Commit graph

337 commits

Author SHA1 Message Date
Derek McGowan
735a112415 Fix list tags
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
e5744a3bad Refactor from feedback
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Josh Hawn
826bde851b Add Tarsum Calculation during v2 Pull operation
While the v2 pull operation is writing the body of the layer blob to disk
it now computes the tarsum checksum of the archive before extracting it to
the backend storage driver. If the checksum does not match that from the
image manifest an error is raised.

Also adds more debug logging to the pull operation and fixes existing test
cases which were failing. Adds a reverse lookup constructor to the tarsum
package so that you can get a tarsum object using a checksum label.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Stephen J Day
6f09abd5c9 Correctly check and propagate errors in v2 session
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Derek McGowan
22c7328529 Get token on each request
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
6f36ce3a01 Allow private V2 registry endpoints
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
751a1a8dd0 Update push and pull to registry 2.1 specification
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Stephen J Day
ee1e1abb15 Remove dependencies on registry packages
Because docker core cannot vendor non-master Go dependencies, we need to remove
dependencies on registry package. The definition of digest.Digest has been
changed to a string and the regular expressions have been ported from
docker-registry/common library.

We'll likely change this be dependent on the registry in the future when the
API stabilizies and use of the master branch becomes the norm.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Stephen J Day
2fcad2a10f Registry V2 HTTP route and error code definitions
This package, ported from next-generation docker regsitry, includes route and
error definitions. These facilitate compliant V2 client implementation. The
portions of the HTTP API that are included in this package are considered to be
locked down and should only be changed through a careful change proposal.
Descriptor definitions package layout may change without affecting API behavior
until the exported Go API is ready to be locked down.

When the new registry stabilizes and becomes the master branch, this package
can be vendored from the registry.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Josh Hawn
e256a0e0bc Update token response handling
Registry authorization token is now taken from the response body rather than
the repsonse header.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Derek McGowan
24895820bd Update push to use mount blob endpoint
Using mount blob prevents repushing images which have already been uploaded

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Derek McGowan
06d0ef4179 Push flow
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Josh Hawn
6b400cd63c Adds support for v2 registry login
summary of changes:

registry/auth.go
  - More logging around the login functions
  - split Login() out to handle different code paths for v1 (unchanged logic)
    and v2 (does not currently do account creation)
  - handling for either basic or token based login attempts
registry/authchallenge.go
  - New File
  - credit to Brian Bland <brian.bland@docker.com> (github: BrianBland)
  - handles parsing of WWW-Authenticate response headers
registry/endpoint.go
  - EVEN MOAR LOGGING
  - Many edits throught to make the coad less dense. Sparse code is more
    readable code.
  - slit Ping() out to handle different code paths for v1 (unchanged logic)
    and v2.
  - Updated Endpoint struct type to include an entry for authorization
    challenges discovered during ping of a v2 registry.
  - If registry endpoint version is unknown, v2 code path is first attempted,
    then fallback to v1 upon failure.
registry/service.go
  - STILL MOAR LOGGING
  - simplified the logic around starting the 'auth' job.
registry/session.go
  - updated use of a registry.Endpoint struct field.
registry/token.go
  - New File
  - Handles getting token from the parameters of a token auth challenge.
  - Modified from function written by Brian Bland (see above credit).
registry/types.go
  - Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'`

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:04:14 -08:00
Alexander Morozov
1f98347924 Fix format calls as suggested by vet
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-14 14:12:03 -08:00
Qiang Huang
23f9f8c3f4 registry: fix minor type
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-09 09:06:27 +08:00
Don Kjer
c899a49a95 Moving NewIndexInfo, NewRepositoryInfo and associated helpers into config.go
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:15:00 +00:00
Don Kjer
64b000c3ea Deprecating ResolveRepositoryName
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository

Moving --registry-mirror configuration to registry config

Created resolve_repository job

Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.

