diff --git a/agent/engine/docker_task_engine.go b/agent/engine/docker_task_engine.go
index 13aaee0e316..322661bb0c7 100644
--- a/agent/engine/docker_task_engine.go
+++ b/agent/engine/docker_task_engine.go
@@ -1352,6 +1352,22 @@ func (engine *DockerTaskEngine) pullContainerManifest(
 })
 return dockerapi.DockerContainerMetadata{Error: manifestPullErr}
 }
+ imageManifestMediatype := distInspect.Descriptor.MediaType
+ logger.Info("Fetched image manifest Mediatype for container from registry", logger.Fields{
+ field.TaskARN: task.Arn,
+ field.ContainerName: container.Name,
+ field.ImageMediatype: imageManifestMediatype,
+ field.Image: container.Image,
+ })
+ if strings.Contains(imageManifestMediatype, "application/vnd.docker.distribution.manifest.v1") {
+ logger.Info("skipping digest resolution for manifest v2 schema 1,", logger.Fields{
+ field.TaskARN: task.Arn,
+ field.ContainerName: container.Name,
+ field.ImageMediatype: imageManifestMediatype,
+ field.Image: container.Image,
+ })
+ return dockerapi.DockerContainerMetadata{}
+ }
 imageManifestDigest = distInspect.Descriptor.Digest
 logger.Info("Fetched image manifest digest for container from registry", logger.Fields{
 field.TaskARN: task.Arn,
diff --git a/agent/engine/docker_task_engine_test.go b/agent/engine/docker_task_engine_test.go
index faea238fe0f..9545d8514bf 100644
--- a/agent/engine/docker_task_engine_test.go
+++ b/agent/engine/docker_task_engine_test.go
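Review bot: The new `if strings.Contains(imageManifestMediatype, "application/vnd.docker.distribution.manifest.v1")` branch returns an empty `DockerContainerMetadata{}` with neither digest nor error, so a schema 1 image silently loses digest pinning, yet the code records nowhere why schema 1 is excluded and reports the skip only at Info level. I would add a comment above the `if` stating the reason (the condition shows what is skipped, not why), log the skip at Warn rather than Info so a tag-only pull stands out in the agent logs, and drop the stray trailing comma in `"skipping digest resolution for manifest v2 schema 1,"`. `strings.HasPrefix` instead of `strings.Contains` would also state the intent more precisely — both the `+json` and `+prettyjws` schema 1 media types share that prefix — without matching the string anywhere else in the value. If callers treat an empty result as success, presumably the image is then pulled by tag alone; worth confirming that is the intended behaviour. pullContainerManifest starts and ends outside the hunk.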
@@ -4147,6 +4147,40 @@ func TestPullContainerManifest(t *testing.T) {
 name: "digest is not resolved if already available in image reference",
 image: "public.ecr.aws/library/alpine@" + testDigest.String(),
 },
+ {
+ name: "schema1 image - skip digest resolution",
+ image: "myimage",
+ imagePullBehavior: config.ImagePullAlwaysBehavior,
+ setDockerClientExpectations: func(c *gomock.Controller, d *mock_dockerapi.MockDockerClient) {
+ versioned := mock_dockerapi.NewMockDockerClient(c)
+ versioned.EXPECT().
+ PullImageManifest(gomock.Any(), "myimage", nil).
+ Return(
+ registry.DistributionInspect{
+ Descriptor: ocispec.Descriptor{MediaType: "application/vnd.docker.distribution.manifest.v1+json"},
+ },
+ nil)
+ d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
+ },
+ expectedResult: dockerapi.DockerContainerMetadata{},
+ },
+ {
+ name: "schema1 image - skip digest resolution",
+ image: "myimage",
+ imagePullBehavior: config.ImagePullAlwaysBehavior,
+ setDockerClientExpectations: func(c *gomock.Controller, d *mock_dockerapi.MockDockerClient) {
+ versioned := mock_dockerapi.NewMockDockerClient(c)
+ versioned.EXPECT().
+ PullImageManifest(gomock.Any(), "myimage", nil).
+ Return(
+ registry.DistributionInspect{
+ Descriptor: ocispec.Descriptor{MediaType: "application/vnd.docker.distribution.manifest.v1+json"},
+ },
+ nil)
+ d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
+ },
+ expectedResult: dockerapi.DockerContainerMetadata{},
+ },
 {
 name: "image pull not required - image inspect fails",
 image: "myimage",
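Review bot: The two test cases added after `image: "public.ecr.aws/library/alpine@" + testDigest.String(),` are byte-for-byte duplicates — same name `"schema1 image - skip digest resolution"`, same mock expectations, same `expectedResult` — so the second adds no coverage and only lengthens the table. Either drop one, or give the second a distinct name and media type, e.g. `MediaType: "application/vnd.docker.distribution.manifest.v1+prettyjws"`, so the engine's substring match is exercised for both schema 1 variants rather than the same input twice. TestPullContainerManifest starts and ends outside the hunk.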
@@ -4229,7 +4263,12 @@ func TestPullContainerManifest(t *testing.T) {
 versioned.EXPECT().
 PullImageManifest(gomock.Any(), "myimage", nil).
 Return(
- registry.DistributionInspect{Descriptor: ocispec.Descriptor{Digest: testDigest}},
+ registry.DistributionInspect{
+ Descriptor: ocispec.Descriptor{
+ MediaType: "application/vnd.docker.distribution.manifest.v2+json",
+ Digest: testDigest,
+ },
+ },
 nil)
 d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
 },
@@ -4261,8 +4300,10 @@ func TestPullContainerManifest(t *testing.T) {
 PullImageManifest(gomock.Any(), "myimage", expectedRegistryAuthData).
 Return(
 registry.DistributionInspect{
- Descriptor: ocispec.Descriptor{Digest: digest.Digest(testDigest.String())},
- },
+ Descriptor: ocispec.Descriptor{
+ MediaType: "application/vnd.docker.distribution.manifest.v2+json",
+ Digest: testDigest,
+ }},
 nil)
 d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
 },
diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go
index 9a93f4d8c25..811398e254f 100644
--- a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go
+++ b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go
@@ -49,6 +49,7 @@ const (
 ImageLastUsedAt = "imageLastUsedAt"
 ImagePullSucceeded = "imagePullSucceeded"
 ImageDigest = "imageDigest"
+ ImageMediatype = "imageMediatype"
 ContainerName = "containerName"
 ContainerImage = "containerImage"
 ContainerExitCode = "containerExitCode"
diff --git a/build-infrastructure/codebuild-devbuild-stack.yml b/build-infrastructure/codebuild-devbuild-stack.yml
index ca9bc79cd70..ab0b26300c2 100644
--- a/build-infrastructure/codebuild-devbuild-stack.yml
+++ b/build-infrastructure/codebuild-devbuild-stack.yml
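Review bot: The second hunk (`@@ -4261,8 +4300,10 @@`) closes the nested literal with `}},` on one line while the first hunk (`@@ -4229,7 +4263,12 @@`) puts each closing brace on its own line; the two expectations are otherwise parallel, so I would split the `}},` into `},` and `},` to match the first hunk and keep them visually comparable. Both hunks now pin `MediaType: "application/vnd.docker.distribution.manifest.v2+json"` explicitly, which is right given that the engine branches on the media type. TestPullContainerManifest starts and ends outside both hunks.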
@@ -23,6 +23,7 @@ Resources:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -46,18 +47,12 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 UbuntuArmProject:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -81,18 +76,12 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 ArmProject:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
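Review bot: `EncryptionDisabled: true` is added under `Artifacts` for every CodeBuild project in this file — this hunk and the same change in `@@ -46,18`, `@@ -81,18`, `@@ -116,18`, `@@ -165,6`, `@@ -202,6`, `@@ -239,6` and `@@ -276,6` — with no comment saying why CodeBuild's own artifact encryption is being switched off. The artifacts are agent builds that get executed downstream, so their at-rest protection now rests entirely on whatever the bucket enforces; I would add a comment above each occurrence such as `# Artifact encryption disabled intentionally: <reason — e.g. the bucket policy enforces its own SSE/KMS>` and confirm that `BuildBucketName`'s policy actually does so. The removed `Triggers` / `Webhook: true` blocks (here and in the later `-Triggers:` hunks) also take the allowlisted-developer comments with them; if PR-triggered builds are now started another way, a one-line comment where `Triggers` used to be would stop the next reader from assuming the webhook was dropped by accident.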
@@ -116,18 +105,12 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 AmdProject:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -151,13 +134,6 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 
 # Creates a CodeBuild project for Amazon Linux 2 ARM
@@ -165,6 +141,7 @@ Resources:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -188,13 +165,6 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 
 # Creates a CodeBuild project for Amazon Linux 2 AMD
@@ -202,6 +172,7 @@ Resources:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -225,13 +196,6 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 
 # Creates a CodeBuild project for Amazon Linux 2023 ARM
@@ -239,6 +203,7 @@ Resources:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled: true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
@@ -262,13 +227,6 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 
 # Creates a CodeBuild project for Amazon Linux 2023 AMD
@@ -276,6 +234,7 @@ Resources:
 Type: 'AWS::CodeBuild::Project'
 Properties:
 Artifacts:
+ EncryptionDisabled : true
 Location: !Ref BuildBucketName
 NamespaceType: NONE
 OverrideArtifactName: true
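Review bot: `EncryptionDisabled : true` in the last hunk here (`@@ -276,6 +234,7 @@`) has a space before the colon, unlike every other occurrence in this file; YAML tolerates it, but it should be written `EncryptionDisabled: true` so that a grep, a linter or a later review treats all eight projects identically. Inconsistent spelling of a security-relevant key is exactly the kind of thing that gets missed when someone later audits which projects have encryption turned off.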
@@ -299,13 +258,6 @@ Resources:
 Location: !Ref GithubFullRepoName
 Type: GITHUB
 TimeoutInMinutes: 60
- Triggers:
- BuildType: BUILD
- # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
- # This allow list can be modified using aws-cli or aws-sdk
- # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
- # so they have to be listed separately
- Webhook: true
 Visibility: PRIVATE
 
 # Defines the service roles for the CodeBuild projects
@@ -652,4 +604,4 @@ Resources:
 - 's3:GetBucketAcl'
 - 's3:GetBucketLocation'
 PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmzn2023Amd'
- RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2023Amd'
\ No newline at end of file
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2023Amd'
diff --git a/ecs-agent/logger/field/constants.go b/ecs-agent/logger/field/constants.go
index 9a93f4d8c25..811398e254f 100644
--- a/ecs-agent/logger/field/constants.go
+++ b/ecs-agent/logger/field/constants.go
@@ -49,6 +49,7 @@ const (
 ImageLastUsedAt = "imageLastUsedAt"
 ImagePullSucceeded = "imagePullSucceeded"
 ImageDigest = "imageDigest"
+ ImageMediatype = "imageMediatype"
 ContainerName = "containerName"
 ContainerImage = "containerImage"
 ContainerExitCode = "containerExitCode"