Something seems broken on azure/azure sdk side - it is currently not
possible to copy a blob of type AppendBlob using `CopyFromURL`.
Using the AppendBlob client via NewAppendBlobClient does not work
either.
According to Azure the correct way to do this is by using
StartCopyFromURL. Because this is an async operation, we need to do
polling ourselves. A simple backoff mechanism is used, where during each
iteration, the configured delay is multiplied by the retry number.
Also introduces two new config options for the Azure driver:
copy_status_poll_max_retry, and copy_status_poll_delay.
Signed-off-by: Flavian Missi <fmissi@redhat.com>
Microsoft has updated the golang Azure SDK significantly. Update the
azure storage driver to use the new SDK. Add support for client
secret and MSI authentication schemes in addition to shared key
authentication.
Implement rootDirectory support for the azure storage driver to mirror
the S3 driver.
Signed-off-by: Kirat Singh <kirat.singh@beacon.io>
Co-authored-by: Cory Snider <corhere@gmail.com>
Currently when registry is run as proxy it tries to cleanup unused blobs
from its cache after 7 days which is hard-coded. This PR makes that
value configurable.
Co-authored-by: Shiming Zhang <wzshiming@foxmail.com>
Co-authored-by: Manish Tomar <manish.tomar@docker.com>
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
I am looking at aligning the types defined in this repository with the
OCI image specification, and potentially exchanging local types with
those from the specification.
This patch is a stepping-stone towards that effort, but as this changes
the format of the serialized JSON, I wanted to put this up first before
proceeding with the other work in case there are concerns.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker Image manifest v2, schema version 1 is deprecated since 2015, when
manifest v2, schema version 2 was introduced (2e3f4934a7).
Users should no longer use this specification other than for backward
compatibility.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Instead of letting the cache grow without bound, use a LRU to impose a
size limit.
The limit is configurable through a new `blobdescriptorsize` config key.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
The example shows a `GET` request to `/callback`, but it looks like it's
intending to show the `POST` request made by the registry to a
notificaitons endpoint. Unless I'm missing something, no `GET` request
should be involved.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
If s3accelerate is set to true then we turn on S3 Transfer
Acceleration via the AWS SDK. It defaults to false since this is an
opt-in feature on the S3 bucket.
Signed-off-by: Kirat Singh <kirat.singh@wsq.io>
Signed-off-by: Simone Locci <simonelocci88@gmail.com>
This code was outdated and no longer maintained, and mainly
used to pre-flight docs changes before publishing to docs.docker.com
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Allow the storage driver to optionally use AWS SDK's dualstack mode.
This allows the registry to communicate with S3 in IPv6 environments.
Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
We found some examples of manifests with URLs specififed that did
not provide a digest or size. This breaks the security model by allowing
the content to change, as it no longer provides a Merkle tree. This
was not intended, so explicitly disallow by tightening wording.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- Add missing code-hints (console, yaml)
- Consistently add an empty line after code-blocks
- Combine some examples where the output and the command were
put in separate blocks. With the "console" code-hint, this
is no longer nescessary.
- fix indentation in cloud/ecs-integration.md, which caused the
numbered-list to be interrupted.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since `Authorization` is intended to be a header applied to HTTP requests it should be indented to place it in the YAML map named `headers` instead of being a sibling of it.
* Adding in points to clarify usage of official images
* Minor style update
Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com>
Configuration of list of cipher suites allows a user to disable use
of weak ciphers or continue to support them for legacy usage if they
so choose.
List of available cipher suites at:
https://golang.org/pkg/crypto/tls/#pkg-constants
Default cipher suites have been updated to:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384
MinimumTLS has also been updated to include TLS 1.3 as an option
and now defaults to TLS 1.2 since 1.0 and 1.1 have been deprecated.
Signed-off-by: David Luu <david@davidluu.info>
The correct `vairant` string for ARM v6 is "v6", not "armv6l".
There is no known implementation that actually uses "armv6l".
See the discussion in opencontainers/image-spec PR 817
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Go 1.13 and up enforce import paths to be versioned if a project
contains a go.mod and has released v2 or up.
The current v2.x branches (and releases) do not yet have a go.mod,
and therefore are still allowed to be imported with a non-versioned
import path (go modules add a `+incompatible` annotation in that case).
However, now that this project has a `go.mod` file, incompatible
import paths will not be accepted by go modules, and attempting
to use code from this repository will fail.
This patch uses `v3` for the import-paths (not `v2`), because changing
import paths itself is a breaking change, which means that the
next release should increment the "major" version to comply with
SemVer (as go modules dictate).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Update insecure.md for Docker Desktop
Docker Desktop does not have "preferences" menu today.
It's changed to "Settings" > "Docker Engine" .
Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
See https://web.dev/external-anchors-use-rel-noopener/
Using noopener, as that addresses the security issue. "noreferer" blocks
the REFERER header, which may still be useful for some target URLs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Add azure config container example
I was getting errors on setting up azure, this was because I was putting the full https url into the container field. There error wasn't helpful and nor was the docs.
* Update azure.md
Reword the registry azure container example.
* Fix incorrect links in compose section
there's a bug causing wrapped links to not work, and replacing
some links to point to the .md file, so that IDE's can check
if the anchors are valid. Also replaced some links to point
to their new location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* engine/swarm: update links
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Fix various broken links
There's a bug in the "jekyll-relative-links" plugin that causes wrapped links to not work.
Also replacing some links to point to the .md file, so that IDE's can check if the anchors
are valid. Finally, replaced some links to point to their new locations, so that users don't
get redirected..
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
