I have a Harbor registry containing Docker images on AWS S3. What is the path for the manifest file for each image?
- What problem are you trying to solve? – BMitch Sep 10 '22 at 00:26
- I need the layer information of all of my images stored on registry @BMitch – smgtkn Sep 11 '22 at 22:20
- This appears to be an XY problem. What do you need the layers for? Do you only care about tagged manifests? Does it need to be directly from the S3 API, or would the registry API work? Explain what you are trying to solve. Is this a vulnerability scan, GC, SBOM generation, something else? – BMitch Sep 11 '22 at 22:41
- Both vulnerability scan and SBOM generation. Also I need to detect the base for each image, which creates the need for finding overlapping layers, so I need to see the layer digests on manifests as well. @BMitch – smgtkn Sep 11 '22 at 23:17
1 Answer
I wouldn't go to the S3 backend since this can be implementation specific and subject to change.
Instead, the APIs for listing tags and pulling manifests are documented in the OCI distribution-spec. And rather than implementing the API yourself, I'd recommend looking at one of the existing implementations like go-containerregistry from Google or regclient from myself to help implement these requests. This will help with authentication, setting the needed headers, and parsing the response.
Note that there are multiple types of manifests, both the OCI and Docker schemas, plus multi-platform manifests, and an artifact manifest is being developed. For those multi-platform manifests, you need to recursively check the contained manifests.
OCI has also documented annotations that include those for the base image, but hardly anyone is setting those. So you would need to cross reference the layer digests for the image with the various layer digests in the base image repo for all manifests there. I'd supplement that by comparing the history steps between the image and its suspected base image, since some changes to the base image will not modify the layers (it could be an environment variable change). And this will miss an intermediate base image (e.g. you may pick up debian, instead of nginx that is based on debian, if you aren't looking in the right repository).

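The layer cross-referencing described in the answer, as an added example that is not part of the original answer and is not code from regclient or go-containerregistry. It assumes a hypothetical `fetch(ref)` callable that returns the manifest JSON the registry API would serve for a tag or digest; the manifests and shortened digests in `SAMPLE` are constructed.

```python
import json

# Constructed stand-in for registry responses to GET /v2/<name>/manifests/<ref>,
# keyed by "repo:tag" or digest. Digests are shortened placeholders.
SAMPLE = {
    "debian:12": json.dumps({"manifests": [{"digest": "sha256:deb-amd64"},
                                           {"digest": "sha256:deb-arm64"}]}),
    "sha256:deb-amd64": json.dumps({"layers": [{"digest": "sha256:d1"}]}),
    "sha256:deb-arm64": json.dumps({"layers": [{"digest": "sha256:d9"}]}),
    "nginx:1": json.dumps({"layers": [{"digest": "sha256:d1"}, {"digest": "sha256:n1"}]}),
    "app:1": json.dumps({"layers": [{"digest": "sha256:d1"}, {"digest": "sha256:n1"},
                                    {"digest": "sha256:a1"}]}),
}


def layer_chains(fetch, ref, seen=None):
    """Return one ordered layer-digest list per image manifest reachable from ref,
    recursing through multi-platform indexes / manifest lists."""
    seen = set() if seen is None else seen
    if ref in seen:  # guard against an index that references itself
        return []
    seen.add(ref)
    doc = json.loads(fetch(ref))
    chains = []
    for child in doc.get("manifests", []):  # present on an index, absent on an image
        chains += layer_chains(fetch, child["digest"], seen)
    if doc.get("layers"):
        chains.append([layer["digest"] for layer in doc["layers"]])
    return chains


def shared_prefix(base_chain, image_chain):
    """Base layer count if the whole base chain leads the image chain, else 0."""
    n = len(base_chain)
    return n if n <= len(image_chain) and image_chain[:n] == base_chain else 0


def best_base(fetch, image_ref, candidate_refs):
    """Pick the candidate whose full chain is the longest leading run of the image,
    so an intermediate base (nginx) is preferred over its own base (debian)."""
    image = layer_chains(fetch, image_ref)
    scores = {}
    for cand in candidate_refs:
        bases = layer_chains(fetch, cand)
        scores[cand] = max((shared_prefix(b, i) for b in bases for i in image), default=0)
    best = max(scores, key=scores.get, default=None)
    return best if best and scores[best] else None
```

The result is only as good as the candidate list: if the nginx repository is not among the candidates, the match falls back to debian, and a base change that touches no layers is invisible to this comparison.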