Support "pull-by-digest" in the Dependency Proxy
Problem
containerd and Docker 20.x depends on "pull-by-digest". The dependency proxy does not work with pull-by-digest:
→ docker pull alpine:latest
latest: Pulling from library/alpine
Digest: sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7dff7dc14272e7841a5b5a
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
→ docker pull gdk.test:3001/pub-group/dependency_proxy/containers/alpine@sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7dff7dc14272e7841a5b5a
Error response from daemon: missing signature keyHowever, the interesting thing is that the manifest pull was successful, the file was saved and stored, however, the digest version of the manifest is different from the one returned by alpine:latest:
Digest manifest
Raw
"{\"manifests\":[{\"digest\":\"sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"amd64\",\"os\":\"linux\"},\"size\":528},{\"digest\":\"sha256:c4f0f03cda416f3e4cfebcfea9910463121651b019c6677053ece71084699f47\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"arm\",\"os\":\"linux\",\"variant\":\"v6\"},\"size\":528},{\"digest\":\"sha256:d0f78a6ddf7a457dc72dbd44eab67209454ddb1e6d2323fa8e27275bc13dc320\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"arm\",\"os\":\"linux\",\"variant\":\"v7\"},\"size\":528},{\"digest\":\"sha256:fbb820c07896f5c2516167e7146d9938fc82d4b6b1db167defa5b0a7162e4480\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"arm64\",\"os\":\"linux\",\"variant\":\"v8\"},\"size\":528},{\"digest\":\"sha256:4e01ddea8def856ba9fee17668fa0b2e45a8bc78127b7ab6cf921f6d6fd86ac9\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"386\",\"os\":\"linux\"},\"size\":528},{\"digest\":\"sha256:e565d01665c4596b34d7836fc370342331b836b5e5623eb1c8dfaf72ef4f30cb\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"ppc64le\",\"os\":\"linux\"},\"size\":528},{\"digest\":\"sha256:eb005f6396161741e490161756dac662e946206c9d2e7ff2528be60e905be9f6\",\"mediaType\":\"application\\/vnd.docker.distribution.manifest.v2+json\",\"platform\":{\"architecture\":\"s390x\",\"os\":\"linux\"},\"size\":528}],\"mediaType\":\"application\\/vnd.docker.distribution.manifest.list.v2+json\",\"schemaVersion\":2}"Parsed
{
"manifests": [{
"digest": "sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "amd64",
"os": "linux"
},
"size": 528
}, {
"digest": "sha256:c4f0f03cda416f3e4cfebcfea9910463121651b019c6677053ece71084699f47",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v6"
},
"size": 528
}, {
"digest": "sha256:d0f78a6ddf7a457dc72dbd44eab67209454ddb1e6d2323fa8e27275bc13dc320",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
},
"size": 528
}, {
"digest": "sha256:fbb820c07896f5c2516167e7146d9938fc82d4b6b1db167defa5b0a7162e4480",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
},
"size": 528
}, {
"digest": "sha256:4e01ddea8def856ba9fee17668fa0b2e45a8bc78127b7ab6cf921f6d6fd86ac9",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "386",
"os": "linux"
},
"size": 528
}, {
"digest": "sha256:e565d01665c4596b34d7836fc370342331b836b5e5623eb1c8dfaf72ef4f30cb",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "ppc64le",
"os": "linux"
},
"size": 528
}, {
"digest": "sha256:eb005f6396161741e490161756dac662e946206c9d2e7ff2528be60e905be9f6",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "s390x",
"os": "linux"
},
"size": 528
}],
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"schemaVersion": 2
}Named tag manifest
Raw
"{\n \"schemaVersion\": 1,\n \"name\": \"library/alpine\",\n \"tag\": \"latest\",\n \"architecture\": \"amd64\",\n \"fsLayers\": [\n {\n \"blobSum\": \"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4\"\n },\n {\n \"blobSum\": \"sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964\"\n }\n ],\n \"history\": [\n {\n \"v1Compatibility\": \"{\\\"architecture\\\":\\\"amd64\\\",\\\"config\\\":{\\\"Hostname\\\":\\\"\\\",\\\"Domainname\\\":\\\"\\\",\\\"User\\\":\\\"\\\",\\\"AttachStdin\\\":false,\\\"AttachStdout\\\":false,\\\"AttachStderr\\\":false,\\\"Tty\\\":false,\\\"OpenStdin\\\":false,\\\"StdinOnce\\\":false,\\\"Env\\\":[\\\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\\\"],\\\"Cmd\\\":[\\\"/bin/sh\\\"],\\\"ArgsEscaped\\\":true,\\\"Image\\\":\\\"sha256:3543079adc6fb5170279692361be8b24e89ef1809a374c1b4429e1d560d1459c\\\",\\\"Volumes\\\":null,\\\"WorkingDir\\\":\\\"\\\",\\\"Entrypoint\\\":null,\\\"OnBuild\\\":null,\\\"Labels\\\":null},\\\"container\\\":\\\"8c59eb170e19b8c3768b8d06c91053b0debf4a6fa6a452df394145fe9b885ea5\\\",\\\"container_config\\\":{\\\"Hostname\\\":\\\"8c59eb170e19\\\",\\\"Domainname\\\":\\\"\\\",\\\"User\\\":\\\"\\\",\\\"AttachStdin\\\":false,\\\"AttachStdout\\\":false,\\\"AttachStderr\\\":false,\\\"Tty\\\":false,\\\"OpenStdin\\\":false,\\\"StdinOnce\\\":false,\\\"Env\\\":[\\\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\\\"],\\\"Cmd\\\":[\\\"/bin/sh\\\",\\\"-c\\\",\\\"#(nop) \\\",\\\"CMD [\\\\\\\"/bin/sh\\\\\\\"]\\\"],\\\"ArgsEscaped\\\":true,\\\"Image\\\":\\\"sha256:3543079adc6fb5170279692361be8b24e89ef1809a374c1b4429e1d560d1459c\\\",\\\"Volumes\\\":null,\\\"WorkingDir\\\":\\\"\\\",\\\"Entrypoint\\\":null,\\\"OnBuild\\\":null,\\\"Labels\\\":{}},\\\"created\\\":\\\"2020-10-22T02:19:24.499382102Z\\\",\\\"docker_version\\\":\\\"18.09.7\\\",\\\"id\\\":\\\"c5f1aab5bb88eaf1aa62bea08ea6654547d43fd4d15b1a476c77e705dd5385ba\\\",\\\"os\\\":\\\"linux\\\",\\\"parent\\\":\\\"dc0b50cc52bc340d7848a62cfe8a756f4420592f4984f7a680ef8f9d258176ed\\\",\\\"throwaway\\\":true}\"\n },\n {\n \"v1Compatibility\": \"{\\\"id\\\":\\\"dc0b50cc52bc340d7848a62cfe8a756f4420592f4984f7a680ef8f9d258176ed\\\",\\\"created\\\":\\\"2020-10-22T02:19:24.33416307Z\\\",\\\"container_config\\\":{\\\"Cmd\\\":[\\\"/bin/sh -c #(nop) ADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in / \\\"]}}\"\n }\n ],\n \"signatures\": [\n {\n \"header\": {\n \"jwk\": {\n \"crv\": \"P-256\",\n \"kid\": \"JGDH:PLRW:PLSV:JKCW:4WQT:7N75:LFCY:EUXJ:JF7B:SE5X:YCGB:FY75\",\n \"kty\": \"EC\",\n \"x\": \"2tHC7IFuaOXu7bJXeeXQIvJDAvNDYEdEANIYXc6CMp4\",\n \"y\": \"KINaC1nO1A6GwxPeiE3gr-4TPO63JePn2x5KMgPFIfg\"\n },\n \"alg\": \"ES256\"\n },\n \"signature\": \"vw_jVMz662MoIti_cN-ufWG8sKwWDJcZ1CAV90dX55-QacaPmO59r07wDsRWqnVIh-YVYPKXps6TI6N44K5kug\",\n \"protected\": \"eyJmb3JtYXRMZW5ndGgiOjIxMzcsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0xMi0wM1QyMDozMzowMloifQ\"\n }\n ]\n}"Parsed
{
"schemaVersion": 1,
"name": "library/alpine",
"tag": "latest",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964"
}
],
"history": [
{
"v1Compatibility": {"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh"],"ArgsEscaped":true,"Image":"sha256:3543079adc6fb5170279692361be8b24e89ef1809a374c1b4429e1d560d1459c","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"8c59eb170e19b8c3768b8d06c91053b0debf4a6fa6a452df394145fe9b885ea5","container_config":{"Hostname":"8c59eb170e19","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD ["/bin/sh"]"],"ArgsEscaped":true,"Image":"sha256:3543079adc6fb5170279692361be8b24e89ef1809a374c1b4429e1d560d1459c","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2020-10-22T02:19:24.499382102Z","docker_version":"18.09.7","id":"c5f1aab5bb88eaf1aa62bea08ea6654547d43fd4d15b1a476c77e705dd5385ba","os":"linux","parent":"dc0b50cc52bc340d7848a62cfe8a756f4420592f4984f7a680ef8f9d258176ed","throwaway":true}
},
{
"v1Compatibility": {"id":"dc0b50cc52bc340d7848a62cfe8a756f4420592f4984f7a680ef8f9d258176ed","created":"2020-10-22T02:19:24.33416307Z","container_config":{"Cmd":["/bin/sh -c #(nop) ADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in / "]}}
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "JGDH:PLRW:PLSV:JKCW:4WQT:7N75:LFCY:EUXJ:JF7B:SE5X:YCGB:FY75",
"kty": "EC",
"x": "2tHC7IFuaOXu7bJXeeXQIvJDAvNDYEdEANIYXc6CMp4",
"y": "KINaC1nO1A6GwxPeiE3gr-4TPO63JePn2x5KMgPFIfg"
},
"alg": "ES256"
},
"signature": "vw_jVMz662MoIti_cN-ufWG8sKwWDJcZ1CAV90dX55-QacaPmO59r07wDsRWqnVIh-YVYPKXps6TI6N44K5kug",
"protected": "eyJmb3JtYXRMZW5ndGgiOjIxMzcsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMC0xMi0wM1QyMDozMzowMloifQ"
}
]
}Solution
Determine what needs to change to be able to use pull-by-digest.
Edited by Steve Abrams