568f86eb |
package registry
import ( |
6f0068f2 |
"errors" |
568f86eb |
"fmt"
"net"
"net/url" |
6f0068f2 |
"strings" |
568f86eb |
"github.com/docker/docker/opts"
flag "github.com/docker/docker/pkg/mflag" |
2655954c |
"github.com/docker/docker/reference" |
907407d0 |
registrytypes "github.com/docker/engine-api/types/registry" |
568f86eb |
)
|
59586d02 |
// ServiceOptions holds command line options.
type ServiceOptions struct {
Mirrors []string `json:"registry-mirrors,omitempty"`
InsecureRegistries []string `json:"insecure-registries,omitempty"`
// V2Only controls access to legacy registries. If it is set to true via the
// command line flag the daemon will not attempt to contact v1 legacy registries
V2Only bool `json:"disable-legacy-registry,omitempty"`
}
// serviceConfig holds daemon configuration for the registry service.
type serviceConfig struct {
registrytypes.ServiceConfig
V2Only bool |
568f86eb |
}
|
79db131a |
var ( |
831b0030 |
// DefaultNamespace is the default namespace
DefaultNamespace = "docker.io"
// DefaultRegistryVersionHeader is the name of the default HTTP header
// that carries Registry version info
DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
// IndexServer is the v1 registry server used for user auth + account creation |
79db131a |
IndexServer = DefaultV1Registry.String() + "/v1/" |
831b0030 |
// IndexName is the name of the index
IndexName = "docker.io"
// NotaryServer is the endpoint serving the Notary trust server
NotaryServer = "https://notary.docker.io"
|
87535ca2 |
// DefaultV1Registry is the URI of the default v1 registry
DefaultV1Registry = &url.URL{
Scheme: "https",
Host: "index.docker.io",
}
// DefaultV2Registry is the URI of the default v2 registry
DefaultV2Registry = &url.URL{
Scheme: "https",
Host: "registry-1.docker.io",
} |
831b0030 |
)
|
6f0068f2 |
var ( |
4fcb9ac4 |
// ErrInvalidRepositoryName is an error returned if the repository name did
// not have the correct form |
6f0068f2 |
ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")") |
4fcb9ac4 |
|
59586d02 |
emptyServiceConfig = newServiceConfig(ServiceOptions{}) |
6f0068f2 |
)
|
f2d481a2 |
// for mocking in unit tests
var lookupIP = net.LookupIP
|
59586d02 |
// InstallCliFlags adds command-line options to the top-level flag parser for |
568f86eb |
// the current process. |
59586d02 |
func (options *ServiceOptions) InstallCliFlags(cmd *flag.FlagSet, usageFn func(string) string) {
mirrors := opts.NewNamedListOptsRef("registry-mirrors", &options.Mirrors, ValidateMirror)
cmd.Var(mirrors, []string{"-registry-mirror"}, usageFn("Preferred Docker registry mirror")) |
568f86eb |
|
59586d02 |
insecureRegistries := opts.NewNamedListOptsRef("insecure-registries", &options.InsecureRegistries, ValidateIndexName)
cmd.Var(insecureRegistries, []string{"-insecure-registry"}, usageFn("Enable insecure registry communication"))
cmd.BoolVar(&options.V2Only, []string{"-disable-legacy-registry"}, false, usageFn("Do not contact legacy registries"))
} |
568f86eb |
|
59586d02 |
// newServiceConfig returns a new instance of ServiceConfig
func newServiceConfig(options ServiceOptions) *serviceConfig { |
568f86eb |
// Localhost is by default considered as an insecure registry
// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
//
// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
// daemon flags on boot2docker? |
59586d02 |
options.InsecureRegistries = append(options.InsecureRegistries, "127.0.0.0/8")
config := &serviceConfig{
ServiceConfig: registrytypes.ServiceConfig{
InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
IndexConfigs: make(map[string]*registrytypes.IndexInfo, 0),
// Hack: Bypass setting the mirrors to IndexConfigs since they are going away
// and Mirrors are only for the official registry anyways.
Mirrors: options.Mirrors,
},
V2Only: options.V2Only, |
568f86eb |
}
// Split --insecure-registry into CIDR and registry-specific settings. |
59586d02 |
for _, r := range options.InsecureRegistries { |
568f86eb |
// Check if CIDR was passed to --insecure-registry
_, ipnet, err := net.ParseCIDR(r)
if err == nil {
// Valid CIDR. |
96c10098 |
config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, (*registrytypes.NetIPNet)(ipnet)) |
568f86eb |
} else {
// Assume `host:port` if not CIDR. |
96c10098 |
config.IndexConfigs[r] = ®istrytypes.IndexInfo{ |
568f86eb |
Name: r,
Mirrors: make([]string, 0),
Secure: false,
Official: false,
}
}
}
// Configure public registry. |
96c10098 |
config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{ |
4fcb9ac4 |
Name: IndexName, |
19515a7a |
Mirrors: config.Mirrors, |
568f86eb |
Secure: true,
Official: true,
}
return config
} |
6f0068f2 |
// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
//
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
// insecure.
//
// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
// of insecureRegistries. |
59586d02 |
func isSecureIndex(config *serviceConfig, indexName string) bool { |
6f0068f2 |
// Check for configured index, first. This is needed in case isSecureIndex |
96c10098 |
// is called from anything besides newIndexInfo, in order to honor per-index configurations. |
6f0068f2 |
if index, ok := config.IndexConfigs[indexName]; ok {
return index.Secure
}
host, _, err := net.SplitHostPort(indexName)
if err != nil {
// assume indexName is of the form `host` without the port and go on.
host = indexName
}
addrs, err := lookupIP(host)
if err != nil {
ip := net.ParseIP(host)
if ip != nil {
addrs = []net.IP{ip}
}
// if ip == nil, then `host` is neither an IP nor it could be looked up,
// either because the index is unreachable, or because the index is behind an HTTP proxy.
// So, len(addrs) == 0 and we're not aborting.
}
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
for _, addr := range addrs {
for _, ipnet := range config.InsecureRegistryCIDRs {
// check if the addr falls in the subnet
if (*net.IPNet)(ipnet).Contains(addr) {
return false
}
}
}
return true
}
// ValidateMirror validates an HTTP(S) registry mirror
func ValidateMirror(val string) (string, error) {
uri, err := url.Parse(val)
if err != nil {
return "", fmt.Errorf("%s is not a valid URI", val)
}
if uri.Scheme != "http" && uri.Scheme != "https" {
return "", fmt.Errorf("Unsupported scheme %s", uri.Scheme)
}
if uri.Path != "" || uri.RawQuery != "" || uri.Fragment != "" {
return "", fmt.Errorf("Unsupported path/query/fragment at end of the URI")
}
|
13deed38 |
return fmt.Sprintf("%s://%s/", uri.Scheme, uri.Host), nil |
6f0068f2 |
}
// ValidateIndexName validates an index name.
func ValidateIndexName(val string) (string, error) { |
ffded61d |
if val == reference.LegacyDefaultHostname {
val = reference.DefaultHostname |
6f0068f2 |
} |
e00cfbb6 |
if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
return "", fmt.Errorf("Invalid index name (%s). Cannot begin or end with a hyphen.", val)
} |
6f0068f2 |
return val, nil
}
func validateNoSchema(reposName string) error {
if strings.Contains(reposName, "://") {
// It cannot contain a scheme!
return ErrInvalidRepositoryName
}
return nil
}
|
96c10098 |
// newIndexInfo returns IndexInfo configuration from indexName |
59586d02 |
func newIndexInfo(config *serviceConfig, indexName string) (*registrytypes.IndexInfo, error) { |
6f0068f2 |
var err error
indexName, err = ValidateIndexName(indexName)
if err != nil {
return nil, err
}
// Return any configured index info, first.
if index, ok := config.IndexConfigs[indexName]; ok {
return index, nil
}
// Construct a non-configured index info. |
96c10098 |
index := ®istrytypes.IndexInfo{ |
6f0068f2 |
Name: indexName,
Mirrors: make([]string, 0),
Official: false,
} |
96c10098 |
index.Secure = isSecureIndex(config, indexName) |
6f0068f2 |
return index, nil
}
// GetAuthConfigKey special-cases using the full index address of the official
// index as the AuthConfig key, and uses the (host)name[:port] for private indexes. |
96c10098 |
func GetAuthConfigKey(index *registrytypes.IndexInfo) string { |
6f0068f2 |
if index.Official { |
4fcb9ac4 |
return IndexServer |
6f0068f2 |
}
return index.Name
}
|
96c10098 |
// newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo |
59586d02 |
func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) { |
ffded61d |
index, err := newIndexInfo(config, name.Hostname()) |
6f0068f2 |
if err != nil {
return nil, err
} |
ffded61d |
official := !strings.ContainsRune(name.Name(), '/')
return &RepositoryInfo{name, index, official}, nil |
6f0068f2 |
}
// ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
// lacks registry configuration. |
4352da78 |
func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) { |
96c10098 |
return newRepositoryInfo(emptyServiceConfig, reposName) |
f04e8fdb |
}
|
4352da78 |
// ParseSearchIndexInfo will use repository name to get back an indexInfo. |
96c10098 |
func ParseSearchIndexInfo(reposName string) (*registrytypes.IndexInfo, error) { |
4352da78 |
indexName, _ := splitReposSearchTerm(reposName) |
f04e8fdb |
|
96c10098 |
indexInfo, err := newIndexInfo(emptyServiceConfig, indexName) |
f04e8fdb |
if err != nil {
return nil, err
}
return indexInfo, nil |
6f0068f2 |
} |