mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Prevent fallback to v1 registry for digest pulls
The intention of the user is to download a verified image if explicitly pulling with a digest and falling back to v1 registry circumvents that protection. Signed-off-by: Nuutti Kotivuori <naked@iki.fi>
This commit is contained in:
parent
d716f22aad
commit
642e6a3773
2 changed files with 14 additions and 0 deletions
|
@ -88,6 +88,10 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf
|
|||
logrus.Debug("image does not exist on v2 registry, falling back to v1")
|
||||
}
|
||||
|
||||
if utils.DigestReference(tag) {
|
||||
return fmt.Errorf("pulling with digest reference failed from v2 registry")
|
||||
}
|
||||
|
||||
logrus.Debugf("pulling v1 repository with local name %q", repoInfo.LocalName)
|
||||
if err = s.pullRepository(r, imagePullConfig.OutStream, repoInfo, tag, sf, imagePullConfig.Parallel); err != nil {
|
||||
return err
|
||||
|
|
|
@ -115,6 +115,16 @@ func (s *DockerRegistrySuite) TestPullByDigest(c *check.C) {
|
|||
}
|
||||
}
|
||||
|
||||
func (s *DockerRegistrySuite) TestPullByDigestNoFallback(c *check.C) {
|
||||
// pull from the registry using the <name>@<digest> reference
|
||||
imageReference := fmt.Sprintf("%s@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", repoName)
|
||||
cmd := exec.Command(dockerBinary, "pull", imageReference)
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err == nil || !strings.Contains(out, "pulling with digest reference failed from v2 registry") {
|
||||
c.Fatalf("expected non-zero exit status and correct error message when pulling non-existing image: %s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerRegistrySuite) TestCreateByDigest(c *check.C) {
|
||||
pushDigest, err := setupImage()
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in a new issue