[英]snyk container test from private repository
I'm trying to use snyk with a privately hosted repository that is managed using podman.我正在尝试将 snyk 与使用 podman 管理的私人托管存储库一起使用。
snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d
I've tried using oci.example.com/image:latest
oci.example.com/image:arm64
also and making sure they exist on the repository.我也尝试使用
oci.example.com/image:latest
oci.example.com/image:arm64
并确保它们存在于存储库中。
The error I keep getting is: snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests
我不断收到的错误是:
snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests
I can reproduce the same error using the API directly: curl -u 'user:pass' -i -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://oci.example.com/v2/mailpile/image/latest
我可以直接使用 API 重现相同的错误:
curl -u 'user:pass' -i -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://oci.example.com/v2/mailpile/image/latest
This works though: curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/[IMAGE]/manifests/latest
这虽然有效:
curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/[IMAGE]/manifests/latest
I wonder what I'm missing.我想知道我错过了什么。 Maybe snyk relies on a distribution.manifest that
podman push oci.example.com/image
does not seem to provide, suspected after reading: https://podman.io/blogs/2021/10/11/multiarch.html Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead.
也许snyk依赖的是
podman push oci.example.com/image
似乎没有提供的distribution.manifest, podman push oci.example.com/image
之后怀疑: https : podman push oci.example.com/image
Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead.
Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead.
I also verified this peeking with manifest inspect
, indeed it seems it only attaches image and no distribution.manifest by default.我还用
manifest inspect
验证了这个偷看,确实它似乎默认只附加图像而没有 distribution.manifest。
The OpenSUSE Debian Podman repo latest version: OpenSUSE Debian Podman 存储库最新版本:
$ podman --version
podman version 3.3.1
$ buildah --version
buildah version 1.21.3 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)
From the article The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1.
来自文章
The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1.
I'm not entirely sure what this means and how this affects my situation.我不完全确定这意味着什么以及这如何影响我的情况。
So I've tried to follow article as above:所以我尝试按照上面的文章进行操作:
podman push oci.example.com/image:arm64
podman manifest add oci.example.com/image:latest docker://oci.example.com/image:arm64
podman manifest push --all oci.example.com/image:latest docker://oci.example.com/image:latest
Then run snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d
然后运行
snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d
Still get same error: snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests
same issue if I attempt :arm64
仍然得到相同的错误:
snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests
:arm64
same issue if I :arm64
But attempting :latest
tag.但是尝试
:latest
标签。 snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image:latest -d
snyk-test error: FailedToRunTestError: Cannot read property 'digest' of undefined
snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image:latest -d
snyk-test error: FailedToRunTestError: Cannot read property 'digest' of undefined
I've tried to delete the image from the registry and start over: curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/image/manifests/latest
我试图从注册表中删除图像并重新开始:
curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/image/manifests/latest
curl -u "user:pass" -X "DELETE" https://oci.example.com/v2/image/manifests/sha256:1298754b84f5fa37425cd5c2ccc4eb7a1f70433611ad430e467d8e8d52caeced
.. but always get similar results. .. 但总是得到类似的结果。
修复步骤:
podman build --format=docker -t oci.example.com/image .
podman push oci.example.com/image oci.example.com/image
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.