[systemd-devel] [PATCH 0/5] systemd-importd - support for pulling from V2 Dkr registries

Mon May 11 08:07:34 PDT 2015

On Mon, 2015-05-11 at 10:32 -0400, Vincent Batts wrote:
> On 09/05/15 00:31 +0200, Pavel Odvody wrote:
> >On Fri, 2015-05-08 at 14:33 -0400, Vincent Batts wrote:
> >> On 08/05/15 11:31 +1000, Daurnimator wrote:
> >> >On 8 May 2015 at 01:46, Pavel Odvody <podvody at redhat.com> wrote:
> >> >>  - To access the V2 registry we need to send a special User-Agent
> >> >>    docker/1.6.0
> >> >
> >> >Is this really required?
> >> >Can we request they change something server side?
> >>
> >> I would have to double check the behavior on their docker hub, but for
> >> local registries this user agent header is not required. It is the
> >> expectation that a docker registry can always be served as a static file
> >> tree (pull only).
> >>
> >> vb
> >
> >Hey,
> >
> >$ curl -XGET https://registry-1.docker.io/v2/library/node/manifests/latest
> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> ><title>404 Not Found</title>
> ><h1>Not Found</h1>
> ><p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>
> >
> >$ curl -XGET -H"User-Agent: docker/1.6.0" https://registry-1.docker.io/v2/library/node/manifests/latest
> >{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"repository","Name":"library/node","Action":"pull"}]}]}
> >
> >I actually added a little clarification in my 5th patch:
> >
> >"User-Agent: do" /* otherwise we get load-balanced(!) to a V1 registyry */
> >(I got this information from Andy G.)
> >
> >The second request obviously fails due to the bearer token not being provided,
> >but at least we can see that we're hitting the correct endpoint here.
> >
> >I think that this is the correct behavior, since the original systemd-pull
> >workflow was to check the Hub first and obtain the token, which I'm simply
> >following here, however the token is now obtained from a separate endpoint.
> >
> >The thing is that the argument is --dkr-index-url, so we're actually specifying
> >the Hub URL here and there's no way to specify a registry alone.
> >(the "mirror" registry is received in HTTP headers from the Hub)
> >
> >Sounds like a topic for another patch?
> >
> >I hope that the pull-only policy will be relaxed soon :) A lot of roundtrips ...
> 
> I understand they've done this on their hub, to route client versions 
> < 1.6.0 which can not do the v2 api. There ought to be a way not no
> require UA headers. Will see what I can do.
> 
> vb

I find that solution rather unfortunate, since the endpoints are already
versioned /v1/ and /v2/ respectively.
The clients before 1.6.0 have hardcoded the /v1/ endpoints so really no
additional reason for this. (oh, didn't 1.5.0 ship half-assed
implementation of v2 with old header names?)

-- 
Pavel Odvody <podvody at redhat.com>
Software Engineer - EMEA ENG Developer Experience
5EC1 95C1 8E08 5BD9 9BBF 9241 3AFA 3A66 024F F68D
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150511/4255af28/attachment-0001.sig>