Support pull/push redirect

[robberphex]

I noticed that distribution spec v1.0.0 doesn't support pull blobs via 307 status code:

To pull a blob, perform a GET request to a URL in the following form: /v2/<name>/blobs/<digest>
A GET request to an existing blob URL MUST provide the expected blob, with a response code that MUST be 200 OK.

That's a really strong requirement.

And at Docker Registry HTTP API V2, client can accept 307 response:

This endpoint may issue a 307 (302 for <HTTP 1.1) redirect to another service for downloading the layer and clients should be prepared to handle redirects.

Currently, almost all registries are using CDN to distribute blobs:

DockerHub is using 307 to redirect to CDN

GET /v2/robberphex/sc-b/blobs/sha256:fa4166ff90052a9515b0311468349a94e5c0d45abcee8901db963c189b6a44fd HTTP/1.1
Host: registry-1.docker.io

HTTP/1.1 307 Temporary Redirect
content-type: application/octet-stream
docker-distribution-api-version: registry/2.0
location: https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/fa/fa4166ff90052a9515b0311468349a94e5c0d45abcee8901db963c189b6a44fd/data?verify=1632139768-qcB4OlxVYmlgJCLs3bmIYo14nJQ%3D
date: Mon, 20 Sep 2021 11:19:28 GMT
content-length: 0
strict-transport-security: max-age=31536000
Connection: close

Github Packages(ghcr.io) is using 307 to redirect to CDN

GET /v2/graalvm/graalvm-ce/blobs/sha256:694935c7310c92d6cf4722e90553f236d820387b71366e0e1e6b6d45f0a9e0ee HTTP/1.1
Host: ghcr.io

HTTP/1.1 307 Temporary Redirect
Content-Length: 0
Content-Type: application/octet-stream
docker-distribution-api-version: registry/2.0
Location: https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:694935c7310c92d6cf4722e90553f236d820387b71366e0e1e6b6d45f0a9e0ee?se=2021-09-20T11%3A15%3A00Z&sig=6FFDgv16W%2BQq%2FYJjU4bOOj2dkzYAXLGM4t6irVGNSsE%3D&sp=r&spr=https&sr=b&sv=2019-12-12
Date: Mon, 20 Sep 2021 11:09:33 GMT
X-GitHub-Request-Id: CD51:360C:3622A:AD2EF:61486BEC
Connection: close

Aliyun CR is using 307 to redirect to CDN

GET /v2/arms-docker-repo/arms-pilot-init/blobs/sha256:709e152e7530c99ea8a591f1da0c8e628a72b1c0757549aba61452ae77d149ca HTTP/1.1
Host: registry.cn-beijing.aliyuncs.com

HTTP/1.1 307 Temporary Redirect
Content-Type: application/octet-stream
Docker-Distribution-Api-Version: registry/2.0
Location: http://aliregistry-cn-beijing.oss-cn-beijing.aliyuncs.com/docker/registry/v2/blobs/sha256/70/709e152e7530c99ea8a591f1da0c8e628a72b1c0757549aba61452ae77d149ca/data?Expires=1632137093&OSSAccessKeyId=LTAI4FyN99sZuwGQsaDkPxbv&Signature=DTFaQ68yPMkDrGaeX83Uw3uk6CE%3D&x-oss-traffic-limit=113763972
Date: Mon, 20 Sep 2021 10:54:54 GMT
Content-Length: 0
Connection: close

I propose we add the pull/push redirect to the distribution spec.

Any ideas?

[jdolitsky]

Yep, you're right. We should allow 307 for any downloaded content.

@robberphex - how does this apply to push, though?

[guacamole]

hey guys , does this mean that conformance tests would fail with redirect enabled?
We actually saw the failing behaviour when we enabled redirect (307) while pulling images

[jdolitsky]

@guacamole I do not think so.. please let us know if so.

The underlying client should be configured to follow redirects: https://github.com/bloodorangeio/reggie/blob/master/client.go#L80

[guacamole]

@jdolitsky , you're absolutely right. It was my little fault. fixed it and it works just fine!!
Thank you so much though :)