Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-23689

requesting manifest for a tag returns a manifest list instead

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.22.0, 3.22.1, 3.25.1
    • Fix Version/s: None
    • Component/s: Docker
    • Labels:

      Description

      making a curl request to nexus docker tag manifests endpoint with header

      Accept: application/vnd.docker.distribution.manifest.v2+json 

      actually responds with

      Content-Type: application/vnd.docker.distribution.manifest.list.v2+json

      which is not the same as requesting the same image from a non nexus registry and feels very wrong from an api standpoint.

       

      This isn't an issue for docker (somehow). but is for other apps that use the api getting an unexpected response.

       

      It feels like the default response when multiple should be for amd64 unless specifically requesting the manifest list

       

      Example below is using a mirror registry of gcr.io

      ❯ curl -L https://gcr.mymirror.com/v2/google-containers/hyperkube/manifests/v1.17.5 -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' -v
      * Trying 54.76.168.140...
      * TCP_NODELAY set
      * Connected to gcr.mymirror.com (54.76.168.140) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
      * successfully set certificate verify locations:
      * CAfile: /etc/ssl/cert.pem
       CApath: none
      * TLSv1.2 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS change cipher, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      * subject: CN=*.public.core.cfc.osp.tech
      * start date: Apr 2 08:15:11 2020 GMT
      * expire date: Jul 1 08:15:11 2020 GMT
      * subjectAltName: host "gcr.mymirror.com" matched cert's "*.mymirror.com"
      * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
      * SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0x7ff42300b600)
      > GET /v2/google-containers/hyperkube/manifests/v1.17.5 HTTP/2
      > Host: gcr.public.core.cfc.osp.tech
      > User-Agent: curl/7.54.0
      > Accept: application/vnd.docker.distribution.manifest.v2+json
      >
      * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
      < HTTP/2 200
      < server: nginx/1.15.6
      < date: Mon, 27 Apr 2020 13:14:41 GMT
      < content-type: application/vnd.docker.distribution.manifest.list.v2+json
      < content-length: 1670
      < x-content-type-options: nosniff
      < content-security-policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      < x-xss-protection: 1; mode=block
      < last-modified: Mon, 27 Apr 2020 13:14:41 GMT
      < docker-content-digest: sha256:9f1204bc60349d517b084f61416a1b5b05e09e14e21e78df3a4af338bb0d44f3
      < docker-distribution-api-version: registry/2.0
      < x-envoy-upstream-service-time: 599
      < strict-transport-security: max-age=300; includeSubDomains
      < x-frame-options: deny
      < x-permitted-cross-domain-policies: none
      <
      {
       "schemaVersion": 2,
       "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
       "manifests": [
       {
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "size": 2206,
       "digest": "sha256:cf35140a5f3ec997a1ee1c1f666520b1d97a0ff220a3cc6aa693f023e1715977",
       "platform": {
       "architecture": "amd64",
       "os": "linux"
       }
       },
       {
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "size": 2205,
       "digest": "sha256:eec116c3c1f81936cc3a9e221aba2bc96ed69c90cacc6c1cb5a5eae30bfcc4dd",
       "platform": {
       "architecture": "arm",
       "os": "linux"
       }
       },
       {
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "size": 2206,
       "digest": "sha256:b72cba11c729697d6ddf1e758570ac0de299bd711c186ffdb6078c80901f5632",
       "platform": {
       "architecture": "arm64",
       "os": "linux"
       }
       },
       {
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "size": 2206,
       "digest": "sha256:daf521613ab7e97699e5da06f4aeda9ef572ca2e7e3772f51171531a72f7acd6",
       "platform": {
       "architecture": "ppc64le",
       "os": "linux"
       }
       },
       {
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "size": 2206,
       "digest": "sha256:52b53e7f2ef182afc460e15f3f8f47531546cd6a58520e5d88a09942ab192c2c",
       "platform": {
       "architecture": "s390x",
       "os": "linux"
       }
       }
       ]
      * Connection #0 to host gcr.mymirror.com left intact
      }
      
      

       

      ❯ curl -L https://gcr.io/v2/google-containers/hyperkube/manifests/v1.17.5 -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' -v
      * Trying 2a00:1450:400c:c03::52...
      * TCP_NODELAY set
      * Connected to gcr.io (2a00:1450:400c:c03::52) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
      * successfully set certificate verify locations:
      * CAfile: /etc/ssl/cert.pem
       CApath: none
      * TLSv1.2 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS change cipher, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
      * ALPN, server accepted to use h2
      * Server certificate:
      * subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.gcr.io
      * start date: Apr 1 13:03:43 2020 GMT
      * expire date: Jun 24 13:03:43 2020 GMT
      * subjectAltName: host "gcr.io" matched cert's "gcr.io"
      * issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
      * SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0x7fc91b802c00)
      > GET /v2/google-containers/hyperkube/manifests/v1.17.5 HTTP/2
      > Host: gcr.io
      > User-Agent: curl/7.54.0
      > Accept: application/vnd.docker.distribution.manifest.v2+json
      >
      * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
      < HTTP/2 200
      < docker-distribution-api-version: registry/2.0
      < content-type: application/vnd.docker.distribution.manifest.v2+json
      < content-length: 2206
      < docker-content-digest: sha256:cf35140a5f3ec997a1ee1c1f666520b1d97a0ff220a3cc6aa693f023e1715977
      < date: Mon, 27 Apr 2020 13:13:30 GMT
      < server: Docker Registry
      < x-xss-protection: 0
      < x-frame-options: SAMEORIGIN
      < alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
      <
      {
       "schemaVersion": 2,
       "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
       "config": {
       "mediaType": "application/vnd.docker.container.image.v1+json",
       "size": 4392,
       "digest": "sha256:3ffe335e80783d55df484a77661556a1145656980e2319247ee6c3d23ebcfec8"
       },
       "layers": [
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 17745157,
       "digest": "sha256:346aee5ea5bcb1d5f7c32463e50687677a70ba9d6b784d9061c67d1774e91e15"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 375,
       "digest": "sha256:9c47fde751af4b387d6bd4ce5a4b4e0240e69a9cff21ba94c53b53bf247f85a1"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 651567,
       "digest": "sha256:be2693a52daf13ddd0386f633480a4b44f8056bf978be3b6860de29fa53ad2e8"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 408,
       "digest": "sha256:6b69eb11d0430c7dd5d69a34581d654ac58b38f262536b7ece560b258080e263"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 4346,
       "digest": "sha256:0abeb1500767759366e48264a7aa52b30fcacb5aefb0bcf2de619f0c3829925d"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 107192166,
       "digest": "sha256:4062d80041b7e3c63161948fc84bcab8bc442749d582d1cc4e2f3a6e3b81c357"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 15657266,
       "digest": "sha256:23b6daf06fc2e09f436a02d1d186fff27f8de33cdf6b3922a4d35889f60333ac"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 123433459,
       "digest": "sha256:9344a86b5fbe3215b0a98181423a2e79f344a2db5e2be33884eb37ceecb24d30"
       },
       {
       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
       "size": 916,
       "digest": "sha256:856b3eb8dbea134f19d6db411b7c2315eef7826c55c68390fa318d746fecf735"
       }
       ]
      * Connection #0 to host gcr.io left intact
      }
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              stuart.warren Stuart Warren
              Last Updated By:
              Jerome Garec Jerome Garec
              Votes:
              4 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Date of First Response:

                  tigCommentSecurity.panel-title