Commit graph

203 commits

Author SHA1 Message Date
Derek McGowan
66a5e34cc4
Use system ca pool from tlsconfig
Remove deprecated config from local pkg/tlsconfig.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-10-31 14:52:07 -07:00
Tonis Tiigi
7a8c7b47cf Fix govet for go1.7
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 19:07:54 -07:00
allencloud
c1be45fa38 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-06-02 17:17:22 +08:00
Brett Higgins
207027087e Respect ALL_PROXY during registry operations
Use sockets.DialerFromEnvironment, as is done in other places,
to transparently support SOCKS proxy config from ALL_PROXY
environment variable.

Requires the *engine* have the ALL_PROXY env var set, which
doesn't seem ideal. Maybe it should be a CLI option somehow?

Only tested with push and a v2 registry so far. I'm happy to look
further into testing more broadly, but I wanted to get feedback on
the general idea first.

Signed-off-by: Brett Higgins <brhiggins@arbor.net>
2016-04-25 15:08:30 -04:00
David Calavera
59586d02b1 Move registry service options to the daemon configuration.
Allowing to set their values in the daemon configuration file.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-10 11:53:11 -05:00
Aaron Lehmann
8f26fe4f59 Push/pull errors improvement and cleanup
Several improvements to error handling:

- Introduce ImageConfigPullError type, wrapping errors related to
  downloading the image configuration blob in schema2. This allows for a
  more descriptive error message to be seen by the end user.

- Change some logrus.Debugf calls that display errors to logrus.Errorf.
  Add log lines in the push/pull fallback cases to make sure the errors
  leading to the fallback are shown.

- Move error-related types and functions which are only used by the
  distribution package out of the registry package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-11 16:28:56 -08:00
David Calavera
7bca932182 Respond with 401 when there is an unauthorized error from the registry.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-01-27 13:55:33 -05:00
Tibor Vass
07e2dedecb Merge pull request #19057 from dnephin/remove_version_from_registry_pkg
Remove dockerversion from registry package
2016-01-25 22:45:06 -08:00
Aaron Lehmann
d5e2802eae Clarify error message when a .cert file is missing a corresponding key
The daemon uses two similar filename extensions to identify different
kinds of certificates. ".crt" files are interpreted as CA certificates,
and ".cert" files are interprted as client certificates. If a CA
certificate is accidentally given the extension ".cert", it will lead to
the following error message:

    Missing key ca.key for certificate ca.cert

To make this slightly less confusing, clarify the error message with a
note that CA certificates should use the extension ".crt".

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-20 11:34:59 -08:00
Daniel Nephin
61a49bb6ba Remove the use of dockerversion from the registry package
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-01-15 12:43:54 -05:00
Phil Estes
6c30931b06 Merge pull request #18889 from aaronlehmann/v1-fallback-pull-all-tags
Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
2016-01-05 16:20:04 -05:00
David Calavera
8e034802b7 Remove usage of pkg sockets and tlsconfig.
- Use the ones provided by docker/go-connections, they are a drop in replacement.
- Remove pkg/sockets from docker.
- Keep pkg/tlsconfig because libnetwork still needs it and there is a
  circular dependency issue.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-29 19:27:12 -05:00
Aaron Lehmann
589a5226e7 Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
This is a followup to #18839. That PR relaxed the fallback logic so that
if a manifest doesn't exist on v2, or the user is unauthorized to access
it, we try again with the v1 protocol. A similar special case is needed
for "pull all tags" (docker pull -a). If the v2 registry doesn't
recognize the repository, or doesn't allow the user to access it, we
should fall back to v1 and try to pull all tags from the v1 registry.
Conversely, if the v2 registry does allow us to list the tags, there
should be no fallback, even if there are errors pulling those tags.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-23 15:21:43 -08:00
Aaron Lehmann
9d6acbee92 When a manifest is not found, allow fallback to v1
PR #18590 caused compatibility issues with registries such as gcr.io
which support both the v1 and v2 protocols, but do not provide the same
set of images over both protocols. After #18590, pulls from these
registries would never use the v1 protocol, because of the
Docker-Distribution-Api-Version header indicating that v2 was supported.

Fix the problem by making an exception for the case where a manifest is
not found. This should allow fallback to v1 in case that image is
exposed over the v1 protocol but not the v2 protocol.

This avoids the overly aggressive fallback behavior before #18590 which
would allow protocol fallback after almost any error, but restores
interoperability with mixed v1/v2 registry setups.

Fixes #18832

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-21 18:19:38 -08:00
Aaron Lehmann
1ebfa29954 Add missing bounds in ContinueOnError
ContinueOnError assumes that something of type errcode.Errors contains
at least one error. This is generally true, but might not be true if the
remote registry returns an empty error body or invalid JSON. Add the
bounds check, and in the case where it fails, allow fallbacks to v1.

