Commit graph

314 commits

Author SHA1 Message Date
Phil Estes
e2e22cb830 Merge pull request #13650 from jvgogh/master
Upon HTTP 302 redirect do not include "Authorization" header on 'untr…
2015-06-02 14:23:20 -04:00
Arnaud Porterie
3a96a9e039 Merge pull request #13576 from stevvooe/verify-digests
Properly verify manifests and layer digests on pull
2015-06-02 11:16:23 -07:00
Jeffrey van Gogh
5418e3be0c Upon HTTP 302 redirect do not include "Authorization" header on 'untrusted' registries.
Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect.

This closes #13649

Signed-off-by: Jeffrey van Gogh <jvg@google.com>
2015-06-01 16:12:56 -07:00
Alexander Morozov
767c5283a2 Fix race condition in registry/session
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-01 13:25:18 -07:00
Stephen J Day
0ecc759684 Properly verify manifests and layer digests on pull
To ensure manifest integrity when pulling by digest, this changeset ensures
that not only the remote digest provided by the registry is verified but also
that the digest provided on the command line is checked, as well. If this check
fails, the pull is cancelled as with an error. Inspection also should that
while layers were being verified against their digests, the error was being
treated as tech preview image signing verification error. This, in fact, is not
a tech preview and opens up the docker daemon to man in the middle attacks that
can be avoided with the v2 registry protocol.

As a matter of cleanliness, the digest package from the distribution project
has been updated to latest version. There were some recent improvements in the
digest package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-29 15:20:28 -07:00
Antonio Murdaca
7d11fc6e5c Remove PortSpecs from Config
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-29 22:38:09 +02:00
Alexander Morozov
acdf61c7fd Merge pull request #13430 from runcom/fix-race-modify-request
Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
2015-05-28 11:31:04 -07:00
Richard
287cf41118 Registry v2 mirror support.
The v2 registry will act as a pull-through cache, and needs to be
handled differently by the client to the v1 registry mirror.

See docker/distribution#459 for details

Configuration

Only one v2 registry can be configured as a mirror. Acceptable configurations
in this chanage are: 0...n v1 mirrors or 1 v2 mirror. A mixture of v1 and v2
mirrors is considered an error.

Pull

If a v2 mirror is configured, all pulls are redirected to that mirror. The
mirror will serve the content locally or attempt a pull from the upstream mirror,
cache it locally, and then serve to the client.

Push

If an image is tagged to a mirror, it will be pushed to the mirror and be
stored locally there. Otherwise, images are pushed to the hub. This is
unchanged behavior.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-26 11:08:19 -07:00
Antonio Murdaca
8fc7d769ab Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-23 23:50:08 +02:00
Tibor Vass
a1ade52bb6 registry: fix auth bug
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-21 16:53:22 -04:00
Jacob Atzen
07e5885de1 Fix wording in comment
Signed-off-by: Jacob Atzen <jatzen@gmail.com>
2015-05-20 18:03:46 +02:00
Arnaud Porterie
38f0c6fa8a Windows: fix registry filepath and location
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-05-19 10:58:45 -07:00
Tibor Vass
808c87ce27 Add transport package to support CancelRequest
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 23:31:42 -04:00
Tibor Vass
9e6affc364 requestdecorator: repurpose the package and rename to useragent
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:54 -04:00
Tibor Vass
89bd48481c registry: Refactor requestfactory to use http.RoundTrippers
This patch removes the need for requestFactories and decorators
by implementing http.RoundTripper transports instead.

It refactors some challenging-to-read code.

NewSession now takes an *http.Client that can already have a
custom Transport, it will add its own auth transport by wrapping
it.

The idea is that callers of http.Client should not bother
setting custom headers for every handler but instead it should
be transparent to the callers of a same context.

This patch is needed for future refactorings of registry,
namely refactoring of the v1 client code.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:53 -04:00
James Lal
3c34b3c87e Increase default connection timeout to 30s
Closes #13307
Signed-off-by: James Lal <jlal@mozilla.com>
2015-05-18 13:26:33 -07:00
Lei Jitang
351babbf07 Fix invalid tag name
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-05-13 14:28:52 +08:00
Phil Estes
eea521cfe4 Merge pull request #12828 from tdmackey/trivial-spelling
trivial: typo cleanup
2015-04-27 17:05:46 -04:00
David Mackey
bb93129df4 trivial: typo cleanup
Signed-off-by: David Mackey <tdmackey@booleanhaiku.com>
2015-04-27 13:35:08 -07:00
Antonio Murdaca
9a26753d41 Small if err cleaning
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-27 21:50:33 +02:00
Jessie Frazelle
54aab2e9b8 Merge pull request #12417 from hashneo/patch-1
What if authConfig or factory is Nill?
2015-04-23 13:54:47 -07:00
Doug Davis
a8b9bec104 Move CLI config processing out from under registry dir
No logic changes should be in here, just moving things around.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-23 10:18:38 -07:00
Doug Davis
34d1494c7f Make .docker dir have 0700 perms not 0600
Thanks to @dmcgowan for noticing.

Added a testcase to make sure Save() can create the dir and then
read from it.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-20 14:16:50 -07:00
Doug Davis
7b8b61bda1 Add .docker/config.json and support for HTTP Headers
This PR does the following:
- migrated ~/.dockerfg to ~/.docker/config.json. The data is migrated
  but the old file remains in case its needed
- moves the auth json in that fie into an "auth" property so we can add new
  top-level properties w/o messing with the auth stuff
- adds support for an HttpHeaders property in ~/.docker/config.json
  which adds these http headers to all msgs from the cli

In a follow-on PR I'll move the config file process out from under
"registry" since it not specific to that any more. I didn't do it here
because I wanted the diff to be smaller so people can make sure I didn't
break/miss any auth code during my edits.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-20 13:05:24 -07:00
Rick Wieman
4778468202 Removes redundant else in registry/session.go
Fixes #12523

Signed-off-by: Rick Wieman <git@rickw.nl>
2015-04-19 23:58:55 +02:00
Antonio Murdaca
742cf000d3 Refactor else branches
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-19 15:32:54 +02:00
Steven Taylor
2bd5eb9d7c What if authConfig or factory is Null?
Signed-off-by: Steven Taylor <steven.taylor@me.com>
2015-04-15 15:35:18 -07:00
Antonio Murdaca
ad3d879929 Refactor utils/utils, fixes #11923
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 01:37:36 +02:00
Tibor Vass
0120d1c7db Merge pull request #11478 from dmcgowan/v2-vendored-api
Use v2 api from distribution
2015-04-10 17:22:38 -04:00
Doug Davis
e5408bd911 Remove engine.Table from docker search and fix missing field
registry/SearchResults was missing the "is_automated" field.
I added it back in.

Pull this 'table' removal one from the others because it fixed
a bug too

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-03 11:27:30 -07:00
Michael Crosby
638ccff564 Remove jobs from registry.Service
This makes `registry.Service` a first class type and does not use jobs
to interact with this type.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-03-31 16:38:04 -07:00
Derek McGowan
67e5c940c4 Use vendored v2 registry api
Update registry package to use the v2 registry api from distribution. Update interfaces to directly take in digests.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-31 15:02:27 -07:00
Antonio Murdaca
5fa2d814f8 Refactor utils/http.go, fixes #11899
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-30 17:59:57 +02:00
Brian Goff
9e9a8add19 Merge pull request #11788 from reikani/pchoi
Changed snake case naming to camelCase.
2015-03-26 23:55:50 -07:00
Antonio Murdaca
d5045d054b Replace aliased imports of logrus, fixes #11762
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-26 23:22:04 +01:00
Peter Choi
b085d5556e Changed snake case naming to camelCase
Signed-off-by: Peter Choi <phkchoi89@gmail.com>
2015-03-26 15:05:45 -06:00
Don Kjer
eff5278d12 Fix for issue 9922: private registry search with auth returns 401
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-03-26 18:59:16 +00:00
Antonio Murdaca
9c08a43624 Remove engine.Status and replace it with standard go error
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-25 22:32:08 +01:00
Derek McGowan
10128f6e8c Add struct tags on v2 remote tags struct
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-23 14:33:52 -07:00
Meaglith Ma
0e7650f958 Fix decode tags value error when call get /v2/<name>/tags/list in registry api v2.
Signed-off-by: Meaglith Ma <genedna@gmail.com>
2015-03-23 14:33:52 -07:00
Derek McGowan
9f5184c111 Add check for 404 on get repository data
No longer add the body to the error when a 404 is received on get repository data.

closes #11510

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-22 18:15:18 -07:00
Michael Crosby
50b10850bb Merge pull request #11528 from jlhawn/separate_init_blob_upload
Separate init blob upload
2015-03-20 16:39:31 -07:00
Josh Hawn
bcccf35bb2 Separate init blob upload
Pushing a v2 image layer has two steps:

- POST to get a new upload URL
- PUT to that upload URL

We were previously not checking the response code of
the POST request and the PUT would fail in weird ways.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-20 13:11:05 -07:00
Josh Hawn
11d08c3065 Add verification of image manifest digests
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-20 09:34:39 -07:00
Arnaud Porterie
4377a9a3bc Merge pull request #11477 from dmcgowan/fix-auth-http-client
Update auth client configuration to use proper tls config
2015-03-19 14:17:47 -07:00
Derek McGowan
4bf6791328 Update auth client configuration to use proper tls config
Currently the http clients used by auth use the default tls config.  The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-18 14:52:49 -07:00
Zhang Wei
7d4c1d1e97 print detailed error info for docker pull
When docker push get response with unknown HTTP status, docker daemon
print:
"Error: Status XXX trying to push repository XXX: XXX"
But when docker pull meets response with unknown status code, it gives:
"HTTP code: XXX"

This commit helps docker pull print more detailed error info like push
does, so push and pull can behave consistently when error happens.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2015-03-18 11:35:44 +08:00
Arnaud Porterie
606d538448 Merge pull request #11118 from shishir-a412ed/restriction_username_length
Docker Tag command: Relax the restriction on namespace (username) length from 30 to 255 characters.
2015-03-17 09:41:12 -07:00
Andy Goldstein
4b813b3847 Add ability to refer to image by name + digest
Add ability to refer to an image by repository name and digest using the
format repository@digest. Works for pull, push, run, build, and rmi.

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-17 10:10:42 +00:00
Derek McGowan
1d6ccc1b72 Quote registry error strings
Currently when registry error strings contain new line characters only the last line is displayed to the client. Quote the string to ensure the client can see the entire body value.

fixes #11346

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-16 15:32:47 -07:00