OCPBUGS-87160: skip manifest list signatures#1443
Conversation
|
@r4f4: This pull request references Jira Issue OCPBUGS-87160, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (9)
🚧 Files skipped from review as they are similar to previous changes (9)
WalkthroughThis pull request refactors blob and history tracking from ChangesBlob Set Tracking Refactor
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 1 warning)
✅ Passed checks (13 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: r4f4 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
a493b23 to
7b13f01
Compare
7b13f01 to
c562c4e
Compare
@adolfo-ab sorry, I changed the approach a little. Instead of just ignoring signatures for manifest lists, we still try to copy them but ignore errors. WDYT? |
c562c4e to
7a74c01
Compare
|
/jira refresh |
|
@r4f4: This pull request references Jira Issue OCPBUGS-87160, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@r4f4: This pull request references Jira Issue OCPBUGS-87160, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
aguidirh
left a comment
There was a problem hiding this comment.
Thanks for the PR @r4f4.
A lot of good refactorings. I only added one nit suggestion, please let me know if you will take it so I'll wait to add LGTM.
I'm not sure if we should be concerned about it but I got the following when building locally:
go build -mod=readonly -tags "json1 " -ldflags "-X github.com/openshift/oc-mirror/pkg/version.versionFromGit="v0.2.0-alpha.1-645-g7a74c01" -X github.com/openshift/oc-mirror/pkg/version.commitFromGit="7a74c01d" -X github.com/openshift/oc-mirror/pkg/version.gitTreeState="clean" -X github.com/openshift/oc-mirror/pkg/version.buildDate="2026-06-25T13:56:56Z" " -o './bin/oc-mirror' github.com/openshift/oc-mirror/cmd/oc-mirror
# github.com/mattn/go-sqlite3
sqlite3-binding.c: In function ‘sqlite3ShadowTableName’:
sqlite3-binding.c:123934:9: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
123934 | zTail = strrchr(zName, '_');
| ^
make[1]: Leaving directory '/home/aguidi/go/src/github.com/aguidirh/oc-mirror/v1'
But at the end the binary was built. did you face anything similar?
| if historyBlobs.Has(hash) || alreadyAddedBlobs.Has(hash) { | ||
| continue | ||
| } |
There was a problem hiding this comment.
Much cleaner now, thanks!
| blobs := make(map[string]struct{}) | ||
|
|
||
| blobs[in.digest.String()] = struct{}{} | ||
| blobs := sets.New[string](in.digest.String()) |
There was a problem hiding this comment.
nit: it seems that when you initialize sets.New inline, it does not need the type.
| blobs := sets.New[string](in.digest.String()) | |
| blobs := sets.New(in.digest.String()) |
This is valid for all the places where sets.New is initialized (I saw it over few files).
| expectedBlobs: sets.New[string]( | ||
| "sha256:467829ca4ff134ef9762a8f69647fdf2515b974dfc94a8474c493a45ef922e51", | ||
| "sha256:728191dbaae078c825ffb518e15d33956353823d4da6c2e81fe9b1ed60ddef7d", | ||
| "sha256:50b9402635dd4b312a86bed05dcdbda8c00120d3789ec2e9b527045100b3bdb4", | ||
| ), |
There was a problem hiding this comment.
nit: another example of initialization inline:
| expectedBlobs: sets.New[string]( | |
| "sha256:467829ca4ff134ef9762a8f69647fdf2515b974dfc94a8474c493a45ef922e51", | |
| "sha256:728191dbaae078c825ffb518e15d33956353823d4da6c2e81fe9b1ed60ddef7d", | |
| "sha256:50b9402635dd4b312a86bed05dcdbda8c00120d3789ec2e9b527045100b3bdb4", | |
| ), | |
| expectedBlobs: sets.New( | |
| "sha256:467829ca4ff134ef9762a8f69647fdf2515b974dfc94a8474c493a45ef922e51", | |
| "sha256:728191dbaae078c825ffb518e15d33956353823d4da6c2e81fe9b1ed60ddef7d", | |
| "sha256:50b9402635dd4b312a86bed05dcdbda8c00120d3789ec2e9b527045100b3bdb4", | |
| ), |
ART does not sign manifest lists, only the single-arch manifests. The same way, podman/clusterimagepolicy only verify single-arch manifests. If we require signatures in manifest lists, we break mirroring of `multi` OCP payloads. So let's ignore them for now. This fix/workaround will be obsolete if we ever introduce some API in container-libs to differentiate images with wrong/missing signatures vs non-signed images.
I don't see this even when I build after a |
7a74c01 to
65a7bd1
Compare
|
Update: addressed review comments. |
|
@r4f4: This pull request references Jira Issue OCPBUGS-87160, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@r4f4: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/assign @nidangavali for verified label |
|
@aguidirh: GitHub didn't allow me to assign the following users: for, verified, label. Note that only openshift members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Description
ART does not sign manifest lists, only the single-arch manifests. The same way, podman/clusterimagepolicy only verify single-arch manifests.
If we require signatures in manifest lists, we break mirroring of
multiOCP payloads. So let's ignore them for now. This fix/workaround will be obsolete if we ever introduce some API in container-libs to differentiate images with wrong/missing signatures vs non-signed images.I have also included a small refactor to simplify the existing code.
Github / Jira issue: OCPBUGS-87160
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Run d2m with ISC:
Expected Outcome
m2d succeeds and the
log-level=debugoutput contains:Summary by CodeRabbit