[Feature Improvement] Accepting OCI manifests when checking remote versions
TannerW opened this issue · 2 comments
For those of us that use OCI registries - container version update checking on the GUI is currently not working because (I think?) of DockerClient only accepting docker-specific manifests in the header https://github.com/limetech/webgui/blob/5813662359147c9072e58a467278022183ff268d/plugins/dynamix.docker.manager/include/DockerClient.php#L446. So, when requesting the manifest to check Docker-Content-Digest from an OCI registry, with the current docker-specifc accept header results in:
$ curl --head -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json" -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlhMV1Y6SDRLRzo3RlUyOjNYTFQ6WFdLSDpISE1IOjJBUzc6RE5KVDpPRUNCOklNN0o6TVVPTTozRzVRIiwidHlwIjoiSldUIn0.eyJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2NTQzMTkzNTQsImp0aSI6Ik92YVlBSFB4R3hIVGhnbVEiLCJpYXQiOjE2NTQzMTc1NTQsImlzcyI6ImhhcmJvci10b2tlbi1pc3N1ZXIiLCJuYmYiOjE2NTQzMTc1NTQsInN1YiI6ImFkbWluIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVwb3NpdG9yeSIsIm5hbWUiOiJsaWJyYXJ5L3VucmFpZC1zY3JpcHQtZG9ja2VyIiwiYWN0aW9ucyI6WyJkZWxldGUiLCJwdWxsIiwicHVzaCIsIioiXX1dfQ.CcNqdiJ4ngqwh5enI4C_yKj8K-fpo1GDYj7US-4kYrOk1yGrSrdsmqzjFoFwQQr4PSk4ynWEdjuQOFz0tqGuN5kCm1jQW_bWCNuDDmwTxtVJo07T9-hEW4d0FEMNC9ahhk3rozyAUkrmBAvAkppSxhEQ1LcG7H9vWra9qdUS6eSHizRAKCgeoB6fqnuPKyvtNlmo_0Q_Kx9JnpXCETCMMlzkLf7NIuZFaGU8ydk6fdcFqevo8NJI_8cn7wIUg1-ncNnTyvOgQPnldZZROkfDQ5_FM1ksk5XnNPaMlP4VIbG4P8nNzNBXnvIYbXho4OHWA-KTk9dpZ5w6HjgYyg0zcfyeSHy4DtDixZonb7PWUrtKQurFoPH4BNeoq0JucN_00fHWDSbz6U8uEMdWPDClv3QEE2FplF43Vy7DSnAqm6SPA97bd_4xOT478O15D0eYqQ2xUdDBi9pzj36lULe7dlJLbt0rfGqjJHmb97L1324IQnAn_x1zozN00NPJryhXzI92P6sNLHcdgaXBriKs3VJBgQir0Nm9tJyVVkdd1ef1Bt3W4jykx4BnteAN6RmnI_WhFivBPe2bj1T5hEyMQ1-RSGzbPN2x65_lCxOu2MaI_MCx_M2A802LH3E60J9J9nCbfibmriiTrin6I3OF3kJTn5JW1o_aj7MqCvC6C50" http://registry.otwilkerson.net/v2/library/unraid-script-docker/manifests/latest
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 04 Jun 2022 04:43:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 122
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: sid=5e209d52ed5adec16feb899c87bd3c74; Path=/; HttpOnly
X-Request-Id: b278e3e1-fbf9-4e9c-8bdb-6434b319c682
Would it be possible for us to accept vnd.oci.image.manifest.v1+json here as well? This would allow for proper retrieval of Docker-Content-Digest like so:
$ curl --head -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json" -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlhMV1Y6SDRLRzo3RlUyOjNYTFQ6WFdLSDpISE1IOjJBUzc6RE5KVDpPRUNCOklNN0o6TVVPTTozRzVRIiwidHlwIjoiSldUIn0.eyJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2NTQzMTkzNTQsImp0aSI6Ik92YVlBSFB4R3hIVGhnbVEiLCJpYXQiOjE2NTQzMTc1NTQsImlzcyI6ImhhcmJvci10b2tlbi1pc3N1ZXIiLCJuYmYiOjE2NTQzMTc1NTQsInN1YiI6ImFkbWluIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVwb3NpdG9yeSIsIm5hbWUiOiJsaWJyYXJ5L3VucmFpZC1zY3JpcHQtZG9ja2VyIiwiYWN0aW9ucyI6WyJkZWxldGUiLCJwdWxsIiwicHVzaCIsIioiXX1dfQ.CcNqdiJ4ngqwh5enI4C_yKj8K-fpo1GDYj7US-4kYrOk1yGrSrdsmqzjFoFwQQr4PSk4ynWEdjuQOFz0tqGuN5kCm1jQW_bWCNuDDmwTxtVJo07T9-hEW4d0FEMNC9ahhk3rozyAUkrmBAvAkppSxhEQ1LcG7H9vWra9qdUS6eSHizRAKCgeoB6fqnuPKyvtNlmo_0Q_Kx9JnpXCETCMMlzkLf7NIuZFaGU8ydk6fdcFqevo8NJI_8cn7wIUg1-ncNnTyvOgQPnldZZROkfDQ5_FM1ksk5XnNPaMlP4VIbG4P8nNzNBXnvIYbXho4OHWA-KTk9dpZ5w6HjgYyg0zcfyeSHy4DtDixZonb7PWUrtKQurFoPH4BNeoq0JucN_00fHWDSbz6U8uEMdWPDClv3QEE2FplF43Vy7DSnAqm6SPA97bd_4xOT478O15D0eYqQ2xUdDBi9pzj36lULe7dlJLbt0rfGqjJHmb97L1324IQnAn_x1zozN00NPJryhXzI92P6sNLHcdgaXBriKs3VJBgQir0Nm9tJyVVkdd1ef1Bt3W4jykx4BnteAN6RmnI_WhFivBPe2bj1T5hEyMQ1-RSGzbPN2x65_lCxOu2MaI_MCx_M2A802LH3E60J9J9nCbfibmriiTrin6I3OF3kJTn5JW1o_aj7MqCvC6C50" http://registry.otwilkerson.net/v2/library/unraid-script-docker/manifests/latest
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 04 Jun 2022 04:41:12 GMT
Content-Type: application/vnd.oci.image.manifest.v1+json
Content-Length: 1914
Connection: keep-alive
Docker-Content-Digest: sha256:30b04e2f46eee2e7a96b101de36002506978d4cd935be164dc80970309aacf8c
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:30b04e2f46eee2e7a96b101de36002506978d4cd935be164dc80970309aacf8c"
Set-Cookie: sid=1b16c5ad069485b438dd42477a21ea68; Path=/; HttpOnly
X-Request-Id: 5875a815-a256-49cd-9be4-572cf37305dd
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Of course, this will need to be tested and I don't guarantee that the above details are a full solution.
But from a quick test on my setup-
Before:
After adding $header = ['Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json'];:
And after a quick test push:
For reference, I use a self-hosted instance of Harbor for my OCI Registry.
Thank you so much for any input or insights that you can offer!