forked from TrueCloudLab/distribution
afd61ce8f2
This updates the vendored docker/distribution to the current master branch. Note the following changes: - The manifest package was split into manifest/schema1. Most references to the manifest package in the engine needed to be updated to use schema1 instead. - Validation functions in api/v2 were replaced by the distribution/reference package. The engine code has been updated to use the reference package for validation where necessary. A future PR will change the engine to use the types defined in distribution/reference more comprehensively. - The reference package explicitly allows double _ characters in repository names. registry_test.go was updated for this. - TestPullFailsWithAlteredManifest was corrupting the manifest JSON, now that the schema1 package unmarshals the correct payload. The test is being changed to modify the JSON without affecting its length, which allows the pull to succeed to the point where digest validation happens. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
388 lines
12 KiB
Go
388 lines
12 KiB
Go
package registry
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/docker/distribution/reference"
|
|
"github.com/docker/docker/image"
|
|
"github.com/docker/docker/opts"
|
|
flag "github.com/docker/docker/pkg/mflag"
|
|
)
|
|
|
|
// Options holds command line options.
|
|
type Options struct {
|
|
Mirrors opts.ListOpts
|
|
InsecureRegistries opts.ListOpts
|
|
}
|
|
|
|
const (
|
|
// DefaultNamespace is the default namespace
|
|
DefaultNamespace = "docker.io"
|
|
// DefaultRegistryVersionHeader is the name of the default HTTP header
|
|
// that carries Registry version info
|
|
DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
|
|
|
|
// IndexServer is the v1 registry server used for user auth + account creation
|
|
IndexServer = DefaultV1Registry + "/v1/"
|
|
// IndexName is the name of the index
|
|
IndexName = "docker.io"
|
|
|
|
// NotaryServer is the endpoint serving the Notary trust server
|
|
NotaryServer = "https://notary.docker.io"
|
|
|
|
// IndexServer = "https://registry-stage.hub.docker.com/v1/"
|
|
)
|
|
|
|
var (
|
|
// ErrInvalidRepositoryName is an error returned if the repository name did
|
|
// not have the correct form
|
|
ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
|
|
|
|
emptyServiceConfig = NewServiceConfig(nil)
|
|
|
|
// V2Only controls access to legacy registries. If it is set to true via the
|
|
// command line flag the daemon will not attempt to contact v1 legacy registries
|
|
V2Only = false
|
|
)
|
|
|
|
// InstallFlags adds command-line options to the top-level flag parser for
|
|
// the current process.
|
|
func (options *Options) InstallFlags(cmd *flag.FlagSet, usageFn func(string) string) {
|
|
options.Mirrors = opts.NewListOpts(ValidateMirror)
|
|
cmd.Var(&options.Mirrors, []string{"-registry-mirror"}, usageFn("Preferred Docker registry mirror"))
|
|
options.InsecureRegistries = opts.NewListOpts(ValidateIndexName)
|
|
cmd.Var(&options.InsecureRegistries, []string{"-insecure-registry"}, usageFn("Enable insecure registry communication"))
|
|
cmd.BoolVar(&V2Only, []string{"-disable-legacy-registry"}, false, "Do not contact legacy registries")
|
|
}
|
|
|
|
type netIPNet net.IPNet
|
|
|
|
func (ipnet *netIPNet) MarshalJSON() ([]byte, error) {
|
|
return json.Marshal((*net.IPNet)(ipnet).String())
|
|
}
|
|
|
|
func (ipnet *netIPNet) UnmarshalJSON(b []byte) (err error) {
|
|
var ipnetStr string
|
|
if err = json.Unmarshal(b, &ipnetStr); err == nil {
|
|
var cidr *net.IPNet
|
|
if _, cidr, err = net.ParseCIDR(ipnetStr); err == nil {
|
|
*ipnet = netIPNet(*cidr)
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
// ServiceConfig stores daemon registry services configuration.
|
|
type ServiceConfig struct {
|
|
InsecureRegistryCIDRs []*netIPNet `json:"InsecureRegistryCIDRs"`
|
|
IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
|
|
Mirrors []string
|
|
}
|
|
|
|
// NewServiceConfig returns a new instance of ServiceConfig
|
|
func NewServiceConfig(options *Options) *ServiceConfig {
|
|
if options == nil {
|
|
options = &Options{
|
|
Mirrors: opts.NewListOpts(nil),
|
|
InsecureRegistries: opts.NewListOpts(nil),
|
|
}
|
|
}
|
|
|
|
// Localhost is by default considered as an insecure registry
|
|
// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
|
|
//
|
|
// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
|
|
// daemon flags on boot2docker?
|
|
options.InsecureRegistries.Set("127.0.0.0/8")
|
|
|
|
config := &ServiceConfig{
|
|
InsecureRegistryCIDRs: make([]*netIPNet, 0),
|
|
IndexConfigs: make(map[string]*IndexInfo, 0),
|
|
// Hack: Bypass setting the mirrors to IndexConfigs since they are going away
|
|
// and Mirrors are only for the official registry anyways.
|
|
Mirrors: options.Mirrors.GetAll(),
|
|
}
|
|
// Split --insecure-registry into CIDR and registry-specific settings.
|
|
for _, r := range options.InsecureRegistries.GetAll() {
|
|
// Check if CIDR was passed to --insecure-registry
|
|
_, ipnet, err := net.ParseCIDR(r)
|
|
if err == nil {
|
|
// Valid CIDR.
|
|
config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, (*netIPNet)(ipnet))
|
|
} else {
|
|
// Assume `host:port` if not CIDR.
|
|
config.IndexConfigs[r] = &IndexInfo{
|
|
Name: r,
|
|
Mirrors: make([]string, 0),
|
|
Secure: false,
|
|
Official: false,
|
|
}
|
|
}
|
|
}
|
|
|
|
// Configure public registry.
|
|
config.IndexConfigs[IndexName] = &IndexInfo{
|
|
Name: IndexName,
|
|
Mirrors: config.Mirrors,
|
|
Secure: true,
|
|
Official: true,
|
|
}
|
|
|
|
return config
|
|
}
|
|
|
|
// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
|
|
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
|
//
|
|
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
|
|
// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
|
|
// insecure.
|
|
//
|
|
// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
|
|
// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
|
|
// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
|
|
// of insecureRegistries.
|
|
func (config *ServiceConfig) isSecureIndex(indexName string) bool {
|
|
// Check for configured index, first. This is needed in case isSecureIndex
|
|
// is called from anything besides NewIndexInfo, in order to honor per-index configurations.
|
|
if index, ok := config.IndexConfigs[indexName]; ok {
|
|
return index.Secure
|
|
}
|
|
|
|
host, _, err := net.SplitHostPort(indexName)
|
|
if err != nil {
|
|
// assume indexName is of the form `host` without the port and go on.
|
|
host = indexName
|
|
}
|
|
|
|
addrs, err := lookupIP(host)
|
|
if err != nil {
|
|
ip := net.ParseIP(host)
|
|
if ip != nil {
|
|
addrs = []net.IP{ip}
|
|
}
|
|
|
|
// if ip == nil, then `host` is neither an IP nor it could be looked up,
|
|
// either because the index is unreachable, or because the index is behind an HTTP proxy.
|
|
// So, len(addrs) == 0 and we're not aborting.
|
|
}
|
|
|
|
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
|
|
for _, addr := range addrs {
|
|
for _, ipnet := range config.InsecureRegistryCIDRs {
|
|
// check if the addr falls in the subnet
|
|
if (*net.IPNet)(ipnet).Contains(addr) {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// ValidateMirror validates an HTTP(S) registry mirror
|
|
func ValidateMirror(val string) (string, error) {
|
|
uri, err := url.Parse(val)
|
|
if err != nil {
|
|
return "", fmt.Errorf("%s is not a valid URI", val)
|
|
}
|
|
|
|
if uri.Scheme != "http" && uri.Scheme != "https" {
|
|
return "", fmt.Errorf("Unsupported scheme %s", uri.Scheme)
|
|
}
|
|
|
|
if uri.Path != "" || uri.RawQuery != "" || uri.Fragment != "" {
|
|
return "", fmt.Errorf("Unsupported path/query/fragment at end of the URI")
|
|
}
|
|
|
|
return fmt.Sprintf("%s://%s/", uri.Scheme, uri.Host), nil
|
|
}
|
|
|
|
// ValidateIndexName validates an index name.
|
|
func ValidateIndexName(val string) (string, error) {
|
|
// 'index.docker.io' => 'docker.io'
|
|
if val == "index."+IndexName {
|
|
val = IndexName
|
|
}
|
|
if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
|
|
return "", fmt.Errorf("Invalid index name (%s). Cannot begin or end with a hyphen.", val)
|
|
}
|
|
// *TODO: Check if valid hostname[:port]/ip[:port]?
|
|
return val, nil
|
|
}
|
|
|
|
func validateRemoteName(remoteName string) error {
|
|
|
|
if !strings.Contains(remoteName, "/") {
|
|
|
|
// the repository name must not be a valid image ID
|
|
if err := image.ValidateID(remoteName); err == nil {
|
|
return fmt.Errorf("Invalid repository name (%s), cannot specify 64-byte hexadecimal strings", remoteName)
|
|
}
|
|
}
|
|
|
|
_, err := reference.WithName(remoteName)
|
|
return err
|
|
}
|
|
|
|
func validateNoSchema(reposName string) error {
|
|
if strings.Contains(reposName, "://") {
|
|
// It cannot contain a scheme!
