package registry import ( "fmt" "net" "net/url" "regexp" "strconv" "strings" "github.com/docker/distribution/reference" registrytypes "github.com/docker/docker/api/types/registry" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) // ServiceOptions holds command line options. type ServiceOptions struct { AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"` Mirrors []string `json:"registry-mirrors,omitempty"` InsecureRegistries []string `json:"insecure-registries,omitempty"` // V2Only controls access to legacy registries. If it is set to true via the // command line flag the daemon will not attempt to contact v1 legacy registries V2Only bool `json:"disable-legacy-registry,omitempty"` } // serviceConfig holds daemon configuration for the registry service. type serviceConfig struct { registrytypes.ServiceConfig V2Only bool } var ( // DefaultNamespace is the default namespace DefaultNamespace = "docker.io" // DefaultRegistryVersionHeader is the name of the default HTTP header // that carries Registry version info DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version" // IndexHostname is the index hostname IndexHostname = "index.docker.io" // IndexServer is used for user auth and image search IndexServer = "https://" + IndexHostname + "/v1/" // IndexName is the name of the index IndexName = "docker.io" // NotaryServer is the endpoint serving the Notary trust server NotaryServer = "https://notary.docker.io" // DefaultV2Registry is the URI of the default v2 registry DefaultV2Registry = &url.URL{ Scheme: "https", Host: "registry-1.docker.io", } ) var ( // ErrInvalidRepositoryName is an error returned if the repository name did // not have the correct form ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")") emptyServiceConfig, _ = newServiceConfig(ServiceOptions{}) ) var ( validHostPortRegex = regexp.MustCompile(`^` + reference.DomainRegexp.String() + `$`) ) // for mocking in unit tests var lookupIP = net.LookupIP // newServiceConfig returns a new instance of ServiceConfig func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { config := &serviceConfig{ ServiceConfig: registrytypes.ServiceConfig{ InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), IndexConfigs: make(map[string]*registrytypes.IndexInfo), // Hack: Bypass setting the mirrors to IndexConfigs since they are going away // and Mirrors are only for the official registry anyways. }, V2Only: options.V2Only, } if err := config.LoadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts); err != nil { return nil, err } if err := config.LoadMirrors(options.Mirrors); err != nil { return nil, err } if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { return nil, err } return config, nil } // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { cidrs := map[string]*registrytypes.NetIPNet{} hostnames := map[string]bool{} for _, r := range registries { if _, err := ValidateIndexName(r); err != nil { return err } if validateNoScheme(r) != nil { return fmt.Errorf("allow-nondistributable-artifacts registry %s should not contain '://'", r) } if _, ipnet, err := net.ParseCIDR(r); err == nil { // Valid CIDR. cidrs[ipnet.String()] = (*registrytypes.NetIPNet)(ipnet) } else if err := validateHostPort(r); err == nil { // Must be `host:port` if not CIDR. hostnames[r] = true } else { return fmt.Errorf("allow-nondistributable-artifacts registry %s is not valid: %v", r, err) } } config.AllowNondistributableArtifactsCIDRs = make([]*(registrytypes.NetIPNet), 0) for _, c := range cidrs { config.AllowNondistributableArtifactsCIDRs = append(config.AllowNondistributableArtifactsCIDRs, c) } config.AllowNondistributableArtifactsHostnames = make([]string, 0) for h := range hostnames { config.AllowNondistributableArtifactsHostnames = append(config.AllowNondistributableArtifactsHostnames, h) } return nil } // LoadMirrors loads mirrors to config, after removing duplicates. // Returns an error if mirrors contains an invalid mirror. func (config *serviceConfig) LoadMirrors(mirrors []string) error { mMap := map[string]struct{}{} unique := []string{} for _, mirror := range mirrors { m, err := ValidateMirror(mirror) if err != nil { return err } if _, exist := mMap[m]; !exist { mMap[m] = struct{}{} unique = append(unique, m) } } config.Mirrors = unique // Configure public registry since mirrors may have changed. config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{ Name: IndexName, Mirrors: config.Mirrors, Secure: true, Official: true, } return nil } // LoadInsecureRegistries loads insecure registries to config func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { // Localhost is by default considered as an insecure registry // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker). // // TODO: should we deprecate this once it is easier for people to set up a TLS registry or change // daemon flags on boot2docker? registries = append(registries, "127.0.0.0/8") // Store original InsecureRegistryCIDRs and IndexConfigs // Clean InsecureRegistryCIDRs and IndexConfigs in config, as passed registries has all insecure registry info. originalCIDRs := config.ServiceConfig.InsecureRegistryCIDRs originalIndexInfos := config.ServiceConfig.IndexConfigs config.ServiceConfig.InsecureRegistryCIDRs = make([]*registrytypes.NetIPNet, 0) config.ServiceConfig.IndexConfigs = make(map[string]*registrytypes.IndexInfo) skip: for _, r := range registries { // validate insecure registry if _, err := ValidateIndexName(r); err != nil { // before returning err, roll back to original data config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs config.ServiceConfig.IndexConfigs = originalIndexInfos return err } if strings.HasPrefix(strings.ToLower(r), "http://") { logrus.Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r) r = r[7:] } else if strings.HasPrefix(strings.ToLower(r), "https://") { logrus.Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r) r = r[8:] } else if validateNoScheme(r) != nil { // Insecure registry should not contain '://' // before returning err, roll back to original data config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs config.ServiceConfig.IndexConfigs = originalIndexInfos return fmt.Errorf("insecure registry %s should not contain '://'", r) } // Check if CIDR was passed to --insecure-registry _, ipnet, err := net.ParseCIDR(r) if err == nil { // Valid CIDR. If ipnet is already in config.InsecureRegistryCIDRs, skip. data := (*registrytypes.NetIPNet)(ipnet) for _, value := range config.InsecureRegistryCIDRs { if value.IP.String() == data.IP.String() && value.Mask.String() == data.Mask.String() { continue skip } } // ipnet is not found, add it in config.InsecureRegistryCIDRs config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, data) } else { if err := validateHostPort(r); err != nil { config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs config.ServiceConfig.IndexConfigs = originalIndexInfos return fmt.Errorf("insecure registry %s is not valid: %v", r, err) } // Assume `host:port` if not CIDR. config.IndexConfigs[r] = ®istrytypes.IndexInfo{ Name: r, Mirrors: make([]string, 0), Secure: false, Official: false, } } } // Configure public registry. config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{ Name: IndexName, Mirrors: config.Mirrors, Secure: true, Official: true, } return nil } // allowNondistributableArtifacts returns true if the provided hostname is part of the list of registries // that allow push of nondistributable artifacts. // // The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP // of the registry specified by hostname, true is returned. // // hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name // or an IP address. If it is a domain name, then it will be resolved to IP addresses for matching. If // resolution fails, CIDR matching is not performed. func allowNondistributableArtifacts(config *serviceConfig, hostname string) bool { for _, h := range config.AllowNondistributableArtifactsHostnames { if h == hostname { return true } } return isCIDRMatch(config.AllowNondistributableArtifactsCIDRs, hostname) } // isSecureIndex returns false if the provided indexName is part of the list of insecure registries // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs. // // The list of insecure registries can contain an element with CIDR notation to specify a whole subnet. // If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered // insecure. // // indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name // or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained // in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element // of insecureRegistries. func isSecureIndex(config *serviceConfig, indexName string) bool { // Check for configured index, first. This is needed in case isSecureIndex // is called from anything besides newIndexInfo, in order to honor per-index configurations. if index, ok := config.IndexConfigs[indexName]; ok { return index.Secure } return !isCIDRMatch(config.InsecureRegistryCIDRs, indexName) } // isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`) // where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be // resolved to IP addresses for matching. If resolution fails, false is returned. func isCIDRMatch(cidrs []*registrytypes.NetIPNet, URLHost string) bool { host, _, err := net.SplitHostPort(URLHost) if err != nil { // Assume URLHost is of the form `host` without the port and go on. host = URLHost } addrs, err := lookupIP(host) if err != nil { ip := net.ParseIP(host) if ip != nil { addrs = []net.IP{ip} } // if ip == nil, then `host` is neither an IP nor it could be looked up, // either because the index is unreachable, or because the index is behind an HTTP proxy. // So, len(addrs) == 0 and we're not aborting. } // Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined. for _, addr := range addrs { for _, ipnet := range cidrs { // check if the addr falls in the subnet if (*net.IPNet)(ipnet).Contains(addr) { return true } } } return false } // ValidateMirror validates an HTTP(S) registry mirror func ValidateMirror(val string) (string, error) { uri, err := url.Parse(val) if err != nil { return "", fmt.Errorf("invalid mirror: %q is not a valid URI", val) } if uri.Scheme != "http" && uri.Scheme != "https" { return "", fmt.Errorf("invalid mirror: unsupported scheme %q in %q", uri.Scheme, uri) } if (uri.Path != "" && uri.Path != "/") || uri.RawQuery != "" || uri.Fragment != "" { return "", fmt.Errorf("invalid mirror: path, query, or fragment at end of the URI %q", uri) } if uri.User != nil { // strip password from output uri.User = url.UserPassword(uri.User.Username(), "xxxxx") return "", fmt.Errorf("invalid mirror: username/password not allowed in URI %q", uri) } return strings.TrimSuffix(val, "/") + "/", nil } // ValidateIndexName validates an index name. func ValidateIndexName(val string) (string, error) { // TODO: upstream this to check to reference package if val == "index.docker.io" { val = "docker.io" } if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") { return "", fmt.Errorf("invalid index name (%s). Cannot begin or end with a hyphen", val) } return val, nil } func validateNoScheme(reposName string) error { if strings.Contains(reposName, "://") { // It cannot contain a scheme! return ErrInvalidRepositoryName } return nil } func validateHostPort(s string) error { // Split host and port, and in case s can not be splitted, assume host only host, port, err := net.SplitHostPort(s) if err != nil { host = s port = "" } // If match against the `host:port` pattern fails, // it might be `IPv6:port`, which will be captured by net.ParseIP(host) if !validHostPortRegex.MatchString(s) && net.ParseIP(host) == nil { return fmt.Errorf("invalid host %q", host) } if port != "" { v, err := strconv.Atoi(port) if err != nil { return err } if v < 0 || v > 65535 { return fmt.Errorf("invalid port %q", port) } } return nil } // newIndexInfo returns IndexInfo configuration from indexName func newIndexInfo(config *serviceConfig, indexName string) (*registrytypes.IndexInfo, error) { var err error indexName, err = ValidateIndexName(indexName) if err != nil { return nil, err } // Return any configured index info, first. if index, ok := config.IndexConfigs[indexName]; ok { return index, nil } // Construct a non-configured index info. index := ®istrytypes.IndexInfo{ Name: indexName, Mirrors: make([]string, 0), Official: false, } index.Secure = isSecureIndex(config, indexName) return index, nil } // GetAuthConfigKey special-cases using the full index address of the official // index as the AuthConfig key, and uses the (host)name[:port] for private indexes. func GetAuthConfigKey(index *registrytypes.IndexInfo) string { if index.Official { return IndexServer } return index.Name } // newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) { index, err := newIndexInfo(config, reference.Domain(name)) if err != nil { return nil, err } official := !strings.ContainsRune(reference.FamiliarName(name), '/') return &RepositoryInfo{ Name: reference.TrimNamed(name), Index: index, Official: official, }, nil } // ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but // lacks registry configuration. func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) { return newRepositoryInfo(emptyServiceConfig, reposName) } // ParseSearchIndexInfo will use repository name to get back an indexInfo. func ParseSearchIndexInfo(reposName string) (*registrytypes.IndexInfo, error) { indexName, _ := splitReposSearchTerm(reposName) indexInfo, err := newIndexInfo(emptyServiceConfig, indexName) if err != nil { return nil, err } return indexInfo, nil }