-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for using Digest for base image #44461
Add support for using Digest for base image #44461
Conversation
2842ab1
to
7f70916
Compare
Open question: Currently you can supply both We can leave it as is, or warn when supplying both. |
@dotnet-policy-service agree company="Cosafe Technology AB" |
I don't fully understand the CI errors but I doubt it's related to my changes. Perhaps it's a permissions error because I'm working on a fork? 🤔 🤷♂️ |
src/Containers/Microsoft.NET.Build.Containers/SourceImageReference.cs
Outdated
Show resolved
Hide resolved
This is great so far - kudos for diving in to a new codebase and doing everything almost perfectly!
I would prefer creating a warning. This warning should be raised in the
When new messages/warnings of any kind are added, we need to create them using .NET Resource strings. To do this, you create a new entry in the Strings.resx file and then trigger a build via
This is indeed just flaky CI - rerunning those legs or pushing new commits will probably clear them up. |
Thank you, but you're giving me too much credit. 😅 I basically just tried to follow the same pattern as
Would you mind choosing a
Got it, thanks! :) I'll add a test for the warning as well. Any other test you think I should add? |
The parse-related and validation-related errors are the 2xxx-series, so maybe |
It would be great to verify that a base image could be used by digest - in the EndToEnd tests, we pre-populate a few images by Tag. If we could get the Digest values for one or more of those and run an end-to-end publishing test using the Digest value of one of the pre-populated images that would be a good test. |
Any pointers to code here would be greatly appreciated! 🙏 Are these images public? Meaning, can I query/pull them and get the SHA? |
Sure - a test I would look at is Does that make sense? |
@BeyondEvil can you please add additional cases to
for:
|
@baronfel the format of including both a tag and a digest is not uncommon. This format enables to express what tag to follow while still being in control when to sync when the tag changes reference. It is used by tools like https://github.com/renovatebot/renovate.
For these reasons, I think the .NET SDK should simply ignore the tag and not issue a warning. |
@tmds thanks for bringing the details from other tools. This is enough to not do the warning, and not do the from tag/from digest work either. |
So to summarize, I should only add the missing tests? |
Maybe 😅 I'll implement what I think you're after and we can take it from there. 😊 |
7f70916
to
9f6970f
Compare
I'm guessing this is the reason why the test is failing: https://github.com/BeyondEvil/dotnet-sdk/blob/beyondevil/support-image-digest/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs#L37 Can I just remove it? Doesn't this conflict with the above: https://github.com/BeyondEvil/dotnet-sdk/blob/beyondevil/support-image-digest/src/Containers/Microsoft.NET.Build.Containers/ContainerHelpers.cs#L167 I should probably remove this comment: https://github.com/BeyondEvil/dotnet-sdk/blob/beyondevil/support-image-digest/src/Containers/Microsoft.NET.Build.Containers/ContainerHelpers.cs#L172 When I tried using this in my own project: <PropertyGroup>
<ContainerBaseImage>mcr.microsoft.com/dotnet/aspnet</ContainerBaseImage>
</PropertyGroup> I got the same error as the test. So the tag is required. Should I update the logic to require either tag or digest? If so, where would I put that? In the parser or CreateNewImage? Also, I'm having some trouble running these tests locally. I'm on an M3 Mac. Would appreciate some guidance on all of the above. 😅 🙏 |
If neither are specified, we could default to a tag of |
In my, perhaps not-so-humble, opinion - the It's fine if the resulting image, the output, is tagged with However for inputs, as the base image, this will lead to non-deterministic builds where one day your base image is bumped to a major version with breaking changes leading to difficult to find issues. Ask me how I know. 😅 With all that said, it seems like the command line argument defaults to |
Your argument is too use digests instead of tags for determinism. It isn't specific to |
Not sure what you mean 🤔 If I have tagged the base image with say But maybe I misunderstood your point? But you are correct. For guaranteed determinism, digests should be used. As recommended by docker: https://docs.docker.com/build/building/best-practices/#pin-base-image-versions |
Yes, this is what I meant and we have the same opinion on this. For UX of the SDK, I think good to follow the behavior of |
9f6970f
to
83e5984
Compare
Fair enough. Is this the correct placement of a default value? https://github.com/BeyondEvil/dotnet-sdk/blob/beyondevil/support-image-digest/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs#L192 |
83e5984
to
0a0a8b8
Compare
Looks like there was just one place missing a Digest. I've added that, let's see what CI says. |
@marcpopMSFT mind merging on red for the arm64 macos leg? |
@baronfel arm64 leg should no longer be required. There are merge conflicts though so can't be merged. |
b407d79
to
13c7cc1
Compare
Rebased again 👍 |
@BeyondEvil looks like a bad merge on the EndToEndTests, can you take a look? |
13c7cc1
to
03cb156
Compare
Sorry about that, it slipped by me somehow 🤔 Should be fixed now. |
Add support for using image digest (sha256) for the base image when using the `PublishContainer` target. For example: `mcr.microsoft.com/dotnet/aspnet@sha256:6cec36412a215aad2a033cfe259890482be0a1dcb680e81fccc393b2d4069455`
cbb0830
to
21d5505
Compare
21d5505
to
e95d9ee
Compare
Not sure what the failures are @baronfel
Is the rate limit a red herring? |
@BeyondEvil yeah - that particular one has nothing to do with your change, we have a backlog item to solve it permanently. Just trying to get through some more arm64 flakiness now... |
/backport to release/9.0.2xx |
Started backporting to release/9.0.2xx: https://github.com/dotnet/sdk/actions/runs/12434749671 |
@baronfel backporting to release/9.0.2xx failed, the patch most likely resulted in conflicts: $ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: Add support for using Digest for base image
Using index info to reconstruct a base tree...
A src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net10.0/PublicAPI.Unshipped.txt
M test/Microsoft.NET.Build.Containers.IntegrationTests/CreateNewImageTests.cs
M test/Microsoft.NET.Build.Containers.IntegrationTests/EndToEndTests.cs
Falling back to patching base and 3-way merge...
Auto-merging test/Microsoft.NET.Build.Containers.IntegrationTests/EndToEndTests.cs
CONFLICT (content): Merge conflict in test/Microsoft.NET.Build.Containers.IntegrationTests/EndToEndTests.cs
Auto-merging test/Microsoft.NET.Build.Containers.IntegrationTests/CreateNewImageTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Add support for using Digest for base image
Error: The process '/usr/bin/git' failed with exit code 128 Please backport manually! |
…et#44461) Co-authored-by: Chet Husk <chusk3@gmail.com>
Add support for using image digest (sha256) for the base image when using the
PublishContainer
target.For example:
mcr.microsoft.com/dotnet/aspnet@sha256:6cec36412a215aad2a033cfe259890482be0a1dcb680e81fccc393b2d4069455
Closes: dotnet/sdk-container-builds#448