Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-23899

Artifactory might cache the wrong manifest in Docker images with fat manifests

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Priority: 4 - Normal
    • Resolution: Done
    • Affects Version/s: 7.10.5
    • Fix Version/s: 7.12.3, 7.10.9
    • Component/s: None
    • Labels:
      None
    • Severity:
      Medium

      Description

      Problem description:

      Docker client shows the following error when pulling a docker image by digest:

      $ sudo docker pull docker-local.art.local/operator/acecc-ecp-prod@sha256:ba693bb12fdbe08c05b1ead96c4680058c8b68465d6cd20b40292dd6eaafa103
      
      sha256:ba693bb12fdbe08c05b1ead96c4680058c8b68465d6cd20b40292dd6eaafa103: Pulling from operator/acecc-ecp-prod
      manifest verification failed for digest sha256:75bc6a5a2ea08422cfb88a430db7121069555a09d4d28a62ff240d34a3a49efa

       

      Steps to reproduce:

      1. Start Artifactory (i used 7.10.6)
      2. Start nginx listening to 443 (important, since docker manifest create requires https registry)
      3. Create this tree locally:

      .
      |-- amd64
      |   |-- Dockerfile
      |   `-- hello.c
      |
      `-- s390x
          |-- Dockerfile
          `-- hello.c 

      Dockerfile content:

      FROM alpine:latest AS builder
      RUN apk add build-base
      WORKDIR /home
      COPY hello.c .
      RUN gcc hello.c -o hello
      FROM alpine:latest
      WORKDIR /home
      COPY --from=builder /home/hello .
      ENTRYPOINT ["./hello"] 

      hello.c content:

      I used this.
      Make sure that the content of amd64 and s309 hello.c files are a bit different, to generate different checksums

       

      4. Run these commands:

       

      cd s390x
      sudo docker build -f Dockerfile --tag docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-s390x .
      sudo docker push docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-s390x
      sudo docker tag docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-s390x docker-local.art.local/operator/acecc-ecp-prod:latest-s390x
      sudo docker push docker-local.art.local/operator/acecc-ecp-prod:latest-s390x
      
      cd ../amd64
      sudo docker build -f Dockerfile --tag docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-amd64 .
      sudo docker push docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-amd64
      sudo docker tag docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-amd64 docker-local.art.local/operator/acecc-ecp-prod:latest-amd64
      sudo docker push docker-local.art.local/operator/acecc-ecp-prod:latest-amd64
      
      cd ..
      sudo docker manifest create docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542 docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-amd64 docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542-s390x
      sudo docker manifest create docker-local.art.local/operator/acecc-ecp-prod:latest docker-local.art.local/operator/acecc-ecp-prod:latest-amd64 docker-local.art.local/operator/acecc-ecp-prod:latest-s390x
      
      sudo docker manifest push docker-local.art.local/operator/acecc-ecp-prod:13.0.0.10-r3-eus-20201106-144542 --purge
      sudo docker manifest push docker-local.art.local/operator/acecc-ecp-prod:latest --purge 

       

      5. Pull the manifest list by digest (with any user).

      The path should be: docker-local/operator/acecc-ecp-prod/13.0.0.10-r3-eus-20201106-144542/list.manifest.json
      So the command should look like this:

      sudo docker pull docker-local.art.local/operator/acecc-ecp-prod@sha256:<checksum of that list.manifest.json file> 

      Should be successful

       

      6. Create another manifest list and push it to Artifactory this way:

      • Change the hello.c of both archs a bit, in order for the checksums to be different
      • Run the commands from step 4, but use version 14.0.0.10 instead of 13.0.0.10 (for all the commands)

       

      7. Create another user in Artifactory (with Read permissions for this Docker local repo)

       

      8. Repeat step 5 (pulling the same manifest list from before, not the new one), this time with the new user (created in step 7):

      - sudo docker logout docker-local.art.local
      - sudo docker login docker-local.art.local (with the new user)
      - sudo docker pull docker-local.art.local/operator/acecc-ecp-prod@sha256:<checksum of that list.manifest.json file> 

      You should see the error:

      manifest verification failed for digest sha256:75bc6a5a2ea08422cfb88a430db7121069555a09d4d28a62ff240d34a3a49efa 

       

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              alexeiv Alexei Vainshtein
              Reporter:
              avivb Aviv Blonder
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Sync Status

                  Connection: RTFACT Sync
                  RTMID-23899 -
                  SYNCHRONIZED
                  • Last Sync Date: