vbatts/registry
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #1722 from SvenDowideit/cherry-pick-fixes

Browse source 
Cherry pick fixes
This commit is contained in:
Sven Dowideit 2016-05-18 09:35:53 +10:00
commit 4f20717da9
7 changed files with 36 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

13
docs/Dockerfile
View file

@ -1,18 +1,9 @@
FROM docs/base:latest FROM docs/base:oss
MAINTAINER Mary Anthony <mary@docker.com> (@moxiegirl) MAINTAINER Mary Anthony <mary@docker.com> (@moxiegirl)
RUN svn checkout https://github.com/docker/docker/trunk/docs /docs/content/engine
RUN svn checkout https://github.com/docker/compose/trunk/docs /docs/content/compose
RUN svn checkout https://github.com/docker/swarm/trunk/docs /docs/content/swarm
RUN svn checkout https://github.com/docker/machine/trunk/docs /docs/content/machine
RUN svn checkout https://github.com/docker/notary/trunk/docs /docs/content/notary
RUN svn checkout https://github.com/docker/kitematic/trunk/docs /docs/content/kitematic
RUN svn checkout https://github.com/docker/toolbox/trunk/docs /docs/content/toolbox
RUN svn checkout https://github.com/docker/opensource/trunk/docs /docs/content/opensource
ENV PROJECT=registry ENV PROJECT=registry
# To get the git info for this repo # To get the git info for this repo
COPY . /src COPY . /src
RUN rm -r /docs/content/$PROJECT/
COPY . /docs/content/$PROJECT/ COPY . /docs/content/$PROJECT/

18
docs/nginx.md
View file

@ -76,7 +76,7 @@ events {
} }
http { http {
upstream docker-registry { upstream docker-registry {
server registry:5000; server registry:5000;
} }
@ -98,34 +98,34 @@ http {
# SSL # SSL
ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key; ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads # disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0; client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on; chunked_transfer_encoding on;
location /v2/ { location /v2/ {
# Do not allow connections from docker 1.5 and earlier # Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) { if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
return 404; return 404;
} }
# To add basic authentication to v2 use auth_basic setting. # To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm"; auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
## If $docker_distribution_api_version is empty, the header will not be added. ## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined. ## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' \$docker_distribution_api_version always; add_header 'Docker-Distribution-Api-Version' \$docker_distribution_api_version always;
proxy_pass http://docker-registry; proxy_pass http://docker-registry;
proxy_set_header Host \$http_host; # required for docker client's sake proxy_set_header Host \$http_host; # required for docker client's sake
proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP
@ -182,7 +182,7 @@ Now, start your stack:
Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image: Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image:
docker login -p=testuser -u=testpassword -e=root@example.ch myregistrydomain.com:5043 docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043
docker tag ubuntu myregistrydomain.com:5043/test docker tag ubuntu myregistrydomain.com:5043/test
docker push myregistrydomain.com:5043/test docker push myregistrydomain.com:5043/test
docker pull myregistrydomain.com:5043/test docker pull myregistrydomain.com:5043/test

20
docs/spec/api.md
View file

@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the
[_Completed Upload_](#completed-upload) section for details on the parameters [_Completed Upload_](#completed-upload) section for details on the parameters
and expected responses. and expected responses.
Additionally, the upload can be completed with a single `POST` request to
the uploads endpoint, including the "size" and "digest" parameters:
```
POST /v2/<name>/blobs/uploads/?digest=<digest>
Content-Length: <size of layer>
Content-Type: application/octet-stream
<Layer Binary Data>
```
On the registry service, this should allocate a download, accept and verify
the data and return the same response as the final chunk of an upload. If the
POST request fails collecting the data in any way, the registry should attempt
to return an error response to the client with the `Location` header providing
a place to continue the download.
The single `POST` method is provided for convenience and most clients should
implement `POST` + `PUT` to support reliable resume of uploads.
##### Chunked Upload ##### Chunked Upload
To carry out an upload of a chunk, the client can specify a range header and To carry out an upload of a chunk, the client can specify a range header and

20
docs/spec/api.md.tmpl
View file

@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the
[_Completed Upload_](#completed-upload) section for details on the parameters [_Completed Upload_](#completed-upload) section for details on the parameters
and expected responses. and expected responses.
Additionally, the upload can be completed with a single `POST` request to
the uploads endpoint, including the "size" and "digest" parameters:
```
POST /v2/<name>/blobs/uploads/?digest=<digest>
Content-Length: <size of layer>
Content-Type: application/octet-stream
<Layer Binary Data>
```
On the registry service, this should allocate a download, accept and verify
the data and return the same response as the final chunk of an upload. If the
POST request fails collecting the data in any way, the registry should attempt
to return an error response to the client with the `Location` header providing
a place to continue the download.
The single `POST` method is provided for convenience and most clients should
implement `POST` + `PUT` to support reliable resume of uploads.
##### Chunked Upload ##### Chunked Upload
To carry out an upload of a chunk, the client can specify a range header and To carry out an upload of a chunk, the client can specify a range header and

13
docs/spec/auth/jwt.md
View file

@ -69,8 +69,17 @@ Token has 3 main parts:
The header of a JSON Web Token is a standard JOSE header. The "typ" field The header of a JSON Web Token is a standard JOSE header. The "typ" field
will be "JWT" and it will also contain the "alg" which identifies the will be "JWT" and it will also contain the "alg" which identifies the
signing algorithm used to produce the signature. It will also usually have signing algorithm used to produce the signature. It also must have a "kid"
a "kid" field, the ID of the key which was used to sign the token. field, representing the ID of the key which was used to sign the token.
The "kid" field has to be in a libtrust fingerprint compatible format.
Such a format can be generated by following steps:
1. Take the DER encoded public key which the JWT token was signed against.
2. Create a SHA256 hash out of it and truncate to 240bits.
3. Split the result into 12 base32 encoded groups with `:` as delimiter.
Here is an example JOSE Header for a JSON Web Token (formatted with Here is an example JOSE Header for a JSON Web Token (formatted with
whitespace for readability): whitespace for readability):

18
docs/spec/auth/scope.md
View file

@ -56,7 +56,7 @@ it.
The resource name represent the name which identifies a resource for a resource The resource name represent the name which identifies a resource for a resource
provider. A resource is identified by this name and the provided resource type. provider. A resource is identified by this name and the provided resource type.
An example of a resource name would be the name component of an image tag, such An example of a resource name would be the name component of an image tag, such
as "samalba/myapp". as "samalba/myapp" or "hostname/samalba/myapp".
### Resource Actions ### Resource Actions
@ -83,16 +83,24 @@ scopes.
scope := resourcescope [ ' ' resourcescope ]* scope := resourcescope [ ' ' resourcescope ]*
resourcescope := resourcetype ":" resourcename ":" action [ ',' action ]* resourcescope := resourcetype ":" resourcename ":" action [ ',' action ]*
resourcetype := /[a-z]*/ resourcetype := /[a-z]*/
resourcename := component [ '/' component ]* resourcename := [ hostname '/' ] component [ '/' component ]*
hostname := hostcomponent ['.' hostcomponent]* [':' port-number]
hostcomponent := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/
port-number := /[0-9]+/
action := /[a-z]*/ action := /[a-z]*/
component := alpha-numeric [ separator alpha-numeric ]* component := alpha-numeric [ separator alpha-numeric ]*
alpha-numeric := /[a-z0-9]+/ alpha-numeric := /[a-z0-9]+/
separator := /[_.]|__|[-]*/ separator := /[_.]|__|[-]*/
``` ```
Full reference grammar is defined Full reference grammar is defined
(here)[https://godoc.org/github.com/docker/distribution/reference]. Currently [here](https://godoc.org/github.com/docker/distribution/reference). Currently
the scope name grammar is a subset of the reference grammar without support the scope name grammar is a subset of the reference grammar.
for hostnames.
> **NOTE:** that the `resourcename` may contain one `:` due to a possible port
> number in the hostname component of the `resourcename`, so a naive
> implementation that interprets the first three `:`-delimited tokens of a
> `scope` to be the `resourcetype`, `resourcename`, and a list of `action`
> would be insufficient.
## Resource Provider Use ## Resource Provider Use

2
docs/storage-drivers/s3.md
View file

@ -198,7 +198,7 @@ The following IAM permissions are required by the registry for push and pull. S
"Action": [ "Action": [
"s3:ListBucket", "s3:ListBucket",
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:ListBucketMultipartUploads", "s3:ListBucketMultipartUploads"
], ],
"Resource": "arn:aws:s3:::mybucket" "Resource": "arn:aws:s3:::mybucket"
}, },