  1. Dev - Nexus Repo
  2. NEXUS-16947

docker repository opencontainers.org OCI compliance


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Parked
    • Affects Version/s: 3.6.0, 3.11.0
    • Fix Version/s: None
    • Component/s: Docker
    • Labels:
      None
    • Environment:
      Red Hat OpenShift v3.7.14 / Kubernetes v1.7.6+a08f5eeb62

      Description

      I built an OCI image with the buildah 0.16 tool and then pushed it to a private Docker registry on Nexus.

      The push is OK and I can see the image in the Nexus GUI.

      But when I try to pull it with a docker client > 1.13 I get this error:

      level=debug msg="Calling POST /v1.27/images/create?fromImage=MY_IMAGE_NAME_AND_TAG"
      level=debug msg="hostDir: /etc/docker/certs.d/MYREGISTRY"
      level=debug msg="hostDir: /etc/docker/certs.d/MYREGISTRY"
      level=debug msg="Trying to pull MY_IMAGE_NAME_AND_TAG from https://MYREGISTRY v2"
      level=debug msg="Calling GET /v1.30/services"
      level=debug msg="Calling GET /v1.30/tasks"
      level=error msg="Error trying v2 registry: target is unknown"
      level=error msg="Attempting next endpoint for pull after error: target is unknown"
      level=debug msg="Skipping v1 endpoint https://MYREGISTRY because v2 registry was detected"
      level=error msg="Handler for POST /v1.27/images/create returned error: target is unknown"
      
      

      When the manifest is pushed, this is the request:

      PUT //docker-XXXXX/v2/test/build-docker/manifests/0.4-SNAPSHOT HTTP/1.1
      User-Agent: Go-http-client/1.1
      Content-Length: 496
      Authorization: Bearer DockerToken.48158b78-72a0-3bb7-ba67-b742XXXXX24
      Content-Type: application/vnd.oci.image.manifest.v1+json
      Docker-Distribution-Api-Version: registry/2.0
      Accept-Encoding: gzip
      Connection: close
      Host: docker-XXXXX
      X-Forwarded-Host: docker-XXXXX
      X-Forwarded-Port: 443
      X-Forwarded-Proto: https
      Forwarded: for=1XXXXX;host=docker-XXXXX;proto=https
      X-Forwarded-For: 1XXXXX
      

      And the response from Nexus : 

      201 null HTTP/1.1
      Connection: close
      Date: Wed, 25 Apr 2018 11:11:28 GMT
      Server: Nexus/3.6.0-02 (OSS)
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Docker-Distribution-Api-Version: registry/2.0
      Last-Modified: Wed, 25 Apr 2018 11:11:28 GMT
      Docker-Content-Digest: sha256:a4869aba816cb490482be506ad0eade677f7597968a6ac2df218fb95a3f3a47a
      Content-Type: application/vnd.docker.distribution.manifest.v2+json
      Content-Length: 496
      

       

      And when I view the manifest on Nexus I get this:

      {
        "schemaVersion":2,
        "config":{
          "mediaType":"application/vnd.oci.image.config.v1+json",
          "digest":"sha256:23d1c505e127930cae6d0540a6c8ecfd7f59fc1c674f86343c9b54233e47ea23",
          "size":6410
        },
        "layers":[
          {
            "mediaType":"application/vnd.oci.image.layer.v1.tar",
            "digest":"sha256:f2b6b4884fc8b2f1fcef843f92f7c82c9c149df85ac77e5f0de7a342ae442412",
            "size":52608519
          },
      
      

      A mediaType attribute is missing at the top level with this value : 

      application/vnd.oci.image.manifest.v1+json

       

      And when I try a curl to get the manifest content, the Content-Type returned by Nexus is:

      Content-Type: application/vnd.docker.distribution.manifest.v2+json

       

      This moby issue suggests that with docker > 1.13 the docker pull is more restrictive on the mediaType, which is why it works with docker < 1.13.

      In question: The cause of this issue is that Nexus doesn't manage the mediaType application/vnd.oci.image.manifest.v1+json, so it's actually not OCI compliant?

      Expected

      Nexus Repository Manager hosted Docker registries OCI compliance:

      https://blog.docker.com/2018/04/docker-registry-api-standardized-oci/
      https://www.opencontainers.org/

      Workaround

      Specific to buildah - the tool can be forced to push docker compliant images. Example:

      buildah bud --format=docker
      

      For more information see https://github.com/projectatomic/buildah/issues/575
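The mismatch reported in this ticket (OCI manifest bytes served under the Docker v2 manifest Content-Type) can be checked mechanically on any registry response. The following is an added example, not part of the ticket or of Nexus; the function names are hypothetical and the sample manifest is constructed with dummy digests.

```python
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
DOCKER_V2_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
DOCKER_CONFIG = "application/vnd.docker.container.image.v1+json"


def manifest_type(body: bytes) -> str:
    """Return the manifest media type implied by the manifest body itself."""
    doc = json.loads(body)
    declared = doc.get("mediaType")
    if declared:
        return declared
    # No top-level mediaType (the case in the ticket): infer from the config descriptor.
    config_type = doc.get("config", {}).get("mediaType")
    if config_type == OCI_CONFIG:
        return OCI_MANIFEST
    if config_type == DOCKER_CONFIG:
        return DOCKER_V2_MANIFEST
    return "unknown"


def audit_manifest_response(content_type: str, digest_header: str, body: bytes) -> list:
    """Compare what the registry claims in headers with what the bytes actually are."""
    findings = []
    implied = manifest_type(body)
    served = content_type.split(";")[0].strip().lower()
    if served != implied:
        findings.append(f"content-type mismatch: served {served}, body implies {implied}")
    # Docker-Content-Digest must be the sha256 of the exact bytes returned.
    actual = "sha256:" + hashlib.sha256(body).hexdigest()
    if digest_header != actual:
        findings.append(f"digest mismatch: header {digest_header}, body {actual}")
    return findings


# Constructed sample: shape follows the manifest in the ticket, digests are dummy values.
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2,
    "config": {"mediaType": OCI_CONFIG, "digest": "sha256:" + "0" * 64, "size": 6410},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                "digest": "sha256:" + "1" * 64, "size": 52608519}],
}).encode()
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_BODY).hexdigest()

if __name__ == "__main__":
    for line in audit_manifest_response(DOCKER_V2_MANIFEST, SAMPLE_DIGEST, SAMPLE_BODY):
        print(line)
```

Run against a saved response, the same check separates a relabelled manifest (content-type finding only) from one whose bytes were altered (digest finding).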


              People

              Assignee:
              Unassigned
              Reporter:
              gregory.boue gregory boue
              Last Updated By:
              Joe Tom