image-spec
Size limit for Index's Array of Manifests
Similar to #780, there should be a fundamental limit for the manifests in an Index.
Same comment on #780: should this be in the spec, or up to each registry operator to specify?
Could it be generalized further to also limit the size of manifests and configs (i.e., blobs of unknown sizes)?
We've seen situations/attacks where a registry would continue streaming a manifest/config trying to bring down the client in hope they're writing to memory.
> should this be in the spec, or up to each registry operator to specify?
I prefer the spec, as this would simplify the lives of container engines (Podman, Docker, etc.), which practically already need to set some limits to protect from being DoSed.
> We've seen situations/attacks where a registry would continue streaming a manifest/config trying to bring down the client in hope they're writing to memory.
That shouldn't be a problem -- descriptors have the size of the blob embedded in them. If the source you're getting blobs from is streaming more bytes than that, just kill the connection and fail. That's the entire reason they're in the spec. And you can add an artificial limit to blob sizes in your client if that's what you need.
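The client-side check described in the comment above (bound the read by the descriptor's size, fail if the source streams more, and apply an artificial cap on top), as an added example in Go that is not code from the image-spec project or from any participant in this thread; MaxBlobBytes, Descriptor and FetchBlob are names assumed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// MaxBlobBytes is a client-side cap on manifest/config blobs. The value is a
// hypothetical choice for this example; the spec does not set one.
const MaxBlobBytes = 4 << 20
var (
	ErrTooLarge       = errors.New("descriptor size exceeds client limit")
	ErrOverrun        = errors.New("source streamed more bytes than descriptor size")
	ErrShort          = errors.New("source streamed fewer bytes than descriptor size")
	ErrDigestMismatch = errors.New("content digest does not match descriptor")
)

// Descriptor holds the two OCI descriptor fields needed to bound a fetch.
type Descriptor struct {
	Digest string // "sha256:<hex>"
	Size   int64
}

// FetchBlob reads exactly desc.Size bytes from r and verifies the digest.
// It buffers at most desc.Size+1 bytes, so a source that keeps streaming
// cannot exhaust memory; on ErrOverrun the caller should drop the connection.
func FetchBlob(desc Descriptor, r io.Reader) ([]byte, error) {
	if desc.Size < 0 || desc.Size > MaxBlobBytes {
		return nil, ErrTooLarge
	}
	// The extra byte is what tells an over-long stream apart from an exact one.
	buf, err := io.ReadAll(io.LimitReader(r, desc.Size+1))
	if err != nil {
		return nil, err
	}
	switch {
	case int64(len(buf)) > desc.Size:
		return nil, ErrOverrun
	case int64(len(buf)) < desc.Size:
		return nil, ErrShort
	}
	sum := sha256.Sum256(buf)
	if "sha256:"+hex.EncodeToString(sum[:]) != desc.Digest {
		return nil, ErrDigestMismatch
	}
	return buf, nil
}
```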
@cyphar True, but on the flip side blobs are uploaded before the manifests and descriptors are pushed. Quay has its own defined limits on blob sizes (configurable for our end users), but it does show we've already had to put some reasonable limits into place.
As I think this is all based on the same discussion as #780, can I suggest we track the discussion there, until we think there's a difference between the two? It's good to have two issues for final closure.