Story #4244

Updated by ipanova@redhat.com over 5 years ago

h2. *Problem:* 

 When a newer-format manifest is pulled by tag, old clients are not supported. 

 h2. *Solution:* 

 Rewrite the available manifest to schema1 to support old clients. 

 h2. *Workflow:* 

 Fetch the available manifest from the storage backend, if it exists. Parse the incoming accept headers that the Pulp registry receives from the client (docker/podman pull); the client uses them to indicate support for certain manifest formats. Depending on those headers and on what the Pulp registry currently has in its storage, rewrite the manifest if necessary when it is being fetched by tag. If it is being fetched by digest, conversion is not possible. 

 If the available manifest is a manifest list: look up within the manifest list the image manifest for the default platform and arch (amd64 platform and linux OS), rewrite that manifest into the old format if necessary, and return the result to the client. If no suitable manifest is found in the manifest list, the registry will return a 404 error. 
 If necessary (based on incoming accept headers), convert the image manifest to schema1. Invoke Schema1ManifestBuilder to create the skeleton of the schema1 format. Populate the builder with the data from the parsed image manifest schema2 JSON. 
 Sign the schema1 manifest with the provided signing key (in config). If no signing key is provided, generate an ephemeral RSA key to be used for signing converted manifests. 

 If the available manifest is a manifest schema2, convert the image manifest to schema1 if necessary (based on incoming accept headers). 

 If the available manifest is a manifest schema1, return it as is, without conversion. 
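
 The decision logic of this workflow, as an added example that is not pulp_docker code. The function names and action strings are hypothetical, @schema_conversion@ is the flag proposed under Optional conversion, and serving the stored manifest unchanged when conversion is ruled out is an assumption.

```python
# Added example: names below are illustrative, not pulp_docker's API.
SCHEMA1 = "application/vnd.docker.distribution.manifest.v1+json"
SCHEMA1_SIGNED = "application/vnd.docker.distribution.manifest.v1+prettyjws"
SCHEMA2 = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"

# Constructed sample manifest list (digests are placeholders).
SAMPLE_LIST = {"manifests": [
    {"mediaType": SCHEMA2, "digest": "sha256:placeholder-arm64",
     "platform": {"architecture": "arm64", "os": "linux"}},
    {"mediaType": SCHEMA2, "digest": "sha256:placeholder-amd64",
     "platform": {"architecture": "amd64", "os": "linux"}},
]}


def accepted_types(accept_header):
    """Media types from an Accept header value, parameters (;q=...) dropped."""
    return {p.split(";")[0].strip().lower() for p in accept_header.split(",") if p.strip()}


def pick_default_platform(manifest_list):
    """Entry for amd64/linux inside a manifest list, or None."""
    for entry in manifest_list.get("manifests", []):
        platform = entry.get("platform", {})
        if platform.get("architecture") == "amd64" and platform.get("os") == "linux":
            return entry
    return None


def plan_response(accept_header, stored_type, by_digest=False,
                  schema_conversion=False, manifest_list=None):
    """Return (http_status, action, digest_or_None) for a manifest request."""
    accepted = accepted_types(accept_header)
    # Serve as stored when the client understands the stored format, and when
    # conversion is ruled out (fetch by digest, or the flag is off).
    # Assumption: "ruled out" means "serve as stored" rather than an error.
    if stored_type in accepted or by_digest or not schema_conversion:
        return 200, "serve_stored", None
    if stored_type in (SCHEMA1, SCHEMA1_SIGNED):
        return 200, "serve_stored", None  # already the old format
    if stored_type == MANIFEST_LIST:
        entry = pick_default_platform(manifest_list or {})
        if entry is None:
            return 404, "no_amd64_linux_manifest", None
        if entry["mediaType"] in accepted:
            return 200, "serve_image_manifest", entry["digest"]
        return 200, "convert_and_sign_schema1", entry["digest"]
    return 200, "convert_and_sign_schema1", None  # stored schema2, old client
```

 Converting a manifest changes its bytes and therefore its digest, which is why the by-digest path never reaches @convert_and_sign_schema1@.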

 h3. +Signed Manifest Field Description+ 

 Signed manifests include an image manifest and a list of signatures. A signature consists of the following fields: 

     header JOSE 

     A JSON Web Signature 

     signature string 

     A signature for the image manifest, signed by a private key 

     protected string 

     The signed protected header 

 h3. +Optional conversion+ 

 The conversion will be optional. A boolean flag, called for example 'schema_conversion', will be added as a parameter to the docker distribution [0], with its default value set to False. 
 Conversion would happen only if enabled. 

 [0] https://github.com/pulp/pulp_docker/blob/master/pulp_docker/app/models.py#L297 

 h3. +Open questions:+ 

 Do we convert a schema2 manifest if it has foreign layers? 
 https://docs.docker.com/registry/spec/manifest-v2-2/#backward-compatibility
