api: implement compat distribution inspect endpoint by aaron-ang · Pull Request #28358 · containers/podman

aaron-ang · 2026-03-25T05:40:58Z

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
the sign-off email address. See CONTRIBUTING.md
for more information.
Referenced issues using Fixes: #00000 in commit message (if applicable)
Tests have been added/updated (or no tests are needed)
Documentation has been updated (or no documentation changes are needed)
All commits pass make validatepr (format/lint checks)
Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

Added Docker-compatible support for the `/distribution/{name}/json` API endpoint.

Honny1 · 2026-03-31T10:49:35Z

+func DistributionInspect(w http.ResponseWriter, r *http.Request) {
+	runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
+	imageName := utils.GetName(r)
+	if _, err := reference.ParseNormalizedNamed(imageName); err != nil {


I believe this check is redundant with the check on row 42.

Honny1 · 2026-03-31T10:53:14Z

+	}
+
+	var latestErr error
+	appendErr := func(e error) {


Please use multierror

Honny1 · 2026-03-31T11:00:55Z

+t GET "/distribution/quay.io/idonotexist/idonotexist:dummy/json" 401
+
+# Exercise the single-manifest path using a digest from the multi-arch test image.
+single_manifest_digest=sha256:6953980e46925f8ac2c09fc7ecf9f353c2cac49f87e7e60ed78287d55a14c296


I am not sure about hardcoding the manifest digest.

Honny1 · 2026-03-31T11:07:38Z

+	utils.InternalServerError(w, latestErr)
+}
+
+func distributionInspectFromManifest(ctx context.Context, src types.ImageSource, named reference.Named, manifestBytes []byte, manifestType string) (dockerRegistry.DistributionInspect, error) {


I think this function can be simplified with things from container-libs. Please check that repository; there are definitely things that can help simplify it.

aaron-ang · 2026-03-31T20:08:34Z

thanks for the comments @Honny1, will review and implement the changes.

packit-as-a-service · 2026-04-06T05:40:59Z

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

packit-as-a-service · 2026-04-06T05:40:59Z

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

packit-as-a-service · 2026-04-06T05:41:00Z

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

packit-as-a-service · 2026-04-06T05:41:00Z

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

baude · 2026-04-06T19:00:20Z

@mtrmac mind adding this to your list of things to review at your convience ?

mtrmac

(I didn’t study the Podman API integration in detail, looking mostly at the c/image parts.)

mtrmac · 2026-04-07T12:27:32Z

+	runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
+	imageName := utils.GetName(r)
+
+	normalizedImageName, err := utils.NormalizeToDockerHub(r, imageName)


This looks up images in local storage, and changes the results based on that. Do we want that?!

mtrmac · 2026-04-07T12:28:53Z

+	sys := runtime.SystemContext()
+	sys.AuthFilePath = authfile
+	sys.DockerAuthConfig = authConf
+	if err := utils.PossiblyEnforceDockerHub(r, sys); err != nil {


Does this do anything after NormalizeToDockerHub?

no effect, removed.

mtrmac · 2026-04-07T12:37:45Z

+	}
+
+	var registryErrCode errcode.ErrorCoder
+	if errors.As(combinedErr, &registryErrCode) {


(This is pretty inaccurate but I also don’t have any better ideas.)

use last error, similar to moby: https://github.com/moby/moby/blob/e4a7cd2de3b7850d32ac9f5680d83eb287ad8dd9/daemon/server/router/distribution/distribution_routes.go#L66-L75

It’s not exactly the same situation — Moby collects errors per mirror (where the last one is the primary registry), we collect errors per short name candidate (where the first one is the one we prefer).

By “pretty inaccurate” I meant that we have no good way to report “authentication error or not” when we resolve to multiple short name candidates, and the answers may differ for different candidates.

[Maybe we don’t want the short name resolution and all this goes away? I don’t know.]

I think it makes more sense to report errors for all of the short name candidates (regardless of what HTTP status we use, the text is more useful if it contains everything).

changed back to reporting all candidate errors

mtrmac · 2026-04-08T18:59:00Z

+	sys.AuthFilePath = authfile
+	sys.DockerAuthConfig = authConf
+
+	resolved, err := shortnames.Resolve(sys, named.String())


ParseNormalizedNamed().String() is never a short name.

I don’t know what we want to do here (compare earlier use of utils.NormalizeToDockerHub), but this specific combination doesn’t make sense.

(I think being consistent with the rest of the handlers/compat’s handling would be preferable, but I’ll leave that to experts.)

(I think being consistent with the rest of the handlers/compat’s handling would be preferable, but I’ll leave that to experts.)

I think we should match other compat handlers Docker Hub normalization behavior. Becuase this API is for compatibility with Docker.

ok, I've changed it back to use utils.NormalizeToDockerHub and corresponding reference.ParseNormalizedNamed

I think we should match other compat handlers Docker Hub normalization behavior. Becuase this API is for compatibility with Docker.

Then we are back to #28358 (comment) . Is that desirable? OTOH, looking now, pulls using the compat API also do this, and that might be a pretty strong reason to have that behavior for remote inspect as well. I’ll leave that to Podman maintainers.

mtrmac · 2026-04-08T19:04:14Z

+	}
+
+	var registryErrCode errcode.ErrorCoder
+	if errors.As(combinedErr, &registryErrCode) {


It’s not exactly the same situation — Moby collects errors per mirror (where the last one is the primary registry), we collect errors per short name candidate (where the first one is the one we prefer).

By “pretty inaccurate” I meant that we have no good way to report “authentication error or not” when we resolve to multiple short name candidates, and the answers may differ for different candidates.

[Maybe we don’t want the short name resolution and all this goes away? I don’t know.]

I think it makes more sense to report errors for all of the short name candidates (regardless of what HTTP status we use, the text is more useful if it contains everything).

Honny1 · 2026-04-15T12:11:30Z

+	sys.AuthFilePath = authfile
+	sys.DockerAuthConfig = authConf
+
+	resolved, err := shortnames.Resolve(sys, named.String())


(I think being consistent with the rest of the handlers/compat’s handling would be preferable, but I’ll leave that to experts.)

I think we should match other compat handlers Docker Hub normalization behavior. Becuase this API is for compatibility with Docker.

Honny1

LGTM

Honny1 · 2026-04-17T10:49:29Z

PTAL @containers/podman-maintainers

mtrmac · 2026-04-17T20:27:57Z

+	for _, candidate := range resolved.PullCandidates {
+		inspect, err := inspectCandidate(r.Context(), sys, candidate.Value)
+		if err != nil {
+			merr = multierror.Append(merr, err)


If we report all errors, the individual ones must be annotated with candidate.Value.String(), otherwise users would have no idea how the failures and the registries correspond.

thanks, i've added the annotation using the format candidate.Value.String(): error

Honny1 · 2026-04-29T07:28:02Z

@aaron-ang, can you please rebase on main? Thanks

Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

packit-as-a-service · 2026-05-01T19:04:59Z

Cockpit tests failed for commit 0a72f99. @martinpitt, @jelly, @mvollmer please check.

aaron-ang · 2026-05-10T21:53:21Z

Hi there, could you let me know if I need to rebase or fix my tests? I can't tell if the CI failures are due to my changes. Thanks!

mheon · 2026-05-10T23:48:46Z

The remaining two are allowed failures, this is actually merge ready now

mheon

LGTM
@containers/podman-maintainers PTAL

github-actions Bot added the kind/api-change Change to remote API; merits scrutiny label Mar 25, 2026

aaron-ang force-pushed the issue-17726-distribution-api branch 3 times, most recently from df2ff09 to 12e4664 Compare March 30, 2026 01:52

aaron-ang marked this pull request as ready for review March 30, 2026 01:52

aaron-ang force-pushed the issue-17726-distribution-api branch from 12e4664 to 8dd8fed Compare March 30, 2026 03:03

Honny1 requested changes Mar 31, 2026

View reviewed changes

aaron-ang force-pushed the issue-17726-distribution-api branch 2 times, most recently from da4dd25 to d2d374f Compare April 6, 2026 05:40

aaron-ang force-pushed the issue-17726-distribution-api branch 2 times, most recently from 56bd7e5 to 9454b2a Compare April 7, 2026 01:29

mtrmac reviewed Apr 7, 2026

View reviewed changes

aaron-ang force-pushed the issue-17726-distribution-api branch 2 times, most recently from f9c45c1 to 03b2ea2 Compare April 8, 2026 04:16

mtrmac reviewed Apr 8, 2026

View reviewed changes

Honny1 reviewed Apr 15, 2026

View reviewed changes

aaron-ang force-pushed the issue-17726-distribution-api branch 2 times, most recently from 6c3c566 to dfdbc40 Compare April 16, 2026 00:53

Honny1 approved these changes Apr 17, 2026

View reviewed changes

mtrmac reviewed Apr 17, 2026

View reviewed changes

aaron-ang force-pushed the issue-17726-distribution-api branch from dfdbc40 to 1018613 Compare April 17, 2026 23:47

api: implement compat distribution inspect endpoint

0a72f99

Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

aaron-ang force-pushed the issue-17726-distribution-api branch from 1018613 to 0a72f99 Compare May 1, 2026 18:39

mheon approved these changes May 11, 2026

View reviewed changes

Conversation

aaron-ang commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Checklist

Does this PR introduce a user-facing change?

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

aaron-ang commented Mar 31, 2026

Uh oh!

packit-as-a-service Bot commented Apr 6, 2026

Uh oh!

packit-as-a-service Bot commented Apr 6, 2026

Uh oh!

packit-as-a-service Bot commented Apr 6, 2026

Uh oh!

packit-as-a-service Bot commented Apr 6, 2026

Uh oh!

baude commented Apr 6, 2026

Uh oh!

mtrmac left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Honny1 left a comment

Choose a reason for hiding this comment

Uh oh!

Honny1 commented Apr 17, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

aaron-ang Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Honny1 commented Apr 29, 2026

Uh oh!

packit-as-a-service Bot commented May 1, 2026

Uh oh!

aaron-ang commented Mar 25, 2026 •

edited

Loading

aaron-ang Apr 17, 2026 •

edited

Loading

aaron-ang commented May 10, 2026 •

edited

Loading