123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456 |
- package registry
- import (
- "fmt"
- "net"
- "net/url"
- "regexp"
- "strconv"
- "strings"
- "github.com/Sirupsen/logrus"
- "github.com/docker/distribution/reference"
- registrytypes "github.com/docker/docker/api/types/registry"
- "github.com/docker/docker/opts"
- "github.com/pkg/errors"
- "github.com/spf13/pflag"
- )
- // ServiceOptions holds command line options.
- type ServiceOptions struct {
- AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`
- Mirrors []string `json:"registry-mirrors,omitempty"`
- InsecureRegistries []string `json:"insecure-registries,omitempty"`
- // V2Only controls access to legacy registries. If it is set to true via the
- // command line flag the daemon will not attempt to contact v1 legacy registries
- V2Only bool `json:"disable-legacy-registry,omitempty"`
- }
- // serviceConfig holds daemon configuration for the registry service.
- type serviceConfig struct {
- registrytypes.ServiceConfig
- V2Only bool
- }
- var (
- // DefaultNamespace is the default namespace
- DefaultNamespace = "docker.io"
- // DefaultRegistryVersionHeader is the name of the default HTTP header
- // that carries Registry version info
- DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
- // IndexHostname is the index hostname
- IndexHostname = "index.docker.io"
- // IndexServer is used for user auth and image search
- IndexServer = "https://" + IndexHostname + "/v1/"
- // IndexName is the name of the index
- IndexName = "docker.io"
- // NotaryServer is the endpoint serving the Notary trust server
- NotaryServer = "https://notary.docker.io"
- // DefaultV2Registry is the URI of the default v2 registry
- DefaultV2Registry = &url.URL{
- Scheme: "https",
- Host: "registry-1.docker.io",
- }
- )
- var (
- // ErrInvalidRepositoryName is an error returned if the repository name did
- // not have the correct form
- ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
- emptyServiceConfig = newServiceConfig(ServiceOptions{})
- )
- var (
- validHostPortRegex = regexp.MustCompile(`^` + reference.DomainRegexp.String() + `$`)
- )
- // for mocking in unit tests
- var lookupIP = net.LookupIP
- // InstallCliFlags adds command-line options to the top-level flag parser for
- // the current process.
- func (options *ServiceOptions) InstallCliFlags(flags *pflag.FlagSet) {
- ana := opts.NewNamedListOptsRef("allow-nondistributable-artifacts", &options.AllowNondistributableArtifacts, ValidateIndexName)
- mirrors := opts.NewNamedListOptsRef("registry-mirrors", &options.Mirrors, ValidateMirror)
- insecureRegistries := opts.NewNamedListOptsRef("insecure-registries", &options.InsecureRegistries, ValidateIndexName)
- flags.Var(ana, "allow-nondistributable-artifacts", "Allow push of nondistributable artifacts to registry")
- flags.Var(mirrors, "registry-mirror", "Preferred Docker registry mirror")
- flags.Var(insecureRegistries, "insecure-registry", "Enable insecure registry communication")
- options.installCliPlatformFlags(flags)
- }
- // newServiceConfig returns a new instance of ServiceConfig
- func newServiceConfig(options ServiceOptions) *serviceConfig {
- config := &serviceConfig{
- ServiceConfig: registrytypes.ServiceConfig{
- InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
- IndexConfigs: make(map[string]*registrytypes.IndexInfo, 0),
- // Hack: Bypass setting the mirrors to IndexConfigs since they are going away
- // and Mirrors are only for the official registry anyways.
- },
- V2Only: options.V2Only,
- }
- config.LoadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts)
- config.LoadMirrors(options.Mirrors)
- config.LoadInsecureRegistries(options.InsecureRegistries)
- return config
- }
- // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
- func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error {
- cidrs := map[string]*registrytypes.NetIPNet{}
- hostnames := map[string]bool{}
- for _, r := range registries {
- if _, err := ValidateIndexName(r); err != nil {
- return err
- }
- if validateNoScheme(r) != nil {
- return fmt.Errorf("allow-nondistributable-artifacts registry %s should not contain '://'", r)
- }
- if _, ipnet, err := net.ParseCIDR(r); err == nil {
- // Valid CIDR.
- cidrs[ipnet.String()] = (*registrytypes.NetIPNet)(ipnet)
- } else if err := validateHostPort(r); err == nil {
- // Must be `host:port` if not CIDR.
- hostnames[r] = true
- } else {
- return fmt.Errorf("allow-nondistributable-artifacts registry %s is not valid: %v", r, err)
- }
- }
- config.AllowNondistributableArtifactsCIDRs = make([]*(registrytypes.NetIPNet), 0)
- for _, c := range cidrs {
- config.AllowNondistributableArtifactsCIDRs = append(config.AllowNondistributableArtifactsCIDRs, c)
- }
- config.AllowNondistributableArtifactsHostnames = make([]string, 0)
- for h := range hostnames {
- config.AllowNondistributableArtifactsHostnames = append(config.AllowNondistributableArtifactsHostnames, h)
- }
- return nil
- }
- // LoadMirrors loads mirrors to config, after removing duplicates.
- // Returns an error if mirrors contains an invalid mirror.
- func (config *serviceConfig) LoadMirrors(mirrors []string) error {
- mMap := map[string]struct{}{}
- unique := []string{}
- for _, mirror := range mirrors {
- m, err := ValidateMirror(mirror)
- if err != nil {
- return err
- }
- if _, exist := mMap[m]; !exist {
- mMap[m] = struct{}{}
- unique = append(unique, m)
- }
- }
- config.Mirrors = unique
- // Configure public registry since mirrors may have changed.
- config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{
- Name: IndexName,
- Mirrors: config.Mirrors,
- Secure: true,
- Official: true,
- }
- return nil
- }
- // LoadInsecureRegistries loads insecure registries to config
- func (config *serviceConfig) LoadInsecureRegistries(registries []string) error {
- // Localhost is by default considered as an insecure registry
- // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
- //
- // TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
- // daemon flags on boot2docker?
- registries = append(registries, "127.0.0.0/8")
- // Store original InsecureRegistryCIDRs and IndexConfigs
- // Clean InsecureRegistryCIDRs and IndexConfigs in config, as passed registries has all insecure registry info.
- originalCIDRs := config.ServiceConfig.InsecureRegistryCIDRs
- originalIndexInfos := config.ServiceConfig.IndexConfigs
- config.ServiceConfig.InsecureRegistryCIDRs = make([]*registrytypes.NetIPNet, 0)
- config.ServiceConfig.IndexConfigs = make(map[string]*registrytypes.IndexInfo, 0)
- skip:
- for _, r := range registries {
- // validate insecure registry
- if _, err := ValidateIndexName(r); err != nil {
- // before returning err, roll back to original data
- config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
- config.ServiceConfig.IndexConfigs = originalIndexInfos
- return err
- }
- if strings.HasPrefix(strings.ToLower(r), "http://") {
- logrus.Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r)
- r = r[7:]
- } else if strings.HasPrefix(strings.ToLower(r), "https://") {
- logrus.Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r)
- r = r[8:]
- } else if validateNoScheme(r) != nil {
- // Insecure registry should not contain '://'
- // before returning err, roll back to original data
- config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
- config.ServiceConfig.IndexConfigs = originalIndexInfos
- return fmt.Errorf("insecure registry %s should not contain '://'", r)
- }
- // Check if CIDR was passed to --insecure-registry
- _, ipnet, err := net.ParseCIDR(r)
- if err == nil {
- // Valid CIDR. If ipnet is already in config.InsecureRegistryCIDRs, skip.
- data := (*registrytypes.NetIPNet)(ipnet)
- for _, value := range config.InsecureRegistryCIDRs {
- if value.IP.String() == data.IP.String() && value.Mask.String() == data.Mask.String() {
- continue skip
- }
- }
- // ipnet is not found, add it in config.InsecureRegistryCIDRs
- config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, data)
- } else {
- if err := validateHostPort(r); err != nil {
- config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
- config.ServiceConfig.IndexConfigs = originalIndexInfos
- return fmt.Errorf("insecure registry %s is not valid: %v", r, err)
- }
- // Assume `host:port` if not CIDR.
- config.IndexConfigs[r] = ®istrytypes.IndexInfo{
- Name: r,
- Mirrors: make([]string, 0),
- Secure: false,
- Official: false,
- }
- }
- }
- // Configure public registry.
- config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{
- Name: IndexName,
- Mirrors: config.Mirrors,
- Secure: true,
- Official: true,
- }
- return nil
- }
- // allowNondistributableArtifacts returns true if the provided hostname is part of the list of regsitries
- // that allow push of nondistributable artifacts.
- //
- // The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP
- // of the registry specified by hostname, true is returned.
- //
- // hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
- // or an IP address. If it is a domain name, then it will be resolved to IP addresses for matching. If
- // resolution fails, CIDR matching is not performed.
- func allowNondistributableArtifacts(config *serviceConfig, hostname string) bool {
- for _, h := range config.AllowNondistributableArtifactsHostnames {
- if h == hostname {
- return true
- }
- }
- return isCIDRMatch(config.AllowNondistributableArtifactsCIDRs, hostname)
- }
- // isSecureIndex returns false if the provided indexName is part of the list of insecure registries
- // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
- //
- // The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
- // If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
- // insecure.
- //
- // indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
- // or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
- // in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
- // of insecureRegistries.
- func isSecureIndex(config *serviceConfig, indexName string) bool {
- // Check for configured index, first. This is needed in case isSecureIndex
- // is called from anything besides newIndexInfo, in order to honor per-index configurations.
- if index, ok := config.IndexConfigs[indexName]; ok {
- return index.Secure
- }
- return !isCIDRMatch(config.InsecureRegistryCIDRs, indexName)
- }
- // isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`)
- // where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be
- // resolved to IP addresses for matching. If resolution fails, false is returned.
