Issues with manifest lists | KeyError: 'config'

[judokan9]

The check has problems with images that use manifest lists. Ironically, for example, the Icinga2 image cannot be checked and the check gives the following error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/check_docker/check_docker.py", line 998, in main
    [x.result() for x in futures.as_completed(threads)]
  File "/usr/local/lib/python3.11/dist-packages/check_docker/check_docker.py", line 998, in <listcomp>
    [x.result() for x in futures.as_completed(threads)]
     ^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/_base.py", line 449, in result
    return self.__get_result()
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/_base.py", line 401, in __get_result
    raise self._exception
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/check_docker/check_docker.py", line 632, in check_version
    registry_hash = get_digest_from_registry(url)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/check_docker/check_docker.py", line 378, in get_digest_from_registry
    return registry_info['config'].get('digest', None)
           ~~~~~~~~~~~~~^^^^^^^^^^
KeyError: 'config'

This happens because the manifest does not contain a Config entry:

{
    'schemaVersion': 2, 
    'mediaType': 'application/vnd.oci.image.index.v1+json', 
    'manifests': [
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json', 'digest': 'sha256:dacfc0b8d5bc567b5de103296529c72fddc2688dcc821aa08caf9c301b5d6c35', 'size': 2385, 'platform': {'architecture': 'amd64', 'os': 'linux'
            }
        },
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json', 'digest': 'sha256:fed9386c1ec1564707e95520b4c7b9af153ab4341e5b9bec558222e44a4d2acc', 'size': 2385, 'platform': {'architecture': 'arm64', 'os': 'linux'
            }
        },
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json', 'digest': 'sha256: 3b58251d1c86f2d4ec37123ffdce146e7d7e1652112accdccd34dccc3ff6a658', 'size': 566, 'annotations': {'vnd.docker.reference.digest': 'sha256:dacfc0b8d5bc567b5de103296529c72fddc2688dcc821aa08caf9c301b5d6c35', 'vnd.docker.reference.type': 'attestation-manifest'
            }, 'platform': {'architecture': 'unknown', 'os': 'unknown'
            }
        },
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json', 'digest': 'sha256: 3b14989985a71fa8adc77c92ed3f738c2cbd9ccb47dc6037a9106629878c59d1', 'size': 566, 'annotations': {'vnd.docker.reference.digest': 'sha256:fed9386c1ec1564707e95520b4c7b9af153ab4341e5b9bec558222e44a4d2acc', 'vnd.docker.reference.type': 'attestation-manifest'
            }, 'platform': {'architecture': 'unknown', 'os': 'unknown'
            }
        }
    ]
}

To solve this, the manifest for the target architecture must be downloaded by using the digest hash from the manifest list instead of the latest tag to get the correct image digest hash:

{'schemaVersion': 2, 'mediaType': 'application/vnd.oci.image.manifest.v1+json', 'config': {'mediaType': 'application/vnd.oci.image.config.v1+json', 'digest': 'sha256: 667de65f235bb86b8423e4bf670d93227430257ad32deaaeab778bc9e26697ec', 'size': 3989
    }, 'layers': [
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256:c29f5b76f736a8b555fd191c48d6581bb918bcd605a7cbcc76205dd6acff3260', 'size': 28212303
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 6454c3450d268c04910a3d96cc09c70250d6da07e9fa7489a91917f535e611b5', 'size': 99753703
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 5a59cfc41ef2ee01f61cd07aedd96836577332b8b65bd8a6770b3cd23a073af2', 'size': 1786292
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 76772d7c47d48075dddad3cf62f12bad7e8ac8af0d0b333f20612e2b71819818', 'size': 1194
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 9e66e0420e15afb5a6fd7d7ad08d1cc0f6c54dbdcc85d926192a86d6e40d7046', 'size': 25437
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256:cfc9491d8558dd7aecf83a87882faee5aab3b5fe570b06a179fcf62e83d2c785', 'size': 38126
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 047c7797326c8233e6d2ea32ba54f278378cd28dacd49a43b2276c8aeb81e232', 'size': 118597
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256:0ec2b999dccf896bbdf1c71d5d5acae74375f4cd466d5a4d07ca111e5c137d2b', 'size': 54486
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 31f88142c6475fe02c719f227e3bc0ed89b6df1c122abce0a15418da1cad0d9e', 'size': 8123583
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 064771a6dcb5d10374aff02aabfc8460147fd1a65f097c9d7f75fff4ef1626c9', 'size': 98
        },
        {'mediaType': 'application/vnd.oci.image.layer.v1.tar+gzip', 'digest': 'sha256: 73b6bcc0bb40e9c207235eb0761cb531facd5f18c4a462a40950cdcb4a0e5b4e', 'size': 9285
        }
    ]
}

I have incorporated the fix in #92

[martialblog]

Hi, Thanks I will have a look at it

[martialblog]

This will be included in the next release.