go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Image Index/Manifestlist is defect if referenced package version is deleted #21956

Open joniw opened 1 year ago

joniw commented 1 year ago

Description

Hello,

When a package version that is referenced by an OCI Image Index (or ManifestList for Docker) is deleted, the image can no longer be fetched via the Image Index if the deleted tag is needed or used.

Create an Image Index:

root@dev # docker pull amd64/alpine
    Using default tag: latest
    latest: Pulling from amd64/alpine
    c158987b0551: Pull complete
    Digest: sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c
    Status: Downloaded newer image for amd64/alpine:latest
    docker.io/amd64/alpine:latest
root@dev # docker pull arm64v8/alpine
    Using default tag: latest
    latest: Pulling from arm64v8/alpine
    261da4162673: Pull complete
    Digest: sha256:af06af3514c44a964d3b905b498cf6493db8f1cde7c10e078213a89c87308ba0
    Status: Downloaded newer image for arm64v8/alpine:latest
    docker.io/arm64v8/alpine:latest
root@dev ~ # docker tag arm64v8/alpine gitea-test/test-user/alpine:latest-arm64v8
root@dev ~ # docker tag amd64/alpine gitea-test/test-user/alpine:latest-amd64
root@dev ~ # docker push gitea-test/test-user/alpine:latest-arm64v8
    The push refers to repository [gitea-test/test-user/alpine]
    1b577a8fb8ce: Pushed
    latest-arm64v8: digest: sha256:af06af3514c44a964d3b905b498cf6493db8f1cde7c10e078213a89c87308ba0 size: 528
root@dev ~ # docker push gitea-test/test-user/alpine:latest-amd64
    The push refers to repository [gitea-test/test-user/alpine]
    ded7a220bb05: Pushed
    latest-amd64: digest: sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c size: 528
root@dev ~ # docker manifest create gitea-test/test-user/alpine gitea-test/test-user/alpine:latest-amd64 -a gitea-test/test-user/alpine:latest-arm64v8
    Created manifest list gitea-test/test-user/alpine:latest
root@dev ~ # docker manifest push gitea-test/test-user/alpine
    sha256:4a5b8d1fa34a84569d302ab7bddd9c37bad546ee2be6a94d244d8bebb19ded3a

Now delete the container image with version "latest-amd64" via the web interface.

Try to pull the image on an amd64 architecture:

root@dev ~ # docker pull gitea-test/test-user/alpine
latest: Pulling from test-user/alpine
manifest unknown

Before running the package prune, the files are still present:

/data # find packages -type f -exec file {} \;
packages/c1/58/c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715: gzip compressed data, original size modulo 2^32 7337984
packages/49/17/49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da: JSON data
packages/4a/5b/4a5b8d1fa34a84569d302ab7bddd9c37bad546ee2be6a94d244d8bebb19ded3a: JSON data
packages/af/06/af06af3514c44a964d3b905b498cf6493db8f1cde7c10e078213a89c87308ba0: JSON data
packages/c0/d4/c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c: JSON data
packages/26/1d/261da4162673b93e5c0e7700a3718d40bcc086dbf24b1ec9b54bca0b82300626: gzip compressed data, original size modulo 2^32 7745536
packages/d3/15/d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43: JSON data

After the prune they are gone:

/data # find packages -type f -exec file {} \;
packages/4a/5b/4a5b8d1fa34a84569d302ab7bddd9c37bad546ee2be6a94d244d8bebb19ded3a: JSON data
packages/af/06/af06af3514c44a964d3b905b498cf6493db8f1cde7c10e078213a89c87308ba0: JSON data
packages/26/1d/261da4162673b93e5c0e7700a3718d40bcc086dbf24b1ec9b54bca0b82300626: gzip compressed data, original size modulo 2^32 7745536
packages/d3/15/d3156fec8bcbc7b491a4edc271a7734dcfa186fc73282d4e120eeaaf2ce95c43: JSON data

With the docker-registry container the images can still be pulled via the ManifestList, but not via the deleted tag.

In my opinion when deleting the tag, the Image Index should still work. There should at least be a warning if an Image Index references the tag.

With regards Joniw

Gitea Version

1.17.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Linux

How are you running Gitea?

Test instance in Kubernetes

Database

SQLite

KN4CK3R commented 1 year ago

I don't think this is a bug. If you delete something from the web UI you are outside the specific package registry spec and you need to know what you are doing. For this reason most package managers simply disallow deleting packages. GitLab, for example, allows deleting individual files, which is even more harmful if you don't take care. The deletion page already warns you about your action.

joniw commented 1 year ago

I agree that this is not necessarily a bug.

On the other side the ImageList references manifests which contain the digests of the packages. Should this not count as a reference?

KN4CK3R commented 1 year ago

The deletion of a package version via the UI is a dumb operation. (Currently) the package type and possible implications are not checked. We can leave this issue open but for me, this feature/enhancement has no priority because the deletion of a package is "unsupported". Lots of package registries simply disallow deletions because other entities may depend on that package and so on.

joniw commented 1 year ago

Hello,

I hoped for a quick fix to reference the IDs of the ImageList. If this is not possible, it is OK for me to leave this open as a low-priority feature request.

It could even be closed if this behaviour is intended.

With regards Joniw
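The reference check discussed in this thread, as an added example that is not Gitea's code: before a manifest is deleted, scan the stored manifest lists for entries that point at its digest and warn if any exist. `Referrers` and `sample` are hypothetical names; the two digests are the ones printed in the issue, while the JSON bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Digests are those shown in the issue; the manifest bodies below are constructed.
const (
	amd64Digest = "sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c"
	arm64Digest = "sha256:af06af3514c44a964d3b905b498cf6493db8f1cde7c10e078213a89c87308ba0"
)

var sample = map[string][]byte{ // tag -> stored manifest JSON
	"latest": []byte(`{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json",
	 "manifests":[
	  {"digest":"` + amd64Digest + `","size":528,"platform":{"architecture":"amd64","os":"linux"}},
	  {"digest":"` + arm64Digest + `","size":528,"platform":{"architecture":"arm64","os":"linux"}}]}`),
	"latest-amd64": []byte(`{"schemaVersion":2,"layers":[]}`),
}

// index holds the fields needed from an image index or manifest list
// (encoding/json matches the lower-case keys case-insensitively).
type index struct {
	Manifests []struct {
		Digest   string
		Platform struct{ Architecture, OS string }
	}
}

// Referrers lists "tag (os/arch)" for every stored index entry pointing at digest.
// Single-image manifests have no "manifests" array, so they never match.
func Referrers(stored map[string][]byte, digest string) ([]string, error) {
	hits := []string{}
	for tag, raw := range stored {
		var idx index
		if err := json.Unmarshal(raw, &idx); err != nil {
			return nil, fmt.Errorf("manifest %q: %w", tag, err)
		}
		for _, m := range idx.Manifests {
			if m.Digest == digest {
				hits = append(hits, fmt.Sprintf("%s (%s/%s)", tag, m.Platform.OS, m.Platform.Architecture))
			}
		}
	}
	sort.Strings(hits) // map iteration order is random
	return hits, nil
}

func main() { fmt.Println(Referrers(sample, amd64Digest)) }
```

A non-empty result means deleting that manifest would leave a dangling entry in the listed index, which is the `manifest unknown` failure reported above.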