-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix bug: media types mismatch in manifest #273
Conversation
@@ -54,6 +55,28 @@ func (v Validator) Validate(src io.Reader) error { | |||
"schema %s: unable to validate", v) | |||
} | |||
|
|||
if v == MediaTypeManifest { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not part of the JSON Schema validation. Your new logic should live in manifest.validate
in image/manifest.go
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, you could adjust image-manifest-schema.json
to replace:
"config": {
"$ref": "content-descriptor.json"
},
with a version of descriptor where mediaType
was an enum listing only application/vnd.oci.image.config.v1+json
, etc.
Although see here about the spec not actually defining bounds on the referenced media types.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wking validate --type manifest
type seems not to jump into manifest.validate
, instead into Validator.Validate
directly. So, manifest.validate
can't be effective.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Wed, Sep 07, 2016 at 04:00:53AM -0700, xiekeyang wrote:
- if v == MediaTypeManifest {
@wking
validate --type manifest
type seems not to jump into
manifest.validate
, instead intoValidator.Validate
directly. So,
manifest.validate
can't be effective.
? ‘oci-image-tool validate …’ calls both image.Validate(Layout) 1
and schema.MediaType(Manifest|ManifestList|Config).Validate 2. I
expect we should be calling the schema validation from the image
validation functions, but either way, code in the image validation
functions is getting called by ‘oci-image-tool validate …’.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
? ‘oci-image-tool validate …’ calls both image.Validate(Layout) [1]
and schema.MediaType(Manifest|ManifestList|Config).Validate [2]. I
expect we should be calling the schema validation from the image
validation functions, but either way, code in the image validation
functions is getting called by ‘oci-image-tool validate …’.
It is some hard to do based on current code.
What you mentioned [1] is on package order main -> image -> schema;
[2] is main -> schema;
I think it had better to add code to schema package, and better to only one place to be called by up layer. For that I figure out the PR. I tried other way, but it seems to be some brittle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Thu, Sep 08, 2016 at 12:29:29AM -0700, xiekeyang wrote:
- if v == MediaTypeManifest {
? ‘oci-image-tool validate …’ calls both image.Validate(Layout) [1]
and schema.MediaType(Manifest|ManifestList|Config).Validate [2]. I
expect we should be calling the schema validation from the image
validation functions, but either way, code in the image validation
functions is getting called by ‘oci-image-tool validate …’.It is some hard to do based on current code.
What you mentioned [1] is on package order main -> image -> schema;
[2] is main -> schema;
I think it had better to add code to schema package, and better to
only one place to be called by up layer.
I'd rather not tie the JSON Schema too tightly here. Having the
schemas and schema-only tooling in their own layer makes it easier to
share them (and there is a lot of third-party JSON Schema tooling that
can consume them, opencontainers/validator.opencontainers.org#2).
On the other hand, JSON Schema cannot represent all of our
constraints. So I'd like another layer (currently in image/*.go) to
do the full validation. That full-validation layer can save itself a
lot of work by leaning on JSON Schema for part of its validation, but
whether it uses JSON Schema or not is really an internal detail.
So I think we want to use only main → image → schema, but would also
be fine with main → image/validate → schema (if you want to separate
the validation Go code from the unpacking, etc., Go code). I don't
think we want to push a lot of Go logic into the JSON Schema
directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. So far I find that schema/*.json should not modified because they only present the generally patten and can't cover all constraints. I'd work out on image code layer.
WIP |
Updated, PTAL。 |
@runcom I think |
quoting @wking from #286 (comment)
we should first assure the spec defines or not those constraints |
ping @stevvooe @wking @philips @vbatts |
MediaTypeManifestList Validator = v1.MediaTypeImageManifestList | ||
MediaTypeImageConfig Validator = v1.MediaTypeImageConfig | ||
MediaTypeImageLayer unimplemented = v1.MediaTypeImageLayer | ||
CompatMediaTypeImageConfig Validator = "application/vnd.docker.container.image.v1+json" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MediaTypeDockerImageConfig
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
On Mon, Sep 12, 2016 at 07:08:34PM -0700, xiekeyang wrote:
I agree, but that's a big if. Are we sure we want to require them? fewer types | media-types.md | more types But I'm nervous about requiring support for non-OCI media types unless |
For this I think we have announced in spec Non-Distributable Layers. As config file, it should be standard format as Container config JSON . I'm not sure if it covers your implementation case, or can you put some use case? But now any word on |
On Tue, Sep 13, 2016 at 12:12:02AM -0700, xiekeyang wrote:
(Non)distributable is about what you can push. I'm suggesting wording |
This is migrated to opencontainers/image-tools/pull/10. Here should be closed. |
It is passed validation on manifest part, even the config mediatype and layer mediatype inside is mismatch.
It had better to add media type item(config and layer) checking on manifest Validate.
bug case:
validate result is OK. But "mediaType": "application/vnd.oci.image.serialization.rootfs.tar.gzip" and "mediaType": "application/vnd.oci.image.serialization.config.v1+json" have been unsupported.
Signed-off-by: xiekeyang xiekeyang@huawei.com