cli/push: Add platform switch

[vvoland]

• needs: c8d/push: Support --platform switch moby/moby#47679
• fixes Docker push for single arch not work with containerd storage #4959

- What I did
Added a platform switch to docker image push.

- How I did it

- How to verify it

$ docker pull --platform linux/arm64 busybox
$ docker tag busybox myimage
$ docker push --platform linux/arm64 myimage

- Description for the changelog

containerd image store: Add `--platform` switch to `docker image push`.

- A picture of a cute animal (not mandatory but encouraged)

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 0.00%. Comparing base (cba002e) to head (9e06e58).
Report is 9 commits behind head on master.

❗ Current head 9e06e58 differs from pull request most recent head 32ac7a0

Please upload reports for the commit 32ac7a0 to get more accurate results.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #4984       +/-   ##
==========================================
- Coverage   61.83%       0   -61.84%     
==========================================
  Files         298       0      -298     
  Lines       20731       0    -20731     
==========================================
- Hits        12818       0    -12818     
+ Misses       7000       0     -7000     
+ Partials      913       0      -913     

[vvoland]

Warn that it will strip attestations (suggested by @thaJeztah)

[rumpl]

There is no need to repeat the reset here, only one is enough: \x1b[0m\x1b[0m -> \x1b[0m

[rumpl]

Do we really want to add the cyan background color here? Why not \x1b[36m to just color the text?

[vvoland]

Ah good catch, no idea how that second one sneaked in there!

[vvoland]

No strong opinions on the colors, I just went with a colored background to make it more visible:

It could look wildly different on other terminals/color schemes, so perhaps a text color would be a safer option.

[laurazard]

I think setting a colored background + colored text is safer – if we just set the foregroung color and the users color scheme uses the same color for the background (and I've definitely seen cyan backgrounds), then the text will be unreadable. If we set a contrasting background+foreground color combination then that's less likely to happen.

[rumpl]

Thinking about the wording here, we are talking about image manifests, index, manifest list, do we really need to be this specific? Shouldn't we have a more user-friendly terms like "single-platform image" and "multi-platform image"?

No one really wants to know the difference between an index and a manifest list :)

[rumpl]

Related to the above, after talking about manifests manifest lists and indexes we say "single platform"

[vvoland]

The problem is that "single platform" isn't always a 1:1 mapping between an index and a single manifest.

Is the index below a single platform image or a multi-platform image?

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:34b7d4a2f050f8a9077fd435b3b1778e091af743f0f4c8c47d109cfda47b0c48",
      "size": 480,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:a7931924962b793438f641b320d496ebca34968e850f7b8d7a5ea59dc88283cc",
      "size": 565,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:34b7d4a2f050f8a9077fd435b3b1778e091af743f0f4c8c47d109cfda47b0c48",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}

[laurazard]

LGTM, I think we can discuss/keep improving the messages in the future too, but I wouldn't block this on that.

[laurazard]

I think it's fine to be explicit here, I'd rather some users get annoyed by the extra message than having people not realize we're stripping attestations when they push a single-platform image.

[thaJeztah]

moby/moby#47943 was merged

[laurazard]

@krissetto @Benehiko can you TAL?

[Benehiko]

Looks good to me

[Benehiko]

what happens if none of data could be unmarshalled? should it not error?

[vvoland]

There might be other aux progress messages that are not (yet) supported by the CLI. I think it's best to just skip them instead.

[thaJeztah]

Not for this PR, and not urgent, but if we decide to add more locations to pass --platform, and we want to consume those as a platforms, we could consider implementing a platform _option_ that can be used for flags, performs the validation as part of that, and directly setting a Platform`.

[vvoland]

Yeah I think we should, but left that to a second PR that will reuse this logic.

Btw, we already have it, but for the "string" platform:

cli/cli/command/utils.go

Line 158 in 0022fe7

flags.StringVar(target, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Set platform if server is multi-platform capable")

🙈

[thaJeztah]

Ah! We should look where/how that's used. If the result is only "internal", it could still make sense to change it, and have the consumer convert it to a string (where needed 🤔).

In either case; all for separate work, just that I thought of it.

[thaJeztah]

Note that dockerCli.Out() has a IsTerminal() function that we can use. Not sure if that's fully correct though (is that correct if STDERR redirected, but STDOUT isn't?

We should consider providing this for both Out() and Err() (I looked at that a few times, and wondered why we didn't)

[vvoland]

The most common case of this is when you redirect the stderr to /dev/null:

$ docker push dckr.woland.xyz/ububuu
Using default tag: latest
The push refers to repository [dckr.woland.xyz/ububuu]
aa21f24e1940: Layer already exists
latest: digest: sha256:17c24d16d63d2d089db74c2ed3e99c1ab0fd3f4f93c00b04afa8793fa793626c size: 424

[ NOTE ] Not all multiplatform-content is present and only the available single-platform image was pushed
sha256:e3f92abc0967a6c19d0dfa2d55838833e947b9d74edbcb0113e48535ad4be12a -> sha256:17c24d16d63d2d089db74c2ed3e99c1ab0fd3f4f93c00b04afa8793fa793626c

$ docker push dckr.woland.xyz/ububuu 2>/dev/null
Using default tag: latest
The push refers to repository [dckr.woland.xyz/ububuu]
aa21f24e1940: Layer already exists
latest: digest: sha256:17c24d16d63d2d089db74c2ed3e99c1ab0fd3f4f93c00b04afa8793fa793626c size: 424

[thaJeztah]

Yeah, I think there's other places where we do it wrong, and only look at STDOUT, but not at STDERR (but switch both based on STDOUT; here's a recent discussion that I still need to reply to, because I think the same is happening for docker build ; moby/moby#47755

Perhaps a good reason to look if we should make Err() provide thee same features as Out(), so that it's easier to check for each of the outputs if they have a TTY attached or not.

[thaJeztah]

In either case; not a blocker (should I mention that isTty should be isTTY ? 😂 🙈 )

[vvoland]

Will open a follow-up with the stderr change (it will have a bunch of updates in other places, so prefer to handle it in a separate PR).

[vvoland]

isTTY

LOL, you're just merciless Sebastiaan 🤣
...done!

[thaJeztah]

so prefer to handle it in a separate PR

Yes; that's for sure something separate; and it's not a new thing, just that this is (I think) the first time we pay attention and check the right thing for a TTY 😂

OL, you're just merciless Sebastiaan 🤣

I'm the Human Linter! 😂

[thaJeztah]

LGTM

I think most comments still visible are good for follow-up work.

[thaJeztah]

LGTM

Let's go!