github.com/ralexstokes/docker@v1.6.2/registry/endpoint.go (about) 1 package registry 2 3 import ( 4 "crypto/tls" 5 "encoding/json" 6 "fmt" 7 "io/ioutil" 8 "net" 9 "net/http" 10 "net/url" 11 "strings" 12 13 log "github.com/Sirupsen/logrus" 14 "github.com/docker/docker/registry/v2" 15 "github.com/docker/docker/utils" 16 ) 17 18 // for mocking in unit tests 19 var lookupIP = net.LookupIP 20 21 // scans string for api version in the URL path. returns the trimmed address, if version found, string and API version. 22 func scanForAPIVersion(address string) (string, APIVersion) { 23 var ( 24 chunks []string 25 apiVersionStr string 26 ) 27 28 if strings.HasSuffix(address, "/") { 29 address = address[:len(address)-1] 30 } 31 32 chunks = strings.Split(address, "/") 33 apiVersionStr = chunks[len(chunks)-1] 34 35 for k, v := range apiVersions { 36 if apiVersionStr == v { 37 address = strings.Join(chunks[:len(chunks)-1], "/") 38 return address, k 39 } 40 } 41 42 return address, APIVersionUnknown 43 } 44 45 // NewEndpoint parses the given address to return a registry endpoint. 46 func NewEndpoint(index *IndexInfo) (*Endpoint, error) { 47 // *TODO: Allow per-registry configuration of endpoints. 48 endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure) 49 if err != nil { 50 return nil, err 51 } 52 if err := validateEndpoint(endpoint); err != nil { 53 return nil, err 54 } 55 56 return endpoint, nil 57 } 58 59 func validateEndpoint(endpoint *Endpoint) error { 60 log.Debugf("pinging registry endpoint %s", endpoint) 61 62 // Try HTTPS ping to registry 63 endpoint.URL.Scheme = "https" 64 if _, err := endpoint.Ping(); err != nil { 65 if endpoint.IsSecure { 66 // If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry` 67 // in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP. 68 return fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host) 69 } 70 71 // If registry is insecure and HTTPS failed, fallback to HTTP. 72 log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err) 73 endpoint.URL.Scheme = "http" 74 75 var err2 error 76 if _, err2 = endpoint.Ping(); err2 == nil { 77 return nil 78 } 79 80 return fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2) 81 } 82 83 return nil 84 } 85 86 func newEndpoint(address string, secure bool) (*Endpoint, error) { 87 var ( 88 endpoint = new(Endpoint) 89 trimmedAddress string 90 err error 91 ) 92 93 if !strings.HasPrefix(address, "http") { 94 address = "https://" + address 95 } 96 97 trimmedAddress, endpoint.Version = scanForAPIVersion(address) 98 99 if endpoint.URL, err = url.Parse(trimmedAddress); err != nil { 100 return nil, err 101 } 102 endpoint.IsSecure = secure 103 return endpoint, nil 104 } 105 106 func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) { 107 return NewEndpoint(repoInfo.Index) 108 } 109 110 // Endpoint stores basic information about a registry endpoint. 111 type Endpoint struct { 112 URL *url.URL 113 Version APIVersion 114 IsSecure bool 115 AuthChallenges []*AuthorizationChallenge 116 URLBuilder *v2.URLBuilder 117 } 118 119 // Get the formated URL for the root of this registry Endpoint 120 func (e *Endpoint) String() string { 121 return fmt.Sprintf("%s/v%d/", e.URL, e.Version) 122 } 123 124 // VersionString returns a formatted string of this 125 // endpoint address using the given API Version. 126 func (e *Endpoint) VersionString(version APIVersion) string { 127 return fmt.Sprintf("%s/v%d/", e.URL, version) 128 } 129 130 // Path returns a formatted string for the URL 131 // of this endpoint with the given path appended. 132 func (e *Endpoint) Path(path string) string { 133 return fmt.Sprintf("%s/v%d/%s", e.URL, e.Version, path) 134 } 135 136 func (e *Endpoint) Ping() (RegistryInfo, error) { 137 // The ping logic to use is determined by the registry endpoint version. 138 factory := HTTPRequestFactory(nil) 139 switch e.Version { 140 case APIVersion1: 141 return e.pingV1(factory) 142 case APIVersion2: 143 return e.pingV2(factory) 144 } 145 146 // APIVersionUnknown 147 // We should try v2 first... 148 e.Version = APIVersion2 149 regInfo, errV2 := e.pingV2(factory) 150 if errV2 == nil { 151 return regInfo, nil 152 } 153 154 // ... then fallback to v1. 155 e.Version = APIVersion1 156 regInfo, errV1 := e.pingV1(factory) 157 if errV1 == nil { 158 return regInfo, nil 159 } 160 161 e.Version = APIVersionUnknown 162 return RegistryInfo{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1) 163 } 164 165 func (e *Endpoint) pingV1(factory *utils.HTTPRequestFactory) (RegistryInfo, error) { 166 log.Debugf("attempting v1 ping for registry endpoint %s", e) 167 168 if e.String() == IndexServerAddress() { 169 // Skip the check, we know this one is valid 170 // (and we never want to fallback to http in case of error) 171 return RegistryInfo{Standalone: false}, nil 172 } 173 174 req, err := factory.NewRequest("GET", e.Path("_ping"), nil) 175 if err != nil { 176 return RegistryInfo{Standalone: false}, err 177 } 178 179 resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure) 180 if err != nil { 181 return RegistryInfo{Standalone: false}, err 182 } 183 184 defer resp.Body.Close() 185 186 jsonString, err := ioutil.ReadAll(resp.Body) 187 if err != nil { 188 return RegistryInfo{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err) 189 } 190 191 // If the header is absent, we assume true for compatibility with earlier 192 // versions of the registry. default to true 193 info := RegistryInfo{ 194 Standalone: true, 195 } 196 if err := json.Unmarshal(jsonString, &info); err != nil { 197 log.Debugf("Error unmarshalling the _ping RegistryInfo: %s", err) 198 // don't stop here. Just assume sane defaults 199 } 200 if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" { 201 log.Debugf("Registry version header: '%s'", hdr) 202 info.Version = hdr 203 } 204 log.Debugf("RegistryInfo.Version: %q", info.Version) 205 206 standalone := resp.Header.Get("X-Docker-Registry-Standalone") 207 log.Debugf("Registry standalone header: '%s'", standalone) 208 // Accepted values are "true" (case-insensitive) and "1". 209 if strings.EqualFold(standalone, "true") || standalone == "1" { 210 info.Standalone = true 211 } else if len(standalone) > 0 { 212 // there is a header set, and it is not "true" or "1", so assume fails 213 info.Standalone = false 214 } 215 log.Debugf("RegistryInfo.Standalone: %t", info.Standalone) 216 return info, nil 217 } 218 219 func (e *Endpoint) pingV2(factory *utils.HTTPRequestFactory) (RegistryInfo, error) { 220 log.Debugf("attempting v2 ping for registry endpoint %s", e) 221 222 req, err := factory.NewRequest("GET", e.Path(""), nil) 223 if err != nil { 224 return RegistryInfo{}, err 225 } 226 227 resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure) 228 if err != nil { 229 return RegistryInfo{}, err 230 } 231 defer resp.Body.Close() 232 233 // The endpoint may have multiple supported versions. 234 // Ensure it supports the v2 Registry API. 235 var supportsV2 bool 236 237 HeaderLoop: 238 for _, supportedVersions := range resp.Header[http.CanonicalHeaderKey("Docker-Distribution-API-Version")] { 239 for _, versionName := range strings.Fields(supportedVersions) { 240 if versionName == "registry/2.0" { 241 supportsV2 = true 242 break HeaderLoop 243 } 244 } 245 } 246 247 if !supportsV2 { 248 return RegistryInfo{}, fmt.Errorf("%s does not appear to be a v2 registry endpoint", e) 249 } 250 251 if resp.StatusCode == http.StatusOK { 252 // It would seem that no authentication/authorization is required. 253 // So we don't need to parse/add any authorization schemes. 254 return RegistryInfo{Standalone: true}, nil 255 } 256 257 if resp.StatusCode == http.StatusUnauthorized { 258 // Parse the WWW-Authenticate Header and store the challenges 259 // on this endpoint object. 260 e.AuthChallenges = parseAuthHeader(resp.Header) 261 return RegistryInfo{}, nil 262 } 263 264 return RegistryInfo{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode)) 265 } 266 267 func (e *Endpoint) HTTPClient() *http.Client { 268 tlsConfig := tls.Config{ 269 MinVersion: tls.VersionTLS10, 270 } 271 if !e.IsSecure { 272 tlsConfig.InsecureSkipVerify = true 273 } 274 return &http.Client{ 275 Transport: &http.Transport{ 276 DisableKeepAlives: true, 277 Proxy: http.ProxyFromEnvironment, 278 TLSClientConfig: &tlsConfig, 279 }, 280 CheckRedirect: AddRequiredHeadersToRedirectedRequests, 281 } 282 }