Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix skopeo copy can't decrypt to docker-daemon image #1604

Closed
wants to merge 1 commit into from
Closed

fix skopeo copy can't decrypt to docker-daemon image #1604

wants to merge 1 commit into from

Conversation

ningmingxiao
Copy link
Contributor

Signed-off-by: ningmingxiao ning.mingxiao@zte.com.cn

@ningmingxiao ningmingxiao changed the title fix skopeo copy can't entrypt to docker-daemon image fix skopeo copy can't decrypt to docker-daemon image Jul 8, 2022
@ningmingxiao
Copy link
Contributor Author

fix containers/skopeo#1703

mtrmac
mtrmac requested changes Jul 8, 2022
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR.

This is not accurate: manifest.DockerV2Schema2ForeignLayerMediaTypeGzip just isn’t an encrypted MIME type, and this conversion logic is correct to reject encrypted inputs.

Besides the conceptual cleanliness point, this would also drop the encrypted MIME type even if not decrypting at all! That case must continue to fail.

I suppose the change from encrypted to non-encrypted MIME types should happen before even considering a format conversion.

@ningmingxiao
Copy link
Contributor Author

will this new commit be ok? @mtrmac

@mtrmac
Copy link
Collaborator

mtrmac commented Jul 11, 2022

I’m sorry about the previous very brief comment.

Just moving UpdateLayerInfos would, I think, work here, but the flip side is that the order of convertManifestIfRequiredWithUpdate vs. UpdateLayerInfos would be different in OCI vs. schema2, and we couldn’t make it consistent, otherwise a single step “convert from schema2 to OCI, and encrypt” would break. The code is messy and rife with with similar corner cases, so consistency of the implementation is valuable for maintenance.

Also, I suspect (but didn’t verify) that this implementation modifies the original image, which must not happen. That’s best ensured with a unit test within the existing test function — that would also help with making sure the use case in question doesn’t break.

I think we have to bite the conceptual bullet, accept, and express more the complexity … in this case I think manifestOCI1.UpdatedImage should do a separate check for info.CryptoOperation == types.Decrypt (and maybe, eventually, not in this PR, some other edits) and make an update of that kind first, so that it moves the image towards a “more interoperable” variant, then call convertManifestIfRequiredWithUpdate, and finally the original UpdateLayerInfos.

@mtrmac
Copy link
Collaborator

mtrmac commented Jul 11, 2022

Also, I suspect (but didn’t verify) that this implementation modifies the original image

oh, maybe not, UpdateLayerInfos allocates a new slice. Either way, a test would be the best way to make sure.

@ningmingxiao
fix skopeo copy can't decrypt to docker-daemon image
b3b2520 
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
mtrmac
mtrmac reviewed Aug 18, 2022
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, without unit tests we can’t be confident this will keep working.

internal/image/oci.go
Comment on lines +153 to +158
manifestTmp := m
defer func() {
if retErr != nil {
m = manifestTmp
}
}()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t understand at all what this is intended to do. m is local to this function, and just a pointer. Assigning to it, AFAICS, does nothing visible to the caller.

internal/image/oci.go
}
}()

// No conversion required, update manifest
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is not correct an this place.

internal/image/docker_schema2.go

// No conversion required, update manifest
if options.LayerInfos != nil {
if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned previously, this would break one-step ”convert to OCI and encrypt”.

We need to split that, and do the decryption MIME type changes before format conversions, and encryption MIME type changes after format conversions.

@mtrmac mtrmac mentioned this pull request Sep 1, 2022
Closed
@mtrmac mtrmac added the kind/bug A defect in an existing functionality (or a PR fixing it) label Dec 7, 2022
@mtrmac mtrmac mentioned this pull request Apr 28, 2023
Merged
@mtrmac
Copy link
Collaborator

mtrmac commented Sep 11, 2023

#1932 should make all of this work. Thanks for your work in this area!

@mtrmac mtrmac closed this Sep 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtrmac mtrmac mtrmac requested changes

Assignees
No one assigned
Labels
kind/bug A defect in an existing functionality (or a PR fixing it)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ningmingxiao @mtrmac