caprover / one-click-apps

Community Maintained One Click Apps (https://github.com/caprover/caprover)
Apache License 2.0

Specifying image version by hash during one-click deploy does not work #127

Open sneak opened 4 years ago

sneak commented 4 years ago

I'm trying to deploy Gitea. I don't like deploying by image tag because those can be silently updated by developers on Docker Hub, granting them remote execution on my machine under certain circumstances.

When deploying it via one-click apps, I am prompted for the gitea version to deploy. I entered sha256:223c31793c1b486c3339cffc95e307b2094410f2fc0b0410c9488db828fe6b27 instead of latest. This failed during build.

When deploying these via the docker CLI, one must do docker run image@sha256:hash instead of docker run image:tagname.

It seems to me that CapRover should detect when a specified version starts with a hash algorithm identifier (even if only recognizing the static string sha256 for now, as is displayed on the Docker Hub website) and deploy appropriately based on image hash (cryptographically immutable) instead of tagname (developer mutable).

githubsaturn commented 4 years ago

Moving this to one-click apps repo as it's perhaps only related to regex validations of the tags which is totally one-click app specific.

sneak commented 4 years ago

I will test today to see if CR allows a definition file to support imagename@ syntax and try to fix it if not.

githubsaturn commented 4 years ago

It does support that. You can try copy-pasting this:

{"schemaVersion":2,"imageName":"nginx@sha256:253ba3484dc13498c0a2ad9e236f144dcc8c74ec08a0bcead9b776fa8a29dffc"}