Content descriptor with optional embedded `data` field breaks manifest decoding
Environment:
- Jib version: 3.4.4
- Build tool: both
- OS: linux/amd64, macos/arm64
Description of the issue:
When embedded data is present in the base image manifest's config JSON, Jib fails as it doesn't expect the field.
This is an issue with the latest Debian base images, which we use at work to build custom JVM images.
But I assume this will eventually trickle down to Debian-based images for several popular JDKs such as Adopt, Zulu and so on.
Example of this in the recent bookworm-slim images:
```json
{
  "config": {
    "data": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJDbWQiOlsiYmFzaCJdLCJFbnRyeXBvaW50IjpbXSwiRW52IjpbIlBBVEg9L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluIl19LCJjcmVhdGVkIjoiMjAyNC0xMi0wMlQwMDowMDowMFoiLCJoaXN0b3J5IjpbeyJjb21tZW50IjoiZGVidWVycmVvdHlwZSAwLjE1IiwiY3JlYXRlZCI6IjIwMjQtMTItMDJUMDA6MDA6MDBaIiwiY3JlYXRlZF9ieSI6IiMgZGViaWFuLnNoIC0tYXJjaCAnYW1kNjQnIG91dC8gJ2Jvb2t3b3JtJyAnQDE3MzMwOTc2MDAnIn1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7ImRpZmZfaWRzIjpbInNoYTI1NjpjMGYxMDIyYjIyYTliMzY4NTFiMzU4ZjQ0ZTU0NzVlMzlkMTY2ZTcxYTgwNzNjZjUzYzg5NGEyOTkyMzliMWM1Il0sInR5cGUiOiJsYXllcnMifX0K",
    "digest": "sha256:a815f2ceb3b0c8e16829cfa5c6b5a96dad4d17f5e35be3d52ee81ce2e3cc0ced",
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 453
  },
  "layers": [
    {
      "digest": "sha256:bc0965b23a04fe7f2d9fb20f597008fcf89891de1c705ffc1c80483a1f098e4f",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "size": 28231580
    }
  ],
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "schemaVersion": 2
}
```
Expected behavior:
The `data` field is optional and should be decoded as such.
It's been part of the OCI spec for content descriptors since 2021:
- https://github.com/opencontainers/image-spec/blob/main/descriptor.md#properties
Kaniko and other tools using go-containerregistry handle it properly:
- https://github.com/google/go-containerregistry/blob/main/pkg/v1/manifest.go#L48
- https://github.com/google/go-containerregistry/blob/main/pkg/v1/mutate/image.go#L140
Steps to reproduce:
- Set base image to an offending value
- Run jib:build
jib-maven-plugin Configuration:
```xml
<build>
  <plugins>
    <plugin>
      <groupId>com.google.cloud.tools</groupId>
      <artifactId>jib-maven-plugin</artifactId>
      <version>3.4.4</version>
      <configuration>
        <from>
          <image>internal.mirror/library/debian:bookworm-slim</image>
          <platforms>
            <platform>
              <os>linux</os>
              <architecture>amd64</architecture>
            </platform>
          </platforms>
        </from>
        <to>
          <image>internal.mirror/foo/bar</image>
          <tags>
            <tag>${project.version}</tag>
            <tag>latest</tag>
          </tags>
        </to>
      </configuration>
    </plugin>
  </plugins>
</build>
```
Log output:
```
[ERROR] I/O error for image [internal.mirror/library/debian]:
[ERROR] com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException
[ERROR] Unrecognized field "data" (class com.google.cloud.tools.jib.image.json.BuildableManifestTemplate$ContentDescriptorTemplate), not marked as ignorable (5 known properties: "size", "digest", "mediaType", "urls", "annotations"])
 at [Source: (String)"{"config":{"data":"eyJhcmNoa...zIjpbI"[truncated 521 chars]; line: 1, column: 20]
(through reference chain: com.google.cloud.tools.jib.image.json.OciManifestTemplate["config"]->com.google.cloud.tools.jib.image.json.BuildableManifestTemplate$ContentDescriptorTemplate["data"])
```
Additional Information: Obviously even if it succeeded, the plain Debian slim image doesn't include any JVM. This is for reproducibility illustration only.
Should be an easy fix to annotate `BuildableManifestTemplate.ContentDescriptorTemplate` with `@JsonIgnoreProperties(ignoreUnknown = true)` (like #4172) or add an unused `data` field. Maybe better to annotate to be future-proof.
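As an added illustration (not code from Jib or from this issue): the annotation proposed above makes a descriptor class tolerate unknown fields, and a consumer that actually uses the embedded `data` should check it against `digest` and `size`, as the linked OCI descriptor spec asks. The class and method names, `futureField`, and the sample blob are assumptions constructed for the example, which needs jackson-databind on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class EmbeddedDataCheck {
  // Hypothetical descriptor type for this example; not Jib's ContentDescriptorTemplate.
  @JsonIgnoreProperties(ignoreUnknown = true) // unknown descriptor fields no longer abort decoding
  public static class Descriptor {
    public String mediaType;
    public String digest;
    public long size;
    public String data; // optional: base64 of the referenced blob
  }

  static String sha256(byte[] blob) throws Exception {
    StringBuilder hex = new StringBuilder("sha256:");
    for (byte b : MessageDigest.getInstance("SHA-256").digest(blob)) hex.append(String.format("%02x", b));
    return hex.toString();
  }

  // Returns the embedded blob only if it matches size and digest; null means "fetch by digest instead".
  static byte[] verifiedEmbeddedData(Descriptor d) throws Exception {
    if (d.data == null || d.digest == null) return null;
    byte[] blob;
    try {
      blob = Base64.getDecoder().decode(d.data);
    } catch (IllegalArgumentException e) {
      return null; // not valid base64
    }
    if (blob.length != d.size) return null;
    return sha256(blob).equals(d.digest) ? blob : null;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample blob and descriptor; "futureField" stands in for any field unknown to the class.
    byte[] config = "{\"architecture\":\"amd64\",\"os\":\"linux\"}".getBytes(StandardCharsets.UTF_8);
    String json = String.format(
        "{\"mediaType\":\"application/vnd.oci.image.config.v1+json\",\"digest\":\"%s\","
            + "\"size\":%d,\"data\":\"%s\",\"futureField\":true}",
        sha256(config), config.length, Base64.getEncoder().encodeToString(config));
    ObjectMapper mapper = new ObjectMapper();
    Descriptor d = mapper.readValue(json, Descriptor.class);
    System.out.println("matching data accepted: " + (verifiedEmbeddedData(d) != null));
    byte[] tampered = "{\"architecture\":\"amd64\",\"os\":\"LINUX\"}".getBytes(StandardCharsets.UTF_8); // same length
    d.data = Base64.getEncoder().encodeToString(tampered);
    System.out.println("tampered data accepted: " + (verifiedEmbeddedData(d) != null));
  }
}
```

The tampered blob has the same length as the original, so only the digest comparison rejects it; a size check alone is not enough.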
Hi Everybody. I'm also encountering this exact issue. Thanks @nicolas-boussuge-fintech for the PR