Image inspect rework #3017
Image inspect rework #3017
Conversation
| i := &Image{} | ||
|
|
||
| imgoci := n.ImageConfig | ||
| func ImageFromNative(nativeImage *native.Image) (*Image, error) { |
There was a problem hiding this comment.
Light cleanup:
- improve variable name readability
- introduce Variant, Parent and VirtualSize
- populate RepoDigest
| // Deprecated: TODO: ContainerConfig *container.Config | ||
| } | ||
|
|
||
| // From: https://github.com/moby/moby/blob/v26.1.2/api/types/graph_driver_data.go |
There was a problem hiding this comment.
Provisional for future implementation
| @@ -47,28 +47,39 @@ import ( | |||
| "github.com/tidwall/gjson" | |||
| ) | |||
|
|
|||
| // Image mimics a `docker image inspect` object. | |||
| // From https://github.com/moby/moby/blob/v20.10.1/api/types/types.go#L340-L374 | |||
| // From https://github.com/moby/moby/blob/v26.1.2/api/types/types.go#L34-L140 | |||
| type Image struct { | |||
There was a problem hiding this comment.
Updated with latest definition and reordered a bit for readability.
- moved down deprecated fields
- added VirtualSize, Parent, Variant
| @@ -37,7 +37,7 @@ import ( | |||
|
|
|||
| "github.com/containerd/containerd" | |||
| "github.com/containerd/containerd/runtime/restart" | |||
| gocni "github.com/containerd/go-cni" | |||
README.md
Outdated
| @@ -268,6 +268,10 @@ docker build -t test-integration --target test-integration . | |||
| docker run -t --rm --privileged test-integration | |||
| ``` | |||
|
|
|||
| To run a single integration test (in this case, `image_inspect_test`): | |||
There was a problem hiding this comment.
Just a note for newcomers.
| // test RawFormat support | ||
| base.Cmd("image", "inspect", testutil.CommonImage, "--format", "{{.Id}}").AssertOK() | ||
|
|
||
| // test typedFormat support | ||
| base.Cmd("image", "inspect", testutil.CommonImage, "--format", "{{.ID}}").AssertOK() | ||
| } | ||
|
|
||
| func inspectImageHelper(base *testutil.Base, identifier ...string) []dockercompat.Image { |
There was a problem hiding this comment.
Cannot use the one in testutil, as it assumes single entry array.
apostasie
force-pushed
the
dev-image-inspect
branch
2 times, most recently
from
3dbeff3
to
27becf0
Compare
| } | ||
|
|
||
| func TestImageInspectDifferentValidReferencesForTheSameImage(t *testing.T) { | ||
| testutil.DockerIncompatible(t) |
There was a problem hiding this comment.
If really necessary, I could split this in two parts - the part that is docker compatible and the part that is not.
Either way we need first to resolve #3011
|
Reviewer: I don't want to introduce churn here by regularly adding more fixes. |
apostasie
force-pushed
the
dev-image-inspect
branch
from
27becf0
to
909d4af
Compare
|
Windows CI failure is on me. |
|
Note this is likely fixing issues like #2061 |
|
I will convert this PR to a draft before we solve the Windows issue together. I will help to figure out what happened. |
|
https://github.com/containerd/nerdctl/blob/main/cmd/nerdctl/image_save_test.go#L35C22-L35C44 You can output the inspect.RepoDigests[0] in test during the debug, I think there one more |
Thanks @Zheaoli I believe the failure on save_test (TestSaveById) are unrelated, and are just flakyness. The actual test failing is the one I introduced, and the issue here is that I am using test images that do not have a Windows version, so, pull fails on windows: https://github.com/containerd/nerdctl/actions/runs/9133230483/job/25136088395?pr=3017#step:8:569 As I said, unfortunately, I know very little about Win... |
|
More accurately, the issue is: And I know nothing about |
apostasie
force-pushed
the
dev-image-inspect
branch
from
909d4af
to
12a3485
Compare
apostasie
force-pushed
the
dev-image-inspect
branch
from
12a3485
to
ca4e4c9
Compare
|
@Zheaoli @AkihiroSuda |
| // Prove that invalid reference return no result without crashing | ||
| for _, id := range []string{"∞∞∞∞∞∞∞∞∞∞", "busybox:∞∞∞∞∞∞∞∞∞∞"} { |
There was a problem hiding this comment.
Can we use more readable string like ! or a very long tag?
FYI: https://docs.docker.com/reference/cli/docker/image/tag/#description
The tag must be valid ASCII and can contain lowercase and uppercase letters, digits, underscores, periods, and hyphens. It can't start with a period or hyphen and must be no longer than 128 characters.
There was a problem hiding this comment.
I prefer something outside of the ASCII range if you don't mind, as this tends to uncover issues not necessarily seen without.
apostasie
force-pushed
the
dev-image-inspect
branch
from
ca4e4c9
to
ada252c
Compare
Signed-off-by: apostasie <[email protected]>
apostasie
force-pushed
the
dev-image-inspect
branch
from
ada252c
to
eb001fa
Compare
Apologies for the big commit here, but I do not believe we can fix image inspect incrementally, as some of the core assumptions are wrong (specifically in the way we walk images, in the returned data types, etc).
Furthermore, there is more work needed here.
Other command which are doing images lookup (rmi) are also faulty.
Fixing these as well would turn this PR into a large monster, and I would rather do that separately as a follow-up once this one is reviewed and accepted.
So, this PR fixes the following:
image inspect --format json#2988)Obviously, the reworked
image inspectshould be wired intoinspectat a later point, and the overall revised lookup mechanics should be generalized and used by other methods (likermi) - again, as a follow-up.Overall the current ImageWalker should either be removed or replaced with the updated workflow here.
Please note that our implementation also diverges from Docker, for good reasons:
For example, when retrieving an image using a digest and a tagged name, we do verify the tag name against the result, unlike Moby which only verifies the image name (because of their use of ParseDockerRef, which should be banned from existence IMHO…).
Because of that, Moby will allow inspecting images using random bogus tag names as long as the digest matches and return a different image than the requested one altogether.
This has had far reaching consequences: specifically, mind-bending bugs for build caching invalidation.
I do believe Moby must fix it, but it’s not my problem.
What is left overall:
inspectto fix nerdctl inspect does not allow inspecting networks, volumes #3005, nerdctl inspect should not return a stream of json array, but a single array #3006Also, this PR adds a bunch of integration tests on the above.
PTAL
cc @AkihiroSuda