Digest from `push --digestfile` can not be used to look up the local image

[btrepp]

Buildahs images seem to use a digest strategy that doesn't align with dockers. This makes it difficult to get the digest to use in other images.

If you try to get a local built buildah digest out, it changes when pushed, the only way to get the 'registry' digest, seems to be to push, delete your image, and then pull it back. This seems fairly wasteful.

In my CI servers, I would like to get the imagedigest from the buildah build, so that this can be used to update further container configurations, to ensure they point to the exact image just built.

It does appear that registries may change this digest, this is fine, but how can I make buildahs inspect report the digest with the full name, so that it is valid in other tools?. Currently the digest would be completely unique to your own machine, so you have to 'leave' your machine to get the actual digest, that will work in other buildah/podman/docker/kubernetes instances.

Steps to reproduce the issue:

1. build a container
2. buildah push registryxyz/mycontainer
3. note buildah images --digests
4. docker pull registryxyz/mycontainer
5. note docker images --digests (these are completely different)
6. try `buildah pull registryxyz/mycontainer
7. note buildah images --digests -> unchanged.

The workaround at the moment is build rm registryxyz/myconatiner, and then pulling it again. Which seems a bit awkward. Also the --digestfile argument, prints out the 'unuseable' digest, so is not very helpful in the instance

Describe the results you received:

Buildah uses it's own image digests

Describe the results you expected:

digest in buildahs local install and on remote registry is the same. This expectatation has come from that this is the case when building using docker

Output of rpm -q buildah or apt list buildah:

Installed on arch, unsure of equiuvalent

Output of buildah version:

buildah --version
buildah version 1.24.2 (image-spec 1.0.2-dev, runtime-spec 1.0.2-dev)

Output of podman version if reporting a podman build issue:

  (paste your output here)

Output of cat /etc/*release:

cat /etc/*release
DISTRIB_ID=Manjaro-ARM
DISTRIB_RELEASE=22.03
DISTRIB_CODENAME=
DISTRIB_DESCRIPTION="Manjaro ARM Linux"
NAME="Manjaro-ARM"
ID="manjaro-arm"
ID_LIKE="manjaro arch"
PRETTY_NAME="Manjaro ARM"
ANSI_COLOR="1;32"
HOME_URL="https://www.manjaro.org/"
SUPPORT_URL="https://forum.manjaro.org/c/arm/"
LOGO=manjarolinux

Output of uname -a:

uname -a
Linux beau-pc 5.16.15-2-MANJARO-ARM #1 SMP PREEMPT Fri Mar 18 12:47:43 UTC 2022 aarch64 GNU/Linux

Output of cat /etc/containers/storage.conf:

cat /etc/containers/storage.conf
# This file is is the configuration file for all tools
# that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf
# files.
#
#  Note: The storage.conf file overrides other storage.conf files based on this precedence:
#      /usr/containers/storage.conf
#      /etc/containers/storage.conf
#      $HOME/.config/containers/storage.conf
#      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
# ensure  the labeling matches the default locations labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/lib/containers/storage"


# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.
# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather then the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

[btrepp]

A better workaround for now is to use skopeo https://git.sr.ht/~btrepp/blog/tree/host/item/Makefile#L6

This way I am not pulling the whole image back so it is less network load, but is still a bit less secure than using digests my builder computed.

Not 100% sure if this is a bug, or me misunderstanding some critical buildah concept. Could be some sugar service is helping me in ways I don't understand :)

[flouthoc]

@btrepp I think digest generation strategy of buildah is quite different from docker and the one on your local is uncompressed digest while on remote it is changed since its compressed on push and there is no prior way of knowing that. There is a similar issue discussed here https://github.com/containers/buildah/issues/2034#issuecomment-575386367

I'll tag @mtrmac @nalind here since they can comment on this better and the design part of this.

• One potential solution is we can also tag the pushed remote digest locally so it becomes use-able and not present just as a string although it will still point to the uncompressed image. @nalind WDYT ?

[btrepp]

Thanks for the reply. I can appreciate there may be some intricacies in the different systems.

What is suprising, is that docker is consistent with this, e.g the locally computed digest is the same as what gets sent over when using docker build. So docker build, push, == registry uses the digest the local build had buildah bud, push, == registry and local build are different digests

Strangely with the above, buildah pull is smart enough to know remote and local are the same, and doesn't pull it, but I am not sure why.

If there is a difference, e.g in compression on the registry, but not locally, would it be difficult to compress locally too (perhaps as an extra flag)?. If docker cli itself is 'stable' on the digest, it must be compressing locally then as well.

This would be great from a CI perspective, we can build images using buildah (which is fantastic, and faster than docker), as the CI server can then report what digest it made, and then anything it updates can read the same digest from the registry. Thus we know it's the exact same container we intended to get. My workaround above technically would have some race conditions, as it's getting the 'latest' digest, rather than the one just built.

I switched to buildah as it was stable on digests between multiple runs (when supplying the timestamp flag). This is great!, but the missing link is stable/consistent on push.

[btrepp]

https://stackoverflow.com/questions/67062271/are-docker-image-digests-really-secure

This may be the divergence, perhaps docker doesn't have a digest until push happens, buildah is at least computing something. The question is whether it would be possible to get that digest back in buildah push

[mtrmac]

If you try to get a local built buildah digest out, it changes when pushed, the only way to get the 'registry' digest, seems to be to push, delete your image, and then pull it back.

This might work right now, but it’s also fundamentally incorrect. The digest depends on the exact compressed representation (which is only being created on push, hence unavailable before pushing) — but the compression implementation could well create a different representation on different runs, changing the digest.

The only way to determine the digest is to create the compressed version, and and see what the digest was. Usually, that’s a push, although some other workflow might be possible (e.g. push to a localhost-running registry, or to dir:).

In particular, see buildah push --digestfile.

---

prints out the 'unuseable' digest, so is not very helpful in the instance

I’m afraid I have no idea what this means; the “expected/actual results” sections don’t contain any specific data.

[flouthoc]

prints out the 'unuseable' digest, so is not very helpful in the instance

I’m afraid I have no idea what this means; the “expected/actual results” sections don’t contain any specific data.

@mtrmac I think @btrepp meant that digest given by --digestfile is actually not use-able by buildah commands, if we do buildah inspect <digest-from-digestfile> it should throw not found or something similar.

@btrepp Is this what you meant by this "is not very helpful in the instance" ?

[mtrmac]

What is suprising, is that docker is consistent with this, e.g the locally computed digest is the same as what gets sent over when using docker build.

I don’t know the details, but I vaguely remember someone saying that recent versions of Docker do store the compressed representations locally (in some cases?). So that’s possible.

Strangely with the above, buildah pull is smart enough to know remote and local are the same, and doesn't pull it, but I am not sure why.

It deduplicates using the config blob digest, if any.

If there is a difference, e.g in compression on the registry, but not locally, would it be difficult to compress locally too (perhaps as an extra flag)?.

It’s not something that just exists right now; locally-stored images only exist as extracted filesystems, there isn’t a natural place to store a compressed representation.

You might be able to do that using buildah push … dir:…, and then using skopeo copy to actually publish the image. But I don’t see how that would be any better than a direct push to a registry. And it would still not be 100% reliable — depending on the specifics of the registry, even a copy of a compressed image to a registry might trigger a digest change (if the registry doesn’t accept the image format and it needs to be converted) — although that’s not very likely to be the case for a specific CI system with a specific combination of a Buildah version + a registry implementation.

I switched to buildah as it was stable on digests between multiple runs (when supplying the timestamp flag). This is great!, but the missing link is stable/consistent on push.

As long as the images are being compressed, there is technically no guarantee that the compression will produce consistent results over time. (It’s much more likely that the uncompressed representation, including the config blob digest mentioned above when talking about deduplication, is going to be consistent, although I can’t say whether it is guaranteed either, without more research.)

[mtrmac]

prints out the 'unuseable' digest, so is not very helpful in the instance

I’m afraid I have no idea what this means; the “expected/actual results” sections don’t contain any specific data.

@mtrmac I think @btrepp meant that digest given by --digestfile is actually not use-able by buildah commands, if we do buildah inspect <digest-from-digestfile> it should throw not found or something similar or I don't exactly know.

Oh, that might be true.

@btrepp Is this what you meant by this "is not very helpful in the instance" ?

---

@vrothberg ^^^ it might make sense for libimage’s “push” operation to locally record into c/storage the repo@digest that was just pushed.

[vrothberg]

@vrothberg ^^^ it might make sense for libimage’s “push” operation to locally record into c/storage the repo@digest that was just pushed.

Sounds good to me. @flouthoc, are you interested in opening a PR in c/common?

[flouthoc]

@vrothberg I'll take it thanks.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@flouthoc Status?

[aelij]

From what I gather, if buildah is used to push the images, it should be possible for the digest to be the same in the registry. Please see this thread where Jon explains this in detail for Crane. We currently build using docker build, save to a tar, then calculate the digest using crane digest and finally crane push. The digest calculated during build is used to pull images in our Kubernetes cluster.

[mtrmac]

Nothing about the API of the compression implementations promises them to be consistent from one execution to another. It’s nice if they have that property, but it’s just not a part of the contract right now, and so it’s not something we can build a reliable publishing pipeline around (assuming we don’t constrain ourselves to a specific compression implementation that does make that promise, but that would put us at the mercy of that implementation being maintained, and prevent us from adopting any possible future compression formats that don’t have that property. Efficient compression implementations are very non-obvious projects requiring specific expertise, and we did replace a compression implementation at least once in the past, so maintaining flexibility, at least to the extent of being able to use the standard library’s implementations, is quite valuable.)

Besides, the compression is frequently the most expensive part of the push; so it’s generally desirable to engineer a workflow that doesn’t require compression to happen twice. In a Buildah system, that means compressing during push (or, frequently, not compressing because the registry is found to already contain a compressed version), and only determining the digest based on the outcome of the push.

Sure, https://github.com/containers/buildah/issues/3866#issuecomment-1080832366 would make that workflow easier, and it’s something we should do.

[vrothberg]

@flouthoc, ping

[flouthoc]

~~Above PR should close this.~~

Edit: No we need new API at c/storage, going discussion there.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[flouthoc]

This needs API in c/storage starting on it now.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[zimmski]

I think i just stumbled onto this problem. When i do a buildah build / buildah push the digests are different to what we find in the registry, and what we find in the deployment then. That is super confusing for debugging. I mean no, you cannot even debug with that information then because the information is not linked. How are you guys debugging when the digests are not the same? How do you make sure the images are the same?

I am wondering why the digest is not part of a well defined specification for images because i thought it is. We do not have problems with other tools.

[rhatdan]

@mtrmac PTAL

[mtrmac]

This already links to various PRs and issues that are prerequisite to making this work.