Commit graph

563 commits

Author SHA1 Message Date
Sebastiaan van Stijn
128280013f
Disable legacy (v1) registries by default
Deprecation of interacting with v1 registries was
started in docker 1.8.3, which added a `--disable-legacy-registry`
flag.

This option was anounced to be the default starting
with docker 17.06, and v1 registries completely
removed in docker 17.12.

This patch updates the default, and disables
interaction with v1 registres by default.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-12 11:04:28 +02:00
root
02a759fa96 Remove dead code: GetAuthConfig
Signed-off-by: Shishir Mahajan <shishir.mahajan3@gmail.com>
2017-06-05 00:40:47 +00:00
Daniel Nephin
a6ac5495e1 Move an error helper to registry/session.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-02 16:10:40 -04:00
Daniel Nephin
65515af075 Move httputils/reasumablerequestreader to the single consumer.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-02 16:10:39 -04:00
Noah Treuhaft
67fdf574d5 Add daemon option to push foreign layers
The --allow-nondistributable-artifacts daemon option specifies
registries to which foreign layers should be pushed.  (By default,
foreign layers are not pushed to registries.)

Additionally, to make this option effective, foreign layers are now
pulled from the registry if possible, falling back to the URLs in the
image manifest otherwise.

This option is useful when pushing images containing foreign layers to a
registry on an air-gapped network so hosts on that network can pull the
images without connecting to another server.

Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2017-05-16 14:36:36 -07:00
Yong Tang
e49589505a Validate insecure registry (--insecure-registry) values
This fix is based on:
https://github.com/docker/docker/issues/29936#issuecomment-277494885

Currently the insecure registry is only checked to see if it contains
scheme (`http(s)://`) or not. No fully validation is done and this
caused many confusions like in #29936.

This fix tries to address the issue.

This fix adds additional validation so that an insecure registry
is validated to make sure it is in `host:port` format where host
could be IPv4/IPv6 or a host name, and port could be an integer
between 0-65535.

Additional unit tests have been added.

This fix is related to #29936.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-02-14 13:13:23 -08:00
Derek McGowan
3a1279393f
Use distribution reference
Remove forked reference package. Use normalized named values
everywhere and familiar functions to convert back to familiar
strings for UX and storage compatibility.

Enforce that the source repository in the distribution metadata
is always a normalized string, ignore invalid values which are not.
Update distribution tests to use normalized values.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-02-07 11:08:37 -08:00
Derek McGowan
0421f5173d
Remove use of forked reference package for cli
Use resolving to repo info as the split point between the
legitimate reference package and forked reference package.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-01-19 16:04:50 -08:00
Sebastiaan van Stijn
af90d50647 Merge pull request #29988 from yongtang/29936-insecure-registries
Return error when insecure registry contains scheme
2017-01-19 21:49:06 +01:00
Yong Tang
8dadeaf8ea Return error when insecure registry contains scheme
While investigating 29936 I noticed one potential issue
in `LoadInsecureRegistries`.

The implementation of the func assumes that the format
of insecure registry should be `host:port` if not CIDR.
However, it is very common that user may incorrectly
provide a registry with a scheme (e.g, `http://myregistry.com:5000`)
Such a registry format with a scheme will cause docker pull to
always try https endpoint.

The reason is that the func of `isSecureIndex()` actually will
check for the map of the index server for `myregistry.com:5000`
while the insecure registry only has a record of `http://myregistry.com:5000`.
As a consequence, docker assumes that `myregistry.com:5000` is not
a insecure registry and will go ahead with https endpoint.

This fix addresses the issue by error out insecure registries with scheme.

A unit test has been added.

This fix is related to 29936.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-13 19:19:30 -08:00
Daehyeok Mun
6306019d0b Refactoring ineffectual assignments
This patch fixed below 4 types of code line
1. Remove unnecessary variable assignment
2. Use variables declaration instead of explicit initial zero value
3. Change variable name to underbar when variable not used
4. Add erro check and return for ignored error

Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
2017-01-13 00:27:01 -07:00
allencloud
5b9348c553 support registry mirror config reload
Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-04 11:04:00 +08:00
yuexiao-wang
3ed06f9670 Remove unuse slice in registry
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2016-12-16 00:51:10 +08:00
Victor Vieux
c1a1b381f9 Merge pull request #28459 from dmcgowan/plugin-repository-pinning
Plugin repository pinning
2016-12-08 11:28:52 -08:00
Aaron Lehmann
d91ed88365 registry: Remove reference.go
This removes some very old vestigial code that really should have been
removed during the content addressability transition. It implements
something called "reference" but it behaves differently from the actual
reference package. This was only used by client-side content trust code,
and is relatively easy to extricate.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-12-06 15:53:21 -08:00
Derek McGowan
a12b466183
Add class to repository scope
Expose registry error translation for plugin distribution

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-11-21 22:18:50 -08:00
Felipe Oliveira
271b1f2756 fix infinite recursion
Signed-off-by: Felipe Oliveira <felipeweb.programador@gmail.com>
2016-11-18 10:57:50 -02:00
Noah Treuhaft
7ffb4ad81a
Disable v1 protocol for the default registry
All images in the default registry (AKA docker.io, index.docker.io, and
registry-1.docker.io) are available via the v2 protocol, so there's no
reason to use the v1 protocol.  Disabling it prevents useless fallbacks.

Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2016-11-11 00:23:25 -08:00
Derek McGowan
c85eb00841
Update for distribution vendor
Handle updates to reference package.
Updates for refactoring of challenge manager.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-11-10 17:34:12 -08:00
Amit Krishnan
934328d8ea Add functional support for Docker sub commands on Solaris
Signed-off-by: Amit Krishnan <krish.amit@gmail.com>

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-11-07 09:06:34 -08:00
Derek McGowan
66a5e34cc4
Use system ca pool from tlsconfig
Remove deprecated config from local pkg/tlsconfig.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-10-31 14:52:07 -07:00
allencloud
582803f00a support insecure registry in configuration reload
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-10-20 07:54:31 +08:00
Aaron Lehmann
19858ff1b1 registry: Remove unused method ResolveIndex
This does not appear to be used.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-10-18 12:04:10 -07:00
Michael Crosby
91e197d614 Add engine-api types to docker
This moves the types for the `engine-api` repo to the existing types
package.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-07 11:05:58 -07:00
Antonio Murdaca
67d752ac55
support legacy registries in exernal stores
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-07 09:45:42 +02:00
Tonis Tiigi
7a8c7b47cf Fix govet for go1.7
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 19:07:54 -07:00
Daniel Nephin
14712f9ff0 Remove old cli framework.
Also consolidate the leftover packages under cli.
Remove pkg/mflag.
Make manpage generation work with new cobra layout.
Remove remaining mflag and fix tests after rebase with master.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-08-25 13:09:04 -04:00
Daniel Nephin
fb83394714 Convert dockerd to use cobra and pflag
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-08-25 13:09:03 -04:00
Stefan J. Wernli
adee28458c Fixing v2 registry restriction for non-linux platforms.
This fixes the hard coded restriction for non-linux platforms to v2 registries.  Previously, the check was above the flag parsing, which would overwrite the hard coded value and prevent correct operation.  This change also removes the related daemon flag from Windows to avoid confusion, as it has no meaning when the value is going to always be hard coded to true.

Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
2016-07-20 16:14:40 -07:00
Sebastiaan van Stijn
64a8317a5a Improve flag help consistency, and update docs
This adds the `--live-restore` option to the documentation.

Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-07-16 01:58:01 +02:00
Derek McGowan
19d48f0b8b Allow v1 search to use v2 auth with identity token
Updates the v1 search endpoint to also support v2 auth when an identity token is given.
Only search v1 endpoint is supported since there is not v2 search currently defined to replace it.

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2016-07-13 13:30:24 -07:00
Yong Tang
a72b45dbec Fix logrus formatting
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.

This fix fixes #23459.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-06-11 13:16:55 -07:00
Yong Tang
92f10fe228 Add --limit option to docker search
This fix tries to address the issue raised in #23055.
Currently `docker search` result caps at 25 and there is
no way to allow getting more results (if exist).

This fix adds the flag `--limit` so that it is possible
to return more results from the `docker search`.

Related documentation has been updated.

Additional tests have been added to cover the changes.

This fix fixes #23055.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-06-02 19:12:20 -07:00
allencloud
c1be45fa38 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-06-02 17:17:22 +08:00
Vincent Demeester
636c276f67
Add Unit test to daemon.SearchRegistryForImages…
… and refactor a little bit some daemon on the way.

- Move `SearchRegistryForImages` to a new file (`daemon/search.go`) as
  `daemon.go` is getting pretty big.
- `registry.Service` is now an interface (allowing us to decouple it a
  little bit and thus unit test easily).
- Add some unit test for `SearchRegistryForImages`.
- Use UniqueExactMatch for search filters
- And use empty restore id for now in client.ContainerStart.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-05-24 11:07:11 +02:00
Brett Higgins
207027087e Respect ALL_PROXY during registry operations
Use sockets.DialerFromEnvironment, as is done in other places,
to transparently support SOCKS proxy config from ALL_PROXY
environment variable.

Requires the *engine* have the ALL_PROXY env var set, which
doesn't seem ideal. Maybe it should be a CLI option somehow?

Only tested with push and a v2 registry so far. I'm happy to look
further into testing more broadly, but I wanted to get feedback on
the general idea first.

Signed-off-by: Brett Higgins <brhiggins@arbor.net>
2016-04-25 15:08:30 -04:00
Yong Tang
93973196f4 Add default serveraddress value in remote API /auth
This fix tries to address the issue in #22244 where the remote
API `/auth` will not set the default value of `serveraddress`
if not provided. This behavior happens after only in 1.11.0
and is a regression as in 1.10.3 `serveraddress` will be assigned
with `IndexServer` if no value is provided.

The default value `IndexServer` is assigned to `serveraddress` if
no value provided in this fix.

An integration test `TestAuthApi` has been added to cover this change

This fix fixes #22244.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-22 20:00:47 -07:00
Vincent Demeester
e6f2429e01 Merge pull request #21607 from allencloud/change-validateNoSchema-to-validateNoScheme
change validateNoSchema to validateNoScheme
2016-03-31 10:14:23 +02:00
allencloud
28d3c22e55 1.change validateNoSchema into validateNoScheme
2.change schema into scheme in docs and some annotations.

Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-03-31 12:29:15 +08:00
Aaron Lehmann
e42f85080b Correct login debug log message
I noticed the following message in a daemon log:

```
attempting v2 login to registry endpoint {%!s(bool=false) https://registry:5000 v2 %!s(bool=false) %!s(bool=true) %!s(*tls.Config=&{<nil> <nil> [] map[] <nil> 0xc82075c030 []  0 <nil> false [49196 49200 49195 49199 49162 49161 49172 49171 53 47] true false [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] <nil> 769 0 [] {{0 0} 0} {{0 0} 0 0 0 0} []})}
```

loginV2 tries to log an APIEndpoint as a string, but this struct does
not have a String method. Log the actual URL that will be used as the
endpoint, instead.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-28 18:22:24 -07:00
David Calavera
b1e9a5eaf1 Merge pull request #21258 from runcom/res.body.leaks
*: fix response body leaks
2016-03-16 19:20:10 -07:00
Antonio Murdaca
f0d83c4cdb *: fix response body leaks
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-16 17:15:42 +01:00
Antonio Murdaca
137c8601a8 registry: endpoint_v1: fix outdated comment
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-16 12:53:11 +01:00
Antonio Murdaca
bb05c18892 daemon: update: check len inside public function
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-15 17:24:25 +01:00
Vincent Demeester
b9361f02da Merge pull request #20970 from dmcgowan/login-oauth
OAuth support for registries
2016-03-14 15:49:44 +01:00
David Calavera
12c67f42d8 Merge pull request #21100 from aaronlehmann/remove-windows-specific-registry
Remove Windows-specific default registry definitions
2016-03-11 09:31:55 -08:00
Aaron Lehmann
87535ca2e9 Remove Windows-specific default registry definitions
Going forward, Docker won't use a different default registry on Windows.
This changes Windows to use the standard Docker Hub registry as the
default registry.

There is a plan in place to migrate existing images from the Windows
registry to Hub's normal registry, in advance of the 1.11 release. In
the mean time, images on the Windows registry can be accessed by
prefixing them with `registry-win-tp3.docker.io/`.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-10 18:33:14 -08:00
Sebastiaan van Stijn
1d094255d5 Merge pull request #21045 from calavera/registry_config_options
Move registry service options to the daemon configuration.
2016-03-11 00:48:55 +01:00
David Calavera
59586d02b1 Move registry service options to the daemon configuration.
Allowing to set their values in the daemon configuration file.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-10 11:53:11 -05:00
allencloud
34b82a69b9 fix some typos.
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-03-10 10:09:27 +08:00
Derek McGowan
e896d1d7c4 Add support for identity token with token handler
Use token handler options for initialization.
Update auth endpoint to set identity token in response.
Update credential store to match distribution interface changes.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-03-09 13:47:57 -08:00
Derek McGowan
f2d481a299 Login update and endpoint refactor
Further differentiate the APIEndpoint used with V2 with the endpoint type which is only used for v1 registry interactions
Rename Endpoint to V1Endpoint and remove version ambiguity
Use distribution token handler for login

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-03-01 11:52:32 -08:00
Ken Cochrane
aee260d4eb Remove email address field from login
This removes the email prompt when you use docker login, and also removes the ability to register via the docker cli. Docker login, will strictly be used for logging into a registry server.

Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
2016-02-29 17:53:27 -08:00
Aaron Lehmann
79db131a35 Change APIEndpoint to contain the URL in a parsed format
This allows easier URL handling in code that uses APIEndpoint.
If we continued to store the URL unparsed, it would require redundant
parsing whenver we want to extract information from it. Also, parsing
the URL earlier should give improve validation.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-17 17:48:15 -08:00
Aaron Lehmann
8f26fe4f59 Push/pull errors improvement and cleanup
Several improvements to error handling:

- Introduce ImageConfigPullError type, wrapping errors related to
  downloading the image configuration blob in schema2. This allows for a
  more descriptive error message to be seen by the end user.

- Change some logrus.Debugf calls that display errors to logrus.Errorf.
  Add log lines in the push/pull fallback cases to make sure the errors
  leading to the fallback are shown.

- Move error-related types and functions which are only used by the
  distribution package out of the registry package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-02-11 16:28:56 -08:00
David Calavera
7bca932182 Respond with 401 when there is an unauthorized error from the registry.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-01-27 13:55:33 -05:00
Tibor Vass
07e2dedecb Merge pull request #19057 from dnephin/remove_version_from_registry_pkg
Remove dockerversion from registry package
2016-01-25 22:45:06 -08:00
Aaron Lehmann
d5e2802eae Clarify error message when a .cert file is missing a corresponding key
The daemon uses two similar filename extensions to identify different
kinds of certificates. ".crt" files are interpreted as CA certificates,
and ".cert" files are interprted as client certificates. If a CA
certificate is accidentally given the extension ".cert", it will lead to
the following error message:

    Missing key ca.key for certificate ca.cert

To make this slightly less confusing, clarify the error message with a
note that CA certificates should use the extension ".crt".

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-01-20 11:34:59 -08:00
Daniel Nephin
61a49bb6ba Remove the use of dockerversion from the registry package
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-01-15 12:43:54 -05:00
David Calavera
907407d0b2 Modify import paths to point to the new engine-api package.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-01-06 19:48:59 -05:00
Phil Estes
6c30931b06 Merge pull request #18889 from aaronlehmann/v1-fallback-pull-all-tags
Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
2016-01-05 16:20:04 -05:00
Richard Scothern
b18fadd115 Show the legacy registry flag only in the daemon arguments
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2016-01-04 14:52:39 -08:00
David Calavera
8e034802b7 Remove usage of pkg sockets and tlsconfig.
- Use the ones provided by docker/go-connections, they are a drop in replacement.
- Remove pkg/sockets from docker.
- Keep pkg/tlsconfig because libnetwork still needs it and there is a
  circular dependency issue.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-29 19:27:12 -05:00
Aaron Lehmann
589a5226e7 Allow v1 protocol fallback when pulling all tags from a repository unknown to v2 registry
This is a followup to #18839. That PR relaxed the fallback logic so that
if a manifest doesn't exist on v2, or the user is unauthorized to access
it, we try again with the v1 protocol. A similar special case is needed
for "pull all tags" (docker pull -a). If the v2 registry doesn't
recognize the repository, or doesn't allow the user to access it, we
should fall back to v1 and try to pull all tags from the v1 registry.
Conversely, if the v2 registry does allow us to list the tags, there
should be no fallback, even if there are errors pulling those tags.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-23 15:21:43 -08:00
Aaron Lehmann
9d6acbee92 When a manifest is not found, allow fallback to v1
PR #18590 caused compatibility issues with registries such as gcr.io
which support both the v1 and v2 protocols, but do not provide the same
set of images over both protocols. After #18590, pulls from these
registries would never use the v1 protocol, because of the
Docker-Distribution-Api-Version header indicating that v2 was supported.

Fix the problem by making an exception for the case where a manifest is
not found. This should allow fallback to v1 in case that image is
exposed over the v1 protocol but not the v2 protocol.

This avoids the overly aggressive fallback behavior before #18590 which
would allow protocol fallback after almost any error, but restores
interoperability with mixed v1/v2 registry setups.

Fixes #18832

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-21 18:19:38 -08:00
Aaron Lehmann
a57478d65f Do not fall back to the V1 protocol when we know we are talking to a V2 registry
If we detect a Docker-Distribution-Api-Version header indicating that
the registry speaks the V2 protocol, no fallback to V1 should take
place.

The same applies if a V2 registry operation succeeds while attempting a
push or pull.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-16 15:02:03 -08:00
Tonis Tiigi
ffded61dad Update Named reference with validation of conversions
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-12-16 11:58:52 -08:00
Tonis Tiigi
2655954c2d Add own reference package wrapper
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-12-16 11:58:52 -08:00
David Calavera
c0c5c00337 Merge pull request #18681 from dnephin/move_cliconfig_test
Move the TestEncodeAuth test to the correct package
2015-12-15 12:42:38 -08:00
Daniel Nephin
e226383614 Move the TestEncodeAuth test to the correct package.
Also make EncodeAuth and DecodeAuth private because they're only used by cliconfig.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-15 13:36:52 -05:00
Daniel Nephin
c4472b389d Move registry.SearchResult types to api/types/registry.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-15 11:44:20 -05:00
Vincent Demeester
87740d001c Merge pull request #18644 from calavera/remove_timeout_func_dependency_from_api_lib
Remove timeout shared function.
2015-12-14 23:05:29 +01:00
David Calavera
9dc7d07fc1 Remove timeout shared function.
Handle timeouts when it's necessary based on a Timeout interface.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-14 14:24:21 -05:00
Daniel Nephin
96c10098ac Move IndexInfo and ServiceConfig types to api/types/registry/registry.go
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2015-12-14 11:28:02 -05:00
Daniel Nephin
5b321e3287 Move AuthConfig to api/types
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2015-12-14 11:22:01 -05:00
Vincent Demeester
5e0283effa Merge pull request #18618 from dnephin/refactor_resolve_auth_config
Refactor ResolveAuthConfig to remove the builder dependency on cli code
2015-12-14 15:23:36 +01:00
Justas Brazauskas
927b334ebf Fix typos found across repository
Signed-off-by: Justas Brazauskas <brazauskasjustas@gmail.com>
2015-12-13 18:04:12 +02:00
Daniel Nephin
920ea13516 Refactor ResolveAuthConfig to remove the builder dependency on cli code.
registry.ResolveAuthConfig() only needs the AuthConfigs from the ConfigFile, so
this change passed just the AuthConfigs.

Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2015-12-11 19:31:24 -08:00
Aaron Lehmann
572ce80230 Improved push and pull with upload manager and download manager
This commit adds a transfer manager which deduplicates and schedules
transfers, and also an upload manager and download manager that build on
top of the transfer manager to provide high-level interfaces for uploads
and downloads. The push and pull code is modified to use these building
blocks.

Some benefits of the changes:

- Simplification of push/pull code
- Pushes can upload layers concurrently
- Failed downloads and uploads are retried after backoff delays
- Cancellation is supported, but individual transfers will only be
  cancelled if all pushes or pulls using them are cancelled.
- The distribution code is decoupled from Docker Engine packages and API
  conventions (i.e. streamformatter), which will make it easier to split
  out.

This commit also includes unit tests for the new distribution/xfer
package. The tests cover 87.8% of the statements in the package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-09 19:13:35 -08:00
Aaron Lehmann
1ebfa29954 Add missing bounds in ContinueOnError
ContinueOnError assumes that something of type errcode.Errors contains
at least one error. This is generally true, but might not be true if the
remote registry returns an empty error body or invalid JSON. Add the
bounds check, and in the case where it fails, allow fallbacks to v1.

Fixes #18481

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-08 09:54:20 -08:00
Tibor Vass
f7c0d0ec50 Merge pull request #18105 from mishak87/registry-improvements
Registry tiny code improvements
2015-12-07 13:35:02 +01:00
mqliang
519236b478 rename req to resp
Signed-off-by: mqliang <mqliang.zju@gmail.com>
2015-12-02 20:38:54 +08:00
Michal Gebauer
bcd0f0cdc4 Check if CertsDir is not empty
Signed-off-by: Michal Gebauer <mishak@mishak.net>
2015-11-25 18:12:19 +01:00
mqliang
302325a3aa move defer statement for readability
Signed-off-by: mqliang <mqliang.zju@gmail.com>
2015-11-25 22:33:15 +08:00
Tonis Tiigi
4352da7803 Update daemon and docker core to use new content addressable storage
Add distribution package for managing pulls and pushes. This is based on
the old code in the graph package, with major changes to work with the
new image/layer model.

Add v1 migration code.

Update registry, api/*, and daemon packages to use the reference
package's types where applicable.

Update daemon package to use image/layer/tag stores instead of the graph
package

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-11-24 09:40:25 -08:00
Alexander Morozov
90e2459ecb registry/registry.go: simplify logical expression
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-17 16:12:11 -08:00
Alexander Morozov
e2417e3e92 Merge pull request #17617 from askb/17168_pull_error_fix
Fix for #17168 issue
2015-11-17 16:10:44 -08:00
David Calavera
b665730d2c Make NormalizeLocalName to not reach the network to normalize names.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-11-17 03:31:32 -05:00
Anil Belur
31cdc63419 Fix for #17168 misleading pull error
This fix avoids overwritting the previous error messages, ensures the client gets the correct error messages and not just the most recent message during the pull request.
For this `var lastErr` replaced with a slice which acts as a temp place holder for the list of returned error messages for every attempt.
The slice is later joined and returned to the caller function after searching for the image with diffirent versions(v2,v1,v0).

Updated the code with check for no space left on device error occurance and prevent the
daemon on falling back to v1,v0.

Incorporated the comments from @calavera, @RichardScothern, @cpuguy83

Signed-off-by: Anil Belur <askb23@gmail.com>
2015-11-14 16:24:45 +05:30
Vincent Demeester
8054a30387 dockerversion placeholder for library import
- Add a *version* file placeholder.
- Update autogen and builds to use it and an autogen build flag

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-11-09 19:32:46 +01:00
Jess Frazelle
e704182c9c Merge pull request #17614 from LK4D4/fix_golint
Update linting tools to latest versions
2015-11-03 15:32:12 -08:00
Aaron Lehmann
257c59251b Vendor updated version of docker/distribution
This updates the vendored docker/distribution to the current master
branch.

Note the following changes:

- The manifest package was split into manifest/schema1. Most references
  to the manifest package in the engine needed to be updated to use
  schema1 instead.

- Validation functions in api/v2 were replaced by the
  distribution/reference package. The engine code has been updated to
  use the reference package for validation where necessary. A future PR
  will change the engine to use the types defined in
  distribution/reference more comprehensively.

- The reference package explicitly allows double _ characters in
  repository names. registry_test.go was updated for this.

- TestPullFailsWithAlteredManifest was corrupting the manifest JSON, now
  that the schema1 package unmarshals the correct payload. The test is
  being changed to modify the JSON without affecting its length, which
  allows the pull to succeed to the point where digest validation
  happens.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-11-02 12:40:18 -08:00
Alexander Morozov
7aa28b6bdd Fix go vet warnings
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-02 08:28:34 -08:00
Brian Goff
b78ca243d9 Revert "dockerversion placeholder for library-import"
This reverts commit d5cd032a86.

Commit caused issues on systems with case-insensitive filesystems.
Revert for now

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-10-27 21:23:53 -04:00
Vincent Demeester
d5cd032a86 dockerversion placeholder for library-import
- Move autogen/dockerversion to version
- Update autogen and "builds" to use this package and a build flag

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-10-27 20:36:07 +01:00
Derek McGowan
b5b0da5fec Update distribution package
Pick up name regexp change in distribution to allow matching of hostnames as a valid component of a repository.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-10-08 17:16:43 -07:00
Jessica Frazelle
c559d8ebf7
change flag name to better follow the other flags that start with disable;
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-10-07 10:16:37 -07:00
Vincent Demeester
b78f66c472 Merge pull request #16509 from HuKeping/search-problem
Fix docker search problem
2015-10-04 18:21:32 +02:00
Hu Keping
f04e8fdb9b Fix docker search problem
Search terms shouldn't be restricted to only full valid repository
names. It should be perfectly valid to search using a part of a name,
even if it ends with a period, dash or underscore.

Signed-off-by: Hu Keping <hukeping@huawei.com>
2015-10-04 23:23:43 +08:00
Richard Scothern
39f2f15a35 Prevent push and pull to v1 registries by filtering the available endpoints.
Add a daemon flag to control this behaviour.  Add a warning message when pulling
an image from a v1 registry.  The default order of pull is slightly altered
with this changset.

Previously it was:
https v2, https v1, http v2, http v1

now it is:
https v2, http v2, https v1, http v1

Prevent login to v1 registries by explicitly setting the version before ping to
prevent fallback to v1.

Add unit tests for v2 only mode.  Create a mock server that can register
handlers for various endpoints.  Assert no v1 endpoints are hit with legacy
registries disabled for the following commands:  pull, push, build, run and
login.  Assert the opposite when legacy registries are not disabled.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-09-25 15:59:42 -07:00
David Calavera
719886d435 Make RegistryConfig a typed value in the api.
Remove possible circular dependency that prevented us from using a real
type.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-09-07 19:29:33 -04:00
Alexander Morozov
137df3048c Merge pull request #15389 from aidanhs/aphs-simpler-pull-codepath
Remove unnecessary function parameter, add mirror endpoint test
2015-08-24 11:03:01 -07:00
Jessie Frazelle
3dc30d47e1 Merge pull request #15417 from icecrime/update_windows_registry_endpoint
Update Windows TP3 registry endpoints
2015-08-18 20:35:02 -07:00
Veres Lajos
5146232723 typofix - https://github.com/vlajos/misspell_fixer
Signed-off-by: Veres Lajos <vlajos@gmail.com>
2015-08-07 23:25:49 +01:00
Arnaud Porterie
c7e1f91a9e Update Windows TP3 registry endpoints
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-08-07 14:03:46 -07:00
David Calavera
0262d40ba7 Merge pull request #15370 from cpuguy83/better_error_on_client_connect
Better/more specific error messages on connect
2015-08-07 13:00:44 -07:00
Aidan Hobson Sayers
c016d2defd Remove unnecessary func parameter, add mirror endpoint test
Signed-off-by: Aidan Hobson Sayers <aidanhs@cantab.net>
2015-08-07 02:25:41 +01:00
Tibor Vass
b899977ee2 registry: Do not push to mirrors
This patch splits LookupEndpoints into LookupPullEndpoints and
LookupPushEndpoints so that mirrors added with --registry-mirror are
skipped in the list returned by LookupPushEndpoints.

Fixes https://github.com/docker/distribution/issues/823

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-08-06 17:41:59 -04:00
Brian Goff
9994a35b5d Better/more specific error messages on connect
Closes #15309

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-08-06 16:41:37 -04:00
John Howard
831b00303f Windows: Fix certificate directory for registry
Signed-off-by: John Howard <jhoward@microsoft.com>
2015-08-05 13:25:41 -07:00
Aaron Lehmann
1f61084d83 Fix uses of "int" where "int64" should be used instead
Some structures use int for sizes and UNIX timestamps. On some
platforms, int is 32 bits, so this can lead to the year 2038 issues and
overflows when dealing with large containers or layers.

Consistently use int64 to store sizes and UNIX timestamps in
api/types/types.go. Update related to code accordingly (i.e.
strconv.FormatInt instead of strconv.Itoa).

Use int64 in progressreader package to avoid integer overflow when
dealing with large quantities. Update related code accordingly.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-31 16:31:40 -07:00
Tibor Vass
ad96fc310b Merge pull request #14970 from tiborvass/windows-registry-endpoint
registry: Change default endpoint on windows to a windows-specific one
2015-07-30 22:41:34 -04:00
Tibor Vass
a21ba12f4e registry: allow fallback on unknown errors
This patch fixes a bug where a user specifies a v1 mirror for
--registry-mirror and pull an image from the Hub.

It used to not fallback because of an unexpected error returned when
trying to JSON marshal nginx output.

We now ensure that any unexpected error falls back to the next endpoint
in the list.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 19:03:38 -04:00
Tibor Vass
4a92b8a0ef registry: Change default endpoint on windows to a windows-specific one
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 14:52:41 -04:00
Derek McGowan
e863a07b89 Fix login and search TLS configuration
Currently login and search do not load per registry certificates.
This is a regression caused by the last refactor since this was recently fixed.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 10:36:57 -07:00
Derek McGowan
ed13c3abfb Use notary library for trusted image fetch and signing
Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest.
On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server.
If a tag is given, the cli will resolve the tag into a digest and pull by digest.
After pulling, if a tag is given the cli makes a request to tag the image.

Use certificate directory for notary requests

Read certificates using same logic used by daemon for registry requests.

Catch JSON syntax errors from Notary client

When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user.
Provide a generic error when a JSON syntax error occurs.

Catch expiration errors and wrap in additional context.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-24 14:08:20 -07:00
Aaron Lehmann
4fcb9ac40c Improve documentation and golint compliance of registry package
* Add godoc documentation where it was missing

* Change identifier names that don't match Go style, such as INDEX_NAME

* Rename RegistryInfo to PingResult, which more accurately describes
  what this structure is for. It also has the benefit of making the name
  not stutter if used outside the package.

Updates #14756

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-24 11:55:07 -07:00
Tibor Vass
96ce3a194a cli: new daemon command and new cli package
This patch creates a new cli package that allows to combine both client
and daemon commands (there is only one daemon command: docker daemon).

The `-d` and `--daemon` top-level flags are deprecated and a special
message is added to prompt the user to use `docker daemon`.

Providing top-level daemon-specific flags for client commands result
in an error message prompting the user to use `docker daemon`.

This patch does not break any old but correct usages.

This also makes `-d` and `--daemon` flags, as well as the `daemon`
command illegal in client-only binaries.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-23 19:44:46 -04:00
Jessica Frazelle
ca3dae523b better i/o timeout error on pull
Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-07-21 19:08:15 -07:00
Tibor Vass
42533e323c Merge pull request #14829 from RichardScothern/registry-tls
Configure TLS for private v2 registry mirrors.
2015-07-21 19:23:39 -04:00
Richard Scothern
6b36a488e7 Remove v1 registry mirror configuration from LookupEndpoints.
V1 mirrors do not mirror the index and those endpoints should
only be indexes.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:41 -07:00
Richard Scothern
cb57b25689 Configure TLS for private registry mirrors.
If a registry mirror is using TLS, ensure that certs for it
are picked up from /etc/docker/certs.d

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:25 -07:00
Aaron Lehmann
9e76e184e4 Remove unused types in registry package
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:53:57 -07:00
Aaron Lehmann
962dc622d9 Remove dead code in registry package
The only uses of RequestAuthorization and its associated functions were
removed in 19515a7ad8 ("Update graph to
use vendored distribution client for the v2 codepath")

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:45:53 -07:00
Morgan Bauer
dea49b7474
golint for cliconfig
- fully capitalize HTTP in HTTPHeaders
 - comment for CONFIGFILE
 - camelcase and privatize oldConfigfile, defaultIndexserver
 - remove unused var errConfigFileMissing
 - comments for methods and functions throughout
 - external references to renamed variables changed

Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
2015-07-20 16:48:58 -07:00
Ma Shimiao
1b67c38f6f fix 8926: rmi dangling is unsafe when pulling
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-17 11:39:57 -04:00
Derek McGowan
19515a7ad8 Update graph to use vendored distribution client for the v2 codepath
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:47 -04:00
Tibor Vass
276c640be4 remove pkg/transport and use the one from distribution
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:46 -04:00
Tibor Vass
b32c4cb459 Fix issue where Search API endpoint would panic due to empty AuthConfig
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 12:38:44 -04:00
David Calavera
46aea60fb0 Merge pull request #14332 from ankushagarwal/failedLogin
Add 500 check for registry api call
2015-07-15 11:19:31 -07:00
Derek McGowan
7f48cd7dce Set canonical name correctly
Currently canonical name gets set to the local name and displayed in the errors.
Canonical name should be the unique and canonical name for an image.
Use docker.io as the canonical domain for images on the public registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-14 17:45:49 -07:00
Stephen Day
c7d4a4b2b4 Merge pull request #14521 from mattmoor/authenticated-search
Add the X-Docker-Token header to the /v1/search requests.
2015-07-14 15:43:28 -07:00
Stephen J Day
451789cf88 Allow one character repository name components
The docker/distribution dependency was updated in the previous commit to allow
repository name components to only consist of a single letter. The unit tests
have been updated to cement this change.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-07-10 14:06:15 -06:00
Matt Moore
5a170484d1 Add the X-Docker-Token header to the /v1/search requests.
By adding this header AuthTransport will add Basic authentication to the request and allow 'docker search' results to include private images.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-07-09 20:56:23 -07:00
Ankush Agarwal
88f02c2f33 Add 500 check for registry api call
Partially Addresses #14326

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
2015-07-02 12:41:24 -07:00
Eric Windisch
37846bff58 Remove RC4 from the list of registry cipher suites
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.

Uses the tlsconfig package to define allowed ciphers.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-06-29 09:15:13 -04:00
Stephen Day
c7ece73fa4 Merge pull request #14046 from mattmoor/token-investigation
Unconditionally use AuthTransport.
2015-06-25 19:07:10 -07:00
Antonio Murdaca
927d13bc3c Remove dead code
Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-06-20 19:14:15 +02:00
Matt Moore
c2315102ff Unconditionally add AuthTransport.
Today, endpoints implementing v2 cannot properly fallback to v1 because the underlying transport that deals with authentication (Basic / Token) doesn't get annotated.

This doesn't affect DockerHub because the DockerHub endpoint appears as 'https://index.docker.io/v1/' (in .dockercfg), and the 'v1' tricks this logic just long enough that the transport is always annotated for DockerHub accesses.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-19 10:12:52 -07:00
Sebastiaan van Stijn
206acbcf89 Merge pull request #13070 from shishir-a412ed/cleanup_cmd_tag
Use distribution's ValidateRepositoryName for remote name validation.
2015-06-17 23:26:27 +02:00
Derek McGowan
d86345b9f7 Merge pull request #13575 from mattmoor/consistent-push-fallback
Make v2 push have v1-fallback behavior consistent with pull.
2015-06-17 13:41:58 -07:00
Shishir Mahajan
b8301005ff Use distribution's ValidateRepositoryName for remote name validation.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-06-17 15:15:16 -04:00
Don Kjer
b349a74c71 Only pulling single repository tag on pull for a specific tag. extending TestGetRemoteTags unit test
Splitting out GetRemoteTag from GetRemoteTags.  Adding registry.ErrRepoNotFound error

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-06-16 07:10:09 +00:00
Arnaud Porterie
13baeb3b70 Merge pull request #13815 from tiborvass/do-not-send-basic-auth-on-302
Do not set auth headers for registry v1 if 302
2015-06-09 15:34:53 -07:00
xiekeyang
a31be25121 Registry: remove unwanted return variable name
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
2015-06-09 10:58:33 +08:00
Tibor Vass
123a0582b2 Do not set auth headers if 302
This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.

This also ensures v2 does not use authTransport.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-08 19:59:39 -04:00
Antonio Murdaca
a06e0bb8b4 Merge pull request #13648 from tiborvass/print-debugtransport-to-test-output
registry: debugTransport should print with testing.T.Log
2015-06-05 00:42:22 +02:00
Matt Moore
bd2575cc4f Make the v2 logic fallback on v1 when v2 requests cannot be authorized.
Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-02 21:22:59 -07:00
Phil Estes
278798236b Merge pull request #13650 from jvgogh/master
Upon HTTP 302 redirect do not include "Authorization" header on 'untr…
2015-06-02 14:23:20 -04:00
Arnaud Porterie
274baf70bf Merge pull request #13576 from stevvooe/verify-digests
Properly verify manifests and layer digests on pull
2015-06-02 11:16:23 -07:00