|
|
return ErrInvalidRepositoryName
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ValidateRepositoryName validates a repository name
|
|
func ValidateRepositoryName(reposName string) error {
|
|
var err error
|
|
if err = validateNoSchema(reposName); err != nil {
|
|
return err
|
|
}
|
|
indexName, remoteName := splitReposName(reposName)
|
|
if _, err = ValidateIndexName(indexName); err != nil {
|
|
return err
|
|
}
|
|
return validateRemoteName(remoteName)
|
|
}
|
|
|
|
// NewIndexInfo returns IndexInfo configuration from indexName
|
|
func (config *ServiceConfig) NewIndexInfo(indexName string) (*IndexInfo, error) {
|
|
var err error
|
|
indexName, err = ValidateIndexName(indexName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Return any configured index info, first.
|
|
if index, ok := config.IndexConfigs[indexName]; ok {
|
|
return index, nil
|
|
}
|
|
|
|
// Construct a non-configured index info.
|
|
index := &IndexInfo{
|
|
Name: indexName,
|
|
Mirrors: make([]string, 0),
|
|
Official: false,
|
|
}
|
|
index.Secure = config.isSecureIndex(indexName)
|
|
return index, nil
|
|
}
|
|
|
|
// GetAuthConfigKey special-cases using the full index address of the official
|
|
// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
|
|
func (index *IndexInfo) GetAuthConfigKey() string {
|
|
if index.Official {
|
|
return IndexServer
|
|
}
|
|
return index.Name
|
|
}
|
|
|
|
// splitReposName breaks a reposName into an index name and remote name
|
|
func splitReposName(reposName string) (string, string) {
|
|
nameParts := strings.SplitN(reposName, "/", 2)
|
|
var indexName, remoteName string
|
|
if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
|
|
!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
|
|
// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
|
|
// 'docker.io'
|
|
indexName = IndexName
|
|
remoteName = reposName
|
|
} else {
|
|
indexName = nameParts[0]
|
|
remoteName = nameParts[1]
|
|
}
|
|
return indexName, remoteName
|
|
}
|
|
|
|
// NewRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
|
|
func (config *ServiceConfig) NewRepositoryInfo(reposName string, bySearch bool) (*RepositoryInfo, error) {
|
|
if err := validateNoSchema(reposName); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
indexName, remoteName := splitReposName(reposName)
|
|
|
|
if !bySearch {
|
|
if err := validateRemoteName(remoteName); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
repoInfo := &RepositoryInfo{
|
|
RemoteName: remoteName,
|
|
}
|
|
|
|
var err error
|
|
repoInfo.Index, err = config.NewIndexInfo(indexName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if repoInfo.Index.Official {
|
|
normalizedName := repoInfo.RemoteName
|
|
if strings.HasPrefix(normalizedName, "library/") {
|
|
// If pull "library/foo", it's stored locally under "foo"
|
|
normalizedName = strings.SplitN(normalizedName, "/", 2)[1]
|
|
}
|
|
|
|
repoInfo.LocalName = normalizedName
|
|
repoInfo.RemoteName = normalizedName
|
|
// If the normalized name does not contain a '/' (e.g. "foo")
|
|
// then it is an official repo.
|
|
if strings.IndexRune(normalizedName, '/') == -1 {
|
|
repoInfo.Official = true
|
|
// Fix up remote name for official repos.
|
|
repoInfo.RemoteName = "library/" + normalizedName
|
|
}
|
|
|
|
repoInfo.CanonicalName = "docker.io/" + repoInfo.RemoteName
|
|
} else {
|
|
repoInfo.LocalName = repoInfo.Index.Name + "/" + repoInfo.RemoteName
|
|
repoInfo.CanonicalName = repoInfo.LocalName
|
|
|
|
}
|
|
|
|
return repoInfo, nil
|
|
}
|
|
|
|
// GetSearchTerm special-cases using local name for official index, and
|
|
// remote name for private indexes.
|
|
func (repoInfo *RepositoryInfo) GetSearchTerm() string {
|
|
if repoInfo.Index.Official {
|
|
return repoInfo.LocalName
|
|
}
|
|
return repoInfo.RemoteName
|
|
}
|
|
|
|
// ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
|
|
// lacks registry configuration.
|
|
func ParseRepositoryInfo(reposName string) (*RepositoryInfo, error) {
|
|
return emptyServiceConfig.NewRepositoryInfo(reposName, false)
|
|
}
|
|
|
|
// ParseIndexInfo will use repository name to get back an indexInfo.
|
|
func ParseIndexInfo(reposName string) (*IndexInfo, error) {
|
|
indexName, _ := splitReposName(reposName)
|
|
|
|
indexInfo, err := emptyServiceConfig.NewIndexInfo(indexName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return indexInfo, nil
|
|
}
|
|
|
|
// NormalizeLocalName transforms a repository name into a normalize LocalName
|
|
// Passes through the name without transformation on error (image id, etc)
|
|
func NormalizeLocalName(name string) string {
|
|
repoInfo, err := ParseRepositoryInfo(name)
|
|
if err != nil {
|
|
return name
|
|
}
|
|
return repoInfo.LocalName
|
|
}
|