Use new build URL #930
Use new build URL #930
Conversation
According to https://github.com/mozilla-services/cloudops-infra-deploylib/blob/7d668384e41fbf936af3b706a9a3cce2d10499ff/deploylib/docker.py#L152 the digest of the docker image should be in the log. The digest printed using the locally built image doesn't produce the same sha256 with the one pushed to Docker Hub, because Taskcluster uses an older version of docker.
scripts/push-dockerimage.sh
Outdated
| @@ -45,6 +45,9 @@ for tag in ${tags[*]}; do | |||
| docker tag buildtemp "mozilla/balrog:${tag}" | |||
| echo "Pushing Docker image tagged with ${tag}" | |||
| docker push mozilla/balrog:${tag} | |||
| # Pull the image to print its digest. cloudops-deploylib verifies the | |||
| # images comparing their digests to the digests in the logs | |||
There was a problem hiding this comment.
Can you revise this comment? I think the pull is necessary because the digest changes when you push it (?), but this comment doesn't make it clear.
There was a problem hiding this comment.
Does pulling defeat the purpose of printing the digest in the log? My assumption is that it is printed so we don't have to trust docker.
There was a problem hiding this comment.
Does pulling defeat the purpose of printing the digest in the log? My assumption is that it is printed so we don't have to trust docker.
It does. So far I haven't found any better way to find the digest using this old image format... :/
There was a problem hiding this comment.
After some investigation it turns out that the digest is something registry specific, so you have to pull or push the image to get the digest. Since we push in the same task, there is no need to pull again, docker push prints the digest.
|
It's worthing noting the current state is that images are not verified, so this patch doesn't regress in any way. We should try to find a way to get it working though. |
|
Let me investigate it more and keep this PR open as a reminder. |
|
Without any changes to |
|
Yes, image validation should work, just need to fix the URL to the new format, it's used in parsing the task ID. |
The old URL still works though AFAICT, so how will this patch help? Deploylib pulls the task id out with:
Which seems to pull the taskId out OK:
And then it generates the log with:
Which works fine:
|
|
Bah, I misread the code and missed the |
According to
https://github.com/mozilla-services/cloudops-infra-deploylib/blob/7d668384e41fbf936af3b706a9a3cce2d10499ff/deploylib/docker.py#L152
the digest of the docker image should be in the log. The digest printed
using the locally built image doesn't produce the same sha256 with the
one pushed to Docker Hub, because Taskcluster uses an older version of
docker.