oras pull error: empty response Docker-Content-Digest #225
Comments
|
AWS ECR is not compliant with Docker Registry HTTP API V2 where In OCI spec,
/cc @michaelb990 |
|
Hmm... A client failure based on a registry not returning a header that SHOULD be present seems like a client issue, not a registry issue. We can still look into fixing this on the registry side, but I'm curious why this is a required header for the ORAS client. Do you know why this changed in |
|
Before Since it is a "MUST" in the docker spec and a "SHOULD" in the OCI spec, |
|
As we don't have an ECR to test with, @michaelb990 can you ask @nima to help fixing this? |
shizhMSFT
added
bug
|
Okay I have a repro, and will look into this today/weekend. Side-questions: any discussions (or existence) of black-box/smoke-testing that would have caught something like this? Even something very basic; single command to test out various common and valid critical permutations of commands that should never fail. |
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 11, 2022
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 11, 2022
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 11, 2022
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 12, 2022
Fixes oras-project#225 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 15, 2022
That this issue existed is a side-effect of an earlier chronic pathology. At
least in the pull workflow, no where does the library (on behalf of the client)
verify on its own the digest returned by the server. By not doing so, it also
has become dependent on the optional response header `Docker-Content-Digest`,
which has lead to this bug.
In this change, two new functions have been added:
1) calculateDigestFromResponse
2) verifyContentDigestForPull
The former calculates the actual digest of the response body. The latter
performs a 3-way validation between the two potentially-empty digests--namely,
the reference digest (if indeed the reference supplied by the user was a digest
and not a tag), and the response header optionally set by the server (that is,
`Docker-Content-Digest`).
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 15, 2022
That this issue existed is a side-effect of an earlier chronic pathology. At
least in the pull workflow, no where does the library (on behalf of the client)
verify on its own the digest returned by the server. By not doing so, it also
has become dependent on the optional response header `Docker-Content-Digest`,
which has lead to this bug.
In this change, two new functions have been added:
1) calculateDigestFromResponse
2) verifyContentDigestForPull
The former calculates the actual digest of the response body. The latter
performs a 3-way validation between the two potentially-empty digests--namely,
the reference digest (if indeed the reference supplied by the user was a digest
and not a tag), and the response header optionally set by the server (that is,
`Docker-Content-Digest`).
Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 15, 2022
That this issue existed is a side-effect of an earlier chronic pathology. At
least in the pull workflow, no where does the library (on behalf of the client)
verify on its own the digest returned by the server. By not doing so, it also
has become dependent on the optional response header `Docker-Content-Digest`,
which has lead to this bug.
In this change, two new functions have been added:
1) calculateDigestFromResponse
2) verifyContentDigestForPull
The former calculates the actual digest of the response body. The latter
performs a 3-way validation between the two potentially-empty digests--namely,
the reference digest (if indeed the reference supplied by the user was a digest
and not a tag), and the response header optionally set by the server (that is,
`Docker-Content-Digest`).
Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
|
I think I need some help with this; I've started a thread here describing my current approach and its shortcomings. |
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 16, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 17, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Jul 18, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
|
Please note that this issue also caused the |
|
I've been away for a couple of weeks; taking a look at this now; will update here. |
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 17, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 18, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 19, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. In this change, two new functions have been added: 1) calculateDigestFromResponse 2) verifyContentDigestForPull The former calculates the actual digest of the response body. The latter performs a 3-way validation between the two potentially-empty digests--namely, the reference digest (if indeed the reference supplied by the user was a digest and not a tag), and the response header optionally set by the server (that is, `Docker-Content-Digest`). This change--depite possibly being a meager improvement, is still inadequate. The reason for the inadequacy is that it relies heavily on a response body not being close, and this is not always the case. Where it is closed, it again defaults back to scavenging from any of the two digests available to it, and neither is guaranteed to even exist: 1) The header `Docker-Content-Digest`, as already mentioned, is OPTIONAL 2) The user-supplied `reference` is polymorphic, in that it could just as well be a `digest`, as it could a `tag`. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
1 task
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 22, 2022
Part of this change was to revert unrelated changes in `registry/reference*.go'; those to be posted as a separate PR. Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 22, 2022
Fixes the `oras pull error: empty response Docker-Content-Digest` bug (oras-project#225). In this PR, the PR comments were addressed, and unrelated changes in `registry/reference*.go' were reverted for a separate PR (not yet out). Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 22, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <nima@users.noreply.github.com>
nima
added a commit
to nima/oras-go
that referenced
this issue
Aug 25, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue oras-project#225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <github@nima.id.au>
Wwwsylvia
pushed a commit
that referenced
this issue
Aug 25, 2022
That this issue existed is a side-effect of an earlier chronic issue. At least in the pull workflow, no where does the library (on behalf of the client) attempt to verify the digest returned by the register/server. By not doing so, it also has taken an unhealthy dependency on a precariously OPTIONAL response header, namely, `Docker-Content-Digest`. All this has lead to issue #225. Discussion thread on this has been opened up in Slack: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1657935407555609 Signed-off-by: Nima Talebi <github@nima.id.au>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Pulling a container from AWS ECR fails with error
empty response Docker-Content-Digest.Steps to reproduce:
oras pull ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}:${TAG}Expected result:
Actual result:
Verbose error message:
Version Information:
Oras:
0.13.0Note: I have tested the same command with
v0.12.0and it works fine in this version. So it looks like this issue was introduced in v0.13.0.The text was updated successfully, but these errors were encountered: