wenisch.tech

Category: Kairos

  • Validating Docker Image Pullability without the Docker cli or socket

    Validating Docker Image Pullability without the Docker cli or socket

    When you’re developoing an uptime monitor like Kaiors, or in general checking whether a container image is actually pullable is a surprisingly deep problem. The naive approach — spinning up a Docker daemon and running docker pull — is heavy, requires socket access, and introduces a serious security risk in most environments. Kairos solves this differently: by speaking directly to the OCI Distribution API, it can validate image pullability with nothing but plain HTTPS calls.

    How Docker Pull Actually Works

    Before skipping the CLI, it helps to understand what docker pull does under the hood. Every container registry — Docker Hub, GitHub Container Registry, your self-hosted Harbor or JFrog Artifactory — implements the OCI Distribution Specification. A pull is really just a sequence of three HTTP steps:

    1. Authenticate — obtain a bearer token from the registry’s auth endpoint
    2. Fetch the manifest — retrieve the image manifest by name and tag
    3. Download blobs — pull each layer referenced in the manifest

    To validate pullability, you only need steps 1 and 2. If you can successfully authenticate and retrieve the manifest, the image exists, the credentials work, and the layers are reachable. You never need to actually download gigabytes of layer data.

    Step 1 — Authentication

    Most registries use token-based authentication described in the Docker Registry Auth Specification. When you hit the manifest endpoint unauthenticated, the registry responds with:

    textHTTP 401 Unauthorized
WWW-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/nginx:pull"

    You parse the WWW-Authenticate header and make a token request:

    GET https://auth.docker.io/token
  ?service=registry.docker.io
  &scope=repository:library/nginx:pull

    For private registries, add Basic credentials:

    GET https://registry.example.com/token
  ?service=registry.example.com
  &scope=repository:myapp/backend:pull
Authorization: Basic base64(user:password)

    The response is a short-lived Bearer token you attach to all subsequent requests.

    Step 2 — Fetching the Manifest

    With the token in hand, request the image manifest:

    GET /v2/{name}/manifests/{reference}
Authorization: Bearer <token>
Accept: application/vnd.oci.image.manifest.v1+json,
        application/vnd.docker.distribution.manifest.v2+json,
        application/vnd.docker.distribution.manifest.list.v2+json

    200 OK response means the image exists and is pullable. That’s all you need. The response body contains the full manifest — digest, layers, config — but you don’t need to download any of it for a health check.

    The important Accept headers tell the registry you support both OCI manifests and Docker manifest lists (multi-arch images). Without them, some registries return a legacy v1 manifest or a 404.

    Handling Multi-Architecture Images

    Modern images are often manifest lists (also called “fat manifests”) that bundle multiple architecture-specific images under one tag. A manifest list response looks like:

    {
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    { "platform": { "os": "linux", "architecture": "amd64" }, "digest": "sha256:abc..." },
    { "platform": { "os": "linux", "architecture": "arm64" }, "digest": "sha256:def..." }
  ]
}

    For a pullability check, receiving this response is already a success — the tag is valid and resolvable. If you want to validate a specific architecture, you make a second manifest request using the digest from the relevant entry.

    Step 3 — No Docker Socket Needed

    The entire flow above is pure HTTPS. Kairos implements it in Java without ever touching a Docker socket or spawning a subprocess. The key advantages:

    • No privileged access — no need to mount /var/run/docker.sock into your pod
    • No daemon overhead — no Docker or containerd process running just for checks
    • Works anywhere — runs inside a distroless container, a serverless function, or a restricted Kubernetes namespace
    • Fast — a manifest check typically completes in under 500 ms, even for remote registries
    • Auditable — standard HTTPS traffic, fully loggable by any proxy or WAF

    Putting It Together — The Full Flow

    1.  GET /v2/{image}/manifests/{tag}        → 401 + WWW-Authenticate header
2.  GET {realm}?service=...&scope=...      → { "token": "eyJ..." }
3.  GET /v2/{image}/manifests/{tag}        → 200 OK  ✅  image is pullable
                Authorization: Bearer eyJ...

    If step 3 returns:

    • 200 — image exists and is pullable ✅
    • 401 — credentials are wrong or missing ❌
    • 404 — image or tag does not exist ❌
    • 5xx — registry is down or degraded ⚠️

    How Kairos Uses This

    Kairos wraps this exact flow into a scheduled availability check. You configure a Docker image resource with the registry URL, image name, tag, and optional credentials. On each check interval, Kairos runs the three-step HTTPS flow above and records the result — available or unavailable — with a timestamp. The result feeds into the same uptime timeline and Prometheus metrics as HTTP checks, giving you a unified view of both service availability and image availability in one dashboard.

    You can explore this feature and add your first image check at kairos.wenisch.tech.

  • Introducing Kairos — Open Source Uptime & Availability Monitoring,

    Introducing Kairos — Open Source Uptime & Availability Monitoring,

    After some weeks of development, I’m excited to announce the first public release of Kairos — a fully self-hosted, open-source availability and uptime monitoring solution for developers and platform teams who want full control over their infrastructure observability.

    Why Kairos?

    Most uptime monitoring tools force you to choose between a cloud SaaS product with per-check fees, limited retention, and data leaving your network — or a heavy, complex setup that takes hours to configure. Kairos was built to close that gap: a batteries-included solution that runs on your own infrastructure, costs nothing beyond your server, and is up and running in minutes.

    What Kairos Can Do

    • HTTP Monitoring — Configurable periodic GET checks with parallelism control; checks start instantly on startup, no waiting for the first interval tick
    • Docker Image Probing — Validate whether container images are pullable via the OCI/Docker Registry API — no Docker socket required
    • Repository Discovery — Point Kairos at a registry prefix and it auto-discovers all hosted images, with optional recursive traversal
    • Status Dashboard — Public-facing dashboard with 24-hour timelines and uptime percentages (24h / 7d / 30d)
    • Announcement System — Publish rich-text announcements with INFORMATION, WARNING, or PROBLEM severity, including optional auto-expiry
    • Prometheus Metrics — Native kairos_resource_status gauge exposed at /actuator/prometheus, ready to plug straight into Grafana
    • Resource Groups — Organise monitored services into named groups with drag-and-drop reordering
    • API Keys & OIDC — Machine-to-machine access via named API keys, plus full OpenID Connect login (works perfectly with Keycloak)
    • H2 or PostgreSQL — Start immediately with embedded H2 or switch to PostgreSQL with a single property; Flyway handles all schema migrations automatically

    Getting Started

    Kairos is designed for minimal time-to-value. Pick your preferred deployment method:

    Docker

    docker run -d \
  --name kairos \
  -p 8080:8080 \
  -v kairos-data:/app/data \
  ghcr.io/wenisch-tech/kairos:latest

    Helm on Kubernetes:

    helm repo add kairos https://charts.wenisch.tech
helm repo update
helm install kairos kairos/kairos --version 1.0.4 \
  -n kairos --create-namespace \
  --set persistence.enabled=true

    Once running, navigate to http://localhost:8080, log in with the default credentials (admin@kairos.local / admin), and change your password immediately. Then add your first HTTP service or Docker image — Kairos begins checking right away.

    Built for Real Infrastructure

    Kairos ships with a full REST API at /api with an auto-generated interactive Swagger UI. There are no artificial limits on the number of monitored resources, no CDN dependencies, and no check history retention caps. Deploy it, wire up Prometheus, and let it run.

    Open Source & Free

    Kairos is released under the GNU GPLv3 licence. The source code is on GitHub at github.com/wenisch-tech/kairos and the project homepage with full documentation is at kairos.wenisch.tech. If you give it a try, feedback and contributions are very welcome — open an issue, submit a PR, or drop a ⭐ if Kairos saves you from another SaaS subscription.