Adding test for RepositoryInfo

Adding tests for opts.StringSetOpts and registry.ValidateMirror

Fixing search term use of repoInfo

Adding integration tests for registry mirror configuration

Normalizing LookupImage image name to match LocalName parsing rules

Normalizing repository LocalName to avoid multiple references to an official image

Removing errorOut use in tests

Removing TODO comment

gofmt changes

golint comments cleanup.  renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig

Splitting out builtins.Registry and registry.NewService calls

Stray whitespace cleanup

Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test

Factoring out ValidateRepositoryName from NewRepositoryInfo

Removing unused IndexServerURL

Allowing json marshaling of ServiceConfig.  Exposing ServiceConfig in /info

Switching to CamelCase for json marshaling

PR cleanup; removing 'Is' prefix from boolean members.  Removing unneeded json tags.

Removing non-cleanup related fix for 'localhost:[port]' in splitReposName

Merge fixes for gh9735

Fixing integration test

Reapplying #9754

Adding comment on config.IndexConfigs use from isSecureIndex

Remove unused error return value from isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

Adding back comment in isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:14:58 +00:00
Matthew Riley
eb9ddb7b86 Allow hyphens in namespaces.
Signed-off-by: Matthew Riley <mattdr@google.com>
2015-01-05 11:06:16 -08:00
Tibor Vass
4170effd5a registry: remove accidentally added --insecure-registry feature
If `--insecure-registry mydomain.com` was specified, it would match a registry at mydomain.com on any port.
This was accidentally added in #9735 and is now being reverted.

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-19 16:46:29 -05:00
Tibor Vass
d1fcbd9028 registry: handle unresolvable domain names in isSecure
to allow HTTP proxies to work as expected.

Fixes #9708

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Tibor Vass
807bb5eb18 registry: add tests for unresolvable domain names in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Daehyeok Mun
b11b1e06e9 Chnage LookupRemoteImage to return error
This commit is patch for following comment
// TODO: This method should return the errors instead of masking them and returning false

Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-16 16:23:19 -08:00
unclejack
fdd4f4f2d1 validate image ID properly & before load
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

Conflicts:
	graph/load.go
2014-12-11 16:29:27 -05:00
Michael Crosby
6ad54e3df6 Refactor put image function's redirect loop
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 18:11:27 -08:00
Michael Crosby
3911c8b8dc Prevent loop with var overshadowing
Incase of a 3xx redirect the var was being overshowed and ever changed
causing an infinite loop.

Fixes #9480

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 17:43:21 -08:00
Vaidas Jablonskis
df85a0f700 registry: fix ServerAddress setting
This ensures that ServerAddress is set, while previously it was getting
set after configFile.Configs.

Signed-off-by: Vaidas Jablonskis <jablonskis@gmail.com>
2014-11-24 18:26:41 +00:00
Tibor Vass
ae0ebb9d07 Add the possibility of specifying a subnet for --insecure-registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-14 12:31:11 -08:00
Tibor Vass
f0920e61bf registry: parse INDEXSERVERADDRESS into a URL for easier check in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-13 07:02:24 -08:00
Tibor Vass
cca910e878 Put mock registry address in insecureRegistries for unit tests
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Tibor Vass
80255ff224 registry: refactor registry.IsSecure calls into registry.NewEndpoint
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Erik Hollensbe
524aa8b1a6 registry: always treat 127.0.0.1 as insecure for all cases anytime anywhere
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-11-12 12:14:43 -08:00
Johan Euphrosine
8582d04393 registry: default --insecure-registry to localhost and 127.0.0.1
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-12 09:12:42 -08:00
Tibor Vass
c00cd583e9 Merge pull request #9095 from proppy/is-secure-test
registry: add tests for IsSecure
2014-11-11 16:52:36 -05:00
Johan Euphrosine
cd246befe2 registry: add tests for IsSecure
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-11 11:02:32 -08:00
Vincent Batts
7dd4199fe8 registry: don't iterate through certs
the golang tls.Conn does a fine job of that.
http://golang.org/src/pkg/crypto/tls/handshake_client.go?#L334

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-11-04 16:12:23 -05:00
Tibor Vass
47a494e0fd Fix login command
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-10-30 19:44:44 -04:00
Tibor Vass
1b72e0234e Do not verify certificate when using --insecure-registry on an HTTPS registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Conflicts:
	registry/registry.go
	registry/registry_test.go
	registry/service.go
	registry/session.go

Conflicts:
	registry/endpoint.go
	registry/registry.go
2014-10-30 19:44:09 -04:00
Michael Crosby
552c17d618 Don't hard code true for auth job
Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	registry/service.go
2014-10-30 19:41:55 -04:00
Michael Crosby
50e11c9d8e Refactor IsSecure change
Fix issue with restoring the tag store and setting static configuration
from the daemon. i.e. the field on the TagStore struct must be made
internal or the json.Unmarshal in restore will overwrite the insecure
registries to be an empty struct.

Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	graph/pull.go
	graph/push.go
	graph/tags.go
2014-10-30 19:41:55 -04:00
unclejack
034c1cfb9d make http usage for registry explicit
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)

Conflicts:
	daemon/config.go
	daemon/daemon.go
	graph/pull.go
	graph/push.go
	graph/tags.go
	registry/registry.go
	registry/service.go
2014-10-30 19:41:55 -04:00
Victor Vieux
5685221c5f Merge pull request #8387 from vbatts/vbatts-registry_test_enpoint
registry/endpoint: make it testable
2014-10-29 13:36:17 -07:00
Jessie Frazelle
21ba3078b6 Merge pull request #8669 from monsterzz/8668-dualstack-registry
Use dual-stack Dialer when talking to registy
2014-10-29 12:03:12 -07:00
Jessica Frazelle
22f87eb9be Fix error on successful login.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-28 17:42:03 -07:00
Igor Dolzhikov
1a8edd0d55 excluding unused transformation to []byte
Signed-off-by: Igor Dolzhikov <bluesriverz@gmail.com>
2014-10-28 01:04:36 +06:00
Alexandr Morozov
0827b71157 Mass gofmt
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:11:48 -07:00
Alexandr Morozov
32654af8b6 Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Vincent Batts
bcbb7e0c41 registry/endpoint: make it testable
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-24 16:27:17 -04:00
Tibor Vass
d81951fffa Merge pull request #8423 from unclejack/lint_changes
lint changes part 1
2014-10-21 12:15:58 -04:00
Gleb M Borisov
ef57ab120c Use dual-stack Dialer when talking to registy
Signed-off-by: Gleb M. Borisov <borisov.gleb@gmail.com>
2014-10-21 03:59:11 +04:00
Dan Walsh
3a6fe4c5c9 On Red Hat Registry Servers we return 404 on certification errors.
We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.

According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."

https://www.ietf.org/rfc/rfc2616.txt

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity.  If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI. No
   indication is given of whether the condition is temporary or
   permanent. The 410 (Gone) status code SHOULD be used if the server
   knows, through some internally configurable mechanism, that an old
   resource is permanently unavailable and has no forwarding address.
   This status code is commonly used when the server does not wish to
   reveal exactly why the request has been refused, or when no other
   response is applicable.

When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-10-20 13:20:48 -04:00
Daniel, Dao Quang Minh
20867c3b1f Avoid fallback to SSL protocols < TLS1.0
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-10-15 22:39:51 -04:00
Derek McGowan
479ed10e61 Support tarsum dev version to fix issue with mtime
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
1538e42d56 Update manifest format to rename blobsums and use arrays of dictionaries
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
f290f44632 Use direct registry url
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:28 -07:00
unclejack
7bfdb6d495 registry: lint
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-10-06 22:34:39 +03:00
Derek McGowan
c47aa21c35 Add comment for permission and fix wrong format variable
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-02 17:41:57 -07:00
Derek McGowan
b7f7b0a2c9 Add provenance pull flow for official images
Add support for pulling signed images from a version 2 registry.
Only official images within the library namespace will be pull from the
new registry and check the build signature.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-01 18:26:06 -07:00
Vincent Batts
d629bebce2 registry: getting Endpoint ironned out
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-01 13:19:40 -07:00
Tibor Vass
48b43c2645 Replace get.docker.io -> get.docker.com and test.docker.io -> test.docker.com
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-09-24 18:53:27 -04:00
Phil Estes
b7da79fd14 Refactor all pre-compiled regexp to package level vars
Addresses #8057

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2014-09-16 12:57:44 -04:00
Vincent Batts
898bcf0f5d TarSum: versioning
This introduces Versions for TarSum checksums.
Fixes: https://github.com/docker/docker/issues/7526

It preserves current functionality and abstracts the interface for
future flexibility of hashing algorithms. As a POC, the VersionDev
Tarsum does not include the mtime in the checksum calculation, and would
solve https://github.com/docker/docker/issues/7387 though this is not a
settled Version is subject to change until a version number is assigned.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-09-10 15:41:52 -04:00
Jessie Frazelle
8440052689 Merge pull request #7862 from Gandi/bugfixes/segfault-registry-session
Fix SEGFAULT if dns resolv error
2014-09-08 11:38:34 -07:00
Michael Crosby
5e47333091 Merge pull request #7609 from ewindisch/max_imgname
Restrict length of repository names
2014-09-08 11:06:54 -07:00
Arthur Gautier
eaf57e8f55 Fix SEGFAULT if dns resolv error
Per registry.doRequest, res and client might be nil in case of error
For example, dns resolution errors, /etc/docker/certs.d perms, failed
loading of x509 cert ...
This will make res.StatusCode and res.Body SEGFAULT.

Signed-off-by: Arthur Gautier <baloo@gandi.net>
2014-09-05 13:40:06 +02:00
unclejack
2c78019539 registry/session: fix panic in GetRemoteImageLayer
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-09-03 17:26:56 +03:00
Eric Windisch
307e253d33 Restrict repository names from matching hexadecimal strings
To avoid conflicting with layer IDs, repository names must
not be tagged with names that collide with hexadecimal strings.

Signed-off-by: Eric Windisch <eric@windisch.us>
2014-08-27 13:46:10 -04:00
Michael Crosby
48096dad19 Merge pull request #7740 from LK4D4/registry_style
Style fixes for registry/registry.go
2014-08-26 18:02:11 -07:00
Alexandr Morozov
27e0ec3d58 Style fixes for registry/registry.go
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-26 12:28:40 +04:00
Erik Hollensbe
4d8f45a94d fix return values in registry mock service
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-25 10:29:38 -07:00
Daniel Menet
283fba4821 Expand hostname before passing it to NewRegistry()
Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:25:46 +02:00
Daniel Menet
744919be3d Enable docker search on private docker registry.
The cli interface works similar to other registry related commands:

  docker search foo

... searches for foo on the official hub

  docker search localhost:5000/foo

... does the same for the private reg at localhost:5000

Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:24:32 +02:00
Erik Hollensbe
94ff3f3e4d move utils.Fataler to pkg/log.Fataler
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-13 15:32:41 -07:00
Josiah Kiehl
2a7cf96c8f Extract log utils into pkg/log
Docker-DCO-1.1-Signed-off-by: Josiah Kiehl <josiah@capoferro.net> (github: capoferro)
2014-08-13 15:18:15 -07:00
Vincent Batts
7ef3a5bc73 registry.Registry -> registry.Session
renaming this struct to more clearly be session, as that is what it
handles.

