package client // import "github.com/docker/docker/client" import ( "context" "io" "net/url" "strings" "github.com/distribution/reference" "github.com/docker/docker/api/types/image" "github.com/docker/docker/errdefs" ) // ImagePull requests the docker host to pull an image from a remote registry. // It executes the privileged function if the operation is unauthorized // and it tries one more time. // It's up to the caller to handle the io.ReadCloser and close it properly. // // FIXME(vdemeester): there is currently used in a few way in docker/docker // - if not in trusted content, ref is used to pass the whole reference, and tag is empty // - if in trusted content, ref is used to pass the reference name, and tag for the digest func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.PullOptions) (io.ReadCloser, error) { ref, err := reference.ParseNormalizedNamed(refStr) if err != nil { return nil, err } query := url.Values{} query.Set("fromImage", reference.FamiliarName(ref)) if !options.All { query.Set("tag", getAPITagFromNamedRef(ref)) } if options.Platform != "" { query.Set("platform", strings.ToLower(options.Platform)) } resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth) if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil { newAuthHeader, privilegeErr := options.PrivilegeFunc() if privilegeErr != nil { return nil, privilegeErr } resp, err = cli.tryImageCreate(ctx, query, newAuthHeader) } if err != nil { return nil, err } return resp.body, nil } // getAPITagFromNamedRef returns a tag from the specified reference. // This function is necessary as long as the docker "server" api expects // digests to be sent as tags and makes a distinction between the name // and tag/digest part of a reference. 
func getAPITagFromNamedRef(ref reference.Named) string {
	// A digest wins over a tag: it is checked first, so a reference that
	// carries a digest is always sent to the API by digest.
	if d, isDigested := ref.(reference.Digested); isDigested {
		return d.Digest().String()
	}

	// TagNameOnly supplies the default tag ("latest") for a name-only
	// reference, so an untagged name resolves to a mutable tag, not a pin.
	withTag, isTagged := reference.TagNameOnly(ref).(reference.Tagged)
	if !isTagged {
		return ""
	}
	return withTag.Tag()
}