-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
validate KicBase cache by contentDigest #15677
Comments
The kicbase cache is just an internal thing, similar to the iso cache. And minikube can do whatever with it.
It can store the digest in some side channel, it can do sha256 on the kicbase tarball. And then verify it, itself.
Opening the archive again and examining the contents, sounds like overkill ? When the cache file was created (downloading from the registry), the digest was used. For kindest/node:v1.25.3@sha256:f52781bc0d7a19fb6c405c2af83abfeb311f130707a0e219175677e366cc45d1 kindest/node:v1.25.3@sha256:f1de3b0670462f43280114eccceab8bf1b9576d2afe0582f8f74529da6fd0365 But for Even the unstable images have their own tags.
So adding the digest to it is mostly useless... |
Now for the actual image cache, the container images used by the pods, it should use the same as
It is not portable, so one needs to take care to convert the internal standards of the other runtimes. "Id": "sha256:66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148",
"RepoTags": [
"busybox:latest"
],
"RepoDigests": [
"busybox@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"
], dockerbusybox cri-odocker.io/library/busybox containerddocker.io/library/busybox That is, to add the "sha256:" prefix for crio and to use I hope you were not expecting standards. docker
podman
nerdctl
|
@x7upLime otherwise the implemenation looks correct, [
{
"Config": "sha256:66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148",
"RepoTags": [
"index.docker.io/library/busybox:i-was-a-digest"
],
"Layers": [
"205dae5015e78dd8c4d302e3db4eb31576fac715b46d099fe09680ba28093a7a.tar.gz"
]
}
] While [
{
"Config": "66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148.json",
"RepoTags": null,
"Layers": [
"ad182516200d60412b9c0f8861a2f17c88c6f4976fbeaa46676542ab6197b082/layer.tar"
]
}
]
But note that you are only checking a filename. Otherwise you would have to extract and sha256 it ? PS: "crane" is the CLI of the google/go-containerregistry API https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md |
I'm checking the name of the config blob file of the image, which is synonym for the sha of its content. The config blob's content (among other things), is a list of shas of the image's layers. The worst that can happen if that image is tampered with inside the cache(I think..):
Maybe containerEngines implementations output different things for the imageId we were looking at.. In any case.. Config Blob sha persists across all implementations: kinda what we're doing with tarball.WriteToFile()
docker
podman
cri-o
containerd
|
As for our kicBase cache implementation. We could use this contentDigest-based mechanism in a number of ways.. It could be more complex tho, |
Implementation aside.. Some kind of mechanism based on something as generic as the config blob, is definitely the way. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently the main difficulty we found in moving to a less docker-centric approach,
is the the fact that the current cache-invalidation mechanism
is based upon image digest(a.k.a. ditributionDigest, a.k.a. registry reference) verification,
and that this information is not maintained in the container image itself(kicBase cache works using tarballs)
and it seems like any container engine has its own idea on how that information should be stored/retrieved.
Since this mechanism for cache-invalidation already caused quite some headache,
and the idea of dropping this mechanism for cache-invalidation has been expressed a couple of times...
#15491 (comment)
google/go-containerregistry#895 (comment)
I'd propose to change the cache invalidation mechanism first, to something based on
contentDigest(a.k.a. imageId), before trying to change the cache-access mechanism from the
kicDriver perspective. I'm sure then it'll be easier to solve a number of issues.
[+] refs:
https://windsock.io/explaining-docker-image-ids/ (contentDigest vs. distributionDigest)
https://stackoverflow.com/questions/45533005/why-digests-are-different-depend-on-registry (same as above..)
distribution/distribution#1662 (comment) -- (contentDigest is content-addressable)
google/go-containerregistry#895 (comment) (distributionDigest is not reliable)
The text was updated successfully, but these errors were encountered: