[systemd-devel] [PATCH 0/5] systemd-importd - support for pulling from V2 Dkr registries

Thu May 14 13:12:44 PDT 2015

On 11/05/15 11:15 -0400, Vincent Batts wrote:
>On 11/05/15 17:07 +0200, Pavel Odvody wrote:
>>On Mon, 2015-05-11 at 10:32 -0400, Vincent Batts wrote:
>>>On 09/05/15 00:31 +0200, Pavel Odvody wrote:
>>>>On Fri, 2015-05-08 at 14:33 -0400, Vincent Batts wrote:
>>>>> On 08/05/15 11:31 +1000, Daurnimator wrote:
>>>>> >On 8 May 2015 at 01:46, Pavel Odvody <podvody at redhat.com> wrote:
>>>>> >>  - To access the V2 registry we need to send a special User-Agent
>>>>> >>    docker/1.6.0
>>>>> >
>>>>> >Is this really required?
>>>>> >Can we request they change something server side?
>>>>>
>>>>> I would have to double check the behavior on their docker hub, but for
>>>>> local registries this user agent header is not required. It is the
>>>>> expectation that a docker registry can always be served as a static file
>>>>> tree (pull only).
>>>>>
>>>>> vb
>>>>
>>>>Hey,
>>>>
>>>>$ curl -XGET https://registry-1.docker.io/v2/library/node/manifests/latest
>>>><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
>>>><title>404 Not Found</title>
>>>><h1>Not Found</h1>
>>>><p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>
>>>>
>>>>$ curl -XGET -H"User-Agent: docker/1.6.0" https://registry-1.docker.io/v2/library/node/manifests/latest
>>>>{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"repository","Name":"library/node","Action":"pull"}]}]}
>>>>
>>>>I actually added a little clarification in my 5th patch:
>>>>
>>>>"User-Agent: do" /* otherwise we get load-balanced(!) to a V1 registyry */
>>>>(I got this information from Andy G.)
>>>>
>>>>The second request obviously fails due to the bearer token not being provided,
>>>>but at least we can see that we're hitting the correct endpoint here.
>>>>
>>>>I think that this is the correct behavior, since the original systemd-pull
>>>>workflow was to check the Hub first and obtain the token, which I'm simply
>>>>following here, however the token is now obtained from a separate endpoint.
>>>>
>>>>The thing is that the argument is --dkr-index-url, so we're actually specifying
>>>>the Hub URL here and there's no way to specify a registry alone.
>>>>(the "mirror" registry is received in HTTP headers from the Hub)
>>>>
>>>>Sounds like a topic for another patch?
>>>>
>>>>I hope that the pull-only policy will be relaxed soon :) A lot of roundtrips ...
>>>
>>>I understand they've done this on their hub, to route client versions
>>>< 1.6.0 which can not do the v2 api. There ought to be a way not no
>>>require UA headers. Will see what I can do.
>>>
>>>vb
>>
>>I find that solution rather unfortunate, since the endpoints are already
>>versioned /v1/ and /v2/ respectively.
>>The clients before 1.6.0 have hardcoded the /v1/ endpoints so really no
>>additional reason for this. (oh, didn't 1.5.0 ship half-assed
>>implementation of v2 with old header names?)
>
>My same argument to them. The issue has been raised with them.

Cool. My raised issue was heard and acted on. Now the UA header is not
required on the hub either.

$ curl -XGET https://registry-1.docker.io/v2/library/node/manifests/latest
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested
resource is not authorized","detail":[{"Type":"repository","Name":"library/node","Action":"pull"}]}]}

vb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150514/59a14b6f/attachment.sig>