@@ -21,7 +21,7 @@ import (

 //

 // Usage: docker login SERVER

 func (cli *DockerCli) CmdLogin(args ...string) error {

-	cmd := cli.Subcmd("login", []string{"[SERVER]"}, "Register or log in to a Docker registry server, if no server is\nspecified \""+registry.IndexServerAddress()+"\" is the default.", true)

+	cmd := cli.Subcmd("login", []string{"[SERVER]"}, "Register or log in to a Docker registry server, if no server is\nspecified \""+registry.INDEXSERVER+"\" is the default.", true)

 	cmd.Require(flag.Max, 1)

 	var username, password, email string

@@ -32,7 +32,7 @@ func (cli *DockerCli) CmdLogin(args ...string) error {

 	cmd.ParseFlags(args, true)

-	serverAddress := registry.IndexServerAddress()

+	serverAddress := registry.INDEXSERVER

 	if len(cmd.Args()) > 0 {

 		serverAddress = cmd.Arg(0)

 	}

@@ -13,12 +13,12 @@ import (

 //

 // Usage: docker logout [SERVER]

 func (cli *DockerCli) CmdLogout(args ...string) error {

-	cmd := cli.Subcmd("logout", []string{"[SERVER]"}, "Log out from a Docker registry, if no server is\nspecified \""+registry.IndexServerAddress()+"\" is the default.", true)

+	cmd := cli.Subcmd("logout", []string{"[SERVER]"}, "Log out from a Docker registry, if no server is\nspecified \""+registry.INDEXSERVER+"\" is the default.", true)

 	cmd.Require(flag.Max, 1)

 	cmd.ParseFlags(args, true)

-	serverAddress := registry.IndexServerAddress()

+	serverAddress := registry.INDEXSERVER

 	if len(cmd.Args()) > 0 {

 		serverAddress = cmd.Arg(0)

 	}

@@ -74,7 +74,7 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {

 		NEventsListener:    daemon.EventsService.SubscribersCount(),

 		KernelVersion:      kernelVersion,

 		OperatingSystem:    operatingSystem,

-		IndexServerAddress: registry.IndexServerAddress(),

+		IndexServerAddress: registry.INDEXSERVER,

 		RegistryConfig:     daemon.RegistryService.Config,

 		InitSha1:           dockerversion.INITSHA1,

 		InitPath:           initPath,

deleted file mode 100644

@@ -1,178 +0,0 @@

-package graph

-

-import (

-	"encoding/json"

-	"fmt"

-

-	"github.com/Sirupsen/logrus"

-	"github.com/docker/distribution/digest"

-	"github.com/docker/docker/registry"

-	"github.com/docker/docker/trust"

-	"github.com/docker/libtrust"

-)

-

-// loadManifest loads a manifest from a byte array and verifies its content,

-// returning the local digest, the manifest itself, whether or not it was

-// verified. If ref is a digest, rather than a tag, this will be treated as

-// the local digest. An error will be returned if the signature verification

-// fails, local digest verification fails and, if provided, the remote digest

-// verification fails. The boolean return will only be false without error on

-// the failure of signatures trust check.

-func (s *TagStore) loadManifest(manifestBytes []byte, ref string, remoteDigest digest.Digest) (digest.Digest, *registry.ManifestData, bool, error) {

-	payload, keys, err := unpackSignedManifest(manifestBytes)

-	if err != nil {

-		return "", nil, false, fmt.Errorf("error unpacking manifest: %v", err)

-	}

-

-	// TODO(stevvooe): It would be a lot better here to build up a stack of

-	// verifiers, then push the bytes one time for signatures and digests, but

-	// the manifests are typically small, so this optimization is not worth

-	// hacking this code without further refactoring.

-

-	var localDigest digest.Digest

-

-	// Verify the local digest, if present in ref. ParseDigest will validate

-	// that the ref is a digest and verify against that if present. Otherwize

-	// (on error), we simply compute the localDigest and proceed.

-	if dgst, err := digest.ParseDigest(ref); err == nil {

-		// verify the manifest against local ref

-		if err := verifyDigest(dgst, payload); err != nil {

-			return "", nil, false, fmt.Errorf("verifying local digest: %v", err)

-		}

-

-		localDigest = dgst

-	} else {

-		// We don't have a local digest, since we are working from a tag.

-		// Compute the digest of the payload and return that.

-		logrus.Debugf("provided manifest reference %q is not a digest: %v", ref, err)

-		localDigest, err = digest.FromBytes(payload)

-		if err != nil {

-			// near impossible

-			logrus.Errorf("error calculating local digest during tag pull: %v", err)

-			return "", nil, false, err

-		}

-	}

-

-	// verify against the remote digest, if available

-	if remoteDigest != "" {

-		if err := verifyDigest(remoteDigest, payload); err != nil {

-			return "", nil, false, fmt.Errorf("verifying remote digest: %v", err)

-		}

-	}

-

-	var manifest registry.ManifestData

-	if err := json.Unmarshal(payload, &manifest); err != nil {

-		return "", nil, false, fmt.Errorf("error unmarshalling manifest: %s", err)

-	}

-

-	// validate the contents of the manifest

-	if err := validateManifest(&manifest); err != nil {

-		return "", nil, false, err

-	}

-

-	var verified bool

-	verified, err = s.verifyTrustedKeys(manifest.Name, keys)

-	if err != nil {

-		return "", nil, false, fmt.Errorf("error verifying trusted keys: %v", err)

-	}

-

-	return localDigest, &manifest, verified, nil

-}

-

-// unpackSignedManifest takes the raw, signed manifest bytes, unpacks the jws

-// and returns the payload and public keys used to signed the manifest.

-// Signatures are verified for authenticity but not against the trust store.

-func unpackSignedManifest(p []byte) ([]byte, []libtrust.PublicKey, error) {

-	sig, err := libtrust.ParsePrettySignature(p, "signatures")

-	if err != nil {

-		return nil, nil, fmt.Errorf("error parsing payload: %s", err)

-	}

-

-	keys, err := sig.Verify()

-	if err != nil {

-		return nil, nil, fmt.Errorf("error verifying payload: %s", err)

-	}

-

-	payload, err := sig.Payload()

-	if err != nil {

-		return nil, nil, fmt.Errorf("error retrieving payload: %s", err)

-	}

-

-	return payload, keys, nil

-}

-

-// verifyTrustedKeys checks the keys provided against the trust store,

-// ensuring that the provided keys are trusted for the namespace. The keys

-// provided from this method must come from the signatures provided as part of

-// the manifest JWS package, obtained from unpackSignedManifest or libtrust.

-func (s *TagStore) verifyTrustedKeys(namespace string, keys []libtrust.PublicKey) (verified bool, err error) {

-	if namespace[0] != '/' {

-		namespace = "/" + namespace

-	}

-

-	for _, key := range keys {

-		b, err := key.MarshalJSON()

-		if err != nil {

-			return false, fmt.Errorf("error marshalling public key: %s", err)

-		}

-		// Check key has read/write permission (0x03)

-		v, err := s.trustService.CheckKey(namespace, b, 0x03)

-		if err != nil {

-			vErr, ok := err.(trust.NotVerifiedError)

-			if !ok {

-				return false, fmt.Errorf("error running key check: %s", err)

-			}

-			logrus.Debugf("Key check result: %v", vErr)

-		}

-		verified = v

-	}

-

-	if verified {

-		logrus.Debug("Key check result: verified")

-	}

-

-	return

-}

-

-// verifyDigest checks the contents of p against the provided digest. Note

-// that for manifests, this is the signed payload and not the raw bytes with

-// signatures.

-func verifyDigest(dgst digest.Digest, p []byte) error {

-	if err := dgst.Validate(); err != nil {

-		return fmt.Errorf("error validating  digest %q: %v", dgst, err)

-	}

-

-	verifier, err := digest.NewDigestVerifier(dgst)

-	if err != nil {

-		// There are not many ways this can go wrong: if it does, its

-		// fatal. Likley, the cause would be poor validation of the

-		// incoming reference.

-		return fmt.Errorf("error creating verifier for digest %q: %v", dgst, err)

-	}

-

-	if _, err := verifier.Write(p); err != nil {

-		return fmt.Errorf("error writing payload to digest verifier (verifier target %q): %v", dgst, err)

-	}

-

-	if !verifier.Verified() {

-		return fmt.Errorf("verification against digest %q failed", dgst)

-	}

-

-	return nil

-}

-

-func validateManifest(manifest *registry.ManifestData) error {

-	if manifest.SchemaVersion != 1 {

-		return fmt.Errorf("unsupported schema version: %d", manifest.SchemaVersion)

-	}

-

-	if len(manifest.FSLayers) != len(manifest.History) {

-		return fmt.Errorf("length of history not equal to number of layers")

-	}

-

-	if len(manifest.FSLayers) == 0 {

-		return fmt.Errorf("no FSLayers in manifest")

-	}

-

-	return nil

-}

deleted file mode 100644

@@ -1,293 +0,0 @@

-package graph

-

-import (

-	"encoding/json"

-	"fmt"

-	"os"

-	"testing"

-

-	"github.com/docker/distribution/digest"

-	"github.com/docker/docker/registry"

-	"github.com/docker/docker/runconfig"

-	"github.com/docker/docker/utils"

-	"github.com/docker/libtrust"

-)

-

-const (

-	testManifestImageName    = "testapp"

-	testManifestImageID      = "d821b739e8834ec89ac4469266c3d11515da88fdcbcbdddcbcddb636f54fdde9"

-	testManifestImageIDShort = "d821b739e883"

-	testManifestTag          = "manifesttest"

-)

-

-func (s *TagStore) newManifest(localName, remoteName, tag string) ([]byte, error) {

-	manifest := &registry.ManifestData{

-		Name:          remoteName,

-		Tag:           tag,

-		SchemaVersion: 1,

-	}

-	localRepo, err := s.Get(localName)

-	if err != nil {

-		return nil, err

-	}

-	if localRepo == nil {

-		return nil, fmt.Errorf("Repo does not exist: %s", localName)

-	}

-

-	// Get the top-most layer id which the tag points to

-	layerId, exists := localRepo[tag]

-	if !exists {

-		return nil, fmt.Errorf("Tag does not exist for %s: %s", localName, tag)

-	}

-	layersSeen := make(map[string]bool)

-

-	layer, err := s.graph.Get(layerId)

-	if err != nil {

-		return nil, err

-	}

-	manifest.Architecture = layer.Architecture

-	manifest.FSLayers = make([]*registry.FSLayer, 0, 4)

-	manifest.History = make([]*registry.ManifestHistory, 0, 4)

-	var metadata runconfig.Config

-	if layer.Config != nil {

-		metadata = *layer.Config

-	}

-

-	for ; layer != nil; layer, err = s.graph.GetParent(layer) {

-		if err != nil {

-			return nil, err

-		}

-

-		if layersSeen[layer.ID] {

-			break

-		}

-		if layer.Config != nil && metadata.Image != layer.ID {

-			err = runconfig.Merge(&metadata, layer.Config)

-			if err != nil {

-				return nil, err

-			}

-		}

-

-		dgst, err := s.graph.GetDigest(layer.ID)

-		if err == ErrDigestNotSet {

-			archive, err := s.graph.TarLayer(layer)

-			if err != nil {

-				return nil, err

-			}

-

-			defer archive.Close()

-

-			dgst, err = digest.FromReader(archive)

-			if err != nil {

-				return nil, err

-			}

-

-			// Save checksum value

-			if err := s.graph.SetDigest(layer.ID, dgst); err != nil {

-				return nil, err

-			}

-		} else if err != nil {

-			return nil, fmt.Errorf("Error getting image checksum: %s", err)

-		}

-

-		jsonData, err := s.graph.RawJSON(layer.ID)

-		if err != nil {

-			return nil, fmt.Errorf("Cannot retrieve the path for {%s}: %s", layer.ID, err)

-		}

-

-		manifest.FSLayers = append(manifest.FSLayers, &registry.FSLayer{BlobSum: dgst.String()})

-

-		layersSeen[layer.ID] = true

-

-		manifest.History = append(manifest.History, &registry.ManifestHistory{V1Compatibility: string(jsonData)})

-	}

-

-	manifestBytes, err := json.MarshalIndent(manifest, "", "   ")

-	if err != nil {

-		return nil, err

-	}

-

-	return manifestBytes, nil

-}

-

-func TestManifestTarsumCache(t *testing.T) {

-	tmp, err := utils.TestDirectory("")

-	if err != nil {

-		t.Fatal(err)

-	}

-	defer os.RemoveAll(tmp)

-	store := mkTestTagStore(tmp, t)

-	defer store.graph.driver.Cleanup()

-

-	archive, err := fakeTar()

-	if err != nil {

-		t.Fatal(err)

-	}

-	img := &Image{ID: testManifestImageID}

-	if err := store.graph.Register(img, archive); err != nil {

-		t.Fatal(err)

-	}

-	if err := store.Tag(testManifestImageName, testManifestTag, testManifestImageID, false); err != nil {

-		t.Fatal(err)

-	}

-

-	if _, err := store.graph.GetDigest(testManifestImageID); err == nil {

-		t.Fatalf("Non-empty checksum file after register")

-	} else if err != ErrDigestNotSet {

-		t.Fatal(err)

-	}

-

-	// Generate manifest

-	payload, err := store.newManifest(testManifestImageName, testManifestImageName, testManifestTag)

-	if err != nil {

-		t.Fatal(err)

-	}

-

-	manifestChecksum, err := store.graph.GetDigest(testManifestImageID)

-	if err != nil {

-		t.Fatal(err)

-	}

-

-	var manifest registry.ManifestData

-	if err := json.Unmarshal(payload, &manifest); err != nil {

-		t.Fatalf("error unmarshalling manifest: %s", err)

-	}

-

-	if len(manifest.FSLayers) != 1 {

-		t.Fatalf("Unexpected number of layers, expecting 1: %d", len(manifest.FSLayers))

-	}

-

-	if manifest.FSLayers[0].BlobSum != manifestChecksum.String() {

-		t.Fatalf("Unexpected blob sum, expecting %q, got %q", manifestChecksum, manifest.FSLayers[0].BlobSum)

-	}

-

-	if len(manifest.History) != 1 {

-		t.Fatalf("Unexpected number of layer history, expecting 1: %d", len(manifest.History))

-	}

-

-	v1compat, err := store.graph.RawJSON(img.ID)

-	if err != nil {

-		t.Fatal(err)

-	}

-	if manifest.History[0].V1Compatibility != string(v1compat) {

-		t.Fatalf("Unexpected json value\nExpected:\n%s\nActual:\n%s", v1compat, manifest.History[0].V1Compatibility)

-	}

-}

-

-// TestManifestDigestCheck ensures that loadManifest properly verifies the

-// remote and local digest.

-func TestManifestDigestCheck(t *testing.T) {

-	tmp, err := utils.TestDirectory("")

-	if err != nil {

-		t.Fatal(err)

-	}

-	defer os.RemoveAll(tmp)

-	store := mkTestTagStore(tmp, t)

-	defer store.graph.driver.Cleanup()

-

-	archive, err := fakeTar()

-	if err != nil {

-		t.Fatal(err)

-	}

-	img := &Image{ID: testManifestImageID}

-	if err := store.graph.Register(img, archive); err != nil {

-		t.Fatal(err)

-	}

-	if err := store.Tag(testManifestImageName, testManifestTag, testManifestImageID, false); err != nil {

-		t.Fatal(err)

-	}

-

-	if _, err := store.graph.GetDigest(testManifestImageID); err == nil {

-		t.Fatalf("Non-empty checksum file after register")

-	} else if err != ErrDigestNotSet {

-		t.Fatal(err)

-	}

-

-	// Generate manifest

-	payload, err := store.newManifest(testManifestImageName, testManifestImageName, testManifestTag)

-	if err != nil {

-		t.Fatalf("unexpected error generating test manifest: %v", err)

-	}

-

-	pk, err := libtrust.GenerateECP256PrivateKey()

-	if err != nil {

-		t.Fatalf("unexpected error generating private key: %v", err)

-	}

-

-	sig, err := libtrust.NewJSONSignature(payload)

-	if err != nil {

-		t.Fatalf("error creating signature: %v", err)

-	}

-

-	if err := sig.Sign(pk); err != nil {

-		t.Fatalf("error signing manifest bytes: %v", err)

-	}

-

-	signedBytes, err := sig.PrettySignature("signatures")

-	if err != nil {

-		t.Fatalf("error getting signed bytes: %v", err)

-	}

-

-	dgst, err := digest.FromBytes(payload)

-	if err != nil {

-		t.Fatalf("error getting digest of manifest: %v", err)

-	}

-

-	// use this as the "bad" digest

-	zeroDigest, err := digest.FromBytes([]byte{})

-	if err != nil {

-		t.Fatalf("error making zero digest: %v", err)

-	}

-

-	// Remote and local match, everything should look good

-	local, _, _, err := store.loadManifest(signedBytes, dgst.String(), dgst)

-	if err != nil {

-		t.Fatalf("unexpected error verifying local and remote digest: %v", err)

-	}

-

-	if local != dgst {

-		t.Fatalf("local digest not correctly calculated: %v", err)

-	}

-

-	// remote and no local, since pulling by tag

-	local, _, _, err = store.loadManifest(signedBytes, "tag", dgst)

-	if err != nil {

-		t.Fatalf("unexpected error verifying tag pull and remote digest: %v", err)

-	}

-

-	if local != dgst {

-		t.Fatalf("local digest not correctly calculated: %v", err)

-	}

-

-	// remote and differing local, this is the most important to fail

-	local, _, _, err = store.loadManifest(signedBytes, zeroDigest.String(), dgst)

-	if err == nil {

-		t.Fatalf("error expected when verifying with differing local digest")

-	}

-

-	// no remote, no local (by tag)

-	local, _, _, err = store.loadManifest(signedBytes, "tag", "")

-	if err != nil {

-		t.Fatalf("unexpected error verifying manifest without remote digest: %v", err)

-	}

-

-	if local != dgst {

-		t.Fatalf("local digest not correctly calculated: %v", err)

-	}

-

-	// no remote, with local

-	local, _, _, err = store.loadManifest(signedBytes, dgst.String(), "")

-	if err != nil {

-		t.Fatalf("unexpected error verifying manifest without remote digest: %v", err)

-	}

-

-	if local != dgst {

-		t.Fatalf("local digest not correctly calculated: %v", err)

-	}

-

-	// bad remote, we fail the check.

-	local, _, _, err = store.loadManifest(signedBytes, dgst.String(), zeroDigest)

-	if err == nil {

-		t.Fatalf("error expected when verifying with differing remote digest")

-	}

-}

@@ -3,20 +3,10 @@ package graph

 import (

 	"fmt"

 	"io"

-	"io/ioutil"

-	"net"

-	"net/url"

-	"os"

-	"strings"

-	"time"

 	"github.com/Sirupsen/logrus"

-	"github.com/docker/distribution/digest"

-	"github.com/docker/distribution/registry/client/transport"

 	"github.com/docker/docker/cliconfig"

-	"github.com/docker/docker/pkg/progressreader"

 	"github.com/docker/docker/pkg/streamformatter"

-	"github.com/docker/docker/pkg/stringid"

 	"github.com/docker/docker/registry"

 	"github.com/docker/docker/utils"

 )

@@ -27,10 +17,38 @@ type ImagePullConfig struct {

 	OutStream   io.Writer

 }

+type Puller interface {

+	// Pull tries to pull the image referenced by `tag`

+	// Pull returns an error if any, as well as a boolean that determines whether to retry Pull on the next configured endpoint.

+	//

+	// TODO(tiborvass): have Pull() take a reference to repository + tag, so that the puller itself is repository-agnostic.

+	Pull(tag string) (fallback bool, err error)

+}

+

+func NewPuller(s *TagStore, endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, imagePullConfig *ImagePullConfig, sf *streamformatter.StreamFormatter) (Puller, error) {

+	switch endpoint.Version {

+	case registry.APIVersion2:

+		return &v2Puller{

+			TagStore: s,

+			endpoint: endpoint,

+			config:   imagePullConfig,

+			sf:       sf,

+			repoInfo: repoInfo,

+		}, nil

+	case registry.APIVersion1:

+		return &v1Puller{

+			TagStore: s,

+			endpoint: endpoint,

+			config:   imagePullConfig,

+			sf:       sf,

+			repoInfo: repoInfo,

+		}, nil

+	}

+	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)

+}

+

 func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConfig) error {

-	var (

-		sf = streamformatter.NewJSONStreamFormatter()

-	)

+	var sf = streamformatter.NewJSONStreamFormatter()

 	// Resolve the Repository name from fqn to RepositoryInfo

 	repoInfo, err := s.registryService.ResolveRepository(image)

@@ -38,424 +56,74 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf

 		return err

 	}

+	// makes sure name is not empty or `scratch`

 	if err := validateRepoName(repoInfo.LocalName); err != nil {

 		return err

 	}

-	c, err := s.poolAdd("pull", utils.ImageReference(repoInfo.LocalName, tag))

+	endpoints, err := s.registryService.LookupEndpoints(repoInfo.CanonicalName)

 	if err != nil {

-		if c != nil {

-			// Another pull of the same repository is already taking place; just wait for it to finish

-			imagePullConfig.OutStream.Write(sf.FormatStatus("", "Repository %s already being pulled by another client. Waiting.", repoInfo.LocalName))

-			<-c

-			return nil

-		}

 		return err

 	}

-	defer s.poolRemove("pull", utils.ImageReference(repoInfo.LocalName, tag))

 	logName := repoInfo.LocalName

 	if tag != "" {

 		logName = utils.ImageReference(logName, tag)

 	}

-	// Attempt pulling official content from a provided v2 mirror

-	if repoInfo.Index.Official {

-		v2mirrorEndpoint, v2mirrorRepoInfo, err := configureV2Mirror(repoInfo, s.registryService)

-		if err != nil {

-			logrus.Errorf("Error configuring mirrors: %s", err)

-			return err

-		}

-

-		if v2mirrorEndpoint != nil {

-			logrus.Debugf("Attempting to pull from v2 mirror: %s", v2mirrorEndpoint.URL)

-			return s.pullFromV2Mirror(v2mirrorEndpoint, v2mirrorRepoInfo, imagePullConfig, tag, sf, logName)

-		}

-	}

-

-	logrus.Debugf("pulling image from host %q with remote name %q", repoInfo.Index.Name, repoInfo.RemoteName)

-

-	endpoint, err := repoInfo.GetEndpoint(imagePullConfig.MetaHeaders)

-	if err != nil {

-		return err

-	}

-	// TODO(tiborvass): reuse client from endpoint?

-	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)

-	tr := transport.NewTransport(

-		registry.NewTransport(registry.ReceiveTimeout, endpoint.IsSecure),

-		registry.DockerHeaders(imagePullConfig.MetaHeaders)...,

+	var (

+		lastErr error

+

+		// discardNoSupportErrors is used to track whether an endpoint encountered an error of type registry.ErrNoSupport

+		// By default it is false, which means that if a ErrNoSupport error is encountered, it will be saved in lastErr.

+		// As soon as another kind of error is encountered, discardNoSupportErrors is set to true, avoiding the saving of

+		// any subsequent ErrNoSupport errors in lastErr.

+		// It's needed for pull-by-digest on v1 endpoints: if there are only v1 endpoints configured, the error should be

+		// returned and displayed, but if there was a v2 endpoint which supports pull-by-digest, then the last relevant

+		// error is the ones from v2 endpoints not v1.

+		discardNoSupportErrors bool

 	)

-	client := registry.HTTPClient(tr)

-	r, err := registry.NewSession(client, imagePullConfig.AuthConfig, endpoint)

-	if err != nil {

-		return err

-	}

-

-	if len(repoInfo.Index.Mirrors) == 0 && (repoInfo.Index.Official || endpoint.Version == registry.APIVersion2) {

-		if repoInfo.Official {

-			s.trustService.UpdateBase()

-		}

+	for _, endpoint := range endpoints {

+		logrus.Debugf("Trying to pull %s from %s %s", repoInfo.LocalName, endpoint.URL, endpoint.Version)

-		logrus.Debugf("pulling v2 repository with local name %q", repoInfo.LocalName)

-		if err := s.pullV2Repository(r, imagePullConfig.OutStream, repoInfo, tag, sf); err == nil {

-			s.eventsService.Log("pull", logName, "")

-			return nil

-		} else if err != registry.ErrDoesNotExist && err != ErrV2RegistryUnavailable {

-			logrus.Errorf("Error from V2 registry: %s", err)

+		if !endpoint.Mirror && (endpoint.Official || endpoint.Version == registry.APIVersion2) {

+			if repoInfo.Official {

+				s.trustService.UpdateBase()

+			}

 		}

-		logrus.Debug("image does not exist on v2 registry, falling back to v1")

-	}

-

-	if utils.DigestReference(tag) {

-		return fmt.Errorf("pulling with digest reference failed from v2 registry")

-	}

-

-	logrus.Debugf("pulling v1 repository with local name %q", repoInfo.LocalName)

-	if err = s.pullRepository(r, imagePullConfig.OutStream, repoInfo, tag, sf); err != nil {

-		return err

-	}

-

-	s.eventsService.Log("pull", logName, "")

-

-	return nil

-

-}

-

-func makeMirrorRepoInfo(repoInfo *registry.RepositoryInfo, mirror string) *registry.RepositoryInfo {

-	mirrorRepo := &registry.RepositoryInfo{

-		RemoteName:    repoInfo.RemoteName,

-		LocalName:     repoInfo.LocalName,

-		CanonicalName: repoInfo.CanonicalName,

-		Official:      false,

-

-		Index: &registry.IndexInfo{

-			Official: false,

-			Secure:   repoInfo.Index.Secure,

-			Name:     mirror,

-			Mirrors:  []string{},

-		},

-	}

-	return mirrorRepo

-}

-

-func configureV2Mirror(repoInfo *registry.RepositoryInfo, s *registry.Service) (*registry.Endpoint, *registry.RepositoryInfo, error) {

-	mirrors := repoInfo.Index.Mirrors

-	if len(mirrors) == 0 {

-		// no mirrors configured

-		return nil, nil, nil

-	}

-

-	v1MirrorCount := 0

-	var v2MirrorEndpoint *registry.Endpoint

-	var v2MirrorRepoInfo *registry.RepositoryInfo

-	for _, mirror := range mirrors {

-		mirrorRepoInfo := makeMirrorRepoInfo(repoInfo, mirror)

-		endpoint, err := registry.NewEndpoint(mirrorRepoInfo.Index, nil)

+		puller, err := NewPuller(s, endpoint, repoInfo, imagePullConfig, sf)

 		if err != nil {

-			logrus.Errorf("Unable to create endpoint for %s: %s", mirror, err)

+			lastErr = err

 			continue

 		}

-		if endpoint.Version == 2 {

-			if v2MirrorEndpoint == nil {

-				v2MirrorEndpoint = endpoint

-				v2MirrorRepoInfo = mirrorRepoInfo

-			} else {

-				// > 1 v2 mirrors given

-				return nil, nil, fmt.Errorf("multiple v2 mirrors configured")

-			}

-		} else {

-			v1MirrorCount++

-		}

-	}

-

-	if v1MirrorCount == len(mirrors) {

-		// OK, but mirrors are v1

-		return nil, nil, nil

-	}

-	if v2MirrorEndpoint != nil && v1MirrorCount == 0 {

-		// OK, 1 v2 mirror specified

-		return v2MirrorEndpoint, v2MirrorRepoInfo, nil

-	}

-	if v2MirrorEndpoint != nil && v1MirrorCount > 0 {

-		return nil, nil, fmt.Errorf("v1 and v2 mirrors configured")

-	}

-	// No endpoint could be established with the given mirror configurations

-	// Fallback to pulling from the hub as per v1 behavior.

-	return nil, nil, nil

-}

-

-func (s *TagStore) pullFromV2Mirror(mirrorEndpoint *registry.Endpoint, repoInfo *registry.RepositoryInfo,

-	imagePullConfig *ImagePullConfig, tag string, sf *streamformatter.StreamFormatter, logName string) error {

-

-	tr := transport.NewTransport(

-		registry.NewTransport(registry.ReceiveTimeout, mirrorEndpoint.IsSecure),

-		registry.DockerHeaders(imagePullConfig.MetaHeaders)...,

-	)

-	client := registry.HTTPClient(tr)

-	mirrorSession, err := registry.NewSession(client, &cliconfig.AuthConfig{}, mirrorEndpoint)

-	if err != nil {

-		return err

-	}

-	logrus.Debugf("Pulling v2 repository with local name %q from %s", repoInfo.LocalName, mirrorEndpoint.URL)

-	if err := s.pullV2Repository(mirrorSession, imagePullConfig.OutStream, repoInfo, tag, sf); err != nil {

-		return err

-	}

-	s.eventsService.Log("pull", logName, "")

-	return nil

-}

-

-func (s *TagStore) pullRepository(r *registry.Session, out io.Writer, repoInfo *registry.RepositoryInfo, askedTag string, sf *streamformatter.StreamFormatter) error {

-	out.Write(sf.FormatStatus("", "Pulling repository %s", repoInfo.CanonicalName))

-

-	repoData, err := r.GetRepositoryData(repoInfo.RemoteName)

-	if err != nil {

-		if strings.Contains(err.Error(), "HTTP code: 404") {

-			return fmt.Errorf("Error: image %s not found", utils.ImageReference(repoInfo.RemoteName, askedTag))

-		}

-		// Unexpected HTTP error

-		return err

-	}

-

-	logrus.Debugf("Retrieving the tag list")

-	tagsList := make(map[string]string)

-	if askedTag == "" {

-		tagsList, err = r.GetRemoteTags(repoData.Endpoints, repoInfo.RemoteName)

-	} else {

-		var tagId string

-		tagId, err = r.GetRemoteTag(repoData.Endpoints, repoInfo.RemoteName, askedTag)

-		tagsList[askedTag] = tagId

-	}

-	if err != nil {

-		if err == registry.ErrRepoNotFound && askedTag != "" {

-			return fmt.Errorf("Tag %s not found in repository %s", askedTag, repoInfo.CanonicalName)

-		}

-		logrus.Errorf("unable to get remote tags: %s", err)

-		return err

-	}

-

-	for tag, id := range tagsList {

-		repoData.ImgList[id] = &registry.ImgData{

-			ID:       id,

-			Tag:      tag,

-			Checksum: "",

-		}

-	}

-

-	logrus.Debugf("Registering tags")

-	// If no tag has been specified, pull them all

-	if askedTag == "" {

-		for tag, id := range tagsList {

-			repoData.ImgList[id].Tag = tag

-		}

-	} else {

-		// Otherwise, check that the tag exists and use only that one

-		id, exists := tagsList[askedTag]

-		if !exists {

-			return fmt.Errorf("Tag %s not found in repository %s", askedTag, repoInfo.CanonicalName)

-		}

-		repoData.ImgList[id].Tag = askedTag

-	}

-

-	errors := make(chan error)

-

-	layersDownloaded := false

-	for _, image := range repoData.ImgList {

-		downloadImage := func(img *registry.ImgData) {

-			if askedTag != "" && img.Tag != askedTag {

-				errors <- nil

-				return

+		if fallback, err := puller.Pull(tag); err != nil {

+			if fallback {

+				if _, ok := err.(registry.ErrNoSupport); !ok {

+					// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.

+					discardNoSupportErrors = true

+					// save the current error

+					lastErr = err

+				} else if !discardNoSupportErrors {

+					// Save the ErrNoSupport error, because it's either the first error or all encountered errors

+					// were also ErrNoSupport errors.

+					lastErr = err

+				}

+				continue

 			}

-

-			if img.Tag == "" {

-				logrus.Debugf("Image (id: %s) present in this repository but untagged, skipping", img.ID)

-				errors <- nil

-				return

-			}

-

-			// ensure no two downloads of the same image happen at the same time

-			if c, err := s.poolAdd("pull", "img:"+img.ID); err != nil {

-				if c != nil {

-					out.Write(sf.FormatProgress(stringid.TruncateID(img.ID), "Layer already being pulled by another client. Waiting.", nil))

-					<-c

-					out.Write(sf.FormatProgress(stringid.TruncateID(img.ID), "Download complete", nil))

-				} else {

-					logrus.Debugf("Image (id: %s) pull is already running, skipping: %v", img.ID, err)

-				}

-				errors <- nil

-				return

-			}

-			defer s.poolRemove("pull", "img:"+img.ID)

-

-			out.Write(sf.FormatProgress(stringid.TruncateID(img.ID), fmt.Sprintf("Pulling image (%s) from %s", img.Tag, repoInfo.CanonicalName), nil))