[FEAT] Support explicit digest in mod list #922
Comments
See linuxserver/docker-mods#922 for a feature request.
|
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions. |
|
implementing this or explicit version numbers would be great |
|
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions. |
|
+1 and hoping this is not closed due to inactivity |
|
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions. |
|
I'll have a look at this, it may be possible but it's going to require a bunch of changes to how we currently handle mods |
|
OK so I have this working with one minor caveat. If you look at the debug logs you'll see something like: Because you're using the manfiest SHA to identify the image to pull, but we use the layer SHA to validate the mod. It's all working, it's just potentially confusing because of the different hashes. |
|
If you want to test it out, then download https://github.com/linuxserver/docker-mods/blob/mod-scripts-sha/docker-mods.v3 and mount it into the container at Note that this will currently only support the full: format and not the shorter form: |
|
First of all, thanks for taking a look at this. If I understand correctly, the limitation you mention about the shorter form would be problematic with images published to ghcr.io if they overwrite the tag, right? For example this mod has a moving |
|
The true secret of the manifest hash format is that the tag doesn't actually do anything.
is the same as
is the same as
But from a "parsing out tags to use the correct bits in the API calls to the registry" perspective, it's significantly easier if we can always assume a tag is present. |
|
Do you think this would work? Trying to first split by IFS="@" read -ra DOCKER_MOD_WITH_SHA <<<"$DOCKER_MOD"
if [[ "${DOCKER_MOD_WITH_SHA[1]}" =~ sha256: ]]; then
TAGSHA="${DOCKER_MOD_WITH_SHA[1]}"
fi
TAG="${DOCKER_MOD_WITH_SHA[0]#*:}"
if [[ "${TAG}" == "${DOCKER_MOD_WITH_SHA[0]}" ]]; then
TAG="latest"
fi |
|
The short answer is I know roughly what needs to be done but it's a fair chunk of work to properly test and fix all the many stupid edge cases we have to deal with and it's the Christmas break so I can't be arsed to do it right now. Once I've got some time and motivation in a couple of weeks I'll fix it up but in the meantime there's a version that works as long as the long-form image format is used. |
|
I lied, I had time this afternoon #998 |
|
Thanks, worked for me running in podman. BTW, I'd suggest leaving |
Is this a new feature request?
Name of mod
mod-scripts (general)
Wanted change
Add support for specifying digests in the list of mods, e.g.:
Reason for change
This provides extra enforcement of the mod version.
I have renovate bot manage these sha256 digests for me: https://github.com/qlonik/musical-parakeet/blob/90396d3c0287656ad87c97e522a6d483f83ccf37/kubernetes/main/apps/default/lazylibrarian/app/helmrelease.yaml#L47-L60, so it is not a very big burden. I suspect other people might not have a setup like this, but it would be helpful to support explicit digests.
Proposed code change
No. It seems that either
get_blob_shaneeds to change or the call before this function needs to check for presence of sha256 in tag.The text was updated successfully, but these errors were encountered: