Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nerdctl images displays the wrong image id #3011

Open
apostasie opened this issue May 16, 2024 · 8 comments
Open

nerdctl images displays the wrong image id #3011

apostasie opened this issue May 16, 2024 · 8 comments
Labels
status/needs-design-discussion

Comments

@apostasie
Copy link
Contributor

Description

Whenever nerdctl displays lists of images (nerdctl images, nerdctl image list), the ID being reported are the repo sha, not the image ID.

Compare with Docker.

Steps to reproduce the issue

  1. nerdctl images
  2. docker images

Describe the results you received and expected

Expected: Docker behavior - see the image ID.

Received: repo digest

What version of nerdctl are you using?

1.7.6

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response
@apostasie apostasie added the kind/unconfirmed-bug-claim Unconfirmed bug claim label May 16, 2024
@apostasie apostasie mentioned this issue May 17, 2024
Merged
@AkihiroSuda
Copy link
Member

The image IDs are different from Docker

nerdctl/cmd/nerdctl/image_list.go

Line 37 in cefa8ce

- IMAGE ID: OCI Digest. Usually different from Docker image ID. Shared for multi-platform images.

@AkihiroSuda AkihiroSuda closed this as not planned Won't fix, can't repro, duplicate, stale May 17, 2024
@apostasie
Copy link
Contributor Author

apostasie commented May 17, 2024
edited
Loading

I see.

Was there a reason for that choice?

The problems I see:

  • it does make nerdctl and docker fundamentally disagree on what defines the "same image".

  • it will also lead to internal inconsistent behavior with nerdctl wrt to commands like rmi.

Specifically:

sudo nerdctl pull debian >/dev/null 2>&1
sudo nerdctl tag debian apostasie/nerdctl-test
sudo nerdctl push apostasie/nerdctl-test

shortid="$(sudo nerdctl inspect apostasie/nerdctl-test | jq -rc .[0].RepoDigests[0])"
shortid="${shortid##*:}"
shortid="${shortid:0:8}"

sudo nerdctl rmi -f "$shortid"

sudo nerdctl images # <- empty

# Now...

sudo nerdctl pull debian  >/dev/null 2>&1
sudo nerdctl pull apostasie/nerdctl-test  >/dev/null 2>&1

shortid="$(sudo nerdctl inspect apostasie/nerdctl-test | jq -rc .[0].RepoDigests[0])"
shortid="${shortid##*:}"
shortid="${shortid:0:8}"

sudo nerdctl rmi -f "$shortid"

sudo nerdctl images # <- not empty

This is obviously due to the fact that the RepoDigest will be different for the very same image depending on whether it has been pushed&pulled or not.

I can maybe fix it, by querying and keying images during lookup along the "docker" Id, but it is going to make things more complicated and possibly lead to some other types of discrepancies.

@apostasie apostasie mentioned this issue May 18, 2024
Open
@AkihiroSuda
Copy link
Member

containerd's image store is designed to use a single object for multi-platform image index, while Docker's image store is designed to allocate an object per platform.

@AkihiroSuda
Copy link
Member

BTW nerdctl image inspect has been using Docker-compatible ID which is incompatible with the ID shown in nerdctl images:

nerdctl/pkg/inspecttypes/dockercompat/dockercompat.go

Line 331 in 3ca6e8b

i.ID = n.ImageConfigDesc.Digest.String() // Docker ID (digest of platform-specific config), not containerd ID (digest of multi-platform index or manifest)

This behavior looks inconsistent and needs some remedy...

@AkihiroSuda AkihiroSuda reopened this May 18, 2024
@AkihiroSuda
Copy link
Member

AkihiroSuda commented May 18, 2024
edited
Loading

Relevant:

nerdctl's output should be consistent with moby/moby#47526 (when the PR gets merged)

@apostasie
Copy link
Contributor Author

Agreed.

Overall, all of it does not look good.
I strongly believe we cannot use repodigest hash as a way to define what an image is - this is just wrong and will lead to many issues (among which the fact that an image will "change" after push according to nerdctl).

I will have a look at the Moby PR and see what we can do here.

@apostasie
Copy link
Contributor Author

BTW nerdctl image inspect has been using Docker-compatible ID which is incompatible with the ID shown in nerdctl images:

nerdctl/pkg/inspecttypes/dockercompat/dockercompat.go

Line 331 in 3ca6e8b

i.ID = n.ImageConfigDesc.Digest.String() // Docker ID (digest of platform-specific config), not containerd ID (digest of multi-platform index or manifest)

This behavior looks inconsistent and needs some remedy...

Well... image list will definitely show the repo sha in the ID column (and not the Docker ID).

And image inspect does NOT allow querying by Docker id.

My "inspect" PR also respected that so far.

We might need a design discussion here.

@apostasie
Copy link
Contributor Author

containerd's image store is designed to use a single object for multi-platform image index, while Docker's image store is designed to allocate an object per platform.

The store is one thing, what we conceptually present to the user is another.

The core issue here is: what we currently show to the user is inconsistent, and breaks reproducibility and some of our commands in certain conditions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status/needs-design-discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AkihiroSuda @apostasie