[No Ticket] Stricter redirects when interacting with registry v2 api #1308

Draft
wants to merge 9 commits into
base: master

meghfossa
Contributor

@meghfossa meghfossa commented Oct 19, 2023

Overview

This PR addresses some of the root causes of STM transaction errors seen in some container scanning runs.

Acceptance criteria

  • fossa-cli does not throw a 400 error when docker.io decides to use an S3 storage proxy for manifests and blobs.

Testing plan

To force a non-CloudFront storage proxy (specifically S3):

  1. Log in to the AWS console.
  2. Spin up an EC2 instance.
  3. Run fossa container-analyze -o --debug node:latest (you should see an STM transaction error and a 400 HTTP error).

Now (download this PR's fossa binary from the Build Action's summary artifact):

  4. Run ./fossa container-analyze -o --debug node:latest (you should not see any errors).

Risks

There is an open ticket on this: containers/image#641, but the consensus is that we ought to strip headers on redirect. There is also a ticket by podman: containers/podman#15187, and https://bugzilla.redhat.com/show_bug.cgi?id=1695236

I think the ideal solution is to re-implement the same logic as the docker client, which injects headers if and only if the host matches the host used for token generation in the redirect chain, but for now I think this should be a better alternative while we replicate/ticket the exact docker-client behaviour in the redirect chain.

Metrics

N/A

References

I discovered this via bulk testing, as part of the tar ticket.

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@meghfossa meghfossa changed the title [No Ticket] STM related 400 when s3-esq proxy is used for layer blobs [No Ticket] Stricter redirects when interacting with registry v2 api Oct 20, 2023
@meghfossa meghfossa force-pushed the feat/registry-api-docker-avoid-headers-on-redirect branch from bb84781 to 74316e5 Compare October 30, 2023 22:00
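
An added example, not code from this PR or from fossa-cli: a Python model of the two redirect policies the description contrasts, stripping credentials on every redirect versus sending them only to the host the token was issued for. The host names, function names, sample chain and the choice of `Authorization` as the only credential header are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only credential header; the PR text just says "headers".
SENSITIVE = {"authorization"}

def headers_for_hop(headers, url, token_host, policy, is_redirect):
    """Return the headers to send to `url` for one hop of a redirect chain.

    "strip":      drop credentials on every redirected hop.
    "token-host": send credentials only when the hop's host equals the host
                  the token was issued for (the behaviour the description
                  attributes to the docker client). Host-only comparison is
                  a simplification: scheme and port are ignored here.
    """
    host = (urlsplit(url).hostname or "").lower()
    if policy == "strip":
        keep = not is_redirect
    elif policy == "token-host":
        keep = host == token_host.lower()
    else:
        raise ValueError(f"unknown policy: {policy}")
    if keep:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}

def walk_chain(chain, headers, token_host, policy):
    """Return [(host, credentials_sent)] for each URL in a redirect chain."""
    result = []
    for i, url in enumerate(chain):
        sent = headers_for_hop(headers, url, token_host, policy, is_redirect=i > 0)
        has_cred = any(k.lower() in SENSITIVE for k in sent)
        result.append((urlsplit(url).hostname, has_cred))
    return result

# Constructed sample: registry request, same-host redirect, then a storage
# proxy that authenticates through a signed query string.
CHAIN = [
    "https://registry.example/v2/library/node/blobs/sha256:placeholder",
    "https://registry.example/v2/blobs/relocated/placeholder",
    "https://blobs.storage.example/placeholder?X-Signature=constructed",
]
HEADERS = {"Authorization": "Bearer constructed-token",
           "Accept": "application/octet-stream"}

if __name__ == "__main__":
    for policy in ("strip", "token-host"):
        print(policy, walk_chain(CHAIN, HEADERS, "registry.example", policy))
```

Both policies keep the bearer token away from the storage proxy; they differ only on the same-host hop, where "strip" drops the token and "token-host" keeps it.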