  1. Artifactory Binary Repository
  2. RTFACT-19699

Docker manifest's digest is getting modified during pushes to local repository

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Not a Bug
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Docker, Docker Image
    • Labels:
      None

      Description

      Certain docker images are getting their manifests edited (pretty printed and rearranged) when being deployed onto Artifactory. Note the digest when pulling directly:

      $ docker pull gcr.io/google_containers/defaultbackend:1.0
      1.0: Pulling from google_containers/defaultbackend
      Digest: sha256:ee3aa1187023d0197e3277833f19d9ef7df26cee805fef32663e06c7412239f9
      Status: Downloaded newer image for gcr.io/google_containers/defaultbackend:1.0
      

      and being pulled via a remote:

      $ docker pull localhost:8081/gcr/google_containers/defaultbackend:1.0
      1.0: Pulling from gcr/google_containers/defaultbackend
      a3ed95caeb02: Pull complete 
      35c8bf5fd6cd: Pull complete 
      8edadfcfba11: Pull complete 
      Digest: sha256:ee3aa1187023d0197e3277833f19d9ef7df26cee805fef32663e06c7412239f9
      

      results in the same digest. However, if you perform:

      $ docker tag gcr.io/google_containers/defaultbackend:1.0 localhost:8081/docker-local/google_containers/defaultbackend:1.0
      $ docker push localhost:8081/docker-local/google_containers/defaultbackend  
      The push refers to repository [localhost:8081/docker-local/google_containers/defaultbackend]
      5f70bf18a086: Layer already exists 
      f6671fee8760: Layer already exists 
      7f02483a9752: Layer already exists 
      latest: digest: sha256:3ed35f9e1998f374b732a80783a4e5ed702aca916e275df7d5cab563db3e1cce size: 1563
      

      See, now the digest has changed! This is because the manifest.json has been changed in the local. Comparing the one from a remote vs. the one pushed to a local, you'll see that the ordering of certain fields has been changed, and certain newline characters have been inserted.

      This means that if you try to docker pull via the digest on the local with the original digest, it fails:

      $ docker pull localhost:8081/docker-local/google_containers/defaultbackend@sha256:ee3aa1187023d0197e3277833f19d9ef7df26c63e06c7412239f9
      Error response from daemon: manifest for localhost:8081/docker-local/google_containers/defaultbackend@sha256:ee3aa1187023d0197e3277833f19d9ef7df26cee805fef32663e06c7412239f9 not found
      

      but with the "new" digest it works:

      $ docker pull localhost:8081/docker-local/google_containers/defaultbackend@sha256:3ed35f9e1998f374b732a80783a4e5ed702aca5cab563db3e1cce
      sha256:3ed35f9e1998f374b732a80783a4e5ed702aca916e275df7d5cab563db3e1cce: Pulling from docker-local/google_containers/defaultbackend
      Digest: sha256:3ed35f9e1998f374b732a80783a4e5ed702aca916e275df7d5cab563db3e1cce
      Status: Image is up to date for localhost:8081/docker-local/google_containers/defaultbackend@sha256:3ed35f9e1998f374b732a80783a4e5ed702aca916e275df7d5cab563db3e1cce
      

      I have attached the two manifests as well.

      $ shasum -a256 manifest-gcr-cache.json manifest-docker-local.json 
      ee3aa1187023d0197e3277833f19d9ef7df26cee805fef32663e06c7412239f9  manifest-gcr-cache.json
      3ed35f9e1998f374b732a80783a4e5ed702aca916e275df7d5cab563db3e1cce  manifest-docker-local.json
      

      manifest-docker-local.json manifest-gcr-cache.json
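
The effect described in this report, as an added example (not part of the original issue and not Artifactory code): a pull-by-digest pin is checked against the SHA-256 of the exact manifest bytes, so a pretty-printed or reordered copy gets a new digest even when its JSON content is unchanged. It assumes a schema 2 style manifest; the sample manifest, its placeholder layer digests, and the helper names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample manifest (compact form); the digests are placeholders.
ORIGINAL = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1510, "digest": "sha256:" + "a" * 64},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 32, "digest": "sha256:" + "b" * 64}],
}, separators=(",", ":")).encode()


def manifest_digest(raw: bytes) -> str:
    """Digest used for pull-by-digest: SHA-256 over the exact bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def reserialize(raw: bytes) -> bytes:
    """Pretty-print and reorder keys, the kind of rewrite the report describes."""
    return json.dumps(json.loads(raw), indent=3, sort_keys=True).encode()


def classify(pinned_digest: str, stored: bytes, reference: bytes) -> str:
    """Explain why a pinned digest does or does not match a stored manifest."""
    if manifest_digest(stored) == pinned_digest:
        return "match"
    if json.loads(stored) == json.loads(reference):
        return "reserialized"      # same JSON content, different bytes
    return "content-changed"       # config or layer references differ


if __name__ == "__main__":
    pin = manifest_digest(ORIGINAL)
    stored = reserialize(ORIGINAL)
    print("pinned :", pin)
    print("stored :", manifest_digest(stored))
    print("verdict:", classify(pin, stored, ORIGINAL))
```

Running `classify` over the two attached manifests (with the upstream digest as the pin) would separate a byte-level rewrite from a change in the referenced config or layers; in both cases the original pin no longer resolves.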

            People

            Assignee:
            danf Dan Feldman (Inactive)
            Reporter:
            loreny Loren Yeung