发布于 2015-09-10 16:18:33 | 353 次阅读 | 评论: 0 | 来源: 网络整理
The Index is responsible for centralizing information about:
The Index has different components:
The index is authoritative for those information.
We expect that there will be only one instance of the index, run and managed by Docker Inc.
We expect that there will be multiple registries out there. To help to grasp the context, here are some examples of registries:
注解
The latter would only require two new commands in docker, e.g. registryget and registryput, wrapping access to the local filesystem (and optionally doing consistency checks). Authentication and authorization are then delegated to SSH (e.g. with public keys).
On top of being a runtime for LXC, Docker is the Registry client. It supports:
It’s possible to run:
docker pull https://<registry>/repositories/samalba/busybox
In this case, Docker bypasses the Index. However the security is not guaranteed (in case Registry A is corrupted) because there won’t be any checksum checks.
Currently registry redirects to s3 urls for downloads, going forward all downloads need to be streamed through the registry. The Registry will then abstract the calls to S3 by a top-level class which implements sub-classes for S3 and local storage.
Token is only returned when the X-Docker-Token header is sent with request.
Basic Auth is required to pull private repos. Basic auth isn’t required for pulling public repos, but if one is provided, it needs to be valid and for an active account.
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== X-Docker-Token: true
(looking up the foo/bar in db and gets images and checksums for that repo (all if no tag is specified, if tag, only checksums for those tags) see part 4.4.1)
(Index -> Docker) HTTP 200 OK
- Headers:
- Authorization: Token signature=123abc,repository=”foo/bar”,access=write
- X-Docker-Endpoints: registry.docker.io [, registry2.docker.io]
- Body:
Jsonified checksums (see part 4.4.1)
Authorization: Token signature=123abc,repository=”foo/bar”,access=write
(Registry -> Index) GET /v1/repositories/foo/bar/images
- Headers:
Authorization: Token signature=123abc,repository=”foo/bar”,access=read
- Body:
<ids and checksums in payload>
- Action:
( Lookup token see if they have access to pull.)
- If good:
HTTP 200 OK Index will invalidate the token
- If bad:
HTTP 401 Unauthorized
(for each image id returned in the registry, fetch /json + /layer)
注解
If someone makes a second request, then we will always give a new token, never reuse tokens.
注解
It’s possible not to use the Index at all! In this case, a deployed version of the Registry is deployed to store and serve images. Those images are not authenticated and the security is not guaranteed.
注解
Index can be replaced! For a private Registry deployed, a custom Index can be used to serve and validate token according to different policies.
Docker computes the checksums and submit them to the Index at the end of the push. When a repository name does not have checksums on the Index, it means that the push is in progress (since checksums are submitted at the end).
Authorization: Basic sdkjfskdjfhsdkjfh== X-Docker-Token: true
(The body contains the list of images that are going to be pushed, with empty checksums. The checksums will be set at the end of the push):
[{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”}]
Authorization: Token signature=123abc,repository=”foo/bar”,access=write
Authorization: Token signature=123abc,repository=”foo/bar”,access=write
will invalidate the token.
grants a session (if token is approved) and fetches the images id
Cookie: (Cookie provided by the Registry)
Cookie: (Cookie provided by the Registry)
X-Docker-Checksum: sha256:436745873465fdjkhdfjkgh
Cookie: (Cookie provided by the Registry)
“98765432”
(Docker -> Index) PUT /v1/repositories/foo/bar/images
Authorization: Basic 123oislifjsldfj== X-Docker-Endpoints: registry1.docker.io (no validation on this right now)
(The image, id’s, tags and checksums)
[{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”, “checksum”: “b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087”}]
Return HTTP 204
注解
If push fails and they need to start again, what happens in the index, there will already be a record for the namespace/name, but it will be initialized. Should we allow it, or mark as name already used? One edge case could be if someone pushes the same thing at the same time with two different shells.
If it’s a retry on the Registry, Docker has a cookie (provided by the registry after token validation). So the Index won’t have to provide a new token.
If you need to delete something from the index or registry, we need a nice clean way to do that. Here is the workflow.
注解
The Docker client should present an “Are you sure?” prompt to confirm the deletion before starting the process. Once it starts it can’t be undone.
Authorization: Basic sdkjfskdjfhsdkjfh== X-Docker-Token: true
Empty
Authorization: Token signature=123abc,repository=”foo/bar”,access=delete
Authorization: Token signature=123abc,repository=”foo/bar”,access=delete
will invalidate the token.
deletes the repository (if token is approved)
200 If success 403 if forbidden 400 if bad request 404 if repository isn’t found
(Docker -> Index) DELETE /v1/repositories/foo/bar/
- Headers:
Authorization: Basic 123oislifjsldfj== X-Docker-Endpoints: registry-1.docker.io (no validation on this right now)
- Body:
Empty
Return HTTP 200
The Index has two main purposes (along with its fancy social features):
Authenticate a user as a repos owner (for a central referenced repository)
Using the Registry without the Index can be useful to store the images on a private network without having to rely on an external entity controlled by Docker Inc.
In this case, the registry will be launched in a special mode (–standalone? –no-index?). In this mode, the only thing which changes is that Registry will never contact the Index to verify a token. It will be the Registry owner responsibility to authenticate the user who pushes (or even pulls) an image using any mechanism (HTTP auth, IP based, etc...).
In this scenario, the Registry is responsible for the security in case of data corruption since the checksums are not delivered by a trusted entity.
As hinted previously, a standalone registry can also be implemented by any HTTP server handling GET/PUT requests (or even only GET requests if no write access is necessary).
The Index data needed by the Registry are simple:
In the scenario of a Registry running on a private network with the need of centralizing and authorizing, it’s easy to use a custom Index.
The only challenge will be to tell Docker to contact (and trust) this custom Index. Docker will be configurable at some point to use a specific Index, it’ll be the private entity responsibility (basically the organization who uses Docker in a private environment) to maintain the Index and the Docker’s configuration among its consumers.
The first version of the api is available here: https://github.com/jpetazzo/docker/blob/acd51ecea8f5d3c02b00a08176171c59442df8b3/docs/images-repositories-push-pull.md
The format returned in the images is not defined here (for layer and JSON), basically because Registry stores exactly the same kind of information as Docker uses to manage them.
The format of ancestry is a line-separated list of image ids, in age order, i.e. the image’s parent is on the last line, the parent of the parent on the next-to-last line, etc.; if the image has no parent, the file is empty.
GET /v1/images/<image_id>/layer
PUT /v1/images/<image_id>/layer
GET /v1/images/<image_id>/json
PUT /v1/images/<image_id>/json
GET /v1/images/<image_id>/ancestry
PUT /v1/images/<image_id>/ancestry
POST /v1/users
Valid: return HTTP 200
Errors: HTTP 400 (we should create error codes for possible errors) - invalid json - missing field - wrong format (username, password, email, etc) - forbidden name - name already exists
注解
A user account will be valid only if the email has been validated (a validation link is sent to the email address).
PUT /v1/users/<username>
注解
We can also update email address, if they do, they will need to reverify their new email address.
Does nothing else but asking for a user authentication. Can be used to validate credentials. HTTP Basic Auth for now, maybe change in future.
GET /v1/users
The Registry does not know anything about users. Even though repositories are under usernames, it’s just a namespace for the registry. Allowing us to implement organizations or different namespaces per user later, without modifying the Registry’s API.
The following naming restrictions apply:
GET /v1/repositories/<namespace>/<repository_name>/tags
GET /v1/repositories/<namespace>/<repo_name>/tags/<tag>
DELETE /v1/repositories/<namespace>/<repo_name>/tags/<tag>
For the Index to “resolve” the repository name to a Registry location, it uses the X-Docker-Endpoints header. In other terms, this requests always add a X-Docker-Endpoints to indicate the location of the registry which hosts this repository.
GET /v1/repositories/<namespace>/<repo_name>/images
You always add images, you never remove them.
PUT /v1/repositories/<namespace>/<repo_name>/images
Return 204
It’s possible to chain Registries server for several reasons:
When a Registry is a reference for a repository, it should host the entire images chain in order to avoid breaking the chain during the download.
The Index and Registry use this mechanism to redirect on one or the other.
Example with an image download:
On every request, a special header can be returned:
X-Docker-Endpoints: server1,server2
On the next request, the client will always pick a server from this list.
The Index supports both “Basic” and “Token” challenges. Usually when there is a 401 Unauthorized, the Index replies this:
401 Unauthorized
WWW-Authenticate: Basic realm="auth required",Token
You have 3 options:
Provide user credentials and ask for a token
- Header:
- Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- X-Docker-Token: true
In this case, along with the 200 response, you’ll get a new token (if user auth is ok): If authorization isn’t correct you get a 401 response. If account isn’t active you will get a 403 response.
- Response:
- 200 OK
- X-Docker-Token: Token signature=123abc,repository=”foo/bar”,access=read
Provide user credentials only
- Header:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Provide Token
- Header:
Authorization: Token signature=123abc,repository=”foo/bar”,access=read
The Registry only supports the Token challenge:
401 Unauthorized
WWW-Authenticate: Token
The only way is to provide a token on 401 Unauthorized responses:
Authorization: Token signature=123abc,repository="foo/bar",access=read
Usually, the Registry provides a Cookie when a Token verification succeeded. Every time the Registry passes a Cookie, you have to pass it back the same cookie.:
200 OK
Set-Cookie: session="wD/J7LqL5ctqw8haL10vgfhrb2Q=?foo=UydiYXInCnAxCi4=×tamp=RjEzNjYzMTQ5NDcuNDc0NjQzCi4="; Path=/; HttpOnly
Next request:
GET /(...)
Cookie: session="wD/J7LqL5ctqw8haL10vgfhrb2Q=?foo=UydiYXInCnAxCi4=×tamp=RjEzNjYzMTQ5NDcuNDc0NjQzCi4="