-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dockerd neglects to populate OCI Descriptor size field #46641
Comments
Here are the mitmdump logs: |
oh shoot, since i didn't file this issue in the web ui i neglected to include some important info:
|
The mechanisms that generate the descriptors are different for config vs. layer blobs; see my dive here: moby/buildkit#4328 (comment) In the case of the config descriptor, the descriptor is generated in distribution/distribution, in the client |
Here's a new set of captures, but this time I made sure to clear out the local storage in each registry (I think my previous mitmdumps excluded actual upload of blobs for distribution because it had cached data from previous pushes): This also includes tcpdump captures as per @neersighted's request in slack DM. The tcpdump captures were grabbed using the following command: # for distribution
tcpdump -i lo -XX -s 0 'tcp port 5001 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | tee distribution.pcap
# for portfolio
tcpdump -i lo -XX -s 0 'tcp port 13030 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | tee portfolio.pcap |
@waynr the PCAP files appear corrupt (at least according to wireshark), and the new mitmproxy flow still shows layers already present in the distribution/distribution registry. |
@neersighted here's another attempt, but this time using I did open the tcpdump captures in wireshark this time to verify that works. The tcpdump capture looks more reliable than the mitmproxy capture so I'll probably leave the latter out of future captures. |
Okay one more try...one of my previous tcpdump captures was bad, this time I've checked in wireshark that both the distribution and the portfolio captures include all the expected http exchanges. |
Actually, forget this -- I was using mitmproxy again and compared with tcpdump it doesn't seem to show all the requests strangely. In the tcpdump capture I do see HTTP PATCH requests for distribution. 🤦 |
Okay, I figured out what I need to do in my registry to get the The problem seems to be that I was using the empty string ( I'm guessing that returning the wrong content type in the While I acknowledge that the behavior of my code was wrong (I mostly raised this issue to understand what i was doing wrong), I still think it's wrong for dockerd to have a descriptor-generating code path that doesn't include a |
One more quick update! So in my previous comment I mentioned replacing plain text body in all my registry's API endpoint responses with I initially assumed that just having I fixed the route handler in my app for This suggests that in dockerd's image pushing code it sets the config descriptor's size field from the Is any of this a bug in dockerd? I don't know. I would think that it would try to calculate the size of the image config directly rather than rely on the registry response header as described above. The OCI Distribution spec doesn't even say anything about |
It appears docker/for-linux#1296 was a duplicate/the first report of this, but the reporter chose not to open an issue once they realized that their registry was returning the 'wrong' size. |
As background, I originally reported this issue in the buildkit repo: moby/buildkit#4328
Since that issue was closed yesterday I felt a bit crazy because on the one hand I can clearly see in my WIP registry implementation that manifests pushed to it by dockerd definitely do not contain the
size
field in the descriptors as required by the OCI image spec, yet on the other hand the issue doesn't seem reproducible pushing images to a local copy of distribution.@neersighted mentioned I should open a PR here if I can prove that the size field is missing from manifests on the wire during a
PUT /v2/<name>/manifests/<reference>
call so that's what I'm doing.Here are the details of my setup:
mitmdump --mode reverse:http://127.0.0.1:13030@8080 --flow-detail 4 > portfolio.mitmproxy.flow
mitmdump --mode reverse:http://127.0.0.1:5000@8081 --flow-detail 4 > distribution.mitmproxy.flow
With this setup I run the following docker build commands:
(I will upload a tarball with the resulting logs after submitting this issue since I am not using a web browser to write this description)
The relevant snippet of mitmdump output for portfolio (note the missing
size
filed in theconfig
descriptor):The relevant snippet of mitmdump output for distribution (note the presence of the
config.size
field here, in contrast with the above snippet):I believe that if I build the image without cached layers and push it first to my WIP registry I can get a manifest where the layer descriptors also don't include the
size
field, but the above logs should be enough to establish the fact that this is happening (and i'm not crazy 😄)For what it's worth, I would like to share my WIP registry so others can more easily reproduce this but the dev env setup is somewhat complicated by the need for a postgresql wire compatible DB and a live S3 compatible API. I'll eventually implement support for sqlite metadata storage and local file system bulk data storage but that could be a while.
In the short term I intend to work on a cloud deployment of this that I will be happy to share with maintainers who want to see the issue for themselves. (probably won't be ready until next week)
I've also noticed some differences between distribution and my implementation in terms of the
/v2/
response (eg distribution includes an empty json in the response body, mine doesn't) and various headers. I suspect that if I align the behavior of my registry more closely to distribution this problem might go away.But I'm reporting this bug anyway because it does definitely seem like a bug somewhere in dockerd or one of the registry client libraries it might be using to exclude the descriptor size field under any circumstance.
The text was updated successfully, but these errors were encountered: