Don't try to resolve pinned sha's to versions when updating docker images #6150
Conversation
deivid-rodriguez
changed the title
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
2 times, most recently
from
27e9d97
to
b03c9a1
Compare
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
from
b03c9a1
to
1cd6b45
Compare
I think the reason we fetch versions and try to match them against the SHA is to determine the version precision. Otherwise, we can't know what version the image needs to be upgraded to Not sure if I'm misunderstanding something here though |
|
Oh I think I was missing something.... Docker doesn't support any other So we really might just be updating all Docker SHAs to Can you confirm that matches what your reasoning for removing this feature? The only exception I can think of is security updates, but GitHub doesn't publish any Docker advisories 🤔 |
|
Let me try explain what happens when Dependabot tries to update a Let's take for example the declaration This is what happens without this PR:
This is the logic with this PR:
|
Yes, that's exactly right by the way! Indeed, if we wanted a "lowest fixed version" logic for Security Updates, we wouldn't have that, but that does not seem a concern now, and we don't have that logic in place at the moment anyways. |
|
@deivid-rodriguez do you have a status on this? |
|
Hei! There's no ETA but the PR is already approved and just needs a rebase and a final look to get shipped. It should not take too long. |
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
3 times, most recently
from
7b39e2f
to
608e38b
Compare
|
This should be now ready for another review unless CI proves me wrong. It's a big PR, but mostly deletes a lot of code! |
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
from
a5a9c9b
to
00c1363
Compare
There was a problem hiding this comment.
I notice this can match tags with different prefixes. It seems like these are both valid?
sha265:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005:sha265:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005
But most tags will be in the form of FROM ghcr.io/dependabot/dependabot-updater@sha256: 654abc3436d0c99896df14d3d6bb450774fd5639a97e8a2bf88bc813151ef7bd, right?
Is there a reason you support the other prefix with a leading :? Do they also appear in Dockerfiles?
common/spec/dependabot/pull_request_creator/message_builder_spec.rb
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
@Nishnha Regarding your comment about leading :, is it because the regex is now
IMAGE_SPEC = %r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?(?:@sha256:#{DIGEST})?#{NAME}?}xIf that's it, the ?: part before sha256 is meant to mean "match this group, but don't include it as a named match". So in other words, that leading : is not supposed to be matched, it's just a special character when preceded by ?.
See this: https://rubular.com/r/FXdZeMjcFcMH03.
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
from
00c1363
to
497cb4a
Compare
TIL! 😮 The only other question I have is why remove the private registry tests in 666c100 ? |
|
Sorry @Nishnha, not sure what happened there, I was sure I had answered the question about the removed tests 😅. I removed those because the logic they were testing has been removed. Previously, if we found an image reference with only a SHA-version (no numeric version), we would talk to the registry to try figure out whether there's a numeric tag associated to that SHA. Those tests were testing that the registry requests to do this happen correctly. With the new approach, we don't mess with trying to find a numeric version for a given SHA, and rely exclusively to the information present in the Dockerfile itself. So we don't talk to the registry anymore when parsing Dockerfile dependencies. This is why those tests were removed, I hope it makes sense! |
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
from
497cb4a
to
bd5b3c0
Compare
* If the Dockerfile specifies a version, we don't need to do this, since we already have a previous version. * If the Dockerfile only specifies a SHA, I don't think we need it either because we will be updating to another SHA, so the user seems uninterested in specific versions. And this case doesn't really work in most cases anyways because of how inefficient this is. With this patch, we can find updates to Dockerfiles specifiying only SHAs much faster.
Previously we would generate something like ``` bump ubuntu from sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba to sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21 ``` when updating a Dockerfile like ``` FROM ubuntu@sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba ``` but something like ``` bump ubuntu from `817cfe4` to `67211c1` ``` when updating a Dockerfile like ``` FROM ubuntu:22.04@sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba ``` Now we generate the shortened version consistently.
deivid-rodriguez
force-pushed
the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
from
bd5b3c0
to
865e2b8
Compare
deivid-rodriguez
deleted the
deivid-rodriguez/docker-dont-fetch-all-the-things
branch
This may seem too aggressive, and I'm probably missing something, and I haven't yet run full tests BUT, I think this is incorrect and not necessary.
When a base image is pinned to a specific sha, Dependabot does a very heavy operation of requesting the list of tags from the registry, and then asking for the sha of each of them until one tag that matches the current sha is found.
However, this is not necessary, because Dependabot will end up updating to the latest sha anyways, since it defaults to always keeping the current style/precision.
Also, I believe this is incorrect, because docker tags are mutable, so the registry will only return the latest sha associated to each tag. So this loop is likely to run forever to end up not finding any matches if the current sha present in the Dockerfile has been overwritten.
Finally, this should be a big performance boost because this operation is very very slow.
Fixes #2997.
Fixes #4419.
Just opening a WIP PR to check CI for now.