来自私有存储库的snyk容器测试

Question

我试图在一个私有存储库中使用snyk，该存储库使用podman进行管理。

snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

我也尝试过使用oci.example.com/image:latest oci.example.com/image:arm64，并确保它们存在于存储库中。

我一直遇到的错误是：snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests

我可以直接使用API：curl -u 'user:pass' -i -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://oci.example.com/v2/mailpile/image/latest再现相同的错误。

不过，这是可行的：curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/[IMAGE]/manifests/latest

我想知道我错过了什么。也许snyk依赖于一个podman push oci.example.com/image似乎没有提供的podman push oci.example.com/image，在阅读后怀疑：https://podman.io/blogs/2021/10/11/multiarch.html Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you’ll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you’re on Podman v3.4, use the buildah tag command instead.我也用manifest inspect验证了这个偷窥，实际上，它似乎只附加图像，默认情况下不附加distribution.manifest。

OpenSUSE最新版本：

$ podman --version
podman version 3.3.1
$ buildah --version
buildah version 1.21.3 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)

从The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1.一文中，我不完全确定这意味着什么，以及这对我的情况有何影响。

所以我试着跟随上面的文章：

podman push oci.example.com/image:arm64
podman manifest add oci.example.com/image:latest docker://oci.example.com/image:arm64
podman manifest push --all oci.example.com/image:latest docker://oci.example.com/image:latest

然后运行snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

仍然得到相同的错误:如果我尝试snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests :arm64，也会发出相同的问题

但是正在尝试:latest标签。snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image:latest -d snyk-test error: FailedToRunTestError: Cannot read property 'digest' of undefined

我尝试从注册表中删除图像并重新开始：curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/image/manifests/latest

curl -u "user:pass" -X "DELETE" https://oci.example.com/v2/image/manifests/sha256:1298754b84f5fa37425cd5c2ccc4eb7a1f70433611ad430e467d8e8d52caeced

。。但总是得到相似的结果。

Answer 1

修复步骤：

podman build --format=docker -t oci.example.com/image .

podman push oci.example.com/image oci.example.com/image