1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Prevent fallback to v1 registry for digest pulls

The intention of the user is to download a verified image if explicitly
pulling with a digest and falling back to v1 registry circumvents that
protection.

Signed-off-by: Nuutti Kotivuori <naked@iki.fi>
This commit is contained in:
Nuutti Kotivuori 2015-04-29 22:29:50 +03:00
parent d716f22aad
commit 642e6a3773
2 changed files with 14 additions and 0 deletions

View file

@ -88,6 +88,10 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf
logrus.Debug("image does not exist on v2 registry, falling back to v1")
}
if utils.DigestReference(tag) {
return fmt.Errorf("pulling with digest reference failed from v2 registry")
}
logrus.Debugf("pulling v1 repository with local name %q", repoInfo.LocalName)
if err = s.pullRepository(r, imagePullConfig.OutStream, repoInfo, tag, sf, imagePullConfig.Parallel); err != nil {
return err

View file

@ -115,6 +115,16 @@ func (s *DockerRegistrySuite) TestPullByDigest(c *check.C) {
}
}
func (s *DockerRegistrySuite) TestPullByDigestNoFallback(c *check.C) {
// pull from the registry using the <name>@<digest> reference
imageReference := fmt.Sprintf("%s@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", repoName)
cmd := exec.Command(dockerBinary, "pull", imageReference)
out, _, err := runCommandWithOutput(cmd)
if err == nil || !strings.Contains(out, "pulling with digest reference failed from v2 registry") {
c.Fatalf("expected non-zero exit status and correct error message when pulling non-existing image: %s", out)
}
}
func (s *DockerRegistrySuite) TestCreateByDigest(c *check.C) {
pushDigest, err := setupImage()
if err != nil {