Splitting out files for easier readability.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-08-13 09:27:43 -04:00
Tibor Vass
2ccfaf1484 Merge pull request #7324 from erikh/move_tarsum
Move tarsum to pkg/
2014-07-31 16:56:24 -04:00
Erik Hollensbe
47261aa8cf Remove CheckSum from utils; replace with a TeeReader
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 11:23:43 -07:00
Erik Hollensbe
7f2dca77d4 utils/tarsum* -> pkg/tarsum
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 06:42:12 -07:00
Erik Hollensbe
052128c4fc Move parsing functions to pkg/parsers and the specific kernel handling
functions to pkg/parsers/kernel, and parsing filters to
pkg/parsers/filter. Adjust imports and package references.

Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-29 13:09:10 -07:00
unclejack
775ca3caa3 move resumablerequestreader to pkg
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-29 16:30:45 +03:00
Victor Vieux
822f8c1b52 update go import path and libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:19:50 +00:00
Vincent Batts
2ff0ef4407 Merge pull request #6727 from unclejack/improve_bytes_range
Improve layer downloading
2014-07-23 15:31:25 -04:00
Michael Crosby
f946208721 Merge pull request #7146 from dmp42/master
Joining registry maintainers
2014-07-21 17:02:52 -07:00
Olivier Gambier
6365d94ef4 Joining registry maintainers
Docker-DCO-1.1-Signed-off-by: Olivier Gambier <olivier@docker.com> (github: dmp42)
2014-07-22 01:50:32 +02:00
Vincent Batts
c9bcc63cc7 Merge pull request #7050 from Aigeruth/fix/push_image_layer_registry_content_type
Add Content-Type header in PushImageLayerRegistry
2014-07-21 15:07:01 -04:00
unclejack
78a499ac67 get layer: remove HEAD req & pass down response
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-21 20:21:18 +03:00
Solomon Hykes
bc35ac4afd Merge pull request #3070 from alexlarsson/certificates 2014-07-18 18:27:00 -07:00
Gabor Nagy
19b4616baa Add Content-Type header in PushImageLayerRegistry
Docker-DCO-1.1-Signed-off-by: Gabor Nagy <mail@aigeruth.hu> (github: Aigeruth)
2014-07-16 12:23:25 +02:00
LK4D4
7cd8de1329 Fix go vet errors
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-18 17:39:57 +00:00
Alexander Larsson
d95235cc50 Add support for client certificates for registries
This lets you specify custom client TLS certificates and CA root for a
specific registry hostname. Docker will then verify the registry
against the CA and present the client cert when talking to that
registry.  This allows the registry to verify that the client has a
proper key, indicating that the client is allowed to access the
images.

A custom cert is configured by creating a directory in
/etc/docker/certs.d with the same name as the registry hostname. Inside
this directory all *.crt files are added as CA Roots (if none exists,
the system default is used) and pair of files <filename>.key and
<filename>.cert indicate a custom certificate to present to the registry.

If there are multiple certificates each one will be tried in
alphabetical order, proceeding to the next if we get a 403 of 5xx
response.

So, an example setup would be:
/etc/docker/certs.d/
└── localhost
    ├── client.cert
    ├── client.key
    └── localhost.crt

A simple way to test this setup is to use an apache server to host a
registry. Just copy a registry tree into the apache root, here is an
example one containing the busybox image:
  http://people.gnome.org/~alexl/v1.tar.gz

Then add this conf file as /etc/httpd/conf.d/registry.conf:

 # This must be in the root context, otherwise it causes a re-negotiation
 # which is not supported by the tls implementation in go
 SSLVerifyClient optional_no_ca

 <Location /v1>
 Action cert-protected /cgi-bin/cert.cgi
 SetHandler cert-protected

 Header set x-docker-registry-version "0.6.2"
 SetEnvIf Host (.*) custom_host=$1
 Header set X-Docker-Endpoints "%{custom_host}e"
 </Location>

And this as /var/www/cgi-bin/cert.cgi

 #!/bin/bash
 if [ "$HTTPS" != "on" ]; then
     echo "Status: 403 Not using SSL"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then
     echo "Status: 403 Client certificate invalid"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)"
 echo "x-docker-registry-version: 0.6.2"
 echo "X-Docker-Endpoints: $SERVER_NAME"
 echo "X-Docker-Size: 0"
 echo

 cat $PATH_TRANSLATED

This will return 403 for all accessed to /v1 unless *any* client cert
is presented. Obviously a real implementation would verify more details
about the certificate.

