Make `docker pull` detect plugin content and error out.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 9b6dcc8b9d
)
Signed-off-by: Victor Vieux <vieux@docker.com>
This commit is contained in:
parent
f29c255b2c
commit
39fbd603e9
|
@ -77,9 +77,13 @@ func runPull(dockerCli *client.DockerCli, opts pullOptions) error {
|
||||||
|
|
||||||
if client.IsTrusted() && !registryRef.HasDigest() {
|
if client.IsTrusted() && !registryRef.HasDigest() {
|
||||||
// Check if tag is digest
|
// Check if tag is digest
|
||||||
return dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
|
err = dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
|
||||||
|
} else {
|
||||||
|
err = dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
|
return nil
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ import (
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
"github.com/docker/distribution"
|
"github.com/docker/distribution"
|
||||||
|
@ -32,7 +33,11 @@ import (
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
)
|
)
|
||||||
|
|
||||||
var errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
|
var (
|
||||||
|
errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
|
||||||
|
errMediaTypePlugin = errors.New("target is a plugin")
|
||||||
|
errRootFSInvalid = errors.New("invalid rootfs in image configuration")
|
||||||
|
)
|
||||||
|
|
||||||
// ImageConfigPullError is an error pulling the image config blob
|
// ImageConfigPullError is an error pulling the image config blob
|
||||||
// (only applies to schema2).
|
// (only applies to schema2).
|
||||||
|
@ -356,6 +361,12 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named) (tagUpdat
|
||||||
return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
|
return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if m, ok := manifest.(*schema2.DeserializedManifest); ok {
|
||||||
|
if strings.HasPrefix(m.Manifest.Config.MediaType, "application/vnd.docker.plugin") {
|
||||||
|
return false, errMediaTypePlugin
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// If manSvc.Get succeeded, we can be confident that the registry on
|
// If manSvc.Get succeeded, we can be confident that the registry on
|
||||||
// the other side speaks the v2 protocol.
|
// the other side speaks the v2 protocol.
|
||||||
p.confirmedV2 = true
|
p.confirmedV2 = true
|
||||||
|
@ -583,6 +594,10 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if unmarshalledConfig.RootFS == nil {
|
||||||
|
return "", "", errRootFSInvalid
|
||||||
|
}
|
||||||
|
|
||||||
// The DiffIDs returned in rootFS MUST match those in the config.
|
// The DiffIDs returned in rootFS MUST match those in the config.
|
||||||
// Otherwise the image config could be referencing layers that aren't
|
// Otherwise the image config could be referencing layers that aren't
|
||||||
// included in the manifest.
|
// included in the manifest.
|
||||||
|
|
|
@ -143,8 +143,7 @@ func Pull(name string, rs registry.Service, metaheader http.Header, authConfig *
|
||||||
logrus.Debugf("pull.go: error in json.Unmarshal(): %v", err)
|
logrus.Debugf("pull.go: error in json.Unmarshal(): %v", err)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if m.Config.MediaType != MediaTypeConfig &&
|
if m.Config.MediaType != MediaTypeConfig {
|
||||||
m.Config.MediaType != "application/vnd.docker.plugin.image.v0+json" {
|
|
||||||
return nil, ErrUnsupportedMediaType
|
return nil, ErrUnsupportedMediaType
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue