Skip to content

Pulling an image index without a media type attribute always fails

Context

Found while debugging gitlab#301398 (closed), which was reported a long time ago, and much has changed since then. Therefore, it is unlikely that this is was the root cause when the issue was created, but rather a related problem that we now have.

Problem

If we try to pull an image index that has no mediaType attribute, the registry is interpreting it as a schema 1 manifest, and the download fails (regardless of the request Accept header).

Sample index:

{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:3c941fdcdaf20de3e7482b593fd09e8275c366a6bfe43f0f45334d858cc4703e",
      "size": 123,
      "platform": {
        "architecture": "arm64",
        "os": "linux",
        "variant": "v8"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:e0c4475d341e6363c4d4a7c77a0f71c00c25f4b0ade8c4b4ea093001a135803d",
      "size": 456,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    }
  ]
}
❯ docker pull registry.gitlab.com/mygroup/myproject:latest
Error response from daemon: manifest invalid: Schema 1 manifest not supported
HTTP/1.1 400 Bad Request
Content-Length: 85
Content-Type: application/json
Date: Thu, 13 Jan 2022 11:16:27 GMT
Docker-Distribution-Api-Version: registry/2.0
Gitlab-Migration-Path: old
X-Content-Type-Options: nosniff

{
    "errors": [
        {
            "code": "MANIFEST_INVALID",
            "message": "Schema 1 manifest not supported"
        }
    ]
}

I didn't test it myself but I believe this wouldn't happen if the index had the mediaType attribute. Regardless, this attribute is not mandatory.

Solution

Fix type detection. We should not fall back to a schema 1 type when the input is clearly an index. Once the fix is in place, confirm that gitlab#301398 (closed) gets fixed as well.

Workaround

So far, this issue is only replicable when using buildah to build and push the multi-arch image. As noticed by @DagoRed in gitlab#301398 (comment 813241186), it's possible to work around this by using the option --format=v2s2. That will instruct buildah to generate a Docker-compatible multi-arch image, which in turn ensures that the mediaType parameter is filled.

Edited by João Pereira