Immutable image manifest references

[stevvooe]

After discussion in moby/moby#9015 and docker-archive/docker-registry#804, its clear that we need support for immutable references to v2 image references.

Here are the following conditions for support, from #804.

1. For the initial version, the manifest id is controlled by the registry. The manifest id should be returned as part of the response to a manifest PUT, in addition to a Location header with the canonical URL for the manifest (ie /v2/<name>/manifests/<tag>/<digest>).
2. The "digest" of the manifest is the sha256 of the "unsigned" portion of manifest, with sorted object keys. The id is only calculated by the registry. This is dependent on Store manifest signatures separately from content #25, allowing us to merge signatures from separate pushes of identical content.
3. PUT operations on the manifest are no longer destructive. If the content is different, the "tag" is updated to point at the new content. All revisions remain addressable by digest. Conflicting signatures are stored separately.
4. The DELETE method on /v2/<name>/manifests/<tag> should be clarified to delete all revisions of a given tag, whereas DELETE on /v2/<name>/manifests/<tag>/<digest> should only delete the revision with the request digest.

The following are the tasks required to accomplish this:

• API Specification must be updated with the following endpoints:

Method	Path	Entity	Description
GET	/v2/<name>/manifests/<tag>/<digest>	Manifest	Fetch the manifest identified by name, tag and digest.
DELETE	/v2/<name>/manifests/<tag>/<digest>	Manifest	Delete the manifest identified by name, tag and digest

• Add a header to /v2/<name>/manifests/<tag> that includes the manifest id.
• Registry implementation must support new API methods that qualify reference with id and backend must store revisions.
• Registry client PR (Proposal: add support for pull/create/run by immutable identifier moby/moby#10740) needs to updated with support for pulling qualified image references in the following format:

docker pull <image>:<tag>@<id>

[mmdriley]

This seems a bit odd -- it's like we're implementing tags of tags.

What if two manifest versions with the same "signed" components are uploaded? This would seem to recommend abandoning the idea of any "unsigned" part.

Can these digests be enumerable through the API?

Can the API provide an endpoint to get the digest of the current version of a manifest?

[stevvooe]

@mmdriley I understand this may seem slightly odd, but the V2 manifest format is in flux and we are just getting the distribution project up and running. It's a step in the right direction to start supporting a number of requested features without adding too much complexity that must be supported in the long term.

This seems a bit odd -- it's like we're implementing tags of tags.

The "tag" in the V2 manifest is really like a version field. This is not ideal but I cannot change this right away. The "digest" is an immutable reference to a revision of that "tag" (or version). The goal of this is to find a compromise that can support moving off this broken model of tags and move to a more familiar, git-like tag model in the future. Eventually, we can actually externalize tags from the manifest, allowing one to tag a specific revision and change the revision to which a tag points.

What if two manifest versions with the same "signed" components are uploaded? This would seem to recommend abandoning the idea of any "unsigned" part.

The signatures are going to be separated from the content on the backend, allowing us to merge manifest signatures and not destroy content when a new signature is added. This work has been specified in #25.

Can these digests be enumerable through the API?

Yes, they can, but that endpoint is not part of this particular proposal. This is not ideal, but we need to be slightly conservative with API surface area.

Can the API provide an endpoint to get the digest of the current version of a manifest?

This is covered under item 3 above. The manifest's digest will be available in an http header in the response to GET /v2/<name>/manifests/<tag>, along with a canonical Location header. This will also be available via notification webhooks (#42), which we haven't fully specified out yet, to support determinant builds and deployment.

If you still have questions, please come by #docker-distribution in IRC and ping me (stevvooe). A lot of the proposed changes here are based directly on your feedback. I'll be happy to go over the details with you and make sure we're on the same page.

[ncdc]

This proposal LGTM

[mmdriley]

What if two manifest versions with the same "signed" components are uploaded? This would seem to recommend abandoning the idea of any "unsigned" part.

The signatures are going to be separated from the content on the backend, allowing us to merge manifest signatures and not destroy content when a new signature is added. This work has been specified in #25.

It seems like the most important aspect of this is as yet unspecified. What does it mean to "merge" two manifests? This goes back to the question of why there are unsigned parts of the manifest at all.

[wking]

On Fri, Jan 09, 2015 at 10:20:46AM -0800, Matthew Riley wrote:

What if two manifest versions with the same "signed" components
are uploaded? This would seem to recommend abandoning the idea
of any "unsigned" part.

The signatures are going to be separated from the content on the
backend, allowing us to merge manifest signatures and not destroy
content when a new signature is added. This work has been
specified in #25.

It seems like the most important aspect of this is as yet
unspecified. What does it mean to "merge" two manifests? This goes
back to the question of why there are unsigned parts of the manifest
at all.

It's not merging the manifests, it's merging the signatures. That's
just “create a list of all signatures associated with the signed
portion of this manifest”. We have a signed portion to break the:

manifest → make signature → update manifest

loop, since you can't have the signature signing itself. An easier
approach (which it seems like we're taking on the backend) is to just
use detached signatures.

[stevvooe]

@mmdriley The use of the term "unsigned" was inaccurate. This is the "payload" portion of the JWS signed manifest. This can best be explained with an example. A very simple payload might be like this:

{
   "schemaVersion": 1,
   "name": "foo/bar",
   "tag": "0.1",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "demo"
      }
   ],
   "history": null
}

Party A signs the manifest with their private key, getting the following manifest:

{
   "schemaVersion": 1,
   "name": "foo/bar",
   "tag": "0.1",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "demo"
      }
   ],
   "history": null,
   "signatures": [
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "YGDA:Y3ZD:USKI:4L4E:4HZU:KGPU:YC7E:3SJH:VH7R:7VUW:STJK:O24Q",
               "kty": "EC",
               "x": "MsExpH8eIv60vHvz1p1HJ03ctSy1ZRh9pzsG32I-vaI",
               "y": "VJPadjcQK8AnqlOTyONJUFtizN5xAygEA6VCbwPXZ9U"
            },
            "alg": "ES256"
         },
         "signature": "dUWS_SpB6TuKGdfmv4uyizaz8kiXWZcv5sHuAi84GH5mLdYlslHVwIzBotdg4Sbyh0hy1B9hTQvbQ2BuhbZA4w",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjE3NiwiZm9ybWF0VGFpbCI6IkNuMCIsInRpbWUiOiIyMDE1LTAxLTA5VDIxOjM1OjQwWiJ9"
      }
   ]
}

The above can be verified with public key "YGDA:Y3ZD:USKI:4L4E:4HZU:KGPU:YC7E:3SJH:VH7R:7VUW:STJK:O24Q" using libtrust.

Now, let's say party B, with a different private key, signs the same payload and gets the following:

{
   "schemaVersion": 1,
   "name": "foo/bar",
   "tag": "0.1",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "demo"
      }
   ],
   "history": null,
   "signatures": [
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "U4P3:BQAB:L75W:Q7WX:NN3C:ND3V:XBSS:2MM6:XSXP:ZB5Q:XL6Q:JDFD",
               "kty": "EC",
               "x": "W1ul5T2qa_xM8ATqIhu80_5Z0Mhff9TLMKQofBruA3Q",
               "y": "KElpSRkBOM0Y7TNspJh0jlReLKlS7-EqHvqHut9c7Gk"
            },
            "alg": "ES256"
         },
         "signature": "ZaF-2gEMN4yzxQwr86WEkbC4uEaRW6zgMlpW3iL-4-4jpgpklua8IonJm75QCzCp6rsfbLcyWAIddYHqwcZZ1A",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjE3NiwiZm9ybWF0VGFpbCI6IkNuMCIsInRpbWUiOiIyMDE1LTAxLTA5VDIxOjM1OjQwWiJ9"
      }
   ]
}

The above can be verified to have public key "U4P3:BQAB:L75W:Q7WX:NN3C:ND3V:XBSS:2MM6:XSXP:ZB5Q:XL6Q:JDFD". These two signed manifests have identical payloads with different signatures. With modifications to libtrust, we can trivially merge the signatures, getting the following:

{
   "schemaVersion": 1,
   "name": "foo/bar",
   "tag": "0.1",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "demo"
      }
   ],
   "history": null,
   "signatures": [
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "YGDA:Y3ZD:USKI:4L4E:4HZU:KGPU:YC7E:3SJH:VH7R:7VUW:STJK:O24Q",
               "kty": "EC",
               "x": "MsExpH8eIv60vHvz1p1HJ03ctSy1ZRh9pzsG32I-vaI",
               "y": "VJPadjcQK8AnqlOTyONJUFtizN5xAygEA6VCbwPXZ9U"
            },
            "alg": "ES256"
         },
         "signature": "dUWS_SpB6TuKGdfmv4uyizaz8kiXWZcv5sHuAi84GH5mLdYlslHVwIzBotdg4Sbyh0hy1B9hTQvbQ2BuhbZA4w",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjE3NiwiZm9ybWF0VGFpbCI6IkNuMCIsInRpbWUiOiIyMDE1LTAxLTA5VDIxOjM1OjQwWiJ9"
      },
      {
         "header": {
            "jwk": {
               "crv": "P-256",
               "kid": "U4P3:BQAB:L75W:Q7WX:NN3C:ND3V:XBSS:2MM6:XSXP:ZB5Q:XL6Q:JDFD",
               "kty": "EC",
               "x": "W1ul5T2qa_xM8ATqIhu80_5Z0Mhff9TLMKQofBruA3Q",
               "y": "KElpSRkBOM0Y7TNspJh0jlReLKlS7-EqHvqHut9c7Gk"
            },
            "alg": "ES256"
         },
         "signature": "ZaF-2gEMN4yzxQwr86WEkbC4uEaRW6zgMlpW3iL-4-4jpgpklua8IonJm75QCzCp6rsfbLcyWAIddYHqwcZZ1A",
         "protected": "eyJmb3JtYXRMZW5ndGgiOjE3NiwiZm9ybWF0VGFpbCI6IkNuMCIsInRpbWUiOiIyMDE1LTAxLTA5VDIxOjM1OjQwWiJ9"
      }
   ]
}

The above can then be verified to have been signed by both "YGDA:Y3ZD:USKI:4L4E:4HZU:KGPU:YC7E:3SJH:VH7R:7VUW:STJK:O24Q" and "U4P3:BQAB:L75W:Q7WX:NN3C:ND3V:XBSS:2MM6:XSXP:ZB5Q:XL6Q:JDFD". The registry just needs to store the signature components to be merged when serving a manifest.