fix: oras pull error empty response Docker-Content-Digest
#237
repro prior to the change:
➜ DoodleContainers git:(mainline) ✗ make setup start main
#------------------------------------------------------------------------------- oci:/home/ntd/docker/config.json
aws --profile ntd@ecr --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin 080565210187.dkr.ecr.us-west-2.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/ntd/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#------------------------------------------------------------------------------- oci:/home/ntd/docker/config.json
aws --profile ntd@ecr --region us-west-2 ecr get-login-password | oras login --username AWS --password-stdin 080565210187.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded
#------------------------------------------------------------------------------- oci:setup
aws --profile ntd@ecr --region us-west-2 ecr create-repository --repository-name my.repo --image-scanning-configuration scanOnPush=true | jq .
{
"repository": {
"repositoryUri": "080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo",
"imageScanningConfiguration": {
"scanOnPush": true
},
"encryptionConfiguration": {
"encryptionType": "AES256"
},
"registryId": "080565210187",
"imageTagMutability": "MUTABLE",
"repositoryArn": "arn:aws:ecr:us-west-2:080565210187:repository/my.repo",
"repositoryName": "my.repo",
"createdAt": 1657835189
}
}
#------------------------------------------------------------------------------- oci:setup
docker image build --tag my.repo:my.tag .
Sending build context to Docker daemon 371.2kB
Step 1/8 : FROM alpine:latest
---> e66264b98777
Step 2/8 : RUN mkdir -p /docked
---> Running in d2183399b150
Removing intermediate container d2183399b150
---> 56d7cf077766
Step 3/8 : WORKDIR /docked
---> Running in 36bac997e4ab
Removing intermediate container 36bac997e4ab
---> 8c7179532383
Step 4/8 : RUN apk add --no-cache socat
---> Running in 902e75a3a394
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ncurses-terminfo-base (6.3_p20220521-r0)
(2/4) Installing ncurses-libs (6.3_p20220521-r0)
(3/4) Installing readline (8.1.2-r0)
(4/4) Installing socat (1.7.4.3-r0)
Executing busybox-1.35.0-r13.trigger
OK: 7 MiB in 18 packages
Removing intermediate container 902e75a3a394
---> 671c5e9f24a1
Step 5/8 : EXPOSE 1234
---> Running in fec0ca2cc0aa
Removing intermediate container fec0ca2cc0aa
---> 6480cf48acca
Step 6/8 : EXPOSE 4321
---> Running in 99961c605283
Removing intermediate container 99961c605283
---> 8ca79f8cdfcd
Step 7/8 : ENTRYPOINT [ "socat" ]
---> Running in 11b11566b05a
Removing intermediate container 11b11566b05a
---> 134e5e444ce0
Step 8/8 : CMD [ "TCP4-LISTEN:1234", "TCP4-LISTEN:4321" ]
---> Running in afb7185f1033
Removing intermediate container afb7185f1033
---> 4b8f7040c20e
Successfully built 4b8f7040c20e
Successfully tagged my.repo:my.tag
#------------------------------------------------------------------------------- oci:setup
docker image tag my.repo:my.tag 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
#------------------------------------------------------------------------------- oci:setup
docker image push 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
The push refers to repository [080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo]
8e2e4e6d1ed9: Pushed
980e95506b86: Pushed
24302eb7d908: Pushed
my.tag: digest: sha256:f8f0e94c24b562c0a5059a6c5d1c23f3f15c16381e912798531522d32d496df4 size: 945
#------------------------------------------------------------------------------- oci:start
docker container run --detach --rm --name my.container --publish 1234:1234 --publish 4321:4321 my.repo:my.tag
2e9752460dc4862f0dafbbf1f1b29fe1521ce771cd58ae9208e82a1ca6ecde72
#------------------------------------------------------------------------------- oci:main
oras pull 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Error: GET "https://080565210187.dkr.ecr.us-west-2.amazonaws.com/v2/my.repo/manifests/my.tag": empty response Docker-Content-Digest
make: *** [main] Error 1
➜ DoodleContainers git:(mainline) ✗
run test again...
➜ DoodleContainers git:(mainline) ✗ make
################################################################################
#------------------------------------------------------------------------------- oci:/home/nima/docker/config.json
aws --profile nima@ecr --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin 12345678901.dkr.ecr.us-west-2.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/nima/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#------------------------------------------------------------------------------- oci:/home/nima/docker/config.json
aws --profile nima@ecr --region us-west-2 ecr get-login-password | oras login --username AWS --password-stdin 12345678901.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded
#------------------------------------------------------------------------------- oci:setup
aws --profile nima@ecr --region us-west-2 ecr create-repository --repository-name my.repo --image-scanning-configuration scanOnPush=true | jq .
{
"repository": {
"repositoryUri": "12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo",
"imageScanningConfiguration": {
"scanOnPush": true
},
"encryptionConfiguration": {
"encryptionType": "AES256"
},
"registryId": "12345678901",
"imageTagMutability": "MUTABLE",
"repositoryArn": "arn:aws:ecr:us-west-2:12345678901:repository/my.repo",
"repositoryName": "my.repo",
"createdAt": 1657595026
}
}
#------------------------------------------------------------------------------- oci:setup
docker image build --tag my.repo:my.tag .
Sending build context to Docker daemon 276kB
Step 1/8 : FROM alpine:latest
---> e66264b98777
Step 2/8 : RUN mkdir -p /docked
---> Using cache
---> b70ff30822c5
Step 3/8 : WORKDIR /docked
---> Using cache
---> adbf13e74342
Step 4/8 : RUN apk add --no-cache socat
---> Using cache
---> 10673949eac4
Step 5/8 : EXPOSE 1234
---> Using cache
---> fe6e2db39608
Step 6/8 : EXPOSE 4321
---> Using cache
---> 69b73391ecf3
Step 7/8 : ENTRYPOINT [ "socat" ]
---> Using cache
---> 7ed365f9b91e
Step 8/8 : CMD [ "TCP4-LISTEN:1234", "TCP4-LISTEN:4321" ]
---> Using cache
---> cffeefdfa844
Successfully built cffeefdfa844
Successfully tagged my.repo:my.tag
#------------------------------------------------------------------------------- oci:setup
docker image tag my.repo:my.tag 12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
#------------------------------------------------------------------------------- oci:setup
docker image push 12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
The push refers to repository [12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo]
336abb34c67c: Pushed
26a6b0d4e0cf: Pushed
24302eb7d908: Pushed
my.tag: digest: sha256:b9b2c380a97b8b4ab2acfd3d88850bc3ce2b95e803af33ac382e002b6683fbfd size: 945
#------------------------------------------------------------------------------- oci:main
docker image rm my.repo:my.tag
Untagged: my.repo:my.tag
#------------------------------------------------------------------------------- oci:main
oras pull 12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Downloaded empty artifact
Pulled 12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Digest:
#------------------------------------------------------------------------------- oci:teardown
docker image rm my.repo:my.tag
Error: No such image: my.repo:my.tag
make: [oci.teardown] Error 1 (ignored)
#------------------------------------------------------------------------------- oci:teardown
docker image rm 12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Error response from daemon: conflict: unable to remove repository reference "12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag" (must force) - container 799004d623e6 is using its referenced image cffeefdfa844
make: [oci.teardown] Error 1 (ignored)
#------------------------------------------------------------------------------- oci:teardown
aws --profile nima@ecr --region us-west-2 ecr batch-delete-image --repository-name my.repo --image-ids imageTag=my.tag | jq .
{
"failures": [],
"imageIds": [
{
"imageTag": "my.tag",
"imageDigest": "sha256:b9b2c380a97b8b4ab2acfd3d88850bc3ce2b95e803af33ac382e002b6683fbfd"
}
]
}
#------------------------------------------------------------------------------- oci:teardown
aws --profile nima@ecr --region us-west-2 ecr delete-repository --repository-name my.repo | jq .
{
"repository": {
"repositoryUri": "12345678901.dkr.ecr.us-west-2.amazonaws.com/my.repo",
"registryId": "12345678901",
"imageTagMutability": "MUTABLE",
"repositoryArn": "arn:aws:ecr:us-west-2:12345678901:repository/my.repo",
"repositoryName": "my.repo",
"createdAt": 1657595026
}
}
GUIDE : https://www.freecodecamp.org/news/the-docker-handbook/
DEMO : oci
TARGET : oci
ORAS_CLIENT_PATH : /home/nima/bin/oras
ORAS_CLIENT : 0.13.0+unreleased
DOCKER_CLIENT : 20.10.7
DOCKER_SERVER : 20.10.7
################################################################################
➜ DoodleContainers git:(mainline) ✗
Thanks @nima for the PR! Please let us know if this is ready for review. 😀
Thanks for taking a look @Wwwsylvia -- I have another PR out now, it's not intended to be approved, only to be inspected because I'm still not sure how to deal with the current issue. I'm maintaining a log of my thoughts in a thread in the
I've set this to R4R despite the failure to expose the PR. The failure is due to the fact that one of the dependencies of this package,
Few general comments to make this PR better.
The ORAS community also has a simple version of Git Conventions for references.
That this issue existed is a side-effect of an earlier chronic issue.

At least in the pull workflow, nowhere does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`.

All this has led to issue oras-project#225.

Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609

Signed-off-by: Nima Talebi <github@nima.id.au>

Also drop dependency on go-digest changes, making this PR stand-alone.

Signed-off-by: Nima Talebi <github@nima.id.au>
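The check the commit message above describes, as an added Go example (not code from this PR or from oras-go): compute the manifest digest from the response body and compare it against the optional `Docker-Content-Digest` header and the digest in the reference, when either is present. `resolveManifestDigest`, `fakeResponse` and `maxManifest` are hypothetical names, the sample body is constructed, and only sha256 digests are assumed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

const maxManifest = 4 << 20 // size cap chosen for this example
// resolveManifestDigest (hypothetical) hashes the manifest body and rejects any
// supplied digest that disagrees; refDigest is "" when pulling by tag.
func resolveManifestDigest(resp *http.Response, refDigest string) (string, []byte, error) {
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxManifest+1))
	if err != nil {
		return "", nil, err
	}
	if len(body) > maxManifest {
		return "", nil, fmt.Errorf("manifest exceeds %d bytes", maxManifest)
	}
	sum := sha256.Sum256(body)
	actual := "sha256:" + hex.EncodeToString(sum[:])
	claimed := map[string]string{
		"Docker-Content-Digest header": resp.Header.Get("Docker-Content-Digest"),
		"reference":                    refDigest,
	}
	for src, d := range claimed {
		// An absent (empty) digest is skipped; the computed one stands.
		if d != "" && d != actual {
			return "", nil, fmt.Errorf("%s digest %s does not match computed %s", src, d, actual)
		}
	}
	return actual, body, nil
}

// fakeResponse builds a constructed registry response for the demo.
func fakeResponse(body, headerDigest string) *http.Response {
	h := http.Header{}
	if headerDigest != "" {
		h.Set("Docker-Content-Digest", headerDigest)
	}
	return &http.Response{Header: h, Body: io.NopCloser(strings.NewReader(body))}
}

func main() {
	d, _, err := resolveManifestDigest(fakeResponse(`{"schemaVersion":2}`, ""), "")
	fmt.Println(d, err)
}
```

With a tag reference and no header, the returned digest is the only one available, and it is derived from the bytes actually received.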
Okay I think I've addressed all comments so far. Also expanded on what happens when `expected` is not length-checked.
LGTM
LGTM with a minor suggestion
And a final double-check...
LGTM!
Thanks @nima for chasing this issue down, and @shizhMSFT @Wwwsylvia for the reviews!
We plan to release this in the next rc release.
Nope! That’s my Java showing 😇… carry on.
…On Thu, Aug 18, 2022 at 17:25 Nima Talebi ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In registry/remote/repository.go
<#237 (comment)>:
> return fmt.Errorf("%s: mismatch digest: %s", expected, contentDigest)
}
return nil
}
+// verifyContentDigests is a superset of verifyContentDigest; it takes in the actual (calculated) digest, and
+// verifies against that, the other two digests, both of which may or may not be set to the empty digest. If empty,
+// there is no validation error, however is not empty, it ensures that the given digest is valid (matches the actual
+// digest)
+func verifyContentDigests(actualDigest digest.Digest, digests map[string]digest.Digest) error {
+ for src, d := range digests {
+ if len(d.String()) == 0 {
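Review bot: at `if len(d.String()) == 0`, an empty digest is skipped without any record, so if every entry in `digests` is empty the loop compares nothing against `actualDigest`, and per the doc comment that is not a validation error. State that case explicitly in the doc comment so callers know a nil result can mean "nothing was supplied to compare" rather than "the content matched". The same comment reads "however is not empty", which is missing an "if". If `digest.Digest` is a string type, as the reply here says, `d == ""` expresses the check without the `String()` call.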
Because you can't set a string to a nil; it's not a *digest.Digest
(pointer). Am I missing something?
See #225 for details, but here's the tldr:
The expected outcome (what this PR claims to fix):
Resolves #225