Can't specify tags in urls on official docker images

[caldwell]

Environment

rkt Version: 1.30.0
appc Version: 0.8.11
Go Version: go1.13.1
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL
--
Linux 5.2.0-2-amd64 x86_64
--
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
--
systemd 244 (244-3)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

What did you do?

sudo rkt fetch --insecure-options=image docker://busybox:1.31.1

What did you expect to see?

A successful download.

What did you see instead?

$ sudo rkt fetch --insecure-options=image docker://busybox:1.31.1
fetch: parse docker://busybox:1.31.1: invalid port ":1.31.1" after host

From looking at the output of rkt image list I found a work-around:

$ sudo rkt fetch --insecure-options=image docker://library/busybox:1.31.1

But I think the simple no-slash version of the url (docker://busybox:1.31.1) should work based on the documentation (and I don't see library/ documented anywhere).

[dongsupark]

Yeah, I have seen this issue since several months.
Go >= 1.12.8 or Go >= 1.13 includes a security fix around URL parsing.
So when we build rkt with the newer Go versions, a URL like docker://busybox:1.31.1 is not valid any more.
That is why we Flatcar Container Linux reverted that specific commit from Go 1.12, to make rkt fetch work again. That will be the same case also for CoreOS Container Linux.

It might be easier for users to simply run the command with a registry hostname included, for example, rkt fetch --insecure-options=image docker://docker.io/busybox:1.31.1. Then it should work.