Protect official registry when pulling during builds
Ensure that registries missing hostname specified during builds will be
pulled from official registry. If the official registry is blocked, the
pull will fail.

All the other pull jobs shall set `protectOfficialRegistry` env variable
to `false` in order for additional registries added with
`--add-registry` to have any effect.

Prevent already pulled image to be updated from currently blocked
registry.

Also make sure that image tags can be operated upon when they miss the
hostname part and docker has some additional repositories.

Signed-off-by: Michal Minar <miminar@redhat.com>
Michal Minar committed Jan 29, 2015
1 parent 95bd20f commit 7950901
Showing 6 changed files with 29 additions and 3 deletions.
1 change: 1 addition & 0 deletions api/server/server.go
Expand Up @@ -565,6 +565,7 @@ func postImagesCreate(eng *engine.Engine, version version.Version, w http.Respon
job.SetenvBool("parallel", version.GreaterThan("1.3"))
job.SetenvJson("metaHeaders", metaHeaders)
job.SetenvJson("authConfig", authConfig)
job.SetenvBool("protectOfficialRegistry", false)
} else { //import
if tag == "" {
repo, tag = parsers.ParseRepositoryTag(repo)
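Review bot: The explicit `false` set for API pulls in postImagesCreate carries no explanation, and it is probably equivalent to leaving the variable unset, assuming `GetenvBool` reports false for a missing key. That makes the protection opt-in per call site: any other code that creates a pull job and forgets the flag resolves unqualified names against the additional registries. I would add a comment such as `// API pulls honour --add-registry for unqualified names; only builds pin them to the official index.` and consider making protection the default so that a forgotten flag fails safe. postImagesCreate starts and ends outside the hunk.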
1 change: 1 addition & 0 deletions builder/internals.go
Expand Up @@ -438,6 +438,7 @@ func (b *Builder) pullImage(name string) (*imagepkg.Image, error) {
job.SetenvBool("json", b.StreamFormatter.Json())
job.SetenvBool("parallel", true)
job.SetenvJson("authConfig", pullRegistryAuth)
job.SetenvBool("protectOfficialRegistry", true)
job.Stdout.Add(b.OutOld)
if err := job.Run(); err != nil {
return nil, err
4 changes: 3 additions & 1 deletion graph/export.go
Expand Up @@ -40,7 +40,9 @@ func (s *TagStore) CmdImageExport(job *engine.Job) engine.Status {
}
}
for _, name := range job.Args {
name = registry.NormalizeLocalName(name)
if _, exists := s.Repositories[name]; !exists {
name = registry.NormalizeLocalName(name)
}
log.Debugf("Serializing %s", name)
rootRepo := s.Repositories[name]
if rootRepo != nil {
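Review bot: The "use the name as given if it is a key of `Repositories`, otherwise normalize it" lookup added in CmdImageExport is written out again in `TagStore.Delete` and, in a different shape, in `TagStore.Get` in graph/tags.go, with no comment on why the literal name wins. Three hand-written copies of a name-resolution rule can drift apart, and then export, delete and get would disagree about which repository an unqualified name refers to. I would move it into one helper on TagStore, for example `func (store *TagStore) resolveLocalName(name string) string`, and put the precedence rule in its doc comment. CmdImageExport's body continues outside the hunk.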
5 changes: 5 additions & 0 deletions graph/pull.go
Expand Up @@ -30,6 +30,11 @@ func (s *TagStore) CmdRegistryPull(job *engine.Job) engine.Status {
registries = []string{""}
} else if len(registries) == 0 {
return job.Errorf("No configured registry to pull from.")
} else if job.GetenvBool("protectOfficialRegistry") && registries[0] != registry.INDEXNAME {
// We must ensure that registry missing hostname will be pulled from
// official one, if the `protectOfficialRegistry` tells us so.
registries = []string{""}
tmp = fmt.Sprintf("%s/%s", registry.INDEXNAME, tmp)
}
for i, r := range registries {
if i > 0 {
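Review bot: The new branch in CmdRegistryPull only pins the pull to the official index when `registries[0] != registry.INDEXNAME`; when the official index is first and additional registries follow, the list is left as it is. The `for i, r := range registries` loop below, whose body is outside the hunk, appears to try later entries in turn, so a protected build could still end up pulling an unqualified name from an additional registry if the official pull fails. If that is not intended, drop the position test: `} else if job.GetenvBool("protectOfficialRegistry") {`. A test covering a protected pull with the official index listed first would pin the behaviour.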
8 changes: 6 additions & 2 deletions graph/tags.go
Expand Up @@ -178,7 +178,9 @@ func (store *TagStore) Delete(repoName, tag string) (bool, error) {
if err := store.reload(); err != nil {
return false, err
}
repoName = registry.NormalizeLocalName(repoName)
if _, exists := store.Repositories[repoName]; !exists {
repoName = registry.NormalizeLocalName(repoName)
}
if r, exists := store.Repositories[repoName]; exists {
if tag != "" {
if _, exists2 := r[tag]; exists2 {
Expand Down Expand Up @@ -240,10 +242,12 @@ func (store *TagStore) Get(repoName string) (Repository, error) {
if err := store.reload(); err != nil {
return nil, err
}
repoName = registry.NormalizeLocalName(repoName)
if r, exists := store.Repositories[repoName]; exists {
return r, nil
}
if r, exists := store.Repositories[registry.NormalizeLocalName(repoName)]; exists {
return r, nil
}
return nil, nil
}

13 changes: 13 additions & 0 deletions registry/session.go
Expand Up @@ -200,13 +200,26 @@ func (r *Session) GetRemoteImageLayer(imgID, registry string, token []string, im
return res.Body, nil
}

func isEndpointBlocked(endpoint string) bool {
if parsedURL, err := url.Parse(endpoint); err == nil {
if _, ok := BlockedRegistries[parsedURL.Host]; !ok {
return false
}
}
return true
}

func (r *Session) GetRemoteTags(registries []string, repository string, token []string) (map[string]string, error) {
if strings.Count(repository, "/") == 0 {
// This will be removed once the Registry supports auto-resolution on
// the "library" namespace
repository = "library/" + repository
}
for _, host := range registries {
if isEndpointBlocked(host) {
log.Errorf("Cannot query blocked registry at %s for remote tags.", host)
continue
}
endpoint := fmt.Sprintf("%srepositories/%s/tags", host, repository)
req, err := r.reqFactory.NewRequest("GET", endpoint, nil)
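Review bot: isEndpointBlocked looks up `parsedURL.Host` verbatim, so the key keeps any `:port` and the caller's letter case, and a value without a scheme can parse to an empty host and be reported as not blocked (unless `""` is itself a key). Whether `BlockedRegistries` is keyed the same way is not visible here; if it holds bare hostnames, a blocked registry reached on an explicit port would pass this check. I would document the expected key format in a doc comment, treat an empty host as blocked like a parse failure (GetRemoteTags uses the value as the request URL prefix, so a host-less value could not be fetched anyway), and flatten the nested conditions. Normalizing host and port belongs wherever `BlockedRegistries` is filled, which is outside this page.

```go
// isEndpointBlocked reports whether the host of endpoint is a key of
// BlockedRegistries. A value that does not parse, or that has no host,
// is treated as blocked.
func isEndpointBlocked(endpoint string) bool {
	parsedURL, err := url.Parse(endpoint)
	if err != nil || parsedURL.Host == "" {
		return true
	}
	_, blocked := BlockedRegistries[parsedURL.Host]
	return blocked
}
```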
