vendor: github.com/docker/distribution v2.8.2

CI

- Dockerfile: fix filenames of artifacts

Bugfixes

-  Fix panic in inmemory driver
-  Add code to handle pagination of parts. Fixes max layer size of 10GB bug
-  Parse http forbidden as denied
-  Revert "registry/client: set Accept: identity header when getting layers

Runtime

- Update to go1.19.9
- Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))

Security

- Fix [CVE-2022-28391](https://www.cve.org/CVERecord?id=CVE-2022-28391) by bumping alpine from 3.14 to 3.16
- Fix [CVE-2023-2253](https://www.cve.org/CVERecord?id=CVE-2023-2253) runaway allocation on /v2/_catalog [`521ea3d9`](521ea3d973)

full diff: https://github.com/docker/distribution/compare/v2.8.1...v2.8.2-beta.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2023-05-11 19:13:41 +02:00
parent 185ac35553
commit 353e0a942d
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
15 changed files with 100 additions and 64 deletions

View File

@ -12,7 +12,7 @@ replace github.com/docker/docker => github.com/docker/docker v24.0.0-rc.2.0.2023
require ( require (
github.com/containerd/containerd v1.6.21 github.com/containerd/containerd v1.6.21
github.com/creack/pty v1.1.18 github.com/creack/pty v1.1.18
github.com/docker/distribution v2.8.1+incompatible github.com/docker/distribution v2.8.2+incompatible
github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible // replaced; this is master / v25.0.0-dev; see replace rule above. github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible // replaced; this is master / v25.0.0-dev; see replace rule above.
github.com/docker/docker-credential-helpers v0.7.0 github.com/docker/docker-credential-helpers v0.7.0
github.com/docker/go-connections v0.4.0 github.com/docker/go-connections v0.4.0

View File

@ -94,8 +94,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible h1:JH72n+pwNXSy/3lBlzKDQ22RcL+tDqVOU5O6m/dLuho= github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible h1:JH72n+pwNXSy/3lBlzKDQ22RcL+tDqVOU5O6m/dLuho=
github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v24.0.0-rc.2.0.20230506131059-88f4bf4ae4ba+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=

1
vendor/github.com/docker/distribution/.dockerignore generated vendored Normal file
View File

@ -0,0 +1 @@
bin/

View File

@ -18,3 +18,10 @@ run:
deadline: 2m deadline: 2m
skip-dirs: skip-dirs:
- vendor - vendor
issues:
exclude-rules:
# io/ioutil is deprecated, but won't be removed until Go v2. It's safe to ignore for the release/2.8 branch.
- text: "SA1019: \"io/ioutil\" has been deprecated since Go 1.16"
linters:
- staticcheck

View File

@ -44,6 +44,8 @@ Thomas Berger <loki@lokis-chaos.de> Thomas Berger <tbe@users.noreply.github.com>
Samuel Karp <skarp@amazon.com> Samuel Karp <samuelkarp@users.noreply.github.com> Samuel Karp <skarp@amazon.com> Samuel Karp <samuelkarp@users.noreply.github.com>
Justin Cormack <justin.cormack@docker.com> Justin Cormack <justin.cormack@docker.com>
sayboras <sayboras@yahoo.com> sayboras <sayboras@yahoo.com>
CrazyMax <github@crazymax.dev>
CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com> CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com>
CrazyMax <github@crazymax.dev> <crazy-max@users.noreply.github.com> Hayley Swimelar <hswimelar@gmail.com>
Jose D. Gomez R <jose.gomez@suse.com>
Shengjing Zhu <zhsj@debian.org>
Silvin Lubecki <31478878+silvin-lubecki@users.noreply.github.com>

View File

@ -1,49 +1,59 @@
# syntax=docker/dockerfile:1.3 # syntax=docker/dockerfile:1
ARG GO_VERSION=1.16.15 ARG GO_VERSION=1.19.9
ARG GORELEASER_XX_VERSION=1.2.5 ARG ALPINE_VERSION=3.16
ARG XX_VERSION=1.2.1
FROM --platform=$BUILDPLATFORM crazymax/goreleaser-xx:${GORELEASER_XX_VERSION} AS goreleaser-xx FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
COPY --from=goreleaser-xx / / COPY --from=xx / /
RUN apk add --no-cache file git RUN apk add --no-cache bash coreutils file git
WORKDIR /go/src/github.com/docker/distribution
FROM base AS build
ENV GO111MODULE=auto ENV GO111MODULE=auto
ENV CGO_ENABLED=0 ENV CGO_ENABLED=0
# GIT_REF is used by goreleaser-xx to handle the proper git ref when available. WORKDIR /go/src/github.com/docker/distribution
# It will fallback to the working tree info if empty and use "git tag --points-at"
# or "git describe" to define the version info. FROM base AS version
ARG GIT_REF ARG PKG="github.com/docker/distribution"
RUN --mount=target=. \
VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
echo "-X ${PKG}/version.Version=${VERSION#v} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
echo -n "${VERSION}" | tee /tmp/.version;
FROM base AS build
ARG TARGETPLATFORM ARG TARGETPLATFORM
ARG PKG="github.com/distribution/distribution" ARG LDFLAGS="-s -w"
ARG BUILDTAGS="include_oss include_gcs" ARG BUILDTAGS="include_oss include_gcs"
RUN --mount=type=bind,rw \ RUN --mount=type=bind,target=/go/src/github.com/docker/distribution,rw \
--mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/root/.cache/go-build \
--mount=target=/go/pkg/mod,type=cache \ --mount=target=/go/pkg/mod,type=cache \
goreleaser-xx --debug \ --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \
--name="registry" \ set -x ; xx-go build -trimpath -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/registry ./cmd/registry \
--dist="/out" \ && xx-verify --static /usr/bin/registry
--main="./cmd/registry" \
--flags="-v" \
--ldflags="-s -w -X '$PKG/version.Version={{.Version}}' -X '$PKG/version.Revision={{.Commit}}' -X '$PKG/version.Package=$PKG'" \
--tags="$BUILDTAGS" \
--files="LICENSE" \
--files="README.md"
FROM scratch AS artifact
COPY --from=build /out/*.tar.gz /
COPY --from=build /out/*.zip /
COPY --from=build /out/*.sha256 /
FROM scratch AS binary FROM scratch AS binary
COPY --from=build /usr/local/bin/registry* / COPY --from=build /usr/bin/registry /
FROM alpine:3.14 FROM base AS releaser
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
WORKDIR /work
RUN --mount=from=binary,target=/build \
--mount=type=bind,target=/src \
--mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
VERSION=$(cat /tmp/.version) \
&& mkdir -p /out \
&& cp /build/registry /src/README.md /src/LICENSE . \
&& tar -czvf "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" * \
&& sha256sum -z "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" | awk '{ print $1 }' > "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz.sha256"
FROM scratch AS artifact
COPY --from=releaser /out /
FROM alpine:${ALPINE_VERSION}
RUN apk add --no-cache ca-certificates RUN apk add --no-cache ca-certificates
COPY cmd/registry/config-dev.yml /etc/docker/registry/config.yml COPY cmd/registry/config-dev.yml /etc/docker/registry/config.yml
COPY --from=build /usr/local/bin/registry /bin/registry COPY --from=binary /registry /bin/registry
VOLUME ["/var/lib/registry"] VOLUME ["/var/lib/registry"]
EXPOSE 5000 EXPOSE 5000
ENTRYPOINT ["registry"] ENTRYPOINT ["registry"]

View File

@ -50,7 +50,7 @@ version/version.go:
check: ## run all linters (TODO: enable "unused", "varcheck", "ineffassign", "unconvert", "staticheck", "goimports", "structcheck") check: ## run all linters (TODO: enable "unused", "varcheck", "ineffassign", "unconvert", "staticheck", "goimports", "structcheck")
@echo "$(WHALE) $@" @echo "$(WHALE) $@"
golangci-lint run @GO111MODULE=off golangci-lint run
test: ## run tests, except integration test with test.short test: ## run tests, except integration test with test.short
@echo "$(WHALE) $@" @echo "$(WHALE) $@"

View File

@ -1,15 +1,3 @@
// GITHUB_REF is the actual ref that triggers the workflow
// https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
variable "GITHUB_REF" {
default = ""
}
target "_common" {
args = {
GIT_REF = GITHUB_REF
}
}
group "default" { group "default" {
targets = ["image-local"] targets = ["image-local"]
} }
@ -20,13 +8,11 @@ target "docker-metadata-action" {
} }
target "binary" { target "binary" {
inherits = ["_common"]
target = "binary" target = "binary"
output = ["./bin"] output = ["./bin"]
} }
target "artifact" { target "artifact" {
inherits = ["_common"]
target = "artifact" target = "artifact"
output = ["./bin"] output = ["./bin"]
} }
@ -43,8 +29,13 @@ target "artifact-all" {
] ]
} }
// Special target: https://github.com/docker/metadata-action#bake-definition
target "docker-metadata-action" {
tags = ["registry:local"]
}
target "image" { target "image" {
inherits = ["_common", "docker-metadata-action"] inherits = ["docker-metadata-action"]
} }
target "image-local" { target "image-local" {

View File

@ -134,6 +134,19 @@ var (
}, },
} }
invalidPaginationResponseDescriptor = ResponseDescriptor{
Name: "Invalid pagination number",
Description: "The received parameter n was invalid in some way, as described by the error code. The client should resolve the issue and retry the request.",
StatusCode: http.StatusBadRequest,
Body: BodyDescriptor{
ContentType: "application/json",
Format: errorsBody,
},
ErrorCodes: []errcode.ErrorCode{
ErrorCodePaginationNumberInvalid,
},
}
repositoryNotFoundResponseDescriptor = ResponseDescriptor{ repositoryNotFoundResponseDescriptor = ResponseDescriptor{
Name: "No Such Repository Error", Name: "No Such Repository Error",
StatusCode: http.StatusNotFound, StatusCode: http.StatusNotFound,
@ -490,6 +503,7 @@ var routeDescriptors = []RouteDescriptor{
}, },
}, },
Failures: []ResponseDescriptor{ Failures: []ResponseDescriptor{
invalidPaginationResponseDescriptor,
unauthorizedResponseDescriptor, unauthorizedResponseDescriptor,
repositoryNotFoundResponseDescriptor, repositoryNotFoundResponseDescriptor,
deniedResponseDescriptor, deniedResponseDescriptor,
@ -1578,6 +1592,9 @@ var routeDescriptors = []RouteDescriptor{
}, },
}, },
}, },
Failures: []ResponseDescriptor{
invalidPaginationResponseDescriptor,
},
}, },
}, },
}, },

View File

@ -133,4 +133,13 @@ var (
longer proceed.`, longer proceed.`,
HTTPStatusCode: http.StatusNotFound, HTTPStatusCode: http.StatusNotFound,
}) })
ErrorCodePaginationNumberInvalid = errcode.Register(errGroup, errcode.ErrorDescriptor{
Value: "PAGINATION_NUMBER_INVALID",
Message: "invalid number of results requested",
Description: `Returned when the "n" parameter (number of results
to return) is not an integer, "n" is negative or "n" is bigger than
the maximum allowed.`,
HTTPStatusCode: http.StatusBadRequest,
})
) )

View File

@ -55,6 +55,8 @@ func parseHTTPErrorResponse(statusCode int, r io.Reader) error {
switch statusCode { switch statusCode {
case http.StatusUnauthorized: case http.StatusUnauthorized:
return errcode.ErrorCodeUnauthorized.WithMessage(detailsErr.Details) return errcode.ErrorCodeUnauthorized.WithMessage(detailsErr.Details)
case http.StatusForbidden:
return errcode.ErrorCodeDenied.WithMessage(detailsErr.Details)
case http.StatusTooManyRequests: case http.StatusTooManyRequests:
return errcode.ErrorCodeTooManyRequests.WithMessage(detailsErr.Details) return errcode.ErrorCodeTooManyRequests.WithMessage(detailsErr.Details)
default: default:

View File

@ -114,9 +114,7 @@ func (r *registry) Repositories(ctx context.Context, entries []string, last stri
return 0, err return 0, err
} }
for cnt := range ctlg.Repositories { copy(entries, ctlg.Repositories)
entries[cnt] = ctlg.Repositories[cnt]
}
numFilled = len(ctlg.Repositories) numFilled = len(ctlg.Repositories)
link := resp.Header.Get("Link") link := resp.Header.Get("Link")

View File

@ -180,7 +180,6 @@ func (hrs *httpReadSeeker) reader() (io.Reader, error) {
// context.GetLogger(hrs.context).Infof("Range: %s", req.Header.Get("Range")) // context.GetLogger(hrs.context).Infof("Range: %s", req.Header.Get("Range"))
} }
req.Header.Add("Accept-Encoding", "identity")
resp, err := hrs.client.Do(req) resp, err := hrs.client.Do(req)
if err != nil { if err != nil {
return nil, err return nil, err

2
vendor/modules.txt vendored
View File

@ -21,7 +21,7 @@ github.com/containerd/containerd/platforms
# github.com/creack/pty v1.1.18 # github.com/creack/pty v1.1.18
## explicit; go 1.13 ## explicit; go 1.13
github.com/creack/pty github.com/creack/pty
# github.com/docker/distribution v2.8.1+incompatible # github.com/docker/distribution v2.8.2+incompatible
## explicit ## explicit
github.com/docker/distribution github.com/docker/distribution
github.com/docker/distribution/digestset github.com/docker/distribution/digestset