snyk container test from private repository

I'm trying to use snyk with a privately hosted repository managed with podman.

snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

I have also tried oci.example.com/image:latest and oci.example.com/image:arm64, and made sure they exist in the repository.

The error I keep getting is:

snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests

I can reproduce the same error using the API directly:

curl -u 'user:pass' -i -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://oci.example.com/v2/mailpile/image/latest

This works, though:

curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/[IMAGE]/manifests/latest

I'm wondering what I'm missing. Perhaps snyk relies on a distribution.manifest that podman push oci.example.com/image doesn't seem to provide. I suspected this after reading https://podman.io/blogs/2021/10/11/multiarch.html:

"Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you’ll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you’re on Podman v3.4, use the buildah tag command instead."

I also verified this by peeking with manifest inspect, and indeed it seems to attach only the image, with no distribution.manifest by default.

Latest versions from the OpenSUSE Debian Podman repository:

$ podman --version
podman version 3.3.1
$ buildah --version
buildah version 1.21.3 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)

From the article: "The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1." I'm not entirely sure what this means or how it affects my situation.

So I tried to follow the article above:

podman push oci.example.com/image:arm64
podman manifest add oci.example.com/image:latest docker://oci.example.com/image:arm64
podman manifest push --all oci.example.com/image:latest docker://oci.example.com/image:latest

Then I ran:

snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

I still get the same error:

snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests

If I try :arm64, same problem.

But trying the :latest tag:

snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image:latest -d

snyk-test error: FailedToRunTestError: Cannot read property 'digest' of undefined

I tried deleting the image from the registry and starting over:

curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/image/manifests/latest

curl -u "user:pass" -X "DELETE" https://oci.example.com/v2/image/manifests/sha256:1298754b84f5fa37425cd5c2ccc4eb7a1f70433611ad430e467d8e8d52caeced

...but I always get similar results.

Steps to fix:

podman build --format=docker -t oci.example.com/image .

podman push oci.example.com/image oci.example.com/image
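
An added example, not part of the original post: a simplified Python model of the manifest content negotiation behind the error above. It shows why an OCI-format image is refused when the client's Accept header lists only Docker manifest types (as in the curl reproduction) and why the --format=docker build is served. The function names and the sample manifests are constructed for illustration.

```python
import json

DOCKER_V2 = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_ERROR = "OCI manifest found, but accept header does not support OCI manifests"

def stored_media_type(manifest):
    """Return the media type of a manifest document as a registry stores it."""
    declared = manifest.get("mediaType")
    if declared:
        return declared
    # The OCI image spec allows the top-level mediaType to be omitted,
    # so fall back to the shape of the document.
    if "manifests" in manifest:
        return OCI_INDEX
    config_type = manifest.get("config", {}).get("mediaType", "")
    return OCI_MANIFEST if ".oci." in config_type else DOCKER_V2

def accepted_types(accept_header):
    """Split an Accept header into media types, dropping q= parameters."""
    return {p.split(";")[0].strip() for p in accept_header.split(",") if p.strip()}

def check(manifest_json, accept_header):
    """Model the negotiation: (True, media_type) or (False, reason)."""
    stored = stored_media_type(json.loads(manifest_json))
    if stored in accepted_types(accept_header):
        return True, stored
    if stored in (OCI_MANIFEST, OCI_INDEX):
        return False, OCI_ERROR
    return False, "stored as %s, which the client does not accept" % stored

def sample(config_type, media_type=None):
    """Build a constructed manifest (placeholder digest, not a real image)."""
    doc = {"schemaVersion": 2, "layers": [],
           "config": {"mediaType": config_type, "digest": "sha256:<placeholder>", "size": 1}}
    if media_type:
        doc["mediaType"] = media_type
    return json.dumps(doc)

OCI_BUILD = sample("application/vnd.oci.image.config.v1+json")
DOCKER_BUILD = sample("application/vnd.docker.container.image.v1+json", DOCKER_V2)

if __name__ == "__main__":
    docker_only = DOCKER_V2 + ", " + DOCKER_LIST
    for name, doc in (("OCI-format build", OCI_BUILD), ("--format=docker build", DOCKER_BUILD)):
        print(name, "->", check(doc, docker_only))
```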