image manifests built with buildkit missing required `size` field in manifest

[waynr]

I have been working on a new implementation of the distribution spec using https://github.com/containers/oci-spec-rs and when attempting to push my first image, my implementation was rejecting the manifest as invalid. When I looked at my logs I saw

2023-10-12T17:18:37.639919Z  WARN request{method=PUT uri=/v2/woof/manifests/0.0.30 version=HTTP/1.1 headers={"host": "localhost:13030", "user-agent": "docker/24.0.5 go/go1.20.6 git-commit/a61e2b4c9c kernel/6.1.54-1-lts os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.5
 \(linux\))", "content-length": "2147", "content-type": "application/vnd.docker.distribution.manifest.v2+json", "accept-encoding": "gzip", "connection": "close"}}: portfolio::http::manifests: error deserializing manifest: DistributionSpecError(ManifestInvalid)

(here you can see the user agent is docker/24.0.5, @neersighted mentioned to me earlier today in an OCI Dev call that this version of docker uses buildkit by default)

This error originates with the fact that the type I'm trying to de-serialize the manifest to strictly requires that all descriptors include the size field: https://github.com/containers/oci-spec-rs/blob/833976fc161ee52588d24ac8446c44ed40222006/src/image/descriptor.rs#L34-L40

This requirement is codified in the OCI Image spec here:

This REQUIRED property specifies the size, in bytes, of the raw content.

To be clear, this descriptor without a size is occurring in the image manifest's config field:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "digest": "sha256:53eff974406dd16e9f7a083eb7da839181f0999d9277bb39891c2612ff78fe84"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:ac7f2e1c758675427623d0da4faa88b336c62466c15a98af61efd3f015282f2f"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:730f917270d3956a2c03b6fa96c905b62fbd5d584222e1aaf4441e24569a08a9"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:4a4650a2e572ca165a0add1b9a2edc5bbfe5e2d5d85f126eb137cc0fedf43198"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:8484ee9d14b6f13c8bfd9a1303032514fe5111b8a208a3691d5b71c58becbead"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:11597adb7c4e95f1928e7c7ecc752f20795bfaa7f3b697600770f97c82048a11"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:058473d14b1d7d9fbb13b37e8d66a0a85791c65817bd615469d6c81a453d42f1"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:793a3dfcbd4a4772c862357be99650cdaecaca972f125ee609b32dd158204286"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:42a9a986bf59d4a4d222fe4c65bceff269199bdba365df51d760639f6eacba21"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:29a525d13ec607f89fea2f523ea26e8e27869d832c19925df286fefc7053a289"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:a506a09b79cdce6a5877042467efd8664bd469cde03ad35dbe010ab7dd3e2379"
      }
   ]
}

[jedevc]

Yeah, that definitely looks incorrect, all descriptors need the size field 👀 Can you share how you're producing that image that's been pushed?

[waynr]

The simplest reproduction of this that I've come up with so far is to create a Dockerfile that looks like:

FROM alpine:latest

RUN echo hello

This results in an image manifest that looks lik

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "digest": "sha256:76c282af356a4ccee6fa00112ff9f7a4c737480523d733daae9a180b896b46be"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa"
      }
   ]
}

[waynr]

By the way, just as a point of contrast the manifest that gets pushed if a docker pull alpine:latest then push it to my registry looks like:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "digest": "sha256:8ca4688f4f356596b5ae539337c9941abc78eda10021d35cbc52659c74d9b443"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3401967,
         "digest": "sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa"
      }
   ]
}

Note that this merely pulled then pushed image still doesn't include the config.size field but it does include a size field in the layer descriptor (which of course has the same digest as what's in the image generated by my example Dockerfile).

[neersighted]

That doesn't look right; the manifest on Hub has the size:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1472,
    "digest": "sha256:8ca4688f4f356596b5ae539337c9941abc78eda10021d35cbc52659c74d9b443"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 3401967,
      "digest": "sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa"
    }
  ]
}

It's possible that we're pushing something wrong in Docker, but I would expect a lot more people to notice if that was the case. During some trivial testing, the manifest appears to be pushed correctly with size in the descriptor.

[waynr]

Who would notice if a config field is missing? What struct is this being serialized from / deserialized to in docker? What client are you using for your testing?

[waynr]

If the client that is parsing a manifest blob is using the distribution definition of a descriptor I don't see anything in the struct's json field tag that would make it required during deserialization: https://github.com/distribution/distribution/blob/ebba01efeacc31a55640ee1efc858ea4e327c479/blobs.go#L71

The reason my registry fails on PUT /v2/<name>/manifests/<reference> is precisely because it does require the size field to be there and it isn't (I have modified a local copy of oci-spec-rs to make the size field optional so that this endpoint temporarily works, and may submit a PR to that repo).

[waynr]

@neersighted here's an example in distribution of the Descriptor being constructed after deserializing the manifest and the size field being manually populated:

https://github.com/distribution/distribution/blob/ebba01efeacc31a55640ee1efc858ea4e327c479/manifest/schema2/manifest.go#L52

I don't see any checking going on that the deserialized manifest actually contains a config.size field, but that could be going on elsewhere of course.

[waynr]

Hmm, I guess that is the manifest descriptor not the config descriptor. But still, I don't see the config.size field being validated.

[neersighted]

The client I'm using is not relevant; explore.ggcr.dev is just a tool for viewing the data as it exists in the registry. docker push may be reconstructing the manifest, yes; however I can't reproduce what you're seeing with a simple test against Hub:

$ docker pull docker.io/library/alpine:latest # dereferencing an index to a manifest
$ docker tag docker.io/library/alpine:latest docker.io/neersighted/alpine:latest
$ docker push docker.io/neersighted/alpine:latest

You can see the resulting content here.

[waynr]

@neersighted what version of docker are you using? What does your daemon config look like? Do you have any environment variables or CLI config that might change its behavior?

I am using docker/24.0.5 go/go1.20.6 git-commit/a61e2b4c9c, my daemon config looks like:

{
        "max-concurrent-uploads": 1,
        "debug": true,
        "log-level": "trace"
}

And my CLI config only contains auth sections for localhost:13030 (my in-development registry) and https://index.docker.io/v1/

[waynr]

This is strange:

% docker tag docker.io/library/alpine:latest localhost:13030/woof:whatever
% docker push localhost:13030/woof:whatever
The push refers to repository [localhost:13030/woof]
cc2447e1835a: Layer already exists
whatever: digest: sha256:79c24c52a0859e31ba0fb7e00305116314674230563c5a35fb76761520403b0c size: 482

But if I push the same image to docker hub I see:

% docker tag docker.io/library/alpine:latest docker.io/waynr/alpine:latest
% docker push docker.io/waynr/alpine:latest
The push refers to repository [docker.io/waynr/alpine]
cc2447e1835a: Mounted from library/alpine
latest: digest: sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86 size: 528

Why would pushing the exact same manifest to two different registries result in a different manifest digest? My implementation is calculating the sha256 digest based purely on the manifest bytes as received in the PUT /v2/<name>/manifests/<reference> request body. It's not taking the size out or changing anything else about what it receives on the wire. My implementation does deserialize the received bytes into a struct (which is why it fails unless I loosen the requirement that the config.size field be present), but it first copies the request body so that it can store the manifest in the exact byte representation provided by the client as per the spec:

The registry MUST store the manifest in the exact byte representation provided by the client.

Anyway, the fact that the digest of the manifest when pushed to docker hub is different than the digest when pushed to my local registry makes me think that docker hub may be violating this by adding missing fields to the received manifest.

[waynr]

Interestingly the actual docker.io/library/alpine:latest is an index manifest: https://explore.ggcr.dev/?image=alpine%3Alatest

And it looks like you must be on an arm64 machine @neersighted since the manifest digest of the image you pushed is sha256:6ce9a9a256a3495ae60ab0059ed1c7aee5ee89450477f2223f6ea7f6296df555

[neersighted]

In my example, I had a comment explaining the dereference. Yes, DOI provides indexes, but the engine can only store manifests. So in that initial pull, I dereferenced the index to a manifest for my platform, and pushed the manifest to my new repo.

With regard to "why does pushing to a different registry result in a different digest;" this is addressed by my earlier paragraph: the digest is calculated over the compressed bytes, but dockerd only stores the uncompressed bytes. As gzip is not repeatable, the same uncompressed content results in "different" compressed content as we only gzip during push.

