In one of my ZOT repositories, I have a OCI v1.1.0 manifest A with its subject pointing to another manifest B. When I get the referrers of B (via GET /v2/<name>/referrers/<digest_of_b>), I can see one entry with descriptor of A.
If I add a tag to A (via PUT /v2/<name>/manifests/<digest_of_a>) and get the referrers of B again, there are two duplicated entries in the returned result of GET /v2/<name>/referrers/<digest_of_b>, both pointing to A.
To reproduce
Configuration: Running ghcr.io/project-zot/zot-linux-amd64:v2.0.1 based on ext4 file system
Client tools: oras v1.2.0 and curl for listing referrers
Steps
Create a subject and a referrer artifact.
List referrers of subject (get one entry).
Tag the referrer artifact.
List referrers of subject (get two duplicated entries)
> ## Create a subject and a referrer artifact.
> oras push localhost:7000/test:subject
...
Pushed [registry] localhost:7000/test:subject
ArtifactType: application/vnd.unknown.artifact.v1
> oras attach --artifact-type billy/test -a test=true localhost:7000/test:subject
...
Attached to [registry] localhost:7000/test@sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442
Digest: sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71
> ## List referrers of subject (get one entry).
> curl -u hello:oras-test http://localhost:7000/v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 -v | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1:7000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7000 (#0)
* Server auth using Basic with user 'hello'
> GET /v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 HTTP/1.1
> Host: localhost:7000
> Authorization: Basic aGVsbG86b3Jhcy10ZXN0
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,content-type,X-ZOT-API-CLIENT
< Access-Control-Allow-Methods: GET,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.oci.image.index.v1+json
< Date: Mon, 01 Jul 2024 03:12:26 GMT
< Content-Length: 356
<
{ [356 bytes data]
100 356 100 356 0 0 44500 0 --:--:-- --:--:-- --:--:-- 44500
* Connection #0 to host localhost left intact
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
"size": 687,
"annotations": {
"org.opencontainers.image.created": "2024-07-01T03:11:06Z",
"test": "true"
},
"artifactType": "billy/test"
}
]
}
> ## Tag the referrer artifact.
> oras tag localhost:7000/test@sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71 new
Tagging [registry] localhost:7000/test@sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71
Tagged new
> ## List referrers of subject (get two duplicated entries)
> curl -u hello:oras-test http://localhost:7000/v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 -v | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1:7000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7000 (#0)
* Server auth using Basic with user 'hello'
> GET /v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 HTTP/1.1
> Host: localhost:7000
> Authorization: Basic aGVsbG86b3Jhcy10ZXN0
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,content-type,X-ZOT-API-CLIENT
< Access-Control-Allow-Methods: GET,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.oci.image.index.v1+json
< Date: Mon, 01 Jul 2024 03:15:52 GMT
< Content-Length: 625
<
{ [625 bytes data]
100 625 100 625 0 0 78125 0 --:--:-- --:--:-- --:--:-- 78125
* Connection #0 to host localhost left intact
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
"size": 687,
"annotations": {
"org.opencontainers.image.created": "2024-07-01T03:11:06Z",
"test": "true"
},
"artifactType": "billy/test"
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
"size": 687,
"annotations": {
"org.opencontainers.image.created": "2024-07-01T03:11:06Z",
"test": "true"
},
"artifactType": "billy/test"
}
]
}
Expected behavior
Returned result of referrers API should be deduplicated.
zot version
ghcr.io/project-zot/zot-linux-amd64:v2.0.1
Describe the bug
In one of my ZOT repositories, I have a OCI v1.1.0 manifest
A
with itssubject
pointing to another manifestB
. When I get the referrers of B (viaGET /v2/<name>/referrers/<digest_of_b>
), I can see one entry with descriptor ofA
.If I add a tag to
A
(viaPUT /v2/<name>/manifests/<digest_of_a>
) and get the referrers ofB
again, there are two duplicated entries in the returned result ofGET /v2/<name>/referrers/<digest_of_b>
, both pointing toA
.To reproduce
ghcr.io/project-zot/zot-linux-amd64:v2.0.1
based on ext4 file systemoras
v1.2.0 andcurl
for listing referrersExpected behavior
Returned result of referrers API should be deduplicated.
Screenshots
No response
Additional context
No response