jib icon indicating copy to clipboard operation
jib copied to clipboard

Published 20 hours ago verified publisher icon GoogleContainerTools

Slightly different json output causes dockerBuild with podman to fail with "Invalid digest" error for docker://<image> URIs

Open sherter opened this issue 1 year ago • 6 comments

Environment:

  • Jib version: 3.4.0
  • Build tool: Maven 3.9.4
  • OS: Linux

Description of the issue: When using a URI like docker://ubuntu:latest for the base image, the build fails with the following exception when using podman (v4.7.1) as jib.dockerClient.executable:

Caused by: java.security.DigestException: Invalid digest: e03c05f86eda698d40d66ca2c8542ebf597ebc5254cee070dde6c407a132a385
    at com.google.cloud.tools.jib.api.DescriptorDigest.fromDigest (DescriptorDigest.java:74)
    at com.google.cloud.tools.jib.docker.CliDockerClient$DockerImageDetails.getImageId (CliDockerClient.java:83)
    at com.google.cloud.tools.jib.builder.steps.LocalBaseImageSteps.getCachedDockerImage (LocalBaseImageSteps.java:183)
    at com.google.cloud.tools.jib.builder.steps.LocalBaseImageSteps.lambda$retrieveDockerDaemonLayersStep$0 (LocalBaseImageSteps.java:114)

The problem seems to be that in https://github.com/GoogleContainerTools/jib/blob/440bd4897c6c427cc9a491128aa76c72378d605b/jib-core/src/main/java/com/google/cloud/tools/jib/docker/CliDockerClient.java#L70C17-L70C17 the value of the "Id" property is used as the "digest". The json output for "inspect" differs slightly between podman and docker:

podman inspect -f "{{json .}}" --type image ubuntu:latest:

{"Id":"e4c58958181a5925816faa528ce959e487632f4cfd192f8132f71b32df2744b4","Digest":"sha256:2b7412e6465c3c7fc5bb21d3e6f1917c167358449fecac8176c6e496e5c1f05f", ...

docker inspect -f "{{json .}}" --type image ubuntu:latest

{"Id":"sha256:e4c58958181a5925816faa528ce959e487632f4cfd192f8132f71b32df2744b4",

So it seems that in the output of podman we would have to use the value of the "Digest" property instead.

Would you consider adjusting the logic here a bit so that building images from the local cache with podman can also work?

sherter avatar Nov 02 '23 14:11 sherter

Since this report was labeled with type:bug and priority: p2, I assume that you really do consider this a bug in jib that should be fixed. Is there an ETA for a new version that includes a fix? Or if you don't have the capacity to work on this at the moment, would you consider accepting a pull request if I tried to fix it myself?

sherter avatar Dec 18 '23 12:12 sherter

Thanks again for filing this issue! Taking a deeper look at this issue. I don't have much familiarity with how podman works but is it accurate to say that in the case the digest isn't being derived from the correct parameter when podman is being used? Additionally, do you happen to have a very small reproducer to help us understand this use case better?

mpeddada1 avatar Apr 26 '24 19:04 mpeddada1