containers / composefs-rs

Rust library for the composefs filesystem
Apache License 2.0

`oci pull` doesn't work with quay, ghcr #17

Closed allisonkarlitskaya closed 1 month ago

allisonkarlitskaya commented 1 month ago

`cfsctl pull` works on all manner of local repositories plus docker:// repos on docker.io but not with quay or ghcr.

For quay it complains about missing blobs. Normal `skopeo copy` works fine here.

For ghcr it complains about not having the bearer token. `skopeo copy` is also broken here, but `podman pull` works fine.

allisonkarlitskaya commented 1 month ago

After spending all morning playing with mitmproxy it's clear that (in some cases) the sha256 of the config that appears in the manifest is completely made up by some part of skopeo/containers-image-proxy. The registry sent this hash to us at absolutely no point whatsoever, so of course it's not available at the registry to fetch as a blob...

Using `.fetch_config()` seems to avoid the issue.

cgwalters commented 1 month ago

One thing the proxy does is convert legacy docker "v2s2" manifests to OCI automatically which we should probably support turning off. Are you pushing images in v2s2 or OCI? i.e. what does `skopeo inspect --raw docker://quay.io/yourimage` look like?

I actually had the inverse problem when I was looking at this in my repo. Are you using the raw API?

See also https://github.com/cgwalters/composefs-oci-experimental/blob/08a0d864223021ecf56477584f45419c846e0c80/src/repo.rs#L1134

allisonkarlitskaya commented 1 month ago

Ya, I copied the code from your repo at first, which meant I was using `get_descriptor()` for the config. That worked with e.g. docker.io/fedora, but broke with quay.io/lis/box and ghcr.io/cockpit-project/tasks.

Now I use the config API:

            let raw_config = self.proxy.fetch_config_raw(&self.img).await?;
            let config = ImageConfiguration::from_reader(raw_config.as_slice())?;

and that works with ghcr.io/cockpit-project/tasks and quay.io/lis/box but not with docker.io/fedora.

It would be lovely if there was one way that worked for both...

cgwalters commented 1 month ago

    skopeo inspect --raw -n docker://quay.io/lis/box
    {
       "schemaVersion": 2,
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",

It's v2s2 not OCI, so basically what the proxy is doing here is not helpful and we need to have an "open as OCI or error" mode.
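
As an added illustration, not code from this thread or from composefs-rs: a Python sketch of why a config descriptor recomputed on the client cannot be fetched from the registry by digest, together with a strict "open as OCI or error" check. The blob store, the sample config, and `converted_view` (a stand-in for a converting client, not the proxy's actual logic) are constructed assumptions.

```python
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
V2S2_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(media_type: str, data: bytes) -> dict:
    return {"mediaType": media_type, "size": len(data), "digest": digest(data)}

def open_as_oci_or_error(raw_manifest: bytes) -> dict:
    """Strict mode: accept only manifests that declare the OCI media type."""
    manifest = json.loads(raw_manifest)
    if manifest.get("mediaType") != OCI_MANIFEST:
        raise ValueError(f"not an OCI manifest: {manifest.get('mediaType')!r}")
    return manifest

def fetch_config(manifest: dict, blobs: dict) -> bytes:
    """Fetch the config by digest and verify it against its descriptor."""
    want = manifest["config"]
    data = blobs.get(want["digest"])
    if data is None:
        raise LookupError(f"missing blob {want['digest']}")
    if digest(data) != want["digest"] or len(data) != want["size"]:
        raise ValueError("config does not match its descriptor")
    return data

# Constructed sample: a registry holding one config blob and a v2s2 manifest.
CONFIG = b'{"os":"linux","architecture":"amd64","config":{"Cmd":["/bin/sh"]}}'
BLOBS = {digest(CONFIG): CONFIG}
RAW_V2S2 = json.dumps({
    "schemaVersion": 2,
    "mediaType": V2S2_MANIFEST,
    "config": descriptor("application/vnd.docker.container.image.v1+json", CONFIG),
    "layers": [],
}).encode()

def converted_view(raw_manifest: bytes, blobs: dict) -> dict:
    """Stand-in for a client-side converter (assumption): re-serialize the
    config and describe the new bytes, which the registry never stored."""
    src = json.loads(raw_manifest)
    parsed = json.loads(blobs[src["config"]["digest"]])
    new_config = json.dumps(parsed, sort_keys=True).encode()
    return {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [],
            "config": descriptor("application/vnd.oci.image.config.v1+json", new_config)}
```

The raw manifest's config descriptor resolves and verifies against the store, while the descriptor in the converted view names bytes that exist only on the client, so a by-digest fetch reports a missing blob.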