To be more apples to apples, I should disable the cross-repository blob mount, which was actually used during my push (you'll notice your test didn't push any layers and instead said the same thing):

cc2447e1835a: Mounted from library/alpine
latest: digest: sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86 size: 528

This means that the blobs were cross-mounted from library/alpine, and only the manifest itself was pushed to the distribution API (with a tag associated); as the JSON is 'the same' it resulted in the same digest.

Testing again, avoiding CRBM by using ttl.sh:

$ docker pull docker.io/library/alpine:edge
$ docker tag docker.io/library/alpine:edge ttl.sh/neersighted-alpine:24h
$ docker rmi docker.io/library/alpine:edge

$ docker image inspect ttl.sh/neersighted-alpine:24h | jq .[].RepoTags
[
  "ttl.sh/neersighted-alpine:24h"
]
$ docker image inspect ttl.sh/neersighted-alpine:24h | jq .[].RepoDigests
[]

$ docker push ttl.sh/neersighted-alpine:24h
The push refers to repository [ttl.sh/neersighted-alpine]
759e7308839b: Pushed
24h: digest: sha256:9747b0f6f9fe54882e5e186e452150587460bf0a668738052302d10230052c77 size: 528

$ docker image inspect ttl.sh/neersighted-alpine:24h | jq .[].RepoDigests
[
  "ttl.sh/neersighted-alpine@sha256:9747b0f6f9fe54882e5e186e452150587460bf0a668738052302d10230052c77"
]

$ crane manifest ttl.sh/neersighted-alpine@sha256:9747b0f6f9fe54882e5e186e452150587460bf0a668738052302d10230052c77 | jq .

Resulting in:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1487,
    "digest": "sha256:0f3687eeb1f1f1aedfd67c8cad6a4f21b31527e25a40ffba9b6e7dd9d715e617"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 3333476,
      "digest": "sha256:bd218047ff719d3306f5565faa6f561ac3e52b51391804fd7b53231f8326f059"
    }
  ]
}

[neersighted]

For reference, my docker version is:

Client:
 Cloud integration: v1.0.35+desktop.5
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.25.0 (123863)
 Engine:
  Version:          24.0.6
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       1a79695
  Built:            Mon Sep  4 12:31:36 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

And my docker info is:

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.5
    Path:     /Users/neersighted/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.22.0-desktop.2
    Path:     /Users/neersighted/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/neersighted/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/neersighted/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.8
    Path:     /Users/neersighted/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/neersighted/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/neersighted/.docker/cli-plugins/docker-scan
  scout: Docker Scout (Docker Inc.)
    Version:  v1.0.7
    Path:     /Users/neersighted/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 34
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.4.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 12
 Total Memory: 11.68GiB
 Name: docker-desktop
 ID: 24db6515-ca45-4274-8dba-a59d6fb3a368
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

I'm not entirely sure what's going on, but I'm not sure it's in dockerd/BuildKit just yet. I have some time in a couple hours if you want to send me a message on the OCI Slack to set up a call, if you want more help debugging this.

[waynr]

the digest is calculated over the compressed bytes, but dockerd only stores the uncompressed bytes.

I find this kind of surprising since in my registry logs I don't see any indication in the headers that it's gzip compressed:

2023-10-12T17:23:07.148882Z DEBUG request{method=PUT uri=/v2/woof/manifests/0.0.30 version=HTTP/1.1 headers={"host": "localhost:13030", "user-agent": "docker/24.0.5 go/go1.20.6 git-commit/a61e2b4c9c kernel/6.1.54-1-lts os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.5
 \(linux\))", "content-length": "2147", "content-type": "application/vnd.docker.distribution.manifest.v2+json", "accept-encoding": "gzip", "connection": "close"}}: tower_http::trace::on_request: started processing reques

I know this probably doesn't mean much to you since you can't see my code but it i would naively expect a content-type of application/vnd.docker.distribution.manifest.v2+json to mean it's not gzip compressed.

I'm not entirely sure what's going on, but I'm not sure it's in dockerd/BuildKit just yet. I have some time in a couple hours if you want to send me a message on the OCI Slack to set up a call, if you want more help debugging this.

Sure, I'm happy to pair with you on debugging it. I'm also working on setting up mitmproxy between my docker daemon and distribution running in a container so I can get a neutral log showing exactly the contents of the PUT request body. My main concern is to figure out whether i should open a PR to oci-spec-rs loosening the requirement that Descriptors include a size field.