registry-image-resource icon indicating copy to clipboard operation
registry-image-resource copied to clipboard

Published 20 hours ago verified publisher icon concourse

Get step fails with images from old schema version

Open cirocosta opened this issue 6 years ago • 4 comments

Hey,

As noticed by Trevor in Discord (sorry, I don't know how to link to a message there), old images like tutum/hello-world and tutum/curl fail to be fetched by registry-image when performing being geted.

That seems very related to the fact that these images use an older schema version (although that's detectable).

Using the following snippet (click to expand), we can see the different schema versions:

snippet 
#!/bin/bash

set -o errexit


main() {
check_args "$@"


local image=$1
local tag=$2
local token=$(get_token $image)


echo "$(get_tag $image $tag $token)"
}


get_token() {
local image=$1


echo "Retrieving Docker Hub token.
IMAGE: $image
" >&2


curl 

--silent 

"https://auth.docker.io/token?scope=repository:$image:pull&service=registry.docker.io" 

| jq -r '.token'
}


get_tag() {
local image=$1
local tag=$2
local token=$3


echo "Retrieving tag config.
IMAGE:  $image
TAG:    $tag
TOKEN:  $token
" >&2


curl 

--silent 

--header "Accept: application/vnd.docker.distribution.manifest.v2+json" 

--header "Authorization: Bearer $token" 

"https://registry-1.docker.io/v2/$image/manifests/$tag" 

| jq -r '.'
}


check_args() {
if (($# != 2)); then
echo "Error:
Two arguments must be provided - $# provided.


Usage:
  $0 <image> <tag>



Aborting."
exit 1
fi
}


main "$@"


./get-tag.sh concourse/concourse latest | grep schema
  "schemaVersion": 2,

./get-tag.sh tutum/hello-world latest | grep schema
  "schemaVersion": 1,

To reproduce:

resources:
  - name: image-docker
    type: docker-image
    source:
      repository: tutum/hello-world

  - name: image-registry
    type: registry-image
    source:
      repository: tutum/hello-world

jobs:
  - name: test
    plan:
      - aggregate:
        - get: image-docker
        - get: image-registry
Screen Shot 2019-03-11 at 9 12 03 AM

If that should be considered a bug ... I'm not sure 🤷‍♂️

Maybe for now it's more of a matter of documenting the behavior?

Thanks!

cirocosta avatar Mar 11 '19 13:03 cirocosta

Upstream issue which I think would make this 'just work':

https://github.com/google/go-containerregistry/issues/377

edit: Looks like we can at least get a better error message by bumping go-containerregistry to get this change: https://github.com/google/go-containerregistry/pull/344

edit edit: nevermind, that was closed in favor of the first issue.

vito avatar Mar 11 '19 16:03 vito

After thinking about it some more, I think I'd rather just add a better error message and try to convince the world to upgrade their dependencies on ancient images 🤷‍♂️

jonjohnsonjr avatar Mar 11 '19 19:03 jonjohnsonjr

I confirm (trevor from discord); the listed test exactly discriminates between the images which registry-image-resource will fetch for me, and those it won't, including several images not listed in the issue.

As a practical matter, I can easily swap from an old image like tutum/curl to a newer one like byrnedo/alpine-curl (or just build an image myself) and it all works fine.

I have one three-year-old non-trivial image that I'm still using, and for which I've lost the original Dockerfile; reconstructing that one will be a bit of a bother. But probably worth doing? (And certainly will teach me to keep my Dockerfiles in version control, silly)

vectorstorm avatar Mar 12 '19 00:03 vectorstorm

@jonjohnsonjr I could be convinced.

Let's leave this open for now and collect feedback as people adopt this resource type. Folks who need support for older images could continue to use the docker-image resource type, which will be deprecated, but hey, so are v1 manifests.

vito avatar Mar 12 '19 00:03 vito