2015-06-22 21:37:13 +00:00
|
|
|
import logging
|
|
|
|
|
2016-02-09 19:16:39 +00:00
|
|
|
from functools import wraps
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2016-08-09 16:28:00 +00:00
|
|
|
from flask import request, url_for, Response
|
2016-03-09 21:20:28 +00:00
|
|
|
|
|
|
|
import features
|
|
|
|
|
2018-12-06 17:40:34 +00:00
|
|
|
from app import app, metric_queue, storage
|
2015-12-09 20:07:37 +00:00
|
|
|
from auth.registry_jwt_auth import process_registry_jwt_auth
|
2016-07-25 22:56:25 +00:00
|
|
|
from digest import digest_tools
|
2018-08-27 19:01:27 +00:00
|
|
|
from data.registry_model import registry_model
|
2017-07-20 15:31:22 +00:00
|
|
|
from endpoints.decorators import anon_protect, parse_repository_name
|
2017-06-26 22:10:39 +00:00
|
|
|
from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
|
2018-12-06 17:40:34 +00:00
|
|
|
from endpoints.v2.errors import (ManifestInvalid, ManifestUnknown, NameInvalid, TagExpired,
|
|
|
|
NameUnknown)
|
2016-08-02 22:45:30 +00:00
|
|
|
from image.docker import ManifestException
|
2019-01-11 21:37:23 +00:00
|
|
|
from image.docker.schema1 import DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE, DOCKER_SCHEMA1_CONTENT_TYPES
|
2017-12-20 16:02:34 +00:00
|
|
|
from image.docker.schema2 import DOCKER_SCHEMA2_CONTENT_TYPES, OCI_CONTENT_TYPES
|
2018-11-13 09:49:12 +00:00
|
|
|
from image.docker.schemas import parse_manifest_from_bytes
|
2017-07-14 13:29:59 +00:00
|
|
|
from notifications import spawn_notification
|
2017-05-11 17:33:18 +00:00
|
|
|
from util.audit import track_and_log
|
2019-01-09 01:49:00 +00:00
|
|
|
from util.bytes import Bytes
|
2016-07-26 00:50:35 +00:00
|
|
|
from util.names import VALID_TAG_PATTERN
|
2016-12-21 17:54:50 +00:00
|
|
|
from util.registry.replication import queue_replication_batch
|
2018-10-05 21:30:47 +00:00
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2016-01-21 20:40:51 +00:00
|
|
|
BASE_MANIFEST_ROUTE = '/<repopath:repository>/manifests/<regex("{0}"):manifest_ref>'
|
2015-08-12 20:39:32 +00:00
|
|
|
MANIFEST_DIGEST_ROUTE = BASE_MANIFEST_ROUTE.format(digest_tools.DIGEST_PATTERN)
|
|
|
|
MANIFEST_TAGNAME_ROUTE = BASE_MANIFEST_ROUTE.format(VALID_TAG_PATTERN)
|
|
|
|
|
2017-06-26 22:16:15 +00:00
|
|
|
|
2015-08-12 20:39:32 +00:00
|
|
|
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET'])
|
2016-03-09 21:20:28 +00:00
|
|
|
@parse_repository_name()
|
2016-03-09 23:09:20 +00:00
|
|
|
@process_registry_jwt_auth(scopes=['pull'])
|
2015-08-12 20:39:32 +00:00
|
|
|
@require_repo_read
|
|
|
|
@anon_protect
|
2016-08-16 19:23:00 +00:00
|
|
|
def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
2018-10-05 21:30:47 +00:00
|
|
|
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
|
|
|
if repository_ref is None:
|
|
|
|
raise NameUnknown()
|
|
|
|
|
|
|
|
tag = registry_model.get_repo_tag(repository_ref, manifest_ref)
|
|
|
|
if tag is None:
|
|
|
|
if registry_model.has_expired_tag(repository_ref, manifest_ref):
|
|
|
|
logger.debug('Found expired tag %s for repository %s/%s', manifest_ref, namespace_name,
|
2018-10-08 15:32:09 +00:00
|
|
|
repo_name)
|
2018-10-05 21:30:47 +00:00
|
|
|
msg = 'Tag %s was deleted or has expired. To pull, revive via time machine' % manifest_ref
|
|
|
|
raise TagExpired(msg)
|
|
|
|
|
|
|
|
raise ManifestUnknown()
|
|
|
|
|
|
|
|
manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
|
2016-07-25 22:56:25 +00:00
|
|
|
if manifest is None:
|
2018-10-05 21:30:47 +00:00
|
|
|
# Something went wrong.
|
|
|
|
raise ManifestInvalid()
|
|
|
|
|
2019-01-11 20:24:21 +00:00
|
|
|
manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
|
|
|
|
namespace_name, repo_name, manifest_ref, manifest)
|
|
|
|
if manifest_bytes is None:
|
2018-11-13 09:49:12 +00:00
|
|
|
raise ManifestUnknown()
|
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
track_and_log('pull_repo', repository_ref, analytics_name='pull_repo_100x', analytics_sample=0.01,
|
|
|
|
tag=manifest_ref)
|
|
|
|
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
2015-11-21 02:29:57 +00:00
|
|
|
|
2016-08-09 16:28:00 +00:00
|
|
|
return Response(
|
2019-01-11 20:24:21 +00:00
|
|
|
manifest_bytes.as_unicode(),
|
2016-08-09 16:28:00 +00:00
|
|
|
status=200,
|
2018-10-05 21:30:47 +00:00
|
|
|
headers={
|
2019-01-12 21:06:11 +00:00
|
|
|
'Content-Type': manifest_media_type,
|
2019-01-11 20:24:21 +00:00
|
|
|
'Docker-Content-Digest': manifest_digest,
|
2018-10-05 21:30:47 +00:00
|
|
|
},
|
|
|
|
)
|
2015-08-12 20:39:32 +00:00
|
|
|
|
|
|
|
|
|
|
|
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET'])
|
2016-03-09 21:20:28 +00:00
|
|
|
@parse_repository_name()
|
2016-03-09 23:09:20 +00:00
|
|
|
@process_registry_jwt_auth(scopes=['pull'])
|
2015-06-22 21:37:13 +00:00
|
|
|
@require_repo_read
|
|
|
|
@anon_protect
|
2016-03-09 21:20:28 +00:00
|
|
|
def fetch_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
2018-10-05 21:30:47 +00:00
|
|
|
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
|
|
|
if repository_ref is None:
|
|
|
|
raise NameUnknown()
|
|
|
|
|
|
|
|
manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
|
2016-07-25 22:56:25 +00:00
|
|
|
if manifest is None:
|
2015-08-12 20:39:32 +00:00
|
|
|
raise ManifestUnknown()
|
|
|
|
|
2019-01-11 20:24:21 +00:00
|
|
|
manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
|
|
|
|
namespace_name, repo_name, '$digest', manifest)
|
|
|
|
if manifest_digest is None:
|
2018-11-13 09:49:12 +00:00
|
|
|
raise ManifestUnknown()
|
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
track_and_log('pull_repo', repository_ref, manifest_digest=manifest_ref)
|
|
|
|
metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
2015-11-21 02:29:57 +00:00
|
|
|
|
2019-01-11 20:24:21 +00:00
|
|
|
return Response(manifest_bytes.as_unicode(), status=200, headers={
|
2019-01-12 21:06:11 +00:00
|
|
|
'Content-Type': manifest_media_type,
|
2019-01-11 20:24:21 +00:00
|
|
|
'Docker-Content-Digest': manifest_digest,
|
2018-10-05 21:30:47 +00:00
|
|
|
})
|
2015-08-12 20:39:32 +00:00
|
|
|
|
|
|
|
|
2019-01-11 20:24:21 +00:00
|
|
|
def _rewrite_schema_if_necessary(namespace_name, repo_name, tag_name, manifest):
|
2018-11-13 09:49:12 +00:00
|
|
|
# As per the Docker protocol, if the manifest is not schema version 1 and the manifest's
|
|
|
|
# media type is not in the Accept header, we return a schema 1 version of the manifest for
|
|
|
|
# the amd64+linux platform, if any, or None if none.
|
|
|
|
# See: https://docs.docker.com/registry/spec/manifest-v2-2
|
2018-11-13 15:13:51 +00:00
|
|
|
mimetypes = [mimetype for mimetype, _ in request.accept_mimetypes]
|
2019-01-11 20:24:21 +00:00
|
|
|
if manifest.media_type in mimetypes:
|
|
|
|
return manifest.internal_manifest_bytes, manifest.digest, manifest.media_type
|
2018-11-13 09:49:12 +00:00
|
|
|
|
2019-01-11 21:37:23 +00:00
|
|
|
# Short-circuit check: If the mimetypes is empty or just `application/json`, verify we have
|
|
|
|
# a schema 1 manifest and return it.
|
|
|
|
if not mimetypes or mimetypes == ['application/json']:
|
|
|
|
if manifest.media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
|
|
|
|
return manifest.internal_manifest_bytes, manifest.digest, manifest.media_type
|
|
|
|
|
2019-01-11 20:24:21 +00:00
|
|
|
logger.debug('Manifest `%s` not compatible against %s; checking for conversion', manifest.digest,
|
|
|
|
request.accept_mimetypes)
|
2018-12-06 17:40:34 +00:00
|
|
|
converted = registry_model.convert_manifest(manifest, namespace_name, repo_name, tag_name,
|
|
|
|
mimetypes, storage)
|
|
|
|
if converted is not None:
|
2019-01-11 20:24:21 +00:00
|
|
|
return converted.bytes, converted.digest, converted.media_type
|
2018-12-06 17:40:34 +00:00
|
|
|
|
|
|
|
# For back-compat, we always default to schema 1 if the manifest could not be converted.
|
2019-01-11 20:24:21 +00:00
|
|
|
schema1 = registry_model.get_schema1_parsed_manifest(manifest, namespace_name, repo_name,
|
|
|
|
tag_name, storage)
|
|
|
|
if schema1 is None:
|
|
|
|
return None, None, None
|
|
|
|
|
|
|
|
return schema1.bytes, schema1.digest, schema1.media_type
|
2018-11-13 09:49:12 +00:00
|
|
|
|
|
|
|
|
2016-02-09 19:16:39 +00:00
|
|
|
def _reject_manifest2_schema2(func):
|
|
|
|
@wraps(func)
|
|
|
|
def wrapped(*args, **kwargs):
|
2018-11-13 09:49:12 +00:00
|
|
|
namespace_name = kwargs['namespace_name']
|
|
|
|
if registry_model.supports_schema2(namespace_name):
|
|
|
|
return func(*args, **kwargs)
|
|
|
|
|
2018-08-09 02:23:52 +00:00
|
|
|
if _doesnt_accept_schema_v1() or \
|
|
|
|
request.content_type in DOCKER_SCHEMA2_CONTENT_TYPES | OCI_CONTENT_TYPES:
|
2016-02-09 19:16:39 +00:00
|
|
|
raise ManifestInvalid(detail={'message': 'manifest schema version not supported'},
|
|
|
|
http_status_code=415)
|
|
|
|
return func(*args, **kwargs)
|
2017-06-26 22:16:15 +00:00
|
|
|
|
2016-02-09 19:16:39 +00:00
|
|
|
return wrapped
|
|
|
|
|
|
|
|
|
2018-08-09 02:23:52 +00:00
|
|
|
def _doesnt_accept_schema_v1():
|
|
|
|
# If the client doesn't specify anything, still give them Schema v1.
|
|
|
|
return len(request.accept_mimetypes) != 0 and \
|
|
|
|
DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE not in request.accept_mimetypes
|
|
|
|
|
|
|
|
|
2015-08-12 20:39:32 +00:00
|
|
|
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT'])
|
2016-03-09 21:20:28 +00:00
|
|
|
@parse_repository_name()
|
2018-11-13 09:49:12 +00:00
|
|
|
@_reject_manifest2_schema2
|
2016-03-09 23:09:20 +00:00
|
|
|
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
2015-08-12 20:39:32 +00:00
|
|
|
@require_repo_write
|
|
|
|
@anon_protect
|
2016-08-16 19:23:00 +00:00
|
|
|
def write_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
2018-11-19 11:23:29 +00:00
|
|
|
parsed = _parse_manifest()
|
|
|
|
return _write_manifest_and_log(namespace_name, repo_name, manifest_ref, parsed)
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
|
2015-08-12 20:39:32 +00:00
|
|
|
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT'])
|
2016-03-09 21:20:28 +00:00
|
|
|
@parse_repository_name()
|
2018-11-13 09:49:12 +00:00
|
|
|
@_reject_manifest2_schema2
|
2016-03-09 23:09:20 +00:00
|
|
|
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
2015-06-22 21:37:13 +00:00
|
|
|
@require_repo_write
|
|
|
|
@anon_protect
|
2016-09-01 23:00:11 +00:00
|
|
|
def write_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
2018-11-19 11:23:29 +00:00
|
|
|
parsed = _parse_manifest()
|
|
|
|
if parsed.digest != manifest_ref:
|
|
|
|
raise ManifestInvalid(detail={'message': 'manifest digest mismatch'})
|
|
|
|
|
|
|
|
if parsed.schema_version != 2:
|
|
|
|
return _write_manifest_and_log(namespace_name, repo_name, parsed.tag, parsed)
|
|
|
|
|
|
|
|
# If the manifest is schema version 2, then this cannot be a normal tag-based push, as the
|
|
|
|
# manifest does not contain the tag and this call was not given a tag name. Instead, we write the
|
|
|
|
# manifest with a temporary tag, as it is being pushed as part of a call for a manifest list.
|
|
|
|
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
|
|
|
if repository_ref is None:
|
|
|
|
raise NameUnknown()
|
|
|
|
|
|
|
|
expiration_sec = app.config['PUSH_TEMP_TAG_EXPIRATION_SEC']
|
|
|
|
manifest = registry_model.create_manifest_with_temp_tag(repository_ref, parsed, expiration_sec,
|
|
|
|
storage)
|
|
|
|
if manifest is None:
|
|
|
|
raise ManifestInvalid()
|
|
|
|
|
|
|
|
return Response(
|
|
|
|
'OK',
|
|
|
|
status=202,
|
|
|
|
headers={
|
|
|
|
'Docker-Content-Digest': manifest.digest,
|
|
|
|
'Location':
|
|
|
|
url_for('v2.fetch_manifest_by_digest',
|
|
|
|
repository='%s/%s' % (namespace_name, repo_name),
|
|
|
|
manifest_ref=manifest.digest),
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
def _parse_manifest():
|
|
|
|
content_type = request.content_type or DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
|
|
|
|
if content_type == 'application/json':
|
|
|
|
# For back-compat.
|
|
|
|
content_type = DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
|
|
|
|
|
2015-10-02 18:01:12 +00:00
|
|
|
try:
|
2019-01-09 01:49:00 +00:00
|
|
|
return parse_manifest_from_bytes(Bytes.for_string_or_unicode(request.data), content_type)
|
2016-07-25 22:56:25 +00:00
|
|
|
except ManifestException as me:
|
2018-11-19 11:23:29 +00:00
|
|
|
logger.exception("failed to parse manifest when writing by tagname")
|
2016-10-03 14:13:39 +00:00
|
|
|
raise ManifestInvalid(detail={'message': 'failed to parse manifest: %s' % me.message})
|
2015-10-02 18:01:12 +00:00
|
|
|
|
2015-08-12 20:39:32 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE'])
|
|
|
|
@parse_repository_name()
|
|
|
|
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
|
|
|
@require_repo_write
|
|
|
|
@anon_protect
|
|
|
|
def delete_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
|
|
|
"""
|
|
|
|
Delete the manifest specified by the digest.
|
2015-09-29 21:53:39 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
Note: there is no equivalent method for deleting by tag name because it is
|
|
|
|
forbidden by the spec.
|
|
|
|
"""
|
|
|
|
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
|
|
|
if repository_ref is None:
|
|
|
|
raise NameUnknown()
|
2016-08-29 15:58:18 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
|
|
|
|
if manifest is None:
|
|
|
|
raise ManifestUnknown()
|
2016-07-25 22:56:25 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
tags = registry_model.delete_tags_for_manifest(manifest)
|
|
|
|
if not tags:
|
|
|
|
raise ManifestUnknown()
|
2017-06-19 23:03:10 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
for tag in tags:
|
|
|
|
track_and_log('delete_tag', repository_ref, tag=tag.name, digest=manifest_ref)
|
2016-05-31 20:43:49 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
return Response(status=202)
|
2016-09-01 23:00:11 +00:00
|
|
|
|
|
|
|
|
2018-11-13 09:49:12 +00:00
|
|
|
def _write_manifest_and_log(namespace_name, repo_name, tag_name, manifest_impl):
|
|
|
|
repository_ref, manifest, tag = _write_manifest(namespace_name, repo_name, tag_name,
|
|
|
|
manifest_impl)
|
2016-09-01 23:00:11 +00:00
|
|
|
|
2016-05-31 20:43:49 +00:00
|
|
|
# Queue all blob manifests for replication.
|
|
|
|
if features.STORAGE_REPLICATION:
|
2018-11-26 14:15:48 +00:00
|
|
|
blobs = registry_model.get_manifest_local_blobs(manifest)
|
|
|
|
if blobs is None:
|
|
|
|
logger.error('Could not lookup blobs for manifest `%s`', manifest.digest)
|
|
|
|
else:
|
|
|
|
with queue_replication_batch(namespace_name) as queue_storage_replication:
|
|
|
|
for blob_digest in blobs:
|
|
|
|
queue_storage_replication(blob_digest)
|
2015-08-25 20:02:21 +00:00
|
|
|
|
2018-11-13 09:49:12 +00:00
|
|
|
track_and_log('push_repo', repository_ref, tag=tag_name)
|
|
|
|
spawn_notification(repository_ref, 'repo_push', {'updated_tags': [tag_name]})
|
2016-11-03 19:28:40 +00:00
|
|
|
metric_queue.repository_push.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
|
2015-08-25 20:02:21 +00:00
|
|
|
|
2016-08-09 16:28:00 +00:00
|
|
|
return Response(
|
|
|
|
'OK',
|
|
|
|
status=202,
|
|
|
|
headers={
|
2018-01-11 21:25:38 +00:00
|
|
|
'Docker-Content-Digest': manifest.digest,
|
2017-06-26 22:16:15 +00:00
|
|
|
'Location':
|
2018-10-05 21:30:47 +00:00
|
|
|
url_for('v2.fetch_manifest_by_digest',
|
|
|
|
repository='%s/%s' % (namespace_name, repo_name),
|
2018-01-11 21:25:38 +00:00
|
|
|
manifest_ref=manifest.digest),
|
|
|
|
},
|
|
|
|
)
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
|
2018-11-13 09:49:12 +00:00
|
|
|
def _write_manifest(namespace_name, repo_name, tag_name, manifest_impl):
|
|
|
|
# NOTE: These extra checks are needed for schema version 1 because the manifests
|
|
|
|
# contain the repo namespace, name and tag name.
|
|
|
|
if manifest_impl.schema_version == 1:
|
|
|
|
if (manifest_impl.namespace == '' and features.LIBRARY_SUPPORT and
|
|
|
|
namespace_name == app.config['LIBRARY_NAMESPACE']):
|
|
|
|
pass
|
|
|
|
elif manifest_impl.namespace != namespace_name:
|
|
|
|
raise NameInvalid()
|
2016-07-25 22:56:25 +00:00
|
|
|
|
2018-11-13 09:49:12 +00:00
|
|
|
if manifest_impl.repo_name != repo_name:
|
|
|
|
raise NameInvalid()
|
2015-08-12 20:39:32 +00:00
|
|
|
|
2018-11-13 09:49:12 +00:00
|
|
|
if not manifest_impl.layers:
|
|
|
|
raise ManifestInvalid(detail={'message': 'manifest does not reference any layers'})
|
2015-11-21 02:29:57 +00:00
|
|
|
|
2018-10-05 21:30:47 +00:00
|
|
|
# Ensure that the repository exists.
|
|
|
|
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
|
|
|
if repository_ref is None:
|
|
|
|
raise NameUnknown()
|
|
|
|
|
2018-11-13 17:05:45 +00:00
|
|
|
# Create the manifest(s) and retarget the tag to point to it.
|
2018-10-05 21:30:47 +00:00
|
|
|
manifest, tag = registry_model.create_manifest_and_retarget_tag(repository_ref, manifest_impl,
|
2018-11-13 09:49:12 +00:00
|
|
|
tag_name, storage)
|
2018-10-05 21:30:47 +00:00
|
|
|
if manifest is None:
|
|
|
|
raise ManifestInvalid()
|
|
|
|
|
|
|
|
return repository_ref, manifest, tag
|