Commit graph

1265 commits

Author SHA1 Message Date
Tibor Vass
950cf586c8 remove pkg/transport and use the one from distribution
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:46 -04:00
Tibor Vass
45bd073e54 Fix issue where Search API endpoint would panic due to empty AuthConfig
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 12:38:44 -04:00
Richard
cd31d466e4 Allow Manifest Service to be configured with function arguments
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-15 12:25:16 -07:00
Stephen Day
b318e01f7d Merge pull request #651 from duglin/ErrArgs
Add ability to pass in substitution args into an Error
2015-07-15 11:22:59 -07:00
David Calavera
bd46d55919 Merge pull request #14332 from ankushagarwal/failedLogin
Add 500 check for registry api call
2015-07-15 11:19:31 -07:00
Doug Davis
db30d384e0 Add ability to pass in substitution args into an Error
Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-07-15 11:02:10 -07:00
Derek McGowan
01c8fb3665 Set canonical name correctly
Currently canonical name gets set to the local name and displayed in the errors.
Canonical name should be the unique and canonical name for an image.
Use docker.io as the canonical domain for images on the public registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-14 17:45:49 -07:00
Derek McGowan
c7d538aefa Merge pull request #699 from RichardScothern/client-manifest-etags-clean
Allow conditional fetching of manifests with the registry client.
2015-07-14 17:29:59 -07:00
Richard Scothern
caf989a572 Allow conditional fetching of manifests with the registry client.
Add a functional argument to pass a digest to (ManifestService).GetByTag().
If the digest matches an empty manifest and nil error are returned.

See 6bedf7d1cd for server implementation.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-14 16:52:52 -07:00
Stephen Day
b6c0f0505c Merge pull request #14521 from mattmoor/authenticated-search
Add the X-Docker-Token header to the /v1/search requests.
2015-07-14 15:43:28 -07:00
Richard Scothern
6f2f84996d Fix build when using build tag 'noresumabledigest'
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-14 11:14:09 -07:00
Stephen J Day
b425c402fb Allow one character repository name components
The docker/distribution dependency was updated in the previous commit to allow
repository name components to only consist of a single letter. The unit tests
have been updated to cement this change.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-07-10 14:06:15 -06:00
Stephen J Day
a58848a0b7 Allow single character repository names
The main goal of this changeset is to allow repository name components to
consist of a single character. The number of components allowed and the slash
separation requirements have also been clarified.

To go along with this simplification, errant constants and unneeded error types
have been removed.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-07-10 12:10:42 -06:00
Matt Moore
c82a9a817f Add the X-Docker-Token header to the /v1/search requests.
By adding this header AuthTransport will add Basic authentication to the request and allow 'docker search' results to include private images.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-07-09 20:56:23 -07:00
Derek McGowan
970efb6ba7 Fix typo in Version doc
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-08 11:02:47 -07:00
Ankush Agarwal
8e857d1147 Add 500 check for registry api call
Partially Addresses #14326

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
2015-07-02 12:41:24 -07:00
Derek McGowan
376cc5fe75 Add challenge manager interface
Challenger manager interface is used to handle getting authorization challenges from an endpoint as well as extracting challenges from responses.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-01 15:00:25 -07:00
Derek McGowan
5a3a9c6a77 Separate version and challenge parsing from ping
Replace ping logic with individual functions to extract API version and authorization challenges. The response from a ping operation can be passed into these function. If an error occurs in parsing, the version or challenge will not be used. Sending the ping request is the responsibility of the caller.
APIVersion has been converted from a string to a structure type. A parse function was added to convert from string to the structure type.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-01 15:00:25 -07:00
Derek McGowan
b66ee14e62 Refactor client auth
Move client auth into a separate package.
Separate ping from the authorizer and export Challenges type.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-01 15:00:25 -07:00
Stephen Day
940b865bc0 Merge pull request #670 from stevvooe/remove-ipc
Remove half-baked Storage Driver IPC support
2015-06-30 19:21:54 -07:00
Jon Poler
855ecb8440 Remove timeout for http.Client in registry/client/repository.go.
Timeouts should not be a discrete period of time, because they end
up being arbitrary and may be difficult to gauge correctly against
very large Docker layers. Rather, timeouts should be set at the
transport level using the SetDeadline attribute on a net.Conn
object.

Signed-off-by: Jon Poler <jonathan.poler@apcera.com>
2015-06-30 17:35:24 -07:00
Stephen Day
dc19b5496a Merge pull request #675 from RichardScothern/fix-ctx
Pass correct context into tracer
2015-06-30 11:18:51 -07:00
Richard Scothern
fa17f9254f Pass correct context into tracer
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-06-30 10:28:14 -07:00
Stephen J Day
6167220cdd Remove half-baked Storage Driver IPC support
This removes documentation and code related to IPC based storage driver
plugins. The existence of this functionality was an original feature goal but
is now not maintained and actively confusing incoming contributions. We will
likely explore some driver plugin mechanism in the future but we don't need
this laying around in the meantime.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-29 16:52:12 -07:00
Richard Scothern
6d46ae5fdb Prevent the ErrUnsupportedMethod error from being returned up the stack.
It eventually causes the go http library to do a double WriteHeader()
which is an error

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-06-29 16:44:09 -07:00
Eric Windisch
f432bcc925 Remove RC4 from the list of registry cipher suites
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.

Uses the tlsconfig package to define allowed ciphers.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-06-29 09:15:13 -04:00
Stephen Day
4cbdef4cee Merge pull request #14046 from mattmoor/token-investigation
Unconditionally use AuthTransport.
2015-06-25 19:07:10 -07:00
Stephen Day
d745c5a2c9 Merge pull request #645 from RichardScothern/manifest-cache-headers
Cache headers for manifests.
2015-06-25 13:20:39 -07:00
Antonio Murdaca
ebd569961d Remove dead code
Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-06-20 19:14:15 +02:00
Richard Scothern
6bedf7d1cd Add Etag header for manifests.
Return 304 (Not Modified) if retrieved with If-None-Match header

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-06-19 10:44:21 -07:00
Matt Moore
79661b8a7e Unconditionally add AuthTransport.
Today, endpoints implementing v2 cannot properly fallback to v1 because the underlying transport that deals with authentication (Basic / Token) doesn't get annotated.

This doesn't affect DockerHub because the DockerHub endpoint appears as 'https://index.docker.io/v1/' (in .dockercfg), and the 'v1' tricks this logic just long enough that the transport is always annotated for DockerHub accesses.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-19 10:12:52 -07:00
Doug Davis
805b135bcc Add 'message' back to BlobTest sample json
Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-06-18 18:24:54 -07:00
Doug Davis
365de1b215 Add back in the "errors" wrapper in the Errors serialization
See: https://github.com/docker/distribution/pull/548/files#r32794064

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-06-18 18:00:26 -07:00
Stephen Day
92e2636de0 Merge pull request #638 from duglin/MoveHTTPRC
Move challenge http status code logic
2015-06-18 12:03:29 -07:00
Doug Davis
cff1a5ffdc Move challenge http status code logic
See: d796729b6b/registry/handlers/app.go (L498)

Per the comment on line 498, this moves the logic of setting the http
status code into the serveJSON func, leaving the auth.Challenge.ServeHTTP()
func to just set the auth challenge header.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-06-17 18:23:55 -07:00
Sebastiaan van Stijn
fbec8ef772 Merge pull request #13070 from shishir-a412ed/cleanup_cmd_tag
Use distribution's ValidateRepositoryName for remote name validation.
2015-06-17 23:26:27 +02:00
Derek McGowan
8b69a38800 Merge pull request #13575 from mattmoor/consistent-push-fallback
Make v2 push have v1-fallback behavior consistent with pull.
2015-06-17 13:41:58 -07:00
Shishir Mahajan
d4c7ea4301 Use distribution's ValidateRepositoryName for remote name validation.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-06-17 15:15:16 -04:00
Stephen J Day
f9e152d912 Ensure that rados is disabled without build tag
This ensures that rados is not required when building the registry. This was
slightly tricky in that when the flags were applied, the rados package was
completely missing. This led to a problem where rados was basically unlistable
and untestable as a package. This was fixed by simply adding a doc.go file that
is included whether rados is built or not.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-16 20:00:02 -07:00
Stephen Day
d796729b6b Merge pull request #623 from ahmetalpbalkan/azure-vendor
storage/driver/azure: Update vendored Azure SDK
2015-06-16 17:41:38 -07:00
Ahmet Alp Balkan
5c372ded1b storage/driver/azure: Update vendored Azure SDK
This change refreshes the updated version of Azure SDK
for Go that has the latest changes.

I manually vendored the new SDK (github.com/Azure/azure-sdk-for-go)
and I removed `management/` `core/` packages manually simply because
they're not used here and they have a fork of `net/http` and `crypto/tls`
for a particular reason. It was introducing a 44k SLOC change otherwise...

This also undoes the `include_azure` flag (actually Steven removed the
driver from imports but forgot to add the build flag apparently, so the
flag wasn't really including azure. 😄 ). This also must be obsolete
now.

Fixes #620, #175.

Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-06-16 17:13:44 -07:00
Don Kjer
13b279f5b6 Only pulling single repository tag on pull for a specific tag. extending TestGetRemoteTags unit test
Splitting out GetRemoteTag from GetRemoteTags.  Adding registry.ErrRepoNotFound error

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-06-16 07:10:09 +00:00
Olivier Gambier
fa67bab1c7 Merge pull request #608 from dmcgowan/http-basic-auth
Implementation of a basic authentication scheme using standard .htpasswd
2015-06-15 17:40:58 -07:00
Stephen Day
728ca4b391 Merge pull request #548 from duglin/MoveErrors
Move ErrorCode logic to new errcode package
2015-06-15 14:33:28 -07:00
Doug Davis
56349665b7 Round 4
Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-06-11 21:33:35 -07:00
Stephen J Day
f6ee0f46af Minor formatting fixes related to htpasswd auth
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-11 17:06:35 -07:00
Olivier Gambier
280b9c50ac Saner default data location
Signed-off-by: Olivier Gambier <olivier@docker.com>
2015-06-10 20:54:24 -07:00
Stephen J Day
e667be389a Rename the basic access controller to htpasswd
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-10 19:41:35 -07:00
Stephen J Day
14f3b07db0 Harden basic auth implementation
After consideration, the basic authentication implementation has been
simplified to only support bcrypt entries in an htpasswd file. This greatly
increases the security of the implementation by reducing the possibility of
timing attacks and other problems trying to detect the password hash type.

Also, the htpasswd file is only parsed at startup, ensuring that the file can
be edited and not effect ongoing requests. Newly added passwords take effect on
restart. Subsequently, password hash entries are now stored in a map.

Test cases have been modified accordingly.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-10 19:38:56 -07:00
Stephen J Day
427c457801 Refactor Basic Authentication package
This change refactors the basic authentication implementation to better follow
Go coding standards. Many types are no longer exported. The parser is now a
separate function from the authentication code. The standard functions
(*http.Request).BasicAuth/SetBasicAuth are now used where appropriate.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
3504445680 Unexported function to comply with golint
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
fe9ca88946 Removed dashes from comments, unexported htpasswd struct
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
15bbde99c1 Fixed golint, gofmt warning advice.
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
ff67393b2b Added support for bcrypt, plaintext; extension points for other htpasswd hash methods.
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
d2b7988b7f Aligned formatting with gofmt
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
Dave Trombley
7733b6c892 Fixed WWW-Authenticate: header, added example config and import into main, fixed golint warnings
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:38 -07:00
BadZen
60262521bd Implementation of a basic authentication scheme using standard .htpasswd files
Signed-off-by: BadZen <dave.trombley@gmail.com>
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
2015-06-10 19:06:37 -07:00
Arnaud Porterie
aa8d3d2ca3 Merge pull request #13815 from tiborvass/do-not-send-basic-auth-on-302
Do not set auth headers for registry v1 if 302
2015-06-09 15:34:53 -07:00
xiekeyang
5b3e2c7dda Registry: remove unwanted return variable name
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
2015-06-09 10:58:33 +08:00
Stephen Day
f654e9a96e Merge pull request #599 from stevvooe/clarify-deletion-by-digest-constraint
Clarify digest in API specification
2015-06-08 19:04:53 -07:00
Tibor Vass
5a8f690426 Do not set auth headers if 302
This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.

This also ensures v2 does not use authTransport.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-08 19:59:39 -04:00
Stephen J Day
60967cbd6b Clarify that manifests can only be deleted by digest
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-04 18:59:08 -07:00
Stephen J Day
630334b304 Add more repository name validation test cases
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-06-04 16:12:35 -07:00
Antonio Murdaca
e527060df2 Merge pull request #13648 from tiborvass/print-debugtransport-to-test-output
registry: debugTransport should print with testing.T.Log
2015-06-05 00:42:22 +02:00
Matt Moore
c01c508ea1 Make the v2 logic fallback on v1 when v2 requests cannot be authorized.
Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-02 21:22:59 -07:00
Phil Estes
e2e22cb830 Merge pull request #13650 from jvgogh/master
Upon HTTP 302 redirect do not include "Authorization" header on 'untr…
2015-06-02 14:23:20 -04:00
Arnaud Porterie
3a96a9e039 Merge pull request #13576 from stevvooe/verify-digests
Properly verify manifests and layer digests on pull
2015-06-02 11:16:23 -07:00
Doug Davis
b8b16b78f4 Round 3 - Add Register function
Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-06-02 10:01:21 -07:00
Vincent Giersch
040d7038b8 doc: coherence between requests and parameters + typo
In the request parameters lists `tag` was used instead of
`reference` present in the HTTP requests paths

Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
2015-06-02 14:36:55 +00:00
Jeffrey van Gogh
5418e3be0c Upon HTTP 302 redirect do not include "Authorization" header on 'untrusted' registries.
Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect.

This closes #13649

Signed-off-by: Jeffrey van Gogh <jvg@google.com>
2015-06-01 16:12:56 -07:00
Tibor Vass
6640f60cc5 registry: debugTransport should print with testing.T.Log
It should not print to STDOUT so that it only prints the debugTransport
output if there was an error in one of the registry tests.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-01 17:48:30 -04:00
Alexander Morozov
767c5283a2 Fix race condition in registry/session
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-01 13:25:18 -07:00
Stephen Day
c703b9318e Merge pull request #394 from xiekeyang/feature-panic-hook
Feature: Add Hook for Web Application Panic
2015-06-01 13:23:32 -07:00
Vincent Giersch
4bc53818cb Fix rados build, remove uuid dependency
Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
2015-06-01 09:57:40 +00:00
xiekeyang
9d7c6923c1 Feature: Web Panic Reporting via hooks
This PR is for issue of "email after registry webapp panic" #41, improving my
previous design (closed).
It use self setting up hooks, to catch panic in web application.
And, send email in hooks handle directly, to no use new http server and
handler.

Signed-off-by: xiekeyang <keyangxie@126.com>
2015-05-31 14:21:22 +00:00
Philip Misiowiec
589123441b fixed typos
Signed-off-by: Phil Misiowiec <phil.misiowiec@atlashealth.com>
2015-05-30 18:22:41 -07:00
Stephen Day
af987fd3dc Merge pull request #443 from gierschv/driver-rados
Storage Driver: Ceph Object Storage (RADOS)
2015-05-29 18:10:49 -07:00
Stephen J Day
0ecc759684 Properly verify manifests and layer digests on pull
To ensure manifest integrity when pulling by digest, this changeset ensures
that not only the remote digest provided by the registry is verified but also
that the digest provided on the command line is checked, as well. If this check
fails, the pull is cancelled as with an error. Inspection also should that
while layers were being verified against their digests, the error was being
treated as tech preview image signing verification error. This, in fact, is not
a tech preview and opens up the docker daemon to man in the middle attacks that
can be avoided with the v2 registry protocol.

As a matter of cleanliness, the digest package from the distribution project
has been updated to latest version. There were some recent improvements in the
digest package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-29 15:20:28 -07:00
Antonio Murdaca
7d11fc6e5c Remove PortSpecs from Config
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-29 22:38:09 +02:00
Alexander Morozov
acdf61c7fd Merge pull request #13430 from runcom/fix-race-modify-request
Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
2015-05-28 11:31:04 -07:00
Doug Davis
00b1e8fca0 Round 2
Make Errors a []Error

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-05-26 17:18:32 -07:00
Doug Davis
f565d6abb7 Move ErrorCode logic to new errcode package
Make HTTP status codes match the ErrorCode by looking it up in the Descriptors

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-05-26 13:18:54 -07:00
Richard
287cf41118 Registry v2 mirror support.
The v2 registry will act as a pull-through cache, and needs to be
handled differently by the client to the v1 registry mirror.

See docker/distribution#459 for details

Configuration

Only one v2 registry can be configured as a mirror. Acceptable configurations
in this chanage are: 0...n v1 mirrors or 1 v2 mirror. A mixture of v1 and v2
mirrors is considered an error.

Pull

If a v2 mirror is configured, all pulls are redirected to that mirror. The
mirror will serve the content locally or attempt a pull from the upstream mirror,
cache it locally, and then serve to the client.

Push

If an image is tagged to a mirror, it will be pushed to the mirror and be
stored locally there. Otherwise, images are pushed to the hub. This is
unchanged behavior.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-26 11:08:19 -07:00
Stephen Day
5f553b3cfc Merge pull request #556 from stevvooe/remove-uuid-dependency
Replace uuid dependency with internal library
2015-05-26 10:39:35 -07:00
Antonio Murdaca
8fc7d769ab Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-23 23:50:08 +02:00
Stephen J Day
f8c0086e93 Replace uuid dependency with internal library
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-22 18:59:41 -07:00
Stephen Day
601960573d Merge pull request #546 from stevvooe/resumable-digest-refactor
Remove digest package's dependency on external sha implementation
2015-05-22 18:15:37 -07:00
Stephen J Day
bdaed4c789 Refactor specification of supported digests
To make the definition of supported digests more clear, we have refactored the
digest package to have a special Algorithm type. This represents the digest's
prefix and we associated various supported hash implementations through
function calls.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-22 18:08:23 -07:00
Stephen J Day
d4c50637f9 Better error message when failing to get AWS auth
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-22 16:45:45 -07:00
Tibor Vass
a1ade52bb6 registry: fix auth bug
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-21 16:53:22 -04:00
Stephen J Day
a0d242d9df Remove digest package's dependency on external sha implementation
The change relies on a refactor of the upstream resumable sha256/sha512 package
that opts to register implementations with the standard library. This allows
the resumable support to be detected where it matters, avoiding unnecessary and
complex code. It also ensures that consumers of the digest package don't need
to depend on the forked sha implementations.

We also get an optimization with this change. If the size of data written to a
digester is the same as the file size, we check to see if the digest has been
verified. This works if the blob is written and committed in a single request.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-20 23:44:08 -07:00
Stephen J Day
812c8099a6 Decouple redis dependency from blob descriptor cache
Ensure that clients can use the blob descriptor cache provider without needing
the redis package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-20 18:58:10 -07:00
Tibor Vass
cd5430916f client: fix a typo preventing compilation
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2015-05-20 21:06:13 -04:00
Stephen Day
e2596ca75e Merge pull request #387 from dmcgowan/registry-client-update
Add client implementation of distribution interface
2015-05-20 15:55:20 -07:00
Derek McGowan
754a8e80f2 Remove error message shortening
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-20 14:55:59 -07:00
Derek McGowan
aac3ce46c7 Only do auth checks for endpoints starting with v2
Changes behavior so ping doesn't happen if /v2/ is anywhere in a request path, but instead only at the beginning. This fixes attempts to ping on redirected URLs.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-20 13:35:23 -07:00
Derek McGowan
7e4d5eafae Update transport package to sever distribution dependency
The transport package no longer requires importing distribution for the ReadSeekCloser, instead declares its own.
Added comments on the Authenication handler in session.
Added todo on http seek reader to highlight its lack of belonging to the client transport.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-20 10:09:37 -07:00
Derek McGowan
3b5a2bbebc Add unauthorized error check
Add check for unauthorized error code and explicitly set the error code if the content could not be parsed.
Updated repository test for unauthorized tests and nit feedback.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-20 10:05:44 -07:00
Jacob Atzen
07e5885de1 Fix wording in comment
Signed-off-by: Jacob Atzen <jatzen@gmail.com>
2015-05-20 18:03:46 +02:00
Derek McGowan
b4972a6bab Break down type dependencies
Each type no longer requires holding a reference to repository.
Added implementation for signatures get.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-19 19:56:27 -07:00
Derek McGowan
8db2145b81 Feedback update
Update comments and TODOs
Fix switch style
Updated parse http response to take in reader
Add Cancel implementation
Update blobstore variable name

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-19 19:18:30 -07:00
Vincent Giersch
2c1a83f940 Storage Driver: Ceph Object Storage (RADOS)
This driver implements the storagedriver.StorageDriver interface and
uses Ceph Object Storage as storage backend.

Since RADOS is an object storage and no hierarchy notion, the
following convention is used to keep the filesystem notions stored in
this backend:

* All the objects data are stored with opaque UUID names prefixed
  (e.g. "blob:d3d232ff-ab3a-4046-9ab7-930228d4c164).
* All the hierarchy information are stored in rados omaps, where the
  omap object identifier is the virtual directory name, the keys in
  a specific are the relative filenames and the values the blob
  object identifier (or empty value for a sub directory).

  e.g. For the following hierarchy:

     /directory1
     /directory1/object1
     /directory1/object2
     /directory1/directory2/object3

  The omap "/directory1" will contains the following key / values:
    - "object1" "blob:d3d232ff-ab3a-4046-9ab7-930228d4c164"
    - "object2" "blob:db2e359d-4af0-4bfb-ba1d-d2fd029866a0"
    - "directory2" ""

  The omap "/directory1/directory2" will contains:
    - "object3" "blob:9ae2371c-81fc-4945-80ac-8bf7f566a5d9"

* The MOVE is implemented by changing the reference to a specific
  blob in its parent virtual directory omap.

This driver stripes rados objects to a fixed size (e.g. 4M). The idea
is to keep small objects (as done by RBD on the top of RADOS) that
will be easily synchronized accross OSDs. The information of the
original object (i.e total size of the chunks) is stored as a Xattr
in the first chunk object.

Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
2015-05-20 01:44:34 +00:00
Arnaud Porterie
38f0c6fa8a Windows: fix registry filepath and location
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-05-19 10:58:45 -07:00
Jordan Liggitt
ea39e34804 Fix typo: respository->repository
Signed-off-by: Jordan Liggitt <jliggitt@redhat.com>
2015-05-19 13:25:39 -04:00
Tibor Vass
808c87ce27 Add transport package to support CancelRequest
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 23:31:42 -04:00
Tibor Vass
9e6affc364 requestdecorator: repurpose the package and rename to useragent
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:54 -04:00
Tibor Vass
89bd48481c registry: Refactor requestfactory to use http.RoundTrippers
This patch removes the need for requestFactories and decorators
by implementing http.RoundTripper transports instead.

It refactors some challenging-to-read code.

NewSession now takes an *http.Client that can already have a
custom Transport, it will add its own auth transport by wrapping
it.

The idea is that callers of http.Client should not bother
setting custom headers for every handler but instead it should
be transparent to the callers of a same context.

This patch is needed for future refactorings of registry,
namely refactoring of the v1 client code.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-18 21:51:53 -04:00
James Lal
3c34b3c87e Increase default connection timeout to 30s
Closes #13307
Signed-off-by: James Lal <jlal@mozilla.com>
2015-05-18 13:26:33 -07:00
Derek McGowan
eb2ac4301f Lint and documentation fixes
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
131b608aeb Create client transport package
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
e0e13209d8 Remove unused and duplicate error types
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
296a8415b9 Update to track refactor updates
Added use of cache blob statter

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
568df315ff Open cache interface
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
60b314ade5 Rename layer files to blob
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
67e2e83434 Update to use blob interfaces
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
6bf4c45e52 Add missing defer on Tags
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
89c396e0f5 Simplify configuration and transport
Repository creation now just takes in an http.RoundTripper. Authenticated requests or requests which require additional headers should use the NewTransport function along with a request modifier (such an an authentication handler).

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
8b0ea19d39 Add base transport to interface
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
a9b0f49c8b Removed unused mirror flags
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:28 -07:00
Derek McGowan
17cbbf648f Update ReadFrom to wrap reader in NopCloser
Wrapping the reader in a NopCloser is necessary to prevent the http library from closing the input reader.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
ecaa643cb2 Create authentication handler
Refactory authorizer to take a set of authentication handlers for different authentication schemes returned by an unauthorized HTTP requst.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
7d630192dd Add tags implementation
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
2eb9b286ed Use distribution context instead of google
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
b78727cbf9 Cleanup session and config interface
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
07cee840a4 Split layer and upload from repository
Layer upload moved to its own file with its own unit tests

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
03e0873125 Add unit tests for auth challenge and endpoint
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
837a12db15 Remove deprecated client interface
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Derek McGowan
4c8e4dc373 Add client implementation of distribution interface
Adds functionality to create a Repository client which connects to a remote endpoint.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-15 17:56:27 -07:00
Stephen J Day
08401cfdd6 Refactor Blob Service API
This PR refactors the blob service API to be oriented around blob descriptors.
Identified by digests, blobs become an abstract entity that can be read and
written using a descriptor as a handle. This allows blobs to take many forms,
such as a ReadSeekCloser or a simple byte buffer, allowing blob oriented
operations to better integrate with blob agnostic APIs (such as the `io`
package). The error definitions are now better organized to reflect conditions
that can only be seen when interacting with the blob API.

The main benefit of this is to separate the much smaller metadata from large
file storage. Many benefits also follow from this. Reading and writing has
been separated into discrete services. Backend implementation is also
simplified, by reducing the amount of metadata that needs to be picked up to
simply serve a read. This also improves cacheability.

"Opening" a blob simply consists of an access check (Stat) and a path
calculation. Caching is greatly simplified and we've made the mapping of
provisional to canonical hashes a first-class concept. BlobDescriptorService
and BlobProvider can be combined in different ways to achieve varying effects.

Recommend Review Approach
-------------------------

This is a very large patch. While apologies are in order, we are getting a
considerable amount of refactoring. Most changes follow from the changes to
the root package (distribution), so start there. From there, the main changes
are in storage. Looking at (*repository).Blobs will help to understand the how
the linkedBlobStore is wired. One can explore the internals within and also
branch out into understanding the changes to the caching layer. Following the
descriptions below will also help to guide you.

To reduce the chances for regressions, it was critical that major changes to
unit tests were avoided. Where possible, they are left untouched and where
not, the spirit is hopefully captured. Pay particular attention to where
behavior may have changed.

Storage
-------

The primary changes to the `storage` package, other than the interface
updates, were to merge the layerstore and blobstore. Blob access is now
layered even further. The first layer, blobStore, exposes a global
`BlobStatter` and `BlobProvider`. Operations here provide a fast path for most
read operations that don't take access control into account. The
`linkedBlobStore` layers on top of the `blobStore`, providing repository-
scoped blob link management in the backend. The `linkedBlobStore` implements
the full `BlobStore` suite, providing access-controlled, repository-local blob
writers. The abstraction between the two is slightly broken in that
`linkedBlobStore` is the only channel under which one can write into the global
blob store. The `linkedBlobStore` also provides flexibility in that it can act
over different link sets depending on configuration. This allows us to use the
same code for signature links, manifest links and blob links.  Eventually, we
will fully consolidate this storage.

The improved cache flow comes from the `linkedBlobStatter` component
of `linkedBlobStore`. Using a `cachedBlobStatter`, these combine together to
provide a simple cache hierarchy that should streamline access checks on read
and write operations, or at least provide a single path to optimize. The
metrics have been changed in a slightly incompatible way since the former
operations, Fetch and Exists, are no longer relevant.

The fileWriter and fileReader have been slightly modified to support the rest
of the changes. The most interesting is the removal of the `Stat` call from
`newFileReader`. This was the source of unnecessary round trips that were only
present to look up the size of the resulting reader. Now, one must simply pass
in the size, requiring the caller to decide whether or not the `Stat` call is
appropriate. In several cases, it turned out the caller already had the size
already. The `WriterAt` implementation has been removed from `fileWriter`,
since it is no longer required for `BlobWriter`, reducing the number of paths
which writes may take.

Cache
-----

Unfortunately, the `cache` package required a near full rewrite. It was pretty
mechanical in that the cache is oriented around the `BlobDescriptorService`
slightly modified to include the ability to set the values for individual
digests. While the implementation is oriented towards caching, it can act as a
primary store. Provisions are in place to have repository local metadata, in
addition to global metadata. Fallback is implemented as a part of the storage
package to maintain this flexibility.

One unfortunate side-effect is that caching is now repository-scoped, rather
than global. This should have little effect on performance but may increase
memory usage.

Handlers
--------

The `handlers` package has been updated to leverage the new API. For the most
part, the changes are superficial or mechanical based on the API changes. This
did expose a bug in the handling of provisional vs canonical digests that was
fixed in the unit tests.

Configuration
-------------

One user-facing change has been made to the configuration and is updated in
the associated documentation. The `layerinfo` cache parameter has been
deprecated by the `blobdescriptor` cache parameter. Both are equivalent and
configuration files should be backward compatible.

Notifications
-------------

Changes the `notification` package are simply to support the interface
changes.

Context
-------

A small change has been made to the tracing log-level. Traces have been moved
from "info" to "debug" level to reduce output when not needed.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-15 17:05:18 -07:00
Lei Jitang
351babbf07 Fix invalid tag name
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-05-13 14:28:52 +08:00
Stephen Day
dc348d720b Merge pull request #518 from RichardScothern/cache-headers
Set cache headers for layers.
2015-05-12 18:32:16 -07:00
Richard
2db0327dc1 Set cache headers for layers.
- Set an Etag header
     - Check If-None-Match and respond appropriately
     - Set a Cache-Control header with a default of 1 week

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-12 17:49:18 -07:00
Anton Tiurin
b292f31d38 [Server] Listen and serve on a unix socket
Allow to use a unix socket as a listener.
To specify an endpoint type we use an optional configuration
field 'net', as there's no way to distinguish a relative
socket path from a hostname.

Signed-off-by: Anton Tiurin <noxiouz@yandex.ru>
2015-05-11 16:00:14 +03:00
Derek McGowan
123546212c Modify blob upload API
- Ensures new uploads and resumed upload statuses always return an offset of 0. This allows future clients which support resumable upload to not attempt resumable upload on this version which does not support it.
- Add PATCH support for streaming data on upload.
- Add messaging to specification that PATCH with content range is currently not supported.
- Update PUT blob to only support full data or no data, no more last chunk messaging as it was not supported.

closes #470

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-06 15:43:23 -07:00
Richard
7f3a57fdbb Ensure the instrumentedResponseWriter correctly sets the http
status in the context.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-05 16:46:33 -07:00
Stephen Day
3a0d6faba1 Merge pull request #410 from RichardScothern/driver-context
Add golang/x/net/context.Context to storage driver method calls
2015-05-04 19:18:30 -07:00
Derek McGowan
6fbda8fa26 Update API spec to reference digest instead of tarsum
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-05-01 17:14:38 -07:00
Stephen J Day
80abf9fce0 Use done channel to avoid goroutine leak
This deals with a memory leak, caused by goroutines, experienced when using the
s3 driver. Unfortunately, this section of the code leaks goroutines like a
sieve. There is probably some refactoring that could be done to avoid this but
instead, we have a done channel that will cause waiting goroutines to exit.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-28 14:40:20 -07:00
Richard
5d9105bd25 Make Storage Driver API calls context aware.
- Change driver interface to take a context as its first argument
     - Make newFileReader take a context as its first argument
     - Make newFileWriter take a context as its first argument
     - Make blobstore exists and delete take a context as a first argument
     - Pass the layerreader's context to the storage layer
     - Pass the app's context to purgeuploads
     - Store the app's context into the blobstore (was previously null)
     - Pass the trace'd context to the storage drivers

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-04-27 15:58:58 -07:00
Stephen Day
c0d297c011 Merge pull request #381 from RichardScothern/purge-config
Add configuration for upload purging
2015-04-27 14:33:34 -07:00
Phil Estes
eea521cfe4 Merge pull request #12828 from tdmackey/trivial-spelling
trivial: typo cleanup
2015-04-27 17:05:46 -04:00
David Mackey
bb93129df4 trivial: typo cleanup
Signed-off-by: David Mackey <tdmackey@booleanhaiku.com>
2015-04-27 13:35:08 -07:00
Antonio Murdaca
9a26753d41 Small if err cleaning
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-27 21:50:33 +02:00
Richard
5caa1fe3b0 Add configuration for upload purging
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-04-27 11:06:15 -07:00
xiekeyang
10f32bfcd5 simplify the embedded method expression of repository
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
2015-04-27 16:33:58 +08:00
Josh Hawn
2c7489e6b2 Updated urlbuilder X-Forwarded-Host logic
According to the Apache mod_proxy docs, X-Forwarded-Host can be a
comma-separated list of hosts, to which each proxy appends the requested
host. We want to grab only the first from this comma-separated list
to get the original requested Host when building URLs.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-04-24 14:16:49 -07:00
Olivier Gambier
ecdf1f6daa Merge pull request #430 from stevvooe/address-s3-timeout-error
Attempt to address intermittent s3 RequestTimeout error
2015-04-24 11:20:30 -07:00
Stephen Day
12a8fd49c7 Merge pull request #420 from stevvooe/expose-drivernames
Expose storage driver names for tracing
2015-04-24 10:53:40 -07:00
Stephen J Day
0f897aea8f Attempt to address intermittent s3 RequestTimeout error
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-23 20:07:32 -07:00
Stephen J Day
0d8cb4dca8 Correctly check s3 chunksize parameter
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-23 16:31:41 -07:00
Jessie Frazelle
54aab2e9b8 Merge pull request #12417 from hashneo/patch-1
What if authConfig or factory is Nill?
2015-04-23 13:54:47 -07:00
Stephen J Day
8d4b636a60 Return after error in handler
This adds a missing return statement. It is not strictly needed since if the
io.Copy fails, the Finish operation will fail. Currently, the client reports
both errors where this new code will correctly only report the io.Copy error.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-23 13:13:13 -07:00
Doug Davis
a8b9bec104 Move CLI config processing out from under registry dir
No logic changes should be in here, just moving things around.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-23 10:18:38 -07:00
Stephen J Day
ecda1f4eff Include driver name in trace messsages
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-22 17:30:31 -07:00
Stephen J Day
b361b4811b Require storage drivers to report their name
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-22 17:30:01 -07:00
Stephen Day
0281f4dce5 Merge pull request #419 from stevvooe/pool-buffers-s3
Pool buffers used in S3.WriteStream
2015-04-22 16:41:28 -07:00
Stephen J Day
c49f7cd015 Pool buffers used in S3.WriteStream
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-22 16:25:53 -07:00
Olivier Gambier
0da2c631db Merge pull request #418 from stevvooe/accept-chunksize-parameter
Allow configuration of chunksize parameter
2015-04-22 14:46:40 -07:00
Stephen J Day
e4794ff73d Allow configuration of chunksize parameter
The code using values from the yaml package wasn't careful enought with the
possible incoming types. Turns out, it is just an int but we've made this
section somewhat bulletproof in case that package changes the behavior.

This code likely never worked. The configuration system should be decoupled
from the object instantiation.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-22 14:31:34 -07:00
Stephen J Day
f1ea982e82 Check error returned from io.Copy
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-22 12:35:08 -07:00
Stephen Day
06fcc9213a Merge pull request #408 from stevvooe/increase-retry-backoff
Backoff retry on verification to give s3 time to propagate
2015-04-21 13:19:28 -07:00
Stephen J Day
36ffe0c134 Backoff retry on verification to give s3 time to propagate
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-21 13:04:46 -07:00
Stephen J Day
77b30cfb25 log canonical digest on verification error
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-21 11:34:18 -07:00
Olivier Gambier
4f41f0be06 Merge pull request #405 from stevvooe/eventual-consistency
Attempt to deal with eventual consistency by retrying
2015-04-20 18:59:01 -07:00
Stephen J Day
d4ce8f5ef8 Attempt to deal with eventual consistency by retrying
Rather than accept the resulting of a layer validation, we retry up to three
times, backing off 100ms after each try. The thought is that we allow s3 files
to make their way into the correct location increasing the liklihood the
verification can proceed, if possible.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-20 18:49:22 -07:00
Richard
431811056b Add logging for generic handler errors.
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-04-20 17:47:52 -07:00
Doug Davis
34d1494c7f Make .docker dir have 0700 perms not 0600
Thanks to @dmcgowan for noticing.

Added a testcase to make sure Save() can create the dir and then
read from it.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-20 14:16:50 -07:00
Doug Davis
7b8b61bda1 Add .docker/config.json and support for HTTP Headers
This PR does the following:
- migrated ~/.dockerfg to ~/.docker/config.json. The data is migrated
  but the old file remains in case its needed
- moves the auth json in that fie into an "auth" property so we can add new
  top-level properties w/o messing with the auth stuff
- adds support for an HttpHeaders property in ~/.docker/config.json
  which adds these http headers to all msgs from the cli

In a follow-on PR I'll move the config file process out from under
"registry" since it not specific to that any more. I didn't do it here
because I wanted the diff to be smaller so people can make sure I didn't
break/miss any auth code during my edits.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-20 13:05:24 -07:00
Rick Wieman
4778468202 Removes redundant else in registry/session.go
Fixes #12523

Signed-off-by: Rick Wieman <git@rickw.nl>
2015-04-19 23:58:55 +02:00
Antonio Murdaca
742cf000d3 Refactor else branches
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-19 15:32:54 +02:00
Stephen Day
3802701cdc Merge pull request #375 from RichardScothern/path-logging
registry/storage/driver: add path and other info to filesytem trace methods.
2015-04-17 14:09:23 -07:00
Richard
bc2b6efaa6 Add path and other info to filesytem trace methods.
Also fix Delete (was 'Move').
2015-04-17 13:55:18 -07:00
bin liu
f3f46307f2 fix some typos in source comments
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-17 12:39:52 +00:00
Stephen Day
3bf989585c Merge pull request #333 from RichardScothern/purgeuploads
registry/storage: automatically purge old upload files
2015-04-16 11:16:51 -07:00
Richard
0b2feaf611 Automatically purge old upload files.
When the registry starts a background timer will periodically
scan the upload directories on the file system every 24 hours
and delete any files older than 1 week. An initial jitter
intends to avoid contention on the filesystem where multiple
registries with the same storage driver are started
simultaneously.
2015-04-16 10:57:34 -07:00
Stephen Day
10d875d50d Merge pull request #369 from stevvooe/http-request-status-context-manager
context, registry/handlers: instantiate http context before dispatch
2015-04-15 23:23:40 -07:00
Stephen Day
78baf3f2e1 Merge pull request #364 from ncdc/resumable-digest-optional
Use a build flag to disable resumable digests
2015-04-15 23:22:25 -07:00
Stephen J Day
136f0ed8bb Instantiate http context before dispatch
Ensure that the status is logged in the context by instantiating before the
request is routed to handlers. While this requires some level of hacking to
acheive, the result is that the context value of "http.request.status" is as
accurate as possible for each request.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-15 19:53:36 -07:00
Andy Goldstein
480d864fc4 Use a build flag to disable resumable digests.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-04-16 01:19:57 +00:00
Derek McGowan
16174241d1 Update final upload chunk api doc
Updates description about content length and location

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-04-15 17:55:15 -07:00
Steven Taylor
2bd5eb9d7c What if authConfig or factory is Null?
Signed-off-by: Steven Taylor <steven.taylor@me.com>
2015-04-15 15:35:18 -07:00
Richard
9898552656 Add auth.user.name to logging context 2015-04-15 10:34:24 -07:00
Antonio Murdaca
ad3d879929 Refactor utils/utils, fixes #11923
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 01:37:36 +02:00
Richard Scothern
e5eddbc762 Merge pull request #343 from stevvooe/tracing-driver
context, storagedriver: trace function calls to Base storage driver
2015-04-10 16:55:57 -07:00
Stephen J Day
12bf470b2f Trace function calls to Base storage driver
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-10 16:42:36 -07:00
Stephen Day
65f19a7e02 Merge pull request #349 from RichardScothern/348
Prevent Close() from being called after Finish()
2015-04-10 16:21:01 -07:00
Richard
4ac515fde4 Prevent Close() from being called after Finish() 2015-04-10 16:00:05 -07:00
Tibor Vass
0120d1c7db Merge pull request #11478 from dmcgowan/v2-vendored-api
Use v2 api from distribution
2015-04-10 17:22:38 -04:00
Derek McGowan
e83e37618f Rename top level registry interface to namespace
Registry is intended to be used as a repository service than an abstract collection of repositories. Namespace better describes a collection of repositories retrievable by name.
The registry service serves any repository in the global scope.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-04-09 19:21:33 -07:00
Stephen J Day
36a076995b Disassociate instance id from application
This moves the instance id out of the app so that it is associated with an
instantiation of the runtime. The instance id is stored on the background
context. This allows allow contexts using the main background context to
include an instance id for log messages. It also simplifies the application
slightly.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-09 18:45:39 -07:00
Stephen J Day
250e61e2a1 Prevent false sharing in signature fetch
The original implementation wrote to different locations in a shared slice.
While this is theoretically okay, we end up thrashing the cpu cache since
multiple slice members may be on the same cache line. So, even though each
thread has its own memory location, there may be contention over the cache
line. This changes the code to aggregate to a slice in a single goroutine.

In reality, this change likely won't have any performance impact. The theory
proposed above hasn't really even been tested. Either way, we can consider it
and possibly go forward.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-09 14:35:10 -07:00
Olivier Gambier
44fa39e4ad Merge pull request #332 from stevvooe/case-sensitive-backend
registry/storage/driver: defer case-sensitive support to storage backend
2015-04-07 16:24:38 -07:00
Stephen J Day
2b4ad94cee Defer case-sensitive support to storage backend
Rather than enforce lowercase paths for all drivers, support for
case-sensitivity has been deferred to the driver. There are a few caveats to
this approach:

1. There are possible security implications for tags that only differ in their
case. For instance, a tag "A" may be equivalent to tag "a" on certain file
system backends.
2. All system paths should not use case-sensitive identifiers where possible.
This might be problematic in a blob store that uses case-sensitive ids. For
now, since digest hex ids are all case-insensitive, this will not be an issue.

The recommend workaround is to not run the registry on a case-insensitive
filesystem driver in security sensitive applications.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-07 14:14:45 -07:00
Olivier Gambier
7721fe5a65 Merge pull request #330 from stevvooe/parallelize-signature-fetch
registry/storage: parallelize signature fetch in signature store
2015-04-06 22:30:35 -07:00
Josh Hawn
8c0859e39c Handle cloudFront bucket prefix issue
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-04-06 19:46:05 -07:00
Stephen J Day
def60f3426 Parallelize signature fetch in signature store
To avoid compounded round trips leading to slow retrieval of manifests with a
large number of signatures, the fetch of signatures has been parallelized. This
simply spawns a goroutine for each path, coordinated with a sync.WaitGroup.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-06 19:13:15 -07:00
Olivier Gambier
e56124d343 Merge pull request #312 from stevvooe/add-layer-info-cache
registry: integrate layer info cache with registry and storage
2015-04-03 13:53:27 -07:00
Doug Davis
e5408bd911 Remove engine.Table from docker search and fix missing field
registry/SearchResults was missing the "is_automated" field.
I added it back in.

Pull this 'table' removal one from the others because it fixed
a bug too

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-04-03 11:27:30 -07:00
Stephen J Day
6b748a74ef Move expvar under the registry section
For consistency with other systems, the redis and caching monitoring data has
been moved under the "registry" section in expvar. This ensures the entire
registry state is kept to a single section.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-02 21:30:27 -07:00
Stephen J Day
4e1ecad6cc Allow control over which storage cache to use
This allows one to better control the usage of the cache and turn it off
completely. The storage configuration module was modified to allow parameters
to be passed to just the storage implementation, rather than to the driver.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-02 20:15:16 -07:00
Stephen J Day
6ab228f798 Integrate layer info cache with registry and storage
This changeset integrates the layer info cache with the registry webapp and
storage backend. The main benefit is to cache immutable layer meta data,
reducing backend roundtrips. The cache can be configured to use either redis or
an inmemory cache.

This provides massive performance benefits for HEAD http checks on layer blobs
and manifest verification.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-02 20:15:16 -07:00
Stephen J Day
a7c2dceea5 Define and implement layer info cache
This changeset defines the interface for layer info caches. Layer info caches
speed up access to layer meta data accessed in storage driver backends. The
two main operations are tests for repository membership and resolving path and
size information for backend blobs.

Two implementations are available. The main implementation leverages redis to
store layer info. An alternative implementation simply caches layer info in
maps, which should speed up resolution for less sophisticated implementations.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-02 20:15:09 -07:00
Stephen Day
dff57726f9 Merge pull request #295 from jlhawn/use_resumable_digest
digest, registry/storage: use resumable digest
2015-04-02 20:12:57 -07:00
Stephen Day
721b39d0cb Merge pull request #314 from stevvooe/lockdown-uuid-route
registry/api/v2: stronger validation for uuid field in urls
2015-04-02 13:57:17 -07:00
Josh Hawn
b96de45be8 Use resumable digest for efficient upload finish
By using a resumable digester and storing the state of upload digests between
subsequent upload chunks, finalizing an upload no longer requires reading back
all of the uploaded data to verify the client's expected digest.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-04-02 11:20:31 -07:00
Stephen J Day
06acde06cb Avoid crash on invalid Move arguments
This chnage prevents a crash when moving from a non-existent directory that has
a file as a parent. To prevent this, we simply check that the node is a
directory and throws an error if it is not.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-01 19:03:02 -07:00
Stephen J Day
6eb804a1ec Stronger validation for uuid field in urls
This change adds strong validation for the uuid variable for v2 routes. This is
a minor specification change but is okay since the uuid field is controlled by
the server. The character set is restricted to avoid path traversal, allowing
for alphanumeric values and urlsafe base64 encoding.

This change has no effect on client implementations.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-01 18:57:59 -07:00
Stephen J Day
38ae1cb461 Add redis pool to registry webapp
Redis has been integrated with the web application for use with various
services. The configuraiton exposes connection details, timeouts and pool
parameters. Documentation has been updated accordingly.

A few convenience methods have been added to the context package to get loggers
with certain fields, exposing some missing functionality from logrus.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-04-01 16:27:24 -07:00
Michael Crosby
638ccff564 Remove jobs from registry.Service
This makes `registry.Service` a first class type and does not use jobs
to interact with this type.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-03-31 16:38:04 -07:00
Derek McGowan
67e5c940c4 Use vendored v2 registry api
Update registry package to use the v2 registry api from distribution. Update interfaces to directly take in digests.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-31 15:02:27 -07:00
Antonio Murdaca
5fa2d814f8 Refactor utils/http.go, fixes #11899
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-30 17:59:57 +02:00
Brian Goff
9e9a8add19 Merge pull request #11788 from reikani/pchoi
Changed snake case naming to camelCase.
2015-03-26 23:55:50 -07:00
Antonio Murdaca
d5045d054b Replace aliased imports of logrus, fixes #11762
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-26 23:22:04 +01:00
Peter Choi
b085d5556e Changed snake case naming to camelCase
Signed-off-by: Peter Choi <phkchoi89@gmail.com>
2015-03-26 15:05:45 -06:00
Don Kjer
eff5278d12 Fix for issue 9922: private registry search with auth returns 401
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-03-26 18:59:16 +00:00
Antonio Murdaca
9c08a43624 Remove engine.Status and replace it with standard go error
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-25 22:32:08 +01:00
Stephen Day
9ee35877e3 Merge pull request #294 from fkautz/pr_out_updating_msopentech_azure_sdk_for_go_to_latest_master
Updating MSOpenTech/azure-sdk-for-go to latest master
2015-03-24 13:27:19 -07:00
Frederick F. Kautz IV
dffd1babd2 Updating MSOpenTech/azure-sdk-for-go to latest master
Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
2015-03-23 21:59:21 -07:00
Ahmet Alp Balkan
594f733e03 storage/driver/azure: Allow non-default realms
This enables Azure storage driver to be used with non-default
cloud endpoints like Azure China or Azure Government that does
not use `.blob.core.windows.net` FQDN suffix.

Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-03-23 20:41:16 -07:00
Derek McGowan
10128f6e8c Add struct tags on v2 remote tags struct
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-23 14:33:52 -07:00
Meaglith Ma
0e7650f958 Fix decode tags value error when call get /v2/<name>/tags/list in registry api v2.
Signed-off-by: Meaglith Ma <genedna@gmail.com>
2015-03-23 14:33:52 -07:00
Derek McGowan
9f5184c111 Add check for 404 on get repository data
No longer add the body to the error when a 404 is received on get repository data.

closes #11510

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-22 18:15:18 -07:00
Michael Crosby
50b10850bb Merge pull request #11528 from jlhawn/separate_init_blob_upload
Separate init blob upload
2015-03-20 16:39:31 -07:00
Josh Hawn
bcccf35bb2 Separate init blob upload
Pushing a v2 image layer has two steps:

- POST to get a new upload URL
- PUT to that upload URL

We were previously not checking the response code of
the POST request and the PUT would fail in weird ways.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-20 13:11:05 -07:00
Josh Hawn
11d08c3065 Add verification of image manifest digests
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-20 09:34:39 -07:00
Arnaud Porterie
4377a9a3bc Merge pull request #11477 from dmcgowan/fix-auth-http-client
Update auth client configuration to use proper tls config
2015-03-19 14:17:47 -07:00
Derek McGowan
4bf6791328 Update auth client configuration to use proper tls config
Currently the http clients used by auth use the default tls config.  The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-18 14:52:49 -07:00
Zhang Wei
7d4c1d1e97 print detailed error info for docker pull
When docker push get response with unknown HTTP status, docker daemon
print:
"Error: Status XXX trying to push repository XXX: XXX"
But when docker pull meets response with unknown status code, it gives:
"HTTP code: XXX"

This commit helps docker pull print more detailed error info like push
does, so push and pull can behave consistently when error happens.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2015-03-18 11:35:44 +08:00
Arnaud Porterie
606d538448 Merge pull request #11118 from shishir-a412ed/restriction_username_length
Docker Tag command: Relax the restriction on namespace (username) length from 30 to 255 characters.
2015-03-17 09:41:12 -07:00
Andy Goldstein
4b813b3847 Add ability to refer to image by name + digest
Add ability to refer to an image by repository name and digest using the
format repository@digest. Works for pull, push, run, build, and rmi.

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-17 10:10:42 +00:00
Derek McGowan
1d6ccc1b72 Quote registry error strings
Currently when registry error strings contain new line characters only the last line is displayed to the client. Quote the string to ensure the client can see the entire body value.

fixes #11346

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-16 15:32:47 -07:00
Derek McGowan
9879aefa81 Use request factory for registry ping
Currently when the registry ping is sent, it creates the request directly from http.NewRequest instead of from the http request factory. The request factory adds useful header information such as user agent which is needed by the registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-16 14:21:00 -07:00
Shishir Mahajan
dc4e9c6e90 Docker Tag command: Relax the restriction on namespace (username) length from 30 to 255 characters.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-03-14 16:45:44 -04:00
Josh Hawn
6d14019368 Refactor Layer interface to return a Handler
... Rather than ServeHTTP directly.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-12 21:59:07 -07:00
Josh Hawn
fdd6314776 Insert request method option storage driver URLFor
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-12 17:06:40 -07:00
Stephen Day
efb24490c7 Merge pull request #256 from ncdc/master
Send WWW-Authenticate header for silly auth
2015-03-11 19:01:23 -07:00
Andy Goldstein
4b5af16fdc Send WWW-Authenticate header for silly auth
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-11 15:20:15 -04:00
David Lawrence
83571e574c don't panic during a request when configuring repository middleware. Return a 500 with an appropriate error
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-11 08:59:02 -07:00
Andy Goldstein
5c3f53b70f Fix Godoc typos
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-11 08:56:29 -07:00
David Lawrence
6a72d1aefb Final polish to cloudfront and larger middleware refactor
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-11 08:56:29 -07:00
Andy Goldstein
30bcc17b85 Middleware!
Convert middleware in the config to be a map of type->[]Middleware

Add support for registry & repository middleware.

Some naming updates as well.

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-11 08:56:28 -07:00
David Lawrence
952f39edff Refactoring cloudfactory layer handler into a more generic storage
middleware concept.

This also breaks the dependency the storage package had on goamz
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-11 08:56:28 -07:00
Josh Hawn
3e658d29a6 digest: Minor refactoring
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-10 16:44:19 -07:00
David Lawrence
eccae81c9e minor refactor + tests for app.go just to improve test coverage.
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-09 16:31:30 -07:00
Tibor Vass
c5c507bb14 Merge pull request #10423 from dmcgowan/v2-registry-fix-single-names
Allow single name component repository names
2015-03-09 15:40:22 -04:00
Arnaud Porterie
7a35d98c5e Remove subdirectories MAINTAINERS files
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-03-06 18:21:51 -08:00
Derek McGowan
99401d7290 Allow single name component repository names
Private registries should support having images pushed with only a single name component (e.g. localhost:5000/myapp).
The public registry currently requires two name components, but this is already enforced in the registry code.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-06 18:18:53 -08:00
Arnaud Porterie
ea431d9e40 Merge pull request #10425 from dmcgowan/registry-maintainers
Add distribution maintainers to maintainers files
2015-03-06 17:37:12 -08:00
Andy Goldstein
ccfadc93aa Remove max repository component length restriction
Fixes #241

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-06 19:55:33 -05:00
Stephen Day
27baf9eb73 Merge pull request #239 from jlhawn/event_target_update
notifications: update notification event Target fields
2015-03-06 16:45:06 -08:00
Stephen Day
5a8bedcc9f Merge pull request #238 from endophage/canonical_sha256
digest, registry/storage, registry/handlers: switch to SHA256 as canonical digest
2015-03-06 15:27:14 -08:00
David Lawrence
2a786bfc23 fixing up tests to work with for non-tarsum future
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-06 14:54:23 -08:00
Stephen Day
48bf33c038 Merge pull request #243 from stevvooe/storagedriver-docs
doc: move storage driver readmes into docs
2015-03-06 11:25:42 -08:00
Josh Hawn
98daae176a Switch to SHA256 as canonical digest
Also support client digests linking to canonical digest.
2015-03-06 09:49:05 -08:00
Josh Hawn
4e3bf4bad4 Update notification event Target fields
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-03-05 18:01:50 -08:00
Stephen J Day
19061f347e doc: move storage driver readmes into docs
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-03-05 17:23:33 -08:00
Stephen J Day
008236cfef Implement immutable manifest reference support
This changeset implements immutable manifest references via the HTTP API. Most
of the changes follow from modifications to ManifestService. Once updates were
made across the repo to implement these changes, the http handlers were change
accordingly. The new methods on ManifestService will be broken out into a
tagging service in a later PR.

Unfortunately, due to complexities around managing the manifest tag index in an
eventually consistent manner, direct deletes of manifests have been disabled.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-03-04 21:40:55 -08:00
Stephen J Day
f46a1b73e8 spec: fetch manifests by tag or digest
Manifests are now fetched by a field called "reference", which may be a tag or
a digest. When using digests to reference a manifest, the data is immutable.
The routes and specification have been updated to allow this.

There are a few caveats to this approach:

1. It may be problematic to rely on data format to differentiate between a tag
   and a digest. Currently, they are disjoint but there may modifications on
   either side that break this guarantee.
2. The caching characteristics of returned content are very different for
   digest versus tag-based references. Digest urls can be cached forever while tag
   urls cannot.

Both of these are minimal caveats that we can live with in the future.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-03-04 21:39:36 -08:00
Stephen Day
0ecb468a33 Merge pull request #234 from ncdc/signature-service
Expose Signatures() on Repository
2015-03-04 18:24:36 -08:00
Josh Hawn
f258df6e6b Merge pull request #231 from stevvooe/remove-unnecessary-close
Remove unnecessary close in client
2015-03-04 18:19:35 -08:00
Andy Goldstein
a65662c10f Expose Signatures() on Repository
Add a SignatureService and expose it via Signatures() on Repository so
external integrations wrapping the registry can access signatures.

Move signature related code from revisionstore.go to signaturestore.go.

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-04 20:56:11 -05:00
Stephen J Day
0b34048fe3 Remove unnecessary close in client
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-03-03 19:29:12 -08:00
Stephen Day
29d2414366 Merge pull request #218 from endophage/DIST-148
registry/storage: buffered wrapper for fileWriter
2015-03-03 18:08:28 -08:00
Stephen Day
bd6b150c4a Merge pull request #212 from stevvooe/add-documentation-name-validator
documentation for name validation grammar
2015-03-03 17:32:54 -08:00
David Lawrence
b870e3fdfb wrap buffered writer around filewriter
benchmarks added to filewriter_test, demonstrate buffered
version is ~5x faster on my hardware.
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-03 16:23:21 -08:00
Stephen J Day
ac7af800fb documentation for name validation grammar
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-03-02 10:55:31 -08:00
Stephen Day
b1c8952c1a Merge pull request #213 from stevvooe/docker-upload-uuid
doc/spec, registry/handlers: specify and implement Docker-Upload-UUID
2015-03-02 10:51:15 -08:00
David Lawrence
3bf768a588 Adding test cases to confirm path traversal attempts are mitigated and
bad characters in URI return 404
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-03-02 09:15:49 -08:00
Stephen J Day
32f5965c06 Specify and implement Docker-Upload-UUID
This changeset adds support for a header to identify docker upload uuids. This
id can be used as a key to manage local state for resumable uploads. The goal
is remove the necessity for a client to parse the url to get an upload uuid.
The restrictions for clients to use the location header are still strongly in
place.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-26 16:43:47 -08:00
David Lawrence
871cf9dd01 Path prefix support for running registry somewhere other than root of server
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-02-26 16:04:43 -08:00
Rik Nijessen
d3ad1c3cbb Rename package timeout to timeoutconn.
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 20:52:37 +01:00
Rik Nijessen
ec7ed3eefd Move TimeoutConn to seperate pkg dir.
Fixes #10965
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 17:09:47 +01:00
Srini Brahmaroutu
2867d39cd9 Removing -X flag option and autogenerated code to create Dockerversion.go functionality
Addresses #9207

Signed-off-by: Srini Brahmaroutu <srbrahma@us.ibm.com>
2015-02-20 05:40:12 +00:00
Stephen Day
00ce453315 Merge pull request #189 from donhcd/rootcertbundle
Rename auth.token.{rootCertBundle -> rootcertbundle}
2015-02-19 19:31:55 -08:00
Stephen Day
3725bda8ea Merge pull request #191 from stevvooe/missing-digest-bad-request
A digest missing parameter should result in a bad request
2015-02-19 18:30:58 -08:00
Stephen J Day
606c5c8c57 A digest missing parameter should result in a bad request
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-19 17:14:25 -08:00
Donald Huang
b87459b363 Rename auth.token.rootCertBundle yml field
Renames auth.token.rootCertBundle field in registry config to rootcertbundle so
that the REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE environment variable will override it.

See
()[https://github.com/docker/distribution/blob/master/configuration/parser.go#L155]

Signed-off-by: Donald Huang <don.hcd@gmail.com>
2015-02-20 00:46:24 +00:00
Andrey Kostov
58269e73fc Fix S3 driver's list when the root directory is either "" or "/" 2015-02-19 16:31:34 -08:00
Andrey Kostov
02718ee277 Add an empty root directory s3 driver specific test 2015-02-19 16:28:32 -08:00
Stephen J Day
3e906311c6 Add error return to Repository method on Registry
The method (Registry).Repository may now return an error. This is too allow
certain implementationt to validate the name or opt to not return a repository
under certain conditions.

In conjunction with this change, error declarations have been moved into a
single file in the distribution package. Several error declarations that had
remained in the storage package have been moved into distribution, as well. The
declarations for Layer and LayerUpload have also been moved into the main
registry file, as a result.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-13 16:27:33 -08:00
Stephen J Day
ed8827c3c2 Move notifications package to distribution
Since the notifications package is now decoupled from storage, we are moving it
to the root package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-12 14:40:35 -08:00
Stephen J Day
09bf752234 Remove Name from Layer and LayerUpload interface
A Layer or LayerUpload should not be coupled with the containing repository.
Remove the Name method and correctly reference from the repository where
appropriate.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-12 14:27:05 -08:00
Stephen J Day
553d48d618 Move layer interface definitions to distribution package
After consideration, it has been decided that the interfaces defined in the
storage package provide a good base for interacting with various registry
instances. Whether interacting with a remote API or a local, on-disk registry,
these types have proved flexible. By moving them here, they can become the
central components of interacting with distribution components.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-12 14:26:46 -08:00
Ahmet Alp Balkan
8728074d65 storagedriver/azure: Add README
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-02-11 14:40:51 -08:00
Stephen J Day
fac0f5412d Run goimports/gofmt on previous changes
After all of the perl refactoring, some import orderings were left asunder.
This commit corrects that.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-11 12:43:04 -08:00
Stephen J Day
6e4f9a2e3e Move storagedriver package to registry/storage/driver
This change is slightly more complex than previous package maves in that the
package name changed. To address this, we simply always reference the package
driver as storagedriver to avoid compatbility issues with existing code. While
unfortunate, this can be cleaned up over time.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-11 12:43:04 -08:00
Stephen J Day
71e7ac33ca Move storage package under registry package
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-11 12:43:04 -08:00
Stephen J Day
d6308bc62b Move client package under registry package
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-11 12:42:56 -08:00
Stephen J Day
c3b07952ad Move auth package under registry package
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-10 17:34:04 -08:00
Stephen J Day
3822e685a0 Move registry api definitions under registry package
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-10 17:32:22 -08:00
Stephen J Day
54ae545ed3 Move registry package into handler package
The goal is to free up the distribution/registry package to include common
registry types. This moves the webapp definitions out of the way to allow for
this change in the future.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-10 17:25:40 -08:00
Stephen J Day
287e11e1d4 Correctly return when repo name is not available
The branch that executes after a failed request authorization due to a missing
repo name now correctly returns an error. This is somewhat superficial since
the response would have already been executed. Although, unintended repository
operations may have occurred.

Documentations and comments have also been updated to be in line with
surrounding changes.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-10 15:19:02 -08:00
Stephen J Day
9bde7d9835 Integrate context with storage package
This changeset integrates context with the storage package. Debug messages have
been added to exported methods. Existing log messages will now include
contextual details through logger fields to aid in debugging. This integration
focuses on logging and may be followed up with a metric-oriented change in the
future.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-09 14:44:58 -08:00
Stephen J Day
3e84069959 Integrate contextual logging with regsitry app
This changeset integrates contextual logging into the registry web application.
Idiomatic context use is attempted within the current webapp layout. The
functionality is centered around making lifecycle objects (application and
request context) into contexts themselves. Relevant data has been moved into
the context where appropriate.  We still have some work to do to factor out the
registry.Context object and the dispatching functionality to remove some
awkward portions.

The api tests were slightly refactored to use a test environment to eliminate
common code.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-06 16:51:53 -08:00
Stephen Day
d5b7c41ada Merge pull request #140 from jlhawn/137_auth_context
Use context for auth access controllers
2015-02-04 19:25:10 -08:00
Josh Hawn
904b35a24f Use context for auth access controllers
The auth package has been updated to use "golang.org/x/net/context" for
passing information between the application and the auth backend.

AccessControllers should now set a "auth.user" context value to a AuthUser
struct containing a single "Name" field for now with possible, optional, values
in the future.

The "silly" auth backend always sets the name to "silly", while the "token" auth
backend will set the name to match the "subject" claim of the JWT.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-02-04 19:17:33 -08:00
Doug Davis
92de07cee0 Pretty the help text
This modifies the "docker help" text so that it is no wider than 80 chars
and each description fits on one line. This will also try to use ~ when
possible

Added a test to make sure we don't go over 80 chars again.
Added a test to make sure we use ~

Applied rules/tests to all docker commands - not just main help text

Closes #10214

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-02-04 07:59:16 -08:00
Stephen J Day
1f06e4f816 Manifest PUT should return 202 Accepted status
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-03 18:27:40 -08:00
Arnaud Porterie
c5cec5f439 Merge pull request #10477 from liusdu/liusdu_typo
delete duplicated word in registry/session.go
2015-02-03 14:38:47 -08:00
Stephen J Day
1089cae282 Separate request data from actor in Event
To clarify the role of actor, the request data that initiates an event has been
separated. The ActorRecord is pared down to just the username. This eliminates
confusion about where event related data should be added.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-03 13:32:37 -08:00
Stephen J Day
2aed7c2d0c Webhook notification support in registry webapp
Endpoints are now created at applications startup time, using notification
configuration. The instances are then added to a Broadcaster instance, which
becomes the main event sink for the application. At request time, an event
bridge is configured to listen to repository method calls. The actor and source
of the eventBridge are created from the requeest context and application,
respectively. The result is notifications are dispatched with calls to the
context's Repository instance and are queued to each endpoint via the
broadcaster.

This commit also adds the concept of a RequestID and App.InstanceID. The
request id uniquely identifies each request and the InstanceID uniquely
identifies a run of the registry. These identifiers can be used in the future
to correlate log messages with generated events to support rich debugging.

The fields of the app were slightly reorganized for clarity and a few horrid
util functions have been removed.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-03 13:32:37 -08:00
Alexander Morozov
3790b5d6b4 Fix some go vet errors
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-02-02 14:53:20 -08:00
Stephen J Day
b6270d9c14 Handle empty blob files more appropriately
Several API tests were added to ensure correct acceptance of zero-size and
empty tar files. This led to several changes in the storage backend around the
guarantees of remote file reading, which backs the layer and layer upload type.

In support of these changes, zero-length and empty checks have been added to
the digest package. These provide a sanity check against upstream tarsum
changes. The fileReader has been modified to be more robust when reading and
seeking on zero-length or non-existent files. The file no longer needs to exist
for the reader to be created. Seeks can now move beyond the end of the file,
causing reads to issue an io.EOF. This eliminates errors during certain race
conditions for reading files which should be detected by stat calls. As a part
of this, a few error types were factored out and the read buffer size was
increased to something more reasonable.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-02-02 13:01:49 -08:00
Arnaud Porterie
bdbb90e01f Merge pull request #10472 from jlhawn/handle_mux_route_url_bug
Handle gorilla/mux route url bug
2015-01-31 19:52:51 -08:00
Josh Hawn
63af81b883 Fix token basic auth header issue
When requesting a token, the basic auth header is always being set even
if there is no username value. This patch corrects this and does not set
the basic auth header if the username is empty.

Also fixes an issue where pulling all tags from a v2 registry succeeds
when the image does not actually exist on the registry.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-31 15:12:34 -08:00
Josh Hawn
050337b257 Handle gorilla/mux route url bug
When getting the URL from a v2 registry url builder, it does not
honor the scheme from the endpoint object and will cause an https
endpoint to return urls starting with http.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-31 12:54:57 -08:00
Liu Hua
5589ce8b8a delete duplicated word in registry/session.go
Signed-off-by: Liu Hua <sdu.liu@huawei.com>
2015-01-31 20:15:59 +08:00
Stephen J Day
33a1f4ef7d Address server errors received during layer upload
This changeset addresses intermittent internal server errors encountered during
pushes.  The root cause has been isolated to layers that result in identical,
empty filesystems but may have some path declarations (imaginge "./"),
resulting in different tarsums. The main error message reported during these
upload problems was a 500 error, which was not correct.  Further investigation
showed the errors to be rooted in digest verification when finishing uploads.

Inspection of the surrounding code also identified a few issues. PutLayerChunk
was slightly refactered into PutLayerUploadComplete. Helper methods were
avoided to make handler less confusing. This simplification leveraged an
earlier change in the spec that moved non-complete chunk uploads to the PATCH
method. Simple logging was also added in the unknown error case that should
help to avoid mysterious 500 errors in the future.

At the same time, the glaring omission of a proper layer upload cancel method
was rectified. This has been added in this change so it is not missed in the
future.

In the future, we may want to refactor the handler code to be more
straightforward, hopefully letting us avoid these problems in the future.

Added test cases that reproduce these errors and drove these changes include
the following:

1. Push a layer with an empty body results in invalid blob upload.
2. Push a layer with a different tarsum (in this case, empty tar)
3. Deleting a layer upload works.
4. Getting status on a deleted layer upload returns 404.

Common functionality was grouped into shared functions to remove repitition.
The API tests will still require future love.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-29 21:26:35 -08:00
Derek McGowan
9dc3529dfe Add distribution maintainers to maintainers files
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-28 16:30:00 -08:00
Stephen J Day
0818476cb1 Open up v2 http status code checks for put and head checks
Under certain cases, such as when putting a manifest or check for the existence
of a layer, the status code checks in session_v2.go were too narrow for their
purpose. In the case of putting a manifest, the handler only cares that an
error is not returned. Whether it is a 304 or 202 does not matter, as long as
the server reports success. Having the client only accept specific http codes
inhibits future protocol evolution.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-27 18:09:53 -08:00
Jessie Frazelle
b7db855fc6 Merge pull request #10249 from jlhawn/distribution_version_header_10247
Split API Version header when checking for v2
2015-01-27 11:48:42 -08:00
Derek McGowan
d96d4aa9f0 Better error messaging and logging for v2 registry requests
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-26 14:00:51 -08:00
Derek McGowan
41703e2bb7 Fix write after close on http response
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-21 15:14:01 -08:00
Josh Hawn
6a736c20f0 Split API Version header when checking for v2
Since the Docker-Distribution-API-Version header value may contain multiple
space delimited versions as well as many instances of the header key, the
header value is now split on whitespace characters to iterate over all versions
that may be listed in one instance of the header.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-21 15:08:32 -08:00
Josh Hawn
1c7271129b Resolve ambiguity on registry v2 ping
v2 ping now checks for a Docker-Distribution-API-Version
header that identifies the endpoint as "registry/2.0"

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-20 19:52:08 -08:00
Stephen Day
cd647beb1d Merge pull request #89 from jlhawn/version_header
Add Docker Distribution API Version header
2015-01-20 13:42:12 -08:00
Josh Hawn
acfcc955de Add Docker Distribution API Version header
Setting a header for all responses can help clients better determine
if the server speaks the legacy v1 API or the v2 API. It is important
that the header be set *BEFORE* routing the request.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-20 13:26:05 -08:00
Jessie Frazelle
35bb812cee Merge pull request #9784 from dmcgowan/v2-registry
Client Support for Docker Registry HTTP API V2
2015-01-19 10:46:38 -08:00
Brian Goff
4eaf644321 Make .dockercfg with json.MarshallIndent
Fixes #10129
Makes the .dockercfg more human parsable.

Also cleaned up the (technically) racey login test.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-01-17 07:05:56 -05:00
Stephen J Day
825da388a4 Update the registry app to use the new storage interfaces
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-16 18:33:28 -08:00
Derek McGowan
9c24fc93ad Add token cache
Token cache prevents the need to get a new token for every registry interaction.
Since the tokens are short lived, the cache expires after only a minute.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
5bf94a6438 Cleanup v2 session to require endpoint
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
735a112415 Fix list tags
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
e5744a3bad Refactor from feedback
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Josh Hawn
826bde851b Add Tarsum Calculation during v2 Pull operation
While the v2 pull operation is writing the body of the layer blob to disk
it now computes the tarsum checksum of the archive before extracting it to
the backend storage driver. If the checksum does not match that from the
image manifest an error is raised.

Also adds more debug logging to the pull operation and fixes existing test
cases which were failing. Adds a reverse lookup constructor to the tarsum
package so that you can get a tarsum object using a checksum label.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Stephen J Day
6f09abd5c9 Correctly check and propagate errors in v2 session
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Derek McGowan
22c7328529 Get token on each request
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
6f36ce3a01 Allow private V2 registry endpoints
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
751a1a8dd0 Update push and pull to registry 2.1 specification
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Stephen J Day
ee1e1abb15 Remove dependencies on registry packages
Because docker core cannot vendor non-master Go dependencies, we need to remove
dependencies on registry package. The definition of digest.Digest has been
changed to a string and the regular expressions have been ported from
docker-registry/common library.

We'll likely change this be dependent on the registry in the future when the
API stabilizies and use of the master branch becomes the norm.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Stephen J Day
2fcad2a10f Registry V2 HTTP route and error code definitions
This package, ported from next-generation docker regsitry, includes route and
error definitions. These facilitate compliant V2 client implementation. The
portions of the HTTP API that are included in this package are considered to be
locked down and should only be changed through a careful change proposal.
Descriptor definitions package layout may change without affecting API behavior
until the exported Go API is ready to be locked down.

When the new registry stabilizes and becomes the master branch, this package
can be vendored from the registry.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Josh Hawn
e256a0e0bc Update token response handling
Registry authorization token is now taken from the response body rather than
the repsonse header.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Derek McGowan
24895820bd Update push to use mount blob endpoint
Using mount blob prevents repushing images which have already been uploaded

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Derek McGowan
06d0ef4179 Push flow
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Josh Hawn
6b400cd63c Adds support for v2 registry login
summary of changes:

registry/auth.go
  - More logging around the login functions
  - split Login() out to handle different code paths for v1 (unchanged logic)
    and v2 (does not currently do account creation)
  - handling for either basic or token based login attempts
registry/authchallenge.go
  - New File
  - credit to Brian Bland <brian.bland@docker.com> (github: BrianBland)
  - handles parsing of WWW-Authenticate response headers
registry/endpoint.go
  - EVEN MOAR LOGGING
  - Many edits throught to make the coad less dense. Sparse code is more
    readable code.
  - slit Ping() out to handle different code paths for v1 (unchanged logic)
    and v2.
  - Updated Endpoint struct type to include an entry for authorization
    challenges discovered during ping of a v2 registry.
  - If registry endpoint version is unknown, v2 code path is first attempted,
    then fallback to v1 upon failure.
registry/service.go
  - STILL MOAR LOGGING
  - simplified the logic around starting the 'auth' job.
registry/session.go
  - updated use of a registry.Endpoint struct field.
registry/token.go
  - New File
  - Handles getting token from the parameters of a token auth challenge.
  - Modified from function written by Brian Bland (see above credit).
registry/types.go
  - Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'`

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:04:14 -08:00
Alexander Morozov
1f98347924 Fix format calls as suggested by vet
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-14 14:12:03 -08:00
Stephen J Day
594263a3f5 Correctly handle missing layer upload
Because we guarded the error check, nil Upload on the handler was getting
through to unexpected branches. This directly handles the missing upload
ensuring its set as expected.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-09 16:09:45 -08:00
Stephen J Day
cd92071caa Directly manage layerUploadState in webapp
Most of this change follows from the modifications to the storage api. The
driving factor is the separation of layerUploadState from the storage backend,
leaving it to the web application to store and update it. As part of the
updates to meet changes in the storage api, support for the size parameter has
been completely removed.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-09 14:51:13 -08:00
Stephen J Day
fdcfc56f7b Refactor handling of hmac state packing
This refactors the hmac state token to take control of the layerUploadState
json message, which has been removed from the storage backend. It also moves
away from the concept of a LayerUploadStateStore callback object, which was
short-lived. This allows for upload offset to be managed by the web application
logic in the face of an inconsistent backend. By controlling the upload offset
externally, we reduce the possibility of misreporting upload state to a client.

We may still want to modify the way this works after getting production
experience.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-09 14:50:39 -08:00
Brian Bland
9d3436c18e Fixes tests, moves layerhandler in config file 2015-01-08 17:29:22 -08:00
Qiang Huang
23f9f8c3f4 registry: fix minor type
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-09 09:06:27 +08:00
Brian Bland
b11d549fd0 Adds support for content redirects for layer downloads
Includes a delegate implementation which redirects to the URL generated
by the storagedriver, and a cloudfront implementation.
Satisfies proposal #49
2015-01-08 17:01:28 -08:00
Don Kjer
c899a49a95 Moving NewIndexInfo, NewRepositoryInfo and associated helpers into config.go
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:15:00 +00:00
Don Kjer
64b000c3ea Deprecating ResolveRepositoryName
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository

Moving --registry-mirror configuration to registry config

Created resolve_repository job

Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.

Adding test for RepositoryInfo

Adding tests for opts.StringSetOpts and registry.ValidateMirror

Fixing search term use of repoInfo

Adding integration tests for registry mirror configuration

Normalizing LookupImage image name to match LocalName parsing rules

Normalizing repository LocalName to avoid multiple references to an official image

Removing errorOut use in tests

Removing TODO comment

gofmt changes

golint comments cleanup.  renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig

Splitting out builtins.Registry and registry.NewService calls

Stray whitespace cleanup

Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test

Factoring out ValidateRepositoryName from NewRepositoryInfo

Removing unused IndexServerURL

Allowing json marshaling of ServiceConfig.  Exposing ServiceConfig in /info

Switching to CamelCase for json marshaling

PR cleanup; removing 'Is' prefix from boolean members.  Removing unneeded json tags.

Removing non-cleanup related fix for 'localhost:[port]' in splitReposName

Merge fixes for gh9735

Fixing integration test

Reapplying #9754

Adding comment on config.IndexConfigs use from isSecureIndex

Remove unused error return value from isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

Adding back comment in isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:14:58 +00:00
Stephen J Day
c02f1a5507 Move registry package out of repo root
Since the repo is no longer just the registry, we are moving the registry web
application package out of the repo root into a sub-package. We may break down
the registry package further to separate webapp components and bring the client
package under it. This change accomplishes the task of freeing up the repo root
for a distribution-oriented package. A stub doc.go file is left in place to
declare intent.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-06 10:40:22 -08:00
Matthew Riley
eb9ddb7b86 Allow hyphens in namespaces.
Signed-off-by: Matthew Riley <mattdr@google.com>
2015-01-05 11:06:16 -08:00
Tibor Vass
4170effd5a registry: remove accidentally added --insecure-registry feature
If `--insecure-registry mydomain.com` was specified, it would match a registry at mydomain.com on any port.
This was accidentally added in #9735 and is now being reverted.

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-19 16:46:29 -05:00
Tibor Vass
d1fcbd9028 registry: handle unresolvable domain names in isSecure
to allow HTTP proxies to work as expected.

Fixes #9708

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Tibor Vass
807bb5eb18 registry: add tests for unresolvable domain names in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Daehyeok Mun
b11b1e06e9 Chnage LookupRemoteImage to return error
This commit is patch for following comment
// TODO: This method should return the errors instead of masking them and returning false

Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-16 16:23:19 -08:00
unclejack
fdd4f4f2d1 validate image ID properly & before load
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

Conflicts:
	graph/load.go
2014-12-11 16:29:27 -05:00
Michael Crosby
6ad54e3df6 Refactor put image function's redirect loop
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 18:11:27 -08:00
Michael Crosby
3911c8b8dc Prevent loop with var overshadowing
Incase of a 3xx redirect the var was being overshowed and ever changed
causing an infinite loop.

Fixes #9480

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 17:43:21 -08:00
Vaidas Jablonskis
df85a0f700 registry: fix ServerAddress setting
This ensures that ServerAddress is set, while previously it was getting
set after configFile.Configs.

Signed-off-by: Vaidas Jablonskis <jablonskis@gmail.com>
2014-11-24 18:26:41 +00:00
Tibor Vass
ae0ebb9d07 Add the possibility of specifying a subnet for --insecure-registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-14 12:31:11 -08:00
Tibor Vass
f0920e61bf registry: parse INDEXSERVERADDRESS into a URL for easier check in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-13 07:02:24 -08:00
Tibor Vass
cca910e878 Put mock registry address in insecureRegistries for unit tests
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Tibor Vass
80255ff224 registry: refactor registry.IsSecure calls into registry.NewEndpoint
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Erik Hollensbe
524aa8b1a6 registry: always treat 127.0.0.1 as insecure for all cases anytime anywhere
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-11-12 12:14:43 -08:00
Johan Euphrosine
8582d04393 registry: default --insecure-registry to localhost and 127.0.0.1
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-12 09:12:42 -08:00
Tibor Vass
c00cd583e9 Merge pull request #9095 from proppy/is-secure-test
registry: add tests for IsSecure
2014-11-11 16:52:36 -05:00
Johan Euphrosine
cd246befe2 registry: add tests for IsSecure
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-11 11:02:32 -08:00
Vincent Batts
7dd4199fe8 registry: don't iterate through certs
the golang tls.Conn does a fine job of that.
http://golang.org/src/pkg/crypto/tls/handshake_client.go?#L334

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-11-04 16:12:23 -05:00
Tibor Vass
47a494e0fd Fix login command
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-10-30 19:44:44 -04:00
Tibor Vass
1b72e0234e Do not verify certificate when using --insecure-registry on an HTTPS registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Conflicts:
	registry/registry.go
	registry/registry_test.go
	registry/service.go
	registry/session.go

Conflicts:
	registry/endpoint.go
	registry/registry.go
2014-10-30 19:44:09 -04:00
Michael Crosby
552c17d618 Don't hard code true for auth job
Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	registry/service.go
2014-10-30 19:41:55 -04:00
Michael Crosby
50e11c9d8e Refactor IsSecure change
Fix issue with restoring the tag store and setting static configuration
from the daemon. i.e. the field on the TagStore struct must be made
internal or the json.Unmarshal in restore will overwrite the insecure
registries to be an empty struct.

Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	graph/pull.go
	graph/push.go
	graph/tags.go
2014-10-30 19:41:55 -04:00
unclejack
034c1cfb9d make http usage for registry explicit
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)

Conflicts:
	daemon/config.go
	daemon/daemon.go
	graph/pull.go
	graph/push.go
	graph/tags.go
	registry/registry.go
	registry/service.go
2014-10-30 19:41:55 -04:00
Victor Vieux
5685221c5f Merge pull request #8387 from vbatts/vbatts-registry_test_enpoint
registry/endpoint: make it testable
2014-10-29 13:36:17 -07:00
Jessie Frazelle
21ba3078b6 Merge pull request #8669 from monsterzz/8668-dualstack-registry
Use dual-stack Dialer when talking to registy
2014-10-29 12:03:12 -07:00
Jessica Frazelle
22f87eb9be Fix error on successful login.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-28 17:42:03 -07:00
Igor Dolzhikov
1a8edd0d55 excluding unused transformation to []byte
Signed-off-by: Igor Dolzhikov <bluesriverz@gmail.com>
2014-10-28 01:04:36 +06:00
Alexandr Morozov
0827b71157 Mass gofmt
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:11:48 -07:00
Alexandr Morozov
32654af8b6 Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Vincent Batts
bcbb7e0c41 registry/endpoint: make it testable
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-24 16:27:17 -04:00
Tibor Vass
d81951fffa Merge pull request #8423 from unclejack/lint_changes
lint changes part 1
2014-10-21 12:15:58 -04:00
Gleb M Borisov
ef57ab120c Use dual-stack Dialer when talking to registy
Signed-off-by: Gleb M. Borisov <borisov.gleb@gmail.com>
2014-10-21 03:59:11 +04:00
Dan Walsh
3a6fe4c5c9 On Red Hat Registry Servers we return 404 on certification errors.
We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.

According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."

https://www.ietf.org/rfc/rfc2616.txt

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity.  If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI. No
   indication is given of whether the condition is temporary or
   permanent. The 410 (Gone) status code SHOULD be used if the server
   knows, through some internally configurable mechanism, that an old
   resource is permanently unavailable and has no forwarding address.
   This status code is commonly used when the server does not wish to
   reveal exactly why the request has been refused, or when no other
   response is applicable.

When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-10-20 13:20:48 -04:00
Daniel, Dao Quang Minh
20867c3b1f Avoid fallback to SSL protocols < TLS1.0
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-10-15 22:39:51 -04:00
Derek McGowan
479ed10e61 Support tarsum dev version to fix issue with mtime
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
1538e42d56 Update manifest format to rename blobsums and use arrays of dictionaries
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
f290f44632 Use direct registry url
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:28 -07:00
unclejack
7bfdb6d495 registry: lint
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-10-06 22:34:39 +03:00
Derek McGowan
c47aa21c35 Add comment for permission and fix wrong format variable
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-02 17:41:57 -07:00
Derek McGowan
b7f7b0a2c9 Add provenance pull flow for official images
Add support for pulling signed images from a version 2 registry.
Only official images within the library namespace will be pull from the
new registry and check the build signature.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-01 18:26:06 -07:00
Vincent Batts
d629bebce2 registry: getting Endpoint ironned out
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-01 13:19:40 -07:00
Tibor Vass
48b43c2645 Replace get.docker.io -> get.docker.com and test.docker.io -> test.docker.com
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-09-24 18:53:27 -04:00
Phil Estes
b7da79fd14 Refactor all pre-compiled regexp to package level vars
Addresses #8057

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2014-09-16 12:57:44 -04:00
Vincent Batts
898bcf0f5d TarSum: versioning
This introduces Versions for TarSum checksums.
Fixes: https://github.com/docker/docker/issues/7526

It preserves current functionality and abstracts the interface for
future flexibility of hashing algorithms. As a POC, the VersionDev
Tarsum does not include the mtime in the checksum calculation, and would
solve https://github.com/docker/docker/issues/7387 though this is not a
settled Version is subject to change until a version number is assigned.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-09-10 15:41:52 -04:00
Jessie Frazelle
8440052689 Merge pull request #7862 from Gandi/bugfixes/segfault-registry-session
Fix SEGFAULT if dns resolv error
2014-09-08 11:38:34 -07:00
Michael Crosby
5e47333091 Merge pull request #7609 from ewindisch/max_imgname
Restrict length of repository names
2014-09-08 11:06:54 -07:00
Arthur Gautier
eaf57e8f55 Fix SEGFAULT if dns resolv error
Per registry.doRequest, res and client might be nil in case of error
For example, dns resolution errors, /etc/docker/certs.d perms, failed
loading of x509 cert ...
This will make res.StatusCode and res.Body SEGFAULT.

