podman image rm --force also untags other images (3.2.0 regression) #10685

Closed
Vogtinator opened this issue Jun 15, 2021 · 4 comments
@Vogtinator

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When running podman image rm -f foo, not just foo is deleted, but all references to that image.

This is a behaviour change and I couldn't find any explicit mention of that in the changelog.

Steps to reproduce the issue:

Have multiple tags for the same image:

```
localhost:~ # podman pull registry.opensuse.org/opensuse/busybox
Trying to pull registry.opensuse.org/opensuse/busybox:latest...
Getting image source signatures
Copying blob 739c8f977454 done
Copying config 984a5392cf done
Writing manifest to image destination
Storing signatures
984a5392cf0c5319b77dc0202c50951652f894f27e90fec35b5444127bfbd71d
localhost:~ # podman tag registry.opensuse.org/opensuse/busybox alsobusybox
localhost:~ # podman image ls
REPOSITORY                              TAG     IMAGE ID      CREATED                 SIZE
registry.opensuse.org/opensuse/busybox  latest  984a5392cf0c  Less than a second ago  12 MB
localhost/alsobusybox                   latest  984a5392cf0c  Less than a second ago  12 MB
```

Then delete any one of them:

```
localhost:~ # podman image rm -f registry.opensuse.org/opensuse/busybox
Untagged: registry.opensuse.org/opensuse/busybox:latest
Untagged: localhost/alsobusybox:latest
Deleted: 984a5392cf0c5319b77dc0202c50951652f894f27e90fec35b5444127bfbd71d
```

This does not happen with podman 3.1.2:

```
localhost:~ # podman version
Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.13.15
Built:        Thu Apr 22 20:00:00 2021
OS/Arch:      linux/amd64
localhost:~ # podman image rm -f registry.opensuse.org/opensuse/busybox
Untagged: registry.opensuse.org/opensuse/busybox:latest
```

Output of podman version:

```
Version:      3.2.0
API Version:  3.2.0
Go Version:   go1.13.15
Built:        Mon Jun  7 20:00:00 2021
OS/Arch:      linux/amd64
```

and

```
Version:      3.2.1
API Version:  3.2.1
Go Version:   go1.13.15
Built:        Sun Jun 13 20:00:00 2021
OS/Arch:      linux/amd64
```

Output of podman info --debug:

podman info --debug

```
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.27-1.3.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: unknown'
  cpus: 4
  distribution:
    distribution: '"opensuse-tumbleweed"'
    version: "20210606"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.12.9-1-default
  linkmode: dynamic
  memFree: 2376101888
  memTotal: 8330924032
  ociRuntime:
    name: runc
    package: runc-1.0.0~rc95-1.2.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc95
      commit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
      spec: 1.0.2-dev
      go: go1.13.15
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 4h 37m 1.64s (Approximately 0.17 days)
registries:
  search:
  - registry.opensuse.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Build Version: 'Btrfs v5.12.1 '
    Library Version: "102"
  imageStore:
    number: 0
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.0
  Built: 1623110400
  BuiltTime: Mon Jun  7 20:00:00 2021
  GitCommit: ""
  GoVersion: go1.13.15
  OsArch: linux/amd64
  Version: 3.2.0
```

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.2.0-1.1.x86_64

and

podman-3.2.1-3.1.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes.

Additional environment details (AWS, VirtualBox, physical, etc.):

VM. Originally found by openQA: https://openqa.opensuse.org/tests/1788281#step/registry/137
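
A check over the output shown in this report, as an added example that is not part of the original issue or of Podman's code: it flags any `Untagged:` line that names a reference other than the one passed to `podman image rm`. The function names are hypothetical, the sample output is copied from the report above, and names are assumed to be fully qualified.

```shell
#!/bin/sh
# Added example: flag "Untagged:" lines in `podman image rm` output that
# name a reference other than the one the caller asked to remove.

# normalize_ref NAME: append ":latest" when NAME carries no tag or digest.
# Assumption: NAME is fully qualified (registry/repo); short-name
# resolution is not modelled here.
normalize_ref() {
    last=${1##*/}                       # a registry port is not a tag
    case $last in
        *:*|*@*) printf '%s\n' "$1" ;;
        *)       printf '%s:latest\n' "$1" ;;
    esac
}

# collateral_untags NAME: reads rm output on stdin and prints every
# untagged reference that is not NAME, one per line.
collateral_untags() {
    want=$(normalize_ref "$1")
    while IFS= read -r line; do
        case $line in
            "Untagged: "*)
                ref=${line#Untagged: }
                [ "$ref" = "$want" ] || printf '%s\n' "$ref"
                ;;
        esac
    done
}

# Sample output copied from the report above (3.2.0 and 3.1.2 runs).
OUT_320='Untagged: registry.opensuse.org/opensuse/busybox:latest
Untagged: localhost/alsobusybox:latest
Deleted: 984a5392cf0c5319b77dc0202c50951652f894f27e90fec35b5444127bfbd71d'
OUT_312='Untagged: registry.opensuse.org/opensuse/busybox:latest'

# check NAME OUTPUT: returns 1 when tags other than NAME were removed.
check() {
    extra=$(printf '%s\n' "$2" | collateral_untags "$1")
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/collateral untag: /'
        return 1
    fi
    echo "ok: only $(normalize_ref "$1") was untagged"
}

check registry.opensuse.org/opensuse/busybox "$OUT_312"
check registry.opensuse.org/opensuse/busybox "$OUT_320" || true
```

In a test job, the captured output of a live `podman image rm -f NAME` run can be passed to `check` in place of the embedded samples.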

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 15, 2021
@mheon
Member

mheon commented Jun 15, 2021

@vrothberg PTAL

@vrothberg
Member

Thanks for reaching out, @Vogtinator!

I can confirm, it's a regression. We did a major rewrite of the image handling.

vrothberg added a commit to vrothberg/common that referenced this issue Jun 17, 2021
When removing an image by name, do not remove the image and all its
tags, even if force is set.  Instead, just untag the specified name.

Context: containers/podman/issues/10685
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg
Member

Opened containers/common#630

vrothberg added a commit to vrothberg/common that referenced this issue Jun 17, 2021
When removing an image by name, do not remove the image and all its
tags, even if force is set.  Instead, just untag the specified name.

Note: adjust the load test to preserve the order in the untagged field.

Context: containers/podman/issues/10685
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/common that referenced this issue Jun 17, 2021
When removing an image by name, do not remove the image and all its
tags, even if force is set.  Instead, just untag the specified name.

Note: adjust the load test to preserve the order in the untagged field.

Also vendor in the latest HEAD in containers/image to fix a bug revealed
in Podman CI.

Context: containers/podman/issues/10685
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/common that referenced this issue Jun 18, 2021
When removing an image by name, do not remove the image and all its
tags, even if force is set.  Instead, just untag the specified name.

Note: adjust the load test to preserve the order in the untagged field.

Also vendor in the latest HEAD in containers/image to fix a bug revealed
in Podman CI.

Backport of commit c6578d7.

Context: containers/podman/issues/10685
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg vrothberg added the needs-backport Indicates if changes in a PR should be backported to some releases. label Jun 21, 2021
@vrothberg
Member

This has been fixed in master. Backported to v3.2.2 (soon to be released) via #10763.

pdostal added a commit to pdostal/os-autoinst-distri-opensuse that referenced this issue Jun 28, 2021
trusch pushed a commit to trusch/common that referenced this issue Jun 30, 2021
libmage: Exists: catch corrupted images

While various execution paths in libimage already handle corrupted
images, `(*Runtime).Exists()` did not and would list an image to exist
in the storage even if it is corrupted.

Some corruptions can only be detected when accessing the individual
data.  A reliable way of accessing such data is to inspect an image.
Hence, an image will only be listed to exist if a) it has been found
and b) can be inspected.  If the inspection fails, the image will be
reported to not exist but without an error.  That allows for users
of libimage to properly recover and repull.

Further, add a new unit test that forces a data corruption and
gradually recovers from it.

Podman will now behave as follows:
```
$ ./bin/podman run -d --rm nginx ls
ERRO[0000] Image nginx exists in local storage but may be corrupted: layer not known
ERRO[0000] Looking up nginx in local storage: layer not known
Resolved "nginx" as an alias (/home/vrothberg/.cache/containers/short-name-aliases.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 596b1d696923 skipped: already exists
Copying blob 30afc0b18f67 skipped: already exists
Copying blob febe5bd23e98 skipped: already exists
Copying blob 69692152171a skipped: already exists
Copying blob 8283eee92e2f skipped: already exists
Copying blob 351ad75a6cfa done
Copying config d1a364dc54 done
Writing manifest to image destination
Storing signatures
56b65883c3c32b67277bcc173bd9f26c27cbbdbc6d3aacf6c552be796eb7a337
```

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Add default for log-tag

Needed for containers/podman#10204

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

build(deps): bump github.com/containers/storage from 1.32.1 to 1.32.2

Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.32.1 to 1.32.2.
- [Release notes](https://github.com/containers/storage/releases)
- [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
- [Commits](containers/storage@v1.32.1...v1.32.2)

---
updated-dependencies:
- dependency-name: github.com/containers/storage
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

fix autodiscovery of the secret passdriver.

add 'secret' section to the containers.conf struct.

libimage: fix Exists

Commit 964b002 introduced a regression to Exists() which would
return an error if the image does not exist.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Sort containers.conf and containers.conf.5.md

Remove cgroup_check which is no longer needed.

Fixes: containers#372

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Add support for config drop in directories

Fixes: containers#368

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Fix spacing on name value pairs to be consistent

Replaces:  containers#556

Signed-off-by: unknowndev233@github unknowndevQwQ@protonmail.com
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

seccomp: allow timer_settime64

allow time64 variant of timer_settime which was missed in 4e31f66

Signed-off-by: Jan Palus <jpalus@fastmail.com>

seccomp: add support for defaultErrnoRet

Add support to specify the default errno return value.

The OCI runtime specs already have support for it, and both crun (>=
0.19) and runc (>= 1.0-rc95) have support for it.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: switch default to ENOSYS

add the currently blocked syscalls to a deny-list and switch the
default to ENOSYS.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

build(deps): bump github.com/containers/image/v5 from 5.12.0 to 5.13.0

Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.12.0 to 5.13.0.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](containers/image@v5.12.0...v5.13.0)

---
updated-dependencies:
- dependency-name: github.com/containers/image/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Strip extra trailing newlines in templates

When wrapping table format in range, strip extra new lines from table
ends.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1855983

Signed-off-by: Jhon Honce <jhonce@redhat.com>

Use SetCredentials and add verbose to loginopts

Signed-off-by: flouthoc <flouthoc.git@gmail.com>

Bump to v0.40.0

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Move to v0.40.1-dev

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Set BigFilesTemporaryDir to GetEnv(TMPDIR) if set or /var/tmp

Currently if the caller does not specify the BigFilesTemporaryDir,
Podman and Buildah users expect this to default TMPDIR environment
variable or /var/tmp if not set.

Moving to libimage caused a regression in this functionality.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

build(deps): bump github.com/containers/image/v5 from 5.13.0 to 5.13.1

Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.13.0 to 5.13.1.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](containers/image@v5.13.0...v5.13.1)

---
updated-dependencies:
- dependency-name: github.com/containers/image/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

libimage: force remove: only untag on multi tag image

When removing an image by name, do not remove the image and all its
tags, even if force is set.  Instead, just untag the specified name.

Note: adjust the load test to preserve the order in the untagged field.

Also vendor in the latest HEAD in containers/image to fix a bug revealed
in Podman CI.

Context: containers/podman/issues/10685
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

libimage: lookup images by custom platform

Allow for looking up images via customizable arch, os and variant.
This prevents `podman run --arch=xxx` from redundantly pulling down the
image if needed.

Context: containers/podman/issues/10648
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

seccomp: allow clone3

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: let io_uring_* fail with ENOSYS

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: allow pkey_*

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: allow rseq

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: let membarrier fail with ENOSYS

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

seccomp: always allow get_mempolicy, set_mempolicy, mbind

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Vendor in containers/image v5.13.2

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Vendor in containers/image v5.13.2

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Bump to v0.40.1

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Move to v0.40.2-dev

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

feat: add external secret driver.

use /bin/sh instead of /bin/bash

fix test by removing accidentally added driver setup.

rename externaldriver to shelldriver

Signed-off-by: Tino Rusch <tino.rusch@gmail.com>

remove commented test setup

Signed-off-by: Tino Rusch <tino.rusch@gmail.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023