Example client certs can be generated with:

openssl genrsa -out client.key 1024
openssl req -new -x509 -text -key client.key -out client.cert

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-06-13 11:13:18 +02:00
Brandon Philips
46cc7603d4 registry: remove unneeded time.Duration()
These constants don't need to use time.Duration(). Fixup this file since
it seems to be the only one using this style.

Docker-DCO-1.1-Signed-off-by: Brandon Philips <brandon.philips@coreos.com> (github: philips)
2014-06-08 11:04:06 -07:00
Victor Vieux
4ec6e68e04 Disable timeout for push
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 23:48:25 +00:00
Victor Vieux
5cef006c5a improve trusted location detection
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 21:17:56 +00:00
Victor Vieux
8e8ffacf49 only forward auth to trusted locations
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 19:47:33 +00:00
Victor Vieux
0ac3b3981f Add redirect and env proxy support to docker login
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-03 00:46:06 +00:00
unclejack
96412d40fd resume pulling the layer on disconnect
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-06-02 21:41:22 +03:00
Derek
3a21f339f1 Use Timeout Conn wrapper to set read deadline for downloading layer
Docker-DCO-1.1-Signed-off-by: Derek <crq@kernel.org> (github: crquan)
2014-05-27 22:50:04 -07:00
Vincent Batts
a9a754dad1 registry: adding vbatts to the MAINTAINERS
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-05-06 14:31:47 -04:00
Victor Vieux
335cdaba6f Merge pull request #5600 from unclejack/sha512_registry_support
import sha512 to make sha512 ssl certs work
2014-05-05 15:27:11 -07:00
unclejack
f293adf7f9 import sha512 to make sha512 ssl certs work
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-05-05 20:29:20 +03:00
Solomon Hykes
bbebff75b6 Move 'search' to the registry subsystem
This continues the effort to separate all registry logic from the
deprecated `Server` object.

* 'search' is exposed by `github.com/dotcloud/docker/registry/Service`
* Added proper documentation of Search while I was at it

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:32 +00:00
Solomon Hykes
8934560bbc Move 'auth' to the registry subsystem
This is the first step towards separating the registry subsystem from
the deprecated `Server` object.

* New service `github.com/dotcloud/docker/registry/Service`
* The service is installed by default in `builtins`
* The service only exposes `auth` for now...
* ...Soon to be followed by `pull`, `push` and `search`.

