Support sha512 content #543
Conversation
sudo-bmitch
force-pushed
the
pr-digest-on-tag-push
branch
from
b347347
to
811619c
Compare
sudo-bmitch
changed the title
|
CI is failing on this because Zot will need to be updated for the changed APIs. I've been testing against olareg so I know this can work. This gives me more reasons to want to rewrite the conformance tests to focus on a matrix of content and APIs to test. The current tests are getting difficult to follow and manage. |
|
@rchincha it would be good to get your feedback on this, and whether Zot would be able to support it. |
|
project-zot/zot#2075 |
| @@ -329,6 +331,12 @@ The process remains unchanged for chunked upload, except that the post request M | |||
| Content-Length: 0 | |||
| ``` | |||
|
|
|||
| When pushing a blob with a digest algorithm other than `sha256`, the post request SHOULD include the `digest-algorithm` parameter: | |||
There was a problem hiding this comment.
Why do we need this new query param? We already send the expected digest (including the algorithm) as a mandatory parameter when closing the blob upload.
There was a problem hiding this comment.
Two reasons I can think of. It's a courtesy to registries that compute the digest as the blob is received and don't want to reread the blob to recompute it with a new algorithm. It's also a way for clients to get a fast failure if they request an algorithm not supported by the registry, before spending the time and bandwidth to upload the blob.
There was a problem hiding this comment.
Any particular reason this is a query param instead of a header? so API endpoint defs don't change (?)
What are our guidelines regarding what gets set as a header and what as a query param.
There was a problem hiding this comment.
We use query params in a lot of other parts of the spec. Is there a reason this should be a header?
There was a problem hiding this comment.
In the POST, PATCH, PUT sequence, we could have alternatively modeled this as 'Content-Type'/'Accept' type header exchange.
'OCI-Digest-Type'/'OCI-Accept-Digest-Type'? in the POST step itself.
^ just a thought!
In general, older registries will reject in the PUT step, and we cannot assume that registries are implementing streamed hashing.
There was a problem hiding this comment.
In general, older registries will reject in the PUT step, and we cannot assume that registries are implementing streamed hashing.
Correct, the failure condition on older registries requires the blob to be pushed first. This gives newer registries the ability to improve performance of the blob push.
There was a problem hiding this comment.
same here... the client may include sha256 to ensure it is supported, this for future use cases presuming there will eventually be replacement(s)
|
Hi @sudo-bmitch
This one was an intermediate step to replace hardcoded sha256 logic. This one project-zot/zot#2554 passes for me locally with the conformance tests in this PR. It implements the digest query parameter for pushing manifests. |
|
@sudo-bmitch at least in "draft" state, maybe update zot to point to @andaaron 's tree/commit. |
|
|
||
| `/v2/<name>/blobs/uploads/?digest-algorithm=<algorithm>` <sup>[end-4c](#endpoints)</sup> | ||
|
|
||
| Here, `<digest-algorithm>` is the algorithm the registry should use for the blob, e.g. `digest-algorithm=sha512`. |
There was a problem hiding this comment.
It's a minor nit, but shouldn't the example here still be sha256 since we don't want to accidentally encourage anyone to actually use sha512?
There was a problem hiding this comment.
The parameter isn't needed for sha256. That's specified on line 334. I think sha512 is the only other valid digest algorithm today that can be specified here.
There was a problem hiding this comment.
agree with the idea of at least showing both in the examples... explaining it is normally default.. and testing...
There was a problem hiding this comment.
Deprecating 256 at some point would be hard if the default for this new parameter is not specified. I general leaning towards explicit even for sha256.
There was a problem hiding this comment.
If a registry sees a request without a digest-algorithm, are we saying the registry can pick any blob algorithm it wants to, and if the client specifies a different one on the PUT then the request could fail after the blow was uploaded? I'd feel a lot safer if a missing algorithm is treated the same as a legacy client that is using sha256. In which case there won't be a difference between not specifying the parameter and specifying the parameter with sha256.
I'll still add it if that's the community desire, but I worry there may be registries that don't recognize the parameter and reject the request.
There was a problem hiding this comment.
The spec doesn't seem to officially say that's the expected behavior, so it really doesn't seem unreasonable for it to do something different than sha256 if it has a reason to.
@rchincha I need the changes for this: Lines 95 to 105 in 11b8e3f Do you have a container image to point to? |
|
@sudo-bmitch Thinking about this some more ... Maybe split this work into two parts - 1) first the ability to handle a non-sha256 hash so no further API changes, and 2) the ability to optimize via streaming hints. It may turn out that 2) may not be needed at all. Thoughts? |
@rchincha I'm not sure I follow. What would you include in the first part, the part that has no API changes? |
I would focus only on making PUT /v2/...blob/?digest=sha512:... work first. |
I think we still need to resolve the question with guidelines of mixing and matching digests. Here is a sequence (really #494 (comment) rephrased)
We can lean on some lessons from other content-addressable projects: My concern (IMHO) is we have not set a high-level direction or rationale yet for above first.
No, will resolve shortly after. |
Once the manifest is pushed to the registry, the registry cannot modify it. Doing so would break pinned references and violate the content addressable guarantee. Before the push, it's a client decision of how they generate the manifest. I'd recommend against changing the digest of layers from a base image. Changing the digest of blobs implies foregoing cross-repository blob mounts, increases the number of copies of content on a registry and that need to be pulled to the client, and breaks tools that support rebasing images.
This.
Mirrors and the likes should not be modifying the manifest. They need to retain the content addressable guarantee.
Clients are free to do anything when building. If they modify content and change the digest, it's now their responsibility.
What if the broken algorithm is sha256 and we don't have a way to push content with other digest algorithms? What if registries respond to a broken algorithm by changing their default, breaking the ability to sign images and other uses of referrers? Will clients have to be configured differently for each registry they talk to? My goal is to solve this so we aren't stuck in one of these bad scenarios.
My goal is just to make it possible to push content with other algorithms, focusing on the currently supported algorithms first. Once that is done, I think we have a path forward to add new algorithms (keeping in mind that content built with a new algorithm is not portable to older registries or usable by older downstream consumers). I'm not focused on which algorithms we add in the future (that's a question for image-spec). And I think any security questions should get lumped into that discussion, which we can have later.
It can't be after. Without resolving #494 we'll never get to 2, because it's not possible to push a tagged manifest with anything other than the registry desired digest algorithm (hence the reason |
|
Can we capture all this (rationale) somewhere? |
Hi @sudo-bmitch, can you try out ghcr.io/andaaron/zot-minimal-linux-amd64:v2.1.0-manifest-digest? |
@rchincha I think most of this is covered by "The registry MUST store the manifest in the exact byte representation provided by the client" but feel free to open a PR and we'll discuss there. |
Let me take a stab at the text/content. Not sure where it should land yet. Maybe in the commit msg of this PR itself. |
sudo-bmitch
force-pushed
the
pr-digest-on-tag-push
branch
from
811619c
to
04c6343
Compare
sudo-bmitch
force-pushed
the
pr-digest-on-tag-push
branch
from
04c6343
to
26643ef
Compare
Signed-off-by: Brandon Mitchell <git@bmitch.net>
sudo-bmitch
force-pushed
the
pr-digest-on-tag-push
branch
from
26643ef
to
063de3f
Compare
@andaaron thanks, I've got it working with that image (along with some other cleanups). |
|
Something pointed out by @thaJeztah is this text from image-spec:
Without a MUST, that means this conformance test needs to be optional, and any content generated with a different digest should be considered non-portable, not just in practice, but also according to the spec. |
dist-spec v1.2.0? |
It would have to be image-spec v1.2 changing the MAY to MUST language, semi-independent from distribution-spec. Clients would still need to be prepared for registries and other clients on older releases of each. For distribution-spec, I think the conformance test really needs to be a matrix style of test for the different types of content running across the various APIs. And an early failure to push the content should skip the remaining tests. I think we should also reorganize for a single path through the APIs, push, query, pull, delete, instead of the setup/teardown per test we have now. I'd want to do that as a separate PR from this, and then make this PR add a new entry to the types of content to test. |
Fixes #494.
Pending tasks before removing this from draft: