-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Moby client behavior rely on Moby API, and is not compatible with podman short name handling #12320
Comments
Since that's the default behavior of moby engine, the compat API need to reflect that. Fixes containers#12320 Signed-off-by: Michael Scherer <[email protected]>
Podman's Docker-compatible REST API is in need of a mechanism to enforce resolving to Docker Hub only. Yet there is the desire for the rest of the stack to continue honoring the system's registries.conf. We recently added a new field to containers.conf [1] which allows for opting out from enforcing Docker Hub for Podman's compat API but we still lack a way of enforcement when resolving short names; which ultimately is *the* place to do that. This change does the necessary plumbing. The compat REST handlers will set the new field in the `types.SystemContext` and pass that down to libimage and buildah. [1] containers/common@e698b8c Context: containers/podman/issues/12320 Signed-off-by: Valentin Rothberg <[email protected]>
Podman's Docker-compatible REST API is in need of a mechanism to enforce resolving to Docker Hub only. Yet there is the desire for the rest of the stack to continue honoring the system's registries.conf. We recently added a new field to containers.conf [1] which allows for opting out from enforcing Docker Hub for Podman's compat API but we still lack a way of enforcement when resolving short names; which ultimately is *the* place to do that. This change does the necessary plumbing. The compat REST handlers will set the new field in the `types.SystemContext` and pass that down to libimage and buildah. [1] containers/common@e698b8c Context: containers/podman/issues/12320 Signed-off-by: Valentin Rothberg <[email protected]>
Podman's Docker-compatible REST API is in need of a mechanism to enforce resolving to Docker Hub only. Yet there is the desire for the rest of the stack to continue honoring the system's registries.conf. We recently added a new field to containers.conf [1] which allows for opting out from enforcing Docker Hub for Podman's compat API but we still lack a way of enforcement when resolving short names; which ultimately is *the* place to do that. This change does the necessary plumbing. The compat REST handlers will set the new field in the `types.SystemContext` and pass that down to libimage and buildah. [1] containers/common@e698b8c Context: containers/podman/issues/12320 Signed-off-by: Valentin Rothberg <[email protected]>
The Docker-compatible REST API has historically behaved just as the rest of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where `containers-registries.conf` is centrally controlling which registries a short name may resolve to during pull or local image lookups. Please refer to a blog for more details [1]. Docker, however, is only resolving short names to docker.io which has been reported (see containers#12320) to break certain clients who rely on this behavior. In order to support this scenario, `containers.conf(5)` received a new option to control whether Podman's compat API resolves to docker.io only or behaves as before. Most endpoints allow for directly normalizing parameters that represent an image. If set in containers.conf, Podman will then normalize the references directly to docker.io. The build endpoint is an outlier since images are also referenced in Dockerfiles. The Buildah API, however, supports specifying a custom `types.SystemContext` in which we can set a field that enforces short-name resolution to docker.io in `c/image/pkg/shortnames`. Notice that this a "hybrid" approach of doing the normalization directly in the compat endpoints *and* in `pkg/shortnames` by passing a system context. Doing such a hybrid approach is neccessary since the compat and the libpod endpoints share the same `libimage.Runtime` which makes a global enforcement via the `libimage.Runtime.systemContext` impossible. Having two separate runtimes for the compat and the libpod endpoints seems risky and not generally applicable to all endpoints. [1] https://www.redhat.com/sysadmin/container-image-short-names Fixes: containers#12320 Signed-off-by: Valentin Rothberg <[email protected]>
Podman's Docker-compatible REST API is in need of a mechanism to enforce resolving to Docker Hub only. Yet there is the desire for the rest of the stack to continue honoring the system's registries.conf. We recently added a new field to containers.conf [1] which allows for opting out from enforcing Docker Hub for Podman's compat API but we still lack a way of enforcement when resolving short names; which ultimately is *the* place to do that. This change does the necessary plumbing. The compat REST handlers will set the new field in the `types.SystemContext` and pass that down to libimage and buildah. [1] containers/common@e698b8c Context: containers/podman/issues/12320 Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg I am not sure I ran into a corner case, so I do not really know if the behavior I describe is a bug or not. For reasons I pull container images from a private registry at VM image creation time, and then after VMs are deployed I create containers over the Podman's Docker-compatible REST API. The issue I am having is that starting with podman 4, trying to start a container that was previously pulled fails because the container does not exist at Docker Hub. More precisely I get a 404 for Here is an example. Please note that I replaced real strings with words in capital letters, like NAME, and TAG.
Then if I set Is this a bug? P.S. On the VMs I have running docker, Docker is perfectly fine with containers found in local containers storage. |
Thanks for the ping, @petersenna. It definitely sounds suspicious when Docker works but Podman does not on the compat API and by definition qualifies as a bug. Judging from the logs, Podman is able to resolve the image locally when looking for "NAME:TAG":
For some reasons, Podman is then looking up the normalized version which fails:
Would you mind opening a new issue for it? It would be extremely useful to see the exact API request to isolate the bug. |
Created a new issue: #14291 |
According to https://github.com/moby/moby/blob/master/client/image_pull.go#L22-L29 , "docker.io" suffix is stripped when a program call client.ImagePull (since that's the "familiar name")
For example, trying to client.ImagePull(_, "docker.io/a6543/test_git_plugin", _ ) will result in a API call of
This is not compatible with the short-name feature of podman (https://www.redhat.com/sysadmin/container-image-short-names), since this result in podman returning this error in the API (tested with the HEAD version, see #12315 for the whole story):
Should the compat API mirror moby client expectation, eg, defaulting to docker.io ?
The text was updated successfully, but these errors were encountered: