Update docker_registry2

[NautiluX]

• Fixes specs that break after 1.15
• Bump to 1.17 to allow pagination on registry.access.redhat.com based images

Closes #7562.

[jurre]

Could you provide a little bit of context on the update, it looks like the minor update contained some breaking changes? Thanks!

[NautiluX]

Yes.
Prior art in PR #7289
I added a fix to docker_registry2 which will come with the next tag. The tag is not yet created, hence I started updating to the current latest tag to adjust to the changes in docker_registry2, so pulling in the next update is hopefully a quick thing.

[NautiluX]

Tag 1.17 has been pushed in the meantime, so I added updating to 1.17 in this PR.

[NautiluX]

Not sure the docker smoke test is related, can you have a look @jurre?

[jurre]

@NautiluX yeah that does look related, seems like dockerhub is requiring us to auth for these requests now? Let me re-run them to make sure it wasn't just a hiccup

[NautiluX]

right so these requests:

  proxy | 2023/07/18 14:58:43 [016] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest
  proxy | 2023/07/18 14:58:44 [016] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest

used to be HEAD requests before 1.15, that could explain the difference.
There are some authorized requests to /list, probably we can do the same with GET.

[NautiluX]

I tried reproducing the behaviour with a minimal example, doing the same calls that dependabot would do:

require "docker_registry2"

client = DockerRegistry2.connect(
            "https://registry.hub.docker.com:443",
            user: nil,
            password: nil,
            read_timeout: 10,
            http_options: { proxy: "https://localhost:8080",verify_ssl: false }
            
          )
client.tags("library/ubuntu", auto_paginate: true).fetch("tags").each do |t|
    print t
end
print client.digest("library/ubuntu", "latest")

Interjected the requests with a proxy and got similar requests than the smoketest:

[13:32:03.281] HTTP(S) proxy listening at *:8080.
127.0.0.1:51575: GET https://registry.hub.docker.com/v2/library/ubuntu/tags/list
 << 401 Unauthorized 157b
127.0.0.1:51577: GET https://auth.docker.io/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
127.0.0.1:51579: GET https://registry.hub.docker.com/v2/library/ubuntu/tags/list
 << 200 OK 9.6k
127.0.0.1:51581: GET https://registry.hub.docker.com/v2/library/ubuntu/manifests/latest
 << 401 Unauthorized 157b
127.0.0.1:51583: GET https://auth.docker.io/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
 << 200 OK 4.3k
127.0.0.1:51585: GET https://registry.hub.docker.com/v2/library/ubuntu/manifests/latest
 << 200 OK 1.1k

However, the second GET got a 200 as response, not a 401 as in the smoketest.

[NautiluX]

managed to get the test running locally, it's succeeding as well. Not sure what's still different to the environment where they run in the GitHub action.

  proxy | 2023/07/19 13:46:41 [010] GET https://registry.hub.docker.com:443/v2/library/ubuntu/tags/list
  proxy | 2023/07/19 13:46:41 [010] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/tags/list
  proxy | 2023/07/19 13:46:41 [012] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:41 [012] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:41 [014] GET https://registry.hub.docker.com:443/v2/library/ubuntu/tags/list
  proxy | 2023/07/19 13:46:42 [014] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/tags/list
  proxy | 2023/07/19 13:46:42 [016] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest
  proxy | 2023/07/19 13:46:42 [016] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest
  proxy | 2023/07/19 13:46:42 [018] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [018] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [020] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest
  proxy | 2023/07/19 13:46:42 [020] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/latest
  proxy | 2023/07/19 13:46:42 [022] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.10
  proxy | 2023/07/19 13:46:42 [022] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.10
  proxy | 2023/07/19 13:46:42 [024] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [024] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [026] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.10
  proxy | 2023/07/19 13:46:42 [026] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.10
  proxy | 2023/07/19 13:46:42 [028] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.04
  proxy | 2023/07/19 13:46:42 [028] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.04
  proxy | 2023/07/19 13:46:42 [030] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [030] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:42 [032] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.04
  proxy | 2023/07/19 13:46:42 [032] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/23.04
  proxy | 2023/07/19 13:46:42 [034] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.10
  proxy | 2023/07/19 13:46:42 [034] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.10
  proxy | 2023/07/19 13:46:43 [036] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:43 [036] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:43 [038] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.10
  proxy | 2023/07/19 13:46:43 [038] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.10
  proxy | 2023/07/19 13:46:43 [040] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.04
  proxy | 2023/07/19 13:46:43 [040] 401 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.04
  proxy | 2023/07/19 13:46:43 [042] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:43 [042] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fubuntu%3Apull&account
  proxy | 2023/07/19 13:46:43 [044] GET https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.04
  proxy | 2023/07/19 13:46:43 [044] 200 https://registry.hub.docker.com:443/v2/library/ubuntu/manifests/22.04

[NautiluX]

@jurre I think I found the problem. When I download the cache and run against it, the test run fails for me locally as well. Looking at the test output in the github action, it says:

proxy | 2023/07/18 14:58:44 7/9 calls cached (77%)

My understanding is, for some reason, it uses cached HTTP responses for the GET calls and in the cache there is the 401 response.
Any idea how to fix that? Is there a way to disable or clear that cache?

[NautiluX]

If I understand how the smoke-tests work correctly, I don't think recaching before merging will help since this PR is responsible for the changed responses right?
I tried disabling the cache for the docker smoke test to verify my assumption.

[jurre]

Ah, I think that's something about how our e2e tests work, let me ask someone internally

[NautiluX]

@jurre I verified the docker e2e test works without cache locally, so the PR should be ready to get merged from my perspective. I had to update the digest querying so it behaves as it did with docker_registry2 <1.15.

[jurre]

Thanks for this fix @NautiluX 🙇 I'll try to get the change out in a bit

[jurre]

Unfortunately, it seems that with these changes we're now seeing a lot of rate limiting errors, I'm going to revert so we can dig into it more

[jurre]

So it seems like the GET request to this endpoint ends up counting towards rate-limits whereas the HEAD request didn't, and since we make a lot of requests from a relatively small set of IP addresses, a lot of our updates ended up failing when I ran this in production :(

[NautiluX]

Trying to reintroduce the old functionality in docker_registry2 lib: deitch/docker_registry2#95

[yeikel]

Commenting to add that depending on this new method goes against the spec. See deitch/docker_registry2#98

[yeikel]

I created #8010 to open this for discussion