2018-02-05 21:05:59 +00:00
|
|
|
package registry // import "github.com/docker/docker/registry"
|
2014-04-27 22:06:09 +00:00
|
|
|
|
2015-05-16 01:35:04 +00:00
|
|
|
import (
|
2018-04-19 22:30:59 +00:00
|
|
|
"context"
|
2015-02-12 18:23:22 +00:00
|
|
|
"crypto/tls"
|
2015-07-21 21:10:34 +00:00
|
|
|
"net/url"
|
2015-11-18 22:20:54 +00:00
|
|
|
"strings"
|
2016-04-25 02:51:28 +00:00
|
|
|
"sync"
|
2015-05-16 01:35:04 +00:00
|
|
|
|
2023-06-23 00:33:17 +00:00
|
|
|
"github.com/containerd/containerd/log"
|
2023-08-30 16:31:46 +00:00
|
|
|
"github.com/distribution/reference"
|
2022-02-26 18:13:43 +00:00
|
|
|
"github.com/docker/docker/api/types/registry"
|
2018-01-11 19:53:06 +00:00
|
|
|
"github.com/docker/docker/errdefs"
|
2015-05-16 01:35:04 +00:00
|
|
|
)
|
2015-04-22 12:06:58 +00:00
|
|
|
|
2023-03-01 00:25:15 +00:00
|
|
|
// Service is a registry service. It tracks configuration data such as a list
|
2015-07-21 19:40:36 +00:00
|
|
|
// of mirrors.
|
2023-03-01 00:25:15 +00:00
|
|
|
type Service struct {
|
2016-03-08 21:03:37 +00:00
|
|
|
config *serviceConfig
|
2022-02-26 13:52:12 +00:00
|
|
|
mu sync.RWMutex
|
2014-04-27 22:06:09 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-07 19:46:24 +00:00
|
|
|
// NewService returns a new instance of [Service] ready to be installed into
|
|
|
|
|
// an engine.
|
2023-03-01 00:25:15 +00:00
|
|
|
func NewService(options ServiceOptions) (*Service, error) {
|
2017-09-01 14:35:04 +00:00
|
|
|
config, err := newServiceConfig(options)
|
|
|
|
|
|
2023-03-01 00:25:15 +00:00
|
|
|
return &Service{config: config}, err
|
2014-04-27 22:06:09 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-26 15:14:50 +00:00
|
|
|
// ServiceConfig returns a copy of the public registry service's configuration.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) ServiceConfig() *registry.ServiceConfig {
|
2022-02-26 13:52:12 +00:00
|
|
|
s.mu.RLock()
|
|
|
|
|
defer s.mu.RUnlock()
|
2022-02-26 15:14:50 +00:00
|
|
|
return s.config.copy()
|
2016-04-25 02:51:28 +00:00
|
|
|
}
|
|
|
|
|
|
2022-08-17 17:33:21 +00:00
|
|
|
// ReplaceConfig prepares a transaction which will atomically replace the
|
|
|
|
|
// registry service's configuration when the returned commit function is called.
|
|
|
|
|
func (s *Service) ReplaceConfig(options ServiceOptions) (commit func(), err error) {
|
|
|
|
|
config, err := newServiceConfig(options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return func() {
|
|
|
|
|
s.mu.Lock()
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
s.config = config
|
|
|
|
|
}, nil
|
2016-03-08 21:03:37 +00:00
|
|
|
}
|
|
|
|
|
|
2014-04-27 22:06:09 +00:00
|
|
|
// Auth contacts the public registry with the provided credentials,
|
2015-08-07 22:24:18 +00:00
|
|
|
// and returns OK if authentication was successful.
|
2014-04-27 22:06:09 +00:00
|
|
|
// It can be used to verify the validity of a client's credentials.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) Auth(ctx context.Context, authConfig *registry.AuthConfig, userAgent string) (status, token string, err error) {
|
2016-05-21 14:00:28 +00:00
|
|
|
// TODO Use ctx when searching for repositories
|
2022-01-20 13:10:43 +00:00
|
|
|
registryHostName := IndexHostname
|
2020-10-28 11:30:48 +00:00
|
|
|
|
|
|
|
|
if authConfig.ServerAddress != "" {
|
|
|
|
|
serverAddress := authConfig.ServerAddress
|
|
|
|
|
if !strings.HasPrefix(serverAddress, "https://") && !strings.HasPrefix(serverAddress, "http://") {
|
|
|
|
|
serverAddress = "https://" + serverAddress
|
|
|
|
|
}
|
|
|
|
|
u, err := url.Parse(serverAddress)
|
|
|
|
|
if err != nil {
|
2022-02-26 12:45:12 +00:00
|
|
|
return "", "", invalidParamWrapf(err, "unable to parse server address")
|
2020-10-28 11:30:48 +00:00
|
|
|
}
|
|
|
|
|
registryHostName = u.Host
|
2016-02-23 23:18:04 +00:00
|
|
|
}
|
|
|
|
|
|
2020-10-28 11:05:40 +00:00
|
|
|
// Lookup endpoints for authentication using "LookupPushEndpoints", which
|
|
|
|
|
// excludes mirrors to prevent sending credentials of the upstream registry
|
|
|
|
|
// to a mirror.
|
2020-10-28 11:30:48 +00:00
|
|
|
endpoints, err := s.LookupPushEndpoints(registryHostName)
|
2015-03-31 23:21:37 +00:00
|
|
|
if err != nil {
|
2022-02-26 12:45:12 +00:00
|
|
|
return "", "", invalidParam(err)
|
2014-04-27 22:06:09 +00:00
|
|
|
}
|
2015-09-16 17:42:17 +00:00
|
|
|
|
2016-03-01 07:07:41 +00:00
|
|
|
for _, endpoint := range endpoints {
|
2020-12-07 15:09:05 +00:00
|
|
|
status, token, err = loginV2(authConfig, endpoint, userAgent)
|
|
|
|
|
if err == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if errdefs.IsUnauthorized(err) {
|
|
|
|
|
// Failed to authenticate; don't continue with (non-TLS) endpoints.
|
|
|
|
|
return status, token, err
|
|
|
|
|
}
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(ctx).WithError(err).Infof("Error logging in to endpoint, trying next endpoint")
|
2014-12-12 01:55:15 +00:00
|
|
|
}
|
2016-03-01 07:07:41 +00:00
|
|
|
|
2016-02-23 23:18:04 +00:00
|
|
|
return "", "", err
|
2014-04-27 22:06:09 +00:00
|
|
|
}
|
2014-04-27 22:21:42 +00:00
|
|
|
|
2015-11-18 22:20:54 +00:00
|
|
|
// ResolveRepository splits a repository name into its components
|
2015-09-22 11:44:40 +00:00
|
|
|
// and configuration of the associated registry.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
|
2022-02-26 13:52:12 +00:00
|
|
|
s.mu.RLock()
|
|
|
|
|
defer s.mu.RUnlock()
|
2016-03-08 21:03:37 +00:00
|
|
|
return newRepositoryInfo(s.config, name)
|
2014-10-07 01:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2015-07-21 19:40:36 +00:00
|
|
|
// APIEndpoint represents a remote API endpoint
|
2015-02-12 18:23:22 +00:00
|
|
|
type APIEndpoint struct {
|
2017-05-09 21:00:31 +00:00
|
|
|
Mirror bool
|
|
|
|
|
URL *url.URL
|
2023-08-29 10:47:07 +00:00
|
|
|
Version APIVersion // Deprecated: v1 registries are deprecated, and endpoints are always v2.
|
2017-05-09 21:00:31 +00:00
|
|
|
AllowNondistributableArtifacts bool
|
|
|
|
|
Official bool
|
|
|
|
|
TrimHostname bool
|
|
|
|
|
TLSConfig *tls.Config
|
2015-02-12 18:23:22 +00:00
|
|
|
}
|
|
|
|
|
|
2020-10-28 11:05:40 +00:00
|
|
|
// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
|
|
|
|
|
// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
|
2022-02-26 13:52:12 +00:00
|
|
|
s.mu.RLock()
|
|
|
|
|
defer s.mu.RUnlock()
|
2016-04-25 02:51:28 +00:00
|
|
|
|
2020-10-28 11:05:40 +00:00
|
|
|
return s.lookupV2Endpoints(hostname)
|
2015-08-06 21:41:59 +00:00
|
|
|
}
|
|
|
|
|
|
2020-10-28 11:05:40 +00:00
|
|
|
// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
|
|
|
|
|
// It gives preference to HTTPS over plain HTTP. Mirrors are not included.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
|
2022-02-26 13:52:12 +00:00
|
|
|
s.mu.RLock()
|
|
|
|
|
defer s.mu.RUnlock()
|
2016-04-25 02:51:28 +00:00
|
|
|
|
2020-10-28 11:05:40 +00:00
|
|
|
allEndpoints, err := s.lookupV2Endpoints(hostname)
|
2015-08-07 01:21:02 +00:00
|
|
|
if err == nil {
|
|
|
|
|
for _, endpoint := range allEndpoints {
|
|
|
|
|
if !endpoint.Mirror {
|
|
|
|
|
endpoints = append(endpoints, endpoint)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return endpoints, err
|
2015-08-06 21:41:59 +00:00
|
|
|
}
|
2022-09-01 15:03:10 +00:00
|
|
|
|
|
|
|
|
// IsInsecureRegistry returns true if the registry at given host is configured as
|
|
|
|
|
// insecure registry.
|
2023-03-01 00:25:15 +00:00
|
|
|
func (s *Service) IsInsecureRegistry(host string) bool {
|
2023-03-01 00:42:49 +00:00
|
|
|
s.mu.RLock()
|
|
|
|
|
defer s.mu.RUnlock()
|
2022-09-01 15:03:10 +00:00
|
|
|
return !s.config.isSecureIndex(host)
|
|
|
|
|
}
|
