Skip to content

conformance: make blob mount and upload checks more strict#399

Merged
sudo-bmitch merged 1 commit intoopencontainers:mainfrom
imjasonh:more-strict
Apr 4, 2023
Merged

conformance: make blob mount and upload checks more strict#399
sudo-bmitch merged 1 commit intoopencontainers:mainfrom
imjasonh:more-strict

Conversation

@imjasonh
Copy link
Copy Markdown
Member

@imjasonh imjasonh commented Apr 4, 2023

  1. when mounting is successful, require the Location response header to be exactly /v2/<repo>/blobs/<digest>, and not just contain the string <repo>
  2. when mounting is unsuccessful and Location points to an upload session URL, require the Location response header to start with /v2/<repo>/blobs/uploads/, and not just contain /blobs/uploads/.

In the case of (2), this corresponds to common behavior, but based on my reading of the spec it might not actually be exactly specified as such:

Alternatively, if a registry does not support cross-repository mounting or is unable to mount the requested blob, it SHOULD return a 202. This indicates that the upload session has begun and that the client MAY proceed with the upload.

(source)

We may want to clarify this failed-mounting behavior more to specify that the Location response header MUST be /v2/<repo>/blobs/uploads/, as it normally is.

@imjasonh
conformance: make blob mount and upload checks more strict
27ae6c2 
Signed-off-by: Jason Hall <jason@chainguard.dev>
@imjasonh
Copy link
Copy Markdown
Member Author

imjasonh commented Apr 4, 2023

Also, I'm not sure what automated checks we have on conformance test changes to check that this doesn't regress on any currently-passing registries.

jdolitsky
jdolitsky approved these changes Apr 4, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@jdolitsky jdolitsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I'm not sure what automated checks we have on conformance test changes to check that this doesn't regress on any currently-passing registries.

There isnt any currently, just individual projects running off main in CI

@sudo-bmitch sudo-bmitch merged commit b3168ea into opencontainers:main Apr 4, 2023
@mikebrow
Copy link
Copy Markdown
Member

mikebrow commented Apr 4, 2023

  1. when mounting is successful, require the Location response header to be exactly /v2/<repo>/blobs/<digest>, and not just contain the string <repo>
  2. when mounting is unsuccessful and Location points to an upload session URL, require the Location response header to start with /v2/<repo>/blobs/uploads/, and not just contain /blobs/uploads/.

In the case of (2), this corresponds to common behavior, but based on my reading of the spec it might not actually be exactly specified as such:

Alternatively, if a registry does not support cross-repository mounting or is unable to mount the requested blob, it SHOULD return a 202. This indicates that the upload session has begun and that the client MAY proceed with the upload.

(source)

We may want to clarify this failed-mounting behavior more to specify that the Location response header MUST be /v2/<repo>/blobs/uploads/, as it normally is.

we used the term name instead of repo to avoid namespace and repository format requirements

1hr approve and merge? That must be a record :-O

If memory serves at one point v1 docker api was considered acceptable for certain scenarios.. probably why this wasn't necessarily restricted?

@jdolitsky
Copy link
Copy Markdown
Contributor

jdolitsky commented Apr 4, 2023

RE:

Also, I'm not sure what automated checks we have on conformance test changes to check that this doesn't regress on any currently-passing registries.

See #401

cc @imjasonh

@jdolitsky jdolitsky mentioned this pull request Apr 19, 2023
Closed
@sudo-bmitch sudo-bmitch mentioned this pull request Feb 1, 2024
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jdolitsky jdolitsky jdolitsky approved these changes

@sudo-bmitch sudo-bmitch sudo-bmitch approved these changes

@dmcgowan dmcgowan Awaiting requested review from dmcgowan dmcgowan is a code owner

@jzelinskie jzelinskie Awaiting requested review from jzelinskie jzelinskie is a code owner

@jonjohnsonjr jonjohnsonjr Awaiting requested review from jonjohnsonjr jonjohnsonjr is a code owner

@mikebrow mikebrow Awaiting requested review from mikebrow mikebrow is a code owner

@stevvooe stevvooe Awaiting requested review from stevvooe stevvooe is a code owner

@vbatts vbatts Awaiting requested review from vbatts

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@imjasonh @mikebrow @jdolitsky @sudo-bmitch