[systemd-devel] [PATCH 0/5] systemd-importd - support for pulling from V2 Dkr registries

Mon May 11 08:15:54 PDT 2015

On 11/05/15 17:07 +0200, Pavel Odvody wrote:
>On Mon, 2015-05-11 at 10:32 -0400, Vincent Batts wrote:
>> On 09/05/15 00:31 +0200, Pavel Odvody wrote:
>> >On Fri, 2015-05-08 at 14:33 -0400, Vincent Batts wrote:
>> >> On 08/05/15 11:31 +1000, Daurnimator wrote:
>> >> >On 8 May 2015 at 01:46, Pavel Odvody <podvody at redhat.com> wrote:
>> >> >>  - To access the V2 registry we need to send a special User-Agent
>> >> >>    docker/1.6.0
>> >> >
>> >> >Is this really required?
>> >> >Can we request they change something server side?
>> >>
>> >> I would have to double check the behavior on their docker hub, but for
>> >> local registries this user agent header is not required. It is the
>> >> expectation that a docker registry can always be served as a static file
>> >> tree (pull only).
>> >>
>> >> vb
>> >
>> >Hey,
>> >
>> >$ curl -XGET https://registry-1.docker.io/v2/library/node/manifests/latest
>> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
>> ><title>404 Not Found</title>
>> ><h1>Not Found</h1>
>> ><p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>
>> >
>> >$ curl -XGET -H"User-Agent: docker/1.6.0" https://registry-1.docker.io/v2/library/node/manifests/latest
>> >{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"repository","Name":"library/node","Action":"pull"}]}]}
>> >
>> >I actually added a little clarification in my 5th patch:
>> >
>> >"User-Agent: do" /* otherwise we get load-balanced(!) to a V1 registyry */
>> >(I got this information from Andy G.)
>> >
>> >The second request obviously fails due to the bearer token not being provided,
>> >but at least we can see that we're hitting the correct endpoint here.
>> >
>> >I think that this is the correct behavior, since the original systemd-pull
>> >workflow was to check the Hub first and obtain the token, which I'm simply
>> >following here, however the token is now obtained from a separate endpoint.
>> >
>> >The thing is that the argument is --dkr-index-url, so we're actually specifying
>> >the Hub URL here and there's no way to specify a registry alone.
>> >(the "mirror" registry is received in HTTP headers from the Hub)
>> >
>> >Sounds like a topic for another patch?
>> >
>> >I hope that the pull-only policy will be relaxed soon :) A lot of roundtrips ...
>>
>> I understand they've done this on their hub, to route client versions
>> < 1.6.0 which can not do the v2 api. There ought to be a way not no
>> require UA headers. Will see what I can do.
>>
>> vb
>
>I find that solution rather unfortunate, since the endpoints are already
>versioned /v1/ and /v2/ respectively.
>The clients before 1.6.0 have hardcoded the /v1/ endpoints so really no
>additional reason for this. (oh, didn't 1.5.0 ship half-assed
>implementation of v2 with old header names?)

My same argument to them. The issue has been raised with them. 

vb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150511/914321f3/attachment.sig>