Problem Description
Docker pull by digest returns the wrong manifest.json from Artifactory, which is declined by the Docker client:
docker pull mill.jfrog.info:12109/docker-local/repro2@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/repro2
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Steps to reproduce:
1. Steup Artifactory 7.9.0 with Docker repository.
2. docker tag [ANYIMAGE] mill.jfrog.info:12109/docker/reproduction:latest
3. Push the image tagged in step #2:
docker push mill.jfrog.info:12109/docker/reproduction:latest The push refers to repository [mill.jfrog.info:12109/docker/reproduction] 908cf8238301: Layer already exists eabfa4cd2d12: Layer already exists 60c688e8765e: Layer already exists f431d0917d41: Layer already exists 07cab4339852: Layer already exists latest: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
4. Tag the same image with an additional tag:
docker tag [SAMEIMAGE] mill.jfrog.info:12109/docker/reproduction:tag1
5. Push the new tag as well:
docker push mill.jfrog.info:12109/docker/reproduction:tag1 The push refers to repository [mill.jfrog.info:12109/docker/reproduction] 908cf8238301: Layer already exists eabfa4cd2d12: Layer already exists 60c688e8765e: Layer already exists f431d0917d41: Layer already exists 07cab4339852: Layer already exists tag1: digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19 size: 1362
6. Mandatory step for reproduction (gets the manifest to a cache): Confirm you can pull by digest:
docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
Digest: sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
Status: Downloaded newer image for mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
7. Tag a new, different, tag as latest:
docker tag nginx mill.jfrog.info:12109/docker/reproduction:latest
8. Push the new tag:
docker push mill.jfrog.info:12109/docker/reproduction:latest The push refers to repository [mill.jfrog.info:12109/docker/reproduction] 98b4c818e603: Layer already exists 1698c1b7e3e6: Layer already exists 227442bb48dc: Layer already exists d899691659b0: Layer already exists 95ef25a32043: Layer already exists latest: digest: sha256:deb724a427ea79face617392a5a471fdcb4cdb57f971ee6b7e492b90fecb199f size: 1362
9. Try to pull the first tag by digest, it fails:
docker pull mill.jfrog.info:12109/docker-local/reproduction@sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19: Pulling from docker-local/reproduction
manifest verification failed for digest sha256:794275d96b4ab96eeb954728a7bf11156570e8372ecd5ed0cbc7280313a27d19
The error - "manifest verification failed for digest" indicates Artifactory has returned another manifest.json. By further checking it seem to return the manifest of the new, unrelated image.
- relates to
-
RTFACT-23899 Artifactory might cache the wrong manifest in Docker images with fat manifests
- Done