package registry
import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"net/url"
	"strings"

	"github.com/Sirupsen/logrus"
	"github.com/docker/distribution/registry/api/v2"
	"github.com/docker/distribution/registry/client/transport"
	registrytypes "github.com/docker/engine-api/types/registry"
)
// lookupIP defaults to net.LookupIP and is held in a package-level variable
// so that unit tests can substitute a mock resolver.
var lookupIP = net.LookupIP
// scanForAPIVersion looks at the last path segment of address (after dropping
// one trailing "/") and compares it with the names in apiVersions.
//
// When the segment names a known version, it returns the address with that
// segment removed together with the matching APIVersion. Otherwise it returns
// the address (minus the trailing "/") and APIVersionUnknown.
func scanForAPIVersion(address string) (string, APIVersion) {
	address = strings.TrimSuffix(address, "/")

	// Split once at the final "/": prefix is everything before it, last is the
	// candidate version segment. Without any "/" the whole address is the
	// candidate and the prefix is empty.
	prefix, last := "", address
	if i := strings.LastIndex(address, "/"); i >= 0 {
		prefix, last = address[:i], address[i+1:]
	}

	for version, name := range apiVersions {
		if name == last {
			return prefix, version
		}
	}
	return address, APIVersionUnknown
}
// NewEndpoint builds a registry endpoint for index and validates it by
// pinging the registry (see validateEndpoint).
//
// The TLS configuration is derived from index.Name and index.Secure. When v is
// not APIVersionUnknown it overrides the API version detected from the
// address. Any error from TLS setup, address parsing or validation is returned
// unchanged and no endpoint is returned.
func NewEndpoint(index *registrytypes.IndexInfo, metaHeaders http.Header, v APIVersion) (*Endpoint, error) {
	cfg, err := newTLSConfig(index.Name, index.Secure)
	if err != nil {
		return nil, err
	}

	ep, err := newEndpoint(GetAuthConfigKey(index), cfg, metaHeaders)
	if err != nil {
		return nil, err
	}

	// An explicitly requested version wins over the one found in the address.
	if v != APIVersionUnknown {
		ep.Version = v
	}

	err = validateEndpoint(ep)
	if err != nil {
		return nil, err
	}
	return ep, nil
}
// validateEndpoint pings the registry to check that the endpoint is usable,
// rewriting endpoint.URL.Scheme as a side effect.
//
// HTTPS is always tried first. If that fails and the endpoint is secure
// (endpoint.IsSecure), the error is returned: unknown CA certificates are not
// accepted and there is no fallback to HTTP. Only an endpoint marked insecure
// is retried over plain HTTP; when that retry succeeds the scheme is left as
// "http", so later requests built from endpoint.URL are unencrypted.
func validateEndpoint(endpoint *Endpoint) error {
	logrus.Debugf("pinging registry endpoint %s", endpoint)

	// Try HTTPS ping to registry.
	endpoint.URL.Scheme = "https"
	_, httpsErr := endpoint.Ping()
	if httpsErr == nil {
		return nil
	}

	if endpoint.IsSecure {
		// Secure registry and HTTPS failed: report the error and mention
		// `--insecure-registry` in case that is what the user needs.
		// DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
		return fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, httpsErr, endpoint.URL.Host, endpoint.URL.Host)
	}

	// Insecure registry and HTTPS failed: fall back to HTTP.
	logrus.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, httpsErr)
	endpoint.URL.Scheme = "http"
	_, httpErr := endpoint.Ping()
	if httpErr == nil {
		return nil
	}

	return fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, httpsErr, httpErr)
}
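// newEndpoint builds an Endpoint for address without contacting the registry.
//
// An address that does not start with "http://" or "https://" is given an
// "https://" prefix. A trailing API version segment is split off by
// scanForAPIVersion and stored in Version. IsSecure is true when tlsConfig is
// nil or does not set InsecureSkipVerify. The HTTP client wraps a transport
// built from tlsConfig and adds the headers produced by
// DockerHeaders(metaHeaders).
//
// It returns an error only when the resulting address cannot be parsed as a
// URL.
func newEndpoint(address string, tlsConfig *tls.Config, metaHeaders http.Header) (*Endpoint, error) {
	// Match the full scheme separator rather than the bare "http" prefix: a
	// host name that merely begins with "http" (constructed example:
	// "httpd.example.com:5000") would otherwise reach url.Parse without a
	// scheme and end up with an empty Host.
	if !strings.HasPrefix(address, "http://") && !strings.HasPrefix(address, "https://") {
		address = "https://" + address
	}

	trimmedAddress, version := scanForAPIVersion(address)
	parsed, err := url.Parse(trimmedAddress)
	if err != nil {
		return nil, err
	}

	endpoint := &Endpoint{
		URL:     parsed,
		Version: version,
		// Certificate verification is on unless the TLS config explicitly
		// disables it; validateEndpoint uses this to decide whether an HTTP
		// fallback is permitted.
		IsSecure: tlsConfig == nil || !tlsConfig.InsecureSkipVerify,
	}

	// TODO(tiborvass): make sure a ConnectTimeout transport is used
	tr := NewTransport(tlsConfig)
	endpoint.client = HTTPClient(transport.NewTransport(tr, DockerHeaders(metaHeaders)...))
	return endpoint, nil
}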
// Endpoint stores basic information about a registry endpoint.
type Endpoint struct {
	// client performs the ping requests issued by pingV1 and pingV2.
	client *http.Client
	// URL is the registry base address; validateEndpoint rewrites its Scheme
	// to "https" or "http" while probing.
	URL *url.URL
	// Version is the registry API version; Ping updates it while probing.
	Version APIVersion
	// IsSecure is set by newEndpoint: true when no TLS config was supplied or
	// the config keeps certificate verification enabled. A secure endpoint is
	// never retried over plain HTTP.
	IsSecure bool
	// AuthChallenges is filled by pingV2 from the response headers when the
	// registry answers with 401 Unauthorized.
	AuthChallenges []*AuthorizationChallenge
	// URLBuilder is not assigned by the constructors in this file section;
	// presumably set by v2 callers — TODO confirm.
	URLBuilder *v2.URLBuilder
}
// String returns the formatted URL for the root of this registry Endpoint,
// in the form "<URL>/v<Version>/".
func (e *Endpoint) String() string {
	// Same layout as VersionString, applied to the endpoint's own version.
	return e.VersionString(e.Version)
}
// VersionString formats this endpoint's address for the given API version,
// in the form "<URL>/v<version>/". The endpoint's own Version is not used.
func (e *Endpoint) VersionString(version APIVersion) string {
	const layout = "%s/v%d/"
	return fmt.Sprintf(layout, e.URL, version)
}
// Path returns the endpoint URL with its version prefix and the given path
// appended: "<URL>/v<Version>/<path>". The path is inserted as given; no
// escaping is applied here.
func (e *Endpoint) Path(path string) string {
	root := fmt.Sprintf("%s/v%d/", e.URL, e.Version)
	return root + path
}
// Ping contacts the remote endpoint to determine which registry API it
// speaks and returns the resulting PingResult.
//
// When e.Version is already APIVersion1 or APIVersion2 only that ping is
// performed. Otherwise v2 is tried first, then v1. e.Version is changed while
// probing: it is left at the version whose ping succeeded, or reset to
// APIVersionUnknown when both fail, in which case the error carries both
// failure messages.
func (e *Endpoint) Ping() (PingResult, error) {
	// A known version selects its ping logic directly.
	if e.Version == APIVersion1 {
		return e.pingV1()
	}
	if e.Version == APIVersion2 {
		return e.pingV2()
	}

	// APIVersionUnknown: probe v2 first ...
	e.Version = APIVersion2
	result, errV2 := e.pingV2()
	if errV2 == nil {
		return result, nil
	}

	// ... then fall back to v1.
	e.Version = APIVersion1
	result, errV1 := e.pingV1()
	if errV1 == nil {
		return result, nil
	}

	// Neither worked; restore the unknown state before formatting the error,
	// since the message includes e.String().
	e.Version = APIVersionUnknown
	return PingResult{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1)
}
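// pingV1 sends a GET to the endpoint's v1 "_ping" path and builds a
// PingResult from the JSON body and the X-Docker-Registry-Version and
// X-Docker-Registry-Standalone response headers.
//
// The endpoint equal to IndexServer is never contacted; it is reported as
// non-standalone. An undecodable body is logged and ignored. Standalone
// defaults to true and is only cleared when the standalone header is present
// with a value other than "true" (case-insensitive) or "1".
//
// Both the body and the headers are supplied by the remote registry and are
// treated as untrusted: the body read is capped so that an oversized response
// cannot exhaust memory.
//
// NOTE(review): the HTTP status code of the response is not inspected here.
func (e *Endpoint) pingV1() (PingResult, error) {
	// Upper bound on the number of body bytes buffered from the registry.
	// A longer body is truncated, fails to decode and falls back to the
	// defaults below.
	const maxPingBodySize = 1 << 20 // 1 MiB

	logrus.Debugf("attempting v1 ping for registry endpoint %s", e)

	if e.String() == IndexServer {
		// Skip the check, we know this one is valid
		// (and we never want to fallback to http in case of error)
		return PingResult{Standalone: false}, nil
	}

	req, err := http.NewRequest("GET", e.Path("_ping"), nil)
	if err != nil {
		return PingResult{Standalone: false}, err
	}

	resp, err := e.client.Do(req)
	if err != nil {
		return PingResult{Standalone: false}, err
	}
	defer resp.Body.Close()

	jsonString, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxPingBodySize))
	if err != nil {
		return PingResult{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)
	}

	// If the header is absent, we assume true for compatibility with earlier
	// versions of the registry. default to true
	info := PingResult{
		Standalone: true,
	}
	if err := json.Unmarshal(jsonString, &info); err != nil {
		logrus.Debugf("Error unmarshalling the _ping PingResult: %s", err)
		// don't stop here. Just assume sane defaults
	}

	// A version header, when present, overrides the version from the body.
	if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
		logrus.Debugf("Registry version header: '%s'", hdr)
		info.Version = hdr
	}
	logrus.Debugf("PingResult.Version: %q", info.Version)

	standalone := resp.Header.Get("X-Docker-Registry-Standalone")
	logrus.Debugf("Registry standalone header: '%s'", standalone)
	// Accepted values are "true" (case-insensitive) and "1".
	if strings.EqualFold(standalone, "true") || standalone == "1" {
		info.Standalone = true
	} else if len(standalone) > 0 {
		// there is a header set, and it is not "true" or "1", so assume fails
		info.Standalone = false
	}
	logrus.Debugf("PingResult.Standalone: %t", info.Standalone)
	return info, nil
}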
// pingV2 sends a GET to the endpoint's v2 root path and checks that the
// registry advertises the v2 API.
//
// The response must carry "registry/2.0" in a Docker-Distribution-API-Version
// header; otherwise an error is returned. With 200 OK the registry is reported
// as standalone. With 401 Unauthorized the challenges parsed from the response
// headers are stored in e.AuthChallenges and an empty PingResult is returned.
// Any other status is an error. The response body is not read.
func (e *Endpoint) pingV2() (PingResult, error) {
	logrus.Debugf("attempting v2 ping for registry endpoint %s", e)

	req, err := http.NewRequest("GET", e.Path(""), nil)
	if err != nil {
		return PingResult{}, err
	}

	resp, err := e.client.Do(req)
	if err != nil {
		return PingResult{}, err
	}
	defer resp.Body.Close()

	// The endpoint may list several supported versions, spread over repeated
	// headers and whitespace-separated within each value. Ensure the v2
	// Registry API is among them.
	versionHeader := http.CanonicalHeaderKey("Docker-Distribution-API-Version")
	supportsV2 := false
	for _, headerValue := range resp.Header[versionHeader] {
		for _, name := range strings.Fields(headerValue) {
			if name == "registry/2.0" {
				supportsV2 = true
				break
			}
		}
		if supportsV2 {
			break
		}
	}
	if !supportsV2 {
		return PingResult{}, fmt.Errorf("%s does not appear to be a v2 registry endpoint", e)
	}

	switch resp.StatusCode {
	case http.StatusOK:
		// It would seem that no authentication/authorization is required,
		// so there are no authorization schemes to parse or add.
		return PingResult{Standalone: true}, nil
	case http.StatusUnauthorized:
		// Parse the WWW-Authenticate header and keep the challenges on this
		// endpoint object.
		e.AuthChallenges = parseAuthHeader(resp.Header)
		return PingResult{}, nil
	}

	return PingResult{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))
}