  1. OpenShift Request For Enhancement
  2. RFE-4279

Add override for manifest format to mirror config or loosen schema validation


Details

    • Feature Request
    • Resolution: Unresolved
    • quay
    • x86_64

    Description

      When skopeo copies images over, it copies all manifests as is, without any changes. This can cause problems if the upstream manifest is not correctly formatted. Consider the image:

      docker.io/library/ubuntu:focal
      

      This image will fail to copy due to a schema validation error. The upstream manifest is written in OCI format, but the config layer of the image contains incorrect parameters:

      # cat config-layer.json | jq '.'
      {
        "architecture": "amd64",
        "config": {
          "Hostname": "",
          "Domainname": "",
          "User": "",
          "AttachStdin": false,
          "AttachStdout": false,
          "AttachStderr": false,
          "Tty": false,
          "OpenStdin": false,
          "StdinOnce": false,
          "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          ],
          "Cmd": [
            "/bin/bash"
          ],
          "Image": "sha256:513652b0822855744c5092dced0b4f796eb357224caaa57bee6176e1ba3cf323",
          "Volumes": null,
          "WorkingDir": "",
          "Entrypoint": null,
          "OnBuild": null,
          "Labels": {
            "org.opencontainers.image.ref.name": "ubuntu",
            "org.opencontainers.image.version": "20.04"
          }
      ...
      

      The entrypoint here has a value of Null, but according to our schema validation, this should be an array of strings, if it exists:

      https://github.com/quay/quay/blob/be1bddfd6a5bcedec411bb0140c6f153a4d044b3/image/oci/config.py#L125

      The OCI image spec only mentions that the field is optional, and that if it exists it has to be an array of strings:

      https://github.com/opencontainers/image-spec/blob/main/config.md

      To me, this looks like a bad manifest; the config layer should either contain the real entrypoint or be omitted from the end image. The fact that it's present confuses skopeo, which cannot push it to Quay in this format. Subsequent conversions to Docker v2 schema 2 also fail because the skopeo that we have in the container does not convert the MIME types properly, so subsequent schema validation also fails:

      These images can usually be pushed to Quay by outside skopeo if the parameter --format v2s2 is provided. The ask here is to add such a choice to the mirror configuration as well with 3 options:

      a) don't convert manifests and copy them as is (default)
      b) convert to Docker v2 schema 2
      c) convert to OCI manifest

      Another option is to loosen our OCI schema validation for this particular parameter so that defined keys that have a Null value are also accepted. This is problematic to me as it doesn't appear that that would be according to standard.

      Please check! Thanks!
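
The strict and loosened validation behaviours discussed in the description, as an added example that is not part of the original ticket and is not Quay's code. The field list, function names and the trimmed sample config are assumptions made for illustration; the check is a simplified stand-in for a JSON-schema rule of "array of strings, if present".

```python
import hashlib
import json

# Constructed sample: trimmed from the config shown in the ticket, not the full blob.
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "config": {
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
        "Cmd": ["/bin/bash"],
        "Volumes": None,
        "Entrypoint": None,
        "OnBuild": None,
    },
}

# Optional fields the OCI image spec defines as arrays of strings.
STRING_ARRAY_FIELDS = ("Env", "Entrypoint", "Cmd")


def validate(config_blob, allow_null=False):
    """Return (field, problem) pairs; allow_null=True is the loosened option."""
    problems = []
    inner = config_blob.get("config") or {}
    for field in STRING_ARRAY_FIELDS:
        if field not in inner:
            continue  # optional field: absence is always valid
        value = inner[field]
        if value is None:
            if not allow_null:
                problems.append((field, "null, expected array of strings"))
        elif not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            problems.append((field, "not an array of strings"))
    return problems


def drop_nulls(config_blob):
    """Copy of the blob with null-valued keys removed from 'config'."""
    fixed = dict(config_blob)
    fixed["config"] = {k: v for k, v in config_blob["config"].items() if v is not None}
    return fixed


def digest(config_blob):
    # Assumption: hash of a deterministic re-encoding, not the registry's stored bytes.
    raw = json.dumps(config_blob, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()
```

Dropping the null keys makes the strict check pass, but it also changes the config blob's digest, and the manifest references the config by digest, so the manifest has to be rewritten as well.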

          People

            DanielMesser Daniel Messer
            rhn-support-ibazulic Ivan Bazulic