hashicorp / nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
https://developer.hashicorp.com/nomad/plugins/drivers/podman
Mozilla Public License 2.0

Pin digest for images #354

Open Thadir opened 3 weeks ago

Thadir commented 3 weeks ago

It's common in the Docker world to be able to put the digest in an image to make sure that when the label is updated by the remote you still have a guarantee nothing changed.

E.g.

```hcl
config {
  image = "eclipse-temurin:17-alpine@sha256:3502ec51946589e5dbfcee9b8a69e8db0b92992657c4de22783913734015d554"
}
```

Especially when concerned about behavior and security, this is a nice-to-have.

shoenig commented 3 weeks ago

Hi @Thadir, it is already possible to specify an image by hash instead of by tag, e.g.

```hcl
image = "docker://redis@sha256:9ab1297933c78915584ecdaaaca2007cdb5a50effdbd66083309868ec947d0ce"
```

would be the hash version of

```
redis:7.0.15-alpine3.20
```

for linux/amd64.

What you cannot do with the podman driver is specify both the hash and the image tag.
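The three image forms discussed in this thread, checked by a small job-file linter. This is an added example, not part of the thread and not code from the nomad-driver-podman project; the function names and the sample job text are constructed for illustration. It flags tag-only references as unpinned, flags the tag-plus-digest form that the comment above says the driver cannot take, and suggests the digest-only equivalent.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
IMAGE_LINE_RE = re.compile(r'^\s*image\s*=\s*"([^"]+)"', re.MULTILINE)

def classify_image(ref):
    """Classify one image string; return (status, digest_only_form_or_None)."""
    transport, sep, rest = ref.rpartition("://")   # keeps "docker://" if present
    name, at, digest = rest.partition("@")
    # Only a ':' in the last path component is a tag; "host:5000/app" has none.
    head, slash, last = name.rpartition("/")
    repo, colon, _tag = last.partition(":")
    if not at:
        return "unpinned", None          # mutable tag (or implicit latest)
    if not DIGEST_RE.fullmatch(digest):
        return "bad-digest", None        # truncated or malformed digest
    if colon:
        # Tag and digest together: drop the tag, keep the digest.
        return "tag+digest", f"{transport}{sep}{head}{slash}{repo}@{digest}"
    return "pinned", ref

def audit_job(text):
    """Return (image, status, suggestion) for every image = "..." line."""
    return [(ref, *classify_image(ref)) for ref in IMAGE_LINE_RE.findall(text)]

# Constructed sample job text using the image strings quoted in the thread.
SAMPLE_JOB = '''
task "jvm" {
  config {
    image = "eclipse-temurin:17-alpine@sha256:3502ec51946589e5dbfcee9b8a69e8db0b92992657c4de22783913734015d554"
  }
}
task "cache" {
  config {
    image = "docker://redis@sha256:9ab1297933c78915584ecdaaaca2007cdb5a50effdbd66083309868ec947d0ce"
  }
}
task "cache-by-tag" {
  config {
    image = "redis:7.0.15-alpine3.20"
  }
}
'''

if __name__ == "__main__":
    for image, status, suggestion in audit_job(SAMPLE_JOB):
        print(f"{status:11} {image}" + (f"\n  use: {suggestion}" if suggestion and suggestion != image else ""))
```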