kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/registry/registry.go

181 lines
5.1 KiB
Go
Raw Normal View History

registry: Change default endpoint on windows to a windows-specific one Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-24 14:59:36 -04:00
// Package registry contains client primitives to interact with a remote Docker registry.
Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:05:59 -05:00
package registry // import "github.com/docker/docker/registry"
Split registry into subpackage
2013-05-14 21:41:39 -04:00
import (
Add support for client certificates for registries This lets you specify custom client TLS certificates and CA root for a specific registry hostname. Docker will then verify the registry against the CA and present the client cert when talking to that registry. This allows the registry to verify that the client has a proper key, indicating that the client is allowed to access the images. A custom cert is configured by creating a directory in /etc/docker/certs.d with the same name as the registry hostname. Inside this directory all *.crt files are added as CA Roots (if none exists, the system default is used) and pair of files <filename>.key and <filename>.cert indicate a custom certificate to present to the registry. If there are multiple certificates each one will be tried in alphabetical order, proceeding to the next if we get a 403 of 5xx response. So, an example setup would be: /etc/docker/certs.d/ └── localhost ├── client.cert ├── client.key └── localhost.crt A simple way to test this setup is to use an apache server to host a registry. Just copy a registry tree into the apache root, here is an example one containing the busybox image: http://people.gnome.org/~alexl/v1.tar.gz Then add this conf file as /etc/httpd/conf.d/registry.conf: # This must be in the root context, otherwise it causes a re-negotiation # which is not supported by the tls implementation in go SSLVerifyClient optional_no_ca <Location /v1> Action cert-protected /cgi-bin/cert.cgi SetHandler cert-protected Header set x-docker-registry-version "0.6.2" SetEnvIf Host (.*) custom_host=$1 Header set X-Docker-Endpoints "%{custom_host}e" </Location> And this as /var/www/cgi-bin/cert.cgi #!/bin/bash if [ "$HTTPS" != "on" ]; then echo "Status: 403 Not using SSL" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then echo "Status: 403 Client certificate invalid" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)" echo "x-docker-registry-version: 0.6.2" echo "X-Docker-Endpoints: $SERVER_NAME" echo "X-Docker-Size: 0" echo cat $PATH_TRANSLATED This will return 403 for all accessed to /v1 unless *any* client cert is presented. Obviously a real implementation would verify more details about the certificate. Example client certs can be generated with: openssl genrsa -out client.key 1024 openssl req -new -x509 -text -key client.key -out client.cert Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2013-12-04 09:03:51 -05:00
"crypto/tls"
Reduce connect and read timeout when pinging the registry (fixes issue #1363)
2013-08-04 20:42:24 -04:00
"net"
Split registry into subpackage
2013-05-14 21:41:39 -04:00
"net/http"
Add support for client certificates for registries This lets you specify custom client TLS certificates and CA root for a specific registry hostname. Docker will then verify the registry against the CA and present the client cert when talking to that registry. This allows the registry to verify that the client has a proper key, indicating that the client is allowed to access the images. A custom cert is configured by creating a directory in /etc/docker/certs.d with the same name as the registry hostname. Inside this directory all *.crt files are added as CA Roots (if none exists, the system default is used) and pair of files <filename>.key and <filename>.cert indicate a custom certificate to present to the registry. If there are multiple certificates each one will be tried in alphabetical order, proceeding to the next if we get a 403 of 5xx response. So, an example setup would be: /etc/docker/certs.d/ └── localhost ├── client.cert ├── client.key └── localhost.crt A simple way to test this setup is to use an apache server to host a registry. Just copy a registry tree into the apache root, here is an example one containing the busybox image: http://people.gnome.org/~alexl/v1.tar.gz Then add this conf file as /etc/httpd/conf.d/registry.conf: # This must be in the root context, otherwise it causes a re-negotiation # which is not supported by the tls implementation in go SSLVerifyClient optional_no_ca <Location /v1> Action cert-protected /cgi-bin/cert.cgi SetHandler cert-protected Header set x-docker-registry-version "0.6.2" SetEnvIf Host (.*) custom_host=$1 Header set X-Docker-Endpoints "%{custom_host}e" </Location> And this as /var/www/cgi-bin/cert.cgi #!/bin/bash if [ "$HTTPS" != "on" ]; then echo "Status: 403 Not using SSL" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then echo "Status: 403 Client certificate invalid" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)" echo "x-docker-registry-version: 0.6.2" echo "X-Docker-Endpoints: $SERVER_NAME" echo "X-Docker-Size: 0" echo cat $PATH_TRANSLATED This will return 403 for all accessed to /v1 unless *any* client cert is presented. Obviously a real implementation would verify more details about the certificate. Example client certs can be generated with: openssl genrsa -out client.key 1024 openssl req -new -x509 -text -key client.key -out client.cert Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2013-12-04 09:03:51 -05:00
