Commit graph

369 commits

Author SHA1 Message Date
Derek McGowan
4bf6791328 Update auth client configuration to use proper tls config
Currently the http clients used by auth use the default tls config.  The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-18 14:52:49 -07:00
Zhang Wei
7d4c1d1e97 print detailed error info for docker pull
When docker push get response with unknown HTTP status, docker daemon
print:
"Error: Status XXX trying to push repository XXX: XXX"
But when docker pull meets response with unknown status code, it gives:
"HTTP code: XXX"

This commit helps docker pull print more detailed error info like push
does, so push and pull can behave consistently when error happens.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2015-03-18 11:35:44 +08:00
Arnaud Porterie
606d538448 Merge pull request #11118 from shishir-a412ed/restriction_username_length
Docker Tag command: Relax the restriction on namespace (username) length from 30 to 255 characters.
2015-03-17 09:41:12 -07:00
Andy Goldstein
4b813b3847 Add ability to refer to image by name + digest
Add ability to refer to an image by repository name and digest using the
format repository@digest. Works for pull, push, run, build, and rmi.

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2015-03-17 10:10:42 +00:00
Derek McGowan
1d6ccc1b72 Quote registry error strings
Currently when registry error strings contain new line characters only the last line is displayed to the client. Quote the string to ensure the client can see the entire body value.

fixes #11346

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-16 15:32:47 -07:00
Derek McGowan
9879aefa81 Use request factory for registry ping
Currently when the registry ping is sent, it creates the request directly from http.NewRequest instead of from the http request factory. The request factory adds useful header information such as user agent which is needed by the registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-16 14:21:00 -07:00
Shishir Mahajan
dc4e9c6e90 Docker Tag command: Relax the restriction on namespace (username) length from 30 to 255 characters.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-03-14 16:45:44 -04:00
Tibor Vass
c5c507bb14 Merge pull request #10423 from dmcgowan/v2-registry-fix-single-names
Allow single name component repository names
2015-03-09 15:40:22 -04:00
Arnaud Porterie
7a35d98c5e Remove subdirectories MAINTAINERS files
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-03-06 18:21:51 -08:00
Derek McGowan
99401d7290 Allow single name component repository names
Private registries should support having images pushed with only a single name component (e.g. localhost:5000/myapp).
The public registry currently requires two name components, but this is already enforced in the registry code.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-03-06 18:18:53 -08:00
Arnaud Porterie
ea431d9e40 Merge pull request #10425 from dmcgowan/registry-maintainers
Add distribution maintainers to maintainers files
2015-03-06 17:37:12 -08:00
Rik Nijessen
d3ad1c3cbb Rename package timeout to timeoutconn.
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 20:52:37 +01:00
Rik Nijessen
ec7ed3eefd Move TimeoutConn to seperate pkg dir.
Fixes #10965
Signed-off-by: Rik Nijessen <riknijessen@gmail.com>
2015-02-25 17:09:47 +01:00
Srini Brahmaroutu
2867d39cd9 Removing -X flag option and autogenerated code to create Dockerversion.go functionality
Addresses #9207

Signed-off-by: Srini Brahmaroutu <srbrahma@us.ibm.com>
2015-02-20 05:40:12 +00:00
Doug Davis
92de07cee0 Pretty the help text
This modifies the "docker help" text so that it is no wider than 80 chars
and each description fits on one line. This will also try to use ~ when
possible

Added a test to make sure we don't go over 80 chars again.
Added a test to make sure we use ~

Applied rules/tests to all docker commands - not just main help text

Closes #10214

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-02-04 07:59:16 -08:00
Arnaud Porterie
c5cec5f439 Merge pull request #10477 from liusdu/liusdu_typo
delete duplicated word in registry/session.go
2015-02-03 14:38:47 -08:00
Alexander Morozov
3790b5d6b4 Fix some go vet errors
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-02-02 14:53:20 -08:00
Arnaud Porterie
bdbb90e01f Merge pull request #10472 from jlhawn/handle_mux_route_url_bug
Handle gorilla/mux route url bug
2015-01-31 19:52:51 -08:00
Josh Hawn
63af81b883 Fix token basic auth header issue
When requesting a token, the basic auth header is always being set even
if there is no username value. This patch corrects this and does not set
the basic auth header if the username is empty.

Also fixes an issue where pulling all tags from a v2 registry succeeds
when the image does not actually exist on the registry.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-31 15:12:34 -08:00
Josh Hawn
050337b257 Handle gorilla/mux route url bug
When getting the URL from a v2 registry url builder, it does not
honor the scheme from the endpoint object and will cause an https
endpoint to return urls starting with http.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-31 12:54:57 -08:00
Liu Hua
5589ce8b8a delete duplicated word in registry/session.go
Signed-off-by: Liu Hua <sdu.liu@huawei.com>
2015-01-31 20:15:59 +08:00
Derek McGowan
9dc3529dfe Add distribution maintainers to maintainers files
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-28 16:30:00 -08:00
Stephen J Day
0818476cb1 Open up v2 http status code checks for put and head checks
Under certain cases, such as when putting a manifest or check for the existence
of a layer, the status code checks in session_v2.go were too narrow for their
purpose. In the case of putting a manifest, the handler only cares that an
error is not returned. Whether it is a 304 or 202 does not matter, as long as
the server reports success. Having the client only accept specific http codes
inhibits future protocol evolution.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-27 18:09:53 -08:00
Jessie Frazelle
b7db855fc6 Merge pull request #10249 from jlhawn/distribution_version_header_10247
Split API Version header when checking for v2
2015-01-27 11:48:42 -08:00
Derek McGowan
d96d4aa9f0 Better error messaging and logging for v2 registry requests
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-26 14:00:51 -08:00
Derek McGowan
41703e2bb7 Fix write after close on http response
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-21 15:14:01 -08:00
Josh Hawn
6a736c20f0 Split API Version header when checking for v2
Since the Docker-Distribution-API-Version header value may contain multiple
space delimited versions as well as many instances of the header key, the
header value is now split on whitespace characters to iterate over all versions
that may be listed in one instance of the header.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-21 15:08:32 -08:00
Josh Hawn
1c7271129b Resolve ambiguity on registry v2 ping
v2 ping now checks for a Docker-Distribution-API-Version
header that identifies the endpoint as "registry/2.0"

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-20 19:52:08 -08:00
Jessie Frazelle
35bb812cee Merge pull request #9784 from dmcgowan/v2-registry
Client Support for Docker Registry HTTP API V2
2015-01-19 10:46:38 -08:00
Brian Goff
4eaf644321 Make .dockercfg with json.MarshallIndent
Fixes #10129
Makes the .dockercfg more human parsable.

Also cleaned up the (technically) racey login test.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-01-17 07:05:56 -05:00
Derek McGowan
9c24fc93ad Add token cache
Token cache prevents the need to get a new token for every registry interaction.
Since the tokens are short lived, the cache expires after only a minute.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
5bf94a6438 Cleanup v2 session to require endpoint
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
735a112415 Fix list tags
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Derek McGowan
e5744a3bad Refactor from feedback
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:06 -08:00
Josh Hawn
826bde851b Add Tarsum Calculation during v2 Pull operation
While the v2 pull operation is writing the body of the layer blob to disk
it now computes the tarsum checksum of the archive before extracting it to
the backend storage driver. If the checksum does not match that from the
image manifest an error is raised.

Also adds more debug logging to the pull operation and fixes existing test
cases which were failing. Adds a reverse lookup constructor to the tarsum
package so that you can get a tarsum object using a checksum label.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Stephen J Day
6f09abd5c9 Correctly check and propagate errors in v2 session
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Derek McGowan
22c7328529 Get token on each request
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
6f36ce3a01 Allow private V2 registry endpoints
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Derek McGowan
751a1a8dd0 Update push and pull to registry 2.1 specification
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2015-01-15 14:05:05 -08:00
Stephen J Day
ee1e1abb15 Remove dependencies on registry packages
Because docker core cannot vendor non-master Go dependencies, we need to remove
dependencies on registry package. The definition of digest.Digest has been
changed to a string and the regular expressions have been ported from
docker-registry/common library.

We'll likely change this be dependent on the registry in the future when the
API stabilizies and use of the master branch becomes the norm.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Stephen J Day
2fcad2a10f Registry V2 HTTP route and error code definitions
This package, ported from next-generation docker regsitry, includes route and
error definitions. These facilitate compliant V2 client implementation. The
portions of the HTTP API that are included in this package are considered to be
locked down and should only be changed through a careful change proposal.
Descriptor definitions package layout may change without affecting API behavior
until the exported Go API is ready to be locked down.

When the new registry stabilizes and becomes the master branch, this package
can be vendored from the registry.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-15 14:05:05 -08:00
Josh Hawn
e256a0e0bc Update token response handling
Registry authorization token is now taken from the response body rather than
the repsonse header.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:05:05 -08:00
Derek McGowan
24895820bd Update push to use mount blob endpoint
Using mount blob prevents repushing images which have already been uploaded

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Derek McGowan
06d0ef4179 Push flow
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-01-15 14:05:05 -08:00
Josh Hawn
6b400cd63c Adds support for v2 registry login
summary of changes:

registry/auth.go
  - More logging around the login functions
  - split Login() out to handle different code paths for v1 (unchanged logic)
    and v2 (does not currently do account creation)
  - handling for either basic or token based login attempts
registry/authchallenge.go
  - New File
  - credit to Brian Bland <brian.bland@docker.com> (github: BrianBland)
  - handles parsing of WWW-Authenticate response headers
registry/endpoint.go
  - EVEN MOAR LOGGING
  - Many edits throught to make the coad less dense. Sparse code is more
    readable code.
  - slit Ping() out to handle different code paths for v1 (unchanged logic)
    and v2.
  - Updated Endpoint struct type to include an entry for authorization
    challenges discovered during ping of a v2 registry.
  - If registry endpoint version is unknown, v2 code path is first attempted,
    then fallback to v1 upon failure.
registry/service.go
  - STILL MOAR LOGGING
  - simplified the logic around starting the 'auth' job.
registry/session.go
  - updated use of a registry.Endpoint struct field.
registry/token.go
  - New File
  - Handles getting token from the parameters of a token auth challenge.
  - Modified from function written by Brian Bland (see above credit).
registry/types.go
  - Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'`

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2015-01-15 14:04:14 -08:00
Alexander Morozov
1f98347924 Fix format calls as suggested by vet
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-14 14:12:03 -08:00
Qiang Huang
23f9f8c3f4 registry: fix minor type
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-09 09:06:27 +08:00
Don Kjer
c899a49a95 Moving NewIndexInfo, NewRepositoryInfo and associated helpers into config.go
Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:15:00 +00:00
Don Kjer
64b000c3ea Deprecating ResolveRepositoryName
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository

Moving --registry-mirror configuration to registry config

Created resolve_repository job

Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.

Adding test for RepositoryInfo

Adding tests for opts.StringSetOpts and registry.ValidateMirror

Fixing search term use of repoInfo

Adding integration tests for registry mirror configuration

Normalizing LookupImage image name to match LocalName parsing rules

Normalizing repository LocalName to avoid multiple references to an official image

Removing errorOut use in tests

Removing TODO comment

gofmt changes

golint comments cleanup.  renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig

Splitting out builtins.Registry and registry.NewService calls

Stray whitespace cleanup

Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test

Factoring out ValidateRepositoryName from NewRepositoryInfo

Removing unused IndexServerURL

Allowing json marshaling of ServiceConfig.  Exposing ServiceConfig in /info

Switching to CamelCase for json marshaling

PR cleanup; removing 'Is' prefix from boolean members.  Removing unneeded json tags.

Removing non-cleanup related fix for 'localhost:[port]' in splitReposName

Merge fixes for gh9735

Fixing integration test

Reapplying #9754

Adding comment on config.IndexConfigs use from isSecureIndex

Remove unused error return value from isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

Adding back comment in isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-01-08 20:14:58 +00:00
Matthew Riley
eb9ddb7b86 Allow hyphens in namespaces.
Signed-off-by: Matthew Riley <mattdr@google.com>
2015-01-05 11:06:16 -08:00
Tibor Vass
4170effd5a registry: remove accidentally added --insecure-registry feature
If `--insecure-registry mydomain.com` was specified, it would match a registry at mydomain.com on any port.
This was accidentally added in #9735 and is now being reverted.

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-19 16:46:29 -05:00
Tibor Vass
d1fcbd9028 registry: handle unresolvable domain names in isSecure
to allow HTTP proxies to work as expected.

Fixes #9708

Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Tibor Vass
807bb5eb18 registry: add tests for unresolvable domain names in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-12-18 19:16:55 -05:00
Daehyeok Mun
b11b1e06e9 Chnage LookupRemoteImage to return error
This commit is patch for following comment
// TODO: This method should return the errors instead of masking them and returning false

Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-16 16:23:19 -08:00
unclejack
fdd4f4f2d1 validate image ID properly & before load
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>

Conflicts:
	graph/load.go
2014-12-11 16:29:27 -05:00
Michael Crosby
6ad54e3df6 Refactor put image function's redirect loop
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 18:11:27 -08:00
Michael Crosby
3911c8b8dc Prevent loop with var overshadowing
Incase of a 3xx redirect the var was being overshowed and ever changed
causing an infinite loop.

Fixes #9480

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-12-10 17:43:21 -08:00
Vaidas Jablonskis
df85a0f700 registry: fix ServerAddress setting
This ensures that ServerAddress is set, while previously it was getting
set after configFile.Configs.

Signed-off-by: Vaidas Jablonskis <jablonskis@gmail.com>
2014-11-24 18:26:41 +00:00
Tibor Vass
ae0ebb9d07 Add the possibility of specifying a subnet for --insecure-registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-14 12:31:11 -08:00
Tibor Vass
f0920e61bf registry: parse INDEXSERVERADDRESS into a URL for easier check in isSecure
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-13 07:02:24 -08:00
Tibor Vass
cca910e878 Put mock registry address in insecureRegistries for unit tests
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Tibor Vass
80255ff224 registry: refactor registry.IsSecure calls into registry.NewEndpoint
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-11-12 20:34:03 -06:00
Erik Hollensbe
524aa8b1a6 registry: always treat 127.0.0.1 as insecure for all cases anytime anywhere
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-11-12 12:14:43 -08:00
Johan Euphrosine
8582d04393 registry: default --insecure-registry to localhost and 127.0.0.1
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-12 09:12:42 -08:00
Tibor Vass
c00cd583e9 Merge pull request #9095 from proppy/is-secure-test
registry: add tests for IsSecure
2014-11-11 16:52:36 -05:00
Johan Euphrosine
cd246befe2 registry: add tests for IsSecure
Signed-off-by: Johan Euphrosine <proppy@google.com>
2014-11-11 11:02:32 -08:00
Vincent Batts
7dd4199fe8 registry: don't iterate through certs
the golang tls.Conn does a fine job of that.
http://golang.org/src/pkg/crypto/tls/handshake_client.go?#L334

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-11-04 16:12:23 -05:00
Tibor Vass
47a494e0fd Fix login command
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-10-30 19:44:44 -04:00
Tibor Vass
1b72e0234e Do not verify certificate when using --insecure-registry on an HTTPS registry
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Conflicts:
	registry/registry.go
	registry/registry_test.go
	registry/service.go
	registry/session.go

Conflicts:
	registry/endpoint.go
	registry/registry.go
2014-10-30 19:44:09 -04:00
Michael Crosby
552c17d618 Don't hard code true for auth job
Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	registry/service.go
2014-10-30 19:41:55 -04:00
Michael Crosby
50e11c9d8e Refactor IsSecure change
Fix issue with restoring the tag store and setting static configuration
from the daemon. i.e. the field on the TagStore struct must be made
internal or the json.Unmarshal in restore will overwrite the insecure
registries to be an empty struct.

Signed-off-by: Michael Crosby <michael@docker.com>

Conflicts:
	graph/pull.go
	graph/push.go
	graph/tags.go
2014-10-30 19:41:55 -04:00
unclejack
034c1cfb9d make http usage for registry explicit
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)

Conflicts:
	daemon/config.go
	daemon/daemon.go
	graph/pull.go
	graph/push.go
	graph/tags.go
	registry/registry.go
	registry/service.go
2014-10-30 19:41:55 -04:00
Victor Vieux
5685221c5f Merge pull request #8387 from vbatts/vbatts-registry_test_enpoint
registry/endpoint: make it testable
2014-10-29 13:36:17 -07:00
Jessie Frazelle
21ba3078b6 Merge pull request #8669 from monsterzz/8668-dualstack-registry
Use dual-stack Dialer when talking to registy
2014-10-29 12:03:12 -07:00
Jessica Frazelle
22f87eb9be Fix error on successful login.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-28 17:42:03 -07:00
Igor Dolzhikov
1a8edd0d55 excluding unused transformation to []byte
Signed-off-by: Igor Dolzhikov <bluesriverz@gmail.com>
2014-10-28 01:04:36 +06:00
Alexandr Morozov
0827b71157 Mass gofmt
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:11:48 -07:00
Alexandr Morozov
32654af8b6 Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Vincent Batts
bcbb7e0c41 registry/endpoint: make it testable
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-24 16:27:17 -04:00
Tibor Vass
d81951fffa Merge pull request #8423 from unclejack/lint_changes
lint changes part 1
2014-10-21 12:15:58 -04:00
Gleb M Borisov
ef57ab120c Use dual-stack Dialer when talking to registy
Signed-off-by: Gleb M. Borisov <borisov.gleb@gmail.com>
2014-10-21 03:59:11 +04:00
Dan Walsh
3a6fe4c5c9 On Red Hat Registry Servers we return 404 on certification errors.
We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.

According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."

https://www.ietf.org/rfc/rfc2616.txt

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity.  If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI. No
   indication is given of whether the condition is temporary or
   permanent. The 410 (Gone) status code SHOULD be used if the server
   knows, through some internally configurable mechanism, that an old
   resource is permanently unavailable and has no forwarding address.
   This status code is commonly used when the server does not wish to
   reveal exactly why the request has been refused, or when no other
   response is applicable.

When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-10-20 13:20:48 -04:00
Daniel, Dao Quang Minh
20867c3b1f Avoid fallback to SSL protocols < TLS1.0
Signed-off-by: Tibor Vass <teabee89@gmail.com>

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-10-15 22:39:51 -04:00
Derek McGowan
479ed10e61 Support tarsum dev version to fix issue with mtime
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
1538e42d56 Update manifest format to rename blobsums and use arrays of dictionaries
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:29 -07:00
Derek McGowan
f290f44632 Use direct registry url
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-10 16:04:28 -07:00
unclejack
7bfdb6d495 registry: lint
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-10-06 22:34:39 +03:00
Derek McGowan
c47aa21c35 Add comment for permission and fix wrong format variable
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-02 17:41:57 -07:00
Derek McGowan
b7f7b0a2c9 Add provenance pull flow for official images
Add support for pulling signed images from a version 2 registry.
Only official images within the library namespace will be pull from the
new registry and check the build signature.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2014-10-01 18:26:06 -07:00
Vincent Batts
d629bebce2 registry: getting Endpoint ironned out
Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-10-01 13:19:40 -07:00
Tibor Vass
48b43c2645 Replace get.docker.io -> get.docker.com and test.docker.io -> test.docker.com
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-09-24 18:53:27 -04:00
Phil Estes
b7da79fd14 Refactor all pre-compiled regexp to package level vars
Addresses #8057

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2014-09-16 12:57:44 -04:00
Vincent Batts
898bcf0f5d TarSum: versioning
This introduces Versions for TarSum checksums.
Fixes: https://github.com/docker/docker/issues/7526

It preserves current functionality and abstracts the interface for
future flexibility of hashing algorithms. As a POC, the VersionDev
Tarsum does not include the mtime in the checksum calculation, and would
solve https://github.com/docker/docker/issues/7387 though this is not a
settled Version is subject to change until a version number is assigned.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-09-10 15:41:52 -04:00
Jessie Frazelle
8440052689 Merge pull request #7862 from Gandi/bugfixes/segfault-registry-session
Fix SEGFAULT if dns resolv error
2014-09-08 11:38:34 -07:00
Michael Crosby
5e47333091 Merge pull request #7609 from ewindisch/max_imgname
Restrict length of repository names
2014-09-08 11:06:54 -07:00
Arthur Gautier
eaf57e8f55 Fix SEGFAULT if dns resolv error
Per registry.doRequest, res and client might be nil in case of error
For example, dns resolution errors, /etc/docker/certs.d perms, failed
loading of x509 cert ...
This will make res.StatusCode and res.Body SEGFAULT.

