
compat API: allow enforcing short-names resolution to Docker Hub #12435

Merged
merged 1 commit into containers:main from vrothberg:fix-12320
Nov 30, 2021

Conversation

vrothberg
Member

The Docker-compatible REST API has historically behaved just as the rest
of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where
containers-registries.conf is centrally controlling which registries
a short name may resolve to during pull or local image lookups. Please
refer to a blog for more details [1].

Docker, however, is only resolving short names to docker.io which has
been reported (see #12320) to break certain clients who rely on this
behavior. In order to support this scenario, containers.conf(5)
received a new option to control whether Podman's compat API resolves
to docker.io only or behaves as before.

Most endpoints allow for directly normalizing parameters that represent
an image. If set in containers.conf, Podman will then normalize the
references directly to docker.io. The build endpoint is an outlier
since images are also referenced in Dockerfiles. The Buildah API,
however, supports specifying a custom types.SystemContext in which
we can set a field that enforces short-name resolution to docker.io
in c/image/pkg/shortnames.

Notice that this is a "hybrid" approach of doing the normalization directly
in the compat endpoints and in pkg/shortnames by passing a system
context. Doing such a hybrid approach is necessary since the compat
and the libpod endpoints share the same libimage.Runtime which makes
a global enforcement via the libimage.Runtime.systemContext
impossible. Having two separate runtimes for the compat and the libpod
endpoints seems risky and not generally applicable to all endpoints.

[1] https://www.redhat.com/sysadmin/container-image-short-names

Fixes: #12320
Signed-off-by: Valentin Rothberg [email protected]
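To make the behaviour change concrete, here is an added illustration (not Podman's or c/image's code) of the two resolution modes the description contrasts: a Docker-style normalization of a short name to docker.io, and the registries.conf-style expansion against localhost/ and the unqualified search registries. The Config field name, the candidate order and the registry list are assumptions constructed for the example.

```go
package main

import "strings"

// Config stands in for the containers.conf switch the PR adds (field name is hypothetical).
type Config struct {
	CompatResolveToDockerHub    bool
	UnqualifiedSearchRegistries []string // from containers-registries.conf
}

// isFullyQualified reports whether the first path component names a registry
// (contains '.' or ':' or is "localhost"), the rule Docker's reference parser uses.
func isFullyQualified(name string) bool {
	i := strings.IndexByte(name, '/')
	return i > 0 && (strings.ContainsAny(name[:i], ".:") || name[:i] == "localhost")
}

// NormalizeToDockerHub rewrites a short name the way Docker does:
// "alpine:3" -> "docker.io/library/alpine:3", "foo/bar" -> "docker.io/foo/bar".
func NormalizeToDockerHub(name string) string {
	switch {
	case isFullyQualified(name):
		return name
	case !strings.Contains(name, "/"):
		return "docker.io/library/" + name
	default:
		return "docker.io/" + name
	}
}

// Candidates lists the references a lookup would try for name: with the compat
// switch only docker.io; without it, localhost/ plus every search registry
// (the order shown is illustrative, not Podman's exact algorithm).
func Candidates(cfg Config, name string) []string {
	if isFullyQualified(name) {
		return []string{name}
	}
	if cfg.CompatResolveToDockerHub {
		return []string{NormalizeToDockerHub(name)}
	}
	out := []string{"localhost/" + name}
	for _, reg := range cfg.UnqualifiedSearchRegistries {
		if reg == "docker.io" { // docker.io requires the library/ namespace
			out = append(out, NormalizeToDockerHub(name))
		} else {
			out = append(out, reg+"/"+name)
		}
	}
	return out
}
```

With the switch on, a locally built image tagged only as localhost/foo is no longer a candidate for the short name foo, which is the breaking change discussed below.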

@openshift-ci
Contributor

openshift-ci bot commented Nov 29, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 29, 2021
@vrothberg vrothberg marked this pull request as draft November 29, 2021 10:23
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 29, 2021
@vrothberg
Member Author

@edsantiago, I'd appreciate your eyes on the new tests

@mheon
Member

mheon commented Nov 29, 2021

Question: does this affect lookup of localhost/ prefixed locally-built images? I think that is OK if so, given Podman 4.0.

@@ -52,6 +52,13 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
return
}

imageName, err := utils.NormalizeToDockerHub(r, body.Config.Image)
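Review bot: the err returned by utils.NormalizeToDockerHub must be checked and turned into an error response before imageName is used; the quoted hunk stops at the call, so make sure the lines that follow do that rather than continuing with an empty imageName. Because this rewrites the client-supplied body.Config.Image according to the containers.conf setting, the rewritten reference is what later stages and error messages will show; document the rewrite in the endpoint's description so users understand why a short name resolved to docker.io instead of a registries.conf candidate.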
Collaborator

Just a thought (I didn’t review the PR otherwise at all!)

Several (but by no means all) instances might be a tiny bit shorter with a

```go
if err := utils.NormalizeOverwriteToDockerHub(r, &body.Config.Image); err != nil { … }
```

with the obvious wrapper

```go
func NormalizeOverwriteToDockerHub(r …, inPlace *string) error {
	v, err := NormalizeToDockerHub(r, *inPlace)
	if err != nil {
		return err
	}
	*inPlace = v
	return nil
}
```

(*grumble* about Go’s error handling ergonomics)

@vrothberg
Member Author

> Question: does this affect lookup of localhost/ prefixed locally-built images? I think that is OK if so, given Podman 4.0.

Yes. localhost/ prefixing will be disabled, just as with Docker.

@mheon mheon added the breaking-change A change that will require a full version bump, i.e. 3.* to 4.* label Nov 29, 2021
@mheon
Member

mheon commented Nov 29, 2021

Alright. That's a breaking change (at least when the containers.conf flag is flipped on), so we'll need to document it. I threw on the correct label for that.

@vrothberg
Member Author

> Alright. That's a breaking change (at least when the containers.conf flag is flipped on), so we'll need to document it. I threw on the correct label for that.

Oh absolutely. It's changing the entire short-name resolution of the compat API, so it goes beyond the localhost/ tagging convention.

@vrothberg vrothberg marked this pull request as ready for review November 29, 2021 16:07
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 29, 2021
@vrothberg
Member Author

Updated now with c/image@main. Ready for reviewing/merging.

@vrothberg
Member Author

@rhatdan @baude @jwhonce PTAL

Member

@edsantiago edsantiago left a comment


Really thorough test suite, thank you. One nit, one question.

test/apiv2/70-short-names.at (comment outdated, resolved)
test/apiv2/70-short-names.at (comment resolved)
@baude
Member

baude commented Nov 30, 2021

LGTM and may I never work with images again ...

@rhatdan
Member

rhatdan commented Nov 30, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 30, 2021
@openshift-merge-robot openshift-merge-robot merged commit 771f8c6 into containers:main Nov 30, 2021
@vrothberg vrothberg deleted the fix-12320 branch November 30, 2021 15:34
SoMuchForSubtlety added a commit to SoMuchForSubtlety/testcontainers-java that referenced this pull request May 31, 2023
The unqualified registries setting is no longer needed, see containers/podman#12435
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Successfully merging this pull request may close these issues.

Moby client behavior rely on Moby API, and is not compatible with podman short name handling