2 - Critical Problem Description
Docker pull by digest returns the wrong manifest.json from Artifactory, which is declined by the Docker client:
docker pull artifactory:8081/docker-local/repro2@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/repro2
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Steps to reproduce:
1. Steup Artifactory 7.9.0 with Docker repository.
2. docker tag [ANYIMAGE] artifactory:8081/docker/reproduction:latest
3. Push the image tagged in step #2:
docker push artifactory:80819/docker/reproduction:latest The push refers to repository [artifactory:8081/docker/reproduction] 908cf8238301: Layer already exists eabfa4cd2d12: Layer already exists 60c688e8765e: Layer already exists f431d0917d41: Layer already exists 07cab4339852: Layer already exists latest: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
4. Tag the same image with an additional tag:
docker tag [SAMEIMAGE] artifactory:8081/docker/reproduction:tag1
5. Push the new tag as well:
docker push artifactory:8081/docker/reproduction:tag1 The push refers to repository [artifactory:8081/docker/reproduction] 908cf8238301: Layer already exists eabfa4cd2d12: Layer already exists 60c688e8765e: Layer already exists f431d0917d41: Layer already exists 07cab4339852: Layer already exists tag1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
6. Mandatory step for reproduction (gets the manifest to a cache): Confirm you can pull by digest:
docker pull artifactory:8081/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
Digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Status: Downloaded newer image for artifactory:8081/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
artifactory:8081/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
7. Tag a new, different, tag as latest:
docker tag nginx artifactory:8081/docker/reproduction:latest
8. Push the new tag:
docker push artifactory:8081/docker/reproduction:latest The push refers to repository [artifactory:8081/docker/reproduction] 98b4c818e603: Layer already exists 1698c1b7e3e6: Layer already exists 227442bb48dc: Layer already exists d899691659b0: Layer already exists 95ef25a32043: Layer already exists latest: digest: sha256:deb724a427ea79face617392a5a471fdcb4cdb57f971ee6b7e492b90fecb199f size: 1362
9. Try to pull the first tag by digest, it fails:
docker pull artifactory:8081/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
The error - "manifest verification failed for digest" indicates Artifactory has returned another manifest.json. By further checking it seem to return the manifest of the new, unrelated image.
- relates to
-
RTFACT-23899 Artifactory might cache the wrong manifest in Docker images with fat manifests
-
- Done
-