Signed-off-by: Arthur Gautier <baloo@gandi.net>
2014-09-05 13:40:06 +02:00
unclejack
2c78019539 registry/session: fix panic in GetRemoteImageLayer
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-09-03 17:26:56 +03:00
Eric Windisch
307e253d33 Restrict repository names from matching hexadecimal strings
To avoid conflicting with layer IDs, repository names must
not be tagged with names that collide with hexadecimal strings.

Signed-off-by: Eric Windisch <eric@windisch.us>
2014-08-27 13:46:10 -04:00
Michael Crosby
48096dad19 Merge pull request #7740 from LK4D4/registry_style
Style fixes for registry/registry.go
2014-08-26 18:02:11 -07:00
Alexandr Morozov
27e0ec3d58 Style fixes for registry/registry.go
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-26 12:28:40 +04:00
Erik Hollensbe
4d8f45a94d fix return values in registry mock service
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-25 10:29:38 -07:00
Daniel Menet
283fba4821 Expand hostname before passing it to NewRegistry()
Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:25:46 +02:00
Daniel Menet
744919be3d Enable docker search on private docker registry.
The cli interface works similar to other registry related commands:

  docker search foo

... searches for foo on the official hub

  docker search localhost:5000/foo

... does the same for the private reg at localhost:5000

Signed-off-by: Daniel Menet <membership@sontags.ch>
2014-08-16 14:24:32 +02:00
Erik Hollensbe
94ff3f3e4d move utils.Fataler to pkg/log.Fataler
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-13 15:32:41 -07:00
Josiah Kiehl
2a7cf96c8f Extract log utils into pkg/log
Docker-DCO-1.1-Signed-off-by: Josiah Kiehl <josiah@capoferro.net> (github: capoferro)
2014-08-13 15:18:15 -07:00
Vincent Batts
7ef3a5bc73 registry.Registry -> registry.Session
renaming this struct to more clearly be session, as that is what it
handles.

Splitting out files for easier readability.

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-08-13 09:27:43 -04:00
Tibor Vass
2ccfaf1484 Merge pull request #7324 from erikh/move_tarsum
Move tarsum to pkg/
2014-07-31 16:56:24 -04:00
Erik Hollensbe
47261aa8cf Remove CheckSum from utils; replace with a TeeReader
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 11:23:43 -07:00
Erik Hollensbe
7f2dca77d4 utils/tarsum* -> pkg/tarsum
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-30 06:42:12 -07:00
Erik Hollensbe
052128c4fc Move parsing functions to pkg/parsers and the specific kernel handling
functions to pkg/parsers/kernel, and parsing filters to
pkg/parsers/filter. Adjust imports and package references.

Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-07-29 13:09:10 -07:00
unclejack
775ca3caa3 move resumablerequestreader to pkg
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-29 16:30:45 +03:00
Victor Vieux
822f8c1b52 update go import path and libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:19:50 +00:00
2ff0ef4407 Merge pull request #6727 from unclejack/improve_bytes_range
Improve layer downloading
2014-07-23 15:31:25 -04:00
Michael Crosby
f946208721 Merge pull request #7146 from dmp42/master
Joining registry maintainers
2014-07-21 17:02:52 -07:00
Olivier Gambier
6365d94ef4 Joining registry maintainers
Docker-DCO-1.1-Signed-off-by: Olivier Gambier <olivier@docker.com> (github: dmp42)
2014-07-22 01:50:32 +02:00
c9bcc63cc7 Merge pull request #7050 from Aigeruth/fix/push_image_layer_registry_content_type
Add Content-Type header in PushImageLayerRegistry
2014-07-21 15:07:01 -04:00
unclejack
78a499ac67 get layer: remove HEAD req & pass down response
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-21 20:21:18 +03:00
Solomon Hykes
bc35ac4afd Merge pull request #3070 from alexlarsson/certificates 2014-07-18 18:27:00 -07:00
Gabor Nagy
19b4616baa Add Content-Type header in PushImageLayerRegistry
Docker-DCO-1.1-Signed-off-by: Gabor Nagy <mail@aigeruth.hu> (github: Aigeruth)
2014-07-16 12:23:25 +02:00
LK4D4
7cd8de1329 Fix go vet errors
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-18 17:39:57 +00:00
Alexander Larsson
d95235cc50 Add support for client certificates for registries
This lets you specify custom client TLS certificates and CA root for a
specific registry hostname. Docker will then verify the registry
against the CA and present the client cert when talking to that
registry.  This allows the registry to verify that the client has a
proper key, indicating that the client is allowed to access the
images.

A custom cert is configured by creating a directory in
/etc/docker/certs.d with the same name as the registry hostname. Inside
this directory all *.crt files are added as CA Roots (if none exists,
the system default is used) and pair of files <filename>.key and
<filename>.cert indicate a custom certificate to present to the registry.

If there are multiple certificates each one will be tried in
alphabetical order, proceeding to the next if we get a 403 of 5xx
response.

So, an example setup would be:
/etc/docker/certs.d/
└── localhost
    ├── client.cert
    ├── client.key
    └── localhost.crt

A simple way to test this setup is to use an apache server to host a
registry. Just copy a registry tree into the apache root, here is an
example one containing the busybox image:
  http://people.gnome.org/~alexl/v1.tar.gz

Then add this conf file as /etc/httpd/conf.d/registry.conf:

 # This must be in the root context, otherwise it causes a re-negotiation
 # which is not supported by the tls implementation in go
 SSLVerifyClient optional_no_ca

 <Location /v1>
 Action cert-protected /cgi-bin/cert.cgi
 SetHandler cert-protected

 Header set x-docker-registry-version "0.6.2"
 SetEnvIf Host (.*) custom_host=$1
 Header set X-Docker-Endpoints "%{custom_host}e"
 </Location>

And this as /var/www/cgi-bin/cert.cgi

 #!/bin/bash
 if [ "$HTTPS" != "on" ]; then
     echo "Status: 403 Not using SSL"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then
     echo "Status: 403 Client certificate invalid"
     echo "x-docker-registry-version: 0.6.2"
     echo
     exit 0
 fi
 echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)"
 echo "x-docker-registry-version: 0.6.2"
 echo "X-Docker-Endpoints: $SERVER_NAME"
 echo "X-Docker-Size: 0"
 echo

 cat $PATH_TRANSLATED

This will return 403 for all accessed to /v1 unless *any* client cert
is presented. Obviously a real implementation would verify more details
about the certificate.

Example client certs can be generated with:

openssl genrsa -out client.key 1024
openssl req -new -x509 -text -key client.key -out client.cert

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-06-13 11:13:18 +02:00
Brandon Philips
46cc7603d4 registry: remove unneeded time.Duration()
These constants don't need to use time.Duration(). Fixup this file since
it seems to be the only one using this style.

Docker-DCO-1.1-Signed-off-by: Brandon Philips <brandon.philips@coreos.com> (github: philips)
2014-06-08 11:04:06 -07:00
Victor Vieux
4ec6e68e04 Disable timeout for push
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 23:48:25 +00:00
Victor Vieux
5cef006c5a improve trusted location detection
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 21:17:56 +00:00
Victor Vieux
8e8ffacf49 only forward auth to trusted locations
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 19:47:33 +00:00
Victor Vieux
0ac3b3981f Add redirect and env proxy support to docker login
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-03 00:46:06 +00:00
unclejack
96412d40fd resume pulling the layer on disconnect
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-06-02 21:41:22 +03:00
Derek
3a21f339f1 Use Timeout Conn wrapper to set read deadline for downloading layer
Docker-DCO-1.1-Signed-off-by: Derek <crq@kernel.org> (github: crquan)
2014-05-27 22:50:04 -07:00
Vincent Batts
a9a754dad1 registry: adding vbatts to the MAINTAINERS
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-05-06 14:31:47 -04:00
Victor Vieux
335cdaba6f Merge pull request #5600 from unclejack/sha512_registry_support
import sha512 to make sha512 ssl certs work
2014-05-05 15:27:11 -07:00
unclejack
f293adf7f9 import sha512 to make sha512 ssl certs work
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-05-05 20:29:20 +03:00
Solomon Hykes
bbebff75b6 Move 'search' to the registry subsystem
This continues the effort to separate all registry logic from the
deprecated `Server` object.

* 'search' is exposed by `github.com/dotcloud/docker/registry/Service`
* Added proper documentation of Search while I was at it

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:32 +00:00
Solomon Hykes
8934560bbc Move 'auth' to the registry subsystem
This is the first step towards separating the registry subsystem from
the deprecated `Server` object.

* New service `github.com/dotcloud/docker/registry/Service`
* The service is installed by default in `builtins`
* The service only exposes `auth` for now...
* ...Soon to be followed by `pull`, `push` and `search`.

Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-03 00:37:06 +00:00
Michael Crosby
3e064ac71c Use proper scheme with static registry
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 02:01:07 -07:00
Victor Vieux
c914523873 Merge pull request #4607 from vbatts/vbatts-static_registry
static registry support
2014-04-29 11:22:44 -07:00
unclejack
c9a32099ae Merge pull request #5199 from shin-/registry_mirrors_support
Added support for multiple endpoints in X-Docker-Endpoints header
2014-04-28 17:56:57 +03:00
Vincent Batts
2b89f57964 static_registry: update the test for the new struct
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-04-25 20:01:25 -04:00
shin-
52893cae73 Added support for multiple endpoints in X-Docker-Endpoints header
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-18 17:42:54 +02:00
Victor Vieux
4bc3522500 allow dot in repo name
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-14 23:15:38 +00:00
shin-
dbb9296531 Added specific error message when hitting 401 over HTTP on push
Docker-DCO-1.1-Signed-off-by: Joffrey F <joffrey@docker.com> (github: shin-)
2014-04-08 17:07:29 +02:00
Sam Alba
4f29181d9b Payload checksum now match the checksum simple
Backported for backward compatibility.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 18:31:15 -07:00
Sam Alba
d2b2bf0393 Inverted layer checksum and tarsum.
The checksum of the payload has to be computed on the Gzip'ed content.

Docker-DCO-1.1-Signed-off-by: Sam Alba <sam.alba@gmail.com> (github: samalba)
2014-03-31 17:56:25 -07:00
Ryan Thomas
50ec0bbd4e Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-28 06:31:04 +11:00
Ryan Thomas
fffa920a89 Docker-DCO-1.1-Signed-off-by: Ryan Thomas <rthomas@atlassian.com> (github: rthomas) 2014-03-25 14:45:11 +11:00
Djibril Koné
9bad706a1f Harmonize / across all name-related commands/Validate images names
Docker-DCO-1.1-Signed-off-by: Djibril Koné <kone.djibril@gmail.com> (github: enokd)
2014-03-21 00:40:58 +01:00
Victor Vieux
47c4e542ba use mock for search
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-03-13 17:40:34 +00:00
Vincent Batts
c18c4b8d3c registry: Info collection
roll version and standalone information into the _ping. And to support
Headers they are checked after the JSON is loaded (if there is anything
to load). To stay backwards compatible, if the _ping contents are not
able to unmarshal to RegistryInfo, do not stop, but continue with the
same behavior.

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 23:36:51 -04:00
Vincent Batts
471d923b1b registry: make certain headers optional
For a pull-only, static registry, there only a couple of headers that
need to be optional (that are presently required.
* X-Docker-Registry-Version
* X-Docker-Size
* X-Docker-Endpoints

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-11 10:08:44 -04:00
Guillaume J. Charmes
f6fefb0bc1 Merge auth package within registry
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-03-10 17:16:58 -07:00
Fabio Falci
1c101d006b Remove manual http cookie management
Since docker uses cookiejar it doesn't need to manage cookies manually
anymore.
Managing cookie was duplicating it.

Docker-DCO-1.1-Signed-off-by: Fabio Falci <fabiofalci@gmail.com> (github: fabiofalci)
2014-03-09 02:25:19 +00:00