Signed-off-by: Arthur Gautier <baloo@gandi.net>
2014-09-05 13:40:06 +02:00
unclejack
2c78019539 registry/session: fix panic in GetRemoteImageLayer
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-09-03 17:26:56 +03:00
Eric Windisch
307e253d33 Restrict repository names from matching hexadecimal strings
To avoid conflicting with layer IDs, repository names must
not be tagged with names that collide with hexadecimal strings.

Signed-off-by: Eric Windisch <eric@windisch.us>
2014-08-27 13:46:10 -04:00
Michael Crosby
48096dad19 Merge pull request #7740 from LK4D4/registry_style
Style fixes for registry/registry.go
2014-08-26 18:02:11 -07:00
Alexandr Morozov
27e0ec3d58 Style fixes for registry/registry.go
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-26 12:28:40 +04:00
Erik Hollensbe
4d8f45a94d fix return values in registry mock service
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-25 10:29:38 -07:00
Daniel Menet
283fba4821 Expand hostname before passing it to NewRegistry()
Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:25:46 +02:00
Daniel Menet
744919be3d Enable docker search on private docker registry.
The cli interface works similar to other registry related commands:

  docker search foo

... searches for foo on the official hub

  docker search localhost:5000/foo

... does the same for the private reg at localhost:5000

Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:24:32 +02:00
Erik Hollensbe
94ff3f3e4d move utils.Fataler to pkg/log.Fataler
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-13 15:32:41 -07:00
Josiah Kiehl
2a7cf96c8f Extract log utils into pkg/log
Docker-DCO-1.1-Signed-off-by: Josiah Kiehl <josiah@capoferro.net> (github: capoferro)
2014-08-13 15:18:15 -07:00
Vincent Batts
7ef3a5bc73 registry.Registry -> registry.Session
renaming this struct to more clearly be session, as that is what it
handles.

Splitting out files for easier readability.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-08-13 09:27:43 -04:00
Tibor Vass
2ccfaf1484 Merge pull request #7324 from erikh/move_tarsum
Move tarsum to pkg/
2014-07-31 16:56:24 -04:00
Erik Hollensbe
47261aa8cf Remove CheckSum from utils; replace with a TeeReader
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 11:23:43 -07:00
Erik Hollensbe
7f2dca77d4 utils/tarsum* -> pkg/tarsum
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 06:42:12 -07:00
Erik Hollensbe
052128c4fc Move parsing functions to pkg/parsers and the specific kernel handling
functions to pkg/parsers/kernel, and parsing filters to
pkg/parsers/filter. Adjust imports and package references.

Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-29 13:09:10 -07:00
unclejack
775ca3caa3 move resumablerequestreader to pkg
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-29 16:30:45 +03:00
Victor Vieux
822f8c1b52 update go import path and libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:19:50 +00:00
2ff0ef4407 Merge pull request #6727 from unclejack/improve_bytes_range
Improve layer downloading
2014-07-23 15:31:25 -04:00
Michael Crosby
f946208721 Merge pull request #7146 from dmp42/master
Joining registry maintainers
2014-07-21 17:02:52 -07:00
Olivier Gambier
6365d94ef4 Joining registry maintainers
Docker-DCO-1.1-Signed-off-by: Olivier Gambier <olivier@docker.com> (github: dmp42)
2014-07-22 01:50:32 +02:00
c9bcc63cc7 Merge pull request #7050 from Aigeruth/fix/push_image_layer_registry_content_type
Add Content-Type header in PushImageLayerRegistry
2014-07-21 15:07:01 -04:00
unclejack
78a499ac67 get layer: remove HEAD req & pass down response
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-21 20:21:18 +03:00
Solomon Hykes
bc35ac4afd Merge pull request #3070 from alexlarsson/certificates 2014-07-18 18:27:00 -07:00
Gabor Nagy
19b4616baa Add Content-Type header in PushImageLayerRegistry
Docker-DCO-1.1-Signed-off-by: Gabor Nagy <mail@aigeruth.hu> (github: Aigeruth)
2014-07-16 12:23:25 +02:00
LK4D4
7cd8de1329 Fix go vet errors
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-18 17:39:57 +00:00
Alexander Larsson
d95235cc50 Add support for client certificates for registries
This lets you specify custom client TLS certificates and CA root for a
specific registry hostname. Docker will then verify the registry
against the CA and present the client cert when talking to that
registry.  This allows the registry to verify that the client has a
proper key, indicating that the client is allowed to access the
images.

A custom cert is configured by creating a directory in
/etc/docker/certs.d with the same name as the registry hostname. Inside
this directory all *.crt files are added as CA Roots (if none exists,
the system default is used) and pair of files <filename>.key and
<filename>.cert indicate a custom certificate to present to the registry.

If there are multiple certificates each one will be tried in
alphabetical order, proceeding to the next if we get a 403 of 5xx
response.

So, an example setup would be:
/etc/docker/certs.d/
└── localhost
    ├── client.cert
    ├── client.key
    └── localhost.crt

A simple way to test this setup is to use an apache server to host a
registry. Just copy a registry tree into the apache root, here is an
example one containing the busybox image:
  http://people.gnome.org/~alexl/v1.tar.gz

Then add this conf file as /etc/httpd/conf.d/registry.conf:

 # This must be in the root context, otherwise it causes a re-negotiation
 # which is not supported by the tls implementation in go
 SSLVerifyClient optional_no_ca

 <Location /v1>
 Action cert-protected /cgi-bin/cert.cgi
 SetHandler cert-protected

 Header set x-docker-registry-version "0.6.2"
 SetEnvIf Host (.*) custom_host=$1
 Header set X-Docker-Endpoints "%{custom_host}e"
 </Location>

And this as /var/www/cgi-bin/cert.cgi

 #!/bin/bash
 if [ "$HTTPS" != "on" ]; then
     echo "Status: 403 Not using SSL"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then
     echo "Status: 403 Client certificate invalid"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)"
 echo "x-docker-registry-version: 0.6.2"
 echo "X-Docker-Endpoints: $SERVER_NAME"
 echo "X-Docker-Size: 0"
 echo

 cat $PATH_TRANSLATED

This will return 403 for all accessed to /v1 unless *any* client cert
is presented. Obviously a real implementation would verify more details
about the certificate.

Example client certs can be generated with:

openssl genrsa -out client.key 1024
openssl req -new -x509 -text -key client.key -out client.cert

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-06-13 11:13:18 +02:00
Brandon Philips
46cc7603d4 registry: remove unneeded time.Duration()
These constants don't need to use time.Duration(). Fixup this file since
it seems to be the only one using this style.

Docker-DCO-1.1-Signed-off-by: Brandon Philips <brandon.philips@coreos.com> (github: philips)
2014-06-08 11:04:06 -07:00
Victor Vieux
4ec6e68e04 Disable timeout for push
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 23:48:25 +00:00
Victor Vieux
5cef006c5a improve trusted location detection
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 21:17:56 +00:00
Victor Vieux
8e8ffacf49 only forward auth to trusted locations
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 19:47:33 +00:00
Victor Vieux
0ac3b3981f Add redirect and env proxy support to docker login
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-03 00:46:06 +00:00
unclejack
96412d40fd resume pulling the layer on disconnect
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-06-02 21:41:22 +03:00
Derek
3a21f339f1 Use Timeout Conn wrapper to set read deadline for downloading layer
Docker-DCO-1.1-Signed-off-by: Derek <crq@kernel.org> (github: crquan)
2014-05-27 22:50:04 -07:00
Vincent Batts
a9a754dad1 registry: adding vbatts to the MAINTAINERS
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-05-06 14:31:47 -04:00
Victor Vieux
335cdaba6f Merge pull request #5600 from unclejack/sha512_registry_support
import sha512 to make sha512 ssl certs work
2014-05-05 15:27:11 -07:00
unclejack
f293adf7f9 import sha512 to make sha512 ssl certs work
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-05-05 20:29:20 +03:00
Solomon Hykes
bbebff75b6 Move 'search' to the registry subsystem
This continues the effort to separate all registry logic from the
deprecated `Server` object.

* 'search' is exposed by `github.com/dotcloud/docker/registry/Service`
* Added proper documentation of Search while I was at it

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:32 +00:00
Solomon Hykes
8934560bbc Move 'auth' to the registry subsystem
This is the first step towards separating the registry subsystem from
the deprecated `Server` object.

* New service `github.com/dotcloud/docker/registry/Service`
* The service is installed by default in `builtins`
* The service only exposes `auth` for now...
* ...Soon to be followed by `pull`, `push` and `search`.

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:06 +00:00
Michael Crosby
3e064ac71c Use proper scheme with static registry
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 02:01:07 -07:00
Victor Vieux
c914523873 Merge pull request #4607 from vbatts/vbatts-static_registry
static registry support
2014-04-29 11:22:44 -07:00
unclejack
c9a32099ae Merge pull request #5199 from shin-/registry_mirrors_support
Added support for multiple endpoints in X-Docker-Endpoints header
2014-04-28 17:56:57 +03:00
Vincent Batts
2b89f57964 static_registry: update the test for the new struct
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-04-25 20:01:25 -04:00
shin-
52893cae73 Added support for multiple endpoints in X-Docker-Endpoints header
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-18 17:42:54 +02:00
Victor Vieux
4bc3522500 allow dot in repo name
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-14 23:15:38 +00:00
shin-
dbb9296531 Added specific error message when hitting 401 over HTTP on push
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-08 17:07:29 +02:00
Sam Alba
4f29181d9b Payload checksum now match the checksum simple
Backported for backward compatibility.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 18:31:15 -07:00
Sam Alba
d2b2bf0393 Inverted layer checksum and tarsum.
The checksum of the payload has to be computed on the Gzip'ed content.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 17:56:25 -07:00
Ryan Thomas
50ec0bbd4e Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-28 06:31:04 +11:00
Ryan Thomas
fffa920a89 Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-25 14:45:11 +11:00
Djibril Koné
9bad706a1f Harmonize / across all name-related commands/Validate images names
Docker-DCO-1.1-Signed-off-by: Djibril Koné <kone.djibril@gmail.com> (github: enokd)
2014-03-21 00:40:58 +01:00
Victor Vieux
47c4e542ba use mock for search
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-03-13 17:40:34 +00:00
Vincent Batts
c18c4b8d3c registry: Info collection
roll version and standalone information into the _ping. And to support
Headers they are checked after the JSON is loaded (if there is anything
to load). To stay backwards compatible, if the _ping contents are not
able to unmarshal to RegistryInfo, do not stop, but continue with the
same behavior.

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 23:36:51 -04:00
Vincent Batts
471d923b1b registry: make certain headers optional
For a pull-only, static registry, there only a couple of headers that
need to be optional (that are presently required.
* X-Docker-Registry-Version
* X-Docker-Size
* X-Docker-Endpoints

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 10:08:44 -04:00
Guillaume J. Charmes
f6fefb0bc1 Merge auth package within registry
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-03-10 17:16:58 -07:00
Fabio Falci
1c101d006b Remove manual http cookie management
Since docker uses cookiejar it doesn't need to manage cookies manually
anymore.
Managing cookie was duplicating it.

Docker-DCO-1.1-Signed-off-by: Fabio Falci <fabiofalci@gmail.com> (github: fabiofalci)
2014-03-09 02:25:19 +00:00
Guillaume J. Charmes
1278e74c26 Merge pull request #4270 from DevTable/fixregistryauth
Fix registry auth and remove other hidden ping commands from client code
2014-03-03 17:34:21 -08:00
Sam Alba
f29683f794 registry: Fixed unexported field
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-02-25 16:06:04 -08:00
Sam Alba
ba8dbe4b9b registry: Removed checksumPayload from exported fields
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-24 12:40:33 -08:00
Sam Alba
bae6dc35bc registry: Fixed tests
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-24 09:04:27 -08:00
Sam Alba
3bf0ee5e52 registry: Added simple checksums (sha256) for layers
Docker-DCO-1.1-Signed-off-by: Sam Alba <sam@docker.com> (github: samalba)
2014-02-23 18:50:04 -08:00
Jake Moshenko
bac83c7608 Fix registry auth by storing the string passed on the command line, and allowing for credential selection by normalizing on hostname. Also, remove remote ping calls from CmdPush and CmdPull.
Docker-DCO-1.1-Signed-off-by: Jake Moshenko <jake@devtable.com> (github: jakedt)
2014-02-20 18:32:33 -05:00
Michael Crosby
9274def67d Fix login prompt on push and pull because of error message
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-03 11:38:34 -08:00
Roberto G. Hashioka
4fe7a141bf Added missing attributes to api search calls:
- Added an argument to the call() method in order to control the auth sharing
- Enabled it only for search. Pulls and pushes were enabled already.
- Grouped a few variable declarations

Docker-DCO-1.1-Signed-off-by: Roberto Hashioka <roberto.hashioka@docker.com> (github: rogaha)
2014-01-21 04:06:19 +00:00
Michael Crosby
275109a6ad Make sure new repositories can be pushed with multiple tags
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-01-20 13:39:35 -08:00
Victor Vieux
78bc8d7377 move legacy stuff outside the job
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-01-13 16:20:05 -08:00
Michael Crosby
6fc5e50471 Merge pull request #3431 from shin-/ping_standalone_check
Check standalone header when pinging a registry server.
2014-01-07 10:33:07 -08:00
shin-
9bafa726be Fixed registry unit tests 2014-01-06 21:04:44 +01:00
shin-
79e0ed25db Check standalone header when pinging a registry server. Standalone has to be true to use basic auth (in addition to previous requirements) 2014-01-02 17:51:42 +01:00
Victor Vieux
10eeaec70c fix progressbar in docker push 2013-12-20 16:55:41 -08:00
shin-
d2f7d65d71 Don't return req as result of setTokenAuth 2013-12-03 16:32:13 +01:00
shin-
1ff180d1b4 missed one call to setTokenAuth 2013-12-03 16:32:13 +01:00
shin-
0fca0f12f6 Factorized auth token setting 2013-12-03 16:32:13 +01:00
shin-
d4a00ebecb gofmt 2013-12-03 16:32:13 +01:00
shin-
097f41245a Use basic auth for private registries when over HTTPS.
RequestFactory is no longer a singleton (can be different for different instances of Registry)
Registry now has an indexEndpoint member
Registry methods that needed the indexEndpoint parameter no longer do so
Registry methods will only use token auth where applicable if basic auth is not enabled.
2013-12-03 16:32:13 +01:00
Andrews Medina
52a0a052e8 go fmt.
result of `gofmt -w -s .` without vendors.
2013-11-29 22:20:59 -02:00
cressie176
c86cee210f Closing connection after ping 2013-11-29 12:07:20 +00:00
Victor Vieux
2c26420bc4 update docker search to reflect future changes of the api 2013-10-31 19:14:11 -07:00
Victor Vieux
77f6f32704 Removes \\n from debugf calls 2013-10-25 17:50:40 -07:00
Johan Euphrosine
2f94790d67 registry: fix content-type for PushImageJSONIndex 2013-10-22 11:56:48 -07:00
Jonathan Rudenberg
8d77082c92 Fix some error cases where a HTTP body might not be closed
Refs #2126
2013-10-08 15:35:00 -04:00
Ken Cochrane
cbb906e41f fix the error message so it is the same as the regex issue #1999 2013-09-25 11:33:09 -04:00
Michael Crosby
9c366e092d Modify repository name regex to match index 2013-09-19 20:25:00 -07:00
Guillaume J. Charmes
49736d5fc7 Prevent panic upon error pulling registry 2013-09-16 16:18:25 -07:00
Marco Hennings
ee38e49093 Login against private registry
To improve the use of docker with a private registry the login
command is extended with a parameter for the server address.

While implementing i noticed that two problems hindered authentication to a
private registry:

1. the resolve of the authentication did not match during push
   because the looked up key was for example localhost:8080 but
   the stored one would have been https://localhost:8080

   Besides The lookup needs to still work if the https->http fallback
   is used

2. During pull of an image no authentication is sent, which
   means all repositories are expected to be private.

These points are fixed now. The changes are implemented in
a way to be compatible to existing behavior both in the
API as also with the private registry.

Update:

- login does not require the full url any more, you can login
  to the repository prefix:

  example:
  docker logon localhost:8080

Fixed corner corner cases:

- When login is done during pull and push the registry endpoint is used and
  not the central index

- When Remote sends a 401 during pull, it is now correctly delegating to
  CmdLogin

- After a Login is done pull and push are using the newly entered login data,
  and not the previous ones. This one seems to be also broken in master, too.

- Auth config is now transfered in a parameter instead of the body when
  /images/create is called.
2013-09-03 20:45:49 +02:00
shin-
a7b3e7eb78 registry: removing opaqueRequest 2013-08-16 19:33:59 +02:00
Victor Vieux
ecd70a1948 hot fix display in parallel pull and go fmt 2013-08-15 11:42:40 +00:00
Jonathan Rudenberg
e55267bc99 Add GitHub usernames to MAINTAINERS 2013-08-09 21:16:44 -04:00
Michael Crosby
856fce8c2c Merge pull request #1481 from titanous/fix-sprint
Fix typo: fmt.Sprint -> fmt.Sprintf
2013-08-09 17:28:59 -07:00
Jonathan Rudenberg
42b6e56d19 Fix typo: fmt.Sprint -> fmt.Sprintf 2013-08-09 19:52:05 -04:00
Guillaume J. Charmes
3fdac42b99 Merge pull request #1362 from dotcloud/registry_test
* Registry: Registry unit tests + mock registry
2013-08-07 15:30:07 -07:00
Victor Vieux
f1ead19f3f Merge pull request #1406 from dotcloud/1363-reduce_timeout-fix
Reduce connect and read timeout when pinging the registry (fixes issue #1363)
2013-08-06 04:22:44 -07:00
shin-
03c1bbbf65 Adapted tests to latest registry changes 2013-08-05 20:28:05 +02:00
shin-
5ea461f300 Cleanup 2013-08-05 19:07:23 +02:00
shin-
da046e945f Mock access logs don't show up in non-debug mode 2013-08-05 19:06:00 +02:00
shin-
7c3b31e5d4 gofmt 2013-08-05 19:06:00 +02:00
shin-
4d9dcc3cba New registry unit tests remade from scratch, using the mock registry 2013-08-05 19:06:00 +02:00
shin-
93877a859a Mock registry: Fixed a bug where the index validation path would return a 200 status code instead of the expected 204 2013-08-05 19:06:00 +02:00
shin-
04cbff8d35 registry: Fixed a bug where token and cookie info wouldn't be sent when using LookupRemoteImage(). Fixed a bug where no error would be reported when getting a non-200 status code in GetRemoteImageLayer() 2013-08-05 19:05:14 +02:00
Sam Alba
28f0f0ffb8 Disabled test server in the tests 2013-08-05 19:02:57 +02:00
Sam Alba
34fc4b8407 Mocked registry: Added X-Docker-Size when fetching the layer 2013-08-05 19:02:57 +02:00
Sam Alba
3ca4529fbe Fixed mocked registry 2013-08-05 19:02:57 +02:00
Sam Alba
14cc9fcfda Implemented a Mocked version of the Registry server 2013-08-05 19:02:57 +02:00
Victor Vieux
0e12ec253d Merge pull request #1408 from dotcloud/1407-localhost_is_a_domain-fix
Always consider localhost as a domain name when parsing the FQN repos name
2013-08-05 08:50:12 -07:00
Victor Vieux
67be3be855 Merge pull request #1382 from monnand/650-http-utils
650 http utils and user agent field
2013-08-05 08:49:12 -07:00
Sam Alba
fec63826b9 Always consider localhost as a domain name when parsing the FQN repos name 2013-08-04 17:59:12 -07:00
Sam Alba
1fe03a4bf7 Reduce connect and read timeout when pinging the registry (fixes issue #1363) 2013-08-04 17:42:24 -07:00
Michael Crosby
95b4a0c32a Return JSONError for HTTPResponse error 2013-08-03 00:27:58 +00:00
Nan Monnand Deng
762dfbfced reqFactory in Registry 2013-08-02 03:08:08 -04:00
Michael Crosby
11cd5760f9 Return registy status code in error
Added Details map to the JSONMessage
2013-07-30 23:24:31 +00:00
Guillaume J. Charmes
0b59dcfa2d Make sure the index also receives the checksums 2013-07-29 11:30:21 -07:00
Guillaume J. Charmes
1c62adeda7 Handle extra-paremeter within checksum calculations 2013-07-29 11:30:17 -07:00
Guillaume J. Charmes
4a818a5e73 Refactor checksum 2013-07-29 11:30:17 -07:00
Guillaume J. Charmes
64a8dea9d7 Make sure the cookie is used in all registry queries 2013-07-25 12:31:23 -07:00
Nan Monnand Deng
262838e069 Rename: VersionChecker->VersionInfo. 2013-07-23 17:05:13 -04:00
Nan Monnand Deng
5f13f19407 documentation. 2013-07-18 14:22:49 -04:00
Nan Monnand Deng
4b7dbfbcc3 reduce the number of string copy operations. 2013-07-10 18:59:43 -04:00
Nan Monnand Deng
14155d6031 format in the user agent header should follow RFC 2616 2013-07-10 18:59:43 -04:00
Nan Monnand Deng
e9e0d3c1c5 Removed an unnecessary nil assignment 2013-07-10 18:56:49 -04:00
Nan Monnand Deng
6a2aee3043 Removed an unnecessary error check. 2013-07-10 18:56:49 -04:00
Nan Monnand Deng
cf8afcf647 added client's kernel version 2013-07-10 18:56:49 -04:00
Nan Monnand Deng
342460ed9a inserted setUserAgent in each HTTP request 2013-07-10 18:49:01 -04:00
Nan Monnand Deng
2e95c379d1 Added version checker interface 2013-07-10 18:49:01 -04:00
Sam Alba
358574ab57 Hardened repos name validation 2013-07-09 16:46:55 -07:00
Sam Alba
bf8d59a1d4 Fixed potential security issue (never try http on official index when polling the endpoint). Also fixed local repos name when pulling index.docker.io/foo/bar 2013-07-09 11:30:12 -07:00
Sam Alba
67115ec479 fmt.Errorf instead of errors.New 2013-07-05 14:56:56 -07:00
Sam Alba
98060903a9 Fixed ping URL 2013-07-05 14:55:48 -07:00
Sam Alba
16fa043e34 Allowing namespaces in standalone registry 2013-07-05 14:30:43 -07:00
Sam Alba
c6068feffa Restoring old changeset lost by previous merge 2013-07-05 12:37:07 -07:00
Sam Alba
6549d83e08 Merging from master 2013-07-05 12:27:10 -07:00
Sam Alba
ec6d1d6020 Adding support for nicer URLs to support standalone registry (+ some registry code cleaning) 2013-07-05 12:20:58 -07:00
Caleb Spare
7df93a5ab3 Implement several golint suggestions, including:
* Removing type declarations where they're inferred
* Changing Url -> URL, Id -> ID in names
* Fixing snake-case names
2013-07-03 14:36:04 -07:00
Tobias Schwab
7e215123fe fix two obvious bugs??? 2013-07-02 22:11:03 +00:00
Sam Alba
258cbb06c9 Resolve conflict 2013-06-28 12:32:41 -07:00
shin-
03a77bd851 Fixed issue in registry.GetRemoteTags 2013-06-28 18:42:37 +02:00
Guillaume J. Charmes
259eeb382c Remove https prefix from registry 2013-06-28 18:19:58 +02:00
shin-
e1d8d0245f Rolled back of previous commit (skip cert verification) 2013-06-28 18:19:58 +02:00
shin-
dc97156c83 Skip certificate check (don't error out on self-signed certs) 2013-06-28 18:19:58 +02:00
shin-
7a664e6a5f Tentative support for independent registries 2013-06-28 18:19:58 +02:00
Sam Alba
0d85570c9b URL schemes of both Registry and Index are now consistent 2013-06-27 17:55:17 -07:00
Solomon Hykes
580d393d3c Merge branch 'master' into simpler-build-upload
Conflicts:
	api.go
	builder_client.go
	commands.go
2013-06-20 14:19:09 -07:00
Victor Vieux
f60888cc3b rebase master 2013-06-20 13:56:36 +00:00
shin-
3238f3ea49 Use opaque requests when we need to preserve urlencoding in registry requests 2013-06-19 13:49:45 -07:00
Guillaume J. Charmes
7e78627908 hotfix: nil pointer uppon some registry error 2013-06-19 11:08:19 -07:00
Victor Vieux
c7e86e5eab use go 1.1 cookiejar and revome ResetClient 2013-06-17 18:13:40 +00:00
Guillaume J. Charmes
508e152416 Merge branch 'master' into improve_progressbar_pull 2013-06-14 12:01:40 -07:00
Guillaume J. Charmes
95606a4363 Merge branch 'master' into postupload-endpoints-header
Conflicts:
	server.go
2013-06-14 11:50:58 -07:00
shin-
ca71aa4f8d Send X-Docker-Endpoints header when validating the images upload with the index at the end of a push 2013-06-10 11:21:56 -07:00
Guillaume J. Charmes
deddb3c757 Make the progressbar take the image size into consideration 2013-06-06 18:16:16 -07:00
Victor Vieux
55205e23b6 bump to master 2013-06-05 10:23:45 +00:00
Guillaume J. Charmes
e9ef3f43b7 Merge pull request #808 from dotcloud/795-lintify
Cleanup source
2013-06-04 14:20:38 -07:00
Victor Vieux
ead91d946e linted names 2013-06-04 18:00:22 +00:00
Victor Vieux
93c7079f89 fix proxy 2013-06-04 15:44:27 +00:00
Victor Vieux
f9d88d8246 bump to master 2013-06-04 14:00:18 +00:00
Victor Vieux
f085aa4adc drop/omit 2013-06-04 13:51:12 +00:00
Sam Alba
b9e67a8884 Disabled HTTP keep-alive in the default HTTP client for Registry calls 2013-06-03 14:42:21 -07:00
Guillaume J. Charmes
6189c3cb0b Minor changes in registry.go 2013-06-03 12:20:52 -07:00
Sam Alba
fc340ec966 Fixed missing Body.Close when doing some HTTP requests. It should improve some request issues. 2013-06-03 12:14:57 -07:00
Victor Vieux
e6cc4ff646 move auth to the client WIP 2013-05-30 15:39:43 +00:00
Guillaume J. Charmes
e742b3efb6 Merge pull request #739 from dotcloud/push_issue-1
- Registry: Cereate a new registry object for each request (~session)
2013-05-29 09:22:12 -07:00
Solomon Hykes
3e3a7c03ae Documented who decides what and how. 2013-05-28 19:39:09 -07:00
Guillaume J. Charmes
2312a0e491 Cereate a new registry object for each request (~session) 2013-05-28 17:12:24 -07:00
Victor Vieux
6bd45ee686 fix docker login when same username 2013-05-24 14:23:43 +00:00
Guillaume J. Charmes
9373c8e459 Update Push to reflect the correct API 2013-05-16 14:33:29 -07:00
Guillaume J. Charmes
40ccd26d82 Remove hijack from api when not necessary 2013-05-16 12:09:06 -07:00
Guillaume J. Charmes
c8c892fec4 Disable registry unit tests 2013-05-15 17:57:53 -07:00
Guillaume J. Charmes
5e6d1a0d56 Update tests to reflect new AuthConfig 2013-05-15 17:31:11 -07:00
Guillaume J. Charmes
0933aa4424 Move authConfig from runtime to registry 2013-05-15 17:17:33 -07:00
Guillaume J. Charmes
4a0228fd8e Allow to change login 2013-05-15 13:39:24 -07:00
Guillaume J. Charmes
a82a6bfdff Upload images only when necessary 2013-05-15 13:22:57 -07:00
Guillaume J. Charmes
ffa1e56748 Move httpClient within registry object 2013-05-15 19:22:08 +00:00
Guillaume J. Charmes
b5d8930631 Remove stdout from registry 2013-05-15 18:50:52 +00:00
Guillaume J. Charmes
a2e94b289c Refactor registry Push 2013-05-15 18:30:40 +00:00
Guillaume J. Charmes
1b23cb09da Begin to implement push with new project structure 2013-05-15 03:27:15 +00:00
Guillaume J. Charmes
36b58e5abf Split registry into subpackage 2013-05-15 01:41:39 +00:00