On Red Hat Registry Servers we return 404 on certification errors.#8559
Conversation
|
To be clear, the issue is not the registry. The issue is how the client/daemon handles 404 from the registry. |
|
LGTM, continuing though the cert list on 404 seems reasonable to me. I would also ping @ewindisch. |
|
About this change specifically, LGTM. Now, @aweiteka @rhatdan the docker registry pipeline as a whole is being rewritten, and discussion is ongoing on the auth mechanisms we are going to support and ship for v2 (including with people from RedHat). With the further separation of image naming and transport, and making it easier for registries to proliferate, we will need robust multi-credentials handling. In this particular case, trying a request with every certificate until one works is not going to fly and it's unlikely this code would be supported in v2 as-is. |
|
LGTM |
|
@dmp42 Not my area of expertise. @aweiteka and @vbatts would be much better to handle this. I just put in fixes requested by others. This fix we need for the current model, and I am sure there will be other fixes in the future. But if we can get this merged soon, we could turn on verification of images in the V1 Registry protocol for our customers. |
|
@rhatdan thanks! @crosbymichael This should be good to be merged. |
We do this to prevent leakage of information, we don't want people to be able to probe for existing content. According to RFC 2616, "This status code (404) is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response i is applicable." https://www.ietf.org/rfc/rfc2616.txt 10.4.4 403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead. 10.4.5 404 Not Found The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable. When docker is running through its certificates, it should continue trying with a new certificate even if it gets back a 404 error code. Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan)
|
Thanks for the reviews. LGTM |
On Red Hat Registry Servers we return 404 on certification errors.
We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.
According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."
https://www.ietf.org/rfc/rfc2616.txt
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No
indication is given of whether the condition is temporary or
permanent. The 410 (Gone) status code SHOULD be used if the server
knows, through some internally configurable mechanism, that an old
resource is permanently unavailable and has no forwarding address.
This status code is commonly used when the server does not wish to
reveal exactly why the request has been refused, or when no other
response is applicable.
When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.
Docker-DCO-1.1-Signed-off-by: Dan Walsh [email protected] (github: rhatdan)