image-rs: fix duplicated image layer detective logic #842
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Let me give it a quick try on my side and, as always, thanks @Xynnn007! |
|
It works as expected, thanks @Xynnn007! |
Xynnn007
force-pushed
the
fix-image-rs
branch
from
3f8c601 to
3ab14ca
Compare
|
Fixed the lint error. |
mkulke
approved these changes
Dec 11, 2024
Before this commit, when we pull images who have two encrypted layers whose corresponding plaintext layers are same like `quay.io/fidencio/prueba:encrypted`, ther will be an error like ``` index out of bounds: the len is 25 but the index is 25 ``` This is caused by the deduplication logic inside image pull logic. On one hand, it will delete duplicated layers recorded inside image manifest, who reflectes the encrypted layers/blobs. On the other hand, it will delete duplicated layers recorded inside the config.json, who reflects the plaintext of the layers. The image encryption logic will generate a random symmetric key for each layer. Thus even the same plaintext layer would be encrypted into different blobs/layers. Thus after deduplication, we might have more layers for image manifest. This patch changes the deduplicating logic, by only check the layer digests inside image manifest, s.t. even if there are two same plaintext layers, we will pull and decrypt both of them. It's ok to do some optimization later if a fully analyzation is token. Fies confidential-containers#840 Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
fix-image-rs
branch
from
3ab14ca to
aa0bbda
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this commit, when we pull images who have two encrypted layers whose corresponding plaintext layers are same. For example
quay.io/fidencio/prueba:encrypted, there will be an error likeThis is caused by the deduplication logic inside image pull logic. On one hand, it will delete duplicated layers recorded inside image manifest, who reflectes the encrypted layers/blobs. On the other hand, it will delete duplicated layers recorded inside the config.json, who reflects the plaintext of the layers.
The image encryption logic will generate a random symmetric key for each layer. Thus even the same plaintext layer would be encrypted into different blobs/layers. Thus after deduplication, we might have more layers for image manifest.
This patch changes the deduplicating logic, by only check the layer digests inside image manifest, s.t. even if there are two same plaintext layers, we will pull and decrypt both of them. It's ok to do some optimization later if a fully analyzation is taken.
Fies #840
cc @fidencio @mkulke @arronwy