- func isCIDRMatch(cidrs []*registrytypes.NetIPNet, URLHost string) bool {
- host, _, err := net.SplitHostPort(URLHost)
- if err != nil {
- // Assume URLHost is of the form `host` without the port and go on.
- host = URLHost
- }
- addrs, err := lookupIP(host)
- if err != nil {
- ip := net.ParseIP(host)
- if ip != nil {
- addrs = []net.IP{ip}
- }
- // if ip == nil, then `host` is neither an IP nor it could be looked up,
- // either because the index is unreachable, or because the index is behind an HTTP proxy.
- // So, len(addrs) == 0 and we're not aborting.
- }
- // Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
- for _, addr := range addrs {
- for _, ipnet := range cidrs {
- // check if the addr falls in the subnet
- if (*net.IPNet)(ipnet).Contains(addr) {
- return true
- }
- }
- }
- return false
- }
- // ValidateMirror validates an HTTP(S) registry mirror
- func ValidateMirror(val string) (string, error) {
- uri, err := url.Parse(val)
- if err != nil {
- return "", fmt.Errorf("invalid mirror: %q is not a valid URI", val)
- }
- if uri.Scheme != "http" && uri.Scheme != "https" {
- return "", fmt.Errorf("invalid mirror: unsupported scheme %q in %q", uri.Scheme, uri)
- }
- if (uri.Path != "" && uri.Path != "/") || uri.RawQuery != "" || uri.Fragment != "" {
- return "", fmt.Errorf("invalid mirror: path, query, or fragment at end of the URI %q", uri)
- }
- if uri.User != nil {
- // strip password from output
- uri.User = url.UserPassword(uri.User.Username(), "xxxxx")
- return "", fmt.Errorf("invalid mirror: username/password not allowed in URI %q", uri)
- }
- return strings.TrimSuffix(val, "/") + "/", nil
- }
- // ValidateIndexName validates an index name.
- func ValidateIndexName(val string) (string, error) {
- // TODO: upstream this to check to reference package
- if val == "index.docker.io" {
- val = "docker.io"
- }
- if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
- return "", fmt.Errorf("Invalid index name (%s). Cannot begin or end with a hyphen.", val)
- }
- return val, nil
- }
- func validateNoScheme(reposName string) error {
- if strings.Contains(reposName, "://") {
- // It cannot contain a scheme!
- return ErrInvalidRepositoryName
- }
- return nil
- }
- func validateHostPort(s string) error {
- // Split host and port, and in case s can not be splitted, assume host only
- host, port, err := net.SplitHostPort(s)
- if err != nil {
- host = s
- port = ""
- }
- // If match against the `host:port` pattern fails,
- // it might be `IPv6:port`, which will be captured by net.ParseIP(host)
- if !validHostPortRegex.MatchString(s) && net.ParseIP(host) == nil {
- return fmt.Errorf("invalid host %q", host)
- }
- if port != "" {
- v, err := strconv.Atoi(port)
- if err != nil {
- return err
- }
- if v < 0 || v > 65535 {
- return fmt.Errorf("invalid port %q", port)
- }
- }
- return nil
- }
- // newIndexInfo returns IndexInfo configuration from indexName
- func newIndexInfo(config *serviceConfig, indexName string) (*registrytypes.IndexInfo, error) {
- var err error
- indexName, err = ValidateIndexName(indexName)
- if err != nil {
- return nil, err
- }
- // Return any configured index info, first.
- if index, ok := config.IndexConfigs[indexName]; ok {
- return index, nil
- }
- // Construct a non-configured index info.
- index := ®istrytypes.IndexInfo{
- Name: indexName,
- Mirrors: make([]string, 0),
- Official: false,
- }
- index.Secure = isSecureIndex(config, indexName)
- return index, nil
- }
- // GetAuthConfigKey special-cases using the full index address of the official
- // index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
- func GetAuthConfigKey(index *registrytypes.IndexInfo) string {
- if index.Official {
- return IndexServer
- }
- return index.Name
- }
- // newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
- func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) {
- index, err := newIndexInfo(config, reference.Domain(name))
- if err != nil {
- return nil, err
- }
- official := !strings.ContainsRune(reference.FamiliarName(name), '/')
- return &RepositoryInfo{
- Name: reference.TrimNamed(name),
- Index: index,
- Official: official,
- }, nil
- }
- // ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
- // lacks registry configuration.
- func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) {
- return newRepositoryInfo(emptyServiceConfig, reposName)
- }
- // ParseSearchIndexInfo will use repository name to get back an indexInfo.
- func ParseSearchIndexInfo(reposName string) (*registrytypes.IndexInfo, error) {
- indexName, _ := splitReposSearchTerm(reposName)
- indexInfo, err := newIndexInfo(emptyServiceConfig, indexName)
- if err != nil {
- return nil, err
- }
- return indexInfo, nil
- }
|