Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-23767

Docker pull by digest could return the wrong manifest due to wrong caching

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 7.9.0, 7.10.2
    • Fix Version/s: 7.10.5
    • Component/s: Docker
    • Labels:
      None
    • Severity:
      Critical
    • Regression:
      Yes
    • Requirement Status:

      UNCOVERED

      Description

      Problem Description
      Docker pull by digest returns the wrong manifest.json from Artifactory, which is declined by the Docker client:

      docker pull mill.jfrog.info:12109/docker-local/repro2@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19                                                                                
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/repro2
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19

      Steps to reproduce:
      1. Steup Artifactory 7.9.0 with Docker repository.
      2. docker tag [ANYIMAGE] mill.jfrog.info:12109/docker/reproduction:latest
      3. Push the image tagged in step #2:

      docker push mill.jfrog.info:12109/docker/reproduction:latest
The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
908cf8238301: Layer already exists
eabfa4cd2d12: Layer already exists
60c688e8765e: Layer already exists
f431d0917d41: Layer already exists
07cab4339852: Layer already exists
latest: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362

      4. Tag the same image with an additional tag:

      docker tag [SAMEIMAGE] mill.jfrog.info:12109/docker/reproduction:tag1

      5. Push the new tag as well:

      docker push mill.jfrog.info:12109/docker/reproduction:tag1
The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
908cf8238301: Layer already exists
eabfa4cd2d12: Layer already exists
60c688e8765e: Layer already exists
f431d0917d41: Layer already exists
07cab4339852: Layer already exists
tag1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362

      6. Mandatory step for reproduction (gets the manifest to a cache): Confirm you can pull by digest:

      docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19   
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
Digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Status: Downloaded newer image for mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19

      7. Tag a new, different, tag as latest:

      docker tag nginx mill.jfrog.info:12109/docker/reproduction:latest

      8. Push the new tag:

      docker push mill.jfrog.info:12109/docker/reproduction:latest
The push refers to repository [mill.jfrog.info:12109/docker/reproduction]
98b4c818e603: Layer already exists
1698c1b7e3e6: Layer already exists
227442bb48dc: Layer already exists
d899691659b0: Layer already exists
95ef25a32043: Layer already exists
latest: digest: sha256:deb724a427ea79face617392a5a471fdcb4cdb57f971ee6b7e492b90fecb199f size: 1362

      9. Try to pull the first tag by digest, it fails:

      docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19

      The error - "manifest verification failed for digest" indicates Artifactory has returned another manifest.json. By further checking it seem to return the manifest of the new, unrelated image.

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product RTFACT-23899 Artifactory might cache the wrong manifest in Docker images with fat manifests

          • Done

            Forms

              Activity

                  People

                  Assignee:
                  nadavy Nadav Yogev
                  Reporter:
                  arielk Ariel Kabov
                  Votes:
                  2 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                    Dates

                    Created:
                    Updated:
                    Resolved:

                      PagerDuty