Details
Description
Currently we validate that docker layers are either gzip or tar content. Uploads or proxies of anything else will fail.
This is not consistent with OCI images, which can contain other types of content.
Example:
$ file sha256__*
sha256__13e86d6c24c6619aa3fe10dffffd116388f3652d5f87315beaaade9e78eb1864: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
sha256__204cccf259732a35c3ad4df0d011d81706f3069390f32f6f4dd783fa9471cbdd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=xMYTrzayNZSOk_MfmrHz/3sal8jvXOtZs5hkOCgNt/TA2foo7ezIu2to7eqVSY/6CO8iA1nEIxRfLd5Q563, stripped
sha256__5ed116d10f336bcaf470568b57a6843a6f27e6af59b0054a2c12934095cc9024: JSON data
sha256__83482e6395a37aa7a80ca6990e13c024e7f40418f0a2bdcf65ed225f896858cb: Mach-O 64-bit executable x86_64
sha256__d7c22f85958d30142f1ed758cf6a5e0f8121fc3a4eddcb010b54bb883d530a7e: POSIX tar archive
The OCI specification FAQ says:
Q: Should I validate the content type of the patch request body?
A. The content type for blob uploads isn't meaningful since it's consistently the same (application/octet-stream). However, you may so choose to check that the content type is consistent for each chunk in the upload. It would not be logical for it to change part of the way through.
Expected: It should be possible to upload OCI image layers "out of the box", with no configuration changes needed. If we can detect that a layer is associated with an OCI image, we could be smart about this and disable validation only for that case. If not, we should just not validate layers. If layer validation is still going to be done, disabling content validation in the repository configuration should disable the validation. Whatever is done should be the same for both proxy and hosted repositories.
Note: Disabling content validation does not provide a workaround; the code in question does not check that flag.
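One way to express the expected behaviour, as an added Python sketch that is not Nexus Repository code: bytes are sniffed only for layers whose declared media type promises a tar stream, and the check is skipped entirely when content validation is switched off. The function names, the `sha256:…` keys and the `application/vnd.example.binary` type are constructed for illustration.

```python
import gzip
import io
import json
import tarfile

# Media types whose payload is defined as a tar stream, optionally gzipped.
TAR_LAYER_TYPES = {
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
    "application/vnd.oci.image.layer.v1.tar",
    "application/vnd.oci.image.layer.v1.tar+gzip",
}

def sniff(head: bytes) -> str:
    """Classify a blob from its first 512 bytes as 'gzip', 'tar' or 'other'."""
    if head[:2] == b"\x1f\x8b":
        return "gzip"
    if head[257:262] == b"ustar":  # POSIX/GNU tar magic; old v7 tar has none
        return "tar"
    return "other"

def layer_violations(manifest_json: str, blobs: dict, strict: bool = True) -> list:
    """Digests of layers whose bytes contradict a tar-based media type."""
    # Meant for manifest push time: blobs are uploaded before the manifest,
    # so the media type is unknown while the blob itself is being received.
    if not strict:  # the repository's content-validation switch is honoured
        return []
    bad = []
    for layer in json.loads(manifest_json).get("layers", []):
        if layer.get("mediaType") not in TAR_LAYER_TYPES:
            continue  # other OCI content (executables, JSON, ...) is opaque
        if sniff(blobs[layer["digest"]][:512]) == "other":
            bad.append(layer["digest"])
    return bad

def demo(strict: bool = True) -> list:
    """Constructed sample: digests and the vnd.example type are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("etc/hostname")
        info.size = 5
        tar.addfile(info, io.BytesIO(b"demo\n"))
    elf = b"\x7fELF" + bytes(600)
    blobs = {"sha256:t": buf.getvalue(), "sha256:g": gzip.compress(buf.getvalue()),
             "sha256:fake": elf, "sha256:bin": elf}
    types = {"sha256:t": "application/vnd.oci.image.layer.v1.tar",
             "sha256:g": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "sha256:fake": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "sha256:bin": "application/vnd.example.binary"}
    layers = [{"mediaType": m, "digest": d} for d, m in types.items()]
    return layer_violations(json.dumps({"schemaVersion": 2, "layers": layers}), blobs, strict)
```

In the sample, the ELF blob declared as a Docker layer is rejected, while the same bytes under a non-tar media type pass untouched.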
Issue Links
- is related to: NEXUS-10166 RedHat docker 1.8.2 push HTTP PUT uploads tar content instead of gzip and triggers JsonParseException 400 (Closed)
- relates: NEXUS-27494 Can't push image with oci mediatype (Closed)