From 39fbd603e9d07c9cd5ad968d901ee873484453e6 Mon Sep 17 00:00:00 2001 From: Anusha Ragunathan Date: Wed, 10 Aug 2016 12:04:42 -0700 Subject: [PATCH] Make `docker pull` detect plugin content and error out. Signed-off-by: Anusha Ragunathan (cherry picked from commit 9b6dcc8b9d1366d3da3c8f60f89de1a36b087b88) Signed-off-by: Victor Vieux --- api/client/image/pull.go | 10 +++++++--- distribution/pull_v2.go | 17 ++++++++++++++++- plugin/distribution/pull.go | 3 +-- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/api/client/image/pull.go b/api/client/image/pull.go index e5968db269..159156f538 100644 --- a/api/client/image/pull.go +++ b/api/client/image/pull.go @@ -77,9 +77,13 @@ func runPull(dockerCli *client.DockerCli, opts pullOptions) error { if client.IsTrusted() && !registryRef.HasDigest() { // Check if tag is digest - return dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege) + err = dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege) + } else { + err = dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all) + } + if err != nil { + return err } - return dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all) - + return nil } diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go index c78e221f04..5a786fba4b 100644 --- a/distribution/pull_v2.go +++ b/distribution/pull_v2.go @@ -9,6 +9,7 @@ import ( "net/url" "os" "runtime" + "strings" "github.com/Sirupsen/logrus" "github.com/docker/distribution" @@ -32,7 +33,11 @@ import ( "golang.org/x/net/context" ) -var errRootFSMismatch = errors.New("layers from manifest don't match image configuration") +var ( + errRootFSMismatch = errors.New("layers from manifest don't match image configuration") + errMediaTypePlugin = errors.New("target is a plugin") + errRootFSInvalid = errors.New("invalid rootfs in image configuration") +) // ImageConfigPullError is an error pulling the image config blob // (only applies to schema2). @@ -356,6 +361,12 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named) (tagUpdat return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest) } + if m, ok := manifest.(*schema2.DeserializedManifest); ok { + if strings.HasPrefix(m.Manifest.Config.MediaType, "application/vnd.docker.plugin") { + return false, errMediaTypePlugin + } + } + // If manSvc.Get succeeded, we can be confident that the registry on // the other side speaks the v2 protocol. p.confirmedV2 = true @@ -583,6 +594,10 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s } } + if unmarshalledConfig.RootFS == nil { + return "", "", errRootFSInvalid + } + // The DiffIDs returned in rootFS MUST match those in the config. // Otherwise the image config could be referencing layers that aren't // included in the manifest. diff --git a/plugin/distribution/pull.go b/plugin/distribution/pull.go index b8b3ebb492..1bae8d4bb7 100644 --- a/plugin/distribution/pull.go +++ b/plugin/distribution/pull.go @@ -143,8 +143,7 @@ func Pull(name string, rs registry.Service, metaheader http.Header, authConfig * logrus.Debugf("pull.go: error in json.Unmarshal(): %v", err) return nil, err } - if m.Config.MediaType != MediaTypeConfig && - m.Config.MediaType != "application/vnd.docker.plugin.image.v0+json" { + if m.Config.MediaType != MediaTypeConfig { return nil, ErrUnsupportedMediaType }