Fix ResolveImageConfig to evaluate source policy #3956
Conversation
cpuguy83
force-pushed
the
source_policy_resolve_image
branch
2 times, most recently
from
b9f72e4
to
283ccb3
Compare
|
Looks like panic in CI: |
cpuguy83
force-pushed
the
source_policy_resolve_image
branch
10 times, most recently
from
4466473
to
ca5b0c0
Compare
|
All green here now. |
frontend/dockerui/namedcontext.go
Outdated
| Platform: opt.Platform, | ||
| ResolveMode: opt.ResolveMode, | ||
| LogName: fmt.Sprintf("[context %s] load metadata for %s", nameWithPlatform, ref), | ||
| ResolverType: llb.ResolverTypeRegistry, | ||
| }) | ||
| if err != nil { | ||
| var e imageutil.ResolveToNonImageError |
There was a problem hiding this comment.
I think this needs to be a pointer because it looks like &ResolveToNonImageError{} is returned when this error happens.
There was a problem hiding this comment.
Its passed into errors.As as a pointer. We don't ever propagate this error beyond this point, though.
There was a problem hiding this comment.
https://go.dev/play/p/BQwN9fEeWHl
I don't quite understand how the current one even builds though. I get a build error if I don't remove pointer from func (e ResolveToNonImageError) Error() string { in that example.
There was a problem hiding this comment.
I see the error in the playground but it makes very little sense to me why it would be failing or why the test suite is passing.
There was a problem hiding this comment.
Oh it is passing because that's a panic not a compile error.
There was a problem hiding this comment.
It still doesn't look correct to me in the latest version. Now it doesn't error but the As() check never matches. It's the case1 vs case2 example in the playground example.
There was a problem hiding this comment.
Ideally, we could have a test for this as seems to be quite easy to break this behavior.
cpuguy83
force-pushed
the
source_policy_resolve_image
branch
from
ca5b0c0
to
04b2bf6
Compare
frontend/dockerui/namedcontext.go
Outdated
| Platform: opt.Platform, | ||
| ResolveMode: opt.ResolveMode, | ||
| LogName: fmt.Sprintf("[context %s] load metadata for %s", nameWithPlatform, ref), | ||
| ResolverType: llb.ResolverTypeRegistry, | ||
| }) | ||
| if err != nil { | ||
| var e imageutil.ResolveToNonImageError |
cpuguy83
force-pushed
the
source_policy_resolve_image
branch
2 times, most recently
from
1145f69
to
a118f4e
Compare
Before this change, ResolveImageConfig was unaware of source policies. This means that: 1. Images for denied sources may be resolved 2. Image configs may get pulled for sources that are later converted to a different image The update makes it so the image resolver first runs a given ref through the source policy and uses any mutated ref for the actual resolve (instead of the original ref). It also returns the mutated ref so it can be used correctly by the frontend (e.g. don't want to do llb.Image(oldRef@resolvedDigest)). Signed-off-by: Brian Goff <cpuguy83@gmail.com>
cpuguy83
force-pushed
the
source_policy_resolve_image
branch
from
a118f4e
to
330cf7a
Compare
Before this change, ResolveImageConfig was unaware of source policies. This means that:
The update makes it so the image resolver first runs a given ref through the source policy and uses any mutated ref for the actual resolve (instead of the original ref).
It also returns the mutated ref so it can be used correctly by the frontend (e.g. don't want to do llb.Image(oldRef@resolvedDigest)).
Fixes #3911