Support manifest list #807

Closed
lucacome opened this issue Oct 20, 2022 · 9 comments · Fixed by #829
Labels
kind/feature Categorizes issue or PR as related to a new feature.

@lucacome

Is your feature request related to a problem? Please describe.

I want to run preflight check container once for my multi-arch manifest

Describe the solution you'd like.

preflight certifies all the images in a manifest list.

Describe alternatives you've considered.

Manually certifying every architecture

Additional context.

Maybe I'm missing a flag or something? It seems like preflight is able to read the manifest list but defaults to using the image for amd64.

@lucacome lucacome added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 20, 2022
@acornett21
Contributor

Hi @lucacome, preflight uses a library, crane, to pull the images, get their configs, and send them to our backend. crane defaults to using the architecture value for the system that it is run on.

Currently, the workaround is what you mentioned, to certify every architecture individually on the appropriate base system.

With that said, multi-arch/manifest list is something that has been talked about being added to the container certification process. I'm not sure what the priority of that is, but it would not be just a change in preflight, backend systems at Red Hat would also need to be changed as well.

@lucacome
Author

Hi @acornett21 thanks for the response and the explanation.

> ... crane defaults to using the architecture value for the system that it is run on.

It seemed to default to amd64 🤔

> Currently, the workaround is what you mentioned, to certify every architecture individually on the appropriate base system.

For the latest round of certifications I was able to do everything from one system, just specifying different SHAs...I hope everything worked 😅

> but it would not be just a change in preflight, backend systems at Red Hat would also need to be changed as well.

Is there a better place for me to open an issue to ask for the backend systems to support this?

@acornett21
Contributor

> It seemed to default to amd64 🤔

If you are on an amd64 system using our amd64 binary that would be the default, arm64 would be arm64, and so on...

For your other questions I've messaged you on slack.

@lucacome
Author

lucacome commented Oct 21, 2022

Sorry I forgot to mention that I'm on arm64 and it defaulted to amd64.

Thanks!

@bcrochet
Contributor

bcrochet commented Nov 2, 2022

> Sorry I forgot to mention that I'm on arm64 and it defaulted to amd64.
>
> Thanks!

I just tried on arm64, and you are correct. It pulled the amd64 image. I'll take a look at why that's happening.

bcrochet added a commit to bcrochet/openshift-preflight that referenced this issue Nov 3, 2022
Crane defaults to "linux/amd64" as the platform, unless an option
is passed with WithPlatform. This defaults to an OS of "linux", and
an architecture of runtime.GOARCH, which is basically set at build
time.

Additional work will be required to process all arches of an image
in one go.

Fixes redhat-openshift-ecosystem#807

Signed-off-by: Brad P. Crochet <brad@redhat.com>
bcrochet added a commit to bcrochet/openshift-preflight that referenced this issue Nov 3, 2022
Crane defaults to "linux/amd64" as the platform, unless an option
is passed with WithPlatform. This defaults to an OS of "linux", and
an architecture of runtime.GOARCH, which is basically set at build
time.

Additional work will be required to process all arches of an image
in one go.

Related redhat-openshift-ecosystem#807

Signed-off-by: Brad P. Crochet <brad@redhat.com>
bcrochet added a commit that referenced this issue Nov 7, 2022
Crane defaults to "linux/amd64" as the platform, unless an option
is passed with WithPlatform. This defaults to an OS of "linux", and
an architecture of runtime.GOARCH, which is basically set at build
time.

Additional work will be required to process all arches of an image
in one go.

Related #807

Signed-off-by: Brad P. Crochet <brad@redhat.com>
@lucacome
Author

> Hi @lucacome, preflight uses a library, crane, to pull the images, get their configs, and send them to our backend. crane defaults to using the architecture value for the system that it is run on.
>
> Currently, the workaround is what you mentioned, to certify every architecture individually on the appropriate base system.
>
> With that said, multi-arch/manifest list is something that has been talked about being added to the container certification process. I'm not sure what the priority of that is, but it would not be just a change in preflight, backend systems at Red Hat would also need to be changed as well.

Without any changes in the backend systems, preflight could just grab all the architectures from a tag and automatically certify all of them? Maybe even tag them with the arch.

This will definitely improve the certification process, at least while we wait for manifest list support on the backend.

bcrochet added a commit to bcrochet/openshift-preflight that referenced this issue Nov 10, 2022
If a multiarch manifest is supplied to check container, it would
default to the platform preflight is running on. This --platform
flag allows the user to choose which platform image to use, without
having to resort to using SHA digests.

Fixes redhat-openshift-ecosystem#807

Signed-off-by: Brad P. Crochet <brad@redhat.com>
acornett21 pushed a commit that referenced this issue Nov 10, 2022
If a multiarch manifest is supplied to check container, it would
default to the platform preflight is running on. This --platform
flag allows the user to choose which platform image to use, without
having to resort to using SHA digests.

Fixes #807

Signed-off-by: Brad P. Crochet <brad@redhat.com>
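
Added example, not part of the thread or of preflight's source: the platform selection described in the commit messages above, modelled with the standard library on a constructed manifest list. An empty platform falls back to linux/runtime.GOARCH, an unknown platform is an error rather than a silent switch to another architecture, and the full digest map is what certifying every image in the list would iterate over. The function names and digests are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"runtime"
)

// Constructed sample manifest list (image index); the digests are placeholders.
const sampleIndex = `{"schemaVersion": 2, "manifests": [
  {"digest": "sha256:aaaa", "platform": {"os": "linux", "architecture": "amd64"}},
  {"digest": "sha256:bbbb", "platform": {"os": "linux", "architecture": "arm64"}},
  {"digest": "sha256:cccc", "platform": {"os": "linux", "architecture": "s390x"}}]}`

type imageIndex struct {
	Manifests []struct {
		Digest   string
		Platform struct{ OS, Architecture string }
	}
}

// digestsByPlatform maps "os/arch" to the digest of that platform's image.
func digestsByPlatform(indexJSON string) (map[string]string, error) {
	var idx imageIndex
	if err := json.Unmarshal([]byte(indexJSON), &idx); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(idx.Manifests))
	for _, m := range idx.Manifests {
		out[m.Platform.OS+"/"+m.Platform.Architecture] = m.Digest
	}
	return out, nil
}

// resolve picks one digest. An empty platform means linux/<host arch>, not a
// fixed linux/amd64; a platform missing from the list is reported as an error.
func resolve(all map[string]string, platform string) (string, error) {
	if platform == "" {
		platform = "linux/" + runtime.GOARCH
	}
	if d, ok := all[platform]; ok {
		return d, nil
	}
	return "", fmt.Errorf("platform %s not in manifest list", platform)
}

func main() {
	all, _ := digestsByPlatform(sampleIndex)
	fmt.Println(resolve(all, "linux/arm64"))
}
```

Comparing the digest that was actually checked against the digest for the intended platform is a quick way to confirm that the architecture being certified is the one that will be deployed.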
@sxd
Contributor

sxd commented Jan 26, 2023

Hi everyone!

I'm pinging here because with the latest version 1.5.0 preflight is still picking up only amd64 as the architecture and it's not using the one that we pass in the --platform argument.

I think that, as @lucacome mentioned, preflight should detect the manifest and simply certify all the architectures inside. Is this even an option?

Regards,

@acornett21
Contributor

@sxd Sorry for this miss on our part. We have fixed the issue and cut a new release.

@sxd
Contributor

sxd commented Jan 30, 2023

Hi @acornett21

Thank you!! Everything is working as expected now =)

Cheers!
