DDoS-ing container registry #1008

Closed
xlionjuan opened this issue Jan 5, 2025 · 1 comment
Labels
question Further information is requested

Comments

@xlionjuan

Sorry, I'm not sure which one is the problem: the user-agent is skopeo/1.17.0, but obviously it is triggered by bootc.

Summary

I'm using Bluefin 41 on my laptop with a custom image that is built and pushed to GitHub. Because Fastly CDN's speed is terrible for me, I use Cloudflare Worker + ciiiii/cloudflare-docker-proxy to build a reverse proxy so I can have better download speed. But today I got an email from Cloudflare saying my Worker quota has exceeded 81%. After checking the Dashboard, I found lots of queries requesting my custom image.

Version

bootc --version
bootc 1.1.2

skopeo --version
skopeo version 1.17.0

Log from Cloudflare Worker

{
  "$cloudflare": {
    "diagnosticsChannelEvents": [],
    "truncated": false,
    "event": {
      "request": {
        "url": "https://ghcr-cdn.redacted/v2/xlionjuan/bluefin-dx/tags/list?last=sha256-46b1b35d16e2ee378377b0ba77a8c89a9c35f234a655bab5b12e0f014474b0e7&n=0",
        "method": "GET",
        "headers": {
          "accept-encoding": "gzip, br",
          "authorization": "********",
          "cf-connecting-ip": "redacted",
          "cf-ipcity": "redacted",
          "cf-ipcontinent": "AS",
          "cf-ipcountry": "TW",
          "cf-iplatitude": "redacted",
          "cf-iplongitude": "redacted",
          "cf-ray": "redacted",
          "cf-region": "redacted",
          "cf-region-code": "redacted",
          "cf-timezone": "Asia/Taipei",
          "cf-visitor": "{\"scheme\":\"https\"}",
          "connection": "Keep-Alive",
          "docker-distribution-api-version": "registry/2.0",
          "host": "ghcr-cdn.redacted",
          "user-agent": "skopeo/1.17.0",
          "x-forwarded-proto": "https",
          "x-real-ip": "redacted"
        },
        "cf": {redacted......
          },
          "verifiedBotCategory": "",
          "tlsExportedAuthenticator": {redacted......
          },
          "tlsVersion": "TLSv1.3",
          "colo": "LAX",
          "timezone": "Asia/Taipei",
          "tlsClientHelloLength": "245",
          "requestPriority": "",
          "tlsClientExtensionsSha1": "redacted",
          "region": "redacted",
          "city": "redacted",
          "regionCode": "redacted",
          "asOrganization": "redacted",
          "tlsClientRandom": "redacted",
          "httpProtocol": "HTTP/1.1",
          "clientTcpRtt": 141,
          "asn": redacted,
          "edgeRequestKeepAliveStatus": 1
        },
        "path": "/v2/xlionjuan/bluefin-dx/tags/list"
      },
      "rayId": "redacted",
      "executionModel": "stateless",
      "response": {
        "status": 200
      }
    },
    "scriptName": "cloudflare-docker-proxy",
    "outcome": "ok",
    "eventType": "fetch",
    "scriptVersion": {
      "id": "redacted"
    },
    "$metadata": {
      "requestId": "redacted",
      "id": "redacted",
      "type": "cf-worker-event",
      "messagePattern": "GET <URL>"
    }
  },
  "level": "info",
  "message": "GET https://ghcr-cdn.redacted/v2/xlionjuan/bluefin-dx/tags/list?last=sha256-46b1b35d16e2ee378377b0ba77a8c89a9c35f234a655bab5b12e0f014474b0e7&n=0"
}


@cgwalters added the question label Jan 6, 2025
@cgwalters
Collaborator

Hi!

https://ghcr-cdn.redacted/v2/xlionjuan/bluefin-dx/tags/list

That's a request to list tags, which is not to the best of my knowledge something bootc should be doing.

bootc upstream does not check for updates by default. Can you check with your image producer to see if they ship software which is running bootc upgrade --check or equivalent, and if so how often it runs?

I'm closing this here for now, but feel free to reopen if you've gathered a bit more information and have reason to believe there is a bootc issue here.

@cgwalters closed this as not planned Jan 6, 2025
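
One way to triage a Worker log like the one in this issue, as an added example that is not code from either participant or from the bootc project: it groups requests by user-agent and registry endpoint (tags/list, manifests, blobs) so tag-listing traffic can be told apart from image pulls. The sample events are constructed and reduced to the fields the script reads; registry.example, example/image, example-client/0.0 and all function names are assumptions.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Registry HTTP API v2 route shapes: /v2/<name>/tags/list, /manifests/<ref>, /blobs/<digest>
ROUTE = re.compile(r"^/v2/(?P<repo>.+)/(?P<kind>tags/list|manifests|blobs)(?:/|$)")

def classify(url):
    """Return (repository, endpoint kind) for a registry API URL."""
    path = urlsplit(url).path
    m = ROUTE.match(path)
    if m:
        return m["repo"], m["kind"]
    return None, ("base" if path.rstrip("/") == "/v2" else "other")

def tally(lines):
    """Count requests per (user-agent, repository, endpoint kind)."""
    counts = Counter()
    for line in lines:
        try:
            req = json.loads(line)["$cloudflare"]["event"]["request"]
            ua = req["headers"].get("user-agent", "-")
            repo, kind = classify(req["url"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # not a Worker fetch event in the expected shape
        counts[(ua, repo, kind)] += 1
    return counts

def tag_listers(counts, threshold):
    """Clients whose tags/list request count reaches the threshold, busiest first."""
    hits = [(ua, repo, n) for (ua, repo, kind), n in counts.items()
            if kind == "tags/list" and n >= threshold]
    return sorted(hits, key=lambda h: -h[2])

def _event(url, ua):
    # Constructed record: only the fields this script reads, nested as in the log above.
    return json.dumps({"$cloudflare": {"event": {"request": {
        "url": url, "method": "GET", "headers": {"user-agent": ua}}}}})

BASE = "https://registry.example/v2/example/image"  # constructed host and repository
SAMPLE = (
    [_event(f"{BASE}/tags/list?last=tag-{i}&n=0", "skopeo/1.17.0") for i in range(3)]
    + [_event(f"{BASE}/manifests/latest", "example-client/0.0"),
       _event(f"{BASE}/blobs/sha256:" + "0" * 64, "example-client/0.0"),
       "not json"]
)

if __name__ == "__main__":
    for ua, repo, n in tag_listers(tally(SAMPLE), threshold=2):
        print(f"{n:5d}  tags/list  {repo}  {ua}")
```

Fed one JSON event per line from an exported Worker log, the per-endpoint counts show whether the quota is going to tag listing or to manifest and blob downloads.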