Story
Resolution: Done-Errata
rhel-8.5.0
rhel-sst-container-tools
Description of problem:
As described in (https://github.com/containers/buildah/issues/1048), when an image is already present with buildah in a separate registry, it will force-push it anyway the first time.
This is better described in this unfinished commit here:
https://github.com/containers/image/pull/550
In essence, in CI/CD pipelines where buildah is run in a fresh environment every time, it forces a lot of extra traffic and uploading if an image is pushed to a second location where it already exists. Docker does not do this and will query the second registry for the same image hashes and decide not to push it, whereas c/image will at the moment currently still re-push exactly the same content (the first time).
An example. Pull an image, tag it, and push it again:
$ buildah pull registry.fedoraproject.org/fedora-minimal
$ buildah tag registry.fedoraproject.org/fedora-minimal quay.io/robbmanes/trashcan-image
$ buildah push quay.io/robbmanes/trashcan-image
This does exactly what you expect, and if you try to re-push the image from this system it will skip the appropriate layers:
$ buildah push quay.io/robbmanes/trashcan-image
Getting image source signatures
Copying blob a3497ca15bbf skipped: already exists
Copying config f7e02de757 done
Writing manifest to image destination
Storing signatures
However, if you run the exact same operation from a new environment (such as in a container or in a CI/CD pipeline) it will re-push the same image despite absolutely nothing changing on the destination:
$ sudo podman run -it --rm --name buildah registry.redhat.io/ubi8/buildah bash
[root@1b1f838c9d5b /]# buildah pull registry.fedoraproject.org/fedora-minimal
[root@1b1f838c9d5b /]# buildah tag registry.fedoraproject.org/fedora-minimal quay.io/robbmanes/trashcan-image
[root@1b1f838c9d5b /]# buildah push quay.io/robbmanes/trashcan-image
Getting image source signatures
Copying blob a3497ca15bbf done
Copying config f7e02de757 [--------------------------------------] 0.0b / 1.3KiB
Writing manifest to image destination
Storing signatures
Having c/image behave in such a way that it checks the blobs on upload against the destination would prevent this from happening. Unfortunately, https://github.com/containers/image/pull/550 looks abandoned and may not be the best method moving forward from my (and others') review.
Version-Release number of selected component (if applicable):
Any
How reproducible:
Every time
Actual results:
Layer is not checked for matching content and is re-pushed despite no changes.
Expected results:
Matching layer should be detected and should not force a re-push of the same content to the destination registry.
Additional info:
This is reported in buildah as the component because I didn't know how to file against the main library for images in our container-tools suite (https://github.com/containers/image).
I'll be happy to take a shot at it, time permitting as well.
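Added example, not part of the original report and not code from buildah or containers/image: a sketch of the expected behaviour, asking the destination whether it already holds each blob via the registry HTTP API's HEAD request on /v2/<name>/blobs/<digest> before uploading. The function names, the repository name demo/image, the digests and the stub registry are all hypothetical and constructed for the example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Ignore proxy environment variables so the local stub is reached directly.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def blob_exists(base_url, repo, digest):
    """HEAD /v2/<repo>/blobs/<digest>; 200 means the destination already holds the blob."""
    req = urllib.request.Request(f"{base_url}/v2/{repo}/blobs/{digest}", method="HEAD")
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # 401/403/5xx: state unknown, never guess "present" or "missing"

def plan_push(digests, local_cache, exists_remote):
    """Return (skip, upload). local_cache models push history, empty in a fresh CI container."""
    skip, upload = [], []
    for digest in digests:
        known = digest in local_cache or exists_remote(digest)
        (skip if known else upload).append(digest)
    return skip, upload

def start_stub_registry(present):
    """Constructed stand-in for a registry: answers HEAD on blob URLs from a fixed set."""
    class Handler(BaseHTTPRequestHandler):
        def do_HEAD(self):
            digest = self.path.rsplit("/", 1)[-1]
            self.send_response(200 if digest in present else 404)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def demo():
    layer = "sha256:" + "a" * 64   # constructed digests, not taken from the report
    config = "sha256:" + "b" * 64
    server, url = start_stub_registry({layer})  # destination already has the layer
    try:
        return plan_push([layer, config], set(), lambda d: blob_exists(url, "demo/image", d))
    finally:
        server.shutdown()
```

Against a real registry the HEAD request needs the same authentication as the push, and a skipped blob is only safe because the digest is a hash of the content.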
- links to
RHSA-2023:122557 container-tools:rhel8 security, bug fix, and enhancement update