Commit Graph

1925 Commits

Author SHA1 Message Date
Marcus Martins
db1bf93098 Add leeway to JWT nbf and exp checking
Adds a constant leeway (60 seconds) to the nbf and exp claim check to
account for clock skew between the registry servers and the
authentication server that generated the JWT.

The leeway of 60 seconds is a bit arbitrary but based on the RFC
recommendation and hub.docker.com logs/metrics where we don't see
drifts of more than a second on our servers running ntpd.

I didn't attempt to make the leeway configurable as it would add extra
complexity to the PR and I am not sure how Distribution prefers to
handle runtime flags like that.

Also, I am simplifying the exp and nbf check for readability as the
previous `NOT (A AND B)` with cmp operators was not very friendly.

Ref:
https://tools.ietf.org/html/rfc7519#section-4.1.5

Signed-off-by: Marcus Martins <marcus@docker.com>
2016-07-18 17:47:30 -07:00
Richard Scothern
ba927007b0 Merge pull request #1677 from RichardScothern/tonyhb-fix-s3-gc-error
Move GC into storage package and add tests
2016-04-28 14:09:58 -07:00
Richard Scothern
a7dda2ce93 Merge pull request #1665 from andrewhsu/middleware-redirect
add middleware storage driver for redirect
2016-04-27 15:05:52 -07:00
Richard Scothern
69ba30dc03 Add a test with a missing _manifests directory
Signed-off-by: Richard Scothern <richard.scothern@docker.com>
2016-04-27 13:34:25 -07:00
Richard Scothern
ea492aca1a Move garbage collect code into storage package
Signed-off-by: Richard Scothern <richard.scothern@docker.com>
2016-04-27 13:34:25 -07:00
Tony Holdstock-Brown
a5aaae1f06 Ensure GC continues marking if _manifests is nonexistent
Signed-off-by: Tony Holdstock-Brown <tony@docker.com>
2016-04-27 13:33:36 -07:00
Richard Scothern
6a992e1348 Merge pull request #1675 from sergeyfd/master
Fix wording for dry-run flag in usage message for garbage collector.
2016-04-27 10:08:53 -07:00
Serge Dubrouski
32193bdcf0 Fix wording for dry-run flag in usage message for garbage collector.
Signed-off-by: Serge Dubrouski <sergeyfd@gmail.com>
2016-04-26 19:44:23 -06:00
Andrew Hsu
09a9b0cf90 separate the go/non-go imports and reorder
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-26 14:33:54 -07:00
Richard Scothern
47d14555c0 Merge pull request #1644 from fh1ch/clarify-kid-format
Clarify kid format for JWT token auth in docs
2016-04-25 17:01:15 -07:00
Richard Scothern
d654cfd985 Merge pull request #1623 from dmcgowan/docker-integration-readme
Integration test readme update
2016-04-25 16:10:19 -07:00
Richard Scothern
c83afea0c9 Merge pull request #1660 from jhaohai/cn-north-1-fix
Add cn-north-1 to valid check
2016-04-25 16:07:54 -07:00
Richard Scothern
ef32134592 Merge pull request #1666 from sergeyfd/master
Add blobWrtiter.Close() call into blobWriter.Commit()
2016-04-25 16:02:48 -07:00
Richard Scothern
96f796fb01 Merge pull request #1670 from vadmeste/fix_parts_sorting
s3 driver: Sorting completed parts by part number for a better accordance with S3 spec
2016-04-25 16:02:17 -07:00
Andrew Hsu
c4df027d41 modify redirect test to include port
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-25 11:52:46 -07:00
Andrew Hsu
fe9509f8f3 added config doc for redirect middleware
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-25 11:52:39 -07:00
Andrew Hsu
80248c3d3a scheme and host mandatory in baseurl
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-25 11:52:25 -07:00
Andrew Hsu
059bc5f5ef separate the go/non-go imports and reorder
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-25 11:52:03 -07:00
Anis Elleuch
987faca8a6 Sorting completed parts by part number for a better accordance with the S3 spec
Signed-off-by: Anis Elleuch <vadmeste@gmail.com>
2016-04-23 22:36:04 +01:00
Serge Dubrouski
21f38a74e6 Add blobWrtiter.Close() call into blobWriter.Commit()
Signed-off-by: Serge Dubrouski <sergeyfd@gmail.com>
2016-04-22 19:23:17 -06:00
Andrew Hsu
4b217ccbf5 add middleware storage driver for redirect
Signed-off-by: Andrew Hsu <andrewhsu@acm.org> (github: andrewhsu)
2016-04-21 16:02:52 -07:00
jhaohai
f76c622d8c add cn-north-1 to valid check
Signed-off-by: jhaohai <jhaohai@foxmail.com>
2016-04-21 11:51:34 +08:00
Richard Scothern
cd27f179f2 Merge pull request #1635 from hopkings2008/notifytype
use context.GetLogger to replace logrus in listener
2016-04-19 10:04:23 -07:00
Fabio Huser
17756eb43e Clarify kid format for JWT token auth in docs
The kid value can have an arbitrary format according to the JOSE specification, but Docker distribution expects a specific format (libtrust fingerprint) to work. This is not written in the documentation so far and is only mentioned in the libtrust source code itself.

Signed-off-by: Fabio Huser <fabio@fh1.ch>
2016-04-17 12:04:15 +02:00
Richard Scothern
9d491698cc Merge pull request #1641 from RichardScothern/ifollowtherules
Correction for JSON example.
2016-04-15 09:52:20 -07:00
Richard Scothern
b72d74464a Correction for JSON example.
Signed-off-by: Richard Scothern <richard.scothern@docker.com>
2016-04-15 09:22:44 -07:00
yuzou
f2686b8db4 use context.GetLogger to replace logrus in listener
Signed-off-by: yuzou <zouyu7@huawei.com>
2016-04-15 11:18:26 +08:00
Richard Scothern
05b0ab0302 Merge pull request #1630 from hopkings2008/notifytype
fix typo for log message of layer push event in blobServiceListener…
2016-04-14 10:39:58 -07:00
yuzou
098005177f fix typo for log message of layer push event in blobServiceListener Put function.
Signed-off-by: yuzou <zouyu7@huawei.com>
2016-04-14 16:41:35 +08:00
Richard Scothern
e90ff92895 Merge pull request #1625 from moxiegirl/fix-1598
Updated per conversation with Richard
2016-04-13 09:46:43 -07:00
Mary Anthony
6bce49d51d Updated per conversation with Richard
Removing draft
Richard's comments and some fixes

Signed-off-by: Mary Anthony <mary@docker.com>
2016-04-13 06:43:11 -07:00
Derek McGowan
ab2394446c Integration test readme update
Updates the readme to mention running the tests using golem.
Also provides instructions for making test development easier.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-04-12 14:03:56 -07:00
Richard Scothern
c6f63e298e Merge pull request #1619 from RichardScothern/gc-docs
Extend garbage collection documentation.
2016-04-12 10:25:43 -07:00
Richard Scothern
f9bcbd44ca Extend garbage collection documentation.
Signed-off-by: Richard Scothern <richard.scothern@docker.com>
2016-04-11 17:43:25 -07:00
Richard Scothern
467fc068d8 Merge pull request #1622 from aaronlehmann/schema2-config-mediatype
Use correct media type for config blob in schema2 manifest
2016-04-11 17:23:03 -07:00
Aaron Lehmann
2de3f1a62a Use correct media type for config blob in schema2 manifest
The schema2 manifest builder fills in this part of the manifest based on
the descriptor it gets back from BlobIngester's Put method. It passes
the correct media type to Put, but Put ends up replacing this value with
application/octet-stream in its return value.

This commit works around the issue in the manifest builder. Arguably Put
should not be changing the media type in its return value, but this
commit is a targeted fix to keep it very low-risk for possible inclusion
in Docker 1.11.

Fixes #1621 (but maybe we should open a separate issue for the media
type behavior in the distribution client, and the unnecessary stat).

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-04-11 17:05:41 -07:00
Richard Scothern
4c119524f1 Merge pull request #1604 from ArdaXi/custom-s3-skip-region-check
Only check validity of S3 region if not using custom endpoint
2016-04-08 15:38:24 -07:00
Richard Scothern
437eeeda44 Merge pull request #1605 from majewsky/swift/deal-with-outdated-container-listings
registry/storage/swift: detect and fix outdated container listings
2016-04-08 15:38:06 -07:00
Richard Scothern
55f1b7651f Merge pull request #1590 from RichardScothern/s3-permission-scopes
Document required IAM permissions for S3 storage driver.
2016-04-06 14:46:12 -07:00
Richard Scothern
e4817cfc94 Remove ListAllMyBuckets from the S3 permission scope.
Signed-off-by: Richard Scothern <richard.scothern@docker.com>
2016-04-06 14:22:08 -07:00
Stefan Majewsky
67321cb622 detect outdated container listings during Stat() and getAllSegments()
Signed-off-by: Stefan Majewsky <stefan.majewsky@sap.com>
2016-04-06 15:21:27 +02:00
Arien Holthuizen
dbb6e28da2 Only check validity of S3 region if not using custom endpoint
Signed-off-by: Arien Holthuizen <aholthuizen@schubergphilis.com>
2016-04-06 13:38:09 +02:00
Richard Scothern
27e0be3e95 Merge pull request #1583 from dmcgowan/golem-integration-tests
Update docker integration tests to use golem
2016-04-05 15:38:01 -07:00
Richard Scothern
75e55632fd Merge pull request #1597 from tonyhb/log-upload-copy-errors
Ensure we log io.Copy errors and bytes copied/total in uploads
2016-04-05 09:46:12 -07:00
Derek McGowan
2ea61dc04f Add temporary cache directory
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-04-04 19:57:40 -07:00
Derek McGowan
17f7f60d77 Update docker integration tests to use golem
Use registry example from golem repository.
Use the golem test runner for the docker integration environment

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-04-04 19:57:40 -07:00
Tony Holdstock-Brown
25c5efdef9 Ensure we log io.Copy errors and bytes copied/total in uploads
Signed-off-by: Tony Holdstock-Brown <tony@docker.com>
2016-04-04 17:21:36 -07:00
Richard Scothern
20fa47886d Merge pull request #1592 from estesp/manifest-spec-example-fix
Correct examples and architecture references in v2.2 spec
2016-04-04 10:39:54 -07:00
Phil Estes
bf9f80eaff Correct examples and architecture references in v2.2 spec
Add link to the official list of $GOOS and $GOARCH values and correct
values that were incorrectly listed in the spec examples.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-04-03 17:50:22 -04:00
Olivier Gambier
ff6f38ccb6 Merge pull request #1588 from aaronlehmann/golint-godep-location
Makefile: don't look for golint and godep in specific places
2016-03-31 15:21:40 -07:00