Analysis fails when container image has uncompressed layers #1080
Comments
I tried one simple approach to the problem:
diff --git a/anchore_engine/clients/skopeo_wrapper.py b/anchore_engine/clients/skopeo_wrapper.py
index ba337330..7c0515d0 100644
--- a/anchore_engine/clients/skopeo_wrapper.py
+++ b/anchore_engine/clients/skopeo_wrapper.py
@@ -187,7 +187,7 @@ def download_image(
cmd = [
"/bin/sh",
"-c",
- "skopeo {} {} copy {} {} {} {} docker://{} oci:{}:image".format(
+ "skopeo {} {} copy --dest-oci-accept-uncompressed-layers=true {} {} {} {} docker://{} oci:{}:image".format(
os_override_str,
global_timeout_str,
remove_signatures_string,
this got me a bit further but it just postponed the problem to a later phase:
$ syft -vv -o json oci-dir:/analysis_scratch/2a278dcf-3085-481c-9396-e5b2f49f2a43/raw
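Review bot: hardcoding --dest-oci-accept-uncompressed-layers=true into the format string makes every `skopeo copy` depend on a skopeo build that knows the flag; an older binary rejects the whole command, so analysis would fail for every image, not only those with uncompressed layers. Gate the flag behind a config option or a one-time capability check of the installed skopeo, and note that keeping the layer uncompressed only moves the failure into the oci-dir reader, which rejects application/vnd.oci.image.layer.v1.tar as the syft run below shows, so this hunk cannot land on its own.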
[0000] DEBUG Application config:
output: json
scope: Squashed
quiet: false
log:
structured: false
level: debug
file: ""
dev:
profilecpu: false
profilemem: false
check-for-app-update: true
anchore:
upload-enabled: false
host: ""
path: ""
username: ""
password: ""
dockerfile: ""
overwrite-existing-image: false
[0000] INFO new version of syft is available: 0.16.1
[0000] DEBUG image: source=OciDirectory location=/analysis_scratch/2a278dcf-3085-481c-9396-e5b2f49f2a43/raw from-lib=stereoscope
[0000] DEBUG image metadata: digest=sha256:cdce9ebeb6e8364afeac430fe7a886ca89a90a5139bc3b6f40b5dbd0cf66391c mediaType=application/vnd.oci.image.manifest.v1+json tags=[] from-lib=stereoscope
[0000] ERROR failed to catalog input: could not fetch image '/analysis_scratch/2a278dcf-3085-481c-9396-e5b2f49f2a43/raw': could not read image: unexpected media type: application/vnd.oci.image.layer.v1.tar for layer: sha256:b2d5eeeaba3a22b9b8aa97261957974a6bd65274ebd43e1d81d0a7b8b752b116
Another simple approach could be to use the skopeo-generated OCI manifest during analysis, instead of the one from the registry.
If layers are not compressed on the registry, skopeo copy will compress them on the fly when executing "skopeo copy ... oci:dir". That causes disparity between image manifest that was previously fetched with "skopeo inspect", which had references to uncompressed layers. This change makes analysis rely on the OCI image manifest only.
Fixes anchore#1080
Signed-off-by: Tero Saarni <[email protected]>
@tsaarni thanks for reporting this. Great issue writeup, and appreciate the significant time you have put into this already. We'll review, but I think your later suggestion to use the OCI manifest is the right one. The manifest used should reflect the state of the image on disk. We may want to add better handling for non-gzip layers in Syft itself as well, but the manifest used by the analyzer to process the image should be accurate. We currently don't do any digest validation against the content, but if/when that would be added it would by definition have to be against the directly raw downloads from the registry with no transformations applied during copy, so the skopeo updates and/or an intermediate staging of raw bits prior to OCI-format conversion would be necessary in order to facilitate a digest-validation stage. So, that concern can be deferred for now. I'll provide other comments in the PR directly.
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:
Anchore Engine v0.9.4
Anchore CLI v0.9.1

What happened:
Analysis fails for images that contain uncompressed layers. That is, layers with media type application/vnd.docker.image.rootfs.diff.tar instead of application/vnd.docker.image.rootfs.diff.tar.gzip.

What did you expect to happen:
Analysis should have succeeded.

Any relevant log output from analyzer:
The analyzer raises the following exception and analysis fails with status analysis_failed.

What docker images are you using:
docker.io/tsaarni/uncompressed-layer-demo:latest
The image is alpine:latest but it has been specifically crafted and uploaded in a way that it contains a layer that is uncompressed.

How to reproduce the issue:

Anything else we need to know:
The root cause is the following:

(1) When the image is added, Anchore first runs skopeo inspect to download the manifest. Note that the layer sha256:b2d5eeeaba3a22b9b8aa97261957974a6bd65274ebd43e1d81d0a7b8b752b116 is uncompressed.

(2) Next, it uses skopeo copy to download the image and store it as an OCI directory:
$ skopeo copy docker://tsaarni/uncompressed-layer-demo:latest oci:/analysis_scratch/...

(3) Skopeo automatically compresses the layer on the fly during the copy operation. This is the new manifest in the OCI directory. Note that the layer sha256:f12e03b5ef6655f2e0c3cc99f5f940e9be541a3b04703a27a1baf72325412af6 is now a compressed version of the layer in the original image and that the digest changed due to compression.

(4) The analyzer will still use the manifest from skopeo inspect, where the layer digest was for the uncompressed layer. Therefore the analyzer tries to open the file
/analysis_scratch/cf296952-8c5f-4e5b-b807-35dc652edc89/raw/blobs/sha256/b2d5eeeaba3a22b9b8aa97261957974a6bd65274ebd43e1d81d0a7b8b752b116
(digest from the original manifest), which does not exist. An exception is raised. It should have opened
/analysis_scratch/cf296952-8c5f-4e5b-b807-35dc652edc89/raw/blobs/sha256/f12e03b5ef6655f2e0c3cc99f5f940e9be541a3b04703a27a1baf72325412af6
(digest after skopeo copy did the compression).

Here are the contents of the work directory:

Here manifest.json and parent_manifest.json are the original manifests from skopeo inspect.

Note that the media type application/vnd.docker.image.rootfs.diff.tar was never explicitly mentioned in the image manifest v2 spec, but it is supported by runtimes and the image works just fine:
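A worked illustration of the mismatch in steps (1) to (4) and of the alternative raised in the first comment (relying on the OCI manifest skopeo wrote), as an added example that is not part of this issue or of anchore-engine's code: it builds a constructed oci:dir layout in a temporary directory whose layer blob is the gzip of a layer the registry served uncompressed, shows that the registry-side digest has no blob on disk while the index.json manifest resolves with a digest check, and that decompressing the on-disk layer hashes back to the registry digest. All function names and the layer bytes are hypothetical.

```python
import gzip, hashlib, json, tempfile
from pathlib import Path

def sha256(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()
def blob_path(oci_dir, digest):
    return Path(oci_dir, "blobs", *digest.split(":", 1))
def write_blob(oci_dir, data):
    digest = sha256(data)
    blob_path(oci_dir, digest).parent.mkdir(parents=True, exist_ok=True)
    blob_path(oci_dir, digest).write_bytes(data)
    return digest

def read_verified_blob(oci_dir, digest):
    data = blob_path(oci_dir, digest).read_bytes()
    if sha256(data) != digest:  # refuse bytes that no longer hash to the digest they are filed under
        raise ValueError("blob %s does not match its content" % digest)
    return data

def build_demo_oci_dir():
    # Constructed stand-in for skopeo's output: the registry served an uncompressed layer and skopeo
    # gzipped it into oci:dir. Returns (dir, registry manifest as `skopeo inspect` reported it); config omitted.
    oci_dir = tempfile.mkdtemp()
    raw_layer = b"constructed layer bytes standing in for a tar archive\n" * 64
    gz_layer = gzip.compress(raw_layer)
    manifest = json.dumps({"schemaVersion": 2, "layers": [{
        "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
        "digest": write_blob(oci_dir, gz_layer), "size": len(gz_layer)}]}).encode()
    Path(oci_dir, "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": [{
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": write_blob(oci_dir, manifest), "size": len(manifest)}]}))
    return oci_dir, {"layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar",
                                 "digest": sha256(raw_layer), "size": len(raw_layer)}]}

def missing_layers(oci_dir, manifest):
    # Layer digests with no blob on disk: what the analyzer trips over when it trusts `skopeo inspect`.
    return [l["digest"] for l in manifest["layers"] if not blob_path(oci_dir, l["digest"]).exists()]

def oci_manifest(oci_dir):
    # The manifest skopeo actually wrote, resolved through index.json with a digest check.
    index = json.loads(Path(oci_dir, "index.json").read_text())
    return json.loads(read_verified_blob(oci_dir, index["manifests"][0]["digest"]))

def layer_diff_ids(oci_dir, manifest):
    # sha256 of each layer's decompressed content; for a layer the registry served uncompressed
    # this equals the digest `skopeo inspect` reported, which ties the two manifests together.
    out = {}
    for layer in manifest["layers"]:
        data = read_verified_blob(oci_dir, layer["digest"])
        out[layer["digest"]] = sha256(gzip.decompress(data) if layer["mediaType"].endswith("+gzip") else data)
    return out
```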