Comments (6)
Sounds related to the caching added in this PR;
Curious; was there a specific problem you ran into, for which you can't have the cached ones?
> Curious; was there a specific problem you ran into, for which you can't have the cached ones?
Hello. I'm making a MITM proxy that prevents image downloading when a critical vulnerability has been found.
A fairly good way to cancel the download was to replace the layer body with a denied error from the registry after issuing the manifest and index to the client (since only the client knows the desired platform). I could specifically change the hash to a random one in the response to the HEAD request, and upon a subsequent unsuccessful attempt to access my random hash, it would invalidate the hash as I want, but also show the warning, since it's a deprecated fallback. I would like to avoid that and not remake all the hashes in the image with others (it's probably the right way, but too hard at the moment, because then I would have to insert some garbage into the contents of the layers).
The warning looks like this:
https://docs.docker.com/engine/deprecated/#pulling-images-from-non-compliant-image-registries
Thanks for the extra info.
Hm wondering (but not at my computer right now); wouldn't it still do a HEAD request, and would that request be interceptible for your proxy to return an error?
> Wouldn't it still do a HEAD request, and would that request be interceptible for your proxy to return an error?
All I want ideally is to always force any client to invalidate the cache when it contacts me (the proxy side). In the future, caching will be handled by the proxy itself, if necessary.
Currently, I have implemented behavior that does not replace invalidation but adds some atomicity. It makes it so that until the layers are received, manifests will always be requested, and once the layers are received, docker rmi <image> can be done.
It is a bit strange; it looks like this:

```
--> HEAD /v2/dockerhub/maven/manifests/latest
<-- Docker-Content-Digest: sha256:7c03439155 <- random hash
<-- 200 OK:
{}
--> GET /v2/dockerhub/maven/manifests/sha256:7c03439155
<-- 403 Forbidden:
{
  "errors": [
    {
      "code": "DENIED",
      "message": "errorcode404:{
        \"errors\":[
          {
            \"code\":\"NOT_FOUND\",
            \"message\":\"artifact dockerhub/library/maven@sha256:7c03439155 not found\"
          }
        ]
      }"
    }
  ]
}
```
I guess that after the digests from local storage and the HEAD request do not match, and docker gets an error response to the new digest request, it sometimes (maybe I'm getting confused) tries to make a normal GET request with the old digest, which turned out to be quite convenient for me as a proxy. Then I work as usual: I just wait for the manifest, download all the remaining parts and decide whether to return an error based on the analysis results.
```
Index:
GET /v2/dockerhub/maven/manifests/latest
<-- 200 OK:
{"manifests": [ {"digest": "sha256:c1a446", "type": "v2", "platform": "linux/amd64"} ]}

Manifest:
GET /v2/dockerhub/maven/manifests/sha256:c1a446
<-- 200 OK:
{"config": {"digest": "sha256:d5beea"}, "layers": [ {"digest": "sha256:6a299a"} ]}

Config:
GET /v2/dockerhub/maven/blobs/sha256:d5beea
<-- 200 OK:
{"architecture": "amd64", "os": "linux"}

Layers:
GET /v2/dockerhub/maven/blobs/sha256:6a299a
<-- 200 OK:
8f cd f9 0b a2 39 6b 45 9c ... 50
```
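An added example (not code from the thread or from moby) that models the HEAD/GET exchange described in the comment above in Python: the proxy answers HEAD with a throwaway digest, refuses GET for that digest, and then serves or denies the real manifest and blobs according to a scan result. `simulate_pull` is an assumed, simplified model of the client fallback the commenter observes; the repository name, digests and blob bytes are constructed placeholders.

```python
import secrets

# Constructed sample image (digests are placeholders, not real content hashes).
REPO = "dockerhub/maven"
TAG_DIGEST = "sha256:c1a446"   # real digest of the manifest behind :latest
MANIFEST = {"config": {"digest": "sha256:d5beea"}, "layers": [{"digest": "sha256:6a299a"}]}
BLOBS = {"sha256:d5beea": b'{"architecture":"amd64","os":"linux"}', "sha256:6a299a": b"\x8f\xcd\xf9"}

def denied(digest):
    # 403 body in the shape of the registry error shown in the thread
    return 403, {}, {"errors": [{"code": "DENIED", "message": f"artifact {REPO}@{digest} not found"}]}

class CacheBustingProxy:
    """HEAD returns a throwaway digest so the client's cached manifest never matches; the
    throwaway digest is then refused, and real manifests/blobs are served or denied by scan result."""
    def __init__(self, blocked_layers):
        self.blocked = set(blocked_layers)  # layer digests the scan decided must not be pulled
        self.decoys = set()

    def handle(self, method, path):
        kind, ref = path.rsplit("/", 2)[1:]   # ".../manifests/<ref>" or ".../blobs/<digest>"
        if kind == "manifests" and method == "HEAD":
            decoy = "sha256:" + secrets.token_hex(32)
            self.decoys.add(decoy)
            return 200, {"Docker-Content-Digest": decoy}, b""
        if kind == "manifests":
            if ref in self.decoys:
                return denied(ref)
            if ref in ("latest", TAG_DIGEST):
                return 200, {"Docker-Content-Digest": TAG_DIGEST}, MANIFEST
        elif kind == "blobs" and ref in BLOBS:
            return denied(ref) if ref in self.blocked else (200, {}, BLOBS[ref])
        return 404, {}, {}

def simulate_pull(proxy, cached_digest):
    """Assumed client model of the flow the thread observes: HEAD, GET the new digest, fall
    back to the cached digest on error, then fetch config and layers. Returns (step, status)."""
    trace = []
    status, hdrs, _ = proxy.handle("HEAD", f"/v2/{REPO}/manifests/latest")
    trace.append(("HEAD", status))
    status, _, body = proxy.handle("GET", f"/v2/{REPO}/manifests/{hdrs['Docker-Content-Digest']}")
    trace.append(("GET-new", status))
    if status != 200:  # the fallback the commenter relies on: retry with the digest already held
        status, _, body = proxy.handle("GET", f"/v2/{REPO}/manifests/{cached_digest}")
        trace.append(("GET-cached", status))
        if status != 200:
            return trace
    for d in [body["config"]["digest"]] + [l["digest"] for l in body["layers"]]:
        trace.append((d, proxy.handle("GET", f"/v2/{REPO}/blobs/{d}")[0]))
    return trace
```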