Support for image indexes with multiple manifests #175
Comments
|
Hey y'all! My team has a similar desire for support for multiple manifests as we have begun shipping multi-arch images in our project. @matthewpi are you still looking into this? |
I was but had to take time to work on some other things, the PR I opened works correctly but I am still unsure about it's API design. Ignoring any potential changes to the API design, the code works and is ready to be merged. I will see about looking over the code myself later today and ensuring it is ready for review. Following that, we would need to get any consumers of the library to update and change their code-paths to support the new image index provider and types. |
|
Cool, thanks for the update. In the meantime we've found a workaround of pushing our multi-arch OCI archives to a local docker registry, and then generating the SBOM via syft on the local registry images which seems to work. |
|
This is related to the analogous issue in Syft: anchore/syft#1683 |
What would you like to be added:
Currently stereoscope will throw an error when using image providers when they are passed an image index that contains references to multiple manifests. I'd like to request that this behaviour is changed (or a new feature is implemented) to support image indexes with references to multiple manifests.
Why is this needed:
Multi manifest image indexes are becoming increasingly more common, especially with the prominence of multiple supported architectures for containers (primarily
amd64andarm64). If stereoscope is passed one of these multi manifest indexes, it errors out with no ability to filter or select one of the manifests from the index (at least with theoci-dirprovider).My primary use-case for this change is to be able to use Syft to generate SBOMs for each manifest within a multi-arch
oci-dir. While I'm unsure exactly how the SBOMs will be generated for multi-arch images, the changes I am requesting here seem to be a prerequisite to be able to support any type of multi-arch SBOM (or generating SBOMs per image manifest) when given a multi-manifest index.Additional context:
I have already prototyped the code for supporting this and plan to open a PR but thought I would open an issue before doing so. My main concerns about making this change is to what extent is changing or breaking the existing API allowed.
My current implementation adds a new
Indexstruct, a newIndexProviderinterface with aProvideIndexmethod so providers can optionally add support for multi-manifest indexes, however this feels very awkward for two reasons.The first is providers will still error out if you call
Providewith a multi-manifest index, this is due to the existing API not being changed at all andProvidestill only supporting a single image.Secondly, there would now another entire code path to support multi-manifest indexes. While this code path does still fully support single-manifest indexes (or just single images if the format doesn't have the concept of multiple manifests), it does mean users of this library will need to implement support for a different API and new users may be confused about using the Index vs non-index functions.
The text was updated successfully, but these errors were encountered: