github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/registry/config.go (about) 1 package registry // import "github.com/docker/docker/registry" 2 3 import ( 4 "fmt" 5 "net" 6 "net/url" 7 "regexp" 8 "strconv" 9 "strings" 10 11 "github.com/docker/distribution/reference" 12 registrytypes "github.com/docker/docker/api/types/registry" 13 "github.com/pkg/errors" 14 "github.com/sirupsen/logrus" 15 ) 16 17 // ServiceOptions holds command line options. 18 type ServiceOptions struct { 19 AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"` 20 Mirrors []string `json:"registry-mirrors,omitempty"` 21 InsecureRegistries []string `json:"insecure-registries,omitempty"` 22 } 23 24 // serviceConfig holds daemon configuration for the registry service. 25 type serviceConfig struct { 26 registrytypes.ServiceConfig 27 } 28 29 var ( 30 // DefaultNamespace is the default namespace 31 DefaultNamespace = "docker.io" 32 // DefaultRegistryVersionHeader is the name of the default HTTP header 33 // that carries Registry version info 34 DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version" 35 36 // IndexHostname is the index hostname 37 IndexHostname = "index.docker.io" 38 // IndexServer is used for user auth and image search 39 IndexServer = "https://" + IndexHostname + "/v1/" 40 // IndexName is the name of the index 41 IndexName = "docker.io" 42 43 // DefaultV2Registry is the URI of the default v2 registry 44 DefaultV2Registry = &url.URL{ 45 Scheme: "https", 46 Host: "registry-1.docker.io", 47 } 48 ) 49 50 var ( 51 // ErrInvalidRepositoryName is an error returned if the repository name did 52 // not have the correct form 53 ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")") 54 55 emptyServiceConfig, _ = newServiceConfig(ServiceOptions{}) 56 ) 57 58 var ( 59 validHostPortRegex = regexp.MustCompile(`^` + reference.DomainRegexp.String() + `$`) 60 ) 61 62 // for mocking in unit tests 63 var lookupIP = net.LookupIP 64 65 // newServiceConfig returns a new instance of ServiceConfig 66 func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { 67 config := &serviceConfig{ 68 ServiceConfig: registrytypes.ServiceConfig{ 69 InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), 70 IndexConfigs: make(map[string]*registrytypes.IndexInfo), 71 // Hack: Bypass setting the mirrors to IndexConfigs since they are going away 72 // and Mirrors are only for the official registry anyways. 73 }, 74 } 75 if err := config.LoadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts); err != nil { 76 return nil, err 77 } 78 if err := config.LoadMirrors(options.Mirrors); err != nil { 79 return nil, err 80 } 81 if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { 82 return nil, err 83 } 84 85 return config, nil 86 } 87 88 // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. 89 func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { 90 cidrs := map[string]*registrytypes.NetIPNet{} 91 hostnames := map[string]bool{} 92 93 for _, r := range registries { 94 if _, err := ValidateIndexName(r); err != nil { 95 return err 96 } 97 if validateNoScheme(r) != nil { 98 return fmt.Errorf("allow-nondistributable-artifacts registry %s should not contain '://'", r) 99 } 100 101 if _, ipnet, err := net.ParseCIDR(r); err == nil { 102 // Valid CIDR. 103 cidrs[ipnet.String()] = (*registrytypes.NetIPNet)(ipnet) 104 } else if err := validateHostPort(r); err == nil { 105 // Must be `host:port` if not CIDR. 106 hostnames[r] = true 107 } else { 108 return fmt.Errorf("allow-nondistributable-artifacts registry %s is not valid: %v", r, err) 109 } 110 } 111 112 config.AllowNondistributableArtifactsCIDRs = make([]*(registrytypes.NetIPNet), 0) 113 for _, c := range cidrs { 114 config.AllowNondistributableArtifactsCIDRs = append(config.AllowNondistributableArtifactsCIDRs, c) 115 } 116 117 config.AllowNondistributableArtifactsHostnames = make([]string, 0) 118 for h := range hostnames { 119 config.AllowNondistributableArtifactsHostnames = append(config.AllowNondistributableArtifactsHostnames, h) 120 } 121 122 return nil 123 } 124 125 // LoadMirrors loads mirrors to config, after removing duplicates. 126 // Returns an error if mirrors contains an invalid mirror. 127 func (config *serviceConfig) LoadMirrors(mirrors []string) error { 128 mMap := map[string]struct{}{} 129 unique := []string{} 130 131 for _, mirror := range mirrors { 132 m, err := ValidateMirror(mirror) 133 if err != nil { 134 return err 135 } 136 if _, exist := mMap[m]; !exist { 137 mMap[m] = struct{}{} 138 unique = append(unique, m) 139 } 140 } 141 142 config.Mirrors = unique 143 144 // Configure public registry since mirrors may have changed. 145 config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{ 146 Name: IndexName, 147 Mirrors: config.Mirrors, 148 Secure: true, 149 Official: true, 150 } 151 152 return nil 153 } 154 155 // LoadInsecureRegistries loads insecure registries to config 156 func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { 157 // Localhost is by default considered as an insecure registry 158 // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker). 159 // 160 // TODO: should we deprecate this once it is easier for people to set up a TLS registry or change 161 // daemon flags on boot2docker? 162 registries = append(registries, "127.0.0.0/8") 163 164 // Store original InsecureRegistryCIDRs and IndexConfigs 165 // Clean InsecureRegistryCIDRs and IndexConfigs in config, as passed registries has all insecure registry info. 166 originalCIDRs := config.ServiceConfig.InsecureRegistryCIDRs 167 originalIndexInfos := config.ServiceConfig.IndexConfigs 168 169 config.ServiceConfig.InsecureRegistryCIDRs = make([]*registrytypes.NetIPNet, 0) 170 config.ServiceConfig.IndexConfigs = make(map[string]*registrytypes.IndexInfo) 171 172 skip: 173 for _, r := range registries { 174 // validate insecure registry 175 if _, err := ValidateIndexName(r); err != nil { 176 // before returning err, roll back to original data 177 config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs 178 config.ServiceConfig.IndexConfigs = originalIndexInfos 179 return err 180 } 181 if strings.HasPrefix(strings.ToLower(r), "http://") { 182 logrus.Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r) 183 r = r[7:] 184 } else if strings.HasPrefix(strings.ToLower(r), "https://") { 185 logrus.Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r) 186 r = r[8:] 187 } else if validateNoScheme(r) != nil { 188 // Insecure registry should not contain '://' 189 // before returning err, roll back to original data 190 config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs 191 config.ServiceConfig.IndexConfigs = originalIndexInfos 192 return fmt.Errorf("insecure registry %s should not contain '://'", r) 193 } 194 // Check if CIDR was passed to --insecure-registry 195 _, ipnet, err := net.ParseCIDR(r) 196 if err == nil { 197 // Valid CIDR. If ipnet is already in config.InsecureRegistryCIDRs, skip. 198 data := (*registrytypes.NetIPNet)(ipnet) 199 for _, value := range config.InsecureRegistryCIDRs { 200 if value.IP.String() == data.IP.String() && value.Mask.String() == data.Mask.String() { 201 continue skip 202 } 203 } 204 // ipnet is not found, add it in config.InsecureRegistryCIDRs 205 config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, data) 206 207 } else { 208 if err := validateHostPort(r); err != nil { 209 config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs 210 config.ServiceConfig.IndexConfigs = originalIndexInfos 211 return fmt.Errorf("insecure registry %s is not valid: %v", r, err) 212 213 } 214 // Assume `host:port` if not CIDR. 215 config.IndexConfigs[r] = ®istrytypes.IndexInfo{ 216 Name: r, 217 Mirrors: make([]string, 0), 218 Secure: false, 219 Official: false, 220 } 221 } 222 } 223 224 // Configure public registry. 225 config.IndexConfigs[IndexName] = ®istrytypes.IndexInfo{ 226 Name: IndexName, 227 Mirrors: config.Mirrors, 228 Secure: true, 229 Official: true, 230 } 231 232 return nil 233 } 234 235 // allowNondistributableArtifacts returns true if the provided hostname is part of the list of registries 236 // that allow push of nondistributable artifacts. 237 // 238 // The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP 239 // of the registry specified by hostname, true is returned. 240 // 241 // hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name 242 // or an IP address. If it is a domain name, then it will be resolved to IP addresses for matching. If 243 // resolution fails, CIDR matching is not performed. 244 func allowNondistributableArtifacts(config *serviceConfig, hostname string) bool { 245 for _, h := range config.AllowNondistributableArtifactsHostnames { 246 if h == hostname { 247 return true 248 } 249 } 250 251 return isCIDRMatch(config.AllowNondistributableArtifactsCIDRs, hostname) 252 } 253 254 // isSecureIndex returns false if the provided indexName is part of the list of insecure registries 255 // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs. 256 // 257 // The list of insecure registries can contain an element with CIDR notation to specify a whole subnet. 258 // If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered 259 // insecure. 260 // 261 // indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name 262 // or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained 263 // in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element 264 // of insecureRegistries. 265 func isSecureIndex(config *serviceConfig, indexName string) bool { 266 // Check for configured index, first. This is needed in case isSecureIndex 267 // is called from anything besides newIndexInfo, in order to honor per-index configurations. 268 if index, ok := config.IndexConfigs[indexName]; ok { 269 return index.Secure 270 } 271 272 return !isCIDRMatch(config.InsecureRegistryCIDRs, indexName) 273 } 274 275 // isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`) 276 // where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be 277 // resolved to IP addresses for matching. If resolution fails, false is returned. 278 func isCIDRMatch(cidrs []*registrytypes.NetIPNet, URLHost string) bool { 279 host, _, err := net.SplitHostPort(URLHost) 280 if err != nil { 281 // Assume URLHost is of the form `host` without the port and go on. 282 host = URLHost 283 } 284 285 addrs, err := lookupIP(host) 286 if err != nil { 287 ip := net.ParseIP(host) 288 if ip != nil { 289 addrs = []net.IP{ip} 290 } 291 292 // if ip == nil, then `host` is neither an IP nor it could be looked up, 293 // either because the index is unreachable, or because the index is behind an HTTP proxy. 294 // So, len(addrs) == 0 and we're not aborting. 295 } 296 297 // Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined. 298 for _, addr := range addrs { 299 for _, ipnet := range cidrs { 300 // check if the addr falls in the subnet 301 if (*net.IPNet)(ipnet).Contains(addr) { 302 return true 303 } 304 } 305 } 306 307 return false 308 } 309 310 // ValidateMirror validates an HTTP(S) registry mirror 311 func ValidateMirror(val string) (string, error) { 312 uri, err := url.Parse(val) 313 if err != nil { 314 return "", fmt.Errorf("invalid mirror: %q is not a valid URI", val) 315 } 316 if uri.Scheme != "http" && uri.Scheme != "https" { 317 return "", fmt.Errorf("invalid mirror: unsupported scheme %q in %q", uri.Scheme, uri) 318 } 319 if (uri.Path != "" && uri.Path != "/") || uri.RawQuery != "" || uri.Fragment != "" { 320 return "", fmt.Errorf("invalid mirror: path, query, or fragment at end of the URI %q", uri) 321 } 322 if uri.User != nil { 323 // strip password from output 324 uri.User = url.UserPassword(uri.User.Username(), "xxxxx") 325 return "", fmt.Errorf("invalid mirror: username/password not allowed in URI %q", uri) 326 } 327 return strings.TrimSuffix(val, "/") + "/", nil 328 } 329 330 // ValidateIndexName validates an index name. 331 func ValidateIndexName(val string) (string, error) { 332 // TODO: upstream this to check to reference package 333 if val == "index.docker.io" { 334 val = "docker.io" 335 } 336 if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") { 337 return "", fmt.Errorf("invalid index name (%s). Cannot begin or end with a hyphen", val) 338 } 339 return val, nil 340 } 341 342 func validateNoScheme(reposName string) error { 343 if strings.Contains(reposName, "://") { 344 // It cannot contain a scheme! 345 return ErrInvalidRepositoryName 346 } 347 return nil 348 } 349 350 func validateHostPort(s string) error { 351 // Split host and port, and in case s can not be splitted, assume host only 352 host, port, err := net.SplitHostPort(s) 353 if err != nil { 354 host = s 355 port = "" 356 } 357 // If match against the `host:port` pattern fails, 358 // it might be `IPv6:port`, which will be captured by net.ParseIP(host) 359 if !validHostPortRegex.MatchString(s) && net.ParseIP(host) == nil { 360 return fmt.Errorf("invalid host %q", host) 361 } 362 if port != "" { 363 v, err := strconv.Atoi(port) 364 if err != nil { 365 return err 366 } 367 if v < 0 || v > 65535 { 368 return fmt.Errorf("invalid port %q", port) 369 } 370 } 371 return nil 372 } 373 374 // newIndexInfo returns IndexInfo configuration from indexName 375 func newIndexInfo(config *serviceConfig, indexName string) (*registrytypes.IndexInfo, error) { 376 var err error 377 indexName, err = ValidateIndexName(indexName) 378 if err != nil { 379 return nil, err 380 } 381 382 // Return any configured index info, first. 383 if index, ok := config.IndexConfigs[indexName]; ok { 384 return index, nil 385 } 386 387 // Construct a non-configured index info. 388 index := ®istrytypes.IndexInfo{ 389 Name: indexName, 390 Mirrors: make([]string, 0), 391 Official: false, 392 } 393 index.Secure = isSecureIndex(config, indexName) 394 return index, nil 395 } 396 397 // GetAuthConfigKey special-cases using the full index address of the official 398 // index as the AuthConfig key, and uses the (host)name[:port] for private indexes. 399 func GetAuthConfigKey(index *registrytypes.IndexInfo) string { 400 if index.Official { 401 return IndexServer 402 } 403 return index.Name 404 } 405 406 // newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo 407 func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) { 408 index, err := newIndexInfo(config, reference.Domain(name)) 409 if err != nil { 410 return nil, err 411 } 412 official := !strings.ContainsRune(reference.FamiliarName(name), '/') 413 414 return &RepositoryInfo{ 415 Name: reference.TrimNamed(name), 416 Index: index, 417 Official: official, 418 }, nil 419 } 420 421 // ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but 422 // lacks registry configuration. 423 func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) { 424 return newRepositoryInfo(emptyServiceConfig, reposName) 425 } 426 427 // ParseSearchIndexInfo will use repository name to get back an indexInfo. 428 func ParseSearchIndexInfo(reposName string) (*registrytypes.IndexInfo, error) { 429 indexName, _ := splitReposSearchTerm(reposName) 430 431 indexInfo, err := newIndexInfo(emptyServiceConfig, indexName) 432 if err != nil { 433 return nil, err 434 } 435 return indexInfo, nil 436 }