Commit graph

509 commits

Author SHA1 Message Date
Tibor Vass
549e64205f Merge pull request #14829 from RichardScothern/registry-tls
Configure TLS for private v2 registry mirrors.
2015-07-21 19:23:39 -04:00
Richard Scothern
2b7788f2e8 Remove v1 registry mirror configuration from LookupEndpoints.
V1 mirrors do not mirror the index and those endpoints should
only be indexes.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:41 -07:00
Richard Scothern
00edb3bbce Configure TLS for private registry mirrors.
If a registry mirror is using TLS, ensure that certs for it
are picked up from /etc/docker/certs.d

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:25 -07:00
Aaron Lehmann
5280103cc4 Remove unused types in registry package
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:53:57 -07:00
Aaron Lehmann
4c255a0d41 Remove dead code in registry package
The only uses of RequestAuthorization and its associated functions were
removed in 7fed379d95 ("Update graph to
use vendored distribution client for the v2 codepath")

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:45:53 -07:00
Morgan Bauer
138ba39260 golint for cliconfig
- fully capitalize HTTP in HTTPHeaders
 - comment for CONFIGFILE
 - camelcase and privatize oldConfigfile, defaultIndexserver
 - remove unused var errConfigFileMissing
 - comments for methods and functions throughout
 - external references to renamed variables changed

Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
2015-07-20 16:48:58 -07:00
Ma Shimiao
3552960ef8 fix 8926: rmi dangling is unsafe when pulling
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-17 11:39:57 -04:00
David Calavera
0920d8e1e2 Merge pull request #13375 from tiborvass/distribution-refactor
Vendor distribution client v2
2015-07-16 11:54:08 -07:00
Derek McGowan
7fed379d95 Update graph to use vendored distribution client for the v2 codepath
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:47 -04:00
Tibor Vass
950cf586c8 remove pkg/transport and use the one from distribution
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:46 -04:00
Tibor Vass
45bd073e54 Fix issue where Search API endpoint would panic due to empty AuthConfig
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 12:38:44 -04:00
David Calavera
bd46d55919 Merge pull request #14332 from ankushagarwal/failedLogin
Add 500 check for registry api call
2015-07-15 11:19:31 -07:00
Derek McGowan
01c8fb3665 Set canonical name correctly
Currently canonical name gets set to the local name and displayed in the errors.
Canonical name should be the unique and canonical name for an image.
Use docker.io as the canonical domain for images on the public registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-14 17:45:49 -07:00
Stephen Day
b6c0f0505c Merge pull request #14521 from mattmoor/authenticated-search
Add the X-Docker-Token header to the /v1/search requests.
2015-07-14 15:43:28 -07:00
Stephen J Day
b425c402fb Allow one character repository name components
The docker/distribution dependency was updated in the previous commit to allow
repository name components to only consist of a single letter. The unit tests
have been updated to cement this change.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-07-10 14:06:15 -06:00
Matt Moore
c82a9a817f Add the X-Docker-Token header to the /v1/search requests.
By adding this header AuthTransport will add Basic authentication to the request and allow 'docker search' results to include private images.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-07-09 20:56:23 -07:00
Ankush Agarwal
8e857d1147 Add 500 check for registry api call
Partially Addresses #14326

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
2015-07-02 12:41:24 -07:00
Eric Windisch
f432bcc925 Remove RC4 from the list of registry cipher suites
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.

Uses the tlsconfig package to define allowed ciphers.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-06-29 09:15:13 -04:00
Stephen Day
4cbdef4cee Merge pull request #14046 from mattmoor/token-investigation
Unconditionally use AuthTransport.
2015-06-25 19:07:10 -07:00
Antonio Murdaca
ebd569961d Remove dead code
Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-06-20 19:14:15 +02:00
Matt Moore
79661b8a7e Unconditionally add AuthTransport.
Today, endpoints implementing v2 cannot properly fallback to v1 because the underlying transport that deals with authentication (Basic / Token) doesn't get annotated.

This doesn't affect DockerHub because the DockerHub endpoint appears as 'https://index.docker.io/v1/' (in .dockercfg), and the 'v1' tricks this logic just long enough that the transport is always annotated for DockerHub accesses.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-19 10:12:52 -07:00
Sebastiaan van Stijn
fbec8ef772 Merge pull request #13070 from shishir-a412ed/cleanup_cmd_tag
Use distribution's ValidateRepositoryName for remote name validation.
2015-06-17 23:26:27 +02:00
Derek McGowan
8b69a38800 Merge pull request #13575 from mattmoor/consistent-push-fallback
Make v2 push have v1-fallback behavior consistent with pull.
2015-06-17 13:41:58 -07:00
Shishir Mahajan
d4c7ea4301 Use distribution's ValidateRepositoryName for remote name validation.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-06-17 15:15:16 -04:00
Don Kjer
13b279f5b6 Only pulling single repository tag on pull for a specific tag. extending TestGetRemoteTags unit test
Splitting out GetRemoteTag from GetRemoteTags.  Adding registry.ErrRepoNotFound error

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-06-16 07:10:09 +00:00
Arnaud Porterie
aa8d3d2ca3 Merge pull request #13815 from tiborvass/do-not-send-basic-auth-on-302
Do not set auth headers for registry v1 if 302
2015-06-09 15:34:53 -07:00
Alexander Morozov
84b7bd6dba Merge pull request #13816 from xiekeyang/remove
Registry: remove unwanted return variable name
2015-06-08 20:38:30 -07:00
xiekeyang
5b3e2c7dda Registry: remove unwanted return variable name
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
2015-06-09 10:58:33 +08:00
Tibor Vass
5a8f690426 Do not set auth headers if 302
This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.

This also ensures v2 does not use authTransport.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-08 19:59:39 -04:00
Antonio Murdaca
e527060df2 Merge pull request #13648 from tiborvass/print-debugtransport-to-test-output
registry: debugTransport should print with testing.T.Log
2015-06-05 00:42:22 +02:00
Matt Moore
c01c508ea1 Make the v2 logic fallback on v1 when v2 requests cannot be authorized.
Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-02 21:22:59 -07:00
Phil Estes
e2e22cb830 Merge pull request #13650 from jvgogh/master
Upon HTTP 302 redirect do not include "Authorization" header on 'untr…
2015-06-02 14:23:20 -04:00
Arnaud Porterie
3a96a9e039 Merge pull request #13576 from stevvooe/verify-digests
Properly verify manifests and layer digests on pull
2015-06-02 11:16:23 -07:00
Jeffrey van Gogh
5418e3be0c Upon HTTP 302 redirect do not include "Authorization" header on 'untrusted' registries.
Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect.

This closes #13649

Signed-off-by: Jeffrey van Gogh <jvg@google.com>
2015-06-01 16:12:56 -07:00
Tibor Vass
6640f60cc5 registry: debugTransport should print with testing.T.Log
It should not print to STDOUT so that it only prints the debugTransport
output if there was an error in one of the registry tests.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-01 17:48:30 -04:00
Alexander Morozov
767c5283a2 Fix race condition in registry/session
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-01 13:25:18 -07:00
Stephen J Day
0ecc759684 Properly verify manifests and layer digests on pull
To ensure manifest integrity when pulling by digest, this changeset ensures
that not only the remote digest provided by the registry is verified but also
that the digest provided on the command line is checked, as well. If this check
fails, the pull is cancelled as with an error. Inspection also should that
while layers were being verified against their digests, the error was being
treated as tech preview image signing verification error. This, in fact, is not
a tech preview and opens up the docker daemon to man in the middle attacks that
can be avoided with the v2 registry protocol.

As a matter of cleanliness, the digest package from the distribution project
has been updated to latest version. There were some recent improvements in the
digest package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-29 15:20:28 -07:00
Antonio Murdaca
7d11fc6e5c Remove PortSpecs from Config
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-29 22:38:09 +02:00
Alexander Morozov
acdf61c7fd Merge pull request #13430 from runcom/fix-race-modify-request
Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
2015-05-28 11:31:04 -07:00
Richard
287cf41118 Registry v2 mirror support.
The v2 registry will act as a pull-through cache, and needs to be
handled differently by the client to the v1 registry mirror.

See docker/distribution#459 for details

Configuration

Only one v2 registry can be configured as a mirror. Acceptable configurations
in this chanage are: 0...n v1 mirrors or 1 v2 mirror. A mixture of v1 and v2
mirrors is considered an error.

Pull

If a v2 mirror is configured, all pulls are redirected to that mirror. The
mirror will serve the content locally or attempt a pull from the upstream mirror,
cache it locally, and then serve to the client.

Push

If an image is tagged to a mirror, it will be pushed to the mirror and be
stored locally there. Otherwise, images are pushed to the hub. This is
unchanged behavior.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-26 11:08:19 -07:00
Antonio Murdaca
8fc7d769ab Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-23 23:50:08 +02:00
Tibor Vass
a1ade52bb6 registry: fix auth bug
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-21 16:53:22 -04:00
Jessie Frazelle
29dc5eef53 Merge pull request #13354 from jacobat/comment-fix
Fix wording in comment
2015-05-20 09:44:23 -07:00
Jacob Atzen
07e5885de1 Fix wording in comment
Signed-off-by: Jacob Atzen <jatzen@gmail.com>
2015-05-20 18:03:46 +02:00
Arnaud Porterie
38f0c6fa8a Windows: fix registry filepath and location
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-05-19 10:58:45 -07:00
Tibor Vass
808c87ce27 Add transport package to support CancelRequest
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 23:31:42 -04:00
Tibor Vass
9e6affc364 requestdecorator: repurpose the package and rename to useragent
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:54 -04:00
Tibor Vass
89bd48481c registry: Refactor requestfactory to use http.RoundTrippers
This patch removes the need for requestFactories and decorators
by implementing http.RoundTripper transports instead.

It refactors some challenging-to-read code.

NewSession now takes an *http.Client that can already have a
custom Transport, it will add its own auth transport by wrapping
it.

The idea is that callers of http.Client should not bother
setting custom headers for every handler but instead it should
be transparent to the callers of a same context.

This patch is needed for future refactorings of registry,
namely refactoring of the v1 client code.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:53 -04:00
Doug Davis
f13f3a774f Merge pull request #13308 from lightsofapollo/issue-13307
Increase default connection timeout to 30s
2015-05-18 18:01:00 -04:00
James Lal
3c34b3c87e Increase default connection timeout to 30s
Closes #13307
Signed-off-by: James Lal <jlal@mozilla.com>
2015-05-18 13:26:33 -07:00