Hi,
I am running Kaniko on Kubernetes (1.9) in Huawei cloud. I use the registry provided by Huawei.
Currently my build fails with the following error messages:
```
time="2018-08-21T12:28:45Z" level=error msg="manifest digest: \"sha256:bc1c0e105251471a09b19d3f12ca4917646548a63c3022f9e0e1b1b3832baabf\" does not match Docker-Content-Digest: \"bc1c0e105251471a09b19d3f12ca4917646548a63c3022f9e0e1b1b3832baabf\" for \"x.x.x.x/test1234/docker-pyspark:latest\""
```
The digests are identical, but the manifest digest contains a leading 'sha:'. Is there a way to tell Kaniko to ignore this?
Thx
This looks like a possible bug in the Huawei registry. The Docker API spec requires the digest to contain the algorithm:
https://docs.docker.com/registry/spec/api/#content-digests
@jonjohnsonjr should we default to sha256 if nothing is specified?
That's definitely a registry bug, but I'm not sure how readily we could get them to fix it...
> The client may choose to ignore the header or may verify it to ensure content integrity and transport security. This is most important when fetching by a digest. To ensure security, the content should be verified against the digest used to fetch the content.
I'm okay with just ignoring this header when fetching by tag. We also don't care about the header when fetching by digest, since we just hash the response. Since Docker Hub _still_ hasn't fixed a similar bug on their side, we should probably just treat this header as completely unreliable :/
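
The policy discussed in this thread, sketched in Go as an added example (it is not code from Kaniko or from the library the commenters maintain): hash the manifest body locally, enforce the result only when the manifest was requested by digest, and treat `Docker-Content-Digest` as advisory. The function names and the sample manifest body are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// digestOf returns the canonical "sha256:<hex>" digest of a manifest body.
func digestOf(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// headerStatus classifies a Docker-Content-Digest header value against the
// digest computed locally. The result is advisory and never fails a pull.
func headerStatus(header, computed string) string {
	switch {
	case header == "":
		return "absent"
	case header == computed:
		return "match"
	case !strings.Contains(header, ":") && "sha256:"+header == computed:
		return "missing-algorithm" // the registry behaviour reported in this thread
	default:
		return "mismatch"
	}
}

// verifyManifest enforces integrity only when the manifest was requested by
// digest (wantDigest non-empty); a fetch by tag has nothing to compare against.
func verifyManifest(body []byte, wantDigest, header string) (string, string, error) {
	computed := digestOf(body)
	status := headerStatus(header, computed)
	if wantDigest != "" && wantDigest != computed {
		return computed, status, fmt.Errorf("manifest digest %s does not match requested %s", computed, wantDigest)
	}
	return computed, status, nil
}

func main() {
	body := []byte(`{"schemaVersion":2}`)   // constructed sample manifest body
	bare := digestOf(body)[len("sha256:"):] // header value without the algorithm prefix
	computed, status, err := verifyManifest(body, "", bare)
	fmt.Println(computed, status, err)
}
```

Logging the header status rather than failing on it keeps a pull by tag working against registries that omit the algorithm prefix, while a pull by digest still fails closed on any content mismatch.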