Actions
Issue #5037
closedSchema1 has different algorithm of digest calculation
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 55
Quarter:
Description
We calculate the digest of the schema1 on the whole file. As a result of current behaviour docker pull of schema1 does not work as well as sync has wrong results.
$ sudo docker pull localhost:24816/food:1.24-musl
Trying to pull repository localhost:24816/food ...
Pulling repository localhost:24816/food
Error: image food:1.24-musl not found
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ pjournal
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Thu 2019-05-02 13:43:21 UTC. --
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: messages, upgraded, tail = self._request_parser.feed_data(data)
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: File "aiohttp/_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: pulp: pulp_docker.app.registry:INFO: sha256:75e5a0f0c01cebf0e634a8995ab596b373e2be67cd7168e95b9de47a12ded279
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: [2019-06-26 11:06:00 +0000] [3512] [ERROR] Error handling request
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: Traceback (most recent call last):
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: File "/usr/local/lib/pulp/lib64/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: messages, upgraded, tail = self._request_parser.feed_data(data)
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: File "aiohttp/_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
Jun 26 11:06:00 pulp3-source-fedora29.fluffy.example.com gunicorn[3500]: aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
qq^C
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ sudo docker pull localhost:24816/food@sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f
Trying to pull repository localhost:24816/food ...
Manifest does not match provided manifest digest sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f
Note that client calculated digest sha256:75e5a0f0c01cebf0e634a8995ab596b373e2be67cd7168e95b9de47a12ded279, it does not contain signature part.
And this is the digest we calculated and store sha256:02c8e85e48664f0888493dfe885f0f01f8b598e934346824e14bd1c51aed7d5f. Client does not like it either, because digests do not match.
Now sync:
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ http GET http://localhost:24817/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/
HTTP/1.1 200 OK
Allow: GET, DELETE, HEAD, OPTIONS
Connection: close
Content-Length: 1298
Content-Type: application/json
Date: Wed, 26 Jun 2019 10:27:41 GMT
Server: gunicorn/19.9.0
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"_created": "2019-06-26T10:04:31.240786Z",
"_href": "/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/",
"base_version": null,
"content_summary": {
"added": {
"docker.manifest": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifests/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
},
"docker.manifest-tag": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
}
},
"present": {
"docker.manifest": {
"count": 329,
"href": "/pulp/api/v3/content/docker/manifests/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
},
"docker.manifest-blob": {
"count": 487,
"href": "/pulp/api/v3/content/docker/blobs/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
},
"docker.manifest-tag": {
"count": 135,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
}
},
"removed": {
"docker.manifest-tag": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_removed=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/2/"
}
}
},
"number": 2
}
(pulp) [vagrant@pulp3-source-fedora29 pulp_docker]$ http GET http://localhost:24817/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/
HTTP/1.1 200 OK
Allow: GET, DELETE, HEAD, OPTIONS
Connection: close
Content-Length: 1298
Content-Type: application/json
Date: Wed, 26 Jun 2019 10:28:05 GMT
Server: gunicorn/19.9.0
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"_created": "2019-06-26T10:07:03.977935Z",
"_href": "/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/",
"base_version": null,
"content_summary": {
"added": {
"docker.manifest": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifests/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
},
"docker.manifest-tag": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_added=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
}
},
"present": {
"docker.manifest": {
"count": 351,
"href": "/pulp/api/v3/content/docker/manifests/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
},
"docker.manifest-blob": {
"count": 487,
"href": "/pulp/api/v3/content/docker/blobs/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
},
"docker.manifest-tag": {
"count": 135,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
}
},
"removed": {
"docker.manifest-tag": {
"count": 22,
"href": "/pulp/api/v3/content/docker/manifest-tags/?repository_version_removed=/pulp/api/v3/repositories/cacbcd83-b2d6-4bee-ac7b-0e14d888ebe3/versions/3/"
}
}
},
"number": 3
}
What we should do is to disregard the signature part, which changes with every response from the registry.
See pulp2 code https://github.com/pulp/pulp_docker/blob/2-master/plugins/pulp_docker/plugins/models.py#L102
Actions
Problem: Schema1 manifest digest is calculated on the unsigned version.
Solution: Remove the signatures when calculating the digest.
closes #5037 https://pulp.plan.io/issues/5037