Project

Profile

Help

Story #4244

Updated by ipanova@redhat.com over 2 years ago

h2. *Problem:*

When pulling newer format manifest by tag old clients are not supported.

h2. *Solution:*

Rewrite available manifest to schema1 to support old clients.

h2. *Workflow:*

Fetch
Depending on the available manifest from the storage backend, if it exists. Parse incoming accept headers that Pulp registry will receive from client (client indicates support for certain manifest formats) the client( docker/podman pull) and if necessary rewrite manifest when depending on what Pulp registry has currently in its storage it is being fetched by tag. If it is being fetched by digest, conversion is not possible. will:

If available 1) convert schema2--> schema1
2) convert
manifest is a manifest list - within by looking up the appropriate manifest list find for the image amd64 platform and linux OS, rewrite that manifest corresponding into the old format if necessary, and return the result to the default platform and arch (amd64 platform and linux OS). client. If no suitable manifest is found in the manifest list, the registry will return a 404 error.
If necessary( based on incoming accept headers), convert the image manifest to schema1. Invoke Schema1ManifestBuilder to create skeleton of 3) schema1 format. Populate the builder with the data incoming from parsed image manifest schema2 json.
Sign schema1 manifest with the provided signing key (in config). If no signing key
is provided generate an ephemeral rsa key to be used for signing converted manifests.

If available manifest is a manifest schema2 , if necessary( based on incoming accept headers), convert
returned the image manifest to schema1.

If available manifest
way it is a manifest schema1, return as is. without conversion

h3. +Signed Manifest Field Description+

Signed manifests include an image manifest and a list of signatures. A signature consists of the following fields:

header JOSE

A JSON Web Signature

signature string

A signature for the image manifest, signed by a private key

protected string

The signed protected header

h3. +Optional conversion+

The
conversion will be optional. There will be a boolean flag called for example 'schema_conversion` added as a parameter to the docker distribution [0] where its default value would be set to False.
Conversion would happen only if enabled.

[0] https://github.com/pulp/pulp_docker/blob/master/pulp_docker/app/models.py#L297
https://docs.docker.com/registry/spec/manifest-v2-2/#backward-

h3. +Opened questions:+

Do we convert manifest schema2 if it had foreign layers?
https://docs.docker.com/registry/spec/manifest-v2-2/#backward-compatibility

Back