From e70eed209028f431df6202bf9f1fcb5bb7bf091c Mon Sep 17 00:00:00 2001 From: Richard Scothern Date: Fri, 15 Apr 2016 09:52:20 -0700 Subject: [PATCH 1/6] Merge pull request #1641 from RichardScothern/ifollowtherules Correction for JSON example. (cherry picked from commit 9d491698ccf3eba4e87213350518dbaacf8e9650) Signed-off-by: Sven Dowideit --- docs/storage-drivers/s3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md index 2a7aa9f5..d78fc988 100644 --- a/docs/storage-drivers/s3.md +++ b/docs/storage-drivers/s3.md @@ -198,7 +198,7 @@ The following IAM permissions are required by the registry for push and pull. S "Action": [ "s3:ListBucket", "s3:GetBucketLocation", - "s3:ListBucketMultipartUploads", + "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::mybucket" }, From 338d3ad6b6c5318d0bcaf7588d8f838e4dd6486a Mon Sep 17 00:00:00 2001 From: Richard Scothern Date: Mon, 25 Apr 2016 17:01:15 -0700 Subject: [PATCH 2/6] Merge pull request #1644 from fh1ch/clarify-kid-format Clarify kid format for JWT token auth in docs (cherry picked from commit 47d14555c02463c062e920198f3aeb2fcd6bcdb4) Signed-off-by: Sven Dowideit --- docs/spec/auth/jwt.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/spec/auth/jwt.md b/docs/spec/auth/jwt.md index f627b17a..87de62af 100644 --- a/docs/spec/auth/jwt.md +++ b/docs/spec/auth/jwt.md @@ -69,8 +69,17 @@ Token has 3 main parts: The header of a JSON Web Token is a standard JOSE header. The "typ" field will be "JWT" and it will also contain the "alg" which identifies the - signing algorithm used to produce the signature. It will also usually have - a "kid" field, the ID of the key which was used to sign the token. + signing algorithm used to produce the signature. It also must have a "kid" + field, representing the ID of the key which was used to sign the token. + + The "kid" field has to be in a libtrust fingerprint compatible format. + Such a format can be generated by following steps: + + 1. Take the DER encoded public key which the JWT token was signed against. + + 2. Create a SHA256 hash out of it and truncate to 240bits. + + 3. Split the result into 12 base32 encoded groups with `:` as delimiter. Here is an example JOSE Header for a JSON Web Token (formatted with whitespace for readability): From 901abf95d54f3ad705c8e5c170f8956d7b0a3d2b Mon Sep 17 00:00:00 2001 From: Sven Dowideit Date: Tue, 3 May 2016 10:48:11 +1000 Subject: [PATCH 3/6] Merge pull request #1680 from SvenDowideit/use-docs-base-oss convert docs Dockerfiles to use docs/base:oss (cherry picked from commit b7088d29c6ee508881153aed3bb46290f521e15d) Signed-off-by: Sven Dowideit --- docs/Dockerfile | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/docs/Dockerfile b/docs/Dockerfile index 44128086..8fa63a33 100644 --- a/docs/Dockerfile +++ b/docs/Dockerfile @@ -1,18 +1,9 @@ -FROM docs/base:latest +FROM docs/base:oss MAINTAINER Mary Anthony (@moxiegirl) -RUN svn checkout https://github.com/docker/docker/trunk/docs /docs/content/engine -RUN svn checkout https://github.com/docker/compose/trunk/docs /docs/content/compose -RUN svn checkout https://github.com/docker/swarm/trunk/docs /docs/content/swarm -RUN svn checkout https://github.com/docker/machine/trunk/docs /docs/content/machine -RUN svn checkout https://github.com/docker/notary/trunk/docs /docs/content/notary -RUN svn checkout https://github.com/docker/kitematic/trunk/docs /docs/content/kitematic -RUN svn checkout https://github.com/docker/toolbox/trunk/docs /docs/content/toolbox -RUN svn checkout https://github.com/docker/opensource/trunk/docs /docs/content/opensource - ENV PROJECT=registry # To get the git info for this repo COPY . /src - +RUN rm -r /docs/content/$PROJECT/ COPY . /docs/content/$PROJECT/ From d15375897b95efbcd396cb220488463cfe3a4fa3 Mon Sep 17 00:00:00 2001 From: Olivier Gambier Date: Wed, 4 May 2016 13:52:21 -0700 Subject: [PATCH 4/6] Merge pull request #1663 from moxiegirl/fix-flags Fixing nginx flag issue identified by customer (cherry picked from commit 4ecea4b311d968fb789e30a78c8c6510996a9183) Signed-off-by: Sven Dowideit --- docs/nginx.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/nginx.md b/docs/nginx.md index 17b92f44..361a1063 100644 --- a/docs/nginx.md +++ b/docs/nginx.md @@ -76,7 +76,7 @@ events { } http { - + upstream docker-registry { server registry:5000; } @@ -98,34 +98,34 @@ http { # SSL ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate_key /etc/nginx/conf.d/domain.key; - + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; - + # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; - + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; - + location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) { return 404; } - + # To add basic authentication to v2 use auth_basic setting. auth_basic "Registry realm"; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; - + ## If $docker_distribution_api_version is empty, the header will not be added. ## See the map directive above where this variable is defined. add_header 'Docker-Distribution-Api-Version' \$docker_distribution_api_version always; - + proxy_pass http://docker-registry; proxy_set_header Host \$http_host; # required for docker client's sake proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP @@ -182,7 +182,7 @@ Now, start your stack: Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image: - docker login -p=testuser -u=testpassword -e=root@example.ch myregistrydomain.com:5043 + docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043 docker tag ubuntu myregistrydomain.com:5043/test docker push myregistrydomain.com:5043/test docker pull myregistrydomain.com:5043/test From 354d7351ffc9b95bb3a7028257c13e626f007329 Mon Sep 17 00:00:00 2001 From: Richard Scothern Date: Tue, 10 May 2016 13:43:25 +0100 Subject: [PATCH 5/6] Merge pull request #1702 from RichardScothern/api.md Remove the unimplemented monolithic upload section from the API (cherry picked from commit 050a30eac04cc83894e80f3e4525db0b14f474bb) Signed-off-by: Sven Dowideit --- docs/spec/api.md | 20 -------------------- docs/spec/api.md.tmpl | 20 -------------------- 2 files changed, 40 deletions(-) diff --git a/docs/spec/api.md b/docs/spec/api.md index fc074ffb..56e9242c 100644 --- a/docs/spec/api.md +++ b/docs/spec/api.md @@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and diff --git a/docs/spec/api.md.tmpl b/docs/spec/api.md.tmpl index 1a879ba0..1a9e9f89 100644 --- a/docs/spec/api.md.tmpl +++ b/docs/spec/api.md.tmpl @@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and From be3289bfe10ea4ac554e764ddfc236b8868ab2e6 Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Wed, 11 May 2016 16:30:28 -0700 Subject: [PATCH 6/6] Merge pull request #1721 from cyli/change-auth-scope-grammar Hostnames can be optionally supported by the auth spec scope grammar (cherry picked from commit 4a915d6efdea23f437cb4144211aaf2faed27774) Signed-off-by: Sven Dowideit --- docs/spec/auth/scope.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/spec/auth/scope.md b/docs/spec/auth/scope.md index 76e6f8cf..e626b6e1 100644 --- a/docs/spec/auth/scope.md +++ b/docs/spec/auth/scope.md @@ -56,7 +56,7 @@ it. The resource name represent the name which identifies a resource for a resource provider. A resource is identified by this name and the provided resource type. An example of a resource name would be the name component of an image tag, such -as "samalba/myapp". +as "samalba/myapp" or "hostname/samalba/myapp". ### Resource Actions @@ -83,16 +83,24 @@ scopes. scope := resourcescope [ ' ' resourcescope ]* resourcescope := resourcetype ":" resourcename ":" action [ ',' action ]* resourcetype := /[a-z]*/ -resourcename := component [ '/' component ]* +resourcename := [ hostname '/' ] component [ '/' component ]* +hostname := hostcomponent ['.' hostcomponent]* [':' port-number] +hostcomponent := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/ +port-number := /[0-9]+/ action := /[a-z]*/ component := alpha-numeric [ separator alpha-numeric ]* alpha-numeric := /[a-z0-9]+/ separator := /[_.]|__|[-]*/ ``` Full reference grammar is defined -(here)[https://godoc.org/github.com/docker/distribution/reference]. Currently -the scope name grammar is a subset of the reference grammar without support -for hostnames. +[here](https://godoc.org/github.com/docker/distribution/reference). Currently +the scope name grammar is a subset of the reference grammar. + +> **NOTE:** that the `resourcename` may contain one `:` due to a possible port +> number in the hostname component of the `resourcename`, so a naive +> implementation that interprets the first three `:`-delimited tokens of a +> `scope` to be the `resourcetype`, `resourcename`, and a list of `action` +> would be insufficient. ## Resource Provider Use