one-click-apps icon indicating copy to clipboard operation
one-click-apps copied to clipboard
verified publisher icon caprover

Specifying image version by hash during one-click deploy does not work

Open sneak opened this issue 5 years ago • 3 comments

I'm trying to deploy Gitea. I don't like deploying by image tag because those can be silently updated by developers on Docker Hub, granting them remote execution on my machine under certain circumstances.

When deploying it via one-click apps, I am prompted for the gitea version to deploy. I entered sha256:223c31793c1b486c3339cffc95e307b2094410f2fc0b0410c9488db828fe6b27 instead of latest. This failed during build.

When deploying these via the docker CLI, one must do docker run image@sha256:hash instead of docker run image:tagname.

It seems to me that CapRover should detect when a specified version starts with a hash algorithm identifier (if even only recognizing the static string sha256 for now, as is displayed on the Docker Hub website) and deploying appropriately based on image hash (cryptographically immutable) instead of tagname (developer mutable).

sneak avatar Feb 05 '20 04:02 sneak

Moving this to one-click apps repo as it's perhaps only related to regex validations of the tags which is totally one-click app specific.

githubsaturn avatar Feb 08 '20 20:02 githubsaturn

I will test today to see if CR allows a definition file to support imagename@ syntax and try to fix it if not.

sneak avatar Feb 08 '20 22:02 sneak

It does support that. You can try copy-pasting this:

{"schemaVersion":2,"imageName":"nginx@sha256:253ba3484dc13498c0a2ad9e236f144dcc8c74ec08a0bcead9b776fa8a29dffc"}

githubsaturn avatar Feb 08 '20 23:02 githubsaturn