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:06 +00:00
Michael Crosby
3e064ac71c Use proper scheme with static registry
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 02:01:07 -07:00
Victor Vieux
c914523873 Merge pull request #4607 from vbatts/vbatts-static_registry
static registry support
2014-04-29 11:22:44 -07:00
unclejack
c9a32099ae Merge pull request #5199 from shin-/registry_mirrors_support
Added support for multiple endpoints in X-Docker-Endpoints header
2014-04-28 17:56:57 +03:00
Vincent Batts
2b89f57964 static_registry: update the test for the new struct
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-04-25 20:01:25 -04:00
shin-
52893cae73 Added support for multiple endpoints in X-Docker-Endpoints header
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-18 17:42:54 +02:00
Victor Vieux
4bc3522500 allow dot in repo name
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-14 23:15:38 +00:00
shin-
dbb9296531 Added specific error message when hitting 401 over HTTP on push
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-08 17:07:29 +02:00
Sam Alba
4f29181d9b Payload checksum now match the checksum simple
Backported for backward compatibility.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 18:31:15 -07:00
Sam Alba
d2b2bf0393 Inverted layer checksum and tarsum.
The checksum of the payload has to be computed on the Gzip'ed content.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 17:56:25 -07:00
Ryan Thomas
50ec0bbd4e Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-28 06:31:04 +11:00
Ryan Thomas
fffa920a89 Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-25 14:45:11 +11:00
Djibril Koné
9bad706a1f Harmonize / across all name-related commands/Validate images names
Docker-DCO-1.1-Signed-off-by: Djibril Koné <kone.djibril@gmail.com> (github: enokd)
2014-03-21 00:40:58 +01:00
Victor Vieux
47c4e542ba use mock for search
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-03-13 17:40:34 +00:00
Vincent Batts
c18c4b8d3c registry: Info collection
roll version and standalone information into the _ping. And to support
Headers they are checked after the JSON is loaded (if there is anything
to load). To stay backwards compatible, if the _ping contents are not
able to unmarshal to RegistryInfo, do not stop, but continue with the
same behavior.

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 23:36:51 -04:00
Vincent Batts
471d923b1b registry: make certain headers optional
For a pull-only, static registry, there only a couple of headers that
need to be optional (that are presently required.
* X-Docker-Registry-Version
* X-Docker-Size
* X-Docker-Endpoints

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 10:08:44 -04:00
Guillaume J. Charmes
f6fefb0bc1 Merge auth package within registry
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-03-10 17:16:58 -07:00
Fabio Falci
1c101d006b Remove manual http cookie management
Since docker uses cookiejar it doesn't need to manage cookies manually
anymore.
Managing cookie was duplicating it.

Docker-DCO-1.1-Signed-off-by: Fabio Falci <fabiofalci@gmail.com> (github: fabiofalci)
2014-03-09 02:25:19 +00:00
Guillaume J. Charmes
1278e74c26 Merge pull request #4270 from DevTable/fixregistryauth
Fix registry auth and remove other hidden ping commands from client code
2014-03-03 17:34:21 -08:00
Sam Alba
f29683f794 registry: Fixed unexported field
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-02-25 16:06:04 -08:00
Sam Alba
ba8dbe4b9b registry: Removed checksumPayload from exported fields
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-24 12:40:33 -08:00
Sam Alba
bae6dc35bc registry: Fixed tests
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-24 09:04:27 -08:00
Sam Alba
3bf0ee5e52 registry: Added simple checksums (sha256) for layers
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-23 18:50:04 -08:00
Jake Moshenko
bac83c7608 Fix registry auth by storing the string passed on the command line, and allowing for credential selection by normalizing on hostname. Also, remove remote ping calls from CmdPush and CmdPull.
Docker-DCO-1.1-Signed-off-by: Jake Moshenko <jake@devtable.com> (github: jakedt)
2014-02-20 18:32:33 -05:00
Michael Crosby
9274def67d Fix login prompt on push and pull because of error message
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-03 11:38:34 -08:00
Roberto G. Hashioka
4fe7a141bf Added missing attributes to api search calls:
- Added an argument to the call() method in order to control the auth sharing
- Enabled it only for search. Pulls and pushes were enabled already.
- Grouped a few variable declarations

