Improve enforcement of destination digest references on copy #994

Open
mtrmac opened this issue Jul 29, 2020 · 1 comment
Labels
kind/bug A defect in an existing functionality (or a PR fixing it)

Comments

@mtrmac
Collaborator

mtrmac commented Jul 29, 2020

skopeo copy --all docker://$src@$digest docker://$dest@$digest does not set canModifyManifestList to false, so the copy will try to send a modified manifest to the registry.

This is easiest to reproduce by adding --format {oci,v2s2} (one of the values, to trigger conversion).

Typically, the registry rejects that with digest invalid or something similar, because the manifest list we send does not match the digest reference used for the upload, so, this does not fail silently; still, we should recognize this case and either fail explicitly, or (to be consistent with the single-image copy case) ignore the --format option and preserve the original manifest — probably some combination of both, e.g. with ImageListSelection: CopySpecificImages.


Separately, the code in copyOneImage for enforcing destination digest references handles corner cases badly:

  • skopeo copy --all docker://$src@$digest docker://$dest@$differentDigest actually fails when copying the first architecture-specific image, because the destination $differentDigest matches neither the architecture-specific image nor the $digest of the manifest list
  • skopeo copy docker://$src@$digest docker://$dest$digest on a multi-arch image (i.e. writing only the current-architecture image to the destination, not a manifest list, with $digest a digest of the manifest list) is accepted by that check, and only rejected by the registry with digest invalid later.
@mtrmac
Collaborator Author

mtrmac commented Feb 1, 2022

> skopeo copy --all docker://$src@$digest docker://$dest@$digest does not set canModifyManifestList to false, so the copy will try to send a modified manifest to the registry.
>
> This is easiest to reproduce by adding --format {oci,v2s2} (one of the values, to trigger conversion).

This was fixed in #1413.

>   • skopeo copy --all docker://$src@$digest docker://$dest@$differentDigest actually fails when copying the first architecture-specific image, because the destination $differentDigest matches neither the architecture-specific image nor the $digest of the manifest list

This was fixed in #1413, $differentDigest must match the source image, or the copy is immediately rejected.

>   • skopeo copy docker://$src@$digest docker://$dest$digest on a multi-arch image (i.e. writing only the current-architecture image to the destination, not a manifest list, with $digest a digest of the manifest list) is accepted by that check, and only rejected by the registry with digest invalid later.

This is still outstanding, but directly changing that would probably break digested pulls to c/storage.

@mtrmac mtrmac added the kind/bug A defect in an existing functionality (or a PR fixing it) label Jul 12, 2023
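
Added example, not part of the original issue and not containers/image code: a minimal Go model of a local check that rejects a copy before upload when the manifest to be written cannot match the destination digest reference. It covers the --format conversion case and the single-image copy that reuses the manifest list's digest. The names topLevel and preflight and the sample manifests are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample manifests (abbreviated, not fetched from a real registry).
var (
	sampleList        = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json","manifests":[]}`)
	sampleConverted   = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}`)
	sampleInstance    = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json"}`)
	ErrDigestMismatch = errors.New("manifest does not match destination digest reference")
)

// manifestDigest returns the "sha256:<hex>" digest of the exact manifest bytes.
func manifestDigest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// topLevel (hypothetical helper) picks the bytes that would be uploaded under the
// destination reference: one instance without --all, else the (possibly converted) list.
func topLevel(all bool, list, instance, converted []byte) []byte {
	if !all {
		return instance
	}
	if converted != nil {
		return converted
	}
	return list
}

// preflight fails before any upload if destDigest ("" = not digested) cannot match.
func preflight(destDigest string, upload []byte) error {
	if got := manifestDigest(upload); destDigest != "" && got != destDigest {
		return fmt.Errorf("%w: want %s, got %s", ErrDigestMismatch, destDigest, got)
	}
	return nil
}

func main() {
	d := manifestDigest(sampleList) // digest of the source manifest list
	fmt.Println(preflight(d, topLevel(true, sampleList, sampleInstance, nil)))             // --all, list unmodified
	fmt.Println(preflight(d, topLevel(true, sampleList, sampleInstance, sampleConverted))) // --all with --format
	fmt.Println(preflight(d, topLevel(false, sampleList, sampleInstance, nil)))            // single image, list digest
}
```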