Return image ID from PullImage instead of repo digest#9728
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughPull operations now return and propagate a storage-provided image ID ( Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant CRI_Server
participant Storage as Storage_ImageService
participant Artifact as Artifact_Store
Client->>CRI_Server: PullImage(request)
CRI_Server->>Storage: PullImage(imageName)
Storage-->>CRI_Server: (imageID) or (nil) or error
alt imageID returned
CRI_Server-->>Client: PullImageResponse(ImageRef=imageID)
else imageID nil (OCI artifact)
CRI_Server->>Artifact: Status(imageName)
alt Artifact returns CRI image ID
Artifact-->>CRI_Server: CRIImage().GetId()
CRI_Server-->>Client: PullImageResponse(ImageRef=artifact CRI ID)
else
CRI_Server-->>Client: PullImageResponse(ImageRef=canonicalRef)
end
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
f501204 to
27c5fd4
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
server/image_pull_test.go (1)
32-53: Use the storage ID formatter to avoid prefix mismatches.Line 53 hard-codes a bare hex value even though Line 32 parses a prefixed digest. To keep the test aligned with the intended “sha256:” format and with production formatting, compare against the StorageImageID formatter instead of a literal.
✅ Suggested fix
- Expect(response.ImageRef).To(Equal("1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef")) + Expect(response.ImageRef).To(Equal(imageID.IDStringForOutOfProcessConsumptionOnly()))
🤖 Fix all issues with AI agents
In `@test/image.bats`:
- Around line 479-495: The test currently strips the "sha256:" prefix by
extracting only the final word into pulled_id and validating only 64 hex chars;
change the extraction and validation to capture and verify the full prefixed
digest (e.g., capture "sha256:<64-hex>" from pulled_ref into pulled_id using a
regex and assert it matches ^sha256:[a-f0-9]{64}$), and ensure imageid (from
crictl images --quiet "$IMAGE") is not altered so the subsequent equality check
[ "$pulled_id" = "$imageid" ] compares the full prefixed digest strings.
7b52ca7 to
a134fb3
Compare
a134fb3 to
a5e24a7
Compare
|
@cri-o/cri-o-maintainers PTAL |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #9728 +/- ##
==========================================
+ Coverage 67.45% 67.52% +0.07%
==========================================
Files 210 210
Lines 29123 29141 +18
==========================================
+ Hits 19644 19678 +34
+ Misses 7790 7778 -12
+ Partials 1689 1685 -4 🚀 New features to boost your workflow:
|
|
/retest |
|
/hold Integration tests are not happy. |
|
iiuc ID field is not well-defined. I'd want to define the format first though I'm not opposed to the change. |
We can also follow-up on CRI docs for that, yep. |
ca614a9 to
da079e0
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (2)
internal/storage/image.go (1)
831-837: Minor: unnecessaryelseafterreturninPullImage.Both branches return, so the
elseis redundant. This is a pre-existing pattern, but a trivial cleanup opportunity.Optional simplification
func (svc *imageService) PullImage(ctx context.Context, imageName RegistryImageReference, options *ImageCopyOptions) (*StorageImageID, error) { if options.CgroupPull.UseNewCgroup { return svc.pullImageParent(ctx, imageName, options.CgroupPull.ParentCgroup, options) - } else { - return pullImageImplementation(ctx, svc.lookup, svc.store, svc.storageTransport, imageName, options) } + return pullImageImplementation(ctx, svc.lookup, svc.store, svc.storageTransport, imageName, options) }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@internal/storage/image.go` around lines 831 - 837, In PullImage (method imageService.PullImage) remove the unnecessary else: since the if branch returns svc.pullImageParent(...), follow it with a bare return of pullImageImplementation(ctx, svc.lookup, svc.store, svc.storageTransport, imageName, options) without wrapping it in an else block; update the function body to return directly when the if is false, keeping svc.pullImageParent and pullImageImplementation calls unchanged.server/image_pull.go (1)
126-146: Clean branching on imageID nilness for regular images vs. OCI artifacts.The nil check on
pullOp.imageIDbefore callingIDStringForOutOfProcessConsumptionOnly()correctly prevents a panic on the value-type method. The OCI artifact fallback viaArtifactStore().Status()is a sensible alternative path.One consideration: if
ArtifactStore().Status()also fails, the error message at line 141 ("get image status after pull") could be confusing since the pull itself succeeded (with a nil imageID). Consider adding context that this is an OCI artifact lookup.Suggested clarification in error message
- return nil, fmt.Errorf("get image status after pull: %w", err) + return nil, fmt.Errorf("get OCI artifact status after pull: %w", err)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@server/image_pull.go` around lines 126 - 146, The error returned from ArtifactStore().Status(...) after a nil pullOp.imageID can be misleading because the pull succeeded but the OCI artifact lookup failed; update the error returned from the Status call to include context that this was an OCI artifact lookup (include the image variable and mention "OCI artifact lookup" in the message) so callers see "OCI artifact lookup for <image> failed: %w" (or similar) instead of "get image status after pull"; adjust the fmt.Errorf invocation in the branch that calls ArtifactStore().Status to provide that clarified message and include the original error.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@internal/storage/image.go`:
- Around line 831-837: In PullImage (method imageService.PullImage) remove the
unnecessary else: since the if branch returns svc.pullImageParent(...), follow
it with a bare return of pullImageImplementation(ctx, svc.lookup, svc.store,
svc.storageTransport, imageName, options) without wrapping it in an else block;
update the function body to return directly when the if is false, keeping
svc.pullImageParent and pullImageImplementation calls unchanged.
In `@server/image_pull.go`:
- Around line 126-146: The error returned from ArtifactStore().Status(...) after
a nil pullOp.imageID can be misleading because the pull succeeded but the OCI
artifact lookup failed; update the error returned from the Status call to
include context that this was an OCI artifact lookup (include the image variable
and mention "OCI artifact lookup" in the message) so callers see "OCI artifact
lookup for <image> failed: %w" (or similar) instead of "get image status after
pull"; adjust the fmt.Errorf invocation in the branch that calls
ArtifactStore().Status to provide that clarified message and include the
original error.
|
/retest |
|
/override ci/prow/e2e-gcp-ovn |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-aws-ovn, ci/prow/e2e-gcp-ovn DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
da079e0 to
b661a05
Compare
b661a05 to
692a101
Compare
|
/test ci-fedora-integration |
| type pullImageOutputItem struct { | ||
| Progress *types.ProgressProperties `json:",omitempty"` | ||
| Result string `json:",omitempty"` // If not "", in the format of RegistryImageReference.StringForOutOfProcessConsumptionOnly(), and always contains a digest. | ||
| ImageID string `json:",omitempty"` // If not "", the storage image ID in the format of StorageImageID.IDStringForOutOfProcessConsumptionOnly() |
There was a problem hiding this comment.
nit:
| ImageID string `json:",omitempty"` // If not "", the storage image ID in the format of StorageImageID.IDStringForOutOfProcessConsumptionOnly() | |
| // ImageID is in the format of StorageImageID.IDStringForOutOfProcessConsumptionOnly(), or "" if it's OCI artifacts | |
| ImageID string `json:",omitempty"` |
692a101 to
3533b03
Compare
| // OCI artifacts are not stored in container storage and therefore have | ||
| // no storage image ID. Returning nil signals callers to fall back to | ||
| // the artifact store for status lookups (see PullImage in server/image_pull.go). | ||
| return nil, nil |
There was a problem hiding this comment.
Probably we shouldn't have implemented artifact pull in this storage, but returning nil here doesn't sound right to me.
If we think the OCI artifacts are managed by this package, artifacts should have storageID, and otherwise we should move pull implementation to elsewhere.
For now, I think keeping it return reference, and return ID in image_pull is better. Sorry for backing down my initial comment.
There was a problem hiding this comment.
I've updated the PR to keep pullImageImplementation returning RegistryImageReference (unchanged storage layer) and moved the ref to ID resolution to server/image_pull.go via a new resolveImageRefToID method. It tries ImageStatusByName first, then falls back to the artifact store for OCI artifacts. No more nil return path.
There was a problem hiding this comment.
I really have no idea why doing that outside of pullImageImplementation should be easier (what if an object with the same name@digest exists in both??) but it’s not my codebase to maintain.
Resolve the pulled image reference to a storage image ID in the server layer (server/image_pull.go) rather than changing the storage layer's PullImage return type. This keeps the storage layer's contract unchanged while the server resolves references to IDs via ImageStatusByName, with a fallback to the artifact store for OCI artifacts. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
3533b03 to
aed9671
Compare
|
lgtm, though I want to make sure there's enough time for others to review it. |
|
/lgtm |
|
/cherry-pick release-1.35 |
|
@haircommander: #9728 failed to apply on top of branch "release-1.35": DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR changes
PullImageto return the storage image ID instead of the repo digest, fixing a compatibility issue with Kubernetes credential verification which expectsPullImageandGetImageRefto return compatible values for pull record lookups.The ref-to-ID resolution happens in the server layer (
server/image_pull.go) via a newresolveImageRefToIDmethod, keeping the storage layer'sPullImagecontract unchanged. For OCI artifacts (not stored in container storage), it falls back to the artifact store.Which issue(s) this PR fixes:
None
Special notes for your reviewer:
None
Does this PR introduce a user-facing change?