Documentation ¶
Overview ¶
Package server wraps repository and blob store objects of docker/distribution upstream. Most significantly, the wrappers cause manifests to be stored in OpenShift's etcd store instead of registry's storage. Registry's middleware API is utilized to register the object factories.
Module with quotaRestrictedBlobStore defines a wrapper for upstream blob store that does an image quota and limits check before committing image layer to a registry. Master server contains admission check that will refuse the manifest if the image exceeds whatever quota or limit set. But the check occurs too late (after the layers are written). This addition allows us to refuse the layers and thus keep the storage clean.
*Note*: Here, we take into account just a single layer, not the image as a whole because the layers are uploaded before the manifest. This leads to a situation where several layers can be written until a big enough layer will be received that exceeds the limit.
Index ¶
- Constants
- Variables
- func NewApp(ctx context.Context, registryClient client.RegistryClient, ...) http.Handler
- func NewSignatureDispatcher(isImageClient client.ImageStreamImagesNamespacer) func(*handlers.Context, *http.Request) http.Handler
- func NewTokenHandler(ctx context.Context, client client.RegistryClient) http.Handler
- func RegisterMetricHandler(app *handlers.App)
- func RegisterSignatureHandler(app *handlers.App, isImageClient client.ImageStreamImagesNamespacer)
- func TokenRealm(options map[string]interface{}) (*url.URL, error)
- func WithUserInfoLogger(ctx context.Context, username, userid string) context.Context
- type AccessController
- type App
- type BlobGetterService
- type ByGeneration
- type ErrManifestBlobBadSize
- type ImageStreamGetter
- type ManifestHandler
Constants ¶
const ( RealmKey = "realm" TokenRealmKey = "tokenrealm" )
const ( // DockerRegistryURLEnvVar is a mandatory environment variable name specifying url of internal docker // registry. All references to pushed images will be prefixed with its value. // DEPRECATED: Use the OPENSHIFT_DEFAULT_REGISTRY instead. DockerRegistryURLEnvVar = "DOCKER_REGISTRY_URL" // DockerRegistryURLEnvVarOption is an optional environment that overrides the // DOCKER_REGISTRY_URL. DockerRegistryURLEnvVarOption = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_DOCKERREGISTRYURL" // OpenShiftDefaultRegistry overrides the DockerRegistryURLEnvVar as in OpenShift the // default registry URL is controller by this environment variable. OpenShiftDefaultRegistryEnvVar = "OPENSHIFT_DEFAULT_REGISTRY" // EnforceQuotaEnvVar is a boolean environment variable that allows to turn quota enforcement on or off. // By default, quota enforcement is off. It overrides openshift middleware configuration option. // Recognized values are "true" and "false". EnforceQuotaEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA" // ProjectCacheTTLEnvVar is an environment variable specifying an eviction timeout for project quota // objects. It takes a valid time duration string (e.g. "2m"). If empty, you get the default timeout. If // zero (e.g. "0m"), caching is disabled. ProjectCacheTTLEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PROJECTCACHETTL" // AcceptSchema2EnvVar is a boolean environment variable that allows to accept manifest schema v2 // on manifest put requests. AcceptSchema2EnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ACCEPTSCHEMA2" // BlobRepositoryCacheTTLEnvVar is an environment variable specifying an eviction timeout for <blob // belongs to repository> entries. The higher the value, the faster queries but also a higher risk of // leaking a blob that is no longer tagged in given repository. BlobRepositoryCacheTTLEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_BLOBREPOSITORYCACHETTL" // Pullthrough is a boolean environment variable that controls whether pullthrough is enabled. PullthroughEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PULLTHROUGH" // MirrorPullthrough is a boolean environment variable that controls mirroring of blobs on pullthrough. MirrorPullthroughEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_MIRRORPULLTHROUGH" )
Environment variables.
Variables ¶
var ( // Challenging errors ErrTokenRequired = errors.New("authorization header required") ErrTokenInvalid = errors.New("failed to decode credentials") ErrOpenShiftAccessDenied = errors.New("access denied") // Non-challenging errors ErrNamespaceRequired = errors.New("repository namespace required") ErrUnsupportedAction = errors.New("unsupported action") ErrUnsupportedResource = errors.New("unsupported resource") )
Errors used and exported by this package.
var ( ErrorCodeSignatureInvalid = errcode.Register(errGroup, errcode.ErrorDescriptor{ Value: "SIGNATURE_INVALID", Message: "invalid image signature", HTTPStatusCode: http.StatusBadRequest, }) ErrorCodeSignatureAlreadyExists = errcode.Register(errGroup, errcode.ErrorDescriptor{ Value: "SIGNATURE_EXISTS", Message: "image signature already exists", HTTPStatusCode: http.StatusConflict, }) )
Functions ¶
func NewApp ¶
func NewApp(ctx context.Context, registryClient client.RegistryClient, dockerConfig *configuration.Configuration, extraConfig *registryconfig.Configuration, writeLimiter maxconnections.Limiter) http.Handler
NewApp configures the registry application and returns http.Handler for it. The program will be terminated if an error happens.
func NewSignatureDispatcher ¶
func NewSignatureDispatcher(isImageClient client.ImageStreamImagesNamespacer) func(*handlers.Context, *http.Request) http.Handler
NewSignatureDispatcher provides a function that handles the GET and PUT requests for signature endpoint.
func NewTokenHandler ¶ added in v1.3.0
NewTokenHandler returns a handler that implements the docker token protocol
func RegisterMetricHandler ¶
func RegisterSignatureHandler ¶
func RegisterSignatureHandler(app *handlers.App, isImageClient client.ImageStreamImagesNamespacer)
RegisterSignatureHandler registers the Docker image signature extension to Docker registry.
func TokenRealm ¶ added in v1.3.0
TokenRealm returns the template URL to use as the token realm redirect. An empty scheme/host in the returned URL means to match the scheme/host on incoming requests.
Types ¶
type AccessController ¶
type AccessController struct {
// contains filtered or unexported fields
}
func (*AccessController) Authorized ¶
func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...registryauth.Access) (context.Context, error)
Authorized handles checking whether the given request is authorized for actions on resources allowed by openshift. Sources of access records:
origin/pkg/cmd/dockerregistry/dockerregistry.go#Execute docker/distribution/registry/handlers/app.go#appendAccessRecords
type App ¶
type App struct {
// contains filtered or unexported fields
}
App is a global registry application object. Shared resources can be placed on this object that will be accessible from all requests.
type BlobGetterService ¶
type BlobGetterService interface { distribution.BlobStatter distribution.BlobProvider distribution.BlobServer }
BlobGetterService combines the operations to access and read blobs.
func NewBlobGetterService ¶
func NewBlobGetterService( namespace, name string, cacheTTL time.Duration, imageStreamGetter ImageStreamGetter, isSecretsNamespacer client.ImageStreamSecretsNamespacer, cachedLayers digestToRepositoryCache, ) BlobGetterService
NewBlobGetterService returns a getter for remote blobs. Its cache will be shared among different middleware wrappers, which is a must at least for stat calls made on manifest's dependencies during its verification.
type ByGeneration ¶ added in v1.3.0
type ByGeneration []*imageapiv1.TagEvent
ByGeneration allows for sorting tag events from latest to oldest.
func (ByGeneration) Len ¶ added in v1.3.0
func (b ByGeneration) Len() int
func (ByGeneration) Less ¶ added in v1.3.0
func (b ByGeneration) Less(i, j int) bool
func (ByGeneration) Swap ¶ added in v1.3.0
func (b ByGeneration) Swap(i, j int)
type ErrManifestBlobBadSize ¶
ErrManifestBlobBadSize is returned when the blob size in a manifest does not match the actual size. The docker/distribution does not check this and therefore does not provide an error for this.
func (ErrManifestBlobBadSize) Error ¶
func (err ErrManifestBlobBadSize) Error() string
type ImageStreamGetter ¶
type ImageStreamGetter func() (*imageapiv1.ImageStream, error)
type ManifestHandler ¶ added in v1.3.3
type ManifestHandler interface { // Config returns a blob with image configuration associated with the manifest. This applies only to // manifet schema 2. Config(ctx context.Context) ([]byte, error) // Digest returns manifest's digest. Digest() (manifestDigest digest.Digest, err error) // Manifest returns a deserialized manifest object. Manifest() distribution.Manifest // Layers returns image layers and a value for the dockerLayersOrder annotation. Layers(ctx context.Context) (order string, layers []imageapiv1.ImageLayer, err error) // Payload returns manifest's media type, complete payload with signatures and canonical payload without // signatures or an error if the information could not be fetched. Payload() (mediaType string, payload []byte, canonical []byte, err error) // Verify returns an error if the contained manifest is not valid or has missing dependencies. Verify(ctx context.Context, skipDependencyVerification bool) error }
A ManifestHandler defines a common set of operations on all versions of manifest schema.
func NewManifestHandler ¶ added in v1.3.3
func NewManifestHandler(repo *repository, manifest distribution.Manifest) (ManifestHandler, error)
NewManifestHandler creates a manifest handler for the given manifest.
func NewManifestHandlerFromImage ¶ added in v1.3.3
func NewManifestHandlerFromImage(repo *repository, image *imageapiv1.Image) (ManifestHandler, error)
NewManifestHandlerFromImage creates a new manifest handler for a manifest stored in the given image.
Source Files ¶
- admin.go
- app.go
- auth.go
- blobdescriptorservice.go
- context.go
- digestcache.go
- errorblobstore.go
- errormanifestservice.go
- errortagservice.go
- init.go
- manifesthandler.go
- manifestschema1handler.go
- manifestschema2handler.go
- manifestservice.go
- metrichandler.go
- projectcache.go
- pullthroughblobstore.go
- pullthroughmanifestservice.go
- quotarestrictedblobstore.go
- remoteblobgetter.go
- repository.go
- repositoryconfig.go
- signaturedispatcher.go
- signaturehandler.go
- tagservice.go
- token.go
- util.go
Directories ¶
Path | Synopsis |
---|---|
Package api describes routes and urls that extends the Registry JSON HTTP API.
|
Package api describes routes and urls that extends the Registry JSON HTTP API. |
Package audit log the beginning and end of each API request to different logger.
|
Package audit log the beginning and end of each API request to different logger. |
Package client provides functions to make requests to external APIs.
|
Package client provides functions to make requests to external APIs. |
Package metrics provides functions to collect runtime registry statistics and expose the registered metrics via HTTP.
|
Package metrics provides functions to collect runtime registry statistics and expose the registered metrics via HTTP. |