RE: Clair integration with ProGet results in 'BadRequest for layer sha256' warnings in VulnerabilityDownloader job

Hi,

Yes. ProGet can be pinged from the clair server and Web.BaseUrl is set correctly.

Thanks,
Scott

Hi Rich,

What is your current version of ProGet: 5.3.36
What is your current version of the Clair extension: 1.9.0
What version of Clair are you running: 2.1.2
Is this something new that has recently started happening? Yes. Just setup the integration last week
Does it give you that warning for all layers or just some specific layers? There are ~69K WARN entries in the job output so I am thinking all layers. But without more log info from ProGet, I can't be 100% sure
Would it be possible to share any sort of example image from a third-party registry that has this issue? Sorry, no.

Hi,

We have setup Clair integration with ProGet and connections appears ok. However, the only log entries from running the VulnerabilityDownloader job are WARN: BadRequest for layer sha256:<Layer_ID>. What can I do to diagnose these warnings?

Thanks,
Scott

Just for reference, I was able to get the correct digest of a tag and delete it with this PowerShell script...

$image = "some_image"
$some_image_tag = "some_tag"

get digest

$curlReturn = curl -I HEAD https://<proget_repo>/v2/<container>/library/$image/manifests/$some_image_tag
foreach ($line in $curlReturn)
{
if ($line -match "Docker-Content-Digest: (.+)")
{
$digest = $Matches[1]
Write-Host "$image digest is $digest"
}
}

delete tag digest

$URI = "https://<proget_repo>/v2/<container>/library/$image/manifests/$digest"
Write-Host "Deleting tag $some_image_tag from image $image"
Invoke-WebRequest -Uri $URI -Method Delete -Headers @{"X-ApiKey"="<proget_api_key>"; }

Thanks for the reply!

By the way, do you have preliminary release notes for 5.3 that we can look at?

Thanks,
Scott

Hi,

I am trying to obtain the correct digest of a particular docker tag and have seen two methods, with different outputs (see below), to accomplish this.  Which is correct?  From your documentation, I need to get the digest associated with 'Docker-Content-Digest', which is option 2.  However, documentation doesn't explicitly mention using curl (unless it's assumed?).

1. place 'https://<proget_repo>/v2/<container>/library/<image_name>/manifests/<tag>' in a web browser. Alternatively, use Powershell's Invoke-WebRequest

2. type 'curl -v -H Accept: "application/vnd.docker.distribution.manifest.v2+json" -X HEAD https://<proget_repo>/v2/<container>/library/<image_name>/manifests/<tag>' on the command line

Option 1 output:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 4536,
"digest": "sha256:d8622010e224b5c7dc541c0e8843b993fd5c5afe422ed1309aac207bd06885a7"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 22524609,
"digest": "sha256:804555ee037604c40de144f9f8da0d826d38db82f15d74cded32790fe279a8f6"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 17692725,
"digest": "sha256:970251047358aea56ba6db6975b14ff12470b75de0c2477f4445240ddd727fd4"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 2978257,
"digest": "sha256:f3d4c41a4fd13f35c0b46f19a4e27845f4695163cc7174d908ff84836bbc2f5a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 62145592,
"digest": "sha256:bd391c46585f9f8d84992bbaa9087189148c1601968eaaf097d5b3ed60840e5e"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 126,
"digest": "sha256:1674b9537e7545c5665f935cab34e05e09971a88dab2b86fdf00e516089708f5"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 25187509,
"digest": "sha256:51ecaa038642c6c35b4be45cf823e06d5f3f50f8f3f5e9cfb52c6b5151a57dc5"
}
]
}

Option 2 output:

Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.

• Could not resolve host: application
• Closing connection 0
  curl: (6) Could not resolve host: application
  Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
  Warning: way you want. Consider using -I/--head instead.
• Trying 10.2.0.87...
• TCP_NODELAY set
• Connected to <proget_repo> port 443 (#1)
• schannel: SSL/TLS connection with <proget_repo> port 443 (step 1/3)
• schannel: checking server certificate revocation
• schannel: sending initial handshake data: sending 190 bytes...
• schannel: sent initial handshake data: sent 190 bytes
• schannel: SSL/TLS connection with <proget_repo> port 443 (step 2/3)
• schannel: encrypted data got 1842
• schannel: encrypted data buffer: offset 1842 length 4096
• schannel: sending next handshake data: sending 158 bytes...
• schannel: SSL/TLS connection with <proget_repo> port 443 (step 2/3)
• schannel: encrypted data got 51
• schannel: encrypted data buffer: offset 51 length 4096
• schannel: SSL/TLS handshake complete
• schannel: SSL/TLS connection with <proget_repo> port 443 (step 3/3)
• schannel: stored credential handle in session cache

HEAD /v2/<container>/library/<image>/manifests/<tag> HTTP/1.1
Host: <proget_repo>
User-Agent: curl/7.55.1

• schannel: client wants to read 102400 bytes
• schannel: encdata_buffer resized 103424
• schannel: encrypted data buffer: offset 0 length 103424
• schannel: encrypted data got 483
• schannel: encrypted data buffer: offset 483 length 103424
• schannel: decrypted data length: 454
• schannel: decrypted data added: 454
• schannel: decrypted data cached: offset 454 length 102400
• schannel: encrypted data buffer: offset 0 length 103424
• schannel: decrypted data buffer: offset 454 length 102400
• schannel: schannel_recv cleanup
• schannel: decrypted data returned 454
• schannel: decrypted data buffer: offset 0 length 102400
  < HTTP/1.1 200 OK
  < Cache-Control: public, max-age=300
  < Content-Length: 1583
  < Content-Type: application/vnd.docker.distribution.manifest.v2+json
  < Vary: Authorization
  < Server: Microsoft-IIS/10.0
  < X-AspNet-Version: 4.0.30319
  < X-ProGet-Version: 5.2.23.7
  < Docker-Distribution-API-Version: registry/2.0
  < Docker-Content-Digest: sha256:219db0d935303e3d454231d6146ee56d658c8399f10de95648cdd91379139ce5
  < X-Powered-By: ASP.NET
  < Date: Tue, 11 Feb 2020 19:25:03 GMT
  <
• schannel: client wants to read 1583 bytes
• schannel: encrypted data buffer: offset 0 length 103424
• schannel: Curl_read_plain returned CURLE_RECV_ERROR
• schannel: encrypted data buffer: offset 0 length 103424
• schannel: encrypted data buffer: offset 0 length 103424
• schannel: decrypted data buffer: offset 0 length 102400
• schannel: schannel_recv cleanup
• Closing connection 1
• schannel: shutting down SSL/TLS connection with <proget_repo> port 443
• Send failure: Connection was reset
• schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
• schannel: clear security context handle

Do I run option 1: 'DELETE /v2/<container>/library/<image>/manifestsd8622010e224b5c7dc541c0e8843b993fd5c5afe422ed1309aac207bd06885a7'

or option 2 (Docker-Content-Digest)

'DELETE /v2/<container>/library/<image>/manifests/219db0d935303e3d454231d6146ee56d658c8399f10de95648cdd91379139ce5'

Thanks,
Scott

Thanks for the update. I am looking forward to 5.3! :)

Hi and thank you for the reply! From what I have read, no Delete tag API exists. At least not yet. It appears that it may be in a future docker release.

https://github.com/docker/distribution/pull/2169

What I am looking for is what is outlined on this page:

https://serverfault.com/questions/872332/easy-way-to-remove-a-tag-from-a-private-docker-registry/872336

ideally: DELETE http://<docker_repo>/v2/<image>/<tag>

But in the meantime, it would be great if we could script how ProGet accomplished this in the UI. Although, ProGet's terminology is delete package\image to delete. Maybe it can be delete image\tag to delete? Also, assuming if you delete the last tag, the entire image is deleted as well.

Please correct me if I am wrong :)

Scott

Hi,

Can anyone from Inedo chime in?

Thanks,
Scott

Hi,

Since deleting docker tags is not supported via the docker registry API HTTP DELETE (yet), I was hoping we could script the process ProGet UI runs to remove tags. https://<proget_server>/feeds/<container_folder>/library%2F<image>->"Delete Package"-><tag>

Is this possible? I do not want to rely on retention rules for our docker images.

Thanks,
Scott

@gdivis Sure thing. Just let me know when something is available for me to test.

Will ProGet support 'helm push' at some point?

ex. helm push mychart-1.2.3.tgz https://<proget-server>/helm/<helm-feed>/