diff --git a/api/client/cli.go b/api/client/cli.go index d80f9cc32c5ab..b513c943c189a 100644 --- a/api/client/cli.go +++ b/api/client/cli.go @@ -13,6 +13,7 @@ import ( flag "github.com/docker/docker/pkg/mflag" "github.com/docker/docker/pkg/term" "github.com/docker/docker/registry" + "github.com/docker/libtrust" ) type DockerCli struct { @@ -22,6 +23,7 @@ type DockerCli struct { in io.ReadCloser out io.Writer err io.Writer + key libtrust.PrivateKey isTerminal bool terminalFd uintptr tlsConfig *tls.Config @@ -78,7 +80,7 @@ func (cli *DockerCli) LoadConfigFile() (err error) { return err } -func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string, tlsConfig *tls.Config) *DockerCli { +func NewDockerCli(in io.ReadCloser, out, err io.Writer, key libtrust.PrivateKey, proto, addr string, tlsConfig *tls.Config) *DockerCli { var ( isTerminal = false terminalFd uintptr @@ -105,6 +107,7 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string, tlsC in: in, out: out, err: err, + key: key, isTerminal: isTerminal, terminalFd: terminalFd, tlsConfig: tlsConfig, diff --git a/api/client/commands.go b/api/client/commands.go index 29dbbc7290bde..6eb440259832c 100644 --- a/api/client/commands.go +++ b/api/client/commands.go @@ -37,6 +37,7 @@ import ( "github.com/docker/docker/registry" "github.com/docker/docker/runconfig" "github.com/docker/docker/utils" + "github.com/docker/libtrust" ) const ( 
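Review bot: The new `key libtrust.PrivateKey` field on DockerCli holds the user's signing identity but carries no comment saying what it is for or where it is consumed, and the matching `key` parameter added to NewDockerCli two hunks later is equally undocumented. I would add `// key is the libtrust private key CmdPush uses to sign image manifests before a push.` above the field, and a sentence on NewDockerCli's doc comment noting that the key is stored as given (nothing in this hunk rejects a nil key). The DockerCli struct and NewDockerCli both extend beyond the hunks shown.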
@@ -1153,6 +1154,26 @@ func (cli *DockerCli) CmdPush(args ...string) error { v := url.Values{} v.Set("tag", tag) + + body, _, err := readBody(cli.call("GET", "/images/"+remote+"/manifest?"+v.Encode(), nil, false)) + if err != nil { + return err + } + + js, err := libtrust.NewJSONSignature(body) + if err != nil { + return err + } + err = js.Sign(cli.key) + if err != nil { + return err + } + + signedBody, err := js.PrettySignature("buildSignatures") + if err != nil { + return err + } + push := func(authConfig registry.AuthConfig) error { buf, err := json.Marshal(authConfig) if err != nil { @@ -1162,7 +1183,7 @@ func (cli *DockerCli) CmdPush(args ...string) error { base64.URLEncoding.EncodeToString(buf), } - return cli.stream("POST", "/images/"+remote+"/push?"+v.Encode(), nil, cli.out, map[string][]string{ + return cli.stream("POST", "/images/"+remote+"/push?"+v.Encode(), bytes.NewReader(signedBody), cli.out, map[string][]string{ "X-Registry-Auth": registryAuthHeader, }) } diff --git a/api/server/server.go b/api/server/server.go index 906e3d8e386f6..94f92130e5a78 100644 --- a/api/server/server.go +++ b/api/server/server.go @@ -555,6 +555,18 @@ func getImagesSearch(eng *engine.Engine, version version.Version, w http.Respons return job.Run() } +func getImageManifest(eng *engine.Engine, version version.Version, w http.ResponseWriter, r *http.Request, vars map[string]string) error { + if err := parseForm(r); err != nil { + return err + } + + job := eng.Job("image_manifest", vars["name"]) + job.Setenv("tag", r.Form.Get("tag")) + job.Stdout.Add(utils.NewWriteFlusher(w)) + + return job.Run() +} + func postImagesPush(eng *engine.Engine, version version.Version, w http.ResponseWriter, r *http.Request, vars map[string]string) error { if vars == nil { return fmt.Errorf("Missing parameter") 
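Review bot: CmdPush signs whatever bytes the daemon returns from `/images/<remote>/manifest` with the user's identity key without checking that the document is a manifest for the `remote` and `tag` being pushed, so a misbehaving daemon (or anything that can answer on the daemon socket) obtains a signature over arbitrary JSON. Before `libtrust.NewJSONSignature(body)` I would decode the body and require its `tag` to equal `tag` and its `name` to be present; the daemon fills `name` with the registry-resolved repository name, which may differ from `remote` here, so compare it through the same resolution rather than directly. The signing block sits in the middle of CmdPush, whose start and end are outside the hunk.
```go
	// The daemon's reply is an input to the signing step: refuse to sign
	// anything that does not describe the tag this push was asked for.
	var m struct {
		Name string `json:"name"`
		Tag  string `json:"tag"`
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return fmt.Errorf("decoding manifest for %s:%s: %v", remote, tag, err)
	}
	if m.Name == "" || m.Tag != tag {
		return fmt.Errorf("manifest does not describe %s:%s", remote, tag)
	}
	// … unchanged: NewJSONSignature, Sign, PrettySignature …
```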
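Review bot: getImageManifest reads `vars["name"]` without the `if vars == nil { return fmt.Errorf("Missing parameter") }` guard that postImagesPush, visible just below in the same hunk, applies first; a nil map read is only a zero value in Go, but the job is then started with an empty name and the failure surfaces later and less clearly. Adding the same guard keeps the two image handlers consistent. A doc comment would also help: `// getImageManifest runs the image_manifest job for {name} with the optional ?tag= parameter and streams its output to the client.`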
@@ -586,9 +598,15 @@ func postImagesPush(eng *engine.Engine, version version.Version, w http.Response } } + manifest, err := ioutil.ReadAll(r.Body) + if err != nil { + return err + } + job := eng.Job("push", vars["name"]) job.SetenvJson("metaHeaders", metaHeaders) job.SetenvJson("authConfig", authConfig) + job.Setenv("manifest", string(manifest)) job.Setenv("tag", r.Form.Get("tag")) if version.GreaterThan("1.0") { job.SetenvBool("json", true) @@ -1105,6 +1123,7 @@ func createRouter(eng *engine.Engine, logging, enableCors bool, dockerVersion st "/images/json": getImagesJSON, "/images/viz": getImagesViz, "/images/search": getImagesSearch, + "/images/{name:.*}/manifest": getImageManifest, "/images/{name:.*}/get": getImagesGet, "/images/{name:.*}/history": getImagesHistory, "/images/{name:.*}/json": getImagesByName, diff --git a/docker/daemon.go b/docker/daemon.go index dc9d56d1d92a5..3c5666c7e2968 100644 --- a/docker/daemon.go +++ b/docker/daemon.go @@ -74,6 +74,7 @@ func mainDaemon() { job.Setenv("TlsCa", *flCa) job.Setenv("TlsCert", *flCert) job.Setenv("TlsKey", *flKey) + job.Setenv("TrustKey", *flTrustKey) job.SetenvBool("BufferRequests", true) if err := job.Run(); err != nil { log.Fatal(err) diff --git a/docker/docker.go b/docker/docker.go index f2b4ca90b1b87..6728fb1507dd7 100644 --- a/docker/docker.go +++ b/docker/docker.go @@ -15,12 +15,14 @@ import ( flag "github.com/docker/docker/pkg/mflag" "github.com/docker/docker/reexec" "github.com/docker/docker/utils" + "github.com/docker/libtrust" ) const ( - defaultCaFile = "ca.pem" - defaultKeyFile = "key.pem" - defaultCertFile = "cert.pem" + defaultCaFile = "ca.pem" + defaultKeyFile = "key.pem" + defaultCertFile = "cert.pem" + defaultTrustKeyFile = "key.json" ) func main() { 
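Review bot: `ioutil.ReadAll(r.Body)` reads an unbounded client-supplied body into memory, and `job.Setenv("manifest", string(manifest))` copies it a second time into the job environment, so one oversized push request can exhaust daemon memory. I would cap it with `manifest, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, maxManifestBytes))`, with `maxManifestBytes` a new package constant whose value needs choosing (the manifest embeds one JSON config per layer). Nothing here rejects an empty body, so a client that sends none passes an empty manifest on to the push job; postImagesPush begins outside the hunk.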
@@ -60,6 +62,17 @@ func main() { } protoAddrParts := strings.SplitN(flHosts[0], "://", 2) + trustKey, keyErr := libtrust.LoadKeyFile(*flTrustKey) + if keyErr == libtrust.ErrKeyFileDoesNotExist { + trustKey, keyErr = libtrust.GenerateECP256PrivateKey() + if keyErr == nil { + keyErr = libtrust.SaveKey(*flTrustKey, trustKey) + } + } + if keyErr != nil { + log.Fatal(keyErr) + } + var ( cli *client.DockerCli tlsConfig tls.Config @@ -94,9 +107,9 @@ func main() { } if *flTls || *flTlsVerify { - cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, protoAddrParts[0], protoAddrParts[1], &tlsConfig) + cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, trustKey, protoAddrParts[0], protoAddrParts[1], &tlsConfig) } else { - cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, protoAddrParts[0], protoAddrParts[1], nil) + cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, trustKey, protoAddrParts[0], protoAddrParts[1], nil) } if err := cli.Cmd(flag.Args()...); err != nil { diff --git a/docker/flags.go b/docker/flags.go index baae40eafcc11..41ef221d5a4aa 100644 --- a/docker/flags.go +++ b/docker/flags.go 
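Review bot: The identity key is loaded or generated on every CLI invocation and any failure is `log.Fatal`, so an unreadable `key.json` now breaks commands that never sign anything, and a fresh long-lived signing credential is created as a side effect of any command. I would confine the load to the path that needs a key (or at least not make the failure fatal), and when a key is generated tell the user where it went, e.g. `fmt.Fprintf(os.Stderr, "Generated identity key %s\n", *flTrustKey)` after the `SaveKey` call. Whether `SaveKey` writes the file with owner-only permissions is not visible here and should be confirmed in libtrust. main continues outside the hunk.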
@@ -28,13 +28,15 @@ var ( flTlsVerify = flag.Bool([]string{"-tlsverify"}, false, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)") // these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs - flCa *string - flCert *string - flKey *string - flHosts []string + flTrustKey *string + flCa *string + flCert *string + flKey *string + flHosts []string ) func init() { + flTrustKey = flag.String([]string{"i", "-identity"}, filepath.Join(dockerCertPath, defaultTrustKeyFile), "Path to libtrust key file") flCa = flag.String([]string{"-tlscacert"}, filepath.Join(dockerCertPath, defaultCaFile), "Trust only remotes providing a certificate signed by the CA given here") flCert = flag.String([]string{"-tlscert"}, filepath.Join(dockerCertPath, defaultCertFile), "Path to TLS certificate file") flKey = flag.String([]string{"-tlskey"}, filepath.Join(dockerCertPath, defaultKeyFile), "Path to TLS key file") diff --git a/graph/manifest.go b/graph/manifest.go new file mode 100644 index 0000000000000..3f956a2f889d6 --- /dev/null +++ b/graph/manifest.go 
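Review bot: The help text `"Path to libtrust key file"` does not tell the user what the key is for or that the CLI creates it when absent, which docker.go does in this commit. I would write `"Path to the identity (libtrust) private key used to sign pushed image manifests; generated if missing"` so the `-i/--identity` flag documents the credential it introduces.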
@@ -0,0 +1,104 @@ +package graph + +import ( + "encoding/json" + "fmt" + "io" + "io/ioutil" + "path" + + "github.com/docker/docker/engine" + "github.com/docker/docker/pkg/tarsum" + "github.com/docker/docker/registry" + "github.com/docker/docker/runconfig" +) + +func (s *TagStore) CmdManifest(job *engine.Job) engine.Status { + if len(job.Args) != 1 { + return job.Errorf("usage: %s NAME", job.Name) + } + name := job.Args[0] + tag := job.Getenv("tag") + if tag == "" { + tag = "latest" + } + + // Resolve the Repository name from fqn to endpoint + name + _, remoteName, err := registry.ResolveRepositoryName(name) + if err != nil { + return job.Error(err) + } + + manifest := map[string]interface{}{ + "name": remoteName, + "tag": tag, + } + localRepo, exists := s.Repositories[name] + if !exists { + return job.Errorf("Repo does not exist: %s", name) + } + + layerId, exists := localRepo[tag] + if !exists { + return job.Errorf("Tag does not exist for %s: %s", name, tag) + } + tarsums := make([]string, 0, 4) + layersSeen := make(map[string]bool) + + layer, err := s.graph.Get(layerId) + manifest["architecture"] = layer.Architecture + var metadata runconfig.Config + metadata = *layer.Config + history := make(map[string]string) + + for ; layer != nil; layer, err = layer.GetParent() { + if err != nil { + return job.Error(err) + } + + if layersSeen[layer.ID] { + break + } + if layer.Config != nil && metadata.Image != layer.ID { + err = runconfig.Merge(&metadata, layer.Config) + if err != nil { + return job.Error(err) + } + } + archive, err := layer.TarLayer() + if err != nil { + return job.Error(err) + } + + tarSum := &tarsum.TarSum{Reader: archive, DisableCompression: true} + if _, err := io.Copy(ioutil.Discard, tarSum); err != nil { + return job.Error(err) + } + + layersSeen[layer.ID] = true + tarId := tarSum.Sum(nil) + tarsums = append(tarsums, tarId) + + jsonData, err := ioutil.ReadFile(path.Join(s.graph.Root, layer.ID, "json")) + if err != nil { + return 
job.Error(fmt.Errorf("Cannot retrieve the path for {%s}: %s", layer.ID, err)) + } + history[tarId] = string(jsonData) + } + + manifest["tarsum"] = tarsums + manifest["metadata"] = &metadata + manifest["history"] = history + + manifestBytes, err := json.MarshalIndent(manifest, "", " ") + if err != nil { + return job.Error(err) + } + + _, err = job.Stdout.Write(manifestBytes) + if err != nil { + return job.Error(err) + } + + return engine.StatusOK +} diff --git a/graph/push.go b/graph/push.go index 39c77e4a81bfa..936c1389076fc 100644 --- a/graph/push.go +++ b/graph/push.go @@ -2,7 +2,6 @@ package graph import ( "bytes" - "encoding/json" "fmt" "io" "io/ioutil" @@ -64,7 +63,7 @@ func (s *TagStore) getImageList(localRepo map[string]string, requestedTag string return imageList, tagsByImage, nil } -func (s *TagStore) pushRepository(r *registry.Session, out io.Writer, localName, remoteName string, localRepo map[string]string, tag string, sf *utils.StreamFormatter) error { +func (s *TagStore) pushRepository(r *registry.Session, out io.Writer, localName, remoteName, manifest string, localRepo map[string]string, tag string, sf *utils.StreamFormatter) error { out = utils.NewWriteFlusher(out) log.Debugf("Local repo: %s", localRepo) imgList, tagsByImage, err := s.getImageList(localRepo, tag) @@ -123,7 +122,7 @@ func (s *TagStore) pushRepository(r *registry.Session, out io.Writer, localName, if r.LookupRemoteImage(imgId, ep, repoData.Tokens) { out.Write(sf.FormatStatus("", "Image %s already pushed, skipping", utils.TruncateID(imgId))) } else { - if _, err := s.pushImage(r, out, remoteName, imgId, ep, repoData.Tokens, sf); err != nil { + if _, err := s.pushImage(r, out, remoteName, imgId, ep, manifest, repoData.Tokens, sf); err != nil { // FIXME: Continue on error? return err } 
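Review bot: In CmdManifest the error from `s.graph.Get(layerId)` is never checked before `layer.Architecture` and `*layer.Config` are dereferenced, so a lookup failure (assuming Get returns a nil image with its error) or an image whose `Config` is nil — a case the loop below explicitly allows — panics the job instead of returning an error. Because the loop condition is `layer != nil`, a `GetParent` call that returns a nil layer together with an error also ends the loop silently, and a truncated `tarsum`/`history` list is then emitted and later signed by the client; an `if err != nil` check after the loop closes that gap. `archive` from `layer.TarLayer()` is never closed, if it is a ReadCloser (not visible here). The rewrite below adds the three checks; the loop body is unchanged.
```go
	layer, err := s.graph.Get(layerId)
	if err != nil {
		return job.Error(err)
	}
	manifest["architecture"] = layer.Architecture
	var metadata runconfig.Config
	if layer.Config != nil {
		metadata = *layer.Config
	}
	history := make(map[string]string)

	for ; layer != nil; layer, err = layer.GetParent() {
		// … unchanged: per-layer merge, tarsum and history collection …
	}
	// GetParent returning (nil, err) ends the loop without entering the
	// body; surface it instead of emitting a truncated manifest.
	if err != nil {
		return job.Error(err)
	}
	// … unchanged: manifest assembly and write to job.Stdout …
```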
@@ -146,7 +145,7 @@ func (s *TagStore) pushRepository(r *registry.Session, out io.Writer, localName, return nil } -func (s *TagStore) pushImage(r *registry.Session, out io.Writer, remote, imgID, ep string, token []string, sf *utils.StreamFormatter) (checksum string, err error) { +func (s *TagStore) pushImage(r *registry.Session, out io.Writer, remote, imgID, ep, manifest string, token []string, sf *utils.StreamFormatter) (checksum string, err error) { out = utils.NewWriteFlusher(out) jsonRaw, err := ioutil.ReadFile(path.Join(s.graph.Root, imgID, "json")) if err != nil { @@ -157,6 +156,7 @@ func (s *TagStore) pushImage(r *registry.Session, out io.Writer, remote, imgID, imgData := ®istry.ImgData{ ID: imgID, } + log.Debugf("Pushing images %s to %s\n%s", imgID, remote, manifest) // Send the json if err := r.PushImageJSONRegistry(imgData, jsonRaw, ep, token); err != nil { @@ -204,6 +204,7 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status { ) tag := job.Getenv("tag") + manifest := job.Getenv("manifest") job.GetenvJson("authConfig", authConfig) job.GetenvJson("metaHeaders", &metaHeaders) if _, err := s.poolAdd("push", localName); err != nil { @@ -243,7 +244,6 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status { // XXX wait this requires having the TarSum of the layer.tar first // skip this step for now. Just push the layer every time for this naive implementation //shouldPush, err := r.PostV2ImageMountBlob(imageName, sumType, sum string, token []string) - var manifestData = make(map[string][]byte) // XXX unfortunately this goes from child to parent, // but the list of blobs in the manifest is expected to go parent to child 
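Review bot: `log.Debugf("Pushing images %s to %s\n%s", imgID, remote, manifest)` writes the complete signed manifest to the daemon log on every image push; its `history` map embeds each layer's full JSON config, so environment variables and other image configuration land in the log. The `SUCH MANIFEST` Debugf in the @@ -274 hunk of graph/push.go has the same problem. I would log only its size, `log.Debugf("Pushing image %s to %s (manifest %d bytes)", imgID, remote, len(manifest))`, and note that within the visible lines the new `manifest` parameter of pushImage serves no other purpose. pushImage's body continues outside the hunk.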
@@ -274,40 +274,14 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status { log.Debugf("imgID: %q, serverChecksum: %q, localChecksum: %q", img.ID, serverChecksum, localChecksum) } - // So dumb. This should be a call to the image.Image RawJson() - manifestData[localChecksum], err = ioutil.ReadFile(path.Join(s.graph.Root, imgID, "json")) - if err != nil { - return job.Error(fmt.Errorf("Cannot retrieve the path for {%s}: %s", imgID, err)) - } } // Next, produce the merged/flattened "image json" // ... - // Next, produce the manifest - blobSums := []string{} - for k := range manifestData { - blobSums = append(blobSums, k) - } - manifest := struct { - Name string - BlobSums []string - History []map[string][]byte - }{ - Name: remoteName, - BlobSums: blobSums, - History: []map[string][]byte{ - manifestData, - }, - } - manifestBuf, err := json.Marshal(manifest) - if err != nil { - return job.Error(err) - } - // Next, push the manifest - log.Debugf("SUCH MANIFEST %s:%s -- %s", localName, tag, manifestBuf) - err = r.PutV2ImageManifest(remoteName, tag, bytes.NewReader(manifestBuf), nil) + log.Debugf("SUCH MANIFEST %s:%s -- %s", localName, tag, manifest) + err = r.PutV2ImageManifest(remoteName, tag, bytes.NewReader([]byte(manifest)), nil) if err != nil { return job.Error(err) } @@ -324,7 +298,7 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status { job.Stdout.Write(sf.FormatStatus("", "The push refers to a repository [%s] (len: %d)", localName, reposLen)) // If it fails, try to get the repository if localRepo, exists := s.Repositories[localName]; exists { - if err := s.pushRepository(r, job.Stdout, localName, remoteName, localRepo, tag, sf); err != nil { + if err := s.pushRepository(r, job.Stdout, localName, remoteName, manifest, localRepo, tag, sf); err != nil { return job.Error(err) } return engine.StatusOK 
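Review bot: CmdPush now relays `manifest` — bytes taken verbatim from the HTTP request body — to `PutV2ImageManifest` for `remoteName:tag` without checking that it is non-empty or that it describes that repository and tag, so the daemon does nothing to bind the pushed content to the name it is published under, and a client that sends no body pushes an empty manifest. I would at least reject the empty case before the v2 push, `if manifest == "" { return job.Errorf("no manifest supplied for %s:%s", localName, tag) }`, and consider verifying the signature and the embedded `name`/`tag` against the job arguments here rather than relying on the registry. CmdPush starts and ends outside the hunk.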
@@ -334,7 +308,7 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status { var token []string job.Stdout.Write(sf.FormatStatus("", "The push refers to an image: [%s]", localName)) - if _, err := s.pushImage(r, job.Stdout, remoteName, img.ID, endpoint.String(), token, sf); err != nil { + if _, err := s.pushImage(r, job.Stdout, remoteName, img.ID, endpoint.String(), manifest, token, sf); err != nil { return job.Error(err) } return engine.StatusOK diff --git a/graph/service.go b/graph/service.go index b7db35dcdd04c..1b241da44c25e 100644 --- a/graph/service.go +++ b/graph/service.go @@ -25,6 +25,7 @@ func (s *TagStore) Install(eng *engine.Engine) error { "import": s.CmdImport, "pull": s.CmdPull, "push": s.CmdPush, + "image_manifest": s.CmdManifest, } { if err := eng.Register(name, handler); err != nil { return fmt.Errorf("Could not register %q: %v", name, err)