Merge pull request #35751 from thaJeztah/disallow-v1-registries
Disallow using legacy (V1) registries
This commit is contained in:
Victor Vieux
GitHub
commit
549a2b9bbe
6 changed files with 15 additions and 93 deletions
|
|
@ -92,6 +92,8 @@ func installRegistryServiceFlags(options *registry.ServiceOptions, flags *pflag.
|
|||
flags.Var(insecureRegistries, "insecure-registry", "Enable insecure registry communication")
|
||||
|
||||
if runtime.GOOS != "windows" {
|
||||
// TODO: Remove this flag after 3 release cycles (18.03)
|
||||
flags.BoolVar(&options.V2Only, "disable-legacy-registry", true, "Disable contacting legacy registries")
|
||||
flags.MarkHidden("disable-legacy-registry")
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ import (
|
|||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
|
|
@ -472,8 +473,15 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if !conf.V2Only {
|
||||
logrus.Warnf(`The "disable-legacy-registry" option is deprecated and wil be removed in Docker v17.12. Interacting with legacy (v1) registries will no longer be supported in Docker v17.12"`)
|
||||
if runtime.GOOS != "windows" {
|
||||
if flags.Changed("disable-legacy-registry") {
|
||||
// TODO: Remove this error after 3 release cycles (18.03)
|
||||
return nil, errors.New("ERROR: The '--disable-legacy-registry' flag has been removed. Interacting with legacy (v1) registries is no longer supported")
|
||||
}
|
||||
if !conf.V2Only {
|
||||
// TODO: Remove this error after 3 release cycles (18.03)
|
||||
return nil, errors.New("ERROR: The 'disable-legacy-registry' configuration option has been removed. Interacting with legacy (v1) registries is no longer supported")
|
||||
}
|
||||
}
|
||||
|
||||
if flags.Changed("graph") {
|
||||
|
|
|
|||
|
|
@ -97,15 +97,3 @@ func TestLoadDaemonConfigWithTrueDefaultValuesLeaveDefaults(t *testing.T) {
|
|||
|
||||
assert.True(t, loadedConfig.EnableUserlandProxy)
|
||||
}
|
||||
|
||||
func TestLoadDaemonConfigWithLegacyRegistryOptions(t *testing.T) {
|
||||
content := `{"disable-legacy-registry": false}`
|
||||
tempFile := fs.NewFile(t, "config", fs.WithContent(content))
|
||||
defer tempFile.Remove()
|
||||
|
||||
opts := defaultOptions(tempFile.Path())
|
||||
loadedConfig, err := loadDaemonCliConfig(opts)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, loadedConfig)
|
||||
assert.False(t, loadedConfig.V2Only)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,9 +13,7 @@ import (
|
|||
)
|
||||
|
||||
func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C) {
|
||||
|
||||
// @TODO TestLogoutWithExternalAuth expects docker to fall back to a v1 registry, so has to be updated for v17.12, when v1 registries are no longer supported
|
||||
s.d.StartWithBusybox(c, "--disable-legacy-registry=false")
|
||||
s.d.StartWithBusybox(c)
|
||||
|
||||
osPath := os.Getenv("PATH")
|
||||
defer os.Setenv("PATH", osPath)
|
||||
|
|
@ -62,7 +60,7 @@ func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C)
|
|||
// check I cannot pull anymore
|
||||
out, err := s.d.Cmd("--config", tmp, "pull", repoName)
|
||||
c.Assert(err, check.NotNil, check.Commentf(out))
|
||||
c.Assert(out, checker.Contains, "Error: image dockercli/busybox:authtest not found")
|
||||
c.Assert(out, checker.Contains, "no basic auth credentials")
|
||||
}
|
||||
|
||||
// #23100
|
||||
|
|
|
|||
|
|
@ -259,18 +259,6 @@ func (s *DockerHubPullSuite) TestPullClientDisconnect(c *check.C) {
|
|||
c.Assert(err, checker.NotNil, check.Commentf("image was pulled after client disconnected"))
|
||||
}
|
||||
|
||||
func (s *DockerRegistryAuthHtpasswdSuite) TestPullNoCredentialsNotFound(c *check.C) {
|
||||
// @TODO TestPullNoCredentialsNotFound expects docker to fall back to a v1 registry, so has to be updated for v17.12, when v1 registries are no longer supported
|
||||
s.d.StartWithBusybox(c, "--disable-legacy-registry=false")
|
||||
|
||||
// we don't care about the actual image, we just want to see image not found
|
||||
// because that means v2 call returned 401 and we fell back to v1 which usually
|
||||
// gives a 404 (in this case the test registry doesn't handle v1 at all)
|
||||
out, err := s.d.Cmd("pull", privateRegistryURL+"/busybox")
|
||||
c.Assert(err, check.NotNil, check.Commentf(out))
|
||||
c.Assert(out, checker.Contains, "Error: image busybox:latest not found")
|
||||
}
|
||||
|
||||
// Regression test for https://github.com/docker/docker/issues/26429
|
||||
func (s *DockerSuite) TestPullLinuxImageFailsOnWindows(c *check.C) {
|
||||
testRequires(c, DaemonIsWindows, Network)
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ func makefile(path string, contents string) (string, error) {
|
|||
return f.Name(), nil
|
||||
}
|
||||
|
||||
// TestV2Only ensures that a daemon by default does not
|
||||
// TestV2Only ensures that a daemon does not
|
||||
// attempt to contact any v1 registry endpoints.
|
||||
func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
|
||||
reg, err := registry.NewMock(c)
|
||||
|
|
@ -56,65 +56,3 @@ func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
|
|||
s.d.Cmd("push", repoName)
|
||||
s.d.Cmd("pull", repoName)
|
||||
}
|
||||
|
||||
// TestV1 starts a daemon with legacy registries enabled
|
||||
// and ensure v1 endpoints are hit for the following operations:
|
||||
// login, push, pull, build & run
|
||||
func (s *DockerRegistrySuite) TestV1(c *check.C) {
|
||||
reg, err := registry.NewMock(c)
|
||||
defer reg.Close()
|
||||
c.Assert(err, check.IsNil)
|
||||
|
||||
v2Pings := 0
|
||||
reg.RegisterHandler("/v2/", func(w http.ResponseWriter, r *http.Request) {
|
||||
v2Pings++
|
||||
// V2 ping 404 causes fallback to v1
|
||||
w.WriteHeader(404)
|
||||
})
|
||||
|
||||
v1Pings := 0
|
||||
reg.RegisterHandler("/v1/_ping", func(w http.ResponseWriter, r *http.Request) {
|
||||
v1Pings++
|
||||
})
|
||||
|
||||
v1Logins := 0
|
||||
reg.RegisterHandler("/v1/users/", func(w http.ResponseWriter, r *http.Request) {
|
||||
v1Logins++
|
||||
})
|
||||
|
||||
v1Repo := 0
|
||||
reg.RegisterHandler("/v1/repositories/busybox/", func(w http.ResponseWriter, r *http.Request) {
|
||||
v1Repo++
|
||||
})
|
||||
|
||||
reg.RegisterHandler("/v1/repositories/busybox/images", func(w http.ResponseWriter, r *http.Request) {
|
||||
v1Repo++
|
||||
})
|
||||
|
||||
s.d.Start(c, "--insecure-registry", reg.URL(), "--disable-legacy-registry=false")
|
||||
|
||||
tmp, err := ioutil.TempDir("", "integration-cli-")
|
||||
c.Assert(err, check.IsNil)
|
||||
defer os.RemoveAll(tmp)
|
||||
|
||||
dockerfileName, err := makefile(tmp, fmt.Sprintf("FROM %s/busybox", reg.URL()))
|
||||
c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile"))
|
||||
|
||||
s.d.Cmd("build", "--file", dockerfileName, tmp)
|
||||
c.Assert(v1Repo, check.Equals, 1, check.Commentf("Expected v1 repository access after build"))
|
||||
|
||||
repoName := fmt.Sprintf("%s/busybox", reg.URL())
|
||||
s.d.Cmd("run", repoName)
|
||||
c.Assert(v1Repo, check.Equals, 2, check.Commentf("Expected v1 repository access after run"))
|
||||
|
||||
s.d.Cmd("login", "-u", "richard", "-p", "testtest", reg.URL())
|
||||
c.Assert(v1Logins, check.Equals, 1, check.Commentf("Expected v1 login attempt"))
|
||||
|
||||
s.d.Cmd("tag", "busybox", repoName)
|
||||
s.d.Cmd("push", repoName)
|
||||
|
||||
c.Assert(v1Repo, check.Equals, 2)
|
||||
|
||||
s.d.Cmd("pull", repoName)
|
||||
c.Assert(v1Repo, check.Equals, 3, check.Commentf("Expected v1 repository access after pull"))
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue