disable pulling legacy image formats by default #47459
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as resolved.
This comment was marked as resolved.
thaJeztah
force-pushed
the
disable_schema1
branch
from
9a9e5e5
to
c41ff61
Compare
dmcgowan
approved these changes
Feb 27, 2024
AkihiroSuda
reviewed
Feb 27, 2024
distribution/errors.go
Outdated
| func DeprecatedSchema1ImageMessage(ref reference.Named) string { | ||
| return fmt.Sprintf("[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of %s to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/", ref) | ||
| return fmt.Sprintf("[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of %s to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/", ref) |
There was a problem hiding this comment.
The env var should be printed here as a hint?
There was a problem hiding this comment.
I was a bit in doubt on adding even more text to the already length error, and considered instead to include that information in the deprecation docs; we can point the "/go/" redirect to the appropriate location (which can outline the details, as well as the temporary escape hatch).
It might be good for those that need it to understand the context, and be aware that they really should not depend on it.
Happy to hear your (and other's) thoughts on that though!
There was a problem hiding this comment.
Yeah I think it's better to put more info on the deprecation page. It's also an opportunity to provide more information and mention that this env var needs to be put on the daemon side (not just DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE=1 docker pull)
AkihiroSuda
approved these changes
Feb 27, 2024
vvoland
reviewed
Feb 28, 2024
This patch disables pulling legacy (schema1 and schema 2, version 1) images by
default.
A `DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE` environment-variable is
introduced to allow re-enabling this feature, aligning with the environment
variable used in containerd 2.0 (`CONTAINERD_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE`).
With this patch, attempts to pull a legacy image produces an error:
With graphdrivers:
docker pull docker:1.0
1.0: Pulling from library/docker
[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
With the containerd image store enabled, output is slightly different
as it returns the error before printing the `1.0: pulling ...`:
docker pull docker:1.0
Error response from daemon: [DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
Using the "distribution" endpoint to resolve the digest for an image also
produces an error:
curl -v --unix-socket /var/run/docker.sock http://foo/distribution/docker.io/library/docker:1.0/json
* Trying /var/run/docker.sock:0...
* Connected to foo (/var/run/docker.sock) port 80 (#0)
> GET /distribution/docker.io/library/docker:1.0/json HTTP/1.1
> Host: foo
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Api-Version: 1.45
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Tue, 27 Feb 2024 16:09:42 GMT
< Content-Length: 354
<
{"message":"[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/"}
* Connection #0 to host foo left intact
Starting the daemon with the `DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE`
env-var set to a non-empty value allows pulling the image;
docker pull docker:1.0
[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
b0a0e6710d13: Already exists
d193ad713811: Already exists
ba7268c3149b: Already exists
c862d82a67a2: Already exists
Digest: sha256:5e7081837926c7a40e58881bbebc52044a95a62a2ea52fb240db3fc539212fe5
Status: Image is up to date for docker:1.0
docker.io/library/docker:1.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
disable_schema1
branch
from
c41ff61
to
62b33a2
Compare
thaJeztah
commented
Feb 28, 2024
Comment on lines
+220
to
227
| func DeprecatedSchema1ImageError(ref reference.Named) error { | ||
| msg := "[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release." | ||
| if ref != nil { | ||
| msg += " Suggest the author of " + ref.String() + " to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2." | ||
| } | ||
| msg += " More information at https://docs.docker.com/go/deprecated-image-specs/" | ||
| return invalidArgumentErr{errors.New(msg)} | ||
| } |
There was a problem hiding this comment.
Updated; I decided to change this to return an error as well; that way we don't have to bother constructing an "InvalidParameter" error in all call-sides, and just do that here.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch disables pulling legacy (schema1 and schema 2, version 1) images by default.
A
DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGEenvironment-variable is introduced to allow re-enabling this feature, aligning with the environment variable used in containerd 2.0 (CONTAINERD_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE).With this patch, attempts to pull a legacy image produces an error:
With graphdrivers:
With the containerd image store enabled, output is slightly different as it returns the error before printing the
1.0: pulling ...:Using the "distribution" endpoint to resolve the digest for an image also produces an error:
Starting the daemon with the
DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGEenv-var set to a non-empty value allows pulling the image;- What I did
- How I did it
- How to verify it
- Description for the changelog
- Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version.- A picture of a cute animal (not mandatory but encouraged)