-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
oras pull error: empty response Docker-Content-Digest #225
Comments
AWS ECR is not compliant with Docker Registry HTTP API V2 where In OCI spec,
/cc @michaelb990 |
Hmm... A client failure based on a registry not returning a header that SHOULD be present seems like a client issue, not a registry issue. We can still look into fixing this on the registry side, but I'm curious why this is a required header for the ORAS client. Do you know why this changed in |
Before Since it is a "MUST" in the docker spec and a "SHOULD" in the OCI spec, |
As we don't have an ECR to test with, @michaelb990 can you ask @nima to help fixing this? |
Okay I have a repro, and will look into this today/weekend. Side-questions: any discussions (or existence) of black-box/smoke-testing that would have caught something like this? Even something very basic; single command to test out various common and valid critical permutations of commands that should never fail. |
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic pathology. At least in the pull workflow, no where does the library (on behalf of the client) verify on its own the digest returned by the server. By not doing so, it also has become dependent on the optional response header `Docker-Content-Digest`, which has lead to this bug. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`).
That this issue existed is a side-effect of an earlier chronic pathology. At least in the pull workflow, no where does the library (on behalf of the client) verify on its own the digest returned by the server. By not doing so, it also has become dependent on the optional response header `Docker-Content-Digest`, which has lead to this bug. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic pathology. At least in the pull workflow, no where does the library (on behalf of the client) verify on its own the digest returned by the server. By not doing so, it also has become dependent on the optional response header `Docker-Content-Digest`, which has lead to this bug. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
I think I need some help with this; I've started a thread here describing my current approach and its shortcomings. |
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
Please note that this issue also caused the |
I've been away for a couple of weeks; taking a look at this now; will update here. |
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
Part of this change was to revert unrelated changes in `registry/reference*.go'; those to be posted as a separate PR. Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
Fixes the `oras pull error: empty response Docker-Content-Digest` bug (oras-project#225). In this PR, the PR comments were addressed, and unrelated changes in `registry/reference*.go' were reverted for a separate PR (not yet out). Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <github@nima.id.au>
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue #225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <github@nima.id.au>
Pulling a container from AWS ECR fails with error
empty response Docker-Content-Digest
.Steps to reproduce:
oras pull ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}:${TAG}
Expected result:
Actual result:
Verbose error message:
Version Information:
Oras:
0.13.0
Note: I have tested the same command with
v0.12.0
and it works fine in this version. So it looks like this issue was introduced in v0.13.0.The text was updated successfully, but these errors were encountered: