Instead of having the misconfigured token server test
fail after maxing out retries, only retry a few times
then return an error which will not retry.
Referenced by #19425
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Always attempt to add digest even when tag already exists.
Ensure digest does not currently exist.
When image id is mismatched, output an error log.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
from a docker push output digest.DigestRegexp.FindString(output) does
not retrive the sha256: prefixed digest but just a string - in many
cases it's the registry host. The checks in the code are completely
wrong then. Fix this by using the DigestRegexp from the
distribution/reference package which correctly retrieves the digest
from the output.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Before, the TCP handshake had to time out (approx 30s) before
this test completed. If you use a hostname that doesn't resolve,
then it fails faster.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Since 1.9, Docker Content Trust Offline key has been renamed to
Root key and the Tagging key has been renamed to Repository key.
The corresponding environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE`
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE`
have also been deprecated and renamed to
`DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
`DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`
This fix removed the deprecated ENV passphrase variables for
1.12 and updated the docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The prior error message caused confusion. If a user attempts to push an
image up to a registry, but they misspelled (or forgot to properly tag
their image) they would see the message 'Repository does not exist', which
is not very clear and causes some to think that there might be a problem
with the registry or connectivity to it, when the problem was simply just
that an image with that tag specified does not exist locally.
Signed-off-by: Dave MacDonald <mindlapse@gmail.com>
The error message was changed from "unauthorized: access to the
requested resource is not authorized" to "unauthorized: authentication
required".
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
- cherry-pick from 1.10.3 branch: 0186f4d422
- add token service test suite
- add integration test (missing in 1.10.3 branch)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
- add test for pull from private registry with no credentials
- add test for push to docker hub with no credentials
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Antonio Murdaca <amurdaca@localhost.localdomain>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This PR adds the "notary" binary requirement for tests.
Previously, NotaryHosting was checking for the "notary-server"
binary under the name notaryBinary. This renames that reference to
notaryServerBinary, so that notaryBinary can rightly refer
to the actual "notary" binary.
Currently only one test actually uses the notary binary, so it's been
updated accordingly.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Concurrent uploads which share layers worked correctly as of #18353,
but unfortunately #18785 caused a regression. This PR removed the logic
that shares digests between different push sessions. This overlooked the
case where one session was waiting for another session to upload a
layer.
This commit adds back the ability to propagate this digest information,
using the distribution.Descriptor type because this is what is received
from stats and uploads, and also what is ultimately needed for building
the manifest.
Surprisingly, there was no test covering this case. This commit adds
one. It fails without the fix.
See recent comments on #9132.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Attempt layer mounts from up to 3 source repositories, possibly
falling back to a standard blob upload for cross repository pushes.
Addresses compatiblity issues with token servers which do not grant
multiple repository scopes, resulting in an authentication failure for
layer mounts, which would otherwise cause the push to terminate with an
error.
Signed-off-by: Brian Bland <brian.bland@docker.com>
Tracks source repository information for each blob in the blobsum
service, which is then used to attempt to mount blobs from another
repository when pushing instead of having to re-push blobs to the same
registry.
Signed-off-by: Brian Bland <brian.bland@docker.com>
Add DockerSchema1RegistrySuite which uses this registry, and make
applicable integration tests run as part of this suite.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Add distribution package for managing pulls and pushes. This is based on
the old code in the graph package, with major changes to work with the
new image/layer model.
Add v1 migration code.
Update registry, api/*, and daemon packages to use the reference
package's types where applicable.
Update daemon package to use image/layer/tag stores instead of the graph
package
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This fixes an issue where two images with the same filesystem contents
and configuration but different remote IDs could share a v1Compatibility
file, resulting in corrupted manifests.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Notary is capable of acting in offline mode, making use of cache TUF data.
When ping is not successful, notary should still be attempted without error.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The practice of buffering to a tempfile during a pushing contributes massively
to slow V2 push performance perception. The protocol was actually designed to
avoid precalculation, supporting cut-through data push. This means we can
assemble the layer, calculate its digest and push to the remote endpoint, all
at the same time.
This should increase performance massively on systems with slow disks or IO
bottlenecks.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Currently some notary tests change the system clock to check for expiration.
Skip these tests until the code can be refactored to not rely on updating the system clock.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Update help line to allow 90 characters instead of 80
The trust flag pushes out the help description column wider, requiring more room to display help messages.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Clean up tests to remove duplicate code
Add tests which run pull and create in an isolated configuration directory.
Add build test for untrusted tag
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