Docker-DCO-1.1-Signed-off-by: Roberto Hashioka <roberto.hashioka@docker.com> (github: rogaha)
2014-01-21 04:06:19 +00:00
Michael Crosby
275109a6ad Make sure new repositories can be pushed with multiple tags
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-01-20 13:39:35 -08:00
Victor Vieux
78bc8d7377 move legacy stuff outside the job
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-01-13 16:20:05 -08:00
Michael Crosby
6fc5e50471 Merge pull request #3431 from shin-/ping_standalone_check
Check standalone header when pinging a registry server.
2014-01-07 10:33:07 -08:00
shin-
9bafa726be Fixed registry unit tests 2014-01-06 21:04:44 +01:00
shin-
79e0ed25db Check standalone header when pinging a registry server. Standalone has to be true to use basic auth (in addition to previous requirements) 2014-01-02 17:51:42 +01:00
Victor Vieux
10eeaec70c fix progressbar in docker push 2013-12-20 16:55:41 -08:00
shin-
d2f7d65d71 Don't return req as result of setTokenAuth 2013-12-03 16:32:13 +01:00
shin-
1ff180d1b4 missed one call to setTokenAuth 2013-12-03 16:32:13 +01:00
shin-
0fca0f12f6 Factorized auth token setting 2013-12-03 16:32:13 +01:00
shin-
d4a00ebecb gofmt 2013-12-03 16:32:13 +01:00
shin-
097f41245a Use basic auth for private registries when over HTTPS.
RequestFactory is no longer a singleton (can be different for different instances of Registry)
Registry now has an indexEndpoint member
Registry methods that needed the indexEndpoint parameter no longer do so
Registry methods will only use token auth where applicable if basic auth is not enabled.
2013-12-03 16:32:13 +01:00
Andrews Medina
52a0a052e8 go fmt.
result of `gofmt -w -s .` without vendors.
2013-11-29 22:20:59 -02:00
cressie176
c86cee210f Closing connection after ping 2013-11-29 12:07:20 +00:00
Victor Vieux
2c26420bc4 update docker search to reflect future changes of the api 2013-10-31 19:14:11 -07:00
Victor Vieux
77f6f32704 Removes \\n from debugf calls 2013-10-25 17:50:40 -07:00
Johan Euphrosine
2f94790d67 registry: fix content-type for PushImageJSONIndex 2013-10-22 11:56:48 -07:00
Jonathan Rudenberg
8d77082c92 Fix some error cases where a HTTP body might not be closed
Refs #2126
2013-10-08 15:35:00 -04:00
Ken Cochrane
cbb906e41f fix the error message so it is the same as the regex issue #1999 2013-09-25 11:33:09 -04:00
Michael Crosby
9c366e092d Modify repository name regex to match index 2013-09-19 20:25:00 -07:00
Guillaume J. Charmes
49736d5fc7 Prevent panic upon error pulling registry 2013-09-16 16:18:25 -07:00
Marco Hennings
ee38e49093 Login against private registry
To improve the use of docker with a private registry the login
command is extended with a parameter for the server address.

While implementing i noticed that two problems hindered authentication to a
private registry:

1. the resolve of the authentication did not match during push
   because the looked up key was for example localhost:8080 but
   the stored one would have been https://localhost:8080

   Besides The lookup needs to still work if the https->http fallback
   is used

2. During pull of an image no authentication is sent, which
   means all repositories are expected to be private.

These points are fixed now. The changes are implemented in
a way to be compatible to existing behavior both in the
API as also with the private registry.

Update:

- login does not require the full url any more, you can login
  to the repository prefix:

  example:
  docker logon localhost:8080

Fixed corner corner cases:

- When login is done during pull and push the registry endpoint is used and
  not the central index

- When Remote sends a 401 during pull, it is now correctly delegating to
  CmdLogin

- After a Login is done pull and push are using the newly entered login data,
  and not the previous ones. This one seems to be also broken in master, too.

- Auth config is now transfered in a parameter instead of the body when
  /images/create is called.
2013-09-03 20:45:49 +02:00
shin-
a7b3e7eb78 registry: removing opaqueRequest 2013-08-16 19:33:59 +02:00
Victor Vieux
ecd70a1948 hot fix display in parallel pull and go fmt 2013-08-15 11:42:40 +00:00
Jonathan Rudenberg
e55267bc99 Add GitHub usernames to MAINTAINERS 2013-08-09 21:16:44 -04:00