-
Notifications
You must be signed in to change notification settings - Fork 0
/
endpoint.go
213 lines (186 loc) · 6.47 KB
/
endpoint.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
package registry
import (
"encoding/json"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/url"
"strings"
"github.com/docker/docker/pkg/log"
)
// for mocking in unit tests
var lookupIP = net.LookupIP
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
func scanForApiVersion(hostname string) (string, APIVersion) {
var (
chunks []string
apiVersionStr string
)
if strings.HasSuffix(hostname, "/") {
chunks = strings.Split(hostname[:len(hostname)-1], "/")
apiVersionStr = chunks[len(chunks)-1]
} else {
chunks = strings.Split(hostname, "/")
apiVersionStr = chunks[len(chunks)-1]
}
for k, v := range apiVersions {
if apiVersionStr == v {
hostname = strings.Join(chunks[:len(chunks)-1], "/")
return hostname, k
}
}
return hostname, DefaultAPIVersion
}
func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
endpoint, err := newEndpoint(hostname, insecureRegistries)
if err != nil {
return nil, err
}
// Try HTTPS ping to registry
endpoint.URL.Scheme = "https"
if _, err := endpoint.Ping(); err != nil {
//TODO: triggering highland build can be done there without "failing"
if endpoint.secure {
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
}
// If registry is insecure and HTTPS failed, fallback to HTTP.
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
endpoint.URL.Scheme = "http"
_, err2 := endpoint.Ping()
if err2 == nil {
return endpoint, nil
}
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
}
return endpoint, nil
}
func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
var (
endpoint = Endpoint{}
trimmedHostname string
err error
)
if !strings.HasPrefix(hostname, "http") {
hostname = "https://" + hostname
}
trimmedHostname, endpoint.Version = scanForApiVersion(hostname)
endpoint.URL, err = url.Parse(trimmedHostname)
if err != nil {
return nil, err
}
endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
if err != nil {
return nil, err
}
return &endpoint, nil
}
type Endpoint struct {
URL *url.URL
Version APIVersion
secure bool
}
// Get the formated URL for the root of this registry Endpoint
func (e Endpoint) String() string {
return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
}
func (e Endpoint) VersionString(version APIVersion) string {
return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
}
func (e Endpoint) Ping() (RegistryInfo, error) {
if e.String() == IndexServerAddress() {
// Skip the check, we now this one is valid
// (and we never want to fallback to http in case of error)
return RegistryInfo{Standalone: false}, nil
}
req, err := http.NewRequest("GET", e.String()+"_ping", nil)
if err != nil {
return RegistryInfo{Standalone: false}, err
}
resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
if err != nil {
return RegistryInfo{Standalone: false}, err
}
defer resp.Body.Close()
jsonString, err := ioutil.ReadAll(resp.Body)
if err != nil {
return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
}
// If the header is absent, we assume true for compatibility with earlier
// versions of the registry. default to true
info := RegistryInfo{
Standalone: true,
}
if err := json.Unmarshal(jsonString, &info); err != nil {
log.Debugf("Error unmarshalling the _ping RegistryInfo: %s", err)
// don't stop here. Just assume sane defaults
}
if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
log.Debugf("Registry version header: '%s'", hdr)
info.Version = hdr
}
log.Debugf("RegistryInfo.Version: %q", info.Version)
standalone := resp.Header.Get("X-Docker-Registry-Standalone")
log.Debugf("Registry standalone header: '%s'", standalone)
// Accepted values are "true" (case-insensitive) and "1".
if strings.EqualFold(standalone, "true") || standalone == "1" {
info.Standalone = true
} else if len(standalone) > 0 {
// there is a header set, and it is not "true" or "1", so assume fails
info.Standalone = false
}
log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
return info, nil
}
// isSecure returns false if the provided hostname is part of the list of insecure registries.
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
//
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
// insecure.
//
// hostname should be a URL.Host (`host:port` or `host`)
func isSecure(hostname string, insecureRegistries []string) (bool, error) {
if hostname == IndexServerURL.Host {
return true, nil
}
host, _, err := net.SplitHostPort(hostname)
if err != nil {
// assume hostname is of the form `host` without the port and go on.
host = hostname
}
addrs, err := lookupIP(host)
if err != nil {
ip := net.ParseIP(host)
if ip == nil {
// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway
return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
}
addrs = []net.IP{ip}
}
if len(addrs) == 0 {
return true, fmt.Errorf("issecure: could not resolve %q", host)
}
for _, addr := range addrs {
for _, r := range insecureRegistries {
// hostname matches insecure registry
if hostname == r {
return false, nil
}
// now assume a CIDR was passed to --insecure-registry
_, ipnet, err := net.ParseCIDR(r)
if err != nil {
// if could not parse it as a CIDR, even after removing
// assume it's not a CIDR and go on with the next candidate
continue
}
// check if the addr falls in the subnet
if ipnet.Contains(addr) {
return false, nil
}
}
}
return true, nil
}