ggcr: mutate.Append creates invalid images when appending duplicate layers (same diff ID) but different blob #2034

Open
mafredri opened this issue Nov 20, 2024 · 0 comments
Labels
bug Something isn't working

Describe the bug

It's possible to mutate an image with a duplicate layer that has the same diff ID as a previous layer (from a parent image), but the underlying blob differs due to a difference in compression (e.g. level).

To Reproduce

docker volume create ggcr-test-data
docker run -d -p 1234:5000 --name ggcr-test --volume ggcr-test-data:/var/lib/registry registry:2

mkdir -p tmp/docker tmp/kaniko
echo $'FROM alpine:latest\nWORKDIR /home' >tmp/docker/Dockerfile
echo $'FROM localhost:1234/docker:latest\nRUN echo test' >tmp/kaniko/Dockerfile

docker build -t localhost:1234/docker:latest tmp/docker
docker push localhost:1234/docker:latest

docker run \
    --network=host \
    -v $(pwd)/tmp/kaniko:/workspace \
    gcr.io/kaniko-project/executor:latest \
    --dockerfile /workspace/Dockerfile \
    --destination "localhost:1234/kaniko:latest" \
    --context dir:///workspace/ \
    --force-build-metadata

Output (end):

INFO[0000] Pushing image to localhost:1234/kaniko:latest
error pushing image: failed to push to destination localhost:1234/kaniko:latest: PUT http://localhost:1234/v2/kaniko/manifests/latest: MANIFEST_BLOB_UNKNOWN: blob unknown to registry; sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1

Thus we see that 4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 from the Docker build is missing and replaced with the one from Kaniko (both the empty layer, different compression result). This is a manifest<->layer inconsistency.

Expected behavior

The mutation does one of the following:

  • Looks through image layers for a matching diff ID and replaces the given layer with it
  • Returns an error due to matching diff ID but otherwise mismatched digest/blob

Or perhaps something else should happen, I haven't researched the subject in depth.

Additional context

This can easily be worked around outside the library by using LayerByDiffID(...) before calling mutate.Append as done here: coder/kaniko@131d609. But I don't think it's a good idea to allow mutate to create invalid images.

  • Version of the module: v0.20.2
  • Registry used (e.g., GCR, ECR, Quay): registry:2
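
The mismatch described in this issue and the two behaviours proposed under "Expected behavior", as an added example that is not part of the original issue or of ggcr's code. It uses only the Go standard library; the `layer` type, `newLayer` and `safeAppend` are hypothetical stand-ins for ggcr's `v1.Layer` and `mutate.Append`, and the gzip levels are chosen for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
)

// layer is a hypothetical stand-in for ggcr's v1.Layer: DiffID hashes the
// uncompressed tar, Digest hashes the compressed blob the manifest references.
type layer struct{ DiffID, Digest string }

func sum(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// newLayer gzips content at the given level and records both hashes.
func newLayer(content []byte, level int) (layer, error) {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, level)
	if err != nil {
		return layer{}, err
	}
	if _, err = zw.Write(content); err == nil {
		err = zw.Close()
	}
	return layer{sum(content), sum(buf.Bytes())}, err
}

// safeAppend models the issue's two proposals: strict rejects a layer whose diff
// ID exists in base under another digest; otherwise the base layer is reused.
func safeAppend(base []layer, add layer, strict bool) ([]layer, error) {
	for _, l := range base {
		if l.DiffID == add.DiffID && l.Digest != add.Digest {
			if strict {
				return nil, fmt.Errorf("diff ID %s: base has blob %s, new layer has %s", add.DiffID, l.Digest, add.Digest)
			}
			add = l // substitute the layer already present in the base image
		}
	}
	return append(append([]layer{}, base...), add), nil
}

func main() {
	empty := make([]byte, 1024) // constructed sample: an empty tar archive
	a, _ := newLayer(empty, gzip.BestSpeed) // levels chosen for illustration
	b, _ := newLayer(empty, gzip.BestCompression)
	_, err := safeAppend([]layer{a}, b, true)
	fmt.Println(a.DiffID == b.DiffID, a.Digest == b.Digest, err)
}
```
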