docker_image(_push): fix push detection (#1199)

* Fix IP address retrieval for registry setup. * Adjust push detection to Docker 29. * Idempotency for export no longer works. * Disable pull idempotency checks that play with architecture. * Add more known image IDs. * Adjust load tests. * Adjust error message check. * Allow for more digests. * Make sure a new enough cryptography version is installed.
2025-12-15 19:42:06 +00:00 · 2025-11-16 10:09:23 +01:00 · 2025-11-16 10:09:23 +01:00 · d207643e0c
commit d207643e0c
parent 90c4b4c543
16 changed files with 125 additions and 37 deletions
--- a/changelogs/fragments/1199-docker_image-push.yml
+++ b/changelogs/fragments/1199-docker_image-push.yml
@ -0,0 +1,5 @@
 bugfixes:
  - "docker_image, docker_image_push - adjust image push detection to Docker 29 (https://github.com/ansible-collections/community.docker/pull/1199)."
 known_issues:
  - "docker_image, docker_image_export - idempotency for archiving images depends on whether the image IDs used by the image storage backend correspond to the IDs used in the tarball's ``manifest.json`` files.
     The new default backend in Docker 29 apparently uses image IDs that no longer correspond, whence idempotency no longer works (https://github.com/ansible-collections/community.docker/pull/1199)."
--- a/plugins/modules/docker_image.py
+++ b/plugins/modules/docker_image.py
@ -21,6 +21,8 @@ description:
 notes:
  - Building images is done using Docker daemon's API. It is not possible to use BuildKit / buildx this way. Use M(community.docker.docker_image_build)
    to build images with BuildKit.
  - Exporting images is generally not idempotent. It depends on whether the image ID equals the IDs found in the generated tarball's C(manifest.json).
    This was the case with the default storage backend up to Docker 28, but seems to have changed in Docker 29.
 extends_documentation_fragment:
  - community.docker._docker.api_documentation
  - community.docker._attributes
@ -803,7 +805,7 @@ class ImageManager(DockerBaseClass):
                        if line.get("errorDetail"):
                            raise RuntimeError(line["errorDetail"]["message"])
                        status = line.get("status")
-                        if status == "Pushing":
+                        if status in ("Pushing", "Pushed"):
                            changed = True
                    self.results["changed"] = changed
                except Exception as exc:  # pylint: disable=broad-exception-caught
--- a/plugins/modules/docker_image_export.py
+++ b/plugins/modules/docker_image_export.py
@ -28,7 +28,13 @@ attributes:
  diff_mode:
    support: none
  idempotent:
-    support: full
+    support: partial
    details:
      - Whether the module is idempotent depends on the storage API used for images,
        which determines how the image ID is computed. The idempotency check needs
        that the image ID equals the ID stored in archive's C(manifest.json).
        This seemed to have worked fine with the default storage backend up to Docker 28,
        but seems to have changed in Docker 29.
 options:
  names:
--- a/plugins/modules/docker_image_push.py
+++ b/plugins/modules/docker_image_push.py
@ -159,7 +159,7 @@ class ImagePusher(DockerBaseClass):
                if line.get("errorDetail"):
                    raise RuntimeError(line["errorDetail"]["message"])
                status = line.get("status")
-                if status == "Pushing":
+                if status in ("Pushing", "Pushed"):
                    results["changed"] = True
        except Exception as exc:  # pylint: disable=broad-exception-caught
            if "unauthorized" in str(exc):
--- a/plugins/modules/docker_image_remove.py
+++ b/plugins/modules/docker_image_remove.py
@ -219,6 +219,7 @@ class ImageRemover(DockerBaseClass):
        elif is_image_name_id(name):
            deleted.append(image["Id"])
            # TODO: the following is no longer correct with Docker 29+...
            untagged[:] = sorted(
                (image.get("RepoTags") or []) + (image.get("RepoDigests") or [])
            )
--- a/tests/integration/targets/docker_image/tasks/tests/options.yml
+++ b/tests/integration/targets/docker_image/tasks/tests/options.yml
@ -256,6 +256,10 @@
 - ansible.builtin.assert:
    that:
      - archive_image_2 is not changed
  when: docker_cli_version is version("29.0.0", "<")
