-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify supported digest algorithms for manifests #494
Comments
I'd consider removing "canonical" from the
I don't think there is, clients get the registry server preferred value.
I think this hints at some of the many waiting issues we'll face whenever someone tries to use anything other than sha256. I expect a lot of things will break the day someone tries to switch to sha512. In addition to parts of the spec not covering all the scenarios, I expect registries, runtimes, and other client tooling, are all lacking full support. |
cc: @ktarplee |
I am going to assume that we want to be able to copy an image from one registry to another without the manifest ID changing. That is the digest of the manifest does not change during a copy and thus none of the digest algorithms for the blobs may change as well. We have that property now and I am proposing we keep it. This implies a few things:
In regards to the question "In case the reference is a tag, is there a way for the server to know what algorithm it should use to track this manifest?". I think the solution has to allow the client to provide the digest algorithm but since this is a manifest I think it should be the entire digest. Given the above argument, I would say that both of the suggested options are not desirable:
I am proposing that the client provide the expected digest (while uploading a manifest by tag) by either adding a header to the request The key here is the client must always provide the digest algorithm. The registry can never pick one it wants unless the client gives up it's right to specify the digest algorithm for manifest or blob. |
Another aspect of this to think through is the referrers API. When the list of referrer descriptors is returned, what digest algorithm should be used? Does it return duplicate content (i.e. two descriptors to the same content but different algorithm) or just one. Is the the registry expected to de-duplicate those references? Do you limit it to the just descriptors using the same digest algorithm (I don't think so). flowchart TD
A[Manifest A\nsha256:3...] -->|subject\nsha256:0...| C[Manifest C\nsha256:0...\nsha384:1...\nsha512:2...]
B[Manifest B\nsha256:4...\nsha512:5...] --> |subject\nsha512:2...| C
In the above diagram the digests in the manifests are the digests that the client used to upload that manifest in that registry. Imagine a client makes a request to
Imagine a client makes a request to
One solution/rule is that the referrers API should return all known references to objects referred to by the provided descriptor. So in the above example, both manifest A and B should be returned when querying for Alternatively the rule can that only the manifests with the subject matching exactly are returned. So in the example above, referrers of |
The query parameter would align nicely with the blob put. That would be my preference.
I tend to prefer that as well. Registries could treat each digest algorithm as a separate list of entries in the blob store, so pushing the same manifest with two different digest algorithms would be two separate CAS entries. That also aligns with the storage model of the OCI Layout. Without that, registries would need to compute multiple hashes for every item received, and make the content available by multiple CAS names, which I expect is problematic and creates a significant overhead on large registries to support new algorithms. I doubt registries want to recompute the digest on all of their content given the understandable push back we saw for including referrers responses that were previously pushed by the fallback tag when registries enable the referrers API. |
In addition to supporting the push of manifests by tag with a non-canonical digest algorithm, I think we need similar support when a blob is pushed with the digest only being provided after the content is pushed (in the POST, PATCH, PUT). For that scenario, the client would only know the algorithm when the POST and PATCH requests are being run. Perhaps a |
Adding opencontainers/image-spec#819 to this discussion. |
See opencontainers/distribution-spec#494 and reladed work Signed-off-by: Andrei Aaron <[email protected]>
See opencontainers/distribution-spec#494 and related work Signed-off-by: Andrei Aaron <[email protected]>
See opencontainers/distribution-spec#494 and related work Signed-off-by: Andrei Aaron <[email protected]>
See opencontainers/distribution-spec#494 and related work Signed-off-by: Andrei Aaron <[email protected]>
See opencontainers/distribution-spec#494 and related work Signed-off-by: Andrei Aaron <[email protected]>
See opencontainers/distribution-spec#494 and related work Signed-off-by: Andrei Aaron <[email protected]>
The image spec mentions multiple registered digest algorithms (https://github.com/opencontainers/image-spec/blob/v1.1.0-rc5/descriptor.md#digests), out of which SHA256 is the canonical one.
The distribution spec mentions these registered digest algorithms can be used to reference manifests when:
A) pulling - https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc3/spec.md#pulling-manifests
B) pushing - https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc3/spec.md#pushing-manifests
Case A) seems relatively clear to me, but in case B) the expected behavior of the registry is not entirely clear to me, as the digest (and the implicitly the algorithm) may or may not be provided by the client.
I assume the
MUST be equal to the client provided digest
is the value of the reference.The clarifications needed are:
If this topic has already been discussed or documented, please provide a link, I could not find relevant issues here.
Thank you
The text was updated successfully, but these errors were encountered: