4170effd5a
If `--insecure-registry mydomain.com` was specified, it would match a registry at mydomain.com on any port. This was accidentally added in #9735 and is now being reverted. Signed-off-by: Tibor Vass <teabee89@gmail.com>
217 lines
6.8 KiB
Go
217 lines
6.8 KiB
Go
package registry
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
log "github.com/Sirupsen/logrus"
|
|
)
|
|
|
|
// for mocking in unit tests
|
|
var lookupIP = net.LookupIP
|
|
|
|
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
|
|
func scanForAPIVersion(hostname string) (string, APIVersion) {
|
|
var (
|
|
chunks []string
|
|
apiVersionStr string
|
|
)
|
|
if strings.HasSuffix(hostname, "/") {
|
|
chunks = strings.Split(hostname[:len(hostname)-1], "/")
|
|
apiVersionStr = chunks[len(chunks)-1]
|
|
} else {
|
|
chunks = strings.Split(hostname, "/")
|
|
apiVersionStr = chunks[len(chunks)-1]
|
|
}
|
|
for k, v := range apiVersions {
|
|
if apiVersionStr == v {
|
|
hostname = strings.Join(chunks[:len(chunks)-1], "/")
|
|
return hostname, k
|
|
}
|
|
}
|
|
return hostname, DefaultAPIVersion
|
|
}
|
|
|
|
func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
|
endpoint, err := newEndpoint(hostname, insecureRegistries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Try HTTPS ping to registry
|
|
endpoint.URL.Scheme = "https"
|
|
if _, err := endpoint.Ping(); err != nil {
|
|
|
|
//TODO: triggering highland build can be done there without "failing"
|
|
|
|
if endpoint.secure {
|
|
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
|
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
|
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
|
}
|
|
|
|
// If registry is insecure and HTTPS failed, fallback to HTTP.
|
|
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
|
|
endpoint.URL.Scheme = "http"
|
|
_, err2 := endpoint.Ping()
|
|
if err2 == nil {
|
|
return endpoint, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
|
|
}
|
|
|
|
return endpoint, nil
|
|
}
|
|
func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
|
var (
|
|
endpoint = Endpoint{}
|
|
trimmedHostname string
|
|
err error
|
|
)
|
|
if !strings.HasPrefix(hostname, "http") {
|
|
hostname = "https://" + hostname
|
|
}
|
|
trimmedHostname, endpoint.Version = scanForAPIVersion(hostname)
|
|
endpoint.URL, err = url.Parse(trimmedHostname)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &endpoint, nil
|
|
}
|
|
|
|
type Endpoint struct {
|
|
URL *url.URL
|
|
Version APIVersion
|
|
secure bool
|
|
}
|
|
|
|
// Get the formated URL for the root of this registry Endpoint
|
|
func (e Endpoint) String() string {
|
|
return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
|
|
}
|
|
|
|
func (e Endpoint) VersionString(version APIVersion) string {
|
|
return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
|
|
}
|
|
|
|
func (e Endpoint) Ping() (RegistryInfo, error) {
|
|
if e.String() == IndexServerAddress() {
|
|
// Skip the check, we now this one is valid
|
|
// (and we never want to fallback to http in case of error)
|
|
return RegistryInfo{Standalone: false}, nil
|
|
}
|
|
|
|
req, err := http.NewRequest("GET", e.String()+"_ping", nil)
|
|
if err != nil {
|
|
return RegistryInfo{Standalone: false}, err
|
|
}
|
|
|
|
resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
|
|
if err != nil {
|
|
return RegistryInfo{Standalone: false}, err
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
jsonString, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
|
|
}
|
|
|
|
// If the header is absent, we assume true for compatibility with earlier
|
|
// versions of the registry. default to true
|
|
info := RegistryInfo{
|
|
Standalone: true,
|
|
}
|
|
if err := json.Unmarshal(jsonString, &info); err != nil {
|
|
log.Debugf("Error unmarshalling the _ping RegistryInfo: %s", err)
|
|
// don't stop here. Just assume sane defaults
|
|
}
|
|
if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
|
|
log.Debugf("Registry version header: '%s'", hdr)
|
|
info.Version = hdr
|
|
}
|
|
log.Debugf("RegistryInfo.Version: %q", info.Version)
|
|
|
|
standalone := resp.Header.Get("X-Docker-Registry-Standalone")
|
|
log.Debugf("Registry standalone header: '%s'", standalone)
|
|
// Accepted values are "true" (case-insensitive) and "1".
|
|
if strings.EqualFold(standalone, "true") || standalone == "1" {
|
|
info.Standalone = true
|
|
} else if len(standalone) > 0 {
|
|
// there is a header set, and it is not "true" or "1", so assume fails
|
|
info.Standalone = false
|
|
}
|
|
log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
|
|
return info, nil
|
|
}
|
|
|
|
// isSecure returns false if the provided hostname is part of the list of insecure registries.
|
|
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
|
//
|
|
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
|
|
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
|
|
// insecure.
|
|
//
|
|
// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
|
|
// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
|
|
// in a subnet. If the resolving is not successful, isSecure will only try to match hostname to any element
|
|
// of insecureRegistries.
|
|
func isSecure(hostname string, insecureRegistries []string) (bool, error) {
|
|
if hostname == IndexServerURL.Host {
|
|
return true, nil
|
|
}
|
|
|
|
host, _, err := net.SplitHostPort(hostname)
|
|
if err != nil {
|
|
// assume hostname is of the form `host` without the port and go on.
|
|
host = hostname
|
|
}
|
|
addrs, err := lookupIP(host)
|
|
if err != nil {
|
|
ip := net.ParseIP(host)
|
|
if ip != nil {
|
|
addrs = []net.IP{ip}
|
|
}
|
|
|
|
// if ip == nil, then `host` is neither an IP nor it could be looked up,
|
|
// either because the index is unreachable, or because the index is behind an HTTP proxy.
|
|
// So, len(addrs) == 0 and we're not aborting.
|
|
}
|
|
|
|
for _, r := range insecureRegistries {
|
|
if hostname == r {
|
|
// hostname matches insecure registry
|
|
return false, nil
|
|
}
|
|
|
|
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
|
|
for _, addr := range addrs {
|
|
|
|
// now assume a CIDR was passed to --insecure-registry
|
|
_, ipnet, err := net.ParseCIDR(r)
|
|
if err != nil {
|
|
// if we could not parse it as a CIDR, even after removing
|
|
// assume it's not a CIDR and go on with the next candidate
|
|
break
|
|
}
|
|
|
|
// check if the addr falls in the subnet
|
|
if ipnet.Contains(addr) {
|
|
return false, nil
|
|
}
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|