Thanks to visit codestin.com
Credit goes to github.com

Skip to content

On Red Hat Registry Servers we return 404 on certification errors.#8559

Merged
crosbymichael merged 1 commit into
moby:masterfrom
rhatdan:404
Oct 20, 2014
Merged

On Red Hat Registry Servers we return 404 on certification errors.#8559
crosbymichael merged 1 commit into
moby:masterfrom
rhatdan:404

Conversation

@rhatdan

@rhatdan rhatdan commented Oct 14, 2014

Copy link
Copy Markdown
Contributor

We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.

According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."

https://www.ietf.org/rfc/rfc2616.txt

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.

10.4.5 404 Not Found

The server has not found anything matching the Request-URI. No
indication is given of whether the condition is temporary or
permanent. The 410 (Gone) status code SHOULD be used if the server
knows, through some internally configurable mechanism, that an old
resource is permanently unavailable and has no forwarding address.
This status code is commonly used when the server does not wish to
reveal exactly why the request has been refused, or when no other
response is applicable.

When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.

Docker-DCO-1.1-Signed-off-by: Dan Walsh [email protected] (github: rhatdan)

@crosbymichael

Copy link
Copy Markdown
Contributor

@dmcgowan @dmp42

Could you please take a look at this issue? It looks pretty straight forward and should be easy to address.

@aweiteka

Copy link
Copy Markdown

To be clear, the issue is not the registry. The issue is how the client/daemon handles 404 from the registry.

@dmcgowan

Copy link
Copy Markdown
Member

LGTM, continuing though the cert list on 404 seems reasonable to me. I would also ping @ewindisch.

@dmp42

dmp42 commented Oct 17, 2014

Copy link
Copy Markdown
Contributor

About this change specifically, LGTM.

Now, @aweiteka @rhatdan the docker registry pipeline as a whole is being rewritten, and discussion is ongoing on the auth mechanisms we are going to support and ship for v2 (including with people from RedHat).
Though we are still figuring out proper processes there, I would really suggest that we connect and you have someone participate in these discussions (you can ping me on irc or join on #docker-dev on mondays 10AMPST).

With the further separation of image naming and transport, and making it easier for registries to proliferate, we will need robust multi-credentials handling. In this particular case, trying a request with every certificate until one works is not going to fly and it's unlikely this code would be supported in v2 as-is.

@ewindisch

Copy link
Copy Markdown
Contributor

LGTM

@rhatdan

rhatdan commented Oct 20, 2014

Copy link
Copy Markdown
Contributor Author

@dmp42 Not my area of expertise. @aweiteka and @vbatts would be much better to handle this. I just put in fixes requested by others. This fix we need for the current model, and I am sure there will be other fixes in the future. But if we can get this merged soon, we could turn on verification of images in the V1 Registry protocol for our customers.

@dmp42

dmp42 commented Oct 20, 2014

Copy link
Copy Markdown
Contributor

@rhatdan thanks!

@crosbymichael This should be good to be merged.

We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.

According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."

https://www.ietf.org/rfc/rfc2616.txt

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity.  If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

10.4.5 404 Not Found

   The server has not found anything matching the Request-URI. No
   indication is given of whether the condition is temporary or
   permanent. The 410 (Gone) status code SHOULD be used if the server
   knows, through some internally configurable mechanism, that an old
   resource is permanently unavailable and has no forwarding address.
   This status code is commonly used when the server does not wish to
   reveal exactly why the request has been refused, or when no other
   response is applicable.

When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan)
@crosbymichael

Copy link
Copy Markdown
Contributor

Thanks for the reviews.

LGTM

crosbymichael added a commit that referenced this pull request Oct 20, 2014
On Red Hat Registry Servers we return 404 on certification errors.
@crosbymichael crosbymichael merged commit 0c7d2ff into moby:master Oct 20, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants