fix skopeo copy can't decrypt to docker-daemon image #1604
Thanks for the PR.
This is not accurate: manifest.DockerV2Schema2ForeignLayerMediaTypeGzip just isn’t an encrypted MIME type, and this conversion logic is correct to reject encrypted inputs.
Besides the conceptual cleanliness point, this would also drop the encrypted MIME type even if not decrypting at all! That case must continue to fail.
I suppose the change from encrypted to non-encrypted MIME types should happen before even considering a format conversion.
will this new commit be ok? @mtrmac
I’m sorry about the previous very brief comment. Just moving Also, I suspect (but didn’t verify) that this implementation modifies the original image, which must not happen. That’s best ensured with a unit test within the existing test function — that would also help with making sure the use case in question doesn’t break. I think we have to bite the conceptual bullet, accept, and express more the complexity … in this case I think
oh, maybe not,
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Also, without unit tests we can’t be confident this will keep working.
manifestTmp := m | ||
defer func() { | ||
if retErr != nil { | ||
m = manifestTmp | ||
} | ||
}() |
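Review bot: `manifestTmp := m` on the first line saves only the current value of `m`, and the deferred `m = manifestTmp` restores only that variable, so if `m` is a pointer (as the review comment that follows says) anything already changed through it before `retErr` was set stays changed. The deferred check also sees the final error only if `retErr` is the function's named return value, which these lines do not show. If the intent is to leave the manifest untouched on failure, apply the update to a copy and swap it in only on success, and add a unit test asserting the input is unmodified after an error return.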
I don’t understand at all what this is intended to do. m is local to this function, and just a pointer. Assigning to it, AFAICS, does nothing visible to the caller.
} | ||
}() | ||
|
||
// No conversion required, update manifest |
This comment is not correct at this place.
|
||
// No conversion required, update manifest | ||
if options.LayerInfos != nil { | ||
if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil { |
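Review bot: the comment `// No conversion required, update manifest` sits directly above `if options.LayerInfos != nil`, and nothing in the lines shown tests whether a conversion is required, so the comment describes a condition the guard does not check. Move the comment to the branch that actually establishes that no conversion is needed, or reword it to say what the `copy.m.UpdateLayerInfos(options.LayerInfos)` call does at this point.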
As mentioned previously, this would break one-step “convert to OCI and encrypt”.
We need to split that, and do the decryption MIME type changes before format conversions, and encryption MIME type changes after format conversions.
#1932 should make all of this work. Thanks for your work in this area!
Signed-off-by: ningmingxiao ning.mingxiao@zte.com.cn
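The ordering asked for in the review comments above (decryption MIME type change before format conversion, encryption MIME type change after it), as an added Go example that is not code from this PR or from the project. `convert`, `planLayerMIME` and the `"docker"`/`"oci"` target strings are hypothetical names, and only the gzip layer types are modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Layer media types from Docker schema2 and the OCI image spec.
const (
	dockerGzip = "application/vnd.docker.image.rootfs.diff.tar.gzip"
	ociGzip    = "application/vnd.oci.image.layer.v1.tar+gzip"
	encSuffix  = "+encrypted" // OCI only; Docker schema2 has no encrypted types
)

// convert (hypothetical) maps a layer media type to the target format and,
// like the conversion logic discussed above, rejects encrypted inputs.
func convert(mt, target string) (string, error) {
	if strings.HasSuffix(mt, encSuffix) {
		return "", fmt.Errorf("cannot convert encrypted layer %q", mt)
	}
	out, ok := map[string]string{"docker": dockerGzip, "oci": ociGzip}[target]
	if !ok || (mt != ociGzip && mt != dockerGzip) {
		return "", fmt.Errorf("unsupported conversion %q -> %q", mt, target)
	}
	return out, nil
}

// planLayerMIME (hypothetical): decrypt change, then conversion, then encrypt change.
func planLayerMIME(src, target string, decrypt, encrypt bool) (string, error) {
	if decrypt {
		src = strings.TrimSuffix(src, encSuffix)
	}
	mt, err := convert(src, target)
	if err != nil {
		return "", err
	}
	if encrypt && target != "oci" {
		return "", fmt.Errorf("target %q has no encrypted media types", target)
	}
	if encrypt {
		mt += encSuffix
	}
	return mt, nil
}

func main() {
	fmt.Println(planLayerMIME(ociGzip+encSuffix, "docker", true, false))
}
```

An encrypted layer copied without decryption still fails in `convert`, which is the case the first review comment says must continue to fail.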