-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using 'docker push' to overwrite a tag fails to collect correct build-infos #804
Comments
Also here is another link to the code, where the repository is being determined using the REST API: |
Hello @s-geiger-si, and thank you for taking the time to reach out to us regarding JFrog CLI and Docker. First and foremost, I want to emphasize the utmost importance of maintaining accurate build info. Build info serves as a reliable snapshot of the components used in the build process, enabling traceability, analysis, and ensuring the security of your software. It is critical that the build info remains unchanged and accurately reflects the build metadata. If JFrog CLI encounters any discrepancies, such as an incorrect checksum, it will not generate build-info data. Upon reviewing your case, it seems that you are attempting to overwrite a Docker image with the same name and tag in Artifactory. However, during this process, JFrog CLI encounters different layer SHA values that were not included in the initial push operation to Artifactory. As a result, the build-info data cannot be generated due to these discrepancies. The removal of the repository name argument in the Docker push command in JFrog CLI from version 1.x to 2.x was driven by two primary motivations: Convenience: Our goal is to simplify and streamline the CLI commands for our users. By reducing the number of required arguments, we aim to provide a more convenient interaction with JFrog CLI. Enhanced Security: The removal of the repository name argument contributes to a more secure build-info generation process. In the previous version, specifying the repository name during Docker push could potentially allow manipulation or misconfiguration, leading to inaccurate or compromised build info. By relying on Artifactory REST API to determine the repository based on the image tag, we ensure a more robust and secure approach to build-info generation. Please accept my apologies for any inconvenience caused. If you have any further questions or concerns, please don't hesitate to reach out. |
Hello @Or-Geva, thanks for the detailed response. I absolutely agree, that accurate build-info is very important and we try to create our pipelines in such a way that they include all relevant details and submit them together with the relevant artifacts. I understand the motivation that lead to the removal of the repository argument, I am not asking to bring this option back. However I am not sure how we should solve this issue that we have or if you have any alternative suggestion for us. Let me try to explain a bit more details about this. Our repository is structured in such a way, that the virtual repository includes the For every image we usually push a unique version, such as ( As I mentioned earlier, we cannot directly update images in the stable repo to overwrite the Now my expectation would be the following, please let me know if I make incorrect assumptions here of if this is not a good way to handle this:
I would like to add that a possible work around to the issue is to use the |
@Or-Geva Did you see my reply? |
Hello, @s-geiger-si. My apologies for the delayed response. I understand that there are several missing configuration details that prevent me from fully grasping the complete picture. One specific point you mentioned is that:
Without going too deep, given this information, one approach I would suggest is to provide access to the necessary resources, such as In general, overriding images seems wrong to me, as it may lead to unexpected results and it may be worth reconsidering this practice. Again, I may have not the full picture from my point of view, so I recommend reaching out to JFrog support. They will be able to thoroughly analyze your repository structure and configuration and provide personalized assistance in designing the most suitable approach for your specific requirements. |
Thanks @Or-Geva, I always thought it was the default approach of Artifactory to interact with the virtual repo and use the "default deployment repository" to target the dev repo and then promote from there. I will check if that is an option to interact directly with the local repos. Regarding your comment on overwriting tags, we never overwrite concrete versions (i.e., If you look at postgres image for example it can be accessed using the
I don't think there currently is an alternative to overwriting the image tags on the Artifactory platform, to realize this use case, is there? Depending on the use case, we need to either pull an image by its concrete version, or by a relative tag such as |
@s-geiger-si, have you considered using a different term instead of "latest" for the build and push operation, such as "dev-latest"? By doing so, you can reserve the traditional "latest" keyword for pull operations. This approach would ensure that JFrog CLI correctly names the pushed images without any overlap with the "docker-stable" latest tag. |
@Or-Geva, I am not sure I fully understood your comment. I think we are already doing this (limited by the bug that I am describing). We have (among others) My assumptions are as following:
Not sure what you mean by this, I would still need to update the |
Describe the bug
Hello JFrog Team,
we just noticed an interesting change in behavior of the JFrog CLI that appeared with the upgrade of the CLI from major version 1.x to 2.x. For us this causes a regression when we try to promote a docker image tag that already existed and that was overwritten in a recent push. This now leads to a warning and no build-info metadata being attached to the image, which causes the image layers to be not correctly promoted.
Our setup is as following, we have three repositories:
docker
).docker-dev
,docker-stable
).We push an image with a tag such as
foobar:latest
which will first appear indocker-dev
and then we want to promote it todocker-stable
. Then later we run another pipeline, push, and try to promote to stable again, overwriting the older tag. But after the pipeline completes, we are still seeing the original image tag in the stable repository, while the new tag remains in the dev repository.This used to work fine with the CLI version 1.x, However, the
docker push
command accepted a repository name in the 1.x branch, but as far as I can see it no longer allows this argument in the 2.x branch. So we removed this argument and now the following happens:When we call
jf docker push ...
the image is pushed and a warning is emitted:This warning seems to be caused by the following code: d45734b#diff-e2f77381b07f59446c81eef9ee262f955593314bd6328e0ed5fa4f8e350c0079R55
The docker image is correctly pushed, but the build-info contains no modules. When we then try to promote the build to the stable stage, the image layers remain in the dev stage.
I am not sure how we should fix this, or if this is even intentional behavior of the JFrog CLI. The problem, was far as I understand seems to come from the fact, that the repository is now determined using a call to the REST API and this API seems to return the
docker-stable
repository, since that one appears first in the order of the virtual repository and already contains an older image tag but the hashsum of that image does not match the one we just pushed. The result is that we are not attaching any build-info to the newly pushed image tag.Current behavior
As described above, the build-info metadata is not correctly attached to the image tag and it is not correctly promoted to the stable docker repository stage as a result.
Reproduction steps
No response
Expected behavior
The image correctly receives the build-info metadata.
JFrog CLI-Core version
2.28.0
JFrog CLI version (if applicable)
2.28.1
Operating system type and version
Linux
JFrog Artifactory version
7.49.10
JFrog Xray version
No response
The text was updated successfully, but these errors were encountered: