Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-25069

Docker OCI Images require specific "Accept" header

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 7.12.8
    • Fix Version/s: 7.18.0
    • Component/s: Docker
    • Labels:
      None
    • Severity:
      High
    • Release Notes:
      Yes

      Description

      Problem description: 

      OCI Docker Images are supported by Artifactory, however OCI Images are usually pulled by third-party tools such as "skopeo". This bug causes Artifactory to have trouble serving Docker images to these kinds tools. 

      The crux of the issue is related to the headers Artifactory expects. If you do not provide a specific header, Artifactory replies with a "MANIFEST UNKNOWN" error, despite the image being available and the API correct.

      What is the expected behavior?

      If the proper GET request is made and the OCI image exists, its manifest is sent without requiring this header.

      Steps to reproduce: 

      1] Create an OCI Docker image, or use the Repository Export attached to this Jira

         The Repository Export contains two images: A normal "Busybox" image and a "Busybox-oci" image (A test image).

      2] Attempt to get the manifest.json using the Docker API. First get a token using a simulated "docker login"

      curl -u admin:password -v docker.art.local/v2/token

      {"token":"AK[...]zZ","expires_in":3600}

      3] To show things are imported correctly, get the normal Docker image's manifest.json with no header:

      curl -H"Authorization: Bearer AK[...]zZ" docker.art.local/v2/busybox/manifests/latest

      {
      "schemaVersion" : 1,
      "name" : "busybox",
      "tag" : "latest",
      "architecture" : "amd64",
      "fsLayers" : [

      { "blobSum" : "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" }

      , {

      [...]

      4] Attempt to get the OCI Docker Image's manifest.json using the same style of command, get a 404 Not Found:

      curl -H"Authorization: Bearer AK[...]zZ" docker.art.local/v2/busybox-oci/manifests/latest*
      {"errors":[\{"code":"MANIFEST_UNKNOWN","message":"The named manifest is not known to the registry.","detail":{"manifest":"busybox-oci"}}]}*

      5] Try the same command with the now-required header:

      curl -H"Authorization: Bearer AKC[...]zZ" docker-local.art.local/v2/busybox-oci/manifests/latest -H "Accept: application/vnd.oci.image.manifest.v1+json"
      {
      "schemaVersion": 2,
      "config":

      { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:018c9d7b792b4be80095d957533667279843acf9a46c973067c8d1dff31ea8b4", "size": 1494 }

      ,
      "layers": [

      { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:61c5ed1cbdf8e801f3b73d906c61261ad916b2532d6756e7c4fbcacb975299fb", "size": 763789 }

      ]
      }

      Possible workaround:

      Include the header "Accept: application/vnd.oci.image.manifest.v1+json" in your REST API commands. This isn't always possible with third-party tools.

        Attachments

          Activity

            People

            Assignee:
            barakh Barak Hacham
            Reporter:
            patrickr Patrick Russell
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Sync Status

                Connection: RTFACT Sync
                RTMID-25069 -
                SYNCHRONIZED
                • Last Sync Date: