Strip reserved (com.docker. io.docker, org.dockerproject) labels on docker commit #42037
+123
−12
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
added
status/2-code-review
impact/changelog
area/images
kind/bugfix
|
Tentatively adding a "cherry-pick" label, but we can discuss if this is too much of a behavior change to consider for a patch release |
thaJeztah
force-pushed
the
strip_reserved_labels_on_commit
branch
from
a71e7f3
to
667733e
Compare
cpuguy83
requested changes
Feb 18, 2021
api/types/backend/backend.go
Outdated
| Comment string | ||
| Config *container.Config | ||
| Changes []string | ||
| KeepReservedLabels bool |
There was a problem hiding this comment.
Oh! Good one, hmmm.. I think I originally thought it may be needed if there's uses elsewhere that need the old behavior, but I didn't do that in the end; let me remove
Extract the prefix-check to a function Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…ocker commit Docker uses reserved label namespaces on containers to store runtime information. For example, when creating a service (`docker service create`), deploying a stack (`docker stack deploy`), or running a compose project (`docker-compose up`), docker respectively adds `com.docker.swarm`, `com.docker.stack`, and `com.docker.compose` labels to store metadata used at runtime. These labels are not set by users, but when commiting such a container, they currently end up in the image that was committed. This patch updates `CreateImageFromContainer` to remove labels in the reserved namespace. Some remarks should be made to this change: - This patch only accounts for `docker commit`; `docker build` still allows committing labels in the reserved namespaces - Because of the above, committing a container that was started from an image that has labels in the reserved namespaces, will strip these labels, and thus remove the labels from the image that is created. - Other actions (`docker run`, `docker create`) still allow these labels to be set, and also inherit these labels if they're started from an image that has labels in the reserved namespaces. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
strip_reserved_labels_on_commit
branch
from
667733e
to
13edc7f
Compare
|
Discussing in the maintainers meeting, and we can exclude all labels on commit. The classic builder probably doesn't not need it - we need to double check this ( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Docker uses reserved label namespaces on containers to store runtime information.
For example, when creating a service (
docker service create), deploying a stack(
docker stack deploy), or running a compose project (docker-compose up),docker respectively adds
com.docker.swarm,com.docker.stack, andcom.docker.composelabels to store metadata used at runtime.These labels are not set by users, but when commiting such a container, they
currently end up in the image that was committed.
This patch updates
CreateImageFromContainerto remove labels in the reservednamespace.
Some remarks should be made to this change:
docker commit;docker buildstill allowscommitting labels in the reserved namespaces
that has labels in the reserved namespaces, will strip these labels, and
thus remove the labels from the image that is created.
docker run,docker create) still allow these labels to beset, and also inherit these labels if they're started from an image that
has labels in the reserved namespaces.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)