Bug
The OCI index for mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130 labels its child manifests as application/vnd.docker.distribution.manifest.v2+json in the index descriptors, but the actual manifest bodies at those digests declare application/vnd.oci.image.manifest.v1+json.
This causes mirroring via OCI-compliant registries (e.g. zot, Harbor) to fail, as they strictly validate that the descriptor mediaType matches the manifest body.
Reproducer
docker buildx imagetools inspect mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130
Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130
MediaType: application/vnd.oci.image.index.v1+json
Digest: sha256:3fd03825b3f9d87fc839a799804d13db4a5757cab47add62aeb1490c0693f596
Manifests:
Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130@sha256:dbde60d706de9bd9dc878749f989e4da998d06e9e9ae428896e1d4e0326ab8c2
MediaType: application/vnd.docker.distribution.manifest.v2+json
Platform: linux/amd64
Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130@sha256:977df69972d20c268409dbee259d69cd6924c0a26a2aeeaea009d17f4afb53e6
MediaType: application/vnd.docker.distribution.manifest.v2+json
Platform: linux/arm64Expected behaviour
The descriptor mediaType in the index should match the mediaType field in the manifest body — either:
- re-push the child manifests in Docker schema2 format, or
- relabel the index descriptors as
application/vnd.oci.image.manifest.v1+json
Impact
Any spec-compliant registry mirror rejects the image at sync time with:
mediaType in manifest should be 'application/vnd.docker.distribution.manifest.v2+json' not 'application/vnd.oci.image.manifest.v1+json'
Bug
The OCI index for
mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130labels its child manifests asapplication/vnd.docker.distribution.manifest.v2+jsonin the index descriptors, but the actual manifest bodies at those digests declareapplication/vnd.oci.image.manifest.v1+json.This causes mirroring via OCI-compliant registries (e.g. zot, Harbor) to fail, as they strictly validate that the descriptor
mediaTypematches the manifest body.Reproducer
docker buildx imagetools inspect mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130 Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130 MediaType: application/vnd.oci.image.index.v1+json Digest: sha256:3fd03825b3f9d87fc839a799804d13db4a5757cab47add62aeb1490c0693f596 Manifests: Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130@sha256:dbde60d706de9bd9dc878749f989e4da998d06e9e9ae428896e1d4e0326ab8c2 MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/amd64 Name: mcr.microsoft.com/containernetworking/cilium/hubble-relay:v1.18.6-260130@sha256:977df69972d20c268409dbee259d69cd6924c0a26a2aeeaea009d17f4afb53e6 MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/arm64Expected behaviour
The descriptor
mediaTypein the index should match themediaTypefield in the manifest body — either:application/vnd.oci.image.manifest.v1+jsonImpact
Any spec-compliant registry mirror rejects the image at sync time with: