-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Starting swarm services results in images with <none>
tag
#28908
Comments
Yeah, pull by digest won't create a tag. If we were to change A possible workaround would be to make the swarm executor create the tag after pulling by digest if one does not exist, but this seems like a hack and I feel like it's not a good design to have the executor mucking around with tags. |
I agree that we shouldn't add this hack into the Swarm executor. We could consider resolving this issue for 1.14, but I suspect this will also go hand in hand with making |
Tags may not map directly to digests. You could run two |
@aluzzardi yes, was discussing with @aaronlehmann, we definitely can't fix this for 1.13 without major refactoring, but since swarm resolves the digest from the I'm adding this to the 1.14 milestone so that we can discuss what options are possible |
@aluzzardi makes a good point that there may be multiple services that reference the same tag but were resolved to different digests. In this case, it would be bad for the tag to switch between the two images depending which was pulled most recently. This seems like a good argument for services not having ownership of the tag. |
Observed the same image tag set to when using docker stack deploy on 17.03.0-ce. In this case, the tag should have been set to a specific version such as "1.255" docker info |
This behavior causes some tools such as Artifactory to fail as they expect a not null tag:
The tag is not empty if we call
But as @thaJeztah mentioned, in the case of
the tag is empty. Therefore, while
works
fails as it causes Artifactory to throw |
https://www.jfrog.com/jira/browse/RTFACT-10543 fixed with Artifactory 5.2.1 release. I confirmed Artifactory happily handles null tag now. |
This is really bad imo, the tag column was created because it's really needed rather than a luxury, otherwise what am I supposed to infer from this output?
|
Is the behavior not consistent with Windows? It appears on Windows you do get an image tag whereas Linux you do not |
Milestone 17.04 and still not fixed in 17.09 🙃 |
@thaJeztah weird thing I'm seeming with v18.3:
not only was the service started with "none", but |
any solutions for this ? |
When "manual mode" is enabled, Shepherd will manually pull locally the latest tagged image from the registry, check if its newer compared to the one in use by the service (by comparing their unique identifiers, called _digests_), and in such case it will try and force Docker to update the service with it. This feature has been initially developed to have a temporary workaround/alternative until the "pulled images with none tag" issue is fixed: SEE: moby/moby#28908 It could also be used to isolate and troubleshoot issues that one thinks may be related to the "update process", by setting some services in "manual mode" and monitoring their status, compared to the ones updated using the built-in logic. Includes: - Add "manual mode" feature to the main script. - Update the README. - Add more comments to the code.
When "manual mode" is enabled, Shepherd will manually pull locally the latest tagged image from the registry, check if its newer compared to the one in use by the service (by comparing their unique identifiers, called _digests_), and in such case it will try and force Docker to update the service with it. This feature has been initially developed to have a temporary workaround/alternative until the "pulled images with none tag" issue is fixed: SEE: moby/moby#28908 It could also be used to isolate and troubleshoot issues that one thinks may be related to the "update process", by setting some services in "manual mode" and monitoring their status, compared to the ones updated fully using the built-in logic and not "forcing". Includes: - Add "manual mode" feature to the main script. - Update the README. - Add more comments to the code.
When "manual mode" is enabled, Shepherd will manually pull locally the latest tagged image from the registry, check if its newer compared to the one in use by the service (by comparing their unique identifiers, called _digests_), and in such case it will try and force Docker to update the service with it. This feature has been initially developed to have a temporary workaround/alternative until the "pulled images with none tag" issue is fixed: SEE: moby/moby#28908 It could also be used to isolate and troubleshoot issues that one thinks may be related to the "update process", by setting some services in "manual mode" and monitoring their status, compared to the ones updated fully using the built-in logic and not "forcing". Includes: - Add "manual mode" feature to the main script. - Update the README. - Add more comments to the code.
When "manual mode" is enabled, Shepherd will manually pull locally the latest tagged image from the registry, check if its newer compared to the one in use by the service (by comparing their unique identifiers, called _digests_), and in such case it will try and force Docker to update the service with it. This feature has been initially developed to have a temporary workaround/alternative until the "pulled images with none tag" issue is fixed: SEE: moby/moby#28908 It could also be used to isolate and troubleshoot issues that one thinks may be related to the "update process", by setting some services in "manual mode" and monitoring their status, compared to the ones updated fully using the built-in logic and not "forcing". Includes: - Add "manual mode" feature to the main script. - Update the README. - Add more comments to the code.
I have same question.
|
<none>
tag<none>
tag
@thaJeztah any plans on this? |
I think the resolution of the image id could or should be up to the user to decide. it's nice, that docker swarm does this behind the scenes, but I think users that care about this (same id on every node) would be just fine to do it by themselves. users that don't care about it, would be fine if swarm didn't prevent minor discrepancies. Is this argument good enough to change the current behaviour?🤔 |
What is the exact problem you're running into because of this?
Manually pulling images to keep them up-to-date on each node means you'd need (ssh) access to each node, and to authenticate with registries on each node, which is a risk as those credentials would/could persist on worker nodes, and compromising a worker node would also compromise those credentials.
Minor discrepancies could include the difference between an image with a critical vulnerability on one node, and a patched image on another node. It also avoids "spoofing" images (e.g., putting a fake
The default will definitely not change. The default is to resolve the digest;
But if you want images to be pulled by their reference, you can pass the
The service will now reference the image by name/tag:
And use
|
Thanks for the explanation.
|
Possibly just a "nit"; but now that services "pin" an image by digest, the pull also pulls by digest, resulting in local images to not have a "tag" visible;
before creating the service; no images are available;
create a service using the
nginx:alpine
imageAfter the service is created, the
nginx
image is present locally, but tag is empty (<none>
);Not sure this can be solved easily, but I can see this being confusing.
/cc @nishanttotla @aaronlehmann
The text was updated successfully, but these errors were encountered: