Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker digest validation is too strict #32627

Merged
merged 1 commit into from
Sep 14, 2016
Merged

Docker digest validation is too strict #32627

merged 1 commit into from
Sep 14, 2016

Conversation

smarterclayton
Copy link
Contributor

@smarterclayton smarterclayton commented Sep 14, 2016
edited by k8s-oncall
Loading

Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of #30366 cannot be pulled by Kube from a Docker 1.10
system.

This partially reverts commit 875fd16.

This change is Reviewable

@smarterclayton
Copy link
Contributor Author

@eparis if you want to normal cherry-pick we can use this one - I wanted to make sure the patch compiled against 1.4 which is why I opened the other PR

@ncdc
Copy link
Member

ncdc commented Sep 14, 2016

LGTM

@k8s-cherrypick-bot
Copy link

Removing label cherrypick-candidate because no release milestone was set. This is an invalid state and thus this PR is not being considered for cherry-pick to any release branch. Please add an appropriate release milestone and then re-add the label.

@yujuhong yujuhong added this to the v1.4 milestone Sep 14, 2016
@yujuhong yujuhong added cherrypick-candidate release-note Denotes a PR that will be considered when it comes time to generate release notes. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Sep 14, 2016
@k8s-github-robot k8s-github-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 14, 2016
@yujuhong yujuhong assigned yujuhong and unassigned vishh Sep 14, 2016
@yujuhong yujuhong added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. retest-not-required and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Sep 14, 2016
@yujuhong yujuhong mentioned this pull request Sep 14, 2016
Merged
@smarterclayton
Copy link
Contributor Author

Hold until I validate in the morning whether Docker 1.10 is correctly setting RepoDigest on all supported versions.

@k8s-github-robot k8s-github-robot mentioned this pull request Sep 14, 2016
Closed
@smarterclayton
Copy link
Contributor Author

Updated to use RepoDigest first, use stricter parsing (which could break if Docker updates, but prevents us from missing string format changes). I would prefer to use the Docker structures (since we already are for parsing the ref) so as to avoid potential prefix attacks due to comparison.

@smarterclayton
Copy link
Contributor Author

All 3 major RHEL versions and 2 fedora versions I tested returned RepoDigest.

@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 14, 2016
@pwittrock
Copy link
Member

pwittrock commented Sep 14, 2016
edited
Loading

@yujuhong Why did you remove the lgtm?

Nevermind, I read Clayton's last comment

@smarterclayton
Copy link
Contributor Author

Hold for re-review with the new code approach

@smarterclayton
Copy link
Contributor Author

This is ready for re-review

ncdc
ncdc reviewed Sep 14, 2016
View reviewed changes
pkg/kubelet/dockertools/docker.go
if d, isDigested := named.(dockerref.Digested); isDigested {
// Allow prefix matches for shorter SHA values
if digest.Digest().Algorithm().String() == d.Digest().Algorithm().String() &&
strings.HasPrefix(digest.Digest().Hex(), digest.Digest().Hex()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't one of these digests be d?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

yujuhong
yujuhong reviewed Sep 14, 2016
View reviewed changes
pkg/kubelet/dockertools/docker.go
continue
}
if d, isDigested := named.(dockerref.Digested); isDigested {
// Allow prefix matches for shorter SHA values
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: remove the comment.

@yujuhong
Copy link
Contributor

lgtm. just a nit to remove the outdated comment.

@smarterclayton
Copy link
Contributor Author

Nit fixed

On Wed, Sep 14, 2016 at 12:24 PM, Yu-Ju Hong notifications@github.com
wrote:

lgtm. just a nit to remove the outdated comment.


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#32627 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p7uZvR7edB7-d1RYhJMFbf8ePnWsks5qqB-6gaJpZM4J8SYk
.

@yujuhong yujuhong added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2016
@yujuhong
Copy link
Contributor

Thanks a lot for fixing this!

@ncdc ncdc removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2016
@ncdc
Copy link
Member

ncdc commented Sep 14, 2016

Removing lgtm b/c of 1 issue which I'll comment on shortly

ncdc
ncdc reviewed Sep 14, 2016
View reviewed changes
pkg/kubelet/dockertools/docker.go
}
if d, isDigested := named.(dockerref.Digested); isDigested {
if digest.Digest().Algorithm().String() == d.Digest().Algorithm().String() &&
digest.Digest().Hex() == digest.Digest().Hex() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

double digest again

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch. Add a unit test?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just as an FYI, if we get into this for loop, it means:

  1. pod.containers[i].image is digested
  2. the image exists on the node
  3. the kubelet was able to docker inspect the image using the digest

It should be impossible to get here and not have a match between pod.containers[i].image and the value from RepoDigests.

We should be defensive, so I'm not suggesting we remove or change anything here. Just an FYI

@smarterclayton
Docker digest validation is too strict
4a48bf8 
Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of kubernetes#30366 cannot be pulled by Kube from a Docker 1.10
system.

Instead, use RepoDigests field as the primary match, validating the
digest, and then fall back to ID (also validating the match). Adds more
restrictive matching.
@smarterclayton
Copy link
Contributor Author

Updated with all comments.

@smarterclayton smarterclayton mentioned this pull request Sep 14, 2016
Closed
@ncdc
Copy link
Member

ncdc commented Sep 14, 2016

LGTM

@yujuhong yujuhong added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2016
@yujuhong
Copy link
Contributor

@smarterclayton I'll create a cherrypick PR using the script.

@yujuhong yujuhong mentioned this pull request Sep 14, 2016
Closed
@smarterclayton
Copy link
Contributor Author

Thanks

On Wed, Sep 14, 2016 at 2:24 PM, Yu-Ju Hong notifications@github.com
wrote:

@smarterclayton https://github.com/smarterclayton I'll create a
cherrypick PR using the script.


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#32627 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p8Xgi6TPaWHry578bJMOtOSf-kuRks5qqDvJgaJpZM4J8SYk
.

@k8s-bot
Copy link

k8s-bot commented Sep 14, 2016

GCE e2e build/test passed for commit 4a48bf8.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit b841a8b into kubernetes:master Sep 14, 2016
eparis pushed a commit to eparis/kubernetes that referenced this pull request Sep 14, 2016
@eparis
Merge pull request kubernetes#32627 from smarterclayton/relax_content_id
61ffa8b 
Automatic merge from submit-queue

Docker digest validation is too strict

Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of kubernetes#30366 cannot be pulled by Kube from a Docker 1.10
system.

This partially reverts commit 875fd16.
(cherry picked from commit b841a8b)
@eparis eparis added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Sep 14, 2016
@eparis eparis mentioned this pull request Sep 14, 2016
Merged
@k8s-cherrypick-bot
Copy link

Commit found in the "release-1.4" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

shyamjvs pushed a commit to shyamjvs/kubernetes that referenced this pull request Dec 1, 2016
@eparis
Merge pull request kubernetes#32627 from smarterclayton/relax_content_id
d496906 
Automatic merge from submit-queue

Docker digest validation is too strict

Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of kubernetes#30366 cannot be pulled by Kube from a Docker 1.10
system.

This partially reverts commit 875fd16.
(cherry picked from commit b841a8b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@yujuhong yujuhong

Labels
cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.4
Development

Successfully merging this pull request may close these issues.
10 participants
@smarterclayton @ncdc @k8s-cherrypick-bot @pwittrock @yujuhong @k8s-bot @k8s-github-robot @googlebot @vishh @eparis