Bug 1400197

Summary: ImageStreamTags do not properly resolve Digest(
Product: Red Hat Enterprise Linux 7 Reporter: Vladislav Walek <vwalek>
Component: docker-distributionAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: medium    
Version: 7.0CC: amurdaca, aos-bugs, dornelas, fkluknav, jhonce, jokerman, mfojtik, mmccomas
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-21 21:44:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1186913    

Description Vladislav Walek 2016-11-30 16:49:23 UTC 
Description of problem:

When trying to pull image from local docker registry, the incorrect digest is resolved. The image was 'docker save' from 1.8.3 version saved in tar, and 'docker load' using 1.10 and docker push to registry.
However when creating an application using the ImageStream Builder logs would print an error on the first line:
'error: build error: unabe to get registry/openshift3/httpd-24-rhel7@sha256:<digest>'.

But the registry was configured with SSL proxy (after running a while without SSL):
We have configured Docker Distribution in an unsecured manner (http on port 5000), 
and later secure it with an httpd ssl proxy on port 443, we roughly followed this guide:
https://github.com/docker/docker.github.io/blob/master/registry/recipes/apache.md

And when trying:

1. pull the image - returned digest (manifest) is the invalid one.

2. Push the same image, digest returned (presumably calculated locally on docker client)

3. Attempt pull the invalid digest fails.

4. Attempt to pull the pushed digest succeeds.

The problem is that if the pull is done from the unsecured the digest is ok, if from SSL the digest is incorrect. The question is, is it caused by docker registry?

Running:
'docker-distribution-2.4.1-2.el7.x86_64'
Openshift Container Platform Cluster v3.3.0.32
kubernetes v1.3.0+52492b4
docker 1.10.3, from package: 'docker-common-1.10.3-46.el7.14.x86_64' commit: '5206701'

Version-Release number of selected component (if applicable):
Openshift Container Platform Cluster v3.3.0.32

How reproducible:


Actual results:


Expected results:
the digest should be same on ssl and non-ssl registry

Additional info:
Comment 4 Vladislav Walek 2016-12-05 08:44:48 UTC 
Hi, I've received reply from customer:

Updating Docker-Distribution Package to version 2.5.0-1.el7.x86_64
Full Package Name: docker-distribution-2.5.0-1.el7.x86_64

Solves the issue!!!

Could you check it? Thx