5e8af46fda
With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
212 lines
7.4 KiB
Go
212 lines
7.4 KiB
Go
package distribution
|
|
|
|
import (
|
|
"fmt"
|
|
"net/url"
|
|
|
|
"github.com/Sirupsen/logrus"
|
|
"github.com/docker/docker/api"
|
|
"github.com/docker/docker/distribution/metadata"
|
|
"github.com/docker/docker/distribution/xfer"
|
|
"github.com/docker/docker/image"
|
|
"github.com/docker/docker/pkg/progress"
|
|
"github.com/docker/docker/reference"
|
|
"github.com/docker/docker/registry"
|
|
"github.com/docker/engine-api/types"
|
|
"golang.org/x/net/context"
|
|
)
|
|
|
|
// ImagePullConfig stores pull configuration.
|
|
type ImagePullConfig struct {
|
|
// MetaHeaders stores HTTP headers with metadata about the image
|
|
MetaHeaders map[string][]string
|
|
// AuthConfig holds authentication credentials for authenticating with
|
|
// the registry.
|
|
AuthConfig *types.AuthConfig
|
|
// ProgressOutput is the interface for showing the status of the pull
|
|
// operation.
|
|
ProgressOutput progress.Output
|
|
// RegistryService is the registry service to use for TLS configuration
|
|
// and endpoint lookup.
|
|
RegistryService *registry.Service
|
|
// ImageEventLogger notifies events for a given image
|
|
ImageEventLogger func(id, name, action string)
|
|
// MetadataStore is the storage backend for distribution-specific
|
|
// metadata.
|
|
MetadataStore metadata.Store
|
|
// ImageStore manages images.
|
|
ImageStore image.Store
|
|
// ReferenceStore manages tags.
|
|
ReferenceStore reference.Store
|
|
// DownloadManager manages concurrent pulls.
|
|
DownloadManager *xfer.LayerDownloadManager
|
|
}
|
|
|
|
// Puller is an interface that abstracts pulling for different API versions.
|
|
type Puller interface {
|
|
// Pull tries to pull the image referenced by `tag`
|
|
// Pull returns an error if any, as well as a boolean that determines whether to retry Pull on the next configured endpoint.
|
|
//
|
|
Pull(ctx context.Context, ref reference.Named) error
|
|
}
|
|
|
|
// newPuller returns a Puller interface that will pull from either a v1 or v2
|
|
// registry. The endpoint argument contains a Version field that determines
|
|
// whether a v1 or v2 puller will be created. The other parameters are passed
|
|
// through to the underlying puller implementation for use during the actual
|
|
// pull operation.
|
|
func newPuller(endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, imagePullConfig *ImagePullConfig) (Puller, error) {
|
|
switch endpoint.Version {
|
|
case registry.APIVersion2:
|
|
return &v2Puller{
|
|
V2MetadataService: metadata.NewV2MetadataService(imagePullConfig.MetadataStore),
|
|
endpoint: endpoint,
|
|
config: imagePullConfig,
|
|
repoInfo: repoInfo,
|
|
}, nil
|
|
case registry.APIVersion1:
|
|
return &v1Puller{
|
|
v1IDService: metadata.NewV1IDService(imagePullConfig.MetadataStore),
|
|
endpoint: endpoint,
|
|
config: imagePullConfig,
|
|
repoInfo: repoInfo,
|
|
}, nil
|
|
}
|
|
return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
|
|
}
|
|
|
|
// Pull initiates a pull operation. image is the repository name to pull, and
|
|
// tag may be either empty, or indicate a specific tag to pull.
|
|
func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullConfig) error {
|
|
// Resolve the Repository name from fqn to RepositoryInfo
|
|
repoInfo, err := imagePullConfig.RegistryService.ResolveRepository(ref)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// makes sure name is not empty or `scratch`
|
|
if err := validateRepoName(repoInfo.Name()); err != nil {
|
|
return err
|
|
}
|
|
|
|
endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(repoInfo)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var (
|
|
lastErr error
|
|
|
|
// discardNoSupportErrors is used to track whether an endpoint encountered an error of type registry.ErrNoSupport
|
|
// By default it is false, which means that if a ErrNoSupport error is encountered, it will be saved in lastErr.
|
|
// As soon as another kind of error is encountered, discardNoSupportErrors is set to true, avoiding the saving of
|
|
// any subsequent ErrNoSupport errors in lastErr.
|
|
// It's needed for pull-by-digest on v1 endpoints: if there are only v1 endpoints configured, the error should be
|
|
// returned and displayed, but if there was a v2 endpoint which supports pull-by-digest, then the last relevant
|
|
// error is the ones from v2 endpoints not v1.
|
|
discardNoSupportErrors bool
|
|
|
|
// confirmedV2 is set to true if a pull attempt managed to
|
|
// confirm that it was talking to a v2 registry. This will
|
|
// prevent fallback to the v1 protocol.
|
|
confirmedV2 bool
|
|
|
|
// confirmedTLSRegistries is a map indicating which registries
|
|
// are known to be using TLS. There should never be a plaintext
|
|
// retry for any of these.
|
|
confirmedTLSRegistries = make(map[string]struct{})
|
|
)
|
|
for _, endpoint := range endpoints {
|
|
if confirmedV2 && endpoint.Version == registry.APIVersion1 {
|
|
logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
|
|
continue
|
|
}
|
|
|
|
parsedURL, urlErr := url.Parse(endpoint.URL)
|
|
if urlErr != nil {
|
|
logrus.Errorf("Failed to parse endpoint URL %s", endpoint.URL)
|
|
continue
|
|
}
|
|
|
|
if parsedURL.Scheme != "https" {
|
|
if _, confirmedTLS := confirmedTLSRegistries[parsedURL.Host]; confirmedTLS {
|
|
logrus.Debugf("Skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
|
|
continue
|
|
}
|
|
}
|
|
|
|
logrus.Debugf("Trying to pull %s from %s %s", repoInfo.Name(), endpoint.URL, endpoint.Version)
|
|
|
|
puller, err := newPuller(endpoint, repoInfo, imagePullConfig)
|
|
if err != nil {
|
|
lastErr = err
|
|
continue
|
|
}
|
|
if err := puller.Pull(ctx, ref); err != nil {
|
|
// Was this pull cancelled? If so, don't try to fall
|
|
// back.
|
|
fallback := false
|
|
select {
|
|
case <-ctx.Done():
|
|
default:
|
|
if fallbackErr, ok := err.(fallbackError); ok {
|
|
fallback = true
|
|
confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
|
|
if fallbackErr.transportOK && parsedURL.Scheme == "https" {
|
|
confirmedTLSRegistries[parsedURL.Host] = struct{}{}
|
|
}
|
|
err = fallbackErr.err
|
|
}
|
|
}
|
|
if fallback {
|
|
if _, ok := err.(ErrNoSupport); !ok {
|
|
// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.
|
|
discardNoSupportErrors = true
|
|
// append subsequent errors
|
|
lastErr = err
|
|
} else if !discardNoSupportErrors {
|
|
// Save the ErrNoSupport error, because it's either the first error or all encountered errors
|
|
// were also ErrNoSupport errors.
|
|
// append subsequent errors
|
|
lastErr = err
|
|
}
|
|
logrus.Errorf("Attempting next endpoint for pull after error: %v", err)
|
|
continue
|
|
}
|
|
logrus.Errorf("Not continuing with pull after error: %v", err)
|
|
return err
|
|
}
|
|
|
|
imagePullConfig.ImageEventLogger(ref.String(), repoInfo.Name(), "pull")
|
|
return nil
|
|
}
|
|
|
|
if lastErr == nil {
|
|
lastErr = fmt.Errorf("no endpoints found for %s", ref.String())
|
|
}
|
|
|
|
return lastErr
|
|
}
|
|
|
|
// writeStatus writes a status message to out. If layersDownloaded is true, the
|
|
// status message indicates that a newer image was downloaded. Otherwise, it
|
|
// indicates that the image is up to date. requestedTag is the tag the message
|
|
// will refer to.
|
|
func writeStatus(requestedTag string, out progress.Output, layersDownloaded bool) {
|
|
if layersDownloaded {
|
|
progress.Message(out, "", "Status: Downloaded newer image for "+requestedTag)
|
|
} else {
|
|
progress.Message(out, "", "Status: Image is up to date for "+requestedTag)
|
|
}
|
|
}
|
|
|
|
// validateRepoName validates the name of a repository.
|
|
func validateRepoName(name string) error {
|
|
if name == "" {
|
|
return fmt.Errorf("Repository name can't be empty")
|
|
}
|
|
if name == api.NoBaseImageSpecifier {
|
|
return fmt.Errorf("'%s' is a reserved name", api.NoBaseImageSpecifier)
|
|
}
|
|
return nil
|
|
}
|