This adds a configuration setting `HTTP.TLS.LetsEncrypt.Hosts` which can
be set to a list of hosts that the registry will whitelist for retrieving
certificates from Let's Encrypt. HTTPS connections with SNI hostnames
that are not whitelisted will be closed with an "unknown host" error.
It is required to avoid lots of unsuccessful registration attempts that
are triggered by malicious clients connecting with bogus SNI hostnames.
NOTE: Due to a bug in the deprecated vendored rsc.io/letsencrypt library,
clearing the host list requires deleting or editing the cachefile to
reset the hosts list to null.
Signed-off-by: Felix Buenemann <felix.buenemann@gmail.com>
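An added example, not code from this commit or from the registry: a standard-library sketch of the SNI check described above, where a `GetCertificate` callback is only reached for whitelisted hostnames. The names `allowHosts`, `simulate`, `errUnknownHost` and the sample hostnames are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// errUnknownHost is what a handshake with a non-whitelisted SNI name gets.
var errUnknownHost = errors.New("unknown host")

type getCertFunc func(*tls.ClientHelloInfo) (*tls.Certificate, error)

// normalize makes the comparison case-insensitive and ignores a trailing dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// allowHosts wraps a certificate source so that it is consulted only for
// whitelisted SNI names. The result can be assigned to
// tls.Config.GetCertificate. An empty SNI name is rejected as well.
func allowHosts(hosts []string, issue getCertFunc) getCertFunc {
	allowed := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		allowed[normalize(h)] = true
	}
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if !allowed[normalize(hello.ServerName)] {
			return nil, errUnknownHost // closed before any issuance work starts
		}
		return issue(hello)
	}
}

// simulate feeds constructed SNI names through the guarded callback and
// reports how many reached issuance and how many were rejected.
func simulate(hosts, sniNames []string) (issued, rejected int) {
	guarded := allowHosts(hosts, func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		issued++ // stands in for a certificate request to the CA
		return &tls.Certificate{}, nil
	})
	for _, name := range sniNames {
		_, err := guarded(&tls.ClientHelloInfo{ServerName: name})
		if errors.Is(err, errUnknownHost) {
			rejected++
		}
	}
	return issued, rejected
}

func main() {
	// Constructed sample input: two spellings of the real host, three bogus names.
	issued, rejected := simulate(
		[]string{"registry.example.com"},
		[]string{"registry.example.com", "Registry.Example.COM.", "bogus-1.invalid", "bogus-2.invalid", ""},
	)
	fmt.Printf("issuance attempts: %d, rejected handshakes: %d\n", issued, rejected)
}
```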
* Reword lots of instances of 'will'
* Reword lots of instances of won't
* Reword lots of instances of we'll
* Eradicate you'll
* Eradicate 'be able to' type of phrases
* Eradicate 'unable to' type of phrases
* Eradicate 'has / have to' type of phrases
* Eradicate 'note that' type of phrases
* Eradicate 'in order to' type of phrases
* Redirect to official Chef and Puppet docs
* Eradicate gratuitous 'please'
* Reduce use of e.g.
* Reduce use of i.e.
* Reduce use of N.B.
* Get rid of 'sexagesimal' and correct some errors
* Improve Cloudfront notes regarding private buckets
* Point to CloudFront docs
This is better than outlining the steps specifically. The API steps will be different and the specific parts of the web UI may change over time. Amazon's docs are more likely to be up to date.
Using a daemon configuration file is preferred over
using command-line flags, as it allows reloading
this configuration without restarting the
daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If htpasswd authentication option is configured but the htpasswd file is
missing, populate it with a default user and automatically generated
password.
The password will be printed to stdout.
Signed-off-by: Liron Levin <liron@twistlock.com>
As the `--label` option is used before in `docker node update --label-add registry=true node1`, the Docker registry should be restricted to only run on `node1` - and nowhere else. So the `docker service create` command has to use the option `--constraint 'node.labels.registry==true'` instead of `--label registry=true` - because it is a constraint, where to run the Registry - we don't just want to set a label again.
* for all links to , changed to full path
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
* fixed link in Swarm Tutorial per review comments
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
* Reorganize registry deployment guide
Also add information about pushing non-distributable
layers to private registries
Also add an example of running a registry as a swarm service
* Add instructions to remove also proxy_set_header Host
Add instructions to remove also proxy_set_header Host when using ELB.
In my case I only had commented out X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, but not Host, and I was getting lots of retries in Docker. Commenting the proxy_set_header Host fixed the issue, as recommended in https://github.com/moby/moby/issues/16949
* Update fedora.md
add warning class to blockquote
* Update linux-postinstall.md
add warning class to blockquote
* Update ubuntu.md
add warning class to blockquote
* Update https.md
add warning class to blockquote
* Update swarm_manager_locking.md
add warning class to blockquote
* Update dockerlinks.md
add warning class to blockquote
* Update deploying.md
add warning class to blockquote
* Update deploying.md
add warning class to blockquote
* Update insecure.md
add warning class to blockquote
* Update discovery.md
add warning class to blockquote
* Update dockerd.yaml
add warning class to blockquote
* Update docker_secret_rm.yaml
add warning class to blockquote
* Update docker_service_rm.yaml
add warning class to blockquote
* Update docker_secret_rm.yaml
add warning class to blockquote
* Update scale-your-cluster.md
add warning class to blockquote
* Update resource_constraints.md
add warning class to blockquote
* Update binaries.md
add warning class to blockquote
* Update content_trust.md
add warning class to blockquote
* Update secrets.md
add warning class to blockquote
* Update index.md
add warning class to blockquote
* Update install-sandbox-2.md
add warning class to blockquote
* Update docker-toolbox.md
add warning class to blockquote
* Update index.md
add warning class to blockquote
* Update centos.md
add warning class to blockquote
* Update debian.md
add warning class to blockquote
* Update faqs.md
add linebreak after Looking for popular FAQs on Docker for Windows?
* Update install.md
add linebreak after **Already have Docker for Windows?**
* Revert "Update dockerd.yaml"
This reverts commit 3a98eb86f700ade8941483546c33f69a9dab8ac3.
* Revert "Update docker_secret_rm.yaml"
This reverts commit 5dc1e75f37033932486c11287052b7d64bf83e55.
* Revert "Update docker_service_rm.yaml"
This reverts commit a983380a5625b471f1a03f8ed2301ead72f98f1b.
* Revert "Update docker_secret_rm.yaml"
This reverts commit 4c454b883c300e26fbb056b954bb49ec2933b172.
* First pass of tabs-based organization
* Improvements
* Second pass at tabs org
* Move tab highlighting to Liquid instead of JS
* Adding forwarding links for in-product TOCs
* Move to pre-rendered left-navs instead of post-load JS for TOC sync
* Optimizations and nosync-ing the Reference section
* Optimizations, fix Cloud YAML
* Make a "Sample applications" node
* Update index.md
* Tabs CSS fixes and 12-factor reposition
* Theme Start (#1709)
* Hooking up nav to real TOC data, formatting fixes
* Fixing JS error
* Layout updates, dark themes, tons o stuff (#1971)
* Add cookie saving for day/night mode
* Newsite tabs (#2004)
* Layout updates, dark themes, tons o stuff
* Update themes
Theme updates + scaffolding
* Update style.css
* Update style-alt.css
* Missing font fixes
* Import Open Sans from Google
* Font fix, archive removal in TOC, favicon, Feedback img fix
* Oops, returning -webkit-font-smoothing: antialiased;
* Add old favicon.ico
* Make archives a non-tiered link
* Reorder docs archive to newest-first, add local instructions
* Commenting out day/night switch for now
* Fix 'rate this page'
* Rate this page fixes
* Autocomplete and Docker Cloud fixes
* Open tree to current page
* Adding indentation for nav collapse in
* Ensure left nav visibly displays the current topic
* Update flex layout
- adjust rescale
- code block styles
* add focus to search
- force code block color (for now)
- increase section max-width
* increase content padding
- add padding to toc for wrapping long strings.
* grid adjustment
- grid
- content and wrapper adjustments for mobile
* left/right sidebar adjustments
- refine position on scroll for toc on landing
- add default height to compensate for upcoming position absolute
onScroll
* side bar overflow
- hidden on X-scroll
* fix version button
- override bstrap defaults
* tabs + buttons
* update landing svgs
* fix sidebar height
set to 100% on landing pre-affix
* Update blurb about engine/editions on front page
* add side menu to mobile collapse menu
* update classnames
* overall mobile tweaks
* Right-nav highlighting and auto-scroll
* Slightly slower right-nav highlighting, correct version
* add toggle menus for small devices
* Fixing JS error/Docker 1.13>17.03
* header updates
* re-add fan to header
* update transition time
* Add first 20 words to Twitter card
* fixed width of components
- lockdown elements on rescale (will need more TLC)
* set max-width of content
* Left and right nav resizing w/footer scroll and window resize
* update links on landing page
* Fix for overzealous resizing, JS redundancies
* Fix for JS error on homepage
* JS error fixes
* toggle adjustments
- wrap toggle button
* add tab width
* version button type
* version button both headers
* tabs - fix typo
* landing page grid
* components
* Share images, JS fixes, Marketo removal
* Anchor links fix
* Fix for black space on mobile
* Restore hamburger (partial)
* Update run.md
Minor grammar cleanup.
* Update apparmor.md
I'm a little confused about which one is better to be used here, a period (.) or a colon (:), as a command is given below. Or both are OK, and we only have to keep consistency in a single page.
* Update apparmor.md
Fixed the indentation for the codeblock (indented by 4 spaces). Thank you for your careful review.
* Replacing service with secret
* Update networking.md
fix typo with triple "m" for command word
* Update run.md
Address PR feedback.
* Update install instructions to latest version
* Added "related topics" section
* Add documentation for mem_swappiness
* Update to new Docker version scheme (#1926)
* mem_swappiness for current version and v1
* merge other changes, fix typo
* There is no OpenSuSE and there never was
though we had SuSE and S.u.S.E.
* Add release notes for 1.12.6-cs9 (#2028)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
* need sudo to access key cache (#1931)
* need sudo to access key cache
* List other keyservers to try for cs-engine install (#2033)
* List other keyservers to try for cs-engine install
Sometimes ha.pool.sks-keyservers.net goes down, so let's provide some
other keyservers to try in such cases.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
* Update work_issue.md (#2030)
Change "re-start" to "restart". Though not included in "Preferred usages" in the documentation guide, but I think "restart" is better and used more frequently. Besides, some other docs here, such as "Keep containers alive during daemon downtime" of "Admin Guide", also use "restart".
* Update create_pr.md (#2015)
* Update work_issue.md (#2013)
Change "id" to "ID" except for those in code.
* Update set_up_dev.md (#2011)
Add periods (.) in some steps.
* Update set_up_dev.md (#2010)
Apply Oxford Comma as described in the documentation guide.
* Update create_pr.md (#2014)
Delete an extra space.
* Update trust_key_mng.md (#1883)
* Update trust_key_mng.md
* Update trust_key_mng.md
I don't know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown.
Now I've deleted some redundant whitespace.
* Update
I don't know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown.
Now I've deleted some redundant whitespace.
* Update content_trust.md (#1912)
* Update content_trust.md
* update deprecation policy
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
* Update info about how to check whether Docker is running
* Updated docs to reflect edge channel
Signed-off-by: French Ben <frenchben@docker.com>
* Updated wording for SP creation
Signed-off-by: French Ben <frenchben@docker.com>
* beta to edge, cloud features first draft
added cloud images
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
* Distinguish between cloud stack file and stack file
* Added EE links
Signed-off-by: French Ben <frenchben@docker.com>
* Use variables
Signed-off-by: French Ben <frenchben@docker.com>
* Replace deprecated MAINTAINER with LABEL (#1445)
Replace MAINTAINER instruction with LABEL as MAINTAINER was deprecated in https://github.com/docker/docker/pull/25466
* Updates for Docker CE and Docker EE
* Updated DDC launch button
Signed-off-by: French Ben <frenchben@docker.com>
* added Docker Cloud topics for Mac and Windows
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
* d4mac, d4win stable and beta release notes for 17.03.0
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Only append "additional" Docker-Distribution-Api-Version header in case
none were received from upstream.
Signed-off-by: forkbomber <forkbomber@users.noreply.github.com>
Update grammar to support a resource class. Add
example for plugin repository class.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Apple has changed their branding guidelines from 'OS X' to 'macOS'
so we should update ours to be within trademark / branding
guidelines. See http://www.apple.com/macos/sierra/
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
Some frontmatter such as the weights, menu stuff, etc is no longer used
'draft=true' becomes 'published: false'
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
Reading the oauth2 token documentation is misleading as it makes
no mention of it being a newer feature which may not be supported
by the token server. Add a note mentioning if it is not supported
to refer to the token documentation for getting a token.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The Hub registry generates a large volume of notifications, many of
which are uninteresting based on target media type. Discarding them
within the notification endpoint consumes considerable resources that
could be saved by discarding them within the registry. To that end,
this change adds registry configuration options to restrict the
notifications sent to an endpoint based on target media type.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
Access logging is great. Access logging you can turn off is even
better. This change adds a configuration option for that.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
Let's Encrypt uses tls-sni to validate the certificate
on the standard https port 443. If the registry is
outwardly listening on a different port Let's Encrypt
will not issue a certificate.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Previously, the specification incorrectly bound the fates of `urls` and
foreign layers. These are complementary but unrelated features, in that
the `urls` field may be populated for layers that aren't foreign. The
type of the layer only dictates the push behavior of the layer, rather
than involving where it came from.
For example, one may pull a foreign layer from a registry, but they may
not push it back to another registry. Conversely, a layer that has no
restrictions on push/pull behavior may be fetched via `urls` entries.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This change to the S3 Move method uses S3's multipart upload API to copy
objects whose size exceeds a threshold. Parts are copied concurrently.
The level of concurrency, part size, and threshold are all configurable
with reasonable defaults.
Using the multipart upload API has two benefits.
* The S3 Move method can now handle objects over 5 GB, fixing #886.
* Moving most objects, and especially large ones, is faster. For
example, moving a 1 GB object averaged 30 seconds but now averages 10.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
This is already supported by ncw/swift, so we just need to pass the
parameters from the storage driver.
Signed-off-by: Stefan Majewsky <stefan.majewsky@sap.com>
* Add Object ACL Support to the S3 Storage Backend
Signed-off-by: Frank Chen <frankchn@gmail.com>
* Made changes per @RichardScothern's comments
Signed-off-by: Frank Chen <frankchn@gmail.com>
* Fix Typos
Signed-off-by: Frank Chen <frankchn@gmail.com>
This adds the `--live-restore` option to the documentation.
Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 64a8317a5a306dffd0ec080d9ec5b4ceb2479a01)
Signed-off-by: Tibor Vass <tibor@docker.com>
Updates the v1 search endpoint to also support v2 auth when an identity token is given.
Only search v1 endpoint is supported since there is no v2 search currently defined to replace it.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
(cherry picked from commit 19d48f0b8ba59eea9f2cac4ad1c7977712a6b7ac)
Signed-off-by: Tibor Vass <tibor@docker.com>
Until we have some experience hosting foreign layer manifests, the Hub
operators wish to limit foreign layers on Hub. To that end, this change
adds registry configuration options to restrict the URLs that may appear
in pushed manifests.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.
This fix fixes #23459.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In Go's header parsing, the same header multiple times results in multiple entries in the `r.Header[...]` slice, but Go does no further parsing beyond that (and in https://golang.org/cl/4528086 it was determined that until/unless the stdlib itself needs it, Go will not do so).
The consequence here for parsing of `Accept:` headers is that we support the way Go outputs headers, but not all language HTTP libraries have a facility to output multiple headers instead of a single list header.
This change ensures that the following (valid) header blocks all parse to the same result for the purposes of what is being tested here:
```
Accept: a/b
Accept: b/c
Accept: d/e
```
```
Accept: a/b; q=0.5, b/c
Accept: d/e
```
```
Accept: a/b; q=0.1, b/c; q=0.2, d/e; q=0.8
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
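An added example, not the code from this commit: one way to make the three header blocks above parse to the same list, by flattening every `Accept` line and every comma-separated item within a line. The function name `acceptedMediaTypes` and the use of `mime.ParseMediaType` to drop the `q` parameters are choices made for this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// acceptedMediaTypes returns the media types named by the request's Accept
// headers in order of appearance. It treats repeated header lines and a
// single comma-separated list as equivalent, and strips parameters such as
// "q=0.5". Splitting on "," is a simplification: a quoted parameter value
// containing a comma would be split incorrectly.
func acceptedMediaTypes(h http.Header) []string {
	var types []string
	for _, line := range h.Values("Accept") {
		for _, item := range strings.Split(line, ",") {
			mediaType, _, err := mime.ParseMediaType(item)
			if err != nil {
				continue // empty or malformed item: ignore it, keep the rest
			}
			types = append(types, mediaType)
		}
	}
	return types
}

func main() {
	// The three header blocks from the commit message.
	blocks := []http.Header{
		{"Accept": {"a/b", "b/c", "d/e"}},
		{"Accept": {"a/b; q=0.5, b/c", "d/e"}},
		{"Accept": {"a/b; q=0.1, b/c; q=0.2, d/e; q=0.8"}},
	}
	for _, h := range blocks {
		fmt.Println(acceptedMediaTypes(h))
	}
}
```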
The client may need the content digest to delete a manifest using the digest used by the registry.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This fix tries to address the issue raised in #23055.
Currently `docker search` result caps at 25 and there is
no way to allow getting more results (if exist).
This fix adds the flag `--limit` so that it is possible
to return more results from the `docker search`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes #23055.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Go will fail to parse the examples since an int is expected rather than a string for the "expires in" value
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This lets us access registry config within middleware for additional
configuration of whatever it is that you're overriding.
Signed-off-by: Tony Holdstock-Brown <tony@docker.com>
… and refactor a little bit some daemon on the way.
- Move `SearchRegistryForImages` to a new file (`daemon/search.go`) as
`daemon.go` is getting pretty big.
- `registry.Service` is now an interface (allowing us to decouple it a
little bit and thus unit test easily).
- Add some unit tests for `SearchRegistryForImages`.
- Use UniqueExactMatch for search filters
- And use empty restore id for now in client.ContainerStart.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
go1.5 doesn't export http.StatusTooManyRequests while
go1.6 does. Fix this by hardcoding the status code for now.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit refactors base.regulator into the 2.4 interfaces and adds a
filesystem configuration option `maxthreads` to configure the regulator.
By default `maxthreads` is set to 100. This means the FS driver is
limited to 100 concurrent blocking file operations. Any subsequent
operations will block in Go until previous filesystem operations
complete.
This ensures that the registry can never open thousands of simultaneous
threads from os filesystem operations.
Note that `maxthreads` can never be less than 25.
Add test case covering parsable string maxthreads
Signed-off-by: Tony Holdstock-Brown <tony@docker.com>
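An added example, not the registry's `base.regulator`: a channel-based limiter that shows the behaviour described above, with operations beyond the limit blocking until a slot frees up. The type and function names are hypothetical, and raising a too-small limit to 25 (rather than rejecting it) is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

const (
	defaultMaxThreads = 100 // default given in the commit message
	minThreads        = 25  // floor given in the commit message
)

// regulator caps the number of blocking operations running at once.
type regulator struct{ slots chan struct{} }

// newRegulator raises limits below minThreads to minThreads (assumption).
func newRegulator(limit int) *regulator {
	if limit < minThreads {
		limit = minThreads
	}
	return &regulator{slots: make(chan struct{}, limit)}
}

func (r *regulator) limit() int { return cap(r.slots) }

// do blocks until a slot is free, runs op, then releases the slot.
func (r *regulator) do(op func() error) error {
	r.slots <- struct{}{}
	defer func() { <-r.slots }()
	return op()
}

// peakConcurrency pushes n simulated blocking operations through r from n
// goroutines and returns the highest number that ran at the same time.
func peakConcurrency(r *regulator, n int) int {
	var mu sync.Mutex
	var wg sync.WaitGroup
	inFlight, peak := 0, 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_ = r.do(func() error {
				mu.Lock()
				inFlight++
				if inFlight > peak {
					peak = inFlight
				}
				mu.Unlock()
				time.Sleep(time.Millisecond) // stands in for a blocking file operation
				mu.Lock()
				inFlight--
				mu.Unlock()
				return nil
			})
		}()
	}
	wg.Wait()
	return peak
}

func main() {
	r := newRegulator(defaultMaxThreads)
	fmt.Println("limit:", r.limit(), "peak:", peakConcurrency(r, 1000))
}
```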