Fixes #18481

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-08 09:54:20 -08:00
Michal Gebauer
bcd0f0cdc4 Check if CertsDir is not empty
Signed-off-by: Michal Gebauer <mishak@mishak.net>
2015-11-25 18:12:19 +01:00
Alexander Morozov
90e2459ecb registry/registry.go: simplify logical expression
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-17 16:12:11 -08:00
Anil Belur
31cdc63419 Fix for #17168 misleading pull error
This fix avoids overwritting the previous error messages, ensures the client gets the correct error messages and not just the most recent message during the pull request.
For this `var lastErr` replaced with a slice which acts as a temp place holder for the list of returned error messages for every attempt.
The slice is later joined and returned to the caller function after searching for the image with diffirent versions(v2,v1,v0).

Updated the code with check for no space left on device error occurance and prevent the
daemon on falling back to v1,v0.

Incorporated the comments from @calavera, @RichardScothern, @cpuguy83

Signed-off-by: Anil Belur <askb23@gmail.com>
2015-11-14 16:24:45 +05:30
Vincent Demeester
8054a30387 dockerversion placeholder for library import
- Add a *version* file placeholder.
- Update autogen and builds to use it and an autogen build flag

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-11-09 19:32:46 +01:00
Jess Frazelle
e704182c9c Merge pull request #17614 from LK4D4/fix_golint
Update linting tools to latest versions
2015-11-03 15:32:12 -08:00
Aaron Lehmann
257c59251b Vendor updated version of docker/distribution
This updates the vendored docker/distribution to the current master
branch.

Note the following changes:

- The manifest package was split into manifest/schema1. Most references
  to the manifest package in the engine needed to be updated to use
  schema1 instead.

- Validation functions in api/v2 were replaced by the
  distribution/reference package. The engine code has been updated to
  use the reference package for validation where necessary. A future PR
  will change the engine to use the types defined in
  distribution/reference more comprehensively.

- The reference package explicitly allows double _ characters in
  repository names. registry_test.go was updated for this.

- TestPullFailsWithAlteredManifest was corrupting the manifest JSON, now
  that the schema1 package unmarshals the correct payload. The test is
  being changed to modify the JSON without affecting its length, which
  allows the pull to succeed to the point where digest validation
  happens.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-11-02 12:40:18 -08:00
Alexander Morozov
7aa28b6bdd Fix go vet warnings
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-02 08:28:34 -08:00
Brian Goff
b78ca243d9 Revert "dockerversion placeholder for library-import"
This reverts commit d5cd032a86.

Commit caused issues on systems with case-insensitive filesystems.
Revert for now

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-10-27 21:23:53 -04:00
Vincent Demeester
d5cd032a86 dockerversion placeholder for library-import
- Move autogen/dockerversion to version
- Update autogen and "builds" to use this package and a build flag

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-10-27 20:36:07 +01:00
Richard Scothern
39f2f15a35 Prevent push and pull to v1 registries by filtering the available endpoints.
Add a daemon flag to control this behaviour.  Add a warning message when pulling
an image from a v1 registry.  The default order of pull is slightly altered
with this changset.

Previously it was:
https v2, https v1, http v2, http v1

now it is:
https v2, http v2, https v1, http v1

Prevent login to v1 registries by explicitly setting the version before ping to
prevent fallback to v1.

Add unit tests for v2 only mode.  Create a mock server that can register
handlers for various endpoints.  Assert no v1 endpoints are hit with legacy
registries disabled for the following commands:  pull, push, build, run and
login.  Assert the opposite when legacy registries are not disabled.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-09-25 15:59:42 -07:00
John Howard
831b00303f Windows: Fix certificate directory for registry
Signed-off-by: John Howard <jhoward@microsoft.com>
2015-08-05 13:25:41 -07:00
Tibor Vass
ad96fc310b Merge pull request #14970 from tiborvass/windows-registry-endpoint
registry: Change default endpoint on windows to a windows-specific one
2015-07-30 22:41:34 -04:00
Tibor Vass
a21ba12f4e registry: allow fallback on unknown errors
This patch fixes a bug where a user specifies a v1 mirror for
--registry-mirror and pull an image from the Hub.

It used to not fallback because of an unexpected error returned when
trying to JSON marshal nginx output.

We now ensure that any unexpected error falls back to the next endpoint
in the list.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 19:03:38 -04:00
Tibor Vass
4a92b8a0ef registry: Change default endpoint on windows to a windows-specific one
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 14:52:41 -04:00
Derek McGowan
e863a07b89 Fix login and search TLS configuration
Currently login and search do not load per registry certificates.
This is a regression caused by the last refactor since this was recently fixed.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 10:36:57 -07:00
Derek McGowan
ed13c3abfb Use notary library for trusted image fetch and signing
Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest.
On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server.
If a tag is given, the cli will resolve the tag into a digest and pull by digest.
After pulling, if a tag is given the cli makes a request to tag the image.

Use certificate directory for notary requests

Read certificates using same logic used by daemon for registry requests.

Catch JSON syntax errors from Notary client

When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user.
Provide a generic error when a JSON syntax error occurs.

Catch expiration errors and wrap in additional context.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-24 14:08:20 -07:00
Aaron Lehmann
4fcb9ac40c Improve documentation and golint compliance of registry package
* Add godoc documentation where it was missing

* Change identifier names that don't match Go style, such as INDEX_NAME

* Rename RegistryInfo to PingResult, which more accurately describes
  what this structure is for. It also has the benefit of making the name
  not stutter if used outside the package.

Updates #14756

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-24 11:55:07 -07:00
Derek McGowan
19515a7ad8 Update graph to use vendored distribution client for the v2 codepath
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:47 -04:00
Tibor Vass
276c640be4 remove pkg/transport and use the one from distribution
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:46 -04:00
Eric Windisch
37846bff58 Remove RC4 from the list of registry cipher suites
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.

Uses the tlsconfig package to define allowed ciphers.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-06-29 09:15:13 -04:00
Antonio Murdaca
927d13bc3c Remove dead code
Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-06-20 19:14:15 +02:00
Tibor Vass
78bc233a01 registry: debugTransport should print with testing.T.Log
It should not print to STDOUT so that it only prints the debugTransport
output if there was an error in one of the registry tests.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-01 17:48:30 -04:00
Antonio Murdaca
a27395e6df Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-23 23:50:08 +02:00
Arnaud Porterie
81e7d3571b Windows: fix registry filepath and location
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-05-19 10:58:45 -07:00
Tibor Vass
73823e5e56 Add transport package to support CancelRequest
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 23:31:42 -04:00
Tibor Vass
cf8c0d0f56 requestdecorator: repurpose the package and rename to useragent
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:54 -04:00
Tibor Vass
a01cc3ca77 registry: Refactor requestfactory to use http.RoundTrippers
This patch removes the need for requestFactories and decorators
by implementing http.RoundTripper transports instead.

It refactors some challenging-to-read code.

NewSession now takes an *http.Client that can already have a
custom Transport, it will add its own auth transport by wrapping
it.

The idea is that callers of http.Client should not bother
setting custom headers for every handler but instead it should
be transparent to the callers of a same context.

This patch is needed for future refactorings of registry,
namely refactoring of the v1 client code.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:53 -04:00
James Lal
f5e6f50a1e Increase default connection timeout to 30s
Closes #13307
Signed-off-by: James Lal <jlal@mozilla.com>
2015-05-18 13:26:33 -07:00
Antonio Murdaca
6f4d847046 Replace aliased imports of logrus, fixes #11762
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-26 23:22:04 +01:00
Rik Nijessen
7e7646c28a Rename package timeout to timeoutconn.
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 20:52:37 +01:00
Rik Nijessen
690a85797e Move TimeoutConn to seperate pkg dir.
Fixes #10965
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 17:09:47 +01:00
Don Kjer
6f0068f273 Moving NewIndexInfo, NewRepositoryInfo and associated helpers into config.go
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:15:00 +00:00
Don Kjer
568f86eb18 Deprecating ResolveRepositoryName
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository

Moving --registry-mirror configuration to registry config

Created resolve_repository job

Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.

Adding test for RepositoryInfo

Adding tests for opts.StringSetOpts and registry.ValidateMirror

Fixing search term use of repoInfo

Adding integration tests for registry mirror configuration

Normalizing LookupImage image name to match LocalName parsing rules

Normalizing repository LocalName to avoid multiple references to an official image

Removing errorOut use in tests

Removing TODO comment

gofmt changes

golint comments cleanup.  renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig

Splitting out builtins.Registry and registry.NewService calls

Stray whitespace cleanup

Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test

Factoring out ValidateRepositoryName from NewRepositoryInfo

Removing unused IndexServerURL

Allowing json marshaling of ServiceConfig.  Exposing ServiceConfig in /info

Switching to CamelCase for json marshaling

PR cleanup; removing 'Is' prefix from boolean members.  Removing unneeded json tags.

Removing non-cleanup related fix for 'localhost:[port]' in splitReposName

Merge fixes for gh9735

Fixing integration test

Reapplying #9754

Adding comment on config.IndexConfigs use from isSecureIndex

Remove unused error return value from isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

Adding back comment in isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:14:58 +00:00
Matthew Riley
6c126d443b Allow hyphens in namespaces.
Signed-off-by: Matthew Riley <mattdr@google.com>
2015-01-05 11:06:16 -08:00
unclejack
bff1d9dbce validate image ID properly & before load
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

Conflicts:
	graph/load.go
2014-12-11 16:29:27 -05:00