  # Apparently idempotency no longer works with the default storage backend
  # in Docker 29.0.0.
  # https://github.com/ansible-collections/community.docker/pull/1199
 - name: Archive image 3rd time, should overwrite due to different id
  community.docker.docker_image:
--- a/tests/integration/targets/docker_image_export/tasks/tests/basic.yml
+++ b/tests/integration/targets/docker_image_export/tasks/tests/basic.yml
@ -67,3 +67,7 @@
        manifests_json: "{{ manifests.results | map(attribute='stdout') | map('from_json') }}"
        manifest_json_images: "{{ item.2 | map(attribute='Config') | map('regex_replace', '.json$', '') | map('regex_replace', '^blobs/sha256/', '') | sort }}"
        export_image_ids: "{{ item.1 | map('regex_replace', '^sha256:', '') | unique | sort }}"
      when: docker_cli_version is version("29.0.0", "<")
      # Apparently idempotency no longer works with the default storage backend
      # in Docker 29.0.0.
      # https://github.com/ansible-collections/community.docker/pull/1199
--- a/tests/integration/targets/docker_image_load/tasks/tests/basic.yml
+++ b/tests/integration/targets/docker_image_load/tasks/tests/basic.yml
@ -73,11 +73,17 @@
  loop: "{{ all_images }}"
  when: remove_all_images is failed
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Load all images (IDs)
  community.docker.docker_image_load:
    path: "{{ remote_tmp_dir }}/archive-2.tar"
  register: result
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Print loaded image names
  ansible.builtin.debug:
    var: result.image_names
@ -110,11 +116,17 @@
    name: "{{ item }}"
  loop: "{{ all_images }}"
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Load all images (mixed images and IDs)
  community.docker.docker_image_load:
    path: "{{ remote_tmp_dir }}/archive-3.tar"
  register: result
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Print loading log
  ansible.builtin.debug:
    var: result.stdout_lines
@ -127,10 +139,14 @@
    that:
      - result is changed
      # For some reason, *sometimes* only the named image is found; in fact, in that case, the log only mentions that image and nothing else
-      - "result.images | length == 3 or ('Loaded image: ' ~ docker_test_image_hello_world) == result.stdout"
+      # With Docker 29, a third possibility appears: just two entries.
-      - (result.image_names | sort) in [[image_names[0], image_ids[0], image_ids[1]] | sort, [image_names[0]]]
+      - >-
-      - result.images | length in [1, 3]
+        result.images | length == 3
-      - (result.images | map(attribute='Id') | sort) in [[image_ids[0], image_ids[0], image_ids[1]] | sort, [image_ids[0]]]
+        or ('Loaded image: ' ~ docker_test_image_hello_world) == result.stdout
        or result.images | length == 2
      - (result.image_names | sort) in [[image_names[0], image_ids[0], image_ids[1]] | sort, [image_names[0], image_ids[1]] | sort, [image_names[0]]]
      - result.images | length in [1, 2, 3]
      - (result.images | map(attribute='Id') | sort) in [[image_ids[0], image_ids[0], image_ids[1]] | sort, [image_ids[0], image_ids[1]] | sort, [image_ids[0]]]
 # Same image twice
@ -139,11 +155,17 @@
    name: "{{ item }}"
  loop: "{{ all_images }}"
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Load all images (same image twice)
  community.docker.docker_image_load:
    path: "{{ remote_tmp_dir }}/archive-4.tar"
  register: result
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Print loaded image names
  ansible.builtin.debug:
    var: result.image_names
@ -151,10 +173,11 @@
 - ansible.builtin.assert:
    that:
      - result is changed
-      - result.image_names | length == 1
+      - result.image_names | length in [1, 2]
-      - result.image_names[0] == image_names[0]
+      - (result.image_names | sort) in [[image_names[0]], [image_names[0], image_ids[0]] | sort]
-      - result.images | length == 1
+      - result.images | length in [1, 2]
      - result.images[0].Id == image_ids[0]
      - result.images[1].Id | default(image_ids[0]) == image_ids[0]
 # Single image by ID
@ -163,11 +186,17 @@
    name: "{{ item }}"
  loop: "{{ all_images }}"
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Load all images (single image by ID)
  community.docker.docker_image_load:
    path: "{{ remote_tmp_dir }}/archive-5.tar"
  register: result
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Print loaded image names
  ansible.builtin.debug:
    var: result.image_names
@ -197,11 +226,17 @@
    name: "{{ item }}"
  loop: "{{ all_images }}"
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Load all images (names)
  community.docker.docker_image_load:
    path: "{{ remote_tmp_dir }}/archive-1.tar"
  register: result
 - name: Show all images
  ansible.builtin.command: docker image ls
 - name: Print loaded image names
  ansible.builtin.debug:
    var: result.image_names
--- a/tests/integration/targets/docker_image_pull/tasks/tests/basic.yml
+++ b/tests/integration/targets/docker_image_pull/tasks/tests/basic.yml
@ -142,6 +142,8 @@
          - present_3_check.actions[0] == ('Pulled image ' ~ image_name)
          - present_3_check.diff.before.id == present_1.diff.after.id
          - present_3_check.diff.after.id == 'unknown'
    - ansible.builtin.assert:
        that:
          - present_3 is changed
          - present_3.actions | length == 1
          - present_3.actions[0] == ('Pulled image ' ~ image_name)
@ -166,6 +168,11 @@
          - present_5.actions[0] == ('Pulled image ' ~ image_name)
          - present_5.diff.before.id == present_3.diff.after.id
          - present_5.diff.after.id == present_1.diff.after.id
      when: docker_cli_version is version("29.0.0", "<")
      # From Docker 29 on, Docker won't pull images for other architectures
      # if there are better matching ones. The above tests assume it will
      # just do what it is told, and thus fail from 29.0.0 on.
      # https://github.com/ansible-collections/community.docker/pull/1199
  always:
    - name: cleanup
--- a/tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml
+++ b/tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml
@ -7,11 +7,9 @@
  block:
    - name: Make sure images are not there
      community.docker.docker_image_remove:
-        name: "{{ item }}"
+        name: "sha256:{{ item }}"
        force: true
-      loop:
+      loop: "{{ docker_test_image_digest_v1_image_ids + docker_test_image_digest_v2_image_ids }}"
        - "sha256:{{ docker_test_image_digest_v1_image_id }}"
        - "sha256:{{ docker_test_image_digest_v2_image_id }}"
    - name: Pull image 1
      community.docker.docker_image_pull:
@ -82,8 +80,6 @@
  always:
    - name: cleanup
      community.docker.docker_image_remove:
-        name: "{{ item }}"
+        name: "sha256:{{ item }}"
        force: true
-      loop:
+      loop: "{{ docker_test_image_digest_v1_image_ids + docker_test_image_digest_v2_image_ids }}"
        - "sha256:{{ docker_test_image_digest_v1_image_id }}"
        - "sha256:{{ docker_test_image_digest_v2_image_id }}"
--- a/tests/integration/targets/docker_image_push/tasks/tests/basic.yml
+++ b/tests/integration/targets/docker_image_push/tasks/tests/basic.yml
@ -18,7 +18,7 @@
    - name: Push image ID (must fail)
      community.docker.docker_image_push:
-        name: "sha256:{{ docker_test_image_digest_v1_image_id }}"
+        name: "sha256:{{ docker_test_image_digest_v1_image_ids[0] }}"
      register: fail_2
      ignore_errors: true
--- a/tests/integration/targets/docker_image_push/tasks/tests/registry.yml
+++ b/tests/integration/targets/docker_image_push/tasks/tests/registry.yml
@ -80,4 +80,6 @@
            that:
              - push_4 is failed
              - >-
-                push_4.msg == ('Error pushing image ' ~ image_name_base2 ~ ':' ~ image_tag ~ ': no basic auth credentials')
+                push_4.msg.startswith('Error pushing image ' ~ image_name_base2 ~ ':' ~ image_tag ~ ': ')
              - >-
                push_4.msg.endswith(': no basic auth credentials')
--- a/tests/integration/targets/docker_image_remove/tasks/main.yml
+++ b/tests/integration/targets/docker_image_remove/tasks/main.yml
@ -8,15 +8,16 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
- block:
+- vars:
    image: "{{ docker_test_image_hello_world }}"
    image_ids: "{{ docker_test_image_hello_world_image_ids }}"
  block:
    - name: Pick image prefix
      ansible.builtin.set_fact:
        iname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
    - name: Define image names
      ansible.builtin.set_fact:
        image: "{{ docker_test_image_hello_world }}"
        image_id: "{{ docker_test_image_hello_world_image_id }}"
        image_names:
          - "{{ iname_prefix }}-tagged-1:latest"
          - "{{ iname_prefix }}-tagged-1:foo"
@ -24,8 +25,9 @@
    - name: Remove image complete
      community.docker.docker_image_remove:
-        name: "{{ image_id }}"
+        name: "{{ item }}"
        force: true
      loop: "{{ image_ids }}"
    - name: Remove tagged images
      community.docker.docker_image_remove:
@ -102,10 +104,11 @@
          - remove_2 is changed
          - remove_2.diff.before.id == pulled_image.image.Id
          - remove_2.diff.before.tags | length == 4
-          - remove_2.diff.before.digests | length == 1
+          # With Docker 29, there are now two digests in before and after:
          - remove_2.diff.before.digests | length in [1, 2]
          - remove_2.diff.after.id == pulled_image.image.Id
          - remove_2.diff.after.tags | length == 3
-          - remove_2.diff.after.digests | length == 1
+          - remove_2.diff.after.digests | length in [1, 2]
          - remove_2.deleted | length == 0
          - remove_2.untagged | length == 1
          - remove_2.untagged[0] == (iname_prefix ~ '-tagged-1:latest')
@ -174,10 +177,11 @@
          - remove_4 is changed
          - remove_4.diff.before.id == pulled_image.image.Id
          - remove_4.diff.before.tags | length == 3
-          - remove_4.diff.before.digests | length == 1
+          # With Docker 29, there are now two digests in before and after:
          - remove_4.diff.before.digests | length in [1, 2]
          - remove_4.diff.after.id == pulled_image.image.Id
          - remove_4.diff.after.tags | length == 2
-          - remove_4.diff.after.digests | length == 1
+          - remove_4.diff.after.digests | length in [1, 2]
          - remove_4.deleted | length == 0
          - remove_4.untagged | length == 1
          - remove_4.untagged[0] == (iname_prefix ~ '-tagged-1:foo')
@ -245,16 +249,22 @@
          - remove_6 is changed
          - remove_6.diff.before.id == pulled_image.image.Id
          - remove_6.diff.before.tags | length == 2
-          - remove_6.diff.before.digests | length == 1
+          # With Docker 29, there are now two digests in before and after:
          - remove_6.diff.before.digests | length in [1, 2]
          - remove_6.diff.after.exists is false
-          - remove_6.deleted | length > 1
+          - remove_6.deleted | length >= 1
          - pulled_image.image.Id in remove_6.deleted
-          - remove_6.untagged | length == 3
+          - remove_6.untagged | length in [2, 3]
          - (iname_prefix ~ '-tagged-1:bar') in remove_6.untagged
          - image in remove_6.untagged
          - remove_6_check.deleted | length == 1
          - remove_6_check.deleted[0] == pulled_image.image.Id
-          - remove_6_check.untagged == remove_6.untagged
+          # The following is only true for Docker < 29...
          # We use the CLI version as a proxy...
          - >-
            remove_6_check.untagged == remove_6.untagged
            or
            docker_cli_version is version("29.0.0", ">=")
          - info_5.images | length == 0
    - name: Remove image ID (force, idempotent, check mode)
--- a/tests/integration/targets/setup_docker/vars/main.yml
+++ b/tests/integration/targets/setup_docker/vars/main.yml
@ -4,12 +4,18 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 docker_test_image_digest_v1: e004c2cc521c95383aebb1fb5893719aa7a8eae2e7a71f316a4410784edb00a9
-docker_test_image_digest_v1_image_id: 758ec7f3a1ee85f8f08399b55641bfb13e8c1109287ddc5e22b68c3d653152ee
+docker_test_image_digest_v1_image_ids:
  - 758ec7f3a1ee85f8f08399b55641bfb13e8c1109287ddc5e22b68c3d653152ee  # Docker 28 and before
  - e004c2cc521c95383aebb1fb5893719aa7a8eae2e7a71f316a4410784edb00a9  # Docker 29
 docker_test_image_digest_v2: ee44b399df993016003bf5466bd3eeb221305e9d0fa831606bc7902d149c775b
-docker_test_image_digest_v2_image_id: dc3bacd8b5ea796cea5d6070c8f145df9076f26a6bc1c8981fd5b176d37de843
+docker_test_image_digest_v2_image_ids:
  - dc3bacd8b5ea796cea5d6070c8f145df9076f26a6bc1c8981fd5b176d37de843  # Docker 28 and before
  - ee44b399df993016003bf5466bd3eeb221305e9d0fa831606bc7902d149c775b  # Docker 29
 docker_test_image_digest_base: quay.io/ansible/docker-test-containers
 docker_test_image_hello_world: quay.io/ansible/docker-test-containers:hello-world
-docker_test_image_hello_world_image_id: sha256:bf756fb1ae65adf866bd8c456593cd24beb6a0a061dedf42b26a993176745f6b
+docker_test_image_hello_world_image_ids:
  - sha256:bf756fb1ae65adf866bd8c456593cd24beb6a0a061dedf42b26a993176745f6b  # Docker 28 and before
  - sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042  # Docker 29
 docker_test_image_hello_world_base: quay.io/ansible/docker-test-containers
 docker_test_image_busybox: quay.io/ansible/docker-test-containers:busybox
 docker_test_image_alpine: quay.io/ansible/docker-test-containers:alpine3.8
--- a/tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml
+++ b/tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml
@ -102,7 +102,17 @@
        # This host/port combination cannot be used if the tests are running inside a docker container.
        docker_registry_frontend_address: localhost:{{ nginx_container.container.NetworkSettings.Ports['5000/tcp'].0.HostPort }}
        # The following host/port combination can be used from inside the docker container.
-        docker_registry_frontend_address_internal: "{{ nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress if current_container_network_ip else nginx_container.container.NetworkSettings.IPAddress }}:5000"
+        docker_registry_frontend_address_internal: >-
          {{
            nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress
            if current_container_network_ip else
            (
              nginx_container.container.NetworkSettings.IPAddress
              | default(nginx_container.container.NetworkSettings.Networks['bridge'].IPAddress)
            )
          }}:5000
        # Since Docker 29, nginx_container.container.NetworkSettings.IPAddress no longer exists.
        # Use the bridge network's IP address instead...
    - name: Wait for registry frontend
      ansible.builtin.uri:
--- a/tests/integration/targets/setup_openssl/tasks/main.yml
+++ b/tests/integration/targets/setup_openssl/tasks/main.yml
@ -27,7 +27,7 @@
 - name: Install cryptography (Darwin, and potentially upgrade for other OSes)
  become: true
  ansible.builtin.pip:
-    name: cryptography>=1.3.0
+    name: cryptography>=3.3.0
    extra_args: "-c {{ remote_constraints }}"
 - name: Register cryptography version