Swift storage driver with encryption middleware

[andrewrome]

I've run the latest Docker registry from the Hub using Swift as a backend, successfully uploading and downloading. However, when I enable the swift encryption and keymaster middlewares in Swift 2.9.0, I am unable to successfully pull images.

The data appears to upload correctly, with the only visible errors during upload:
time="2016-10-20T14:32:21.928589064Z" level=error msg="response completed with error" err.code="blob unknown" err.detail=sha256:4d4aa55e97e1839618094bfbd43ed4a3a1f59280a5fec29752d146a1253c6e72 err.message="blob unknown to registry" go.version=go1.6.3 http.request.host="172.30.97.46:5000" http.request.id=b1cf6582-f760-4b48-b760-fba8d4a67264 http.request.method=HEAD http.request.remoteaddr="172.30.97.46:56498" http.request.uri="/v2/jenkinsenc/blobs/sha256:4d4aa55e97e1839618094bfbd43ed4a3a1f59280a5fec29752d146a1253c6e72" http.request.useragent="docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-27-generic os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=49.233506ms http.response.status=404 http.response.written=157 instance.id=16e2ee86-2129-4f6c-887b-2a38940d074e service=registry vars.digest="sha256:4d4aa55e97e1839618094bfbd43ed4a3a1f59280a5fec29752d146a1253c6e72" vars.name=jenkinsenc version=v2.5.1

All of the uploaded swift objects appear to contain reasonable content.

If I do not delete the local copy of the image, the SHA matches correctly:

docker pull  172.30.97.46:5000/jenkinsenc
Using default tag: latest
latest: Pulling from jenkinsenc
Digest: sha256:047be5412a674d2520f5d517174bf1b0624f30adeea34cf3f71fecc44ecc974a
Status: Image is up to date for 172.30.97.46:5000/jenkinsenc:latest

But when I delete the local copy and try again, it starts downloading and verifying checksums.

docker pull 172.30.97.46:5000/jenkinsenc
Using default tag: latest
latest: Pulling from jenkinsenc
89aec0449e93: Verifying Checksum 
....
68cb9cf3ef25: Verifying Checksum 
b31c735fdce2: Downloading [====================================>              ] 51.35 MB/69.54 MB
ce152cf9fb1e: Verifying Checksum 
.....
f97979a807e2: Verifying Checksum 
Pulling repository 172.30.97.46:5000/jenkinsenc
Error: image jenkinsenc:latest not found

I found this 404 message in the registry logs, not sure it it's related.
172.30.97.46 - - [20/Oct/2016:16:58:08 +0000] "GET /v1/repositories/jenkinsenc/images HTTP/1.1" 404 19 "" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-27-generic os/linux arch/amd64"

Is swift serverside encryption at rest supported?

sysinfo.txt

[RichardScothern]

hi @andrewrome this will take some debugging.

My guess is the digest is generated for unencrypted content and used to try and locate encrypted blobs.

Can you post the registry logs for the successful push and the failed pull.

Do you use a docker container to run swift, and if so which one?

[andrewrome]

Thanks for the offer to help @RichardScothern. Just found the source of the bug: DLO middleware wasn't properly working with keymaster and encryption middlewares. This is not a storage driver problem. Closing.