Merge pull request #47459 from thaJeztah/disable_schema1

disable pulling legacy image formats by default
moby · Feb 28, 2024 · 81428bf · 81428bf
2 parents 230cb53 + 62b33a2
commit 81428bf
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 9 deletions.
diff --git a/api/server/router/distribution/distribution_routes.go b/api/server/router/distribution/distribution_routes.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"os"
 
 	"github.com/distribution/reference"
 	"github.com/docker/distribution"
@@ -12,6 +13,7 @@ import (
 	"github.com/docker/distribution/manifest/schema2"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/registry"
+	distributionpkg "github.com/docker/docker/distribution"
 	"github.com/docker/docker/errdefs"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -153,6 +155,9 @@ func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distrib
 			}
 		}
 	case *schema1.SignedManifest:
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
+		}
 		platform := ocispec.Platform{
 			Architecture: mnfstObj.Architecture,
 			OS:           "linux",

diff --git a/daemon/containerd/image_pull.go b/daemon/containerd/image_pull.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
 	"strings"
 
 	"github.com/containerd/containerd"
@@ -115,7 +116,12 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 	var sentPullingFrom, sentSchema1Deprecation bool
 	ah := images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		if desc.MediaType == images.MediaTypeDockerSchema1Manifest && !sentSchema1Deprecation {
-			progress.Message(out, "", distribution.DeprecatedSchema1ImageMessage(ref))
+			err := distribution.DeprecatedSchema1ImageError(ref)
+			if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+				log.G(context.TODO()).Warn(err.Error())
+				return nil, err
+			}
+			progress.Message(out, "", err.Error())
 			sentSchema1Deprecation = true
 		}
 		if images.IsLayerType(desc.MediaType) {

diff --git a/distribution/errors.go b/distribution/errors.go
@@ -213,6 +213,15 @@ func (e reservedNameError) Error() string {
 
 func (e reservedNameError) Forbidden() {}
 
-func DeprecatedSchema1ImageMessage(ref reference.Named) string {
-	return fmt.Sprintf("[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of %s to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/", ref)
+type invalidArgumentErr struct{ error }
+
+func (invalidArgumentErr) InvalidParameter() {}
+
+func DeprecatedSchema1ImageError(ref reference.Named) error {
+	msg := "[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release."
+	if ref != nil {
+		msg += " Suggest the author of " + ref.String() + " to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2."
+	}
+	msg += " More information at https://docs.docker.com/go/deprecated-image-specs/"
+	return invalidArgumentErr{errors.New(msg)}
 }
diff --git a/distribution/manifest.go b/distribution/manifest.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"os"
 	"strings"
 
 	"github.com/containerd/containerd/content"
@@ -292,6 +293,11 @@ func detectManifestBlobMediaType(dt []byte) (string, error) {
 		}
 		return mfst.MediaType, nil
 	case schema1.MediaTypeManifest:
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			err := DeprecatedSchema1ImageError(nil)
+			log.G(context.TODO()).Warn(err.Error())
+			return "", err
+		}
 		if mfst.Manifests != nil || mfst.Layers != nil {
 			return "", fmt.Errorf(`media-type: %q should not have "manifests" or "layers"`, mfst.MediaType)
 		}
@@ -303,6 +309,11 @@ func detectManifestBlobMediaType(dt []byte) (string, error) {
 	}
 	switch {
 	case mfst.FSLayers != nil && mfst.Manifests == nil && mfst.Layers == nil && mfst.Config == nil:
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			err := DeprecatedSchema1ImageError(nil)
+			log.G(context.TODO()).Warn(err.Error())
+			return "", err
+		}
 		return schema1.MediaTypeManifest, nil
 	case mfst.Config != nil && mfst.Manifests == nil && mfst.FSLayers == nil,
 		mfst.Layers != nil && mfst.Manifests == nil && mfst.FSLayers == nil:

diff --git a/distribution/manifest_test.go b/distribution/manifest_test.go
@@ -362,6 +362,7 @@ func TestDetectManifestBlobMediaType(t *testing.T) {
 		"mediaType and fsLayers set": {[]byte(`{"mediaType": "bananas", "fsLayers": []}`), "bananas"},
 	}
 
+	t.Setenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE", "1")
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			mt, err := detectManifestBlobMediaType(tc.json)
@@ -431,6 +432,7 @@ func TestDetectManifestBlobMediaTypeInvalid(t *testing.T) {
 		},
 	}
 
+	t.Setenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE", "1")
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			mt, err := detectManifestBlobMediaType(tc.json)

diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
@@ -424,9 +424,12 @@ func (p *puller) pullTag(ctx context.Context, ref reference.Named, platform *oci
 
 	switch v := manifest.(type) {
 	case *schema1.SignedManifest:
-		msg := DeprecatedSchema1ImageMessage(ref)
-		log.G(ctx).Warn(msg)
-		progress.Message(p.config.ProgressOutput, "", msg)
+		err := DeprecatedSchema1ImageError(ref)
+		log.G(ctx).Warn(err.Error())
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			return false, err
+		}
+		progress.Message(p.config.ProgressOutput, "", err.Error())
 
 		id, manifestDigest, err = p.pullSchema1(ctx, ref, v, platform)
 		if err != nil {
@@ -857,9 +860,12 @@ func (p *puller) pullManifestList(ctx context.Context, ref reference.Named, mfst
 
 		switch v := manifest.(type) {
 		case *schema1.SignedManifest:
-			msg := DeprecatedSchema1ImageMessage(ref)
-			log.G(ctx).Warn(msg)
-			progress.Message(p.config.ProgressOutput, "", msg)
+			err := DeprecatedSchema1ImageError(ref)
+			log.G(ctx).Warn(err.Error())
+			if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+				return "", "", err
+			}
+			progress.Message(p.config.ProgressOutput, "", err.Error())
 
 			platform := toOCIPlatform(match.Platform)
 			id, _, err = p.pullSchema1(ctx, manifestRef, v, platform)

diff --git a/hack/make/.integration-daemon-start b/hack/make/.integration-daemon-start
@@ -46,6 +46,9 @@ export DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE=1
 export DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER:-vfs}
 export DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-true}
 
+# Allow testing push/pull of legacy image formats
+export DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE=1
+
 # example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G"
 storage_params=""
 if [ -n "$DOCKER_STORAGE_OPTS" ]; then