Граф коммитов

353 Коммитов

Автор SHA1 Сообщение Дата
Aaron Lehmann 1f61084d83 Fix uses of "int" where "int64" should be used instead
Some structures use int for sizes and UNIX timestamps. On some
platforms, int is 32 bits, so this can lead to the year 2038 issues and
overflows when dealing with large containers or layers.

Consistently use int64 to store sizes and UNIX timestamps in
api/types/types.go. Update related to code accordingly (i.e.
strconv.FormatInt instead of strconv.Itoa).

Use int64 in progressreader package to avoid integer overflow when
dealing with large quantities. Update related code accordingly.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-31 16:31:40 -07:00
Tibor Vass ad96fc310b Merge pull request #14970 from tiborvass/windows-registry-endpoint
registry: Change default endpoint on windows to a windows-specific one
2015-07-30 22:41:34 -04:00
Tibor Vass a21ba12f4e registry: allow fallback on unknown errors
This patch fixes a bug where a user specifies a v1 mirror for
--registry-mirror and pull an image from the Hub.

It used to not fallback because of an unexpected error returned when
trying to JSON marshal nginx output.

We now ensure that any unexpected error falls back to the next endpoint
in the list.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 19:03:38 -04:00
Tibor Vass 4a92b8a0ef registry: Change default endpoint on windows to a windows-specific one
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 14:52:41 -04:00
Derek McGowan e863a07b89 Fix login and search TLS configuration
Currently login and search do not load per registry certificates.
This is a regression caused by the last refactor since this was recently fixed.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 10:36:57 -07:00
Derek McGowan ed13c3abfb Use notary library for trusted image fetch and signing
Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest.
On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server.
If a tag is given, the cli will resolve the tag into a digest and pull by digest.
After pulling, if a tag is given the cli makes a request to tag the image.

Use certificate directory for notary requests

Read certificates using same logic used by daemon for registry requests.

Catch JSON syntax errors from Notary client

When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user.
Provide a generic error when a JSON syntax error occurs.

Catch expiration errors and wrap in additional context.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-24 14:08:20 -07:00
Aaron Lehmann 4fcb9ac40c Improve documentation and golint compliance of registry package
* Add godoc documentation where it was missing

* Change identifier names that don't match Go style, such as INDEX_NAME

* Rename RegistryInfo to PingResult, which more accurately describes
  what this structure is for. It also has the benefit of making the name
  not stutter if used outside the package.

Updates #14756

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-24 11:55:07 -07:00
Tibor Vass 96ce3a194a cli: new daemon command and new cli package
This patch creates a new cli package that allows to combine both client
and daemon commands (there is only one daemon command: docker daemon).

The `-d` and `--daemon` top-level flags are deprecated and a special
message is added to prompt the user to use `docker daemon`.

Providing top-level daemon-specific flags for client commands result
in an error message prompting the user to use `docker daemon`.

This patch does not break any old but correct usages.

This also makes `-d` and `--daemon` flags, as well as the `daemon`
command illegal in client-only binaries.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-23 19:44:46 -04:00
Jessica Frazelle ca3dae523b better i/o timeout error on pull
Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-07-21 19:08:15 -07:00
Tibor Vass 42533e323c Merge pull request #14829 from RichardScothern/registry-tls
Configure TLS for private v2 registry mirrors.
2015-07-21 19:23:39 -04:00
Richard Scothern 6b36a488e7 Remove v1 registry mirror configuration from LookupEndpoints.
V1 mirrors do not mirror the index and those endpoints should
only be indexes.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:41 -07:00
Richard Scothern cb57b25689 Configure TLS for private registry mirrors.
If a registry mirror is using TLS, ensure that certs for it
are picked up from /etc/docker/certs.d

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-07-21 15:21:25 -07:00
Aaron Lehmann 9e76e184e4 Remove unused types in registry package
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:53:57 -07:00
Aaron Lehmann 962dc622d9 Remove dead code in registry package
The only uses of RequestAuthorization and its associated functions were
removed in 19515a7ad8 ("Update graph to
use vendored distribution client for the v2 codepath")

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 11:45:53 -07:00
Morgan Bauer dea49b7474
golint for cliconfig
- fully capitalize HTTP in HTTPHeaders
 - comment for CONFIGFILE
 - camelcase and privatize oldConfigfile, defaultIndexserver
 - remove unused var errConfigFileMissing
 - comments for methods and functions throughout
 - external references to renamed variables changed

Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
2015-07-20 16:48:58 -07:00
Ma Shimiao 1b67c38f6f fix 8926: rmi dangling is unsafe when pulling
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-17 11:39:57 -04:00
Derek McGowan 19515a7ad8 Update graph to use vendored distribution client for the v2 codepath
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:47 -04:00
Tibor Vass 276c640be4 remove pkg/transport and use the one from distribution
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 13:13:46 -04:00
Tibor Vass b32c4cb459 Fix issue where Search API endpoint would panic due to empty AuthConfig
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-16 12:38:44 -04:00
David Calavera 46aea60fb0 Merge pull request #14332 from ankushagarwal/failedLogin
Add 500 check for registry api call
2015-07-15 11:19:31 -07:00
Derek McGowan 7f48cd7dce Set canonical name correctly
Currently canonical name gets set to the local name and displayed in the errors.
Canonical name should be the unique and canonical name for an image.
Use docker.io as the canonical domain for images on the public registry.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-14 17:45:49 -07:00
Stephen Day c7d4a4b2b4 Merge pull request #14521 from mattmoor/authenticated-search
Add the X-Docker-Token header to the /v1/search requests.
2015-07-14 15:43:28 -07:00
Stephen J Day 451789cf88 Allow one character repository name components
The docker/distribution dependency was updated in the previous commit to allow
repository name components to only consist of a single letter. The unit tests
have been updated to cement this change.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-07-10 14:06:15 -06:00
Matt Moore 5a170484d1 Add the X-Docker-Token header to the /v1/search requests.
By adding this header AuthTransport will add Basic authentication to the request and allow 'docker search' results to include private images.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-07-09 20:56:23 -07:00
Ankush Agarwal 88f02c2f33 Add 500 check for registry api call
Partially Addresses #14326

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
2015-07-02 12:41:24 -07:00
Eric Windisch 37846bff58 Remove RC4 from the list of registry cipher suites
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.

Uses the tlsconfig package to define allowed ciphers.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-06-29 09:15:13 -04:00
Stephen Day c7ece73fa4 Merge pull request #14046 from mattmoor/token-investigation
Unconditionally use AuthTransport.
2015-06-25 19:07:10 -07:00
Antonio Murdaca 927d13bc3c Remove dead code
Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-06-20 19:14:15 +02:00
Matt Moore c2315102ff Unconditionally add AuthTransport.
Today, endpoints implementing v2 cannot properly fallback to v1 because the underlying transport that deals with authentication (Basic / Token) doesn't get annotated.

This doesn't affect DockerHub because the DockerHub endpoint appears as 'https://index.docker.io/v1/' (in .dockercfg), and the 'v1' tricks this logic just long enough that the transport is always annotated for DockerHub accesses.

Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-19 10:12:52 -07:00
Sebastiaan van Stijn 206acbcf89 Merge pull request #13070 from shishir-a412ed/cleanup_cmd_tag
Use distribution's ValidateRepositoryName for remote name validation.
2015-06-17 23:26:27 +02:00
Derek McGowan d86345b9f7 Merge pull request #13575 from mattmoor/consistent-push-fallback
Make v2 push have v1-fallback behavior consistent with pull.
2015-06-17 13:41:58 -07:00
Shishir Mahajan b8301005ff Use distribution's ValidateRepositoryName for remote name validation.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-06-17 15:15:16 -04:00
Don Kjer b349a74c71 Only pulling single repository tag on pull for a specific tag. extending TestGetRemoteTags unit test
Splitting out GetRemoteTag from GetRemoteTags.  Adding registry.ErrRepoNotFound error

Signed-off-by: Don Kjer <don.kjer@gmail.com>
2015-06-16 07:10:09 +00:00
Arnaud Porterie 13baeb3b70 Merge pull request #13815 from tiborvass/do-not-send-basic-auth-on-302
Do not set auth headers for registry v1 if 302
2015-06-09 15:34:53 -07:00
xiekeyang a31be25121 Registry: remove unwanted return variable name
Signed-off-by: xiekeyang <xiekeyang@huawei.com>
2015-06-09 10:58:33 +08:00
Tibor Vass 123a0582b2 Do not set auth headers if 302
This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.

This also ensures v2 does not use authTransport.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-08 19:59:39 -04:00
Antonio Murdaca a06e0bb8b4 Merge pull request #13648 from tiborvass/print-debugtransport-to-test-output
registry: debugTransport should print with testing.T.Log
2015-06-05 00:42:22 +02:00
Matt Moore bd2575cc4f Make the v2 logic fallback on v1 when v2 requests cannot be authorized.
Signed-off-by: Matt Moore <mattmoor@google.com>
2015-06-02 21:22:59 -07:00
Phil Estes 278798236b Merge pull request #13650 from jvgogh/master
Upon HTTP 302 redirect do not include "Authorization" header on 'untr…
2015-06-02 14:23:20 -04:00
Arnaud Porterie 274baf70bf Merge pull request #13576 from stevvooe/verify-digests
Properly verify manifests and layer digests on pull
2015-06-02 11:16:23 -07:00
Jeffrey van Gogh 65c5105fcc Upon HTTP 302 redirect do not include "Authorization" header on 'untrusted' registries.
Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect.

This closes #13649

Signed-off-by: Jeffrey van Gogh <jvg@google.com>
2015-06-01 16:12:56 -07:00
Tibor Vass 78bc233a01 registry: debugTransport should print with testing.T.Log
It should not print to STDOUT so that it only prints the debugTransport
output if there was an error in one of the registry tests.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-01 17:48:30 -04:00
Alexander Morozov 9d98c28855 Fix race condition in registry/session
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-06-01 13:25:18 -07:00
Stephen J Day 06612cc0fe Properly verify manifests and layer digests on pull
To ensure manifest integrity when pulling by digest, this changeset ensures
that not only the remote digest provided by the registry is verified but also
that the digest provided on the command line is checked, as well. If this check
fails, the pull is cancelled as with an error. Inspection also should that
while layers were being verified against their digests, the error was being
treated as tech preview image signing verification error. This, in fact, is not
a tech preview and opens up the docker daemon to man in the middle attacks that
can be avoided with the v2 registry protocol.

As a matter of cleanliness, the digest package from the distribution project
has been updated to latest version. There were some recent improvements in the
digest package.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-05-29 15:20:28 -07:00
Antonio Murdaca 15134a3320 Remove PortSpecs from Config
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-29 22:38:09 +02:00
Alexander Morozov 3bda841e3e Merge pull request #13430 from runcom/fix-race-modify-request
Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
2015-05-28 11:31:04 -07:00
Richard 13deed3801 Registry v2 mirror support.
The v2 registry will act as a pull-through cache, and needs to be
handled differently by the client to the v1 registry mirror.

See docker/distribution#459 for details

Configuration

Only one v2 registry can be configured as a mirror. Acceptable configurations
in this chanage are: 0...n v1 mirrors or 1 v2 mirror. A mixture of v1 and v2
mirrors is considered an error.

Pull

If a v2 mirror is configured, all pulls are redirected to that mirror. The
mirror will serve the content locally or attempt a pull from the upstream mirror,
cache it locally, and then serve to the client.

Push

If an image is tagged to a mirror, it will be pushed to the mirror and be
stored locally there. Otherwise, images are pushed to the hub. This is
unchanged behavior.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
2015-05-26 11:08:19 -07:00
Antonio Murdaca a27395e6df Fix race in httpsRequestModifier.ModifyRequest when writing tlsConfig
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-05-23 23:50:08 +02:00
Tibor Vass fc29f7f70b registry: fix auth bug
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-21 16:53:22 -04:00
Jacob Atzen 007269ba24 Fix wording in comment
Signed-off-by: Jacob Atzen <jatzen@gmail.com>
2015-05-20 18:03:46 +02:00