server

package
v3.5.4-1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 23, 2017 License: Apache-2.0 Imports: 50 Imported by: 0

Documentation

Overview

Package server wraps repository and blob store objects of docker/distribution upstream. Most significantly, the wrappers cause manifests to be stored in OpenShift's etcd store instead of registry's storage. Registry's middleware API is utilized to register the object factories.

Module with quotaRestrictedBlobStore defines a wrapper for upstream blob store that does an image quota and limits check before committing image layer to a registry. Master server contains admission check that will refuse the manifest if the image exceeds whatever quota or limit set. But the check occurs too late (after the layers are written). This addition allows us to refuse the layers and thus keep the storage clean.

*Note*: Here, we take into account just a single layer, not the image as a whole because the layers are uploaded before the manifest. This leads to a situation where several layers can be written until a big enough layer will be received that exceeds the limit.

Index

Constants

View Source
const (
	OpenShiftAuth = "openshift"

	RealmKey      = "realm"
	TokenRealmKey = "tokenrealm"
)
View Source
const (

	// DockerRegistryURLEnvVar is a mandatory environment variable name specifying url of internal docker
	// registry. All references to pushed images will be prefixed with its value.
	DockerRegistryURLEnvVar = "DOCKER_REGISTRY_URL"

	// EnforceQuotaEnvVar is a boolean environment variable that allows to turn quota enforcement on or off.
	// By default, quota enforcement is off. It overrides openshift middleware configuration option.
	// Recognized values are "true" and "false".
	EnforceQuotaEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA"

	// ProjectCacheTTLEnvVar is an environment variable specifying an eviction timeout for project quota
	// objects. It takes a valid time duration string (e.g. "2m"). If empty, you get the default timeout. If
	// zero (e.g. "0m"), caching is disabled.
	ProjectCacheTTLEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PROJECTCACHETTL"

	// AcceptSchema2EnvVar is a boolean environment variable that allows to accept manifest schema v2
	// on manifest put requests.
	AcceptSchema2EnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ACCEPTSCHEMA2"

	// BlobRepositoryCacheTTLEnvVar  is an environment variable specifying an eviction timeout for <blob
	// belongs to repository> entries. The higher the value, the faster queries but also a higher risk of
	// leaking a blob that is no longer tagged in given repository.
	BlobRepositoryCacheTTLEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_BLOBREPOSITORYCACHETTL"

	// Pullthrough is a boolean environment variable that controls whether pullthrough is enabled.
	PullthroughEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PULLTHROUGH"

	// MirrorPullthrough is a boolean environment variable that controls mirroring of blobs on pullthrough.
	MirrorPullthroughEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_MIRRORPULLTHROUGH"
)

Variables

View Source
var (
	// Challenging errors
	ErrTokenRequired         = errors.New("authorization header required")
	ErrTokenInvalid          = errors.New("failed to decode credentials")
	ErrOpenShiftAccessDenied = errors.New("access denied")

	// Non-challenging errors
	ErrNamespaceRequired   = errors.New("repository namespace required")
	ErrUnsupportedAction   = errors.New("unsupported action")
	ErrUnsupportedResource = errors.New("unsupported resource")
)

Errors used and exported by this package.

View Source
var (
	ErrorCodeSignatureInvalid = errcode.Register(errGroup, errcode.ErrorDescriptor{
		Value:          "SIGNATURE_INVALID",
		Message:        "invalid image signature",
		HTTPStatusCode: http.StatusBadRequest,
	})

	ErrorCodeSignatureAlreadyExists = errcode.Register(errGroup, errcode.ErrorDescriptor{
		Value:          "SIGNATURE_EXISTS",
		Message:        "image signature already exists",
		HTTPStatusCode: http.StatusConflict,
	})
)
View Source
var DefaultRegistryClient = NewRegistryClient(clientcmd.NewConfig().BindToFile())

DefaultRegistryClient is exposed for testing the registry with fake client.

Functions

func AuthPerformed added in v1.3.0

func AuthPerformed(ctx context.Context) bool

func BlobDispatcher added in v0.5.3

func BlobDispatcher(ctx *handlers.Context, r *http.Request) http.Handler

BlobDispatcher takes the request context and builds the appropriate handler for handling blob requests.

func DeferredErrorsFrom added in v1.3.0

func DeferredErrorsFrom(ctx context.Context) (deferredErrors, bool)

func NewTokenHandler added in v1.3.0

func NewTokenHandler(ctx context.Context, client RegistryClient) http.Handler

NewTokenHandler returns a handler that implements the docker token protocol

func RegisterSignatureHandler added in v1.5.0

func RegisterSignatureHandler(app *handlers.App)

RegisterSignatureHandler registers the Docker image signature extension to Docker registry.

func RemoteBlobAccessCheckEnabledFrom added in v1.5.0

func RemoteBlobAccessCheckEnabledFrom(ctx context.Context) bool

func RepositoryFrom added in v1.3.0

func RepositoryFrom(ctx context.Context) (repo *repository, found bool)

func SignatureDispatcher added in v1.5.0

func SignatureDispatcher(ctx *handlers.Context, r *http.Request) http.Handler

SignatureDispatcher handles the GET and PUT requests for signature endpoint.

func TokenRealm added in v1.3.0

func TokenRealm(options map[string]interface{}) (*url.URL, error)

TokenRealm returns the template URL to use as the token realm redirect. An empty scheme/host in the returned URL means to match the scheme/host on incoming requests.

func UserClientFrom

func UserClientFrom(ctx context.Context) (client.Interface, bool)

func WithAuthPerformed added in v1.3.0

func WithAuthPerformed(parent context.Context) context.Context

func WithDeferredErrors added in v1.3.0

func WithDeferredErrors(parent context.Context, errs deferredErrors) context.Context

func WithRemoteBlobAccessCheckEnabled added in v1.5.0

func WithRemoteBlobAccessCheckEnabled(parent context.Context, enable bool) context.Context

func WithRepository added in v1.3.0

func WithRepository(parent context.Context, repo *repository) context.Context

func WithUserClient

func WithUserClient(parent context.Context, userClient client.Interface) context.Context

func WithUserInfoLogger added in v1.5.0

func WithUserInfoLogger(ctx context.Context, username, userid string) context.Context

WithUserInfoLogger creates a new context with provided user infomation.

Types

type AccessController

type AccessController struct {
	// contains filtered or unexported fields
}

func (*AccessController) Authorized

func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...registryauth.Access) (context.Context, error)

Authorized handles checking whether the given request is authorized for actions on resources allowed by openshift. Sources of access records:

origin/pkg/cmd/dockerregistry/dockerregistry.go#Execute
docker/distribution/registry/handlers/app.go#appendAccessRecords

type BlobGetterService added in v1.5.0

BlobGetterService combines the operations to access and read blobs.

func NewBlobGetterService added in v1.5.0

func NewBlobGetterService(
	namespace, name string,
	cacheTTL time.Duration,
	imageStreamGetter ImageStreamGetter,
	isSecretsNamespacer osclient.ImageStreamSecretsNamespacer,
	cachedLayers digestToRepositoryCache,
) BlobGetterService

NewBlobGetterService returns a getter for remote blobs. Its cache will be shared among different middleware wrappers, which is a must at least for stat calls made on manifest's dependencies during its verification.

type ByGeneration added in v1.3.0

type ByGeneration []*imageapi.TagEvent

ByGeneration allows for sorting tag events from latest to oldest.

func (ByGeneration) Len added in v1.3.0

func (b ByGeneration) Len() int

func (ByGeneration) Less added in v1.3.0

func (b ByGeneration) Less(i, j int) bool

func (ByGeneration) Swap added in v1.3.0

func (b ByGeneration) Swap(i, j int)

type ImageStreamGetter added in v1.5.0

type ImageStreamGetter func() (*imageapi.ImageStream, error)

type ManifestHandler added in v1.3.3

type ManifestHandler interface {
	// FillImageMetadata fills a given image with metadata parsed from manifest. It also corrects layer sizes
	// with blob sizes. Newer Docker client versions don't set layer sizes in the manifest schema 1 at all.
	// Origin master needs correct layer sizes for proper image quota support. That's why we need to fill the
	// metadata in the registry.
	FillImageMetadata(ctx context.Context, image *imageapi.Image) error

	// Manifest returns a deserialized manifest object.
	Manifest() distribution.Manifest

	// Payload returns manifest's media type, complete payload with signatures and canonical payload without
	// signatures or an error if the information could not be fetched.
	Payload() (mediaType string, payload []byte, canonical []byte, err error)

	// Verify returns an error if the contained manifest is not valid or has missing dependencies.
	Verify(ctx context.Context, skipDependencyVerification bool) error

	// Digest returns manifest's digest
	Digest() (manifestDigest digest.Digest, err error)
}

A ManifestHandler defines a common set of operations on all versions of manifest schema.

func NewManifestHandler added in v1.3.3

func NewManifestHandler(repo *repository, manifest distribution.Manifest) (ManifestHandler, error)

NewManifestHandler creates a manifest handler for the given manifest.

func NewManifestHandlerFromImage added in v1.3.3

func NewManifestHandlerFromImage(repo *repository, image *imageapi.Image) (ManifestHandler, error)

NewManifestHandlerFromImage creates a new manifest handler for a manifest stored in the given image.

type RegistryClient added in v1.1.4

type RegistryClient interface {
	// Clients return the authenticated clients to use with the server.
	Clients() (client.Interface, kclientset.Interface, error)
	// SafeClientConfig returns a client config without authentication info.
	SafeClientConfig() restclient.Config
}

RegistryClient encapsulates getting access to the OpenShift API.

func NewRegistryClient added in v1.1.4

func NewRegistryClient(config *clientcmd.Config) RegistryClient

NewRegistryClient creates a registry client.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL