From 622b5b7f2d4eaf8eaaa4ba266183d7e062bb4a1c Mon Sep 17 00:00:00 2001
From: Christy Norman
Date: Tue, 18 Sep 2018 15:58:41 -0500
Subject: [PATCH] fix insecure manifest inspect with restrictive certs perms
If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using the `insecure` flag. Since the cli doesn't access the engine's list of insecure registries, the registry client should make a singleton list of the registry being queried with the `insecure` flag.
Closes #1358
Signed-off-by: Christy Norman
(cherry picked from commit d57adbc034a69d14b1c88c63cdf07b58fb8eb253)
Signed-off-by: Sebastiaan van Stijn
Upstream-commit: f9d666b05788b7441f8be61ad81c0f11ccdf5494
Component: cli
---
 components/cli/cli/registry/client/fetcher.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/components/cli/cli/registry/client/fetcher.go b/components/cli/cli/registry/client/fetcher.go
index 66c11ce220..c4c267cfa7 100644
--- a/components/cli/cli/registry/client/fetcher.go
+++ b/components/cli/cli/registry/client/fetcher.go
@@ -200,7 +200,7 @@ func continueOnError(err error) bool {
 }

 func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named, each func(context.Context, distribution.Repository, reference.Named) (bool, error)) error {
- endpoints, err := allEndpoints(namedRef)
+ endpoints, err := allEndpoints(namedRef, c.insecureRegistry)
 if err != nil {
 return err
 }
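Review bot: `c.insecureRegistry` is a field of the client, so at this call in `iterateEndpoints` it is applied to whichever registry `namedRef` happens to name, not to one host the user singled out. If one client can resolve references on more than one registry (not visible in this hunk), every one of those hosts ends up in its own insecure list. I would document that at the call, e.g. `// insecureRegistry applies to the registry of every reference resolved through this client`, or at the field declaration. The body of iterateEndpoints continues past the end of the hunk.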
@@ -262,12 +262,18 @@ func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named,
 }

 // allEndpoints returns a list of endpoints ordered by priority (v2, https, v1).
-func allEndpoints(namedRef reference.Named) ([]registry.APIEndpoint, error) {
+func allEndpoints(namedRef reference.Named, insecure bool) ([]registry.APIEndpoint, error) {
 repoInfo, err := registry.ParseRepositoryInfo(namedRef)
 if err != nil {
 return nil, err
 }
- registryService, err := registry.NewService(registry.ServiceOptions{})
+
+ var serviceOpts registry.ServiceOptions
+ if insecure {
+ logrus.Debugf("allowing insecure registry for: %s", reference.Domain(namedRef))
+ serviceOpts.InsecureRegistries = []string{reference.Domain(namedRef)}
+ }
+ registryService, err := registry.NewService(serviceOpts)
 if err != nil {
 return []registry.APIEndpoint{}, err
 }
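Review bot: The doc comment above `allEndpoints` was left unchanged and does not mention the new `insecure` parameter, which now decides whether the queried registry is placed in `InsecureRegistries`. I would add a line such as `// If insecure is true, only reference.Domain(namedRef) is marked insecure; no other registry is affected.` and note what that means for the returned endpoints (for Docker's insecure registries this is normally skipped certificate verification plus plain-HTTP fallback; confirm against the registry package). `logrus.Debugf` makes that downgrade visible only with debug logging enabled, which may be worth a mention in the same comment. The diffstat lists only fetcher.go, so no test pins that `allEndpoints(ref, false)` is unchanged and that `true` touches a single domain. The body of allEndpoints continues past the end of the hunk.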