Remove build tags which are already implied by the name of the file.
Ensures build tags are used consistently
Signed-off-by: Derek McGowan <derek@mcg.dev>
Discovered this while using HTTP tracing via OpenTelemetry inside of
buildkitd, where the trace spans were not being reported for the
registry PUT http requests. The spans are only reported on the Close
for the Body, after adding these Close calls, the spans are reported as
expected.
Signed-off-by: coryb <cbennett@netflix.com>
Adds support for mirrors which are non-compliant with the
OCI distribution specification but have previously mirrored
content with a namespace prefix after the API root `/v2`.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Previously, containerd uses Go's default UA "Go-http-client/1.1" while authenticating with registry.
This commit changes it to the pattern like "containerd/v1.5.2" which is used for all other requests.
Signed-off-by: Ethan Chen <pov@mahou-shoujo.moe>
Allows redirects to be authorized if authorization is provided
for the redirected to host. The authorization will always go
to the redirect and never to the referrer.
Signed-off-by: Derek McGowan <derek@mcg.dev>
The `(dockerPusher).Push` method uses a `StatusTracker` to check if an
upload already happened, before repeating the upload. However, there is
no provision for failure handling. If a PUT request returns an error,
the `StatusTracker` will still see the upload as if it happened
successfully. Add a status boolean so that only successful uploads
short-circuit `Push`.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
- changed the `MatchLocalhost` function in remotes/docker/registry.go
- Make use of SplitHostPort to split host and port number
- Added additional tests for modified code in remotes/docker/registry_test.go
- Note: this does not handle mathcing of IP addresses in octal, decimal or hex format or a mix of these.
Fixes: #5129
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
The certs dir parsing was skipping over files instead of reading them,
as such the certs would never load.
It was also stating the file name rather than the full path for cert
pairs.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`docker.Authorizer` requires library clients to configure scope via context.
It is helpful for the clients to use the helper (currently private) functions
for generating scope string and to use that function with the combination of
other scope-related ones (e.g. `docker.WithScope`).
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
This accomplishes a few long-standing TODO items, but also helps users
in showing exact registry error messages
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
Proxy registries are designed to serve content from upstreams.
However, the proxy hostname will usually not match the hostname
of the upstream, requiring the proxy to only use a single
upstream or use its own pattern matching to determine the upstream.
To solve this issue, the client will pass along the namespace which
is being used for the request, allowing mirrors to easily map
to multiple upstreams. This query parameter can safely be ignored
if multiple upstreams are not supported.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Authorizer interface can’t be really implemented because
scopes are passed in on a side channel via private value in context.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
When a server is specified at the top level, there is a bug
that prevents the keys from being checked properly.
When no server is provided, the server attempts to parse
with an empty host, leaving partial values and a defaulted
skip verify configuration.
Signed-off-by: Derek McGowan <derek@mcg.dev>
