Closed juhp closed 3 years ago
This is based on the search path in your registries.conf. Since docker.io comes first, it will be chosen first. If you want to use fedora registry images first then you need to either fully specify the fedora registry or switch the search order.
Registries.conf in fedora by default have this search path. unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] Which means that docker.io should be chosen last.
Registries.conf in fedora by default have this search path. unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] Which means that docker.io should be chosen last.
It wasn't :-)
I think you mean for remote "resolution", whereas I am talking about local images.
I am wondering if it depends on the order of the original image pulls? Or it is doing lexical ordering?
To clarify my original report/question:
$ podman images fedora:33
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.fedoraproject.org/fedora 33 a23de53c4305 39 hours ago 190 MB
docker.io/library/fedora 33 1910ec046b4b 3 months ago 207 MB
$ podman run -it --rm fedora:33 rpm -q rpm
rpm-4.15.1-2.fc32.1.x86_64
$ podman run -it --rm registry.fedoraproject.org/fedora:33 rpm -q rpm
rpm-4.15.90-0.git14971.12.fc33.x86_64
So my question was why does podman choose the older (or first installed) image in my case?
I can reproduce with:
libpod (master) $ ./bin/podman inspect --format '{{.RepoTags}}' fedora:33
[docker.io/library/fedora:33]
Note that the described order of unqualified-serach-registries
only applies when pulling (and searching) but not for other operations.
I reopened to find consensus how Podman should behave.
This is one of the things I really wanted to solve in the refactor of the image package to be shared with Buildah & CRI-O - consistent resolution is shortnames is a significant issue in our tools.
@ParkerVR @ryanchpowell This is a case where the shortname table would help out, so the user referring to a shortname is always the same.
A friendly reminder that this issue had no activity for 30 days.
I think that we should tackle it now and teach NewFromLocal(name string) to iterate the search registries for short names. That should even out the semantics across other commands.
@mtrmac, I can tackle it but I want your ACK on the idea.
Yes, I would love for NewFromLocal
and pullGoalFromPossiblyUnqualifiedName
to be consistent — and pullRefPair.dstRef
values already are storage references, so it should not be very hard to do.
OTOH, read findImageInRepotags
. IIRC I was last involved with that code only to preserve the existing behavior via suspiciousRefNameTagValuesForSearch
, which also indicates my lack of understanding of the purpose of that code.
I would love for that to be replaced with something else, but if you want an ACK that a specific kind of replacement makes sense, I’m not the person to ask because I can only guess at goals of that search code; that might have to be tracked down the history, maybe all the way to atomic
.
Whatever the goals of the search code, I have a strong suspicion that removing that search is going to break some users that incorrectly relied on those very loose matching semantics. That may well be worth it, but I want to make sure it’s a conscious decision.
/kind bug
Description
podman run <imagename>
chose an older local image.Steps to reproduce the issue:
podman pull docker.io/fedora:33 && podman pull registry.fedoraproject.org/fedora:33
podman run -it --rm fedora:33
Describe the results you received: For me the older image was run (in my case my docker.io/fedora:33 was several months old).
Describe the results you expected: Newer image to used. Or is this a security feature?
Output of
podman version
:Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Additional environment details (AWS, VirtualBox, physical, etc.):
Physical: Fedora 31 Silverblue