Project

Profile

Help

Issue #5037

Schema1 has different algorithm of digest calculation

Added by ipanova@redhat.com 5 months ago. Updated 5 months ago.

Status:
MODIFIED
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Severity:
2. Medium
Version - Docker:
Platform Release:
Blocks Release:
Target Release - Docker:
OS:
Backwards Incompatible:
No
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 55

Description

We calculate the digest of the schema1 on the whole file. As a result of current behaviour docker pull of schema1 does not work as well as sync has wrong results.

$ sudo docker pull localhost:24816/food:1.24-musl
Trying to pull repository localhost:24816/food ... 
Pulling repository localhost:24816/food
Error: image food:1.24-musl not found
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ pjournal
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
-- Logs begin at Thu 2019-05-02 13:43:21 UTC. --
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]:     messages, upgraded, tail = self._request_parser.feed_data(data)
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]:   File "aiohttp/_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: pulp: pulp_docker.app.registry:INFO: sha256:75e5a0f0c01cebf0e634a8995ab596b373e2be67cd7168e95b9de47a12ded279
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: [2019-06-26 11:06:00 +0000] [3512] [ERROR] Error handling request
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: Traceback (most recent call last):
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]:   File "/usr/local/lib/pulp/lib64/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]:     messages, upgraded, tail = self._request_parser.feed_data(data)
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]:   File "aiohttp/_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
qq^C
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ sudo docker pull localhost:24816/food@sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f
Trying to pull repository localhost:24816/food ... 
Manifest does not match provided manifest digest sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f


Note that client calculated digest sha256:75e5a0f0c01cebf0e634a8995ab596b373e2be67cd7168e95b9de47a12ded279, it does not contain signature part.

And this is the digest we calculated and store sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f. Client does not like it either, because digests do not match.

Now sync:

(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ http GET http://localhost:24817/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/
HTTP/1.1 200 OK
Allow: GET, DELETE, HEAD, OPTIONS
Connection: close
Content-Length: 1298
Content-Type: application/json
Date: Wed, 26 Jun 2019 10:27:41 GMT
Server: gunicorn/19.9.0
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

{
    "_created": "2019-06-26T10:04:31.240786Z",
    "_href": "/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/",
    "base_version": null,
    "content_summary": {
        "added": {
            "docker.manifest": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifests/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            },
            "docker.manifest-tag": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            }
        },
        "present": {
            "docker.manifest": {
                "count": 329,
                "href": "/pulp/api/v3/content/docker/manifests/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            },
            "docker.manifest-blob": {
                "count": 487,
                "href": "/pulp/api/v3/content/docker/blobs/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            },
            "docker.manifest-tag": {
                "count": 135,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            }
        },
        "removed": {
            "docker.manifest-tag": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_removed=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/" 
            }
        }
    },
    "number": 2
}

(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ http GET http://localhost:24817/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/
HTTP/1.1 200 OK
Allow: GET, DELETE, HEAD, OPTIONS
Connection: close
Content-Length: 1298
Content-Type: application/json
Date: Wed, 26 Jun 2019 10:28:05 GMT
Server: gunicorn/19.9.0
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

{
    "_created": "2019-06-26T10:07:03.977935Z",
    "_href": "/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/",
    "base_version": null,
    "content_summary": {
        "added": {
            "docker.manifest": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifests/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            },
            "docker.manifest-tag": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            }
        },
        "present": {
            "docker.manifest": {
                "count": 351,
                "href": "/pulp/api/v3/content/docker/manifests/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            },
            "docker.manifest-blob": {
                "count": 487,
                "href": "/pulp/api/v3/content/docker/blobs/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            },
            "docker.manifest-tag": {
                "count": 135,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            }
        },
        "removed": {
            "docker.manifest-tag": {
                "count": 22,
                "href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_removed=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/" 
            }
        }
    },
    "number": 3
}

What we should do is to disregard the signature part, which changes with every response from the registry.

See pulp2 code https://github.com/pulp/pulp_docker/blob/2-master/plugins/pulp_docker/plugins/models.py#L102

Associated revisions

Revision a9c1ff9e View on GitHub
Added by ipanova@redhat.com 5 months ago

Problem: Schema1 manifest digest is calculated on the unsigned version.

Solution: Remove the signatures when calculating the digest.

closes #5037
https://pulp.plan.io/issues/5037

Revision a9c1ff9e View on GitHub
Added by ipanova@redhat.com 5 months ago

Problem: Schema1 manifest digest is calculated on the unsigned version.

Solution: Remove the signatures when calculating the digest.

closes #5037
https://pulp.plan.io/issues/5037

History

#1 Updated by ipanova@redhat.com 5 months ago

  • Status changed from NEW to MODIFIED

#2 Updated by ipanova@redhat.com 5 months ago

  • Sprint set to Sprint 55

#3 Updated by ipanova@redhat.com 5 months ago

  • Assignee set to ipanova@redhat.com

Please register to edit this issue

Also available in: Atom PDF