diff --git a/docs/Dockerfile b/docs/Dockerfile
index 44128086..fcc63422 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -1,18 +1,9 @@
-FROM docs/base:latest
-MAINTAINER Mary Anthony (@moxiegirl)
-
-RUN svn checkout https://github.com/docker/docker/trunk/docs /docs/content/engine
-RUN svn checkout https://github.com/docker/compose/trunk/docs /docs/content/compose
-RUN svn checkout https://github.com/docker/swarm/trunk/docs /docs/content/swarm
-RUN svn checkout https://github.com/docker/machine/trunk/docs /docs/content/machine
-RUN svn checkout https://github.com/docker/notary/trunk/docs /docs/content/notary
-RUN svn checkout https://github.com/docker/kitematic/trunk/docs /docs/content/kitematic
-RUN svn checkout https://github.com/docker/toolbox/trunk/docs /docs/content/toolbox
-RUN svn checkout https://github.com/docker/opensource/trunk/docs /docs/content/opensource
+FROM docs/base:oss
+MAINTAINER Docker Docs
 ENV PROJECT=registry
 # To get the git info for this repo
 COPY . /src
-
+RUN rm -rf /docs/content/$PROJECT/
 COPY . /docs/content/$PROJECT/
diff --git a/docs/Makefile b/docs/Makefile
index 021e8f6e..585bc871 100644
--- a/docs/Makefile
+++ b/docs/Makefile
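Review bot: `FROM docs/base:oss` still pulls a mutable tag, so the image content depends on whatever `docs/base:oss` points to at build time; moving from `latest` to `oss` names a channel but does not pin it. If the built docs are published, consider pinning by digest and bumping it deliberately, e.g. `FROM docs/base:oss@sha256:<digest-of-reviewed-image>` (placeholder). The two `COPY . …` lines send the whole build context into the image twice, and no `.dockerignore` is visible here, so it is worth confirming that nothing sensitive (local env files, credentials) sits under `docs/`. `RUN rm -rf /docs/content/$PROJECT/` relies on `PROJECT` being non-empty; writing it as `RUN rm -rf "/docs/content/${PROJECT:?}/"` makes the step fail instead of clearing `/docs/content/` if the `ENV` line is ever dropped.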
@@ -1,17 +1,4 @@ -.PHONY: all binary build cross default docs docs-build docs-shell shell test test-unit test-integration test-integration-cli test-docker-py validate - -# env vars passed through directly to Docker's build scripts -# to allow things like `make DOCKER_CLIENTONLY=1 binary` easily -# `docs/sources/contributing/devenvironment.md ` and `project/PACKAGERS.md` have some limited documentation of some of these -DOCKER_ENVS := \ - -e BUILDFLAGS \ - -e DOCKER_CLIENTONLY \ - -e DOCKER_EXECDRIVER \ - -e DOCKER_GRAPHDRIVER \ - -e TESTDIRS \ - -e TESTFLAGS \ - -e TIMEOUT -# note: we _cannot_ add "-e DOCKER_BUILDTAGS" here because even if it's unset in the shell, that would shadow the "ENV DOCKER_BUILDTAGS" set in our Dockerfile, which is very important for our official builds +.PHONY: all default docs docs-build docs-shell shell test # to allow `make DOCSDIR=docs docs-shell` (to create a bind mount in docs) DOCS_MOUNT := $(if $(DOCSDIR),-v $(CURDIR)/$(DOCSDIR):/$(DOCSDIR)) @@ -25,9 +12,8 @@ HUGO_BASE_URL=$(shell test -z "$(DOCKER_IP)" && echo localhost || echo "$(DOCKER HUGO_BIND_IP=0.0.0.0 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null) -DOCKER_IMAGE := docker$(if $(GIT_BRANCH),:$(GIT_BRANCH)) -DOCKER_DOCS_IMAGE := docs-base$(if $(GIT_BRANCH),:$(GIT_BRANCH)) - +GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g") +DOCKER_DOCS_IMAGE := registry-docs$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN)) DOCKER_RUN_DOCS := docker run --rm -it $(DOCS_MOUNT) -e AWS_S3_BUCKET -e NOCACHE 
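Review bot: In the second hunk, `GIT_BRANCH_CLEAN` pastes `$(GIT_BRANCH)` unquoted into the `$(shell echo … | sed …)` command line, so the branch name is parsed by the shell before sed sanitises it. Git permits several shell metacharacters in ref names, which matters if this Makefile runs on branches from untrusted contributors (for example CI on pull requests). Feeding git's output straight into sed avoids the re-parse: `GIT_BRANCH_CLEAN := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null | sed -e "s/[^[:alnum:]]/-/g")`. Separately, a branch name that starts with a non-alphanumeric character becomes a tag starting with `-`, which Docker rejects. A one-line comment above the variable saying it exists to produce a valid image tag would help.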
@@ -42,14 +28,11 @@ docs: docs-build docs-draft: docs-build $(DOCKER_RUN_DOCS) -p $(if $(DOCSPORT),$(DOCSPORT):)8000 -e DOCKERHOST "$(DOCKER_DOCS_IMAGE)" hugo server --buildDrafts="true" --port=$(DOCSPORT) --baseUrl=$(HUGO_BASE_URL) --bind=$(HUGO_BIND_IP) - docs-shell: docs-build $(DOCKER_RUN_DOCS) -p $(if $(DOCSPORT),$(DOCSPORT):)8000 "$(DOCKER_DOCS_IMAGE)" bash - docs-build: -# ( git remote | grep -v upstream ) || git diff --name-status upstream/release..upstream/docs ./ > ./changed-files -# echo "$(GIT_BRANCH)" > GIT_BRANCH -# echo "$(AWS_S3_BUCKET)" > AWS_S3_BUCKET -# echo "$(GITCOMMIT)" > GITCOMMIT docker build -t "$(DOCKER_DOCS_IMAGE)" . + +test: docs-build + $(DOCKER_RUN_DOCS) "$(DOCKER_DOCS_IMAGE)" diff --git a/docs/compatibility.md b/docs/compatibility.md index 9a7bdd42..cba7e378 100644 --- a/docs/compatibility.md +++ b/docs/compatibility.md @@ -1,8 +1,11 @@ @@ -15,7 +18,7 @@ will cause the Engine to receive a manifest it cannot use and the pull will fail ## Registry Manifest Support -Historically, the registry has supported a [single manifest type](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-1.md) +Historically, the registry has supported a [single manifest type](./spec/manifest-v2-1.md) known as _Schema 1_. With the move toward multiple architecture images the distribution project @@ -78,4 +81,4 @@ constraints of CAS.* For this reason if a manifest is pulled by _digest_ from a registry 2.3 with Docker Engine 1.9 and older, and the manifest was pushed with Docker Engine 1.10, a security check will cause the Engine to receive a manifest it cannot use and the -pull will fail. \ No newline at end of file +pull will fail. diff --git a/docs/configuration.md b/docs/configuration.md index f9b89feb..4319417e 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
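Review bot: The new `test` target reuses `$(DOCKER_RUN_DOCS)`, which (as far as the context lines of the previous hunk show) is `docker run --rm -it …`; with `-it` the target fails when no TTY is attached, which is the usual case for a CI job. It also forwards `AWS_S3_BUCKET` and `NOCACHE` into a container that only runs the image's default command. A dedicated invocation such as `docker run --rm "$(DOCKER_DOCS_IMAGE)"` would keep the test non-interactive and free of deployment settings. A one-line comment saying what the image's default command checks would also help, since nothing in this Makefile shows it.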
@@ -1667,7 +1667,7 @@ The TCP address to connect to, including a port number. username: [username] password: [password] -Proxy enables a registry to be configured as a pull through cache to the official Docker Hub. See [mirror](mirror.md) for more information. Pushing to a registry configured as a pull through cache is currently unsupported. +Proxy enables a registry to be configured as a pull through cache to the official Docker Hub. See [mirror](recipes/mirror.md) for more information. Pushing to a registry configured as a pull through cache is currently unsupported. diff --git a/docs/deploying.md b/docs/deploying.md index 1e7f5dd6..ceed44a6 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -11,7 +11,7 @@ weight=3 # Deploying a registry server -You need to [install Docker version 1.6.0 or newer](https://docs.docker.com/installation/). +You need to [install Docker version 1.6.0 or newer](/engine/installation/index.md). ## Running on localhost @@ -39,7 +39,7 @@ To stop your registry, you would: ## Storage -By default, your registry data is persisted as a [docker volume](https://docs.docker.com/userguide/dockervolumes/) on the host filesystem. Properly understanding volumes is essential if you want to stick with a local filesystem storage. +By default, your registry data is persisted as a [docker volume](/engine/userguide/containers/dockervolumes.md) on the host filesystem. Properly understanding volumes is essential if you want to stick with a local filesystem storage. Specifically, you might want to point your volume location to a specific place in order to more easily access your registry data. To do so you can: 
@@ -49,7 +49,7 @@ Specifically, you might want to point your volume location to a specific place i ### Alternatives -You should usually consider using [another storage backend](https://github.com/docker/distribution/blob/master/docs/storagedrivers.md) instead of the local filesystem. Use the [storage configuration options](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) to configure an alternate storage backend. +You should usually consider using [another storage backend](./storage-drivers/index.md) instead of the local filesystem. Use the [storage configuration options](./configuration.md#storage) to configure an alternate storage backend. Using one of these will allow you to more easily scale your registry, and leverage your storage redundancy and availability features. @@ -180,7 +180,7 @@ Seeing X509 errors is usually a sign you are trying to use self-signed certifica ### Alternatives -1. You may want to leverage more advanced basic auth implementations through a proxy design, in front of the registry. You will find examples of such patterns in the [recipes list](recipes.md). +1. You may want to leverage more advanced basic auth implementations through a proxy design, in front of the registry. You will find examples of such patterns in the [recipes list](recipes/index.md). 2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only makes sense if you want to fully configure ACLs and more control over the Registry integration into your global authorization and authentication systems. 
@@ -192,7 +192,7 @@ Beware that you will have to implement your own authentication service for this As your registry configuration grows more complex, dealing with it can quickly become tedious. -It's highly recommended to use [Docker Compose](https://docs.docker.com/compose/) to facilitate operating your registry. +It's highly recommended to use [Docker Compose](/compose/index.md) to facilitate operating your registry. Here is a simple `docker-compose.yml` example that condenses everything explained so far: @@ -226,7 +226,7 @@ You will find more specific and advanced informations in the following sections: - [Configuration reference](configuration.md) - [Working with notifications](notifications.md) - - [Advanced "recipes"](recipes.md) + - [Advanced "recipes"](recipes/index.md) - [Registry API](spec/api.md) - - [Storage driver model](storagedrivers.md) + - [Storage driver model](storage-drivers/index.md) - [Token authentication](spec/auth/token.md) diff --git a/docs/garbage-collection.md b/docs/garbage-collection.md index 688bfb25..2d03e787 100644 --- a/docs/garbage-collection.md +++ b/docs/garbage-collection.md @@ -3,6 +3,9 @@ title = "Garbage Collection" description = "High level discussion of garbage collection" keywords = ["registry, garbage, images, tags, repository, distribution"] +[menu.main] +parent="smn_registry_ref" +weight=4 +++ diff --git a/docs/help.md b/docs/help.md index c6ac7ad9..77ec378f 100644 --- a/docs/help.md +++ b/docs/help.md @@ -21,4 +21,4 @@ If you want to report a bug: - be sure to first read about [how to contribute](https://github.com/docker/distribution/blob/master/CONTRIBUTING.md) - you can then do so on the [GitHub project bugtracker](https://github.com/docker/distribution/issues) -You can also find out more about the Docker's project [Getting Help resources](https://docs.docker.com/opensource/get-help/). +You can also find out more about the Docker's project [Getting Help resources](/opensource/get-help.md). 
diff --git a/docs/index.md b/docs/index.md index 0252fcb5..95922284 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,11 +1,12 @@ @@ -28,7 +29,7 @@ You should use the Registry if you want to: Users looking for a zero maintenance, ready-to-go solution are encouraged to head-over to the [Docker Hub](https://hub.docker.com), which provides a free-to-use, hosted Registry, plus additional features (organization accounts, automated builds, and more). -Users looking for a commercially supported version of the Registry should look into [Docker Trusted Registry](https://docs.docker.com/docker-trusted-registry/). +Users looking for a commercially supported version of the Registry should look into [Docker Trusted Registry](/docker-trusted-registry/overview.md). ## Requirements diff --git a/docs/insecure.md b/docs/insecure.md index 88055d51..38b3a355 100644 --- a/docs/insecure.md +++ b/docs/insecure.md @@ -3,6 +3,9 @@ title = "Testing an insecure registry" description = "Deploying a Registry in an insecure fashion" keywords = ["registry, on-prem, images, tags, repository, distribution, insecure"] +[menu.main] +parent="smn_registry_ref" +weight=5 +++ @@ -60,7 +63,7 @@ This is more secure than the insecure registry solution. You must configure eve 2. Be sure to use the name `myregistrydomain.com` as a CN. -3. Use the result to [start your registry with TLS enabled](https://github.com/docker/distribution/blob/master/docs/deploying.md#get-a-certificate) +3. Use the result to [start your registry with TLS enabled](./deploying.md#get-a-certificate) 4. Instruct every docker daemon to trust that certificate. diff --git a/docs/introduction.md b/docs/introduction.md index e8b05d8c..eceb5ffc 100644 --- a/docs/introduction.md +++ b/docs/introduction.md 
@@ -19,7 +19,7 @@ Users interact with a registry by using docker push and pull commands. > Example: `docker pull registry-1.docker.io/distribution/registry:2.1`. -Storage itself is delegated to drivers. The default storage driver is the local posix filesystem, which is suitable for development or small deployments. Additional cloud-based storage drivers like S3, Microsoft Azure, OpenStack Swift and Aliyun OSS are also supported. People looking into using other storage backends may do so by writing their own driver implementing the [Storage API](storagedrivers.md). +Storage itself is delegated to drivers. The default storage driver is the local posix filesystem, which is suitable for development or small deployments. Additional cloud-based storage drivers like S3, Microsoft Azure, OpenStack Swift and Aliyun OSS are also supported. People looking into using other storage backends may do so by writing their own driver implementing the [Storage API](storage-drivers/index.md). Since securing access to your hosted images is paramount, the Registry natively supports TLS and basic authentication. @@ -34,7 +34,7 @@ Image names as used in typical docker commands reflect their origin: * `docker pull ubuntu` instructs docker to pull an image named `ubuntu` from the official Docker Hub. This is simply a shortcut for the longer `docker pull docker.io/library/ubuntu` command * `docker pull myregistrydomain:port/foo/bar` instructs docker to contact the registry located at `myregistrydomain:port` to find the image `foo/bar` -You can find out more about the various Docker commands dealing with images in the [official Docker engine documentation](https://docs.docker.com/reference/commandline/cli/). +You can find out more about the various Docker commands dealing with images in the [official Docker engine documentation](/engine/reference/commandline/cli.md). ## Use cases 
diff --git a/docs/overview.md b/docs/menu.md similarity index 82% rename from docs/overview.md rename to docs/menu.md index d3532b62..7e24a690 100644 --- a/docs/overview.md +++ b/docs/menu.md @@ -1,10 +1,12 @@ @@ -17,5 +19,5 @@ The Docker Registry documentation includes the following topics: * [Deploying a registry server](deploying.md) * [Registry Configuration Reference](configuration.md) * [Notifications](notifications.md) -* [Recipes](recipes.md) +* [Recipes](recipes/index.md) * [Getting help](help.md) diff --git a/docs/apache.md b/docs/recipes/apache.md similarity index 97% rename from docs/apache.md rename to docs/recipes/apache.md index f694ca3e..ac24113b 100644 --- a/docs/apache.md +++ b/docs/recipes/apache.md @@ -3,6 +3,8 @@ title = "Authenticating proxy with apache" description = "Restricting access to your registry using an apache proxy" keywords = ["registry, on-prem, images, tags, repository, distribution, authentication, proxy, apache, httpd, TLS, recipe, advanced"] +[menu.main] +parent="smn_recipes" +++ @@ -16,7 +18,7 @@ Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO ### Alternatives -If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](deploying.md#native-basic-auth). +If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth). ### Solution @@ -34,7 +36,7 @@ Furthermore, introducing an extra http layer in your communication pipeline will ## Setting things up -Read again [the requirements](recipes.md#requirements). +Read again [the requirements](index.md#requirements). Ready? 
diff --git a/docs/building.md b/docs/recipes/building.md similarity index 99% rename from docs/building.md rename to docs/recipes/building.md index 126a455a..4d67593a 100644 --- a/docs/building.md +++ b/docs/recipes/building.md @@ -3,6 +3,8 @@ title = "Build instructions" description = "Explains how to build & hack on the registry" keywords = ["registry, on-prem, images, tags, repository, distribution, build, recipe, advanced"] +[menu.main] +parent="smn_recipes" +++ diff --git a/docs/recipes.md b/docs/recipes/index.md similarity index 89% rename from docs/recipes.md rename to docs/recipes/index.md index c9f64d53..df74ca2b 100644 --- a/docs/recipes.md +++ b/docs/recipes/index.md @@ -1,11 +1,11 @@ @@ -17,7 +17,7 @@ Most users are not expected to have a use for these. ## Requirements -You should have followed entirely the basic [deployment guide](deploying.md). +You should have followed entirely the basic [deployment guide](../deploying.md). If you have not, please take the time to do so. diff --git a/docs/recipes/menu.md b/docs/recipes/menu.md new file mode 100644 index 00000000..5fdbec5b --- /dev/null +++ b/docs/recipes/menu.md @@ -0,0 +1,22 @@ + + +# Recipes + +## The List + + * [using Apache as an authenticating proxy](apache.md) + * [using Nginx as an authenticating proxy](nginx.md) + * [running a Registry on OS X](osx-setup-guide.md) + * [hacking the registry: build instructions](building.md) + * [mirror the Docker Hub](mirror.md) diff --git a/docs/mirror.md b/docs/recipes/mirror.md similarity index 99% rename from docs/mirror.md rename to docs/recipes/mirror.md index feb2630c..ff437ba4 100644 --- a/docs/mirror.md +++ b/docs/recipes/mirror.md @@ -3,6 +3,8 @@ title = "Mirroring Docker Hub" description = "Setting-up a local mirror for Docker Hub images" keywords = ["registry, on-prem, images, tags, repository, distribution, mirror, Hub, recipe, advanced"] +[menu.main] +parent="smn_recipes" +++ 
diff --git a/docs/nginx.md b/docs/recipes/nginx.md similarity index 95% rename from docs/nginx.md rename to docs/recipes/nginx.md index 17b92f44..f4a67679 100644 --- a/docs/nginx.md +++ b/docs/recipes/nginx.md @@ -3,6 +3,8 @@ title = "Authenticating proxy with nginx" description = "Restricting access to your registry using a nginx proxy" keywords = ["registry, on-prem, images, tags, repository, distribution, nginx, proxy, authentication, TLS, recipe, advanced"] +[menu.main] +parent="smn_recipes" +++ @@ -17,7 +19,7 @@ Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO ### Alternatives -If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](deploying.md#native-basic-auth). +If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth). ### Solution @@ -53,7 +55,7 @@ Otherwise nginx will reset the ELB's values, and the requests will not be routed ## Setting things up -Read again [the requirements](recipes.md#requirements). +Read again [the requirements](index.md#requirements). Ready? @@ -76,7 +78,7 @@ events { } http { - + upstream docker-registry { server registry:5000; } 
@@ -98,34 +100,34 @@ http { # SSL ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate_key /etc/nginx/conf.d/domain.key; - + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; - + # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; - + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; - + location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) { return 404; } - + # To add basic authentication to v2 use auth_basic setting. auth_basic "Registry realm"; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; - + ## If $docker_distribution_api_version is empty, the header will not be added. ## See the map directive above where this variable is defined. add_header 'Docker-Distribution-Api-Version' \$docker_distribution_api_version always; - + proxy_pass http://docker-registry; proxy_set_header Host \$http_host; # required for docker client's sake proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP @@ -182,7 +184,7 @@ Now, start your stack: Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image: - docker login -p=testuser -u=testpassword -e=root@example.ch myregistrydomain.com:5043 + docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043 docker tag ubuntu myregistrydomain.com:5043/test docker push myregistrydomain.com:5043/test docker pull myregistrydomain.com:5043/test 
diff --git a/docs/osx-setup-guide.md b/docs/recipes/osx-setup-guide.md similarity index 94% rename from docs/osx-setup-guide.md rename to docs/recipes/osx-setup-guide.md index 15a26ff4..d47d31c1 100644 --- a/docs/osx-setup-guide.md +++ b/docs/recipes/osx-setup-guide.md @@ -3,6 +3,8 @@ title = "Running on OS X" description = "Explains how to run a registry on OS X" keywords = ["registry, on-prem, images, tags, repository, distribution, OS X, recipe, advanced"] +[menu.main] +parent="smn_recipes" +++ @@ -16,7 +18,7 @@ This is useful if you intend to run a registry server natively on OS X. You can start a VM on OS X, and deploy your registry normally as a container using Docker inside that VM. -The simplest road to get there is traditionally to use the [docker Toolbox](https://www.docker.com/toolbox), or [docker-machine](https://docs.docker.com/machine/), which usually relies on the [boot2docker](http://boot2docker.io/) iso inside a VirtualBox VM. +The simplest road to get there is traditionally to use the [docker Toolbox](https://www.docker.com/toolbox), or [docker-machine](/machine/index.md), which usually relies on the [boot2docker](http://boot2docker.io/) iso inside a VirtualBox VM. ### Solution diff --git a/docs/osx/com.docker.registry.plist b/docs/recipes/osx/com.docker.registry.plist similarity index 100% rename from docs/osx/com.docker.registry.plist rename to docs/recipes/osx/com.docker.registry.plist diff --git a/docs/osx/config.yml b/docs/recipes/osx/config.yml similarity index 100% rename from docs/osx/config.yml rename to docs/recipes/osx/config.yml diff --git a/docs/spec/api.md b/docs/spec/api.md index fc074ffb..56e9242c 100644 --- a/docs/spec/api.md +++ b/docs/spec/api.md 
@@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and diff --git a/docs/spec/api.md.tmpl b/docs/spec/api.md.tmpl index 1a879ba0..1a9e9f89 100644 --- a/docs/spec/api.md.tmpl +++ b/docs/spec/api.md.tmpl 
@@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and diff --git a/docs/spec/auth/index.md b/docs/spec/auth/index.md index b123af1a..f6ee8e1f 100644 --- a/docs/spec/auth/index.md +++ b/docs/spec/auth/index.md @@ -3,6 +3,9 @@ title = "Docker Registry Token Authentication" description = "Docker Registry v2 authentication schema" keywords = ["registry, on-prem, images, tags, repository, distribution, authentication, advanced"] +[menu.main] +parent="smn_registry_ref" +weight=100 +++ diff --git a/docs/spec/auth/jwt.md b/docs/spec/auth/jwt.md index f627b17a..c90bd6e8 100644 --- a/docs/spec/auth/jwt.md +++ b/docs/spec/auth/jwt.md @@ -5,6 +5,7 @@ description = "Describe the reference implementation of the Docker Registry v2 a keywords = ["registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced"] [menu.main] parent="smn_registry_ref" +weight=101 +++ 
@@ -69,8 +70,17 @@ Token has 3 main parts: The header of a JSON Web Token is a standard JOSE header. The "typ" field will be "JWT" and it will also contain the "alg" which identifies the - signing algorithm used to produce the signature. It will also usually have - a "kid" field, the ID of the key which was used to sign the token. + signing algorithm used to produce the signature. It also must have a "kid" + field, representing the ID of the key which was used to sign the token. + + The "kid" field has to be in a libtrust fingerprint compatible format. + Such a format can be generated by following steps: + + 1. Take the DER encoded public key which the JWT token was signed against. + + 2. Create a SHA256 hash out of it and truncate to 240bits. + + 3. Split the result into 12 base32 encoded groups with `:` as delimiter. Here is an example JOSE Header for a JSON Web Token (formatted with whitespace for readability): diff --git a/docs/spec/auth/oauth.md b/docs/spec/auth/oauth.md index b0f9a13f..3d1ae0aa 100644 --- a/docs/spec/auth/oauth.md +++ b/docs/spec/auth/oauth.md @@ -5,6 +5,7 @@ description = "Specifies the Docker Registry v2 authentication" keywords = ["registry, on-prem, images, tags, repository, distribution, oauth2, advanced"] [menu.main] parent="smn_registry_ref" +weight=102 +++ @@ -170,12 +171,12 @@ grant_type=password&username=johndoe&password=A3ddj3w&service=hub.docker.io&clie HTTP/1.1 200 OK Content-Type: application/json -{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5","expires_in":"900","scope":""} -```` +{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5","expires_in":900,"scope":""} +``` #### Example refreshing an Access Token -```` +``` POST /token HTTP/1.1 Host: auth.docker.io Content-Type: application/x-www-form-urlencoded 
@@ -185,6 +186,6 @@ grant_type=refresh_token&refresh_token=kas9Da81Dfa8&service=registry-1.docker.io HTTP/1.1 200 OK Content-Type: application/json -{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5":"expires_in":"900","scope":"repository:samalba/my-app:pull,repository:samalba/my-app:push"} -```` +{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5":"expires_in":900,"scope":"repository:samalba/my-app:pull,repository:samalba/my-app:push"} +``` diff --git a/docs/spec/auth/scope.md b/docs/spec/auth/scope.md index 76e6f8cf..a8f6c062 100644 --- a/docs/spec/auth/scope.md +++ b/docs/spec/auth/scope.md @@ -5,6 +5,7 @@ description = "Describes the scope and access fields used for registry authoriza keywords = ["registry, on-prem, images, tags, repository, distribution, advanced, access, scope"] [menu.main] parent="smn_registry_ref" +weight=103 +++ @@ -56,7 +57,7 @@ it. The resource name represent the name which identifies a resource for a resource provider. A resource is identified by this name and the provided resource type. An example of a resource name would be the name component of an image tag, such -as "samalba/myapp". +as "samalba/myapp" or "hostname/samalba/myapp". ### Resource Actions 
@@ -83,16 +84,24 @@ scopes. scope := resourcescope [ ' ' resourcescope ]* resourcescope := resourcetype ":" resourcename ":" action [ ',' action ]* resourcetype := /[a-z]*/ -resourcename := component [ '/' component ]* +resourcename := [ hostname '/' ] component [ '/' component ]* +hostname := hostcomponent ['.' hostcomponent]* [':' port-number] +hostcomponent := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/ +port-number := /[0-9]+/ action := /[a-z]*/ component := alpha-numeric [ separator alpha-numeric ]* alpha-numeric := /[a-z0-9]+/ separator := /[_.]|__|[-]*/ ``` Full reference grammar is defined -(here)[https://godoc.org/github.com/docker/distribution/reference]. Currently -the scope name grammar is a subset of the reference grammar without support -for hostnames. +[here](https://godoc.org/github.com/docker/distribution/reference). Currently +the scope name grammar is a subset of the reference grammar. + +> **NOTE:** that the `resourcename` may contain one `:` due to a possible port +> number in the hostname component of the `resourcename`, so a naive +> implementation that interprets the first three `:`-delimited tokens of a +> `scope` to be the `resourcetype`, `resourcename`, and a list of `action` +> would be insufficient. ## Resource Provider Use diff --git a/docs/spec/auth/token.md b/docs/spec/auth/token.md index 9f3167be..12dfc685 100644 --- a/docs/spec/auth/token.md +++ b/docs/spec/auth/token.md @@ -5,6 +5,7 @@ description = "Specifies the Docker Registry v2 authentication" keywords = ["registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced"] [menu.main] parent="smn_registry_ref" +weight=104 +++ 
@@ -238,7 +239,7 @@ authenticate to the audience service (within the indicated window of time): HTTP/1.1 200 OK Content-Type: application/json -{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": "3600","issued_at": "2009-11-10T23:00:00Z"} +{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": 3600,"issued_at": "2009-11-10T23:00:00Z"} ``` diff --git a/docs/spec/index.md b/docs/spec/index.md index dddaa528..474bd455 100644 --- a/docs/spec/index.md +++ b/docs/spec/index.md @@ -1,18 +1,17 @@ # Docker Registry Reference * [HTTP API V2](api.md) -* [Storage Driver](../storagedrivers.md) +* [Storage Driver](../storage-drivers/index.md) * [Token Authentication Specification](auth/token.md) * [Token Authentication Implementation](auth/jwt.md) diff --git a/docs/spec/manifest-v2-2.md b/docs/spec/manifest-v2-2.md index 31631454..9f01974c 100644 --- a/docs/spec/manifest-v2-2.md +++ b/docs/spec/manifest-v2-2.md 
@@ -76,7 +76,7 @@ image manifest based on the Content-Type returned in the HTTP response.
 - **`digest`** *string*
 The digest of the content, as defined by the
- [Registry V2 HTTP API Specificiation](https://docs.docker.com/registry/spec/api/#digest-parameter).
+ [Registry V2 HTTP API Specificiation](api.md#digest-parameter).
 - **`platform`** *object*
@@ -191,7 +191,7 @@ image. It's the direct replacement for the schema-1 manifest.
 - **`digest`** *string*
 The digest of the content, as defined by the
- [Registry V2 HTTP API Specificiation](https://docs.docker.com/registry/spec/api/#digest-parameter).
+ [Registry V2 HTTP API Specificiation](api.md#digest-parameter).
 - **`layers`** *array*
@@ -214,7 +214,7 @@ image. It's the direct replacement for the schema-1 manifest.
 - **`digest`** *string*
 The digest of the content, as defined by the
- [Registry V2 HTTP API Specificiation](https://docs.docker.com/registry/spec/api/#digest-parameter).
+ [Registry V2 HTTP API Specificiation](api.md#digest-parameter).
 ## Example Image Manifest
diff --git a/docs/spec/menu.md b/docs/spec/menu.md
new file mode 100644
index 00000000..ebc52327
--- /dev/null
+++ b/docs/spec/menu.md
@@ -0,0 +1,13 @@
+
+
diff --git a/docs/storage-drivers/azure.md b/docs/storage-drivers/azure.md
index 2783c427..a84888de 100644
--- a/docs/storage-drivers/azure.md
+++ b/docs/storage-drivers/azure.md
@@ -3,6 +3,8 @@
 title = "Microsoft Azure storage driver"
 description = "Explains how to use the Azure storage drivers"
 keywords = ["registry, service, driver, images, storage, azure"]
+[menu.main]
+parent = "smn_storagedrivers"
 +++
diff --git a/docs/storage-drivers/filesystem.md b/docs/storage-drivers/filesystem.md
index 476edcf5..65d39bce 100644
--- a/docs/storage-drivers/filesystem.md
+++ b/docs/storage-drivers/filesystem.md
@@ -3,6 +3,8 @@
 title = "Filesystem storage driver"
 description = "Explains how to use the filesystem storage drivers"
 keywords = ["registry, service, driver, images, storage, filesystem"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
diff --git a/docs/storage-drivers/gcs.md b/docs/storage-drivers/gcs.md
index 0aa9b30d..1bc67f9e 100644
--- a/docs/storage-drivers/gcs.md
+++ b/docs/storage-drivers/gcs.md
@@ -3,6 +3,8 @@
 title = "GCS storage driver"
 description = "Explains how to use the Google Cloud Storage drivers"
 keywords = ["registry, service, driver, images, storage, gcs, google, cloud"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
diff --git a/docs/storage-drivers/index.md b/docs/storage-drivers/index.md
index 2de729ad..89635bd3 100644
--- a/docs/storage-drivers/index.md
+++ b/docs/storage-drivers/index.md
@@ -1,7 +1,66 @@
+
+
+# Docker Registry Storage Driver
+
+This document describes the registry storage driver model, implementation, and explains how to contribute new storage drivers.
+
+## Provided Drivers
+
+This storage driver package comes bundled with several drivers:
+
+- [inmemory](inmemory.md): A temporary storage driver using a local inmemory map. This exists solely for reference and testing.
+- [filesystem](filesystem.md): A local storage driver configured to use a directory tree in the local filesystem.
+- [s3](s3.md): A driver storing objects in an Amazon Simple Storage Solution (S3) bucket.
+- [azure](azure.md): A driver storing objects in [Microsoft Azure Blob Storage](http://azure.microsoft.com/en-us/services/storage/).
+- [swift](swift.md): A driver storing objects in [Openstack Swift](http://docs.openstack.org/developer/swift/).
+- [oss](oss.md): A driver storing objects in [Aliyun OSS](http://www.aliyun.com/product/oss).
+- [gcs](gcs.md): A driver storing objects in a [Google Cloud Storage](https://cloud.google.com/storage/) bucket.
+
+## Storage Driver API
+
+The storage driver API is designed to model a filesystem-like key/value storage in a manner abstract enough to support a range of drivers from the local filesystem to Amazon S3 or other distributed object storage systems.
+
+Storage drivers are required to implement the `storagedriver.StorageDriver` interface provided in `storagedriver.go`, which includes methods for reading, writing, and deleting content, as well as listing child objects of a specified prefix key.
+
+Storage drivers are intended to be written in Go, providing compile-time
+validation of the `storagedriver.StorageDriver` interface.
+
+## Driver Selection and Configuration
+
+The preferred method of selecting a storage driver is using the `StorageDriverFactory` interface in the `storagedriver/factory` package. These factories provide a common interface for constructing storage drivers with a parameters map.
The factory model is based off of the [Register](http://golang.org/pkg/database/sql/#Register) and [Open](http://golang.org/pkg/database/sql/#Open) methods in the builtin [database/sql](http://golang.org/pkg/database/sql) package.
+
+Storage driver factories may be registered by name using the
+`factory.Register` method, and then later invoked by calling `factory.Create`
+with a driver name and parameters map. If no such storage driver can be found,
+`factory.Create` will return an `InvalidStorageDriverError`.
+
+## Driver Contribution
+
+### Writing new storage drivers
+
+To create a valid storage driver, one must implement the
+`storagedriver.StorageDriver` interface and make sure to expose this driver
+via the factory system.
+
+#### Registering
+
+Storage drivers should call `factory.Register` with their driver name in an `init` method, allowing callers of `factory.New` to construct instances of this driver without requiring modification of imports throughout the codebase.
+
+## Testing
+
+Storage driver test suites are provided in
+`storagedriver/testsuites/testsuites.go` and may be used for any storage
+driver written in Go. Tests can be registered using the `RegisterSuite`
+function, which run the same set of tests for any registered drivers.
diff --git a/docs/storage-drivers/inmemory.md b/docs/storage-drivers/inmemory.md
index 3109891e..1a14e77a 100644
--- a/docs/storage-drivers/inmemory.md
+++ b/docs/storage-drivers/inmemory.md
@@ -3,6 +3,8 @@
 title = "In-memory storage driver"
 description = "Explains how to use the in-memory storage drivers"
 keywords = ["registry, service, driver, images, storage, in-memory"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
diff --git a/docs/storage-drivers/menu.md b/docs/storage-drivers/menu.md
new file mode 100644
index 00000000..3638649f
--- /dev/null
+++ b/docs/storage-drivers/menu.md
@@ -0,0 +1,13 @@
+
+
diff --git a/docs/storage-drivers/oss.md b/docs/storage-drivers/oss.md
index 2087c98d..a85e315e 100644
--- a/docs/storage-drivers/oss.md
+++ b/docs/storage-drivers/oss.md
@@ -3,6 +3,8 @@
 title = "Aliyun OSS storage driver"
 description = "Explains how to use the Aliyun OSS storage driver"
 keywords = ["registry, service, driver, images, storage, OSS, aliyun"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md
index 2a7aa9f5..97cfbfc1 100644
--- a/docs/storage-drivers/s3.md
+++ b/docs/storage-drivers/s3.md
@@ -3,6 +3,8 @@
 title = "S3 storage driver"
 description = "Explains how to use the S3 storage drivers"
 keywords = ["registry, service, driver, images, storage, S3"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
@@ -198,7 +200,7 @@ The following IAM permissions are required by the registry for push and pull. S
 "Action": [
 "s3:ListBucket",
 "s3:GetBucketLocation",
- "s3:ListBucketMultipartUploads",
+ "s3:ListBucketMultipartUploads"
 ],
 "Resource": "arn:aws:s3:::mybucket"
 },
diff --git a/docs/storage-drivers/swift.md b/docs/storage-drivers/swift.md
index cab0bbd2..0cf582d1 100644
--- a/docs/storage-drivers/swift.md
+++ b/docs/storage-drivers/swift.md
@@ -3,6 +3,8 @@
 title = "Swift storage driver"
 description = "Explains how to use the OpenStack swift storage driver"
 keywords = ["registry, service, driver, images, storage, swift"]
+[menu.main]
+parent="smn_storagedrivers"
 +++
diff --git a/docs/storagedrivers.md b/docs/storagedrivers.md
deleted file mode 100644
index ab475c32..00000000
--- a/docs/storagedrivers.md
+++ /dev/null
@@ -1,64 +0,0 @@
-
-
-
-# Docker Registry Storage Driver
-
-This document describes the registry storage driver model, implementation, and explains how to contribute new storage drivers.
-
-## Provided Drivers
-
-This storage driver package comes bundled with several drivers:
-
-- [inmemory](storage-drivers/inmemory.md): A temporary storage driver using a local inmemory map. This exists solely for reference and testing.
-- [filesystem](storage-drivers/filesystem.md): A local storage driver configured to use a directory tree in the local filesystem.
-- [s3](storage-drivers/s3.md): A driver storing objects in an Amazon Simple Storage Solution (S3) bucket.
-- [azure](storage-drivers/azure.md): A driver storing objects in [Microsoft Azure Blob Storage](http://azure.microsoft.com/en-us/services/storage/).
-- [swift](storage-drivers/swift.md): A driver storing objects in [Openstack Swift](http://docs.openstack.org/developer/swift/).
-- [oss](storage-drivers/oss.md): A driver storing objects in [Aliyun OSS](http://www.aliyun.com/product/oss).
-- [gcs](storage-drivers/gcs.md): A driver storing objects in a [Google Cloud Storage](https://cloud.google.com/storage/) bucket.
-
-## Storage Driver API
-
-The storage driver API is designed to model a filesystem-like key/value storage in a manner abstract enough to support a range of drivers from the local filesystem to Amazon S3 or other distributed object storage systems.
-
-Storage drivers are required to implement the `storagedriver.StorageDriver` interface provided in `storagedriver.go`, which includes methods for reading, writing, and deleting content, as well as listing child objects of a specified prefix key.
-
-Storage drivers are intended to be written in Go, providing compile-time
-validation of the `storagedriver.StorageDriver` interface.
-
-## Driver Selection and Configuration
-
-The preferred method of selecting a storage driver is using the `StorageDriverFactory` interface in the `storagedriver/factory` package.
These factories provide a common interface for constructing storage drivers with a parameters map. The factory model is based off of the [Register](http://golang.org/pkg/database/sql/#Register) and [Open](http://golang.org/pkg/database/sql/#Open) methods in the builtin [database/sql](http://golang.org/pkg/database/sql) package.
-
-Storage driver factories may be registered by name using the
-`factory.Register` method, and then later invoked by calling `factory.Create`
-with a driver name and parameters map. If no such storage driver can be found,
-`factory.Create` will return an `InvalidStorageDriverError`.
-
-## Driver Contribution
-
-### Writing new storage drivers
-
-To create a valid storage driver, one must implement the
-`storagedriver.StorageDriver` interface and make sure to expose this driver
-via the factory system.
-
-#### Registering
-
-Storage drivers should call `factory.Register` with their driver name in an `init` method, allowing callers of `factory.New` to construct instances of this driver without requiring modification of imports throughout the codebase.
-
-## Testing
-
-Storage driver test suites are provided in
-`storagedriver/testsuites/testsuites.go` and may be used for any storage
-driver written in Go. Tests can be registered using the `RegisterSuite`
-function, which run the same set of tests for any registered drivers.