-
Notifications
You must be signed in to change notification settings - Fork 102
Not able to deploy apps using dockerhub images in autoupgrade format without using "docker.io" in image name. #1427
Comments
IIRC someone once said that we'll never assume some default registry when handling images? Maybe that should be popped up in a discussion round? |
I have a draft PR for this here: #1817 However, this has a major consequence that I really do not like. For auto-upgrade, the rule currently is that we will always prioritize/prefer remote images over local ones when resolving. If we allow the implicit use of Docker Hub, then we open up users to a dependency confusion attack, which could play out like this:
Imo we should not support having an implicit Docker Hub registry for auto-upgrade. It opens up too many risks. Curious to hear everyone's thoughts. Edit: a possible workaround would be to note somewhere in the AppInstance that the image started as a local image and should never switch to a remote one when auto-upgrading. That sounds a little gross but could be doable. I want to get confirmation that that's actually something that we want before I proceed forward with it though. |
I have two thoughts here:
|
There's still some inherent difference between the behavior of auto-upgrade and non-auto-upgrade, which is whether local images or remote images are preferred when resolving. We have to communicate that to the user somewhere, so imo it's not too much of an additional difference to say that users have to specify
I think this is the right idea. |
This was the crux of a debate/convo between Darren, Donnie, Grant, Sangeetha, and I. We concluded that consistency was not the most important thing here. I was originally arguing for consistency above all, but was convinced otherwise. Darren was the major proponent of auto-upgrade preferring remote and non-auto-upgrade preferring local. His argument being that they are two distinct use cases with different expectations. I think either way we go, we will eventually confuse some users. All that said, I agree with Tyler's second point. Let's insist that auto-upgrade images be fully-qualified and just make sure the error is clear and explicit. |
All of my auto-upgrade fixes have been merged. Ultimately we decided that the user does need to explicitly provide the image registry if they are using or referring to non-local images in auto-upgrade apps. |
Tested with User is provided with following error message when trying to using images in autoupgrade format without providing registry info.
|
…specified registry (acorn-io#1427) (acorn-io#1823) Signed-off-by: Grant Linville <grant@acorn.io>
acorn version v0.6.0-106-g09f636a2+09f636a2
This behavior is also seen in older versions.
Steps to reproduce the problem:
Do we expect
#2
work ?#1
working and#3
working but#2
not working is confusing behavior.The text was updated successfully, but these errors were encountered: