Failing to push OCI image index with two identical manifests


Marton, Gabor (Nokia - HU/Budapest)
 

Hi Orlix,

 

the issue is also opened here: https://github.com/goharbor/harbor/issues/16718.

 

Greetings,

 

Gábor

 

 

From: harbor-users@... <harbor-users@...> On Behalf Of Orlin Vasilev via lists.cncf.io
Sent: Wednesday, April 20, 2022 10:04
To: harbor-users@...
Subject: Re: [harbor-users] Failing to push OCI image index with two identical manifests

 

Szia Gábor,

can you open issue here: https://github.com/goharbor/harbor/issues 
as well :)
so others can participate and we can have a bit more readable conversation :)

Orlix
Harbor Community Manager


Orlin Vasilev
 

Szia Gábor,

can you open issue here: https://github.com/goharbor/harbor/issues 
as well :)
so others can participate and we can have a bit more readable conversation :)

Orlix
Harbor Community Manager


Marton, Gabor (Nokia - HU/Budapest)
 

Dear Community,

 

pushing an OCI image index similar to the below one fails:

 

cat oci-image-index.json

{

    "schemaVersion": 2,

    "mediaType": "application/vnd.oci.image.index.v1+json",

    "manifests": [ {

        "mediaType": "application/vnd.oci.image.manifest.v1+json",

        "digest": "sha256:368fdd22c21f62f93c3d9bdbb0f26f8bf13dd984f423b174dc1ec1967e1b8a58",

        "size": 583,

        "annotations": {

            "org.opencontainers.image.ref.name": "project/a/b/c/kubectl:v1.23.1"

        }

    },{

        "mediaType": "application/vnd.oci.image.manifest.v1+json",

        "digest": "sha256:368fdd22c21f62f93c3d9bdbb0f26f8bf13dd984f423b174dc1ec1967e1b8a58",

        "size": 583,

        "annotations": {

            "org.opencontainers.image.ref.name": "project/c/d/e/kubectl:v1.23.1"

        }

    }],

    "annotations": {

        "org.opencontainers.image.created": "2022-04-14T09:14:00.000000Z"

    }

}

 

curl -k -u ... -X PUT -H ... -d @oci-image-index.json https://$HARBOR_REGISTRY/v2/$PROJECT/$REPOSITORY/manifests/$TAG

{

  "errors": [

    {

      "code": "NOT_FOUND",

      "message": "artifact .../.../...@sha256:ef52a37a715e1fc601a3488e42a08a48e9c16e9e001cd5cecf70b5bf01f04501 not found"

    }

  ]

}

 

The error is caused by the two manifests referring to the the same image manifest.

 

To me, this seems like a bug. Rationale: image index (“fat manifest”) is originally meant for multi-platform support. With this in mind, it seems valid to have the same image for two different platforms, say only differing in their name.

 

The root cause of the error seems to be this database constraint (postgresql/0030_2.0.0_schema.up.sql):

 

CREATE TABLE artifact_reference

(

  id          SERIAL PRIMARY KEY NOT NULL,

  parent_id   int NOT NULL,

  child_id    int NOT NULL,

  child_digest varchar(255) NOT NULL ,

  platform    varchar(255),

  urls        varchar(1024),

  annotations jsonb,

  FOREIGN KEY (parent_id) REFERENCES artifact(id),

  FOREIGN KEY (child_id) REFERENCES artifact(id),

  CONSTRAINT  unique_reference UNIQUE (parent_id, child_id)

);

 

A possible fix could be to add platform and annotations to the uniquness set:

 

CREATE TABLE artifact_reference

(

  ...

  CONSTRAINT  unique_reference UNIQUE (parent_id, child_id, platform, annotations)

);

 

What do you think about the issue?

 

KInd regards,

 

Gábor