Skip to content

prevent ctr from creating tags with forbidden characters #9027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
samuelkarp merged 2 commits into from
Oct 12, 2023
Merged

prevent ctr from creating tags with forbidden characters #9027

samuelkarp merged 2 commits into from
Oct 12, 2023

Conversation

@akhilerm
Copy link
Member

@akhilerm akhilerm commented Aug 29, 2023
edited
Loading

check if the target tag that is to be created using ctr image tag is valid and does not contain any forbidden characters.

A new flag --skip-reference-check has been added so that this check for forbidden characters can be skipped.

Fixes #8844

@akhilerm
Copy link
Member Author

akhilerm commented Aug 29, 2023

/cc @dmcgowan

There is also an alternate solution for this that I can think of as described here #8844 (comment)

@k8s-ci-robot k8s-ci-robot requested a review from dmcgowan August 29, 2023 18:16
@k8s-ci-robot
Copy link

k8s-ci-robot commented Aug 29, 2023

Hi @akhilerm. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@akhilerm
Copy link
Member Author

akhilerm commented Aug 30, 2023

/cc @samuelkarp

@samuelkarp
Copy link
Member

samuelkarp commented Aug 30, 2023

I think my preference is the alternate approach you outlined in #8844 (comment); validating in the service would prevent any client from creating an invalid tag rather than just ctr. But @dmcgowan might have a different opinion since that's arguably a breaking change.

@akhilerm
Copy link
Member Author

akhilerm commented Aug 30, 2023

/ok-to-test

@k8s-ci-robot
Copy link

k8s-ci-robot commented Aug 30, 2023

@akhilerm: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dmcgowan
Copy link
Member

dmcgowan commented Aug 30, 2023
edited
Loading

We have intentionally not added any sort of image name validation in the image service, this should be done by clients or components interacting with the registry. The reason being that the definition of a valid tag is highly contextual. We don't need to block users from creating a tag with + and running a container with that. If a user tries to push such a tag, then the tag validation is based on what is supported by the registry. Adding a definition and validation in the transfer service could make sense though.

What is the use case trying to be prevented here though? ctr is not a tool we expect end users to use, we generally don't add extra guardrails around it since users are expected to interact with CRI/Docker/Nerdctl for their use cases.

@thaJeztah
Copy link
Member

thaJeztah commented Aug 30, 2023

Also related (have not looked at the code in this PR yet, but the PR description caught my eye);

@akhilerm
Copy link
Member Author

akhilerm commented Aug 31, 2023

The reason being that the definition of a valid tag is highly contextual.

Isnt this defined as per the OCI spec?

Adding a definition and validation in the transfer service could make sense though.

for that we will have to do the tagging via transfer API right, which is not enabled by default.

What is the use case trying to be prevented here though?

The images tagged by ctr with invalid tags cannot be seen by CRI as those tags are omitted

@SergeyKanzhelev might be able to provide more use cases for it.

@dmcgowan
Copy link
Member

dmcgowan commented Aug 31, 2023

Isnt this defined as per the OCI spec?

It is defined for image distribution and for the layout annotations, maybe elsewhere as well. We always aim to support the super set for local image management though and our data model and API really has no limitation on what the image name could be. The expectation is that image name is enforced via build tooling, registry limitations, and what is supported via import. Tag was an operation we initially didn't allow in ctr because of the belief that images creation would be done elsewhere. With support for tagging and image creation, it is still the responsibility of the user or tool to pick the right format for how the image is intended to be used.

for that we will have to do the tagging via transfer API right, which is not enabled by default.

We could switch the default for tagging to use the transfer API

The images tagged by ctr with invalid tags cannot be seen by CRI as those tags are omitted

Maybe they don't even need to be omitted. CRI does not support push anyway. Any attempt to pull or refresh the image from a registry will not succeed though.

@dmcgowan
Copy link
Member

dmcgowan commented Sep 5, 2023

I am LGTM on this if we add support for --force or some other flag to get around the reference check. Also update the reference package import from #9034

@akhilerm
Copy link
Member Author

akhilerm commented Sep 6, 2023

Will update it. Better than --force, I think we can have a --skip-reference-check for the tag command or common for all commands which can then be used to ignore the check.

@akhilerm
prevent ctr from creating tags with forbidden characters
6ec0d4a 
check if the target tag that is to be created using ctr image tag
is valid and does not contain any forbidden characters.

Signed-off-by: Akhil Mohan <makhil@vmware.com>
@akhilerm akhilerm force-pushed the fix-ctr-forbidden-characters branch from 58eeffd to 9311b38 Compare September 6, 2023 11:32
akhilerm
akhilerm commented Sep 6, 2023
View reviewed changes
cmd/ctr/commands/images/tag.go Outdated

if !context.BoolT("local") {
for _, targetRef := range context.Args()[1:] {
if _, err := reference.ParseAnyReference(targetRef); !context.Bool("skip-reference-check") && err != nil {
Copy link
Member Author

@akhilerm akhilerm Sep 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmcgowan Added a new flag, to skip the strict reference name check.

But IMHO, doesn't it make the code less clean?

Also, should we have this as a global flag, so that other commands can also have the flag to skip the strict checks

@akhilerm
Copy link
Member Author

akhilerm commented Sep 6, 2023

Should we also add a proper release note as this is a breaking change for the ctr images tag command.?

@akhilerm
Copy link
Member Author

akhilerm commented Sep 12, 2023

Can I get another round of review on the PR? Have addressed all the comments.

samuelkarp
samuelkarp reviewed Sep 17, 2023
View reviewed changes
@akhilerm
add a new flag "skip-reference-check" to skip reference name check
4b59d67 
Signed-off-by: Akhil Mohan <makhil@vmware.com>
@akhilerm akhilerm force-pushed the fix-ctr-forbidden-characters branch from 9311b38 to 4b59d67 Compare October 6, 2023 12:27
@akhilerm
Copy link
Member Author

akhilerm commented Oct 6, 2023

@samuelkarp Can you take a look once again. I have made the changes as suggested.

@samuelkarp samuelkarp merged commit 4205030 into containerd:main Oct 12, 2023
@samuelkarp samuelkarp removed their assignment Oct 12, 2023
@akhilerm akhilerm deleted the fix-ctr-forbidden-characters branch October 12, 2023 03:01
kiashok added a commit to kiashok/containerd that referenced this pull request Oct 23, 2024
@kiashok
Merged PR 8946463: [fork-external/main] Update fork-external/main wit…
ebe5b9b 
…h upstream containerd/main

update fork-external/main branch to upstream containerd/main at commit f90f80d

Related work items: containerd#8736, containerd#8861, containerd#8924, containerd#8934, containerd#9027, containerd#9076, containerd#9104, containerd#9118, containerd#9141, containerd#9155, containerd#9177, containerd#9183, containerd#9184, containerd#9186, containerd#9187, containerd#9191, containerd#9200, containerd#9205, containerd#9211, containerd#9214, containerd#9215, containerd#9221, containerd#9223, containerd#9228, containerd#9231, containerd#9234, containerd#9242, containerd#9246, containerd#9247, containerd#9251, containerd#9253, containerd#9254, containerd#9255, containerd#9268
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kzys kzys kzys approved these changes

@dmcgowan dmcgowan dmcgowan approved these changes

@samuelkarp samuelkarp samuelkarp approved these changes

Assignees

No one assigned

Labels

needs-ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ctr images tag allows to create tags with the forbidden characters

6 participants

@akhilerm @k8s-ci-robot @samuelkarp @dmcgowan @thaJeztah @kzys