oceanprotocol / pm

Zenhub needs each issue associated with one repo. This repo is a workaround, to mark issues that span >1 repos.

Compute: use docker digest instead of name:tag #154

Closed alexcos20 closed 2 years ago

alexcos20 commented 2 years ago

We have the following definition of an algo container:

"container": {
              "entrypoint": "node $ALGO",
              "image": "node",
              "tag": "latest",
              "checksum": "sha256:867768767..."
            }

where checksum is the image digest (i.e. sha256:xxxx)

For now, anyone can use an empty checksum, and c2d will start node:latest. Once this algo is approved, the algo publisher will update the image on Docker Hub with malicious code.

Proposal:

See https://docs.docker.com/engine/reference/commandline/pull/#pull-an-image-by-digest-immutable-identifier

Docs updated in https://github.com/oceanprotocol/docs/pull/1032
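
An added example, not part of the original thread or of Ocean Protocol's code: one way a service could refuse an empty checksum, build the immutable `image@sha256:...` reference from the container definition above, and notice when the tag no longer resolves to the approved digest. The function names, the injected `resolve_digest` callable and the sample digests are assumptions made for illustration.

```python
import re

# Docker content-addressed digest: "sha256:" followed by 64 lowercase hex chars.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


class ContainerSpecError(ValueError):
    """Raised when an algorithm container definition is not safely pinned."""


def pinned_reference(container):
    """Return an immutable 'image@sha256:...' pull reference, or raise."""
    image = container.get("image") or ""
    checksum = container.get("checksum") or ""
    if not image:
        raise ContainerSpecError("missing image name")
    if not checksum:
        # The case from the issue: an empty checksum falls back to a mutable tag.
        raise ContainerSpecError("empty checksum: refusing to run by name:tag")
    if not DIGEST_RE.fullmatch(checksum):
        raise ContainerSpecError("checksum is not a sha256 image digest")
    return f"{image}@{checksum}"


def check_tag_matches(container, resolve_digest):
    """Compare the declared checksum with what the tag resolves to right now.

    resolve_digest(image, tag) is a hypothetical callable supplied by the
    caller (for instance a registry lookup); it is injected here so the
    example runs offline.
    """
    reference = pinned_reference(container)
    current = resolve_digest(container["image"], container.get("tag", "latest"))
    if current != container["checksum"]:
        raise ContainerSpecError("tag no longer points at the approved digest")
    return reference


# Constructed sample data: these digests are made-up values, not real images.
APPROVED = "sha256:" + "a" * 64
REPUSHED = "sha256:" + "b" * 64
SPEC = {"entrypoint": "node $ALGO", "image": "node", "tag": "latest",
        "checksum": APPROVED}

if __name__ == "__main__":
    print(pinned_reference(SPEC))
```

Running the job from the returned reference rather than from `image:tag` means a later push to the same tag does not change what is executed.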

calina-c commented 2 years ago

I also updated a different ticket (https://github.com/oceanprotocol/provider/issues/509) with the info regarding the container-checksums-check image. It is now available for testing and more container validation is done via provider, before paying for the job. Once the correct data reaches the c2d services, it will use the proper flow (implemented by Alex before he left). I will therefore mark both the provider and op-engine tasks as done. I added ocean.py updates as well, so only the ocean.js and marketplace tasks remain.