"os"
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
"path/filepath"
Split registry into subpackage
2013-05-14 21:41:39 -04:00
"strings"
Reduce connect and read timeout when pinging the registry (fixes issue #1363)
2013-08-04 20:42:24 -04:00
"time"
Use proper scheme with static registry Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 05:01:07 -04:00
remove pkg/transport and use the one from distribution Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-17 05:07:48 -04:00
"github.com/docker/distribution/registry/client/transport"
registry: fix goimports Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 10:01:02 -05:00
"github.com/docker/go-connections/tlsconfig"
"github.com/sirupsen/logrus"
Split registry into subpackage
2013-05-14 21:41:39 -04:00
)
registry: remove unused error return from HostCertsDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:40:46 -05:00
// HostCertsDir returns the config directory for a specific host.
func HostCertsDir(hostname string) string {
return filepath.Join(CertsDir(), cleanPath(hostname))
vendor: update buildkit to ae7ff174 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-04-13 23:31:26 -04:00
}
registry: defaultService: use sync.RWMutex Most operations only require read access, so change this to use an RWMutex, and some minor refactoring in lookupV2Endpoints() so that we are not constructing tlsconfig multiple times in some cases. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 08:52:12 -05:00
// newTLSConfig constructs a client TLS configuration based on server defaults
Fix login and search TLS configuration Currently login and search do not load per registry certificates. This is a regression caused by the last refactor since this was recently fixed. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 13:36:57 -04:00
func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
// PreferredServerCipherSuites should have no effect
Fix govet for go1.7 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 21:27:20 -04:00
tlsConfig := tlsconfig.ServerDefault()
Fix login and search TLS configuration Currently login and search do not load per registry certificates. This is a regression caused by the last refactor since this was recently fixed. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 13:36:57 -04:00
tlsConfig.InsecureSkipVerify = !isSecure
registry: fix mtls config dir passing Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-05-13 16:55:43 -04:00
if isSecure && CertsDir() != "" {
registry: remove unused error return from HostCertsDir() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:40:46 -05:00
hostDir := HostCertsDir(hostname)
Fix login and search TLS configuration Currently login and search do not load per registry certificates. This is a regression caused by the last refactor since this was recently fixed. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 13:36:57 -04:00
logrus.Debugf("hostDir: %s", hostDir)
Fix govet for go1.7 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 21:27:20 -04:00
if err := ReadCertsDirectory(tlsConfig, hostDir); err != nil {
Fix login and search TLS configuration Currently login and search do not load per registry certificates. This is a regression caused by the last refactor since this was recently fixed. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 13:36:57 -04:00
return nil, err
}
}
Fix govet for go1.7 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 21:27:20 -04:00
return tlsConfig, nil
Fix login and search TLS configuration Currently login and search do not load per registry certificates. This is a regression caused by the last refactor since this was recently fixed. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-28 13:36:57 -04:00
}
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-24 06:10:50 -04:00
func hasFile(files []os.DirEntry, name string) bool {
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
for _, f := range files {
if f.Name() == name {
return true
Add support for client certificates for registries This lets you specify custom client TLS certificates and CA root for a specific registry hostname. Docker will then verify the registry against the CA and present the client cert when talking to that registry. This allows the registry to verify that the client has a proper key, indicating that the client is allowed to access the images. A custom cert is configured by creating a directory in /etc/docker/certs.d with the same name as the registry hostname. Inside this directory all *.crt files are added as CA Roots (if none exists, the system default is used) and pair of files <filename>.key and <filename>.cert indicate a custom certificate to present to the registry. If there are multiple certificates each one will be tried in alphabetical order, proceeding to the next if we get a 403 of 5xx response. So, an example setup would be: /etc/docker/certs.d/ └── localhost ├── client.cert ├── client.key └── localhost.crt A simple way to test this setup is to use an apache server to host a registry. Just copy a registry tree into the apache root, here is an example one containing the busybox image: http://people.gnome.org/~alexl/v1.tar.gz Then add this conf file as /etc/httpd/conf.d/registry.conf: # This must be in the root context, otherwise it causes a re-negotiation # which is not supported by the tls implementation in go SSLVerifyClient optional_no_ca <Location /v1> Action cert-protected /cgi-bin/cert.cgi SetHandler cert-protected Header set x-docker-registry-version "0.6.2" SetEnvIf Host (.*) custom_host=$1 Header set X-Docker-Endpoints "%{custom_host}e" </Location> And this as /var/www/cgi-bin/cert.cgi #!/bin/bash if [ "$HTTPS" != "on" ]; then echo "Status: 403 Not using SSL" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then echo "Status: 403 Client certificate invalid" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)" echo "x-docker-registry-version: 0.6.2" echo "X-Docker-Endpoints: $SERVER_NAME" echo "X-Docker-Size: 0" echo cat $PATH_TRANSLATED This will return 403 for all accessed to /v1 unless *any* client cert is presented. Obviously a real implementation would verify more details about the certificate. Example client certs can be generated with: openssl genrsa -out client.key 1024 openssl req -new -x509 -text -key client.key -out client.cert Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2013-12-04 09:03:51 -05:00
}
Style fixes for registry/registry.go Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-25 12:50:18 -04:00
}
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
return false
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
}
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
// ReadCertsDirectory reads the directory for TLS certificates
// including roots and certificate pairs and updates the
// provided TLS configuration.
func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-24 06:10:50 -04:00
fs, err := os.ReadDir(directory)
Revert "Don't die when daemon cannot read certs.d" This reverts commit 2808762b27b9e4e94a705193c8554184f6beb151. This exception was added for rootless mode, but superseded by the follow-up commit f4fa98f583a64d736eea1bb3a8fab755e159fdf4, which uses a different path to look for the certs when running in rootless mode Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-25 05:47:58 -05:00
if err != nil && !os.IsNotExist(err) {
registry: return "errdefs" compatible error types Adding some small utility functions to make generating them easier. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:45:12 -05:00
return invalidParam(err)
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
}
for _, f := range fs {
if strings.HasSuffix(f.Name(), ".crt") {
if tlsConfig.RootCAs == nil {
Use system ca pool from tlsconfig Remove deprecated config from local pkg/tlsconfig. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-10-31 17:52:07 -04:00
systemPool, err := tlsconfig.SystemCertPool()
if err != nil {
registry: return "errdefs" compatible error types Adding some small utility functions to make generating them easier. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:45:12 -05:00
return invalidParamWrapf(err, "unable to get system cert pool")
Use system ca pool from tlsconfig Remove deprecated config from local pkg/tlsconfig. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-10-31 17:52:07 -04:00
}
tlsConfig.RootCAs = systemPool
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
}
logrus.Debugf("crt: %s", filepath.Join(directory, f.Name()))
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-24 06:10:50 -04:00
data, err := os.ReadFile(filepath.Join(directory, f.Name()))
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
if err != nil {
return err
}
tlsConfig.RootCAs.AppendCertsFromPEM(data)
}
if strings.HasSuffix(f.Name(), ".cert") {
certName := f.Name()
keyName := certName[:len(certName)-5] + ".key"
logrus.Debugf("cert: %s", filepath.Join(directory, f.Name()))
if !hasFile(fs, keyName) {
registry: return "errdefs" compatible error types Adding some small utility functions to make generating them easier. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:45:12 -05:00
return invalidParamf("missing key %s for client certificate %s. CA certificates must use the extension .crt", keyName, certName)
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
}
cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
if err != nil {
return err
}
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
}
if strings.HasSuffix(f.Name(), ".key") {
keyName := f.Name()
certName := keyName[:len(keyName)-4] + ".cert"
logrus.Debugf("key: %s", filepath.Join(directory, f.Name()))
if !hasFile(fs, certName) {
registry: return "errdefs" compatible error types Adding some small utility functions to make generating them easier. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-26 07:45:12 -05:00
return invalidParamf("missing client certificate %s for key %s", certName, keyName)
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-15 16:42:45 -04:00
}
}
}
return nil
}
Remove Docker from some functions Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-10-25 08:39:51 -04:00
// Headers returns request modifiers with a User-Agent and metaHeaders
func Headers(userAgent string, metaHeaders http.Header) []transport.RequestModifier {
Remove the use of dockerversion from the registry package Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-01-04 13:36:01 -05:00
modifiers := []transport.RequestModifier{}
if userAgent != "" {
modifiers = append(modifiers, transport.NewHeaderRequestModifier(http.Header{
"User-Agent": []string{userAgent},
}))
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
}
Add transport package to support CancelRequest Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-15 21:35:04 -04:00
if metaHeaders != nil {
modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
}
Add transport package to support CancelRequest Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-15 21:35:04 -04:00
return modifiers
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
}
registry: un-export HTTPClient() and NewTransport() They're only used internally. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 17:58:25 -05:00
// httpClient returns an HTTP client structure which uses the given transport
Improve documentation and golint compliance of registry package * Add godoc documentation where it was missing * Change identifier names that don't match Go style, such as INDEX_NAME * Rename RegistryInfo to PingResult, which more accurately describes what this structure is for. It also has the benefit of making the name not stutter if used outside the package. Updates #14756 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 15:40:36 -04:00
// and contains the necessary headers for redirected requests
registry: un-export HTTPClient() and NewTransport() They're only used internally. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 17:58:25 -05:00
func httpClient(transport http.RoundTripper) *http.Client {
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
return &http.Client{
Transport: transport,
Improve documentation and golint compliance of registry package * Add godoc documentation where it was missing * Change identifier names that don't match Go style, such as INDEX_NAME * Rename RegistryInfo to PingResult, which more accurately describes what this structure is for. It also has the benefit of making the name not stutter if used outside the package. Updates #14756 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 15:40:36 -04:00
CheckRedirect: addRequiredHeadersToRedirectedRequests,
registry: Refactor requestfactory to use http.RoundTrippers This patch removes the need for requestFactories and decorators by implementing http.RoundTripper transports instead. It refactors some challenging-to-read code. NewSession now takes an *http.Client that can already have a custom Transport, it will add its own auth transport by wrapping it. The idea is that callers of http.Client should not bother setting custom headers for every handler but instead it should be transparent to the callers of a same context. This patch is needed for future refactorings of registry, namely refactoring of the v1 client code. Signed-off-by: Tibor Vass <tibor@docker.com>
2015-05-14 10:12:54 -04:00
}
Add support for client certificates for registries This lets you specify custom client TLS certificates and CA root for a specific registry hostname. Docker will then verify the registry against the CA and present the client cert when talking to that registry. This allows the registry to verify that the client has a proper key, indicating that the client is allowed to access the images. A custom cert is configured by creating a directory in /etc/docker/certs.d with the same name as the registry hostname. Inside this directory all *.crt files are added as CA Roots (if none exists, the system default is used) and pair of files <filename>.key and <filename>.cert indicate a custom certificate to present to the registry. If there are multiple certificates each one will be tried in alphabetical order, proceeding to the next if we get a 403 of 5xx response. So, an example setup would be: /etc/docker/certs.d/ └── localhost ├── client.cert ├── client.key └── localhost.crt A simple way to test this setup is to use an apache server to host a registry. Just copy a registry tree into the apache root, here is an example one containing the busybox image: http://people.gnome.org/~alexl/v1.tar.gz Then add this conf file as /etc/httpd/conf.d/registry.conf: # This must be in the root context, otherwise it causes a re-negotiation # which is not supported by the tls implementation in go SSLVerifyClient optional_no_ca <Location /v1> Action cert-protected /cgi-bin/cert.cgi SetHandler cert-protected Header set x-docker-registry-version "0.6.2" SetEnvIf Host (.*) custom_host=$1 Header set X-Docker-Endpoints "%{custom_host}e" </Location> And this as /var/www/cgi-bin/cert.cgi #!/bin/bash if [ "$HTTPS" != "on" ]; then echo "Status: 403 Not using SSL" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then echo "Status: 403 Client certificate invalid" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)" echo "x-docker-registry-version: 0.6.2" echo "X-Docker-Endpoints: $SERVER_NAME" echo "X-Docker-Size: 0" echo cat $PATH_TRANSLATED This will return 403 for all accessed to /v1 unless *any* client cert is presented. Obviously a real implementation would verify more details about the certificate. Example client certs can be generated with: openssl genrsa -out client.key 1024 openssl req -new -x509 -text -key client.key -out client.cert Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2013-12-04 09:03:51 -05:00
}
only forward auth to trusted locations Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 14:37:37 -04:00
func trustedLocation(req *http.Request) bool {
var (
trusteds = []string{"docker.com", "docker.io"}
hostname = strings.SplitN(req.Host, ":", 2)[0]
)
if req.URL.Scheme != "https" {
return false
}
for _, trusted := range trusteds {
improve trusted location detection Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-07 17:17:56 -04:00
if hostname == trusted || strings.HasSuffix(hostname, "."+trusted) {
only forward auth to trusted locations Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 14:37:37 -04:00
return true
}
}
return false
}
Improve documentation and golint compliance of registry package * Add godoc documentation where it was missing * Change identifier names that don't match Go style, such as INDEX_NAME * Rename RegistryInfo to PingResult, which more accurately describes what this structure is for. It also has the benefit of making the name not stutter if used outside the package. Updates #14756 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 15:40:36 -04:00
// addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
// for redirected requests
func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
registry: use len(via)!=0 instead of via!=nil This avoids the corner case where `via` is not nil, but has a length of 0, so the updated code does not panic in that situation. Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
2018-12-11 08:33:23 -05:00
if len(via) != 0 && via[0] != nil {
only forward auth to trusted locations Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 14:37:37 -04:00
if trustedLocation(req) && trustedLocation(via[0]) {
req.Header = via[0].Header
Style fixes for registry/registry.go Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-25 12:50:18 -04:00
return nil
}
for k, v := range via[0].Header {
if k != "Authorization" {
for _, vv := range v {
req.Header.Add(k, vv)
only forward auth to trusted locations Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-05 14:37:37 -04:00
}
}
}
resume pulling the layer on disconnect Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-03-25 20:33:17 -04:00
}
return nil
}
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
registry: un-export HTTPClient() and NewTransport() They're only used internally. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 17:58:25 -05:00
// newTransport returns a new HTTP transport. If tlsConfig is nil, it uses the
Improve documentation and golint compliance of registry package * Add godoc documentation where it was missing * Change identifier names that don't match Go style, such as INDEX_NAME * Rename RegistryInfo to PingResult, which more accurately describes what this structure is for. It also has the benefit of making the name not stutter if used outside the package. Updates #14756 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-21 15:40:36 -04:00
// default TLS configuration.
registry: un-export HTTPClient() and NewTransport() They're only used internally. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 17:58:25 -05:00
func newTransport(tlsConfig *tls.Config) *http.Transport {
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
if tlsConfig == nil {
Fix govet for go1.7 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-09-02 21:27:20 -04:00
tlsConfig = tlsconfig.ServerDefault()
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
}
Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the *engine* have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net>
2016-04-25 07:54:48 -04:00
direct := &net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}
registry: un-export HTTPClient() and NewTransport() They're only used internally. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 17:58:25 -05:00
return &http.Transport{
Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the *engine* have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net>
2016-04-25 07:54:48 -04:00
Proxy: http.ProxyFromEnvironment,
Fix base.Dial is deprecated: Use DialContext instead 1.Change base.Dial to base.DailContext. 2.Remove proxyDialer that was previously used to configure a net.Dialer to route proxy.Dialer which will route the connections through the proxy using the connections through a SOCKS proxy. SOCKS proxies are now supported by configuring only http.Transport.Proxy, and no longer require changing http.Transport.Dial. Signed-off-by: HuanHuan Ye <logindaveye@gmail.com>
2019-09-18 07:53:39 -04:00
DialContext: direct.DialContext,
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com>
2015-02-12 13:23:22 -05:00
TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: tlsConfig,
// TODO(dmcgowan): Call close idle connections when complete and use keep alive
DisableKeepAlives: true,
}
}
Copy permalink