Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-23767

Docker pull by digest could return the wrong manifest due to wrong caching

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 7.9.0, 7.10.2
    • Fix Version/s: 7.10.5
    • Component/s: Docker
    • Labels:
      None
    • Severity:
      Critical
    • Regression:
      Yes
    • Requirement Status:

      UNCOVERED

      Description

      Problem Description
      Docker pull by digest returns the wrong manifest.json from Artifactory, which is declined by the Docker client:

      docker pull mill.jfrog.info:12109/docker-local/repro2@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19                                                                                
      sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/repro2
      manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      

      Steps to reproduce:
      1. Steup Artifactory 7.9.0 with Docker repository.
      2. docker tag [ANYIMAGE] mill.jfrog.info:12109/docker/reproduction:latest
      3. Push the image tagged in step #2:

      docker push mill.jfrog.info:12109/docker/reproduction:latest
      The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
      908cf8238301: Layer already exists
      eabfa4cd2d12: Layer already exists
      60c688e8765e: Layer already exists
      f431d0917d41: Layer already exists
      07cab4339852: Layer already exists
      latest: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362

      4. Tag the same image with an additional tag:

      docker tag [SAMEIMAGE] mill.jfrog.info:12109/docker/reproduction:tag1
      

      5. Push the new tag as well:

      docker push mill.jfrog.info:12109/docker/reproduction:tag1
      The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
      908cf8238301: Layer already exists
      eabfa4cd2d12: Layer already exists
      60c688e8765e: Layer already exists
      f431d0917d41: Layer already exists
      07cab4339852: Layer already exists
      tag1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
      

      6. Mandatory step for reproduction (gets the manifest to a cache): Confirm you can pull by digest:

      docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19   
      sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
      Digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      Status: Downloaded newer image for mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      

      7. Tag a new, different, tag as latest:

      docker tag nginx mill.jfrog.info:12109/docker/reproduction:latest
      

      8. Push the new tag:

      docker push mill.jfrog.info:12109/docker/reproduction:latest
      The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
      98b4c818e603: Layer already exists
      1698c1b7e3e6: Layer already exists
      227442bb48dc: Layer already exists
      d899691659b0: Layer already exists
      95ef25a32043: Layer already exists
      latest: digest: sha256:deb724a427ea79face617392a5a471fdcb4cdb57f971ee6b7e492b90fecb199f size: 1362
      

      9. Try to pull the first tag by digest, it fails:

      docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
      manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
      

      The error - "manifest verification failed for digest" indicates Artifactory has returned another manifest.json. By further checking it seem to return the manifest of the new, unrelated image.

        Attachments

          Issue Links

            Forms

              Activity

                  People

                  Assignee:
                  nadavy Nadav Yogev
                  Reporter:
                  arielk Ariel Kabov
                  Votes:
                  2 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                    Dates

                    Created:
                    Updated:
                    Resolved:

                      PagerDuty