Deprecating ResolveRepositoryName
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository Moving --registry-mirror configuration to registry config Created resolve_repository job Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name. Adding test for RepositoryInfo Adding tests for opts.StringSetOpts and registry.ValidateMirror Fixing search term use of repoInfo Adding integration tests for registry mirror configuration Normalizing LookupImage image name to match LocalName parsing rules Normalizing repository LocalName to avoid multiple references to an official image Removing errorOut use in tests Removing TODO comment gofmt changes golint comments cleanup. renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig Splitting out builtins.Registry and registry.NewService calls Stray whitespace cleanup Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test Factoring out ValidateRepositoryName from NewRepositoryInfo Removing unused IndexServerURL Allowing json marshaling of ServiceConfig. Exposing ServiceConfig in /info Switching to CamelCase for json marshaling PR cleanup; removing 'Is' prefix from boolean members. Removing unneeded json tags. Removing non-cleanup related fix for 'localhost:[port]' in splitReposName Merge fixes for gh9735 Fixing integration test Reapplying #9754 Adding comment on config.IndexConfigs use from isSecureIndex Remove unused error return value from isSecureIndex Signed-off-by: Don Kjer <don.kjer@gmail.com> Adding back comment in isSecureIndex Signed-off-by: Don Kjer <don.kjer@gmail.com>
This commit is contained in:
Don Kjer
parent
eb9ddb7b86
commit
64b000c3ea
11 changed files with 1179 additions and 156 deletions
|
|
@ -37,8 +37,9 @@ func scanForAPIVersion(hostname string) (string, APIVersion) {
|
|||
return hostname, DefaultAPIVersion
|
||||
}
|
||||
|
||||
func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
||||
endpoint, err := newEndpoint(hostname, insecureRegistries)
|
||||
func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
|
||||
// *TODO: Allow per-registry configuration of endpoints.
|
||||
endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -49,7 +50,7 @@ func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
|
|||
|
||||
//TODO: triggering highland build can be done there without "failing"
|
||||
|
||||
if endpoint.secure {
|
||||
if index.Secure {
|
||||
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
||||
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
||||
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
||||
|
|
@ -68,7 +69,7 @@ func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
|
|||
|
||||
return endpoint, nil
|
||||
}
|
||||
func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
||||
func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
|
||||
var (
|
||||
endpoint = Endpoint{}
|
||||
trimmedHostname string
|
||||
|
|
@ -82,13 +83,14 @@ func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
endpoint.secure = secure
|
||||
return &endpoint, nil
|
||||
}
|
||||
|
||||
func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {
|
||||
return NewEndpoint(repoInfo.Index)
|
||||
}
|
||||
|
||||
type Endpoint struct {
|
||||
URL *url.URL
|
||||
Version APIVersion
|
||||
|
|
@ -156,27 +158,30 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
|
|||
return info, nil
|
||||
}
|
||||
|
||||
// isSecure returns false if the provided hostname is part of the list of insecure registries.
|
||||
// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
|
||||
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
||||
//
|
||||
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
|
||||
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
|
||||
// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
|
||||
// insecure.
|
||||
//
|
||||
// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
|
||||
// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
|
||||
// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
|
||||
// in a subnet. If the resolving is not successful, isSecure will only try to match hostname to any element
|
||||
// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
|
||||
// of insecureRegistries.
|
||||
func isSecure(hostname string, insecureRegistries []string) (bool, error) {
|
||||
if hostname == IndexServerURL.Host {
|
||||
return true, nil
|
||||
func (config *ServiceConfig) isSecureIndex(indexName string) bool {
|
||||
// Check for configured index, first. This is needed in case isSecureIndex
|
||||
// is called from anything besides NewIndexInfo, in order to honor per-index configurations.
|
||||
if index, ok := config.IndexConfigs[indexName]; ok {
|
||||
return index.Secure
|
||||
}
|
||||
|
||||
host, _, err := net.SplitHostPort(hostname)
|
||||
host, _, err := net.SplitHostPort(indexName)
|
||||
if err != nil {
|
||||
// assume hostname is of the form `host` without the port and go on.
|
||||
host = hostname
|
||||
// assume indexName is of the form `host` without the port and go on.
|
||||
host = indexName
|
||||
}
|
||||
|
||||
addrs, err := lookupIP(host)
|
||||
if err != nil {
|
||||
ip := net.ParseIP(host)
|
||||
|
|
@ -189,29 +194,15 @@ func isSecure(hostname string, insecureRegistries []string) (bool, error) {
|
|||
// So, len(addrs) == 0 and we're not aborting.
|
||||
}
|
||||
|
||||
for _, r := range insecureRegistries {
|
||||
if hostname == r {
|
||||
// hostname matches insecure registry
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
|
||||
for _, addr := range addrs {
|
||||
|
||||
// now assume a CIDR was passed to --insecure-registry
|
||||
_, ipnet, err := net.ParseCIDR(r)
|
||||
if err != nil {
|
||||
// if we could not parse it as a CIDR, even after removing
|
||||
// assume it's not a CIDR and go on with the next candidate
|
||||
break
|
||||
}
|
||||
|
||||
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
|
||||
for _, addr := range addrs {
|
||||
for _, ipnet := range config.InsecureRegistryCIDRs {
|
||||
// check if the addr falls in the subnet
|
||||
if ipnet.Contains(addr) {
|
||||
return false, nil
|
||||
if (*net.IPNet)(ipnet).Contains(addr) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true, nil
|
||||
return true
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue