kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #33629 from thaJeztah/disable-v1-registry-by-default

Browse source 
Disable legacy (v1) registries by default
This commit is contained in:
Kenfe-Mickaël Laventure 2017-06-12 13:11:34 -04:00 committed by GitHub
commit df33013720
11 changed files with 46 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

6
cmd/dockerd/daemon.go
View file

@ -406,8 +406,12 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
return nil, err return nil, err
} }
if conf.V2Only == false {
logrus.Warnf(`The "disable-legacy-registry" option is deprecated and wil be removed in Docker v17.12. Interacting with legacy (v1) registries will no longer be supported in Docker v17.12"`)
}
if flags.Changed("graph") { if flags.Changed("graph") {
logrus.Warnf(`the "-g / --graph" flag is deprecated. Please use "--data-root" instead`) logrus.Warnf(`The "-g / --graph" flag is deprecated. Please use "--data-root" instead`)
} }
// Labels of the docker engine used to allow multiple values associated with the same key. // Labels of the docker engine used to allow multiple values associated with the same key.

4
cmd/dockerd/daemon_unix_test.go
View file

@ -102,7 +102,7 @@ func TestLoadDaemonConfigWithTrueDefaultValuesLeaveDefaults(t *testing.T) {
} }
func TestLoadDaemonConfigWithLegacyRegistryOptions(t *testing.T) { func TestLoadDaemonConfigWithLegacyRegistryOptions(t *testing.T) {
content := `{"disable-legacy-registry": true}` content := `{"disable-legacy-registry": false}`
tempFile := tempfile.NewTempFile(t, "config", content) tempFile := tempfile.NewTempFile(t, "config", content)
defer tempFile.Remove() defer tempFile.Remove()
@ -110,5 +110,5 @@ func TestLoadDaemonConfigWithLegacyRegistryOptions(t *testing.T) {
loadedConfig, err := loadDaemonCliConfig(opts) loadedConfig, err := loadDaemonCliConfig(opts)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, loadedConfig) require.NotNil(t, loadedConfig)
assert.True(t, loadedConfig.V2Only) assert.False(t, loadedConfig.V2Only)
} }

2
contrib/completion/zsh/_docker
View file

@ -2620,7 +2620,7 @@ __docker_subcommand() {
"($help)--default-gateway-v6[Container default gateway IPv6 address]:IPv6 address: " \ "($help)--default-gateway-v6[Container default gateway IPv6 address]:IPv6 address: " \
"($help)--default-shm-size=[Default shm size for containers]:size:" \ "($help)--default-shm-size=[Default shm size for containers]:size:" \
"($help)*--default-ulimit=[Default ulimits for containers]:ulimit: " \ "($help)*--default-ulimit=[Default ulimits for containers]:ulimit: " \
"($help)--disable-legacy-registry[Disable contacting legacy registries]" \ "($help)--disable-legacy-registry[Disable contacting legacy registries (default true)]" \
"($help)*--dns=[DNS server to use]:DNS: " \ "($help)*--dns=[DNS server to use]:DNS: " \
"($help)*--dns-opt=[DNS options to use]:DNS option: " \ "($help)*--dns-opt=[DNS options to use]:DNS option: " \
"($help)*--dns-search=[DNS search domains to use]:DNS search: " \ "($help)*--dns-search=[DNS search domains to use]:DNS search: " \

2
docs/deprecated.md
View file

@ -292,7 +292,7 @@ of the `--changes` flag that allows to pass `Dockerfile` commands.
**Target For Removal In Release: v17.12** **Target For Removal In Release: v17.12**
Version 1.9 adds a flag (`--disable-legacy-registry=false`) which prevents the Version 1.8.3 added a flag (`--disable-legacy-registry=false`) which prevents the
docker daemon from `pull`, `push`, and `login` operations against v1 docker daemon from `pull`, `push`, and `login` operations against v1
registries. Though enabled by default, this signals the intent to deprecate registries. Though enabled by default, this signals the intent to deprecate
the v1 protocol. the v1 protocol.

15
docs/reference/commandline/dockerd.md
View file

@ -42,7 +42,7 @@ Options:
--default-gateway-v6 ip Container default gateway IPv6 address --default-gateway-v6 ip Container default gateway IPv6 address
--default-runtime string Default OCI runtime for containers (default "runc") --default-runtime string Default OCI runtime for containers (default "runc")
--default-ulimit ulimit Default ulimits for containers (default []) --default-ulimit ulimit Default ulimits for containers (default [])
--disable-legacy-registry Disable contacting legacy registries --disable-legacy-registry Disable contacting legacy registries (default true)
--dns list DNS server to use (default []) --dns list DNS server to use (default [])
--dns-opt list DNS options to use (default []) --dns-opt list DNS options to use (default [])
--dns-search list DNS search domains to use (default []) --dns-search list DNS search domains to use (default [])
@ -901,7 +901,18 @@ system's list of trusted CAs instead of enabling `--insecure-registry`.
##### Legacy Registries ##### Legacy Registries
Enabling `--disable-legacy-registry` forces a docker daemon to only interact with registries which support the V2 protocol. Specifically, the daemon will not attempt `push`, `pull` and `login` to v1 registries. The exception to this is `search` which can still be performed on v1 registries. Operations against registries supporting only the legacy v1 protocol are
disabled by default. Specifically, the daemon will not attempt `push`,
`pull` and `login` to v1 registries. The exception to this is `search`
which can still be performed on v1 registries.
Add `"disable-legacy-registry":false` to the [daemon configuration
file](#daemon-configuration-file), or set the
`--disable-legacy-registry=false` flag, if you need to interact with
registries that have not yet migrated to the v2 protocol.
Interaction v1 registries will no longer be supported in Docker v17.12,
and the `disable-legacy-registry` configuration option will be removed.
#### Running a Docker daemon behind an HTTPS_PROXY #### Running a Docker daemon behind an HTTPS_PROXY

20
integration-cli/docker_cli_logout_test.go
View file

@ -13,6 +13,10 @@ import (
) )
func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C) { func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C) {
// @TODO TestLogoutWithExternalAuth expects docker to fall back to a v1 registry, so has to be updated for v17.12, when v1 registries are no longer supported
s.d.StartWithBusybox(c, "--disable-legacy-registry=false")
osPath := os.Getenv("PATH") osPath := os.Getenv("PATH")
defer os.Setenv("PATH", osPath) defer os.Setenv("PATH", osPath)
@ -28,6 +32,7 @@ func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C)
tmp, err := ioutil.TempDir("", "integration-cli-") tmp, err := ioutil.TempDir("", "integration-cli-")
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
defer os.RemoveAll(tmp)
externalAuthConfig := `{ "credsStore": "shell-test" }` externalAuthConfig := `{ "credsStore": "shell-test" }`
@ -35,24 +40,27 @@ func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C)
err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644) err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL) _, err = s.d.Cmd("--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
c.Assert(err, checker.IsNil)
b, err := ioutil.ReadFile(configPath) b, err := ioutil.ReadFile(configPath)
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":") c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":")
c.Assert(string(b), checker.Contains, privateRegistryURL) c.Assert(string(b), checker.Contains, privateRegistryURL)
dockerCmd(c, "--config", tmp, "tag", "busybox", repoName) _, err = s.d.Cmd("--config", tmp, "tag", "busybox", repoName)
dockerCmd(c, "--config", tmp, "push", repoName) c.Assert(err, checker.IsNil)
_, err = s.d.Cmd("--config", tmp, "push", repoName)
dockerCmd(c, "--config", tmp, "logout", privateRegistryURL) c.Assert(err, checker.IsNil)
_, err = s.d.Cmd("--config", tmp, "logout", privateRegistryURL)
c.Assert(err, checker.IsNil)
b, err = ioutil.ReadFile(configPath) b, err = ioutil.ReadFile(configPath)
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
c.Assert(string(b), checker.Not(checker.Contains), privateRegistryURL) c.Assert(string(b), checker.Not(checker.Contains), privateRegistryURL)
// check I cannot pull anymore // check I cannot pull anymore
out, _, err := dockerCmdWithError("--config", tmp, "pull", repoName) out, err := s.d.Cmd("--config", tmp, "pull", repoName)
c.Assert(err, check.NotNil, check.Commentf(out)) c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, checker.Contains, "Error: image dockercli/busybox:authtest not found") c.Assert(out, checker.Contains, "Error: image dockercli/busybox:authtest not found")
} }

5
integration-cli/docker_cli_pull_test.go
View file

@ -258,10 +258,13 @@ func (s *DockerHubPullSuite) TestPullClientDisconnect(c *check.C) {
} }
func (s *DockerRegistryAuthHtpasswdSuite) TestPullNoCredentialsNotFound(c *check.C) { func (s *DockerRegistryAuthHtpasswdSuite) TestPullNoCredentialsNotFound(c *check.C) {
// @TODO TestPullNoCredentialsNotFound expects docker to fall back to a v1 registry, so has to be updated for v17.12, when v1 registries are no longer supported
s.d.StartWithBusybox(c, "--disable-legacy-registry=false")
// we don't care about the actual image, we just want to see image not found // we don't care about the actual image, we just want to see image not found
// because that means v2 call returned 401 and we fell back to v1 which usually // because that means v2 call returned 401 and we fell back to v1 which usually
// gives a 404 (in this case the test registry doesn't handle v1 at all) // gives a 404 (in this case the test registry doesn't handle v1 at all)
out, _, err := dockerCmdWithError("pull", privateRegistryURL+"/busybox") out, err := s.d.Cmd("pull", privateRegistryURL+"/busybox")
c.Assert(err, check.NotNil, check.Commentf(out)) c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, checker.Contains, "Error: image busybox:latest not found") c.Assert(out, checker.Contains, "Error: image busybox:latest not found")
} }

3
integration-cli/docker_cli_registry_user_agent_test.go
View file

@ -98,8 +98,7 @@ func (s *DockerRegistrySuite) TestUserAgentPassThrough(c *check.C) {
"--insecure-registry", buildReg.URL(), "--insecure-registry", buildReg.URL(),
"--insecure-registry", pullReg.URL(), "--insecure-registry", pullReg.URL(),
"--insecure-registry", pushReg.URL(), "--insecure-registry", pushReg.URL(),
"--insecure-registry", loginReg.URL(), "--insecure-registry", loginReg.URL())
"--disable-legacy-registry=true")
dockerfileName, cleanup1, err := makefile(fmt.Sprintf("FROM %s", buildRepoName)) dockerfileName, cleanup1, err := makefile(fmt.Sprintf("FROM %s", buildRepoName))
c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile")) c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile"))

6
integration-cli/docker_cli_v2_only_test.go
View file

@ -34,7 +34,7 @@ func makefile(contents string) (string, func(), error) {
} }
// TestV2Only ensures that a daemon in v2-only mode does not // TestV2Only ensures that a daemon by default does not
// attempt to contact any v1 registry endpoints. // attempt to contact any v1 registry endpoints.
func (s *DockerRegistrySuite) TestV2Only(c *check.C) { func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
reg, err := registry.NewMock(c) reg, err := registry.NewMock(c)
@ -51,7 +51,7 @@ func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
repoName := fmt.Sprintf("%s/busybox", reg.URL()) repoName := fmt.Sprintf("%s/busybox", reg.URL())
s.d.Start(c, "--insecure-registry", reg.URL(), "--disable-legacy-registry=true") s.d.Start(c, "--insecure-registry", reg.URL())
dockerfileName, cleanup, err := makefile(fmt.Sprintf("FROM %s/busybox", reg.URL())) dockerfileName, cleanup, err := makefile(fmt.Sprintf("FROM %s/busybox", reg.URL()))
c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile")) c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile"))
@ -66,7 +66,7 @@ func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
s.d.Cmd("pull", repoName) s.d.Cmd("pull", repoName)
} }
// TestV1 starts a daemon in 'normal' mode // TestV1 starts a daemon with legacy registries enabled
// and ensure v1 endpoints are hit for the following operations: // and ensure v1 endpoints are hit for the following operations:
// login, push, pull, build & run // login, push, pull, build & run
func (s *DockerRegistrySuite) TestV1(c *check.C) { func (s *DockerRegistrySuite) TestV1(c *check.C) {

2
man/dockerd.8.md
View file

@ -192,7 +192,7 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru
Default ulimits for containers. Default ulimits for containers.
**--disable-legacy-registry**=*true*|*false* **--disable-legacy-registry**=*true*|*false*
Disable contacting legacy registries Disable contacting legacy registries. Default is `true`.
**--dns**="" **--dns**=""
Force Docker to use specific DNS servers Force Docker to use specific DNS servers

2
registry/config_unix.go
View file

@ -21,5 +21,5 @@ func cleanPath(s string) string {
// installCliPlatformFlags handles any platform specific flags for the service. // installCliPlatformFlags handles any platform specific flags for the service.
func (options *ServiceOptions) installCliPlatformFlags(flags *pflag.FlagSet) { func (options *ServiceOptions) installCliPlatformFlags(flags *pflag.FlagSet) {
flags.BoolVar(&options.V2Only, "disable-legacy-registry", false, "Disable contacting legacy registries") flags.BoolVar(&options.V2Only, "disable-legacy-registry", true, "Disable contacting legacy registries")
} }