Commit graph

399 commits

Author SHA1 Message Date
Tonis Tiigi
805223982c Generalize content addressable and reference storage
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-15 18:08:19 -07:00
John Howard
8437d0a329 Windows: Fix regression pulling linux images
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-09-09 11:40:34 -07:00
Michael Crosby
91e197d614 Add engine-api types to docker
This moves the types for the `engine-api` repo to the existing types
package.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-07 11:05:58 -07:00
Qiang Huang
cec0e2dfbd Cleanup pullSchema2
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-05 15:02:14 +08:00
Anusha Ragunathan
9b6dcc8b9d Make docker pull detect plugin content and error out.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-08-20 12:54:35 -07:00
Alexander Morozov
6c07fbd455 Merge pull request #25090 from swernli/rootfs-cleanup
Removing old custom RootFS behavior on Windows.
2016-08-05 10:55:44 -07:00
John Howard
0eb1323fba Merge pull request #24822 from swernli/skipV1push
Fixing v2 registry restriction for non-linux platforms.
2016-07-29 14:18:47 -07:00
Stefan J. Wernli
f342b27145 Removing old custom RootFS behavior on Windows.
Windows base layers are no longer the special "layers+base" type, so we can remove all the special handling for that.

Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
2016-07-29 14:15:59 -07:00
Sebastiaan van Stijn
350c0281c5 Merge pull request #24819 from Microsoft/jjh/fix24766
Windows: Block (v2) pulling Linux images
2016-07-29 19:48:38 +02:00
Stephen J Day
d99c6b837f
swarm/controller: allow cancellation to propagate
Ensure that cancellation of a pull propagates rather than continuing to
container creation. This ensures that the `Prepare` method is properly
re-entrant.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2016-07-25 18:31:24 -07:00
Stefan J. Wernli
adee28458c Fixing v2 registry restriction for non-linux platforms.
This fixes the hard coded restriction for non-linux platforms to v2 registries.  Previously, the check was above the flag parsing, which would overwrite the hard coded value and prevent correct operation.  This change also removes the related daemon flag from Windows to avoid confusion, as it has no meaning when the value is going to always be hard coded to true.

Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
2016-07-20 16:14:40 -07:00
John Howard
4e3d7ca4ae Windows: Block (v2) pulling Linux images
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-07-19 14:34:41 -07:00
Sebastiaan van Stijn
56fb100140 Merge pull request #24568 from dmcgowan/search-v2-auth
Allow v1 search to use v2 auth with identity token
2016-07-14 19:11:33 +02:00
Derek McGowan
19d48f0b8b Allow v1 search to use v2 auth with identity token
Updates the v1 search endpoint to also support v2 auth when an identity token is given.
Only search v1 endpoint is supported since there is not v2 search currently defined to replace it.

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2016-07-13 13:30:24 -07:00
Aaron Lehmann
a12ab28e0a Don't retry push on an unknown repository
If the remote registry responds with a NAME_UNKNOWN error, treat this as
a fatal error and don't retry the push.

Tested against an ECR registry.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-07-11 18:06:23 -06:00
Derek McGowan
33984f256b Always store the image digest when pulling and pushing an image.
Always attempt to add digest even when tag already exists.
Ensure digest does not currently exist.
When image id is mismatched, output an error log.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-06-27 10:09:57 -07:00
Aaron Lehmann
1333ef3ca3 Fix parallel push of the same image to different registries
Layer uploads are deduplicated by a "key" made up of the layer DiffID
and the repository name. The repository name being used to form this key
was a remote version of the name that didn't include the name of the
registry. Consequently, pushes of the same layer in a repository with
the same remote name to different registries would wrongly be
deduplicated.

Correct the key by using the full name of the repository, which includes
the registry hostname as well as the image's name.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-06-17 22:27:03 -07:00
Tibor Vass
f37117045c plugins: experimental support for new plugin management
This patch introduces a new experimental engine-level plugin management
with a new API and command line. Plugins can be distributed via a Docker
registry, and their lifecycle is managed by the engine.
This makes plugins a first-class construct.

For more background, have a look at issue #20363.

Documentation is in a separate commit. If you want to understand how the
new plugin system works, you can start by reading the documentation.

Note: backwards compatibility with existing plugins is maintained,
albeit they won't benefit from the advantages of the new system.

Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-06-14 14:20:27 -07:00
Yong Tang
a72b45dbec Fix logrus formatting
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.

This fix fixes #23459.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-06-11 13:16:55 -07:00
Antonio Murdaca
f6ff9acc63 Merge pull request #23327 from dmcgowan/refactor-foreign-layer
Refactor foreign sources to describable interfaces
2016-06-08 00:02:23 +02:00
Brian Goff
afc3cb03f4 Merge pull request #23323 from tiborvass/debug-ci
Cleanup
2016-06-06 21:03:30 -04:00
Derek McGowan
2c60430a3d Use describable interfaces
Replace use of foreign sources with descriptors and describable

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-06-06 17:49:34 -07:00
Arnaud Porterie
7d08f3a5ad Merge pull request #22866 from jstarks/foreign_layers
Support layers from external URLs
2016-06-07 00:27:40 +00:00
Tibor Vass
ccaea227e0 Cleanup
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-06-06 15:57:51 -07:00
allencloud
c1be45fa38 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-06-02 17:17:22 +08:00
John Starks
05bd04350b Support layers from external URLs
This is used to support downloading Windows base images from Microsoft
servers.

Signed-off-by: John Starks <jostarks@microsoft.com>
2016-05-25 19:23:02 -07:00
Vincent Demeester
636c276f67
Add Unit test to daemon.SearchRegistryForImages…
… and refactor a little bit some daemon on the way.

- Move `SearchRegistryForImages` to a new file (`daemon/search.go`) as
  `daemon.go` is getting pretty big.
- `registry.Service` is now an interface (allowing us to decouple it a
  little bit and thus unit test easily).
- Add some unit test for `SearchRegistryForImages`.
- Use UniqueExactMatch for search filters
- And use empty restore id for now in client.ContainerStart.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-05-24 11:07:11 +02:00
Michael Crosby
8bb4d31b10 Remove mountedLayer Mount and Unmount
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-05-23 16:52:58 -07:00
Yong Tang
7368e41c07 Docker pull/push with max concurrency limits.
This fix tries to address issues raised in #20936 and #22443
where `docker pull` or `docker push` fails because of the
concurrent connection failing.
Currently, the number of maximum concurrent connections is
controlled by `maxDownloadConcurrency` and `maxUploadConcurrency`
which are hardcoded to 3 and 5 respectively. Therefore, in
situations where network connections don't support multiple
downloads/uploads, failures may encounter for `docker push`
or `docker pull`.

This fix tries changes `maxDownloadConcurrency` and
`maxUploadConcurrency` to adjustable by passing
`--max-concurrent-uploads` and `--max-concurrent-downloads` to
`docker daemon` command.

The documentation related to docker daemon has been updated.

Additional test case have been added to cover the changes in this fix.

This fix fixes #20936. This fix fixes #22443.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-05-11 19:44:54 -07:00
Aaron Lehmann
b16fac959b Merge pull request #22316 from brettdh/registry-socks-proxy
Respect ALL_PROXY during registry operations
2016-05-06 11:29:01 -07:00
Antonio Murdaca
66fbc0c2a3 distribution: errors: do not retry on too many requests from registry
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-05-04 18:57:55 +02:00
allencloud
1ac4c61c10 fix typos in CHANGELOG.md and pull.go
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-04-29 23:33:15 +08:00
Brett Higgins
207027087e Respect ALL_PROXY during registry operations
Use sockets.DialerFromEnvironment, as is done in other places,
to transparently support SOCKS proxy config from ALL_PROXY
environment variable.

Requires the *engine* have the ALL_PROXY env var set, which
doesn't seem ideal. Maybe it should be a CLI option somehow?

Only tested with push and a v2 registry so far. I'm happy to look
further into testing more broadly, but I wanted to get feedback on
the general idea first.

Signed-off-by: Brett Higgins <brhiggins@arbor.net>
2016-04-25 15:08:30 -04:00
Tonis Tiigi
ea3cbd3274 Safer file io for configuration files
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-04-21 11:31:15 -07:00
Aaron Lehmann
c18d03a778 Vendor distribution to correct config blob media type in schema2 manifest
@nwt noticed that the media type specified in the config section of a
schema2 manifest is application/octet-stream, instead of the correct
value application/vnd.docker.container.image.v1+json.

This brings in https://github.com/docker/distribution/pull/1622 to fix
this.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-04-11 17:29:17 -07:00
Sebastiaan van Stijn
3f39035f18 Merge pull request #21819 from tophj-ibm/fix-ensure-emptyfs-other-architectures
Fix .ensure-emptyfs on non-x86_64 architectures
2016-04-09 13:40:45 -07:00
John Howard
f2ed337ac9 Merge pull request #21740 from mindlapse/fixErrorMsg
Improved message when pushing a non-existant image
2016-04-08 20:53:25 -07:00
Christopher Jones
1f59bc8c03 Fix .ensure-emptyfs on non-x86_64 architectures
Now that we are checking if the image and host have the same architectures
via #21272, this value should be null so that the test passes on non-x86
machines

Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2016-04-08 17:38:13 -04:00
John Starks
d45a26d7e2 Windows: Support non-base-layered images
Previously, Windows only supported running with a OS-managed base image.
With this change, Windows supports normal, Linux-like layered images, too.

Signed-off-by: John Starks <jostarks@microsoft.com>
2016-04-07 17:52:26 -07:00
Alexander Morozov
5ee8652a21 all: remove some unused funcs and variables
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-04-06 10:40:01 -07:00
John Howard
fc9912fd00 Merge pull request #21272 from Microsoft/jstarks/manifest_updates
Add os_version and os_features to Image
2016-04-05 16:16:25 -07:00
John Starks
194eaa5c0f Add os_version and os_features to Image
These fields are needed to specify the exact version of Windows that an
image can run on. They may be useful for other platforms in the future.

This also changes image.store.Create to validate that the loaded image is
supported on the current machine. This change affects Linux as well, since
it now validates the architecture and OS fields.

Signed-off-by: John Starks <jostarks@microsoft.com>
2016-04-04 13:14:57 -07:00
Dave MacDonald
e57900a269
Improved message when pushing a non-existant image
The prior error message caused confusion.  If a user attempts to push an
image up to a registry, but they misspelled (or forgot to properly tag
their image) they would see the message 'Repository does not exist', which
is not very clear and causes some to think that there might be a problem
with the registry or connectivity to it, when the problem was simply just
that an image with that tag specified does not exist locally.

Signed-off-by: Dave MacDonald <mindlapse@gmail.com>
2016-04-03 16:25:07 -04:00
Vincent Demeester
3d4b3cb424 Merge pull request #21676 from aaronlehmann/tmpfile-close
Pull: only close temporary file once
2016-03-31 11:49:37 +02:00
Sebastiaan van Stijn
ffee5588cd Merge pull request #21372 from anusha-ragunathan/ctrd-rebase
Update mount state of live containers after a daemon crash.
2016-03-30 23:10:04 -07:00
Aaron Lehmann
930ae3dbcb Pull: only close temporary file once
Close could be called twice on a temporary download file, which could
have bad side effects.

This fixes the problem by setting to ld.tmpFile to nil when the download
completes sucessfully. Then the call to ld.Close will have no effect,
and only the download manager will close the temporary file when it's
done extracting the layer from it. ld.Close will be responsible for
closing the file if we hit the retry limit and there is still a partial
download present.

Fixes #21675

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-30 22:44:54 -07:00
Alexander Morozov
d02e24f27d Merge pull request #21603 from aaronlehmann/testtransfer-flakiness-2
Fix flaky test TestTransfer (take 2)
2016-03-29 21:40:38 -07:00
Sebastiaan van Stijn
eaf138af1f Merge pull request #21598 from aaronlehmann/not-found-error
Change v1 pull 404 message to include tag
2016-03-29 17:28:12 -07:00
Anusha Ragunathan
511a70583f Update mount state of live containers after a daemon crash.
Fix unmount issues in the daemon crash and restart lifecycle, w.r.t
graph drivers. This change sets a live container RWLayer's activity
count to 1, so that the RWLayer is aware of the mount. Note that
containerd has experimental support for restore live containers.

Added/updated corresponding tests.

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-03-29 14:42:43 -07:00
Aaron Lehmann
745892a7b2 Change v1 pull 404 message to include tag
The current error message is "Error: image [name] not found". This makes
sense from the perspective of the v1 pull, since we found the repository
doesn't exist over the v1 protocol. However, in the vast majority of
cases, this error will be produced by fallback situations, where we
first try to pull the tag with the v2 protocol, and then fall back the
v1 protocol, which probably isn't even supported by the server.
Including the tag in the error message makes a lot more sense since the
actual repository may exist on v2, but not the tag.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-29 10:04:59 -07:00
Aaron Lehmann
0dea21f446 Fix flaky test TestTransfer (take 2)
TestTransfer failed in CI:
https://jenkins.dockerproject.org/job/Docker-PRs-experimental/17103/console

This is the same issue as https://github.com/docker/docker/pull/21233,
but only one of the code paths was fixed in that PR. The one which
handles the first progress update was not - it still assumed that the
progress indication should be 0/10.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-28 18:27:29 -07:00
Shishir Mahajan
b16decfccf CLI flag for docker create(run) to change block device size.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2016-03-28 10:05:18 -04:00
Aaron Lehmann
c44e7a3e63 Pass upstream client's user agent through to registry on operations beyond pulls
This adds support for the passthrough on build, push, login, and search.

Revamp the integration test to cover these cases and make it more
robust.

Use backticks instead of quoted strings for backslash-heavy string
contstands.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-21 14:31:47 -07:00
Arnaud Porterie
278d3962a8 Merge pull request #21306 from mgoelzer/issue20001-nodeps
Pass upstream client's user agent through to registry on image pulls
2016-03-21 14:26:59 -07:00
Alexander Morozov
a05fdd6806 Merge pull request #21283 from runcom/update-test
vendor docker/distribution d06d6d3b093302c02a93153ac7b06ebc0ffd1793
2016-03-21 09:46:28 -07:00
Mike Goelzer
d1502afb63 Pass upstream client's user agent through to registry on image pulls
Changes how the Engine interacts with Registry servers on image pull.
Previously, Engine sent a User-Agent string to the Registry server
that included only the Engine's version information.  This commit
appends to that string the fields from the User-Agent sent by the
client (e.g., Compose) of the Engine.  This allows Registry server
operators to understand what tools are actually generating pulls on
their registries.

Signed-off-by: Mike Goelzer <mgoelzer@docker.com>
2016-03-20 04:30:09 -07:00
Antonio Murdaca
264b5b6083 distribution: errors: do not retry if no token in response
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-19 12:20:14 +01:00
Tonis Tiigi
9c4570a958 Replace execdrivers with containerd implementation
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-03-18 13:38:32 -07:00
Antonio Murdaca
1b5c2e1d72 distribution: errors: do not access the errors slice if it's empty
- cherry-pick from 1.10.3 branch: 0186f4d422
- add token service test suite
- add integration test (missing in 1.10.3 branch)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-16 09:00:39 +01:00
Phil Estes
2b1b235acf Merge pull request #21222 from aaronlehmann/pull-with-no-layers
Fix pulling images that contain no layers at all
2016-03-15 23:03:42 -07:00
Aaron Lehmann
2f4aa96584 Fix flaky test TestTransfer
This test was checking that it received every progress update that was
produced. But delivery of these intermediate progress updates is not
guaranteed. A new update can overwrite the previous one if the previous
one hasn't been sent to the channel yet.

The call to t.Fatalf exited the current goroutine which was consuming
the channel, which caused a deadlock and eventual test timeout rather
than a proper failure message.

Failure seen here:
https://jenkins.dockerproject.org/job/Docker-PRs-experimental/16400/console

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-15 16:26:16 -07:00
Aaron Lehmann
7cf894ce10 Fix pulling images that contain no layers at all
The download manager assumed there was at least one layer involved in
all images. This can be false if the image is essentially a copy of
`scratch`.

Fix a nil pointer dereference that happened in this case. Add
integration tests that involve schema1 and schema2 manifests.

Fixes #21213

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-15 11:10:03 -07:00
Vincent Demeester
90ce409e35 Merge pull request #20949 from imjching/master
Fix typo for download and upload retry messages
2016-03-14 21:08:49 +01:00
Jay
f8d14bd4c6 Fix typo for download and upload retry messages
Signed-off-by: Jay <jay@imjching.com>
2016-03-15 00:56:19 +08:00
Aaron Lehmann
0b962f72a9 Merge pull request #21159 from runcom/fix-retry-push-bug
distribution: errors: do not retry if no credentials provided
2016-03-14 09:47:13 -07:00
Antonio Murdaca
497d545093 distribution: errors: do not retry if no credentials provided
Fix and add test for case c) in #21054

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-12 20:41:47 +01:00
Derek McGowan
e896d1d7c4 Add support for identity token with token handler
Use token handler options for initialization.
Update auth endpoint to set identity token in response.
Update credential store to match distribution interface changes.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-03-09 13:47:57 -08:00
Sebastiaan van Stijn
17156ba98f Merge pull request #20832 from aaronlehmann/login-endpoint-refactor
Update login to use token handling code from distribution
2016-03-03 19:04:42 +01:00
Aaron Lehmann
613d364e23 Merge pull request #20868 from LK4D4/unused_ctx
Remove unused ctx from v1Pusher
2016-03-02 10:05:46 -08:00
Alexander Morozov
a4dbbe7d89 Remove unused ctx from v1Pusher
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-03-02 07:59:12 -08:00
Derek McGowan
f2d481a299 Login update and endpoint refactor
Further differentiate the APIEndpoint used with V2 with the endpoint type which is only used for v1 registry interactions
Rename Endpoint to V1Endpoint and remove version ambiguity
Use distribution token handler for login

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-01 11:52:32 -08:00
Aaron Lehmann
5c99eebe81 Fix concurrent uploads that share layers
Concurrent uploads which share layers worked correctly as of #18353,
but unfortunately #18785 caused a regression. This PR removed the logic
that shares digests between different push sessions. This overlooked the
case where one session was waiting for another session to upload a
layer.

This commit adds back the ability to propagate this digest information,
using the distribution.Descriptor type because this is what is received
from stats and uploads, and also what is ultimately needed for building
the manifest.

Surprisingly, there was no test covering this case. This commit adds
one. It fails without the fix.

See recent comments on #9132.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-01 11:14:44 -08:00
Tibor Vass
8ffec1fca5 Merge pull request #20772 from Microsoft/jjh/testunitdistribution-xfer
Windows CI Unit Test: Distribution\xfer turn off failing tests
2016-02-29 10:45:57 -05:00
Sebastiaan van Stijn
da4f2ce629 Merge pull request #20771 from Microsoft/jjh/disableunittestsdistribution
Windows CI Unit Test: Distribution turn off failing tests
2016-02-29 12:56:10 +01:00
John Howard
dd2ff281bf Windows CI Unit Test: Distribution\xfer turn off failing tests
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-28 20:08:34 -08:00
John Howard
621a1b9aca Windows CI Unit Test: Distribution turn off failing tests
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-28 20:02:51 -08:00
Brian Bland
1d3480f9ba Improve fallback behavior for cross-repository push
Attempt layer mounts from up to 3 source repositories, possibly
falling back to a standard blob upload for cross repository pushes.
Addresses compatiblity issues with token servers which do not grant
multiple repository scopes, resulting in an authentication failure for
layer mounts, which would otherwise cause the push to terminate with an
error.

Signed-off-by: Brian Bland <brian.bland@docker.com>
2016-02-24 19:13:35 -08:00
Aaron Lehmann
79db131a35 Change APIEndpoint to contain the URL in a parsed format
This allows easier URL handling in code that uses APIEndpoint.
If we continued to store the URL unparsed, it would require redundant
parsing whenver we want to extract information from it. Also, parsing
the URL earlier should give improve validation.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-17 17:48:15 -08:00
Aaron Lehmann
5e8af46fda Smarter push/pull TLS fallback
With the --insecure-registry daemon option (or talking to a registry on
a local IP), the daemon will first try TLS, and then try plaintext if
something goes wrong with the push or pull. It doesn't make sense to try
plaintext if a HTTP request went through while using TLS. This commit
changes the logic to keep track of host/port combinations where a TLS
attempt managed to do at least one HTTP request (whether the response
code indicated success or not). If the host/port responded to a HTTP
using TLS, we won't try to make plaintext HTTP requests to it.

This will result in better error messages, which sometimes ended up
showing the result of the plaintext attempt, like this:

    Error response from daemon: Get
    http://myregistrydomain.com:5000/v2/: malformed HTTP response
    "\x15\x03\x01\x00\x02\x02"

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-12 13:47:48 -08:00
Vincent Demeester
e17afedfe0 Merge pull request #20247 from aaronlehmann/distribution-errors
Push/pull errors improvement and cleanup
2016-02-12 11:57:25 +01:00
David Calavera
5ca6d3bafd Merge pull request #20250 from vieux/fix_misspell
fix common misspells
2016-02-11 17:22:06 -08:00
Aaron Lehmann
8f26fe4f59 Push/pull errors improvement and cleanup
Several improvements to error handling:

- Introduce ImageConfigPullError type, wrapping errors related to
  downloading the image configuration blob in schema2. This allows for a
  more descriptive error message to be seen by the end user.

- Change some logrus.Debugf calls that display errors to logrus.Errorf.
  Add log lines in the push/pull fallback cases to make sure the errors
  leading to the fallback are shown.

- Move error-related types and functions which are only used by the
  distribution package out of the registry package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-11 16:28:56 -08:00
Victor Vieux
99a396902f fix common misspell
Signed-off-by: Victor Vieux <vieux@docker.com>
2016-02-11 15:49:36 -08:00
Aaron Lehmann
7b81bc147c Fall back to V1 when there are no basic auth credentials
This makes the behavior consistent with having incorrect credentials.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-11 10:48:11 -08:00
Aaron Lehmann
056bf9f25e Attempt to resume downloads after certain errors
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-09 14:12:28 -08:00
Aaron Lehmann
f425529e7e Move temporary download file to download descriptor scope
This will allow it to be reused between download attempts in a
subsequent commit.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-09 14:12:28 -08:00
Alexander Morozov
9f0095f14a Merge pull request #19887 from aaronlehmann/vendor-resumable-downloads
Vendor updated distribution for resumable downloads
2016-02-05 12:58:53 -08:00
Aaron Lehmann
4d437a29d2 Vendor updated distribution for resumable downloads
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-04 17:33:37 -08:00
Tibor Vass
66a4e557f9 Merge pull request #19702 from tiborvass/host-specific-passthru-token
Add test to make sure the new registry pass-thru token is only sent to the intended hosts
2016-02-03 21:57:32 -05:00
Tibor Vass
3fa0d09e74 Merge pull request #19971 from aaronlehmann/revert-19743
Revert "Set idle timeouts for HTTP reads and writes in communications with the registry"
2016-02-03 15:33:29 -05:00
Alexander Morozov
bce70cdc2c Merge pull request #18680 from aaronlehmann/duplicate-pull-complete-message
Avoid outputting last progress item twice
2016-02-03 11:01:45 -08:00
Aaron Lehmann
cbda80aaff Revert "Set idle timeouts for HTTP reads and writes in communications with the registry"
This reverts commit 84b2162c1a.

The intent of this commit was to set an idle timeout on a HTTP
connection. If a read took more than 60 seconds to complete, or a write
took more than 60 seconds to complete, the connection would be
considered dead.

This doesn't work properly, because the HTTP internals apparently read
from the connection concurrently while writing. An upload that doesn't
complete in 60 seconds leads to a timeout.

Fixes #19967

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-03 09:59:56 -08:00
Aaron Lehmann
e273445dd4 Fix panic on network timeout during push
`Upload` already closes the reader returned by `compress` and the
progressreader passed into it, before returning. But even so, the
io.Copy inside compress' goroutine needs to attempt a read from the
progressreader to notice that it's closed, and this read has a side
effect of outputting a progress message. If this happens after `Upload`
returns, it can result in a write to a closed channel. Change `compress`
to return a channel that allows the caller to wait for its goroutine to
finish before freeing any resources connected to the reader that was
passed to it.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-29 14:34:50 -08:00
Tibor Vass
f3df50d115 distribution: add test to ensure pass-thru registry token is host-bound
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-01-28 16:23:06 -08:00
Aaron Lehmann
84b2162c1a Set idle timeouts for HTTP reads and writes in communications with the registry
Otherwise, some operations can get stuck indefinitely when the remote
side is unresponsive.

