docker / hub-feedback

Feedback and bug reports for the Docker Hub
https://hub.docker.com

Unable to upload an image with a foreign layer #2132

Closed DennisDenuto closed 3 years ago

DennisDenuto commented 3 years ago

Problem description

When uploading an image that references a foreign layer (application/vnd.docker.image.rootfs.foreign.diff.tar.gzip) and I deliberately do not upload that foreign layer blob to dockerhub, when the manifest is committed, dockerhub returns an error:

    UNKNOWN: unknown error; UNKNOWN: unknown error; map[]; MANIFEST_BLOB_UNKNOWN: blob unknown to registry; sha256:SHA-OF-FOREIGN-LAYER

Interestingly, the above works if the layer is non-distributable (application/vnd.oci.image.layer.nondistributable.v1.tar+gzip)

What you expected to happen:

A successful upload of the image containing reference to a foreign layer (similar to what happens to non-distributable layers)

milosgajdos commented 3 years ago

Hey, @DennisDenuto. Thanks for the feedback.

To avoid any speculation on our side, could you please provide a full manifest you've tried to submit so we can look into this properly?

Thanks

justincormack commented 3 years ago

What are you trying to achieve? We have a lot of strict validation on foreign layers, and we are increasing this. We only really support them for the Windows layers, and these may be changed to be distributable so it's not clear that there is a future for this registry feature. There have been a number of security and other issues around these features, and the client behaviours are poorly defined.

DennisDenuto commented 3 years ago

@milosgajdos

Thanks! Sure thing! Here is the manifest (This was generated by a test, exercising a workflow copying an image with foreign layers)

    {
      "schemaVersion": 2,
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 233,
        "digest": "sha256:0ad5ab0bebbb108aa636dfc0a39cf33656bf851992cac019847b7f0fad46cd4b"
      },
      "layers": [
        {
          "mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
          "size": 1227,
          "digest": "sha256:eeeca730eb841a227b9d4a9694599c3e733d6b058bcf177d905cf1f104354bea",
          "urls": [
            "http://localhost:55738/v2/repo/airgapped-image/blobs/sha256:eeeca730eb841a227b9d4a9694599c3e733d6b058bcf177d905cf1f104354bea"
          ]
        }
      ]
    }

@justincormack

Thanks for providing additional context.

> What are you trying to achieve?

Our use case is: Allow copying an image from any registry to any other registry.

In the case an image contains a 'foreign' layer, we provide the user the option to copy the 'foreign' layers to the destination repo. However, when using dockerhub as the destination registry, when a user decides to not copy the foreign layers, we see the above error.

justincormack commented 3 years ago

Yes, we only allow the Windows layers (i.e. the layer URLs have to point at a Microsoft host) without a blob. I believe Windows will remove the non distribution requirement, at which point this can be removed; it was not a well designed feature, and has many security and usability issues.

milosgajdos commented 3 years ago

Closing as this is expected behaviour.
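
An added example, not part of the thread and not Docker Hub's code: a pre-flight check a copy tool could run before committing a manifest, modelling the rule described above that a foreign layer may be left without a blob only when its URLs point at an allowed host. The allowlist entry `layers.example.com`, the HTTPS requirement and the function names are assumptions; the sample digests are constructed.

```python
from urllib.parse import urlsplit

FOREIGN = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"


def url_allowed(url, allowed_hosts):
    """True if url is https and its host is, or is a subdomain of, an allowed host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_list = any(host == h or host.endswith("." + h) for h in allowed_hosts)
    # Requiring https is an assumption of this example, not a rule stated in the thread.
    return parts.scheme == "https" and on_list


def preflight(manifest, allowed_hosts):
    """Split a manifest's blobs into those the destination must hold before the
    manifest is committed and those it may accept by URL reference only."""
    must_upload = [manifest["config"]["digest"]]
    by_reference = []
    for layer in manifest.get("layers", []):
        urls = layer.get("urls") or []
        foreign = layer.get("mediaType") == FOREIGN
        # Every URL must pass: one stray URL is enough for a client to fetch from it.
        if foreign and urls and all(url_allowed(u, allowed_hosts) for u in urls):
            by_reference.append(layer["digest"])
        else:
            must_upload.append(layer["digest"])
    return must_upload, by_reference


# Constructed sample modelled on the manifest in the thread; digests are placeholders.
CFG, LOCAL, REMOTE = ("sha256:" + c * 64 for c in "abc")
SAMPLE = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 233, "digest": CFG},
    "layers": [
        {"mediaType": FOREIGN, "size": 1227, "digest": LOCAL,
         "urls": ["http://localhost:55738/v2/repo/airgapped-image/blobs/" + LOCAL]},
        {"mediaType": FOREIGN, "size": 1227, "digest": REMOTE,
         "urls": ["https://blobs.layers.example.com/" + REMOTE]},
    ],
}
ALLOWED = ["layers.example.com"]  # hypothetical allowlist, not Docker Hub's

if __name__ == "__main__":
    need, ref = preflight(SAMPLE, ALLOWED)
    print("upload before manifest PUT:", need)
    print("accepted by reference:", ref)
```

Run against the sample, the layer whose URL points at `localhost` lands in the upload list, which is the case that produced `MANIFEST_BLOB_UNKNOWN` in the report above.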