Description
containertool fails to build a container image using the default base image when running on Linux:
```
% containertool \
--verbose \
--architecture amd64 \
--netrc-file netrc \
--repository localhost:5555/hello-world \
hello-world
Base image architecture: amd64
Connected to source registry: index.docker.io
Connected to destination registry: localhost:5555
Using base image: index.docker.io/library/swift:slim
Found base image manifest: sha256:e02fd41584b2a98ee93d9e2264bfd493f613eac63b5214c43610080e9311b0d7
Error: Registry returned an unexpected HTTP error code: 400
```
The same command succeeds when running on macOS:
```
% containertool \
--verbose \
--architecture amd64 \
--netrc-file netrc \
--repository localhost:5555/hello-world \
hello-world
Base image architecture: arm64
Connected to source registry: index.docker.io
Connected to destination registry: localhost:5555
Using base image: index.docker.io/library/swift:slim
Found base image manifest: sha256:ff39d888ed62ce56fa69c5039816beea463b74a1d1e065cab62b4d668cc024f3
Found base image configuration: sha256:74b7c6967b5380d6ee78d2e2c55a3bf9338384ff5b9c6ea3c4e25002e09817d5
application layer: sha256:82f0fe8d67d268700eaad0b178fd747f12b657c5c68cad27794c9cf26cfe9ca8 (61076519 bytes)
image configuration: sha256:fa616ac89a84cde505f4bad8bbe1dcaeca24afff60b961cbdd8d9adc45282fe1 (1324 bytes)
Layer sha256:b8a35db46e38ce87d4e743e1265ff436ed36e01d23246b24a1cbbeaae18ec432: already exists
Layer sha256:7d75a6603aab32f37c53902d6bb406d32d564bf217d994b703752f8c4fe324c8: already exists
Layer sha256:6667262b7bb582a846d2c048a008919201f525b30ebf94307aee80757d863753: already exists
manifest: sha256:e8e8511e6f83b819b46e7564fbc761768fe3401dd5547d9c34b6aae1afb9ebda (1080 bytes)
index: sha256:3e208e74a4600d514dc9fb1766aabd2ff0280a4e8f03b1fcaf716a684eccdf31 (384 bytes)
localhost:5555/hello-world@sha256:3e208e74a4600d514dc9fb1766aabd2ff0280a4e8f03b1fcaf716a684eccdf31
```
The problem occurs when containertool tries to download the base image's configuration blob. Adding some more debugging output shows that the 400 response has a body with an error message, which appears to come from Amazon S3:
```
<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidRequest</Code><Message>Missing x-amz-content-sha256</Message></Error>
```
Some more debugging output shows that Docker Hub redirects the request for the configuration blob to a Cloudflare address, presumably proxying to S3. The redirect URL includes various S3 signatures and credentials. The redirect URL can be fetched successfully with curl and does not need an Authorization header. Adding containertool's Authorization header to the curl command results in the same 400 response and error message.
Many HTTP clients remove the Authorization header when following a redirect because the credentials might not be relevant to the destination server. URLSession appears to do this on macOS, but the Linux implementation is different and leaves the Authorization header in the redirected request. Adding a URLSessionDelegate to remove the header when following a redirect allows containertool to pull the base image when running on Linux.
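The redirect handling described above, as an added Swift example that is not containertool's own code. The class name `CredentialStrippingRedirectDelegate` is hypothetical, and the choice to drop the header only when the redirect leaves the original origin (scheme, host and port) is an assumption that goes slightly beyond the unconditional removal the issue describes.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLSession lives in this module on Linux
#endif

/// Hypothetical delegate: removes Authorization before a redirect is followed
/// to a different origin, so registry credentials never reach the blob host.
final class CredentialStrippingRedirectDelegate: NSObject, URLSessionTaskDelegate {

    /// Origin = scheme + host + effective port; nil if the URL is unusable.
    private func origin(of url: URL?) -> String? {
        guard let url = url,
              let scheme = url.scheme?.lowercased(),
              let host = url.host?.lowercased() else { return nil }
        let port = url.port ?? (scheme == "https" ? 443 : 80)
        return "\(scheme)://\(host):\(port)"
    }

    func urlSession(
        _ session: URLSession,
        task: URLSessionTask,
        willPerformHTTPRedirection response: HTTPURLResponse,
        newRequest request: URLRequest,
        completionHandler: @escaping (URLRequest?) -> Void
    ) {
        var redirected = request
        let from = origin(of: response.url)  // server that issued the redirect
        let to = origin(of: request.url)     // server the redirect points at

        // Fail closed: if either origin is unknown, or they differ
        // (including an https -> http downgrade), drop the credential.
        if from == nil || to == nil || from != to {
            redirected.setValue(nil, forHTTPHeaderField: "Authorization")
        }
        completionHandler(redirected)
    }
}

// The same delegate gives identical redirect behaviour on macOS and Linux.
let session = URLSession(
    configuration: .ephemeral,
    delegate: CredentialStrippingRedirectDelegate(),
    delegateQueue: nil
)
```

This assumes the credential is set on each request; a header supplied through `URLSessionConfiguration.httpAdditionalHeaders` is applied by the session itself and is not removed by editing the redirected request.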