Fixes #12823

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-26 12:40:39 -08:00
Aaron Lehmann
fde2329eaa Avoid outputting last progress item twice
A watcher would output the current progress item when it was detached,
in case it missed that item earlier, which would leave the user seeing
some intermediate step of the operation. This commit changes it to only
output it on detach if it didn't already output the same item.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-26 10:03:28 -08:00
Vincent Demeester
4158b671f3 Merge pull request #19701 from aaronlehmann/remove-downloads-on-error
Remove temporary layer download file on error
2016-01-26 10:55:43 +01:00
Tibor Vass
07e2dedecb Merge pull request #19057 from dnephin/remove_version_from_registry_pkg
Remove dockerversion from registry package
2016-01-25 22:45:06 -08:00
Aaron Lehmann
5a363ce60b Remove temporary layer download file on error
Currently, the temporary file storing downloaded layer data is only
removed after a successful download or a digest verification error. A
transport-level error does not cause it to be removed. This is a
regression from 1.9 that could cause disk usage to grow until the Docker
daemon is restarted.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-25 18:20:18 -08:00
Aaron Lehmann
3e2b50ccaa Fix watching a released transfer
Things could go wrong if Watch was called after the last existing
watcher was released. The call to Watch would succeed even though it was
not really adding a watcher, and the corresponding call to Release would
close hasWatchers a second time.

The fix for this is twofold:

1. We allow transfers to gain new watchers after the watcher count has
touched zero. This means that the channel returned by Released should
not be closed until all watchers have been released AND the transfer is
no longer tracked by the transfer manager, meaning it won't be possible
for additional calls to Watch to race with closing the channel returned
by Released.

The Transfer interface has a new method called Close so the transfer can
know when the transfer manager no longer references it.

Remove the Cancel method. It's not used and should not be exported.

2. Even though (1) makes it possible to add watchers after all the
previous watchers have been released, we want to avoid doing this in
practice. A transfer that has had all its watchers released is in the
process of being cancelled, and attaching to one of these will never be
the correct behavior. Add a check if a watcher is attaching to a
cancelled transfer.  In this case, wait for the transfer to be removed
from the map and try again. This will ensure correct behavior when a
watcher tries to attach during the race window.

Either (1) or (2) should be sufficient to fix the race involved here,
but the combination is the most correct approach. (1) fixes the
low-level plumbing to be resilient to the race condition, and (2) avoids
using it in a racy way.

Fixes #19606

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-25 13:28:02 -08:00
Tibor Vass
2731dbc797 Merge pull request #19509 from BrianBland/master
Fixes layer MediaTypes in manifests created from a cross-repository push
2016-01-22 14:27:47 -05:00
Tibor Vass
26334b7a7d Merge pull request #19551 from aaronlehmann/fix-retry-on-enospc
Don't retry downloads when disk is full
2016-01-21 15:37:50 -05:00
Aaron Lehmann
4f13ec5551 Don't retry downloads when disk is full
There was already a check that prevented protocol-level fallback in this
situation, but retries within a specific protocol will still happen.
This makes it take a long time for the pull to finally error out.

This fixes slowness in TestDaemonNoSpaceleftOnDeviceError, which used to
take a long time due to the backoff between retry attempts:

PASS: docker_cli_daemon_test.go:1868: DockerDaemonSuite.TestDaemonNoSpaceleftOnDeviceError	5.882s

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-21 10:01:51 -08:00
Derek McGowan
e9d5292b0c Unwrap URL errors on retry
When authorization errors are returned by the token process the error will be wrapped in url.Error.
In order to check the underlying error for retry this error message should be unwrapped.
Unwrapping this error allows failure to push due to an unauthorized response to keep from retrying, possibly resulting in later 429 responses.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-01-20 14:29:38 -08:00
Brian Bland
06e9a056ca Fixes layer MediaTypes in manifests created from a cross-repository push
Signed-off-by: Brian Bland <brian.bland@docker.com>
2016-01-20 12:23:16 -08:00
Aaron Lehmann
87338bf0fa Revert reporting of multiple pull errors
Revert the portions of #17617 that report all errors when a pull
falls back, and go back to just reporting the last error. This was nice
to have, but causes some UX issues because nonexistent images show
additional "unauthorized" errors.

Keep the part of the PR that handled ENOSPC, as this appears to work
even without tracking multiple errors.

Fixes #19419

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-18 15:49:08 -08:00
Daniel Nephin
61a49bb6ba Remove the use of dockerversion from the registry package
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-01-15 12:43:54 -05:00
Brian Bland
6309947718 Changes cross-repository blob mounting to a blob Create option
Also renames BlobSumService to V2MetadataService, BlobSum to
V2Metadata

Signed-off-by: Brian Bland <brian.bland@docker.com>
2016-01-14 14:26:03 -08:00
Brian Bland
7289c7218e Adds cross-repository blob pushing behavior
Tracks source repository information for each blob in the blobsum
service, which is then used to attempt to mount blobs from another
repository when pushing instead of having to re-push blobs to the same
registry.

Signed-off-by: Brian Bland <brian.bland@docker.com>
2016-01-13 14:26:30 -08:00
Arnaud Porterie
f11b6a2ab3 Merge pull request #18785 from aaronlehmann/new-manifest
New image manifest format
2016-01-11 12:01:46 -08:00
Aaron Lehmann
0757a52737 Fix flaky test TestSuccessfulDownload
One of the things this test checks is that the progress indicator
completes for each download. Some progress messages may be lost because
only one message is buffered for each download, but the last progress
message is guaranteed not to be lost. The test therefore checks for a
10/10 progress indication.

However, the assumption that this is the last progress message to be
sent is incorrect. The last message is actually "Pull complete". So
check for this instead.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-11 09:46:34 -08:00
Aaron Lehmann
7450c258ab Use RootFS from image config to register layers on Windows
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:27:31 -08:00
Aaron Lehmann
2bb8c85bc5 Add support for manifest lists ("fat manifests")
A manifest list refers to platform-specific manifests. This allows
for images that target more than one architecture to share the same tag.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:27:31 -08:00
Aaron Lehmann
c8d277d228 Add schema2 push support
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:27:31 -08:00
Aaron Lehmann
94726f7c73 Add schema2 pull support
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:24:21 -08:00
Aaron Lehmann
f33fa1b8d3 Change push to use manifest builder
Currently this always uses the schema1 manifest builder. Later, it will
be changed to attempt schema2 first, and fall back when necessary.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:24:21 -08:00
Aaron Lehmann
c168a0059f Update code to compile against new manifest interface
Also, digest.FromBytes no longer returns an error.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 17:24:20 -08:00
Aaron Lehmann
65370be888 Send push information to trust code out-of-band
The trust code used to parse the console output of `docker push` to
extract the digest, tag, and size information and determine what to
sign. This is fragile and might give an attacker control over what gets
signed if the attacker can find a way to influence what gets printed as
part of the push output.

This commit sends the push metadata out-of-band. It introduces an `Aux`
field in JSONMessage that can carry application-specific data alongside
progress updates. Instead of parsing formatted output, the client looks
in this field to get the digest, size, and tag from the push.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-08 10:57:50 -08:00
David Calavera
907407d0b2 Modify import paths to point to the new engine-api package.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-01-06 19:48:59 -05:00
Phil Estes
6c30931b06 Merge pull request #18889 from aaronlehmann/v1-fallback-pull-all-tags
Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
2016-01-05 16:20:04 -05:00
David Calavera
723be0a332 Merge pull request #18888 from calavera/event_types
Event all the things!
2016-01-04 13:07:33 -08:00
Doug Davis
e6806223e8 Use constant instead of "scratch"
Move NoBaseImageSpecifier to a common spot and then use it instead of
"scratch" in a couple of places.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-12-31 06:21:56 -08:00
David Calavera
72f1881df1 Add event types.
- Stop serializing JSONMessage in favor of events.Message.
- Keep backwards compatibility with JSONMessage for container events.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-30 17:39:33 -05:00
Arnaud Porterie
7b540ee653 Merge pull request #18877 from dnephin/move_graph_driver_to_layer_store
Move graph driver to layer store
2015-12-29 12:19:02 -08:00
Huanzhong Zhang
85e355605a print the registry name.
Signed-off-by: Huanzhong Zhang <zhanghuanzhong90@gmail.com>
2015-12-29 13:33:04 +08:00
Daniel Nephin
f5916b10ae Remove the graph driver from the daemon, move it into the layer store.
Support restoreCustomImage for windows with a new interface to extract
the graph driver from the LayerStore.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-28 12:55:48 -05:00
Aaron Lehmann
589a5226e7 Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
This is a followup to #18839. That PR relaxed the fallback logic so that
if a manifest doesn't exist on v2, or the user is unauthorized to access
it, we try again with the v1 protocol. A similar special case is needed
for "pull all tags" (docker pull -a). If the v2 registry doesn't
recognize the repository, or doesn't allow the user to access it, we
should fall back to v1 and try to pull all tags from the v1 registry.
Conversely, if the v2 registry does allow us to list the tags, there
should be no fallback, even if there are errors pulling those tags.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-23 15:21:43 -08:00
Derek McGowan
d04fa49a0d Refactor RWLayer to use referenced object instead of string
RWLayer will now have more operations and be protected through a referenced type rather than always looked up by string in the layer store.
Separates creation of RWLayer (write capture layer) from mounting of the layer.
This allows mount labels to be applied after creation and allowing RWLayer objects to have the same lifespan as a container without performance regressions from requiring mount.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-12-23 11:19:17 -08:00
Aaron Lehmann
9d6acbee92 When a manifest is not found, allow fallback to v1
PR #18590 caused compatibility issues with registries such as gcr.io
which support both the v1 and v2 protocols, but do not provide the same
set of images over both protocols. After #18590, pulls from these
registries would never use the v1 protocol, because of the
Docker-Distribution-Api-Version header indicating that v2 was supported.

Fix the problem by making an exception for the case where a manifest is
not found. This should allow fallback to v1 in case that image is
exposed over the v1 protocol but not the v2 protocol.

This avoids the overly aggressive fallback behavior before #18590 which
would allow protocol fallback after almost any error, but restores
interoperability with mixed v1/v2 registry setups.

Fixes #18832

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-21 18:19:38 -08:00
Aaron Lehmann
891bbc17ec Make v1 pull/push output consistent with v2
- Use layer DiffIDs for progress output in v1 push. This makes the
  output consistent with v2 pushes, which means that a fallback to v1
  won't start progress bars for a different set of IDs.

- Change wording used in v1 status updates to be consistent with v2.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-16 15:02:24 -08:00
Aaron Lehmann
a57478d65f Do not fall back to the V1 protocol when we know we are talking to a V2 registry
If we detect a Docker-Distribution-Api-Version header indicating that
the registry speaks the V2 protocol, no fallback to V1 should take
place.

The same applies if a V2 registry operation succeeds while attempting a
push or pull.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-16 15:02:03 -08:00
Tonis Tiigi
eeb2d4c1ad Clean up reference type switches
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-12-16 11:58:53 -08:00
Tonis Tiigi
ffded61dad Update Named reference with validation of conversions
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-12-16 11:58:52 -08:00
Tonis Tiigi
2655954c2d Add own reference package wrapper
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-12-16 11:58:52 -08:00
Antonio Murdaca
bb2c92355c Merge pull request #18655 from dmcgowan/fix-docker-inspect-container
Add metadata function to layer store
2015-12-16 12:23:41 +01:00
huanzhong zhang
badfc7e10f The logName is confused here, it's a localName actually.
Signed-off-by: huanzhong zhang <zhanghuanzhong90@gmail.com>
2015-12-15 15:21:28 +08:00
Derek McGowan
a7e0968321 Add metadata function to layer store
Add function to get metadata from layer store for a mutable layer

fixes #18614

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-12-14 16:52:15 -08:00
Daniel Nephin
96c10098ac Move IndexInfo and ServiceConfig types to api/types/registry/registry.go
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2015-12-14 11:28:02 -05:00
Daniel Nephin
5b321e3287 Move AuthConfig to api/types
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2015-12-14 11:22:01 -05:00
Justas Brazauskas
927b334ebf Fix typos found across repository
Signed-off-by: Justas Brazauskas <brazauskasjustas@gmail.com>
2015-12-13 18:04:12 +02:00
Aaron Lehmann
572ce80230 Improved push and pull with upload manager and download manager
This commit adds a transfer manager which deduplicates and schedules
transfers, and also an upload manager and download manager that build on
top of the transfer manager to provide high-level interfaces for uploads
and downloads. The push and pull code is modified to use these building
blocks.

Some benefits of the changes:

- Simplification of push/pull code
- Pushes can upload layers concurrently
- Failed downloads and uploads are retried after backoff delays
- Cancellation is supported, but individual transfers will only be
  cancelled if all pushes or pulls using them are cancelled.
- The distribution code is decoupled from Docker Engine packages and API
  conventions (i.e. streamformatter), which will make it easier to split
  out.

This commit also includes unit tests for the new distribution/xfer
package. The tests cover 87.8% of the statements in the package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-09 19:13:35 -08:00
Aaron Lehmann
741924384e Use DiffSize instead of Size in v1 push
The v1 push code was querying the size of the layer chain up to the
layer it was pushing, rather than just that layer. This made the
progress indicator inaccurate.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-07 11:30:05 -08:00
Sebastiaan van Stijn
715f6a135c Merge pull request #17741 from dhiltgen/pull_token
Add token pass-thru for AuthConfig
2015-12-06 16:40:06 +01:00
Aaron Lehmann
39589800b4 Avoid a HEAD request for each layer in a v2 pull
We were calling Stat for each layer to get the size so we could indicate
progress, but https://github.com/docker/distribution/pull/1226 made it
possible to get the length from the GET request that Open initiates.

Saving one round-trip per layer should make pull operations slightly
faster and more robust.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-04 09:32:16 -08:00
Daniel Hiltgen
8dce8e9901 Add token pass-thru for AuthConfig
This change allows API clients to retrieve an authentication token from
a registry, and then pass that token directly to the API.

Example usage:

    REPO_USER=dhiltgen
    read -s PASSWORD
    REPO=privateorg/repo
    AUTH_URL=https://auth.docker.io/token
    TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" |
        jq -r ".token")

    HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"|base64 -w 0 )
    curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}"

Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
2015-12-03 11:40:27 -08:00
Brian Goff
9ebf7dfae3 Merge pull request #18252 from aaronlehmann/tarstream-readcloser
Make TarStream return an io.ReadCloser
2015-11-25 21:35:21 -05:00
Aaron Lehmann
21278efaee Make TarStream return an io.ReadCloser
Currently, the resources associated with the io.Reader returned by
TarStream are only freed when it is read until EOF. This means that
partial uploads or exports (for example, in the case of a full disk or
severed connection) can leak a goroutine and open file. This commit
changes TarStream to return an io.ReadCloser. Resources are freed when
Close is called.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-11-25 16:39:54 -08:00
Tonis Tiigi
20e759ab56 Validate adding digests to tagstore with go types
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-11-25 15:06:51 -08:00
Aaron Lehmann
694df3ff9f Add distribution package
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-11-24 09:40:24 -08:00