Skip to content

Disable v1 protocol for the default registry#28100

Merged
thaJeztah merged 1 commit intomoby:masterfrom
nwt:disable-v1-protocol-for-default-registry
Nov 17, 2016
Merged

Disable v1 protocol for the default registry#28100
thaJeztah merged 1 commit intomoby:masterfrom
nwt:disable-v1-protocol-for-default-registry

Conversation

@nwt
Copy link
Contributor

@nwt nwt commented Nov 5, 2016

- What I did

I disabled the v1 protocol for the default registry.

All images in the default registry (AKA docker.io, index.docker.io, and registry-1.docker.io) are available via the v2 protocol, so there's no reason to use the v1 protocol. Disabling it prevents useless fallbacks.

- How I did it

I modified registry.DefaultService.lookupV1Endpoints to return no endpoints for default registry hostnames.

- How to verify it

Pull a nonexistent tag from a repository that exists on the default registry (e.g., docker pull debian:shmebian). No v1 registry activity should appear in the engine log.

- Description for the changelog

Disable v1 protocol for the default registry

- A picture of a cute animal (not mandatory but encouraged)

image

@runcom
Copy link
Member

runcom commented Nov 5, 2016

I love this, though, when there's a fallback to V1 because V2 was unauthorized, Docker showed "not found" (which is coming from the V1 404 when getting the image). With this change you'll now get just "unauthorized".

@runcom
Copy link
Member

runcom commented Nov 5, 2016

@vdemeester
Copy link
Member

/cc @stevvooe @aaronlehmann

@aaronlehmann
Copy link

IIRC we still don't get the correct error when pulling a non-existent image with the V2 protocol from Docker Hub. It returns a 403 or 401 instead of a 404, so the error message is about authentication or authorization rather than the image not existing. This is why TestPullNonExistingImage fails here.

cc @dmcgowan

@runcom
Copy link
Member

runcom commented Nov 7, 2016

We don't get 404 even with private registries.

@dmcgowan
Copy link
Member

dmcgowan commented Nov 7, 2016

@runcom @aaronlehmann I am working on a change to address this. The registry is returning a 401 when there is not sufficient scope to do the operation on the registry (such as private registry, push to unauthorized registry). This is getting pushed back to the client as needing to login since the api/server code is looking for a string containing "unauthorized" to propagate the 401 to the client, causing login.

@dmcgowan
Copy link
Member

dmcgowan commented Nov 7, 2016

Design +1, going to add to 1.13

@dmcgowan dmcgowan added this to the 1.13.0 milestone Nov 7, 2016
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't make sense to reuse DefaultV2Registry.Host, since that may change for reasons unrelated to looking up v1 endpoints. Define a constant.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stevvooe: Something like const DefaultRegistryHostname = "registry-1.docker.io" in registry/config.go?

@stevvooe
Copy link
Contributor

stevvooe commented Nov 8, 2016

LGTM design

@cpuguy83
Copy link
Member

cpuguy83 commented Nov 9, 2016

00:19:31 FAIL: docker_cli_pull_test.go:41: DockerHubPullSuite.TestPullNonExistingImage
00:19:31 
00:19:31 docker_cli_pull_test.go:108:
00:19:31     c.Assert(record.out, checker.Contains, fmt.Sprintf("Error: image %s:%s not found", record.e.repo, tag), check.Commentf("expected image not found error messages"))
00:19:31 ... obtained string = "" +
00:19:31 ...     "\n" +
00:19:31 ...     "Please login prior to pull:\n" +
00:19:31 ...     "Error: Cannot perform an interactive login from a non TTY device\n"
00:19:31 ... substring string = "Error: image library/asdfasdf:latest not found"
00:19:31 ... expected image not found error messages

@thaJeztah thaJeztah added the status/failing-ci Indicates that the PR in its current state fails the test suite label Nov 9, 2016
@dmcgowan
Copy link
Member

dmcgowan commented Nov 9, 2016

Distribution change is at distribution/distribution#2047, once that is vendored in and updated the tests should be able to pass

@vieux
Copy link
Contributor

vieux commented Nov 10, 2016

@dmcgowan distribution/distribution#2047 was merged :)

@dmcgowan
Copy link
Member

Trying to figure out if the change is an acceptable UX with our current handling after #28235. The error returned for non-existent "official" repositories goes from...

$ docker pull doesnotexist
Using default tag: latest
Pulling repository docker.io/library/doesnotexist
Error: image library/doesnotexist:latest not found

to...

$ docker pull doesnotexist
Using default tag: latest
Error response from daemon: denied: requested access to the resource is denied

This error matches what is returned by the registry but is confusing to the user. I think we need to convert the messaging to be more user friendly but I am wary of saying "not found".

@thaJeztah
Copy link
Member

thaJeztah commented Nov 10, 2016

I think we should say exactly what it is; "The repository does not exist, or the user authenticated to this registry does not have permission to access the repository"

(that, or modified a bit)

Do we always return the same message / error code?

@dmcgowan
Copy link
Member

@thaJeztah I think you are right, working on updating the messaging. We are always getting the same error code but am able to distinguish between error with repository (denied) or tag not existing (manifest not found). That does allow providing a slightly more helpful error to the user.

All images in the default registry (AKA docker.io, index.docker.io, and
registry-1.docker.io) are available via the v2 protocol, so there's no
reason to use the v1 protocol.  Disabling it prevents useless fallbacks.

Signed-off-by: Noah Treuhaft <[email protected]>
@dmcgowan
Copy link
Member

Rebased, tested failing tests locally and they pass. Fingers crossed

@vdemeester vdemeester removed the status/failing-ci Indicates that the PR in its current state fails the test suite label Nov 11, 2016
@dmcgowan
Copy link
Member

LGTM

@stevvooe
Copy link
Contributor

LGTM

@marcusmartins
Copy link
Contributor

@aaronlehmann any comments?

@aaronlehmann
Copy link

LGTM

@vdemeester
Copy link
Member

@thaJeztah I guess we should update some doc ? 👼

@thaJeztah
Copy link
Member

@vdemeester hm not sure if anything is needed other than changelog; given that this only changes for docker hub, and not for local registries, perhaps no docs changes are needed

@dmcgowan
Copy link
Member

The only docs that would need to be changed would be related to the v1 mirrors. Using v1 mirrors was still possible using the mirror flag, however v2 can also use that flag so there is no interface change but if anyone is using they will need to know to update their mirror to v2. fyi @SvenDowideit 😉

@thaJeztah
Copy link
Member

Just discussed with @dmcgowan, let's merge this, and do a follow up for the docs @nwt can you look into that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.