Use new build URL #930
According to https://github.com/mozilla-services/cloudops-infra-deploylib/blob/7d668384e41fbf936af3b706a9a3cce2d10499ff/deploylib/docker.py#L152 the digest of the docker image should be in the log. The digest printed using the locally built image doesn't produce the same sha256 as the one pushed to Docker Hub, because Taskcluster uses an older version of docker.
scripts/push-dockerimage.sh
Outdated
@@ -45,6 +45,9 @@ for tag in ${tags[*]}; do | |||
docker tag buildtemp "mozilla/balrog:${tag}" | |||
echo "Pushing Docker image tagged with ${tag}" | |||
docker push mozilla/balrog:${tag} | |||
# Pull the image to print its digest. cloudops-deploylib verifies the | |||
# images comparing their digests to the digests in the logs |
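Review bot: the new comment at the end of the hunk says the image is pulled "to print its digest" but not why the digest cannot be taken from the image that was just built and pushed by `docker push mozilla/balrog:${tag}`. State the reason in the comment, otherwise the pull reads as redundant and is likely to be removed later. If the pull is by tag, the comment should also say that the logged value is whatever the registry returns for that tag, since that is the value cloudops-deploylib then compares against. Minor: `docker push mozilla/balrog:${tag}` leaves the image reference unquoted while the `docker tag` line above quotes it; quote both.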
Can you revise this comment? I think the `pull` is necessary because the digest changes when you push it (?), but this comment doesn't make it clear.
Does pulling defeat the purpose of printing the digest in the log? My assumption is that it is printed so we don't have to trust docker.
> Does pulling defeat the purpose of printing the digest in the log? My assumption is that it is printed so we don't have to trust docker.

It does. So far I haven't found any better way to find the digest using this old image format... :/
After some investigation it turns out that the digest is something registry specific, so you have to pull or push the image to get the digest. Since we push in the same task, there is no need to pull again, `docker push` prints the digest.
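One way to log the digest straight from the push step, as an added example that is not code from this PR or from cloudops-deploylib. The function names and the sample output (including its digest value) are constructed for illustration; the only assumption about Docker is the `<tag>: digest: sha256:<hex> size: <n>` line that `docker push` prints on success.

```sh
#!/bin/sh
# Constructed sample of `docker push` output; the digest value is made up.
sample_push_output='The push refers to repository [docker.io/mozilla/balrog]
5f70bf18a086: Pushed
latest: digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef size: 1576'

# Read `docker push` output on stdin and print the digest reported for tag $1.
# Exits non-zero when no well-formed sha256 digest line exists for that tag,
# so the calling task fails instead of logging nothing to verify against.
extract_push_digest() {
  awk -v tag="$1" '
    $1 == (tag ":") && $2 == "digest:" &&
    $3 ~ /^sha256:[0-9a-f]+$/ && length($3) == 71 { d = $3 }
    END { if (d == "") exit 1; print d }'
}

# Hypothetical wrapper for the push loop: push, echo Docker's own output,
# then log the registry digest in a fixed image@digest form.
push_and_log_digest() (
  image="$1"; tag="$2"
  out=$(docker push "${image}:${tag}") || exit 1
  printf '%s\n' "$out"
  digest=$(printf '%s\n' "$out" | extract_push_digest "$tag") || {
    echo "no digest reported for ${image}:${tag}" >&2
    exit 1
  }
  echo "Pushed ${image}@${digest}"
)

# Offline demonstration on the constructed sample above.
printf '%s\n' "$sample_push_output" | extract_push_digest latest
```

The logged digest is still the value the registry reported to the pushing client, so this removes the extra pull but not the reliance on Docker and the registry raised earlier in the thread.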
It's worth noting the current state is that images are not verified, so this patch doesn't regress in any way. We should try to find a way to get it working though.
Let me investigate it more and keep this PR open as a reminder.
Without any changes to
Yes, image validation should work, just need to fix the URL to the new format, it's used in parsing the task ID.
The old URL still works though AFAICT, so how will this patch help? Deploylib pulls the task id out with:
Which seems to pull the taskId out OK:
And then it generates the log with:
Which works fine:
Bah, I misread the code and missed the