" tag when looking up images in the local storage. Context: containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
Make sure to enforce the "latest" tag when looking up images in the local storage. Also make sure that digested short-names are subject to the extended digest lookups. Context: containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
Make sure to enforce the "latest" tag when looking up images in the local storage. Also make sure that digested short-names are subject to the extended digest lookups. Context: containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
Make sure to enforce the "latest" tag when looking up images in the local storage. Also make sure that digested short-names are subject to the extended digest lookups. Context: containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
Make sure to enforce the "latest" tag when looking up images in the local storage. Also make sure that digested short-names are subject to the extended digest lookups. Context: containers/podman/issues/11964 Signed-off-by: Valentin Rothberg <[email protected]>
For reasons buried in the history of Podman, looking up an untagged image would match any tag of matching image. For instance, looking up centos would match a local image centos:foobar. Change that behavior to only match the latest tag. Fix: containers#11964 Signed-off-by: Valentin Rothberg <[email protected]>
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
With podman machine on macOS:
When running podman run with an explicit tag then the same image without a tag, podman uses the first image it found in his storage.
It should pick latest instead (if we want to match what docker is doing).
Steps to reproduce the issue:
podman run -it ubuntu:18.04 cat /etc/os-release
podman run -it ubuntu cat /etc/os-release
Describe the results you received:
Describe the results you expected:
Second call without the tag should use ubuntu:latest image like Docker.
Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version
:Output of
podman info --debug
:Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Installed with brew on macOS.
The text was updated successfully, but these errors were encountered: