fix(registry): image name parsing behavior #1526
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Pwuts
force-pushed
the
fix/ref-processing
branch
from
fa184af to
cba8af0
Compare
I'm not sure why that would be the case. Watchtower warns the user that the |
Unfortunately, I think this will break users configs, since they have been explicitly told to use the full |
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #1526 +/- ##
==========================================
+ Coverage 66.87% 66.98% +0.10%
==========================================
Files 25 25
Lines 2373 2311 -62
==========================================
- Hits 1587 1548 -39
+ Misses 685 667 -18
+ Partials 101 96 -5
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report in Codecov by Sentry. |
Users who have followed the instructions and specified the registry domain explicitly in their docker-compose config or However, I see there's a todo (from 2019) to elaborate
Edit 2: Apparently, docker's native behavior is to only parse hosts that satisfy |
|
Yeah, the fallback to |
Pwuts
force-pushed
the
fix/ref-processing
branch
from
abf1e32 to
0671ee8
Compare
|
0671ee8 also improves test coverage |
|
@piksel could you approve another codecov run? I think it would be more positive this time. :) Also, I'm not sure how to proceed. I have made all the semantic changes I intended, but now there's a certain amount of dead code. Should I wait with removing that until after a first round of CR? |
|
Thanks! Looks good, it's only complaining about The security vulnerability ("password logging") that the CodeQL check warns for was already there when I got here, and is only in a |
Pwuts
changed the title
Pwuts
force-pushed
the
fix/ref-processing
branch
4 times, most recently
from
675509e to
0a2d4f9
Compare
|
There we go:
I think that was the last to be done here without further expanding the scope of this PR. :) |
Pwuts
changed the title
|
@simskij can I ask for your judgment on the semantic changes so far? :) |
Yeah, but there really isn't any need for it anymore. I created a PR (#1534) to remove all the logging that has no clear usage scenario and could potentially leak credentials. |
docs/private-registries.md
Outdated
|
|
||
| !!! info "Using private images on Docker Hub" | ||
| To access private repositories on Docker Hub, | ||
| `<REGISTRY_NAME>` should be `index.docker.io`. |
There was a problem hiding this comment.
| `<REGISTRY_NAME>` should be `index.docker.io`. | |
| `<REGISTRY_NAME>` should be `docker.io`. |
If using docker.io is fully supported, we might as well put it in the docs for new users, no?
There was a problem hiding this comment.
Agreed, but it is a bit more nuanced than that. Docker uses docker.io internally as the default registry domain, but the Docker Registry API for Docker Hub is hosted on index.docker.io, and so docker libraries expect config.json to contain credentials for index.docker.io.
Worse, the Docker CLI does not recognize any other key than https://index.docker.io/v1/, and docker/cli/cli/config/credentials (that supplies credStore.Get()) applies some backwards compatibility magic to match this key when requesting credStore.Get('index.docker.io'). A call to docker pull PRIVATE_IMAGE (with PRIVATE_IMAGE an image on Docker Hub) fails with config.json only containing an entry for index.docker.io.
There was a problem hiding this comment.
I have amended my last 2 commits to "comply" with Docker's own behavior and reflect this in the documentation.
It took a few iterations to get it right and I didn't want to pollute the git history, hence the multiple force-pushes.
There was a problem hiding this comment.
Note: the CLI treats index.docker.io as an exception to the rule of how credentials are stored in config.json, and a comment in docker/cli remarks that this is legacy.
Would you agree that we should play it safe and ensure that a config.json manually generated according to the Watchtower docs should also work with the Docker CLI, even though this means we tell users to go along with this legacy, inconsistent behavior?
Pwuts
force-pushed
the
fix/ref-processing
branch
4 times, most recently
from
5241c26 to
6a6c7ae
Compare
Pwuts
force-pushed
the
fix/ref-processing
branch
from
6a6c7ae to
138730a
Compare
|
Repackaged the changes to reduce diff with upstream and make it easier to CR (per commit) |
Pwuts
force-pushed
the
fix/ref-processing
branch
from
138730a to
6d64f81
Compare
|
@piksel any timeline for review/merge? |
|
No, sorry. But I will take a look as soon as I get some free time. |
piksel
changed the title
|
Thanks a lot! :) |
What this PR contributes
It replaces Watchtower's own image ref manipulation logic (wherever possible) by docker's own implementations as imported from
docker/distribution/reference.As a result, this PR:
Changes are limited to pkg/registry, and deprecate pkg/registry/helpers.
How/what/why this works
In reference/normalize.go,
ParseNormalizedNamedandParseDockerRefcallsplitDockerDomainwhich normalizes the registry domain from index.docker.io to docker.io if applicable. This allows us to directly use the properties of theNamed/NamedTagged/NamedDigestedthat is returned by these (and other) functions.helpers.NormalizeRegistry(normalizedName.String())->reference.Domain(normalizedName)ExtractImageAndTag([...])->reference.Path(normalizedRef), reference.Tag(normalizedRef)(if container image is not pinned)auth.GetScopeFromImageName(img, host)->reference.Path(normalizedName)Notable choices made along the way
docker.iocredentials (stored in the config underindex.docker.ioorhttps://index.docker.io/v1/) when an image name does not contain a registry host. This was an outstanding todo, and can be done safely under the right conditions.index.docker.ioto specify an image on Docker Hub is legacy, so I have replacedindex.docker.iowithdocker.ioin all relevant places, or removed it altogether, as with this PR, Watchtower should use the right Docker Hub domain by default when no registry is specified in an image name.registry-1.docker.iois only supposed to be used in setting up a pull-through cache registry, not for pulling images directly. Hence, I think it's reasonable to drop "special support" for this case (and disable the corresponding test).If anyone really wants to use that domain, they can still specify the image as
registry-1.docker.io/library/image, just like they already need to do when using a docker hub mirror.ubuntufordocker.io/library/ubuntu) that is not hosted on Docker Hub. Containers pulled from registries other than Docker Hub will always have the registry domain incontainer.ImageName().Tests
After my updates, all tests succeed except for the two mentioned above, which I have commented for now.
I tried to improve test coverage as best as possible for the files that I changed, including a test in pkg/registry/manifest/manifest_test.go for the specific issue that triggered me to do this work :)
Updates to the documentation
As mentioned above, I have replaced
index.docker.iobydocker.iowherever relevant and appropriate.Also added a heads-up + examples of using private registries on local and remote hosts.