You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This ticket is split out from #4283 because it requires more brainstorming. Currently, there is no clear solution to get the digest for images from public Amazon ECR registries. The difficulty is that in order to use the Amazon ECR API to get image metadata (like the digest), the user must have permissions to that public registry.
Ideas so far:
Delay the checksum harvesting until we implement a backup function. We will be downloading full containers and uploading them somewhere in the future, so we could grab the checksums then).
Downside: this means that snapshotting works differently for Amazon ECR
Run something in the background that's asynchronous, like a lambda that pulls docker images and uploads the digest back to the webservice
May have a bit of a lag because the image is pulled at snapshot time
Downside: it's another lambda to manage. Lambdas also have a 500MB disk size and some images are larger than that.
Idea 4: We could use a command line tool created by Red Hat called skopeo.
Skopeo can inspect a remote image without requiring you to pull the image. If it was from a registry that allowed you to list tags, like Docker Hub, you would be able to get the image digest from the output of the command (sample output).
For Amazon ECR, the inspect command doesn't work completely since you can't list the tags, but we can still run inspect --raw, which returns the raw manifest for the image.
After that, we can apply skopeo's manifest-digest command which computes a digest for the manifest file inputted. The digest returned matches the image's digest. Alternatively, we could sha256 the manifest file ourselves.
Idea 5: If for some reason we can't use skopeo, we could try to do what skopeo does manually.
Pull the image manifest using Docker's API. This may require AWS authentication.
Calculate the sha256 digest using the image manifest obtained. May need to format the image manifest returned from the API correctly before applying sha256 (example: newlines at the end of the file will affect the digest)
This ticket is split out from #4283 because it requires more brainstorming. Currently, there is no clear solution to get the digest for images from public Amazon ECR registries. The difficulty is that in order to use the Amazon ECR API to get image metadata (like the digest), the user must have permissions to that public registry.
Ideas so far:
┆Issue is synchronized with this Jira Story
┆friendlyId: DOCK-1843
┆sprint: Sprint 67- Reef shark
┆taskType: Story
The text was updated successfully, but these errors were encountered: