image/internal: sha512 support for skopeo copy #475
Conversation
|
✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6507 |
|
Packit jobs failed. @containers/packit-build please check. |
|
/packit rebuild-failed |
|
@mtrmac PTAL |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Thanks!
ACK to the image part; the dir: part needs a bit more.
| }() | ||
|
|
||
| digester, stream := putblobdigest.DigestIfCanonicalUnknown(stream, inputInfo) | ||
| digester, stream := putblobdigest.DigestIfUnknown(stream, inputInfo) |
There was a problem hiding this comment.
I think the destination-transport-side digest computation must be a more complex logic, see in the earlier PR about the interaction with cannotModifyManifestReason.
… and dirReference.layerPath discards the algorithm name; that does not generalize for other algorithms, we need to move towards agility where adding an extra algorithm is a ~parameter change and does not require any more changes to the “code proper”; i.e. discarding algorithm names is no longer much of an option.
(We need to keep the existing file names for sha256, to retain compatibility. And… do we define a new value for versionPath?!)
There was a problem hiding this comment.
Updated PutBlob to store blob under provided digest algorithm with the algorithm name prepended (except for Canonical) along with a canonical digest hardlink.
$ /usr/bin/ls
dc518581817f4e75a7dcfd35383e67c3ef85438250c17e10090b5a31ab8f68d4 manifest.json sha512-2ee373e378345b35e7966a106c5c0a40a005a13bfc87695d89c5bb217f969c351e73810cf78d3d841237098731cf76878f05af8f8d28176c316681f9422ff688 version
$ diff dc518581817f4e75a7dcfd35383e67c3ef85438250c17e10090b5a31ab8f68d4 sha512-2ee373e378345b35e7966a106c5c0a40a005a13bfc87695d89c5bb217f969c351e73810cf78d3d841237098731cf76878f05af8f8d28176c316681f9422ff688
$
do we define a new value for
versionPath?!)
Doesn't break existing behaviour but there's new stuff, so maybe we should? I'll defer to you.
There was a problem hiding this comment.
- Hard links are not supported by all file systems (FAT)
- Symbolic links are not supported by all file systems either, and generally restricted to admin users on Windows
And, anyway, readers of dir: can only start with the manifest, and the values provided in the manifest. So if PutBlob returns sha512, and the manifest is written to include sha512, readers will not know the sha256 value and have no way to use it.
So I don’t think we need to compute both digests at all; just the layerPath changes to the path computation, + some (as-yet-undefined) logic for PutBlob to use “the algorithm the user wanted”, should be sufficient.
do we define a new value for
versionPath?!)
I think with the changes to layerPath, we need to. Previously it was, hypothetically, possible to read a complete sha512 image from dir:, and those images will now break. And we will need to update both dir…Dest… and dir…Src…: destinations should refuse to work on future versions, and still assign the existing 1.1 version for sha256 images for maximum compatibility. sources should detect+refuse future versions.
Consider making the dir changes a separate PR.
There was a problem hiding this comment.
I'll keep the dir changes here because of the review comments. Separate PR for image/internal at #486
|
@mtrmac PTA(nother)L . I think I have addressed all comments so far. Used Claude too, but hopefully no AI slop this time 🤞 . LMK. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
The internal/image part LGTM.
| return filepath.Join(ref.path, digest.Encoded()), nil | ||
|
|
||
| var filename string | ||
| if digest.Algorithm().String() == "sha256" { |
There was a problem hiding this comment.
digest.Algorithm == digest.Canonical? Pedantically I’m not sure equality of Algorithm is documented to work, but pragmatically it does. At the very least, please don’t use a string constant here.
(I don’t have much of a preference for digest.Canonical vs. digest.SHA256. I assume Canonical will never change. Canonical sort of better expresses the intent.)
| }() | ||
|
|
||
| digester, stream := putblobdigest.DigestIfCanonicalUnknown(stream, inputInfo) | ||
| digester, stream := putblobdigest.DigestIfUnknown(stream, inputInfo) |
There was a problem hiding this comment.
- Hard links are not supported by all file systems (FAT)
- Symbolic links are not supported by all file systems either, and generally restricted to admin users on Windows
And, anyway, readers of dir: can only start with the manifest, and the values provided in the manifest. So if PutBlob returns sha512, and the manifest is written to include sha512, readers will not know the sha256 value and have no way to use it.
So I don’t think we need to compute both digests at all; just the layerPath changes to the path computation, + some (as-yet-undefined) logic for PutBlob to use “the algorithm the user wanted”, should be sufficient.
do we define a new value for
versionPath?!)
I think with the changes to layerPath, we need to. Previously it was, hypothetically, possible to read a complete sha512 image from dir:, and those images will now break. And we will need to update both dir…Dest… and dir…Src…: destinations should refuse to work on future versions, and still assign the existing 1.1 version for sha256 images for maximum compatibility. sources should detect+refuse future versions.
Consider making the dir changes a separate PR.
| if d.Algorithm() == digest.Canonical { | ||
| filename = d.Encoded() | ||
| } else { | ||
| filename = d.Algorithm().String() + "-" + d.Encoded() |
There was a problem hiding this comment.
I wonder whether we need to do a version check and conditionally use the old logic here. I guess that doesn’t matter in practice.
image/directory/directory_src.go
Outdated
| contents, err := os.ReadFile(versionPath) | ||
| if err != nil { | ||
| if os.IsNotExist(err) { | ||
| return nil, fmt.Errorf("version file not found at %q: not a valid directory transport image", versionPath) |
There was a problem hiding this comment.
I’m worried this might break some users who create dir: manually. (I have no data to support or refute that.)
There was a problem hiding this comment.
removed this in favour of assuming 1.1 if no version file.
image/directory/directory_dest.go
Outdated
| // create version file | ||
| err = os.WriteFile(ref.versionPath(), []byte(version), 0o644) | ||
| // Start with 1.1 for maximum compatibility | ||
| err = os.WriteFile(ref.versionPath(), []byte(version1_1), 0o644) |
There was a problem hiding this comment.
I think deferring this to Commit… time entirely would be good enough.
When storing blobs with non-canonical digest algorithms (e.g., sha512), store the blob under the provided digest algorithm with an algorithm prefix (e.g., "sha512-abc" instead of just "abc"). SHA256 (canonical) digests continue to be stored without a prefix for backward compatibility. Signed-off-by: Lokesh Mandvekar <[email protected]>
Introduce version 1.2 and dynamically assign versions based on the digest algorithms used: - Version 1.1 for sha256-only images (backward compatibility) - Version 1.2 for images using non-sha256 digest algorithms (e.g., sha512) Add validation in both ImageDestination and ImageSource to: - Assume 1.1 if no version file found in dir transport images - Accept both version 1.1 and 1.2 - Refuse unsupported future versions Signed-off-by: Lokesh Mandvekar <[email protected]>
|
good for another look. |
3 participants
See individual commits.
Vendored by containers/skopeo#2747