Open tri-adam opened 2 years ago
kzantow
commented
3 months ago Hey, @tri-adam -- sorry for the delay here. Do you happen to have a working example of this issue with a public repository we could look at? We'd definitely like to get any panics fixed if this is still happening.
Additionally, I created this issue to add support for ORAS: https://github.com/anchore/stereoscope/issues/253
tri-adam
commented
3 months ago Hey, @tri-adam -- sorry for the delay here. Do you happen to have a working example of this issue with a public repository we could look at? We'd definitely like to get any panics fixed if this is still happening.
Additionally, I created this issue to add support for ORAS: #253
Hi @kzantow, apologies for the slow response. I just pushed a SIF up to Dockerhub here: https://hub.docker.com/r/sylabsadam/alpine-sif.
It looks like things have improved since my original report. syft isn't able to process the SIF from the registry, but doesn't panic now:
$ syft packages registry:sylabsadam/alpine-sif
Command "packages" is deprecated, use `syft scan` instead
✔ Parsed image sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
could not determine source: an error occurred attempting to resolve 'sylabsadam/alpine-sif': oci-registry: unknown layer media type: application/vnd.sylabs.sif.layer.v1.sifRunning against the SIF locally still seems to work as expected:
$ singularity pull oras://sylabsadam/alpine-sif
INFO: Downloading oras image
3.4MiB / 3.4MiB [==============================================================================================================] 100 % 1.7 MiB/s 0s
$ syft packages singularity:alpine-sif_latest.sif
Command "packages" is deprecated, use `syft scan` instead
✔ Parsed image sha256:bd640a41460ae7bfae0d608ad063c84cf5b61ef1b9647531bd59cbf57e519dde
✔ Cataloged contents ff77047d9cb035df6be6800b79aea4df63d2fb3e46c59125b2fc2d5235062496
├── ✔ Packages [14 packages]
├── ✔ File digests [77 files]
├── ✔ File metadata [77 locations]
└── ✔ Executables [17 executables]
NAME VERSION TYPE
alpine-baselayout 3.6.5-r0 apk
alpine-baselayout-data 3.6.5-r0 apk
alpine-keys 2.4-r1 apk
apk-tools 2.14.4-r0 apk
busybox 1.36.1-r29 apk
busybox-binsh 1.36.1-r29 apk
ca-certificates-bundle 20240226-r0 apk
libcrypto3 3.3.1-r0 apk
libssl3 3.3.1-r0 apk
musl 1.2.5-r0 apk
musl-utils 1.2.5-r0 apk
scanelf 1.3.7-r2 apk
ssl_client 1.36.1-r29 apk
zlib 1.3.1-r1 apkI think we still probably have something to do here: support non-OCI image types from registry. There are a couple ways to do that today, one of which is detecting the media type somewhere around here: https://github.com/anchore/stereoscope/blob/main/pkg/image/oci/registry_provider.go#L92, but since that is the OCI provider, it might be more correct to add another registry provider for SIF and it just needs the right registry tags (see here), but this would result in checking the registry twice when really we just need to check the media type of the initial response, and the registry is still actually an OCI registry, just not an OCI image.
After a very short deliberation, I think my preferred approach would be to move the registry provider from the oci package into a registry package, and have this delegate reading images based on the media type to the appropriate oci or sif providers. Any feedback how to implement this otherwise would be appreciated!
I've retitled this issue to better reflect the ask, let me know if I've misrepresented anything @tri-adam !
tri-adam
commented
2 months ago I think we still probably have something to do here: support non-OCI image types from
registry. There are a couple ways to do that today, one of which is detecting the media type somewhere around here: https://github.com/anchore/stereoscope/blob/main/pkg/image/oci/registry_provider.go#L92, but since that is the OCI provider, it might be more correct to add another registry provider for SIF and it just needs the rightregistrytags (see here), but this would result in checking the registry twice when really we just need to check the media type of the initial response, and the registry is still actually an OCI registry, just not an OCI image.After a very short deliberation, I think my preferred approach would be to move the registry provider from the
ocipackage into aregistrypackage, and have this delegate reading images based on the media type to the appropriateociorsifproviders. Any feedback how to implement this otherwise would be appreciated!I've retitled this issue to better reflect the ask, let me know if I've misrepresented anything @tri-adam !
Yeah, agreed that there's still some work to do here...
It seems to me that the logic you suggest near https://github.com/anchore/stereoscope/blob/main/pkg/image/oci/registry_provider.go#L92 is in the right area. In the case of the SingularityCE image I listed in my last comment, the config mediaType and/or the layer mediaType could tee things off to the sif package that knows how to build a *image.Image from the contents of the remote layer.
As for where that logic should live structurally, seems to me like there are good arguments for pulling the detection logic into its own package. Would you envision that logic calling into the oci/sif packages via a NewRegistryProvider interface that accepts the remote.Image retrieved by the detection logic?
What happened:
When running
syft packagesagainst aregistry:source that contains a SIF image, apanicoccurs:What you expected to happen:
Expected the same output as running
syft packagesagainst the SIF image locally:How to reproduce it (as minimally and precisely as possible):
Using SingularityCE, push a SIF image to a supported OCI registry (I used Harbor), and process with Syft:
Anything else we need to know?:
Environment: