diable digest resolution for manifest v2 schema 1 manifests

aws · Jul 19, 2024 · 507b3c0 · 507b3c0
1 parent 8c85f33
commit 507b3c0
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/agent/engine/docker_task_engine.go b/agent/engine/docker_task_engine.go
@@ -114,6 +114,11 @@ const (
 	stopContainerBackoffJitter     = 0.2
 	stopContainerBackoffMultiplier = 1.3
 	stopContainerMaxRetryCount     = 5
+
+	// mediaTypeManifestV1 specifies the media type for v1 manifest
+	mediaTypeManifestV1 = "application/vnd.docker.distribution.manifest.v1+json"
+	// mediaTypeSignedManifestV1 specifies the media type for signed v1 manifest
+	mediaTypeSignedManifestV1 = "application/vnd.docker.distribution.manifest.v1+prettyjws"
 )
 
 var newExponentialBackoff = retry.NewExponentialBackoff
@@ -1295,6 +1300,7 @@ func (engine *DockerTaskEngine) pullContainerManifest(
 				},
 			}
 		}
+
 		imageManifestDigest = parsedDigest
 		logger.Info("Fetched image manifest digest for container from local image inspect", logger.Fields{
 			field.TaskARN:       task.Arn,
@@ -1352,6 +1358,22 @@ func (engine *DockerTaskEngine) pullContainerManifest(
 			})
 			return dockerapi.DockerContainerMetadata{Error: manifestPullErr}
 		}
+		imageManifestMediaType := distInspect.Descriptor.MediaType
+		logger.Info("Fetched image manifest MediaType for container from registry", logger.Fields{
+			field.TaskARN:        task.Arn,
+			field.ContainerName:  container.Name,
+			field.ImageMediaType: imageManifestMediaType,
+			field.Image:          container.Image,
+		})
+		if strings.Contains(imageManifestMediaType, mediaTypeManifestV1) || strings.Contains(imageManifestMediaType, mediaTypeSignedManifestV1) {
+			logger.Info("skipping digest resolution for manifest v2 schema 1", logger.Fields{
+				field.TaskARN:        task.Arn,
+				field.ContainerName:  container.Name,
+				field.ImageMediaType: imageManifestMediaType,
+				field.Image:          container.Image,
+			})
+			return dockerapi.DockerContainerMetadata{}
+		}
 		imageManifestDigest = distInspect.Descriptor.Digest
 		logger.Info("Fetched image manifest digest for container from registry", logger.Fields{
 			field.TaskARN:       task.Arn,

diff --git a/agent/engine/docker_task_engine_test.go b/agent/engine/docker_task_engine_test.go
@@ -114,6 +114,7 @@ const (
 	testTaskARN                 = "arn:aws:ecs:region:account-id:task/task-id"
 	containerNetworkMode        = "none"
 	serviceConnectContainerName = "service-connect"
+	mediaTypeManifestV2         = "application/vnd.docker.distribution.manifest.v2+json"
 )
 
 var (
@@ -4195,6 +4196,23 @@ func TestPullContainerManifest(t *testing.T) {
 			},
 			expectedDigest: testDigest.String(),
 		},
+		{
+			name:              "image pull required - skip digest resolution for schema1 image",
+			image:             "myimage",
+			imagePullBehavior: config.ImagePullAlwaysBehavior,
+			setDockerClientExpectations: func(c *gomock.Controller, d *mock_dockerapi.MockDockerClient) {
+				versioned := mock_dockerapi.NewMockDockerClient(c)
+				versioned.EXPECT().
+					PullImageManifest(gomock.Any(), "myimage", nil).
+					Return(
+						registry.DistributionInspect{
+							Descriptor: ocispec.Descriptor{MediaType: mediaTypeManifestV1},
+						},
+						nil)
+				d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
+			},
+			expectedResult: dockerapi.DockerContainerMetadata{},
+		},
 		{
 			name:              "image pull required - required docker API version unsupported",
 			image:             "myimage",
@@ -4229,7 +4247,12 @@ func TestPullContainerManifest(t *testing.T) {
 				versioned.EXPECT().
 					PullImageManifest(gomock.Any(), "myimage", nil).
 					Return(
-						registry.DistributionInspect{Descriptor: ocispec.Descriptor{Digest: testDigest}},
+						registry.DistributionInspect{
+							Descriptor: ocispec.Descriptor{
+								MediaType: mediaTypeManifestV2,
+								Digest:    testDigest,
+							},
+						},
 						nil)
 				d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)
 			},
@@ -4261,7 +4284,10 @@ func TestPullContainerManifest(t *testing.T) {
 						PullImageManifest(gomock.Any(), "myimage", expectedRegistryAuthData).
 						Return(
 							registry.DistributionInspect{
-								Descriptor: ocispec.Descriptor{Digest: digest.Digest(testDigest.String())},
+								Descriptor: ocispec.Descriptor{
+									MediaType: mediaTypeManifestV2,
+									Digest:    digest.Digest(testDigest.String()),
+								},
 							},
 							nil)
 					d.EXPECT().WithVersion(dockerclient.Version_1_35).Return(versioned, nil)

diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go
diff --git a/ecs-agent/logger/field/constants.go b/ecs-agent/logger/field/constants.go
@@ -49,6 +49,7 @@ const (
 	ImageLastUsedAt         = "imageLastUsedAt"
 	ImagePullSucceeded      = "imagePullSucceeded"
 	ImageDigest             = "imageDigest"
+	ImageMediaType          = "imageMediaType"
 	ContainerName           = "containerName"
 	ContainerImage          = "containerImage"
 	ContainerExitCode       = "containerExitCode"