Open cp-fabian-pittroff opened 1 year ago
We observed the same problem. After removal of the tag, dependabot even fails with an error (see https://github.com/zalando/skipper/pull/2546):
```
updater | 2023/08/29 13:52:01 INFO <job_715278877> Checking if library/alpine-3 2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 needs updating
proxy | 2023/08/29 13:52:01 [030] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
proxy | 2023/08/29 13:52:02 [030] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
proxy | 2023/08/29 13:52:02 [032] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
proxy | 2023/08/29 13:52:02 [032] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
updater | 2023/08/29 13:52:02 INFO <job_715278877> Latest version is
updater | 2023/08/29 13:52:02 INFO <job_715278877> Sending event e767ddc58ce84841ba7cb7c0cc6fd880 to Sentry
proxy | 2023/08/29 13:52:03 [034] POST https://sentry.io:443/api/1451818/store/
proxy | 2023/08/29 13:52:03 [034] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/08/29 13:52:03 ERROR <job_715278877> Error processing library/alpine-3 (NoMethodError)
updater | 2023/08/29 13:52:03 ERROR <job_715278877> undefined method `match?' for nil:NilClass
updater |
updater | name.match?(FileParser::DIGEST)
updater | ^^^^^^^
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/tag.rb:31:in `digest?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:185:in `updated_digest'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:90:in `block in digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `all?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:71:in `version_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:34:in `up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:79:in `check_and_create_pull_request'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:59:in `check_and_create_pr_with_error_handling'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `block in perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `each'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:63:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:38:in `perform_job'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> bin/update_files.rb:23:in `<main>'
updater | 2023/08/29 13:52:03 INFO <job_715278877> Finished job processing
updater | 2023/08/29 13:52:03 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +----------------------------------+
updater | | Dependencies failed to update |
updater | +------------------+---------------+
updater | | library/alpine-3 | unknown_error |
updater | +------------------+---------------+
updater | time="2023-08-29T13:52:03Z" level=info msg="task complete" container_id=job-715278877-updater exit_code=0 job_id=715278877 step=updater
```
The Dockerfile docs https://docs.docker.com/engine/reference/builder/#from allow the forms:
```
FROM [--platform=<platform>] <image> [AS <name>]
# or
FROM [--platform=<platform>] <image>[:<tag>] [AS <name>]
# or
FROM [--platform=<platform>] <image>[@<digest>] [AS <name>]
```
Dependabot supports neither the undocumented (see https://github.com/moby/moby/issues/37866) `FROM foo:atag@sha256:112233...` form nor the documented `FROM foo@sha256:112233...` form with a digest.
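The three documented forms and the undocumented tag-plus-digest form can be handled by one small parser. The Ruby below is an added example written for this thread, not code from dependabot-core or from the Docker documentation; the method names, the `ImageRef` struct and the sample references are its own assumptions. It also encodes the point made in this thread that once a digest is present the tag is informational only, so an updater has to compare digests rather than tag names.

```ruby
# Added example (not dependabot-core code): parse the
# <image>[:<tag>][@<digest>] reference forms from a FROM line and report
# which part a container engine actually resolves by. All names here are
# this example's own assumptions.

# <algorithm>:<hex>, e.g. sha256:<64 hex chars>
DIGEST_RE = /\A(?<algo>[a-z0-9]+):(?<hex>[a-f0-9]{32,})\z/.freeze
# Tag grammar as in the distribution spec: [\w][\w.-]{0,127}
TAG_RE = /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/.freeze

ImageRef = Struct.new(:name, :tag, :digest, keyword_init: true) do
  # A digest pins the exact manifest; when present the tag is ignored by the
  # engine (moby/moby#37866), so updates must be decided on the digest.
  def pinned?
    !digest.nil?
  end

  # The identifier an updater should treat as "the current version".
  def resolve_key
    pinned? ? digest : (tag || "latest")
  end
end

def parse_image_ref(ref)
  raise ArgumentError, "empty reference" if ref.nil? || ref.strip.empty?

  rest = ref.strip
  digest = nil
  if (at = rest.index("@"))
    digest = rest[(at + 1)..]
    rest = rest[0...at]
    raise ArgumentError, "malformed digest: #{digest}" unless DIGEST_RE.match?(digest)
  end

  # Only a ":" after the last "/" separates a tag; earlier colons belong to
  # a registry host:port such as registry.example:5000/repo.
  tag = nil
  slash = rest.rindex("/") || -1
  colon = rest.index(":", slash + 1)
  if colon
    tag = rest[(colon + 1)..]
    rest = rest[0...colon]
    raise ArgumentError, "malformed tag: #{tag}" unless TAG_RE.match?(tag)
  end

  raise ArgumentError, "missing image name" if rest.empty?
  ImageRef.new(name: rest, tag: tag, digest: digest)
end

# Parse a whole FROM instruction, skipping --platform=... and AS <name>.
def parse_from_line(line)
  tokens = line.strip.split(/\s+/)
  raise ArgumentError, "not a FROM instruction" unless tokens.shift&.casecmp?("FROM")
  tokens.shift if tokens.first&.start_with?("--platform=")
  parse_image_ref(tokens.first)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lines; the digests are placeholders, not real images.
  [
    "FROM alpine",
    "FROM --platform=linux/amd64 nginx:stable-alpine AS web",
    "FROM registry.example:5000/library/alpine-3@sha256:#{'a' * 64}",
    "FROM steamcmd/steamcmd:ubuntu-22@sha256:#{'b' * 64} AS default"
  ].each do |l|
    r = parse_from_line(l)
    puts "#{r.name} tag=#{r.tag.inspect} pinned=#{r.pinned?} key=#{r.resolve_key[0, 19]}"
  end
end
```

Note that `resolve_key` returns the digest whenever one is present: that is the value an "is a PR already open for this?" comparison has to use, otherwise two references with the same tag but different digests look identical.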
@cp-fabian-pittroff when attempting to run Dependabot on your sample repo, it seems to update correctly for me:
=> bump steamcmd/steamcmd from `091eb51` to `6681332`
± Dockerfile
~~~
--- /tmp/original20230905-11-7gl513 2023-09-05 12:25:57.250082000 +0000
+++ /tmp/updated20230905-11-bpm2ze 2023-09-05 12:25:57.250082000 +0000
@@ -1 +1 @@
-FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9
+FROM steamcmd/steamcmd:ubuntu-22@sha256:6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15
~~~
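Review bot: the bumped line keeps the `ubuntu-22` tag in front of the new digest, so after this change the tag is documentation only; as the thread notes (moby/moby#37866), the engine resolves `steamcmd/steamcmd:ubuntu-22@sha256:6681332...` by the digest alone. Since the tag is not re-validated here, it would be worth having the updater confirm that `ubuntu-22` still resolves to the digest it writes, or the PR can silently leave a tag that no longer matches the pinned image.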
2 insertions (+), 2 deletions (-)
Could it maybe have been resolved since this issue was opened?
@AlexanderYastrebov what's the best way to reproduce the issue you were running into, is there a specific sha in the repo you referenced that I can check?
@jurre Hello. It failed on
```
FROM registry.opensource.zalan.do/library/alpine-3@sha256:2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 AS default
```
Note that we attempted to remove the tag (and only use the hash) within https://github.com/zalando/skipper/pull/2546 because dependabot stopped updating the hash and said "Pull request already exists for library/alpine-3 with latest version latest":
```
updater | 2023/08/29 00:21:53 INFO <job_714994438> Checking if library/alpine-3 latest needs updating
updater | 2023/08/29 00:21:53 INFO <job_714994438> Latest version is latest
proxy | 2023/08/29 00:21:53 [018] HEAD https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
proxy | 2023/08/29 00:21:53 [018] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
updater | 2023/08/29 00:21:53 INFO <job_714994438> Pull request already exists for library/alpine-3 with latest version latest
```
Hello @jurre
I manually triggered a dependabot rebase and the sha got updated. But the scheduled update with dependabot doesn't update the PR:
```
updater | 2023/09/04 15:32:30 INFO <job_717694753> Pull request already exists for steamcmd/steamcmd with latest version ubuntu-22
updater | 2023/09/04 15:32:30 INFO <job_717694753> Finished job processing
```
Now the current latest sha is: 6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15
In 2-3 hours the docker sha should be changed again and also the pr should update with the next dependabot schedule.
I'll report back after the next docker sha change.
Hello,
The sha changed to 044c5c03c0d8aeb0a9e510dd4c57e6392409cb45a0ded6734fe9d8ac540b36f7. I triggered the dependabot scheduled update: same log and no updated PR.
Any updates on a potential repro for this?
@deivid-rodriguez I think https://github.com/dependabot/dependabot-core/issues/7387#issuecomment-1706640918 has all information and references a PR that shows the problem. If you need more let us know.
Oh, right, thanks @szuecs. #8070 should fix this!
After a closer look, my PR only fixes the last error you mentioned, but I don't think it will fix the original issue.
My understanding is that the original issue is that, when pinned to a SHA reference, Dependabot is able to create an initial PR, but then subsequent scheduled runs won't update the initial PR with newer SHAs like it happens with regular version updates. I think that's still an issue. You can work around it as mentioned above with `@dependabot recreate` or by merging the PR and letting a fresh one be created.
Something I'm not clear about is that, according to my investigation, the last error mentioned happened due to registry.opensource.zalan.do/library/alpine-3 not providing a "latest" tag. However, the previous error about a PR already being opened mentions the "latest" tag. So I'm confused about that. Is it expected that your image does not provide a rolling latest tag?
Would it help if I update the provided repository with a ci workflow, to manually update a docker image? So something like a nginx container with the github_run_id for the index.html?
Recreating the PR or merging it works.
@deivid-rodriguez I am not sure if you can access https://github.com/zalando/skipper/security/code-scanning/117, but if so, the reason why not to use the "latest" tag is that the OpenSSF scorecard says we should "pin by hash" and not use the "latest" tag.
Here is a picture of the recommendation:
I can't access that, but my point was not to advise not using "latest" as the consumer of the image, but that under my testing, the "latest" label for the registry.opensource.zalan.do/library/alpine-3 did not exist. I think I'm missing something since I can pull that tag just fine, so let me double check.
So, to try to better explain the problem.
While https://registry.opensource.zalan.do/v2/library/alpine-3/tags/list does not list "latest", the "latest" tag does exist as per https://registry.opensource.zalan.do/v2/library/alpine-3/manifests/latest. This confuses dependabot.
If I completely remove the line that checks whether the "latest" tag is listed:
diff --git a/docker/lib/dependabot/docker/update_checker.rb b/docker/lib/dependabot/docker/update_checker.rb
index 91fddf714..e831bca37 100644
--- a/docker/lib/dependabot/docker/update_checker.rb
+++ b/docker/lib/dependabot/docker/update_checker.rb
@@ -214,8 +214,6 @@ module Dependabot
end
def latest_digest
- return unless tags_from_registry.map(&:name).include?("latest")
-
digest_of("latest")
end
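Review bot: dropping the `include?("latest")` guard makes `latest_digest` call `digest_of("latest")` unconditionally, so for a registry that has no `latest` manifest at all the method no longer returns nil early and instead depends on how `digest_of` behaves on a missing manifest; that path was previously unreachable. The logs in this thread show the `manifests/latest` HEAD returning 200 while `tags/list` omits the tag, so the guard is asking the wrong endpoint rather than being unnecessary. A safer change would keep a guard but base it on the manifest lookup (treating a not-found response as "no latest") instead of on the tag listing.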
then the update succeeds just fine.
Regardless of this, I suspect the issue originally reported here (and the one the title currently describes) is a separate issue, independent from the registry implementation.
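To make the registry discrepancy concrete, the Ruby below is an added example, not dependabot-core code. It uses a constructed in-memory stand-in for the two Registry v2 endpoints the thread's logs show (`/v2/<name>/tags/list` with `?last=` pagination, and `/v2/<name>/manifests/<reference>`); `StubRegistry`, the repository names and the digests are all assumptions made for the example. It contrasts a tags-list guard like the one in the diff above with a direct manifest lookup that treats a missing manifest as "no latest".

```ruby
# Added example (not dependabot-core code): resolve what "latest" points at
# against a registry that serves manifests/latest but omits "latest" from
# tags/list, as observed in this thread. The registry is a constructed stub.

class StubRegistry
  NotFound = Class.new(StandardError)

  def initialize(tags:, manifests:, page_size: 1)
    @tags = tags            # name => tags returned by GET /v2/<name>/tags/list
    @manifests = manifests  # name => { reference => digest } for HEAD manifests/<ref>
    @page_size = page_size  # small on purpose so pagination is exercised
  end

  # GET /v2/<name>/tags/list[?last=<tag>]: one page of tags after `last`.
  def tags_list(name, last: nil)
    all = @tags.fetch(name, [])
    idx = last ? all.index(last) : nil
    start = idx ? idx + 1 : (last ? all.length : 0)
    { "name" => name, "tags" => all[start, @page_size] || [] }
  end

  # HEAD /v2/<name>/manifests/<reference> -> Docker-Content-Digest, or 404.
  def manifest_digest(name, reference)
    @manifests.fetch(name, {}).fetch(reference) do
      raise NotFound, "#{name}:#{reference}"
    end
  end
end

# Walk tags/list pages until the registry returns an empty page.
def all_tags(registry, name)
  tags = []
  last = nil
  loop do
    page = registry.tags_list(name, last: last)["tags"]
    break if page.empty?
    tags.concat(page)
    last = page.last
  end
  tags
end

# Approach A (the guard shown in the diff above): trust the tag listing.
def latest_digest_via_tag_list(registry, name)
  return nil unless all_tags(registry, name).include?("latest")
  registry.manifest_digest(name, "latest")
end

# Approach B: ask the manifest endpoint directly; a 404 means "no latest".
def latest_digest_via_manifest(registry, name)
  registry.manifest_digest(name, "latest")
rescue StubRegistry::NotFound
  nil
end

# What an updater ultimately needs: is the pinned digest behind "latest"?
def pinned_digest_stale?(registry, name, current_digest)
  latest = latest_digest_via_manifest(registry, name)
  !latest.nil? && latest != current_digest
end

# Constructed registry contents (placeholder digests, not real images).
ALPINE_DIGEST = "sha256:#{'2' * 64}".freeze
SAMPLE_REGISTRY = StubRegistry.new(
  tags: {
    "library/alpine-3" => %w[3-20230821 3-20230828],   # no "latest" listed
    "library/other" => %w[1.0 latest],                 # "latest" listed
    "library/nolatest" => %w[1.0]                      # no "latest" at all
  },
  manifests: {
    "library/alpine-3" => { "3-20230828" => ALPINE_DIGEST, "latest" => ALPINE_DIGEST },
    "library/other" => { "1.0" => "sha256:#{'8' * 64}", "latest" => "sha256:#{'9' * 64}" },
    "library/nolatest" => { "1.0" => "sha256:#{'7' * 64}" }
  }
)

if __FILE__ == $PROGRAM_NAME
  %w[library/alpine-3 library/other library/nolatest].each do |name|
    puts "#{name}: via tags/list=#{latest_digest_via_tag_list(SAMPLE_REGISTRY, name).inspect} " \
         "via manifest=#{latest_digest_via_manifest(SAMPLE_REGISTRY, name).inspect}"
  end
end
```

For `library/alpine-3` the two approaches disagree: the tags-list guard yields nil (which is what produced the "Latest version is" log line with nothing after it), while the manifest lookup returns the digest. For a repository that genuinely has no `latest`, both return nil, so the manifest-based check keeps the guard's protective effect without depending on the tag listing being complete.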
@cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created is not updated or superseded with newer hashes.
> @cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created is not updated or superseded with newer hashes.
That is correct.
I have a combination of tag and pinned hash (nginx:stable-alpine@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6). With the example, I would expect dependabot to search for stable-alpine and figure out if there is another sha associated with it.
Without a tag, dependabot can't really decide what the desired update target should be, can it? So from my point of view, there are only two options:
Unfortunately docker doesn't provide more information about a pinned image (RepoTags are empty).
```bash
docker image inspect nginx@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6
[
{
"Id": "sha256:6dae3976ee053bb83177d82f6d05d91d669423bab48a9db94805e0b7808065c5",
"RepoTags": [],
"RepoDigests": [
"nginx@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6"
],
"Parent": "",
"Comment": "",
"Created": "2023-08-09T02:16:04.742143271Z",
"Container": "2c525ecdd2ce275fc8fcbb28650a821965558907fee45bae682fffb7bb0c4594",
"ContainerConfig": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.24.0",
"PKG_RELEASE=1",
"NJS_VERSION=0.7.12"
],
"Cmd": [
"/bin/sh",
"-c",
"set -x && apkArch=\"$(cat /etc/apk/arch)\" && nginxPackages=\" nginx=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \" && apk add --no-cache --virtual .checksum-deps openssl && case \"$apkArch\" in x86_64|aarch64) set -x && KEY_SHA512=\"e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655\" && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub && if echo \"$KEY_SHA512 */tmp/nginx_signing.rsa.pub\" | sha512sum -c -; then echo \"key verification succeeded!\"; mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; else echo \"key verification failed!\"; exit 1; fi && apk add -X \"https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\\.[0-9]+' /etc/alpine-release)/main\" --no-cache $nginxPackages ;; *) set -x && tempDir=\"$(mktemp -d)\" && chown nobody:nobody $tempDir && apk add --no-cache --virtual .build-deps gcc libc-dev make openssl-dev pcre2-dev zlib-dev linux-headers libxslt-dev gd-dev geoip-dev libedit-dev bash alpine-sdk findutils && su nobody -s /bin/sh -c \" export HOME=${tempDir} && cd ${tempDir} && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && PKGOSSCHECKSUM=\\\"dc47dbaeb1c0874b264d34ddfec40e7d2b814e7db48d144e12d5991c743ef5fcf780ecbab72324e562dd84bb9c0e4dd71d14850b20ceaf470c46f8fe7510275b *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\\\" && if [ \\\"\\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\\\" = \\\"\\$PKGOSSCHECKSUM\\\" ]; then echo \\\"pkg-oss tarball checksum verification succeeded!\\\"; else echo \\\"pkg-oss tarball checksum verification failed!\\\"; exit 1; fi && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} && cd alpine && make module-geoip 
module-image-filter module-njs module-xslt && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \" && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ && apk del .build-deps && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages ;; esac && apk del .checksum-deps && if [ -n \"$tempDir\" ]; then rm -rf \"$tempDir\"; fi && if [ -n \"/etc/apk/keys/abuild-key.rsa.pub\" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi && if [ -n \"/etc/apk/keys/nginx_signing.rsa.pub\" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi && apk add --no-cache curl ca-certificates"
],
"Image": "sha256:90751f73663d6fc8df8afc448d7d65eaddd4c815176a4738891ad948fa4d5f62",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"maintainer": "NGINX Docker Maintainers
```
Yes, we currently fallback to the latest tag. The problem is that when checking if a PR is already opened for the latest version, we don't seem to consider SHAs, that's why you won't get the PR superseded with another PR when there's a newer SHA available.
> I have a combination of tag and pinned hash

In such a case the tag is ignored, see https://github.com/moby/moby/issues/37866
FYI: we got an update https://github.com/zalando/skipper/pull/2635
Yes. Your problem is specific to the alpine-3 image, as I explained at https://github.com/dependabot/dependabot-core/issues/7387#issuecomment-1728176715. The other images shouldn't be having any issues.
Is there an existing issue for this?
Package ecosystem
Docker
Package manager version
n/a
Language version
n/a
Manifest location and content before the Dependabot update
dependabot.yml content
Updated dependency
What you expected to see, versus what you actually saw
I would expect that the previous PR gets updated with the new SHA digest of the newest available docker image.
The PR doesn't get an update. If the PR gets created, it works (fixed with this issue: #6150).
Note: the steamcmd/steamcmd image gets an update every 6 hours.
Native package manager behavior
n/a
Images of the diff or a link to the PR, issue, or logs
Dependabot Output:
Smallest manifest that reproduces the issue
https://github.com/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue