[28.x backport] client: always send (empty) body on push #50471
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before ea29dff, the image create endpoint had a [fallback for very old client versions][1] that would send authentication as body instead of through the `X-Registry-Auth` header. However, the implementation of this fallback did not handle empty bodies, resulting in an `io.EOF` error to be returned when trying to parse the body as JSON. In practice, this problem didn't happen when using the CLI, because even if no authentication was present, `registry.EncodeAuthConfig()` (used by the CLI to set the `X-Registry-Auth` header) would produce an empty JSON document (`{}`), which would be encoded in base64 (`e30=`), so we would never set an empty `X-Registry-Auth` (but other clients may have hit this situation). That behavior was unexpected, because not all registries require authentication, and omitting the `X-Registry-Auth` should be valid. We also want to have more flexibility in authentication (and being able to distinguish unauthenticated requests, so that we can fallback to alternative paths). Unfortunately, we can't change existing daemons, so must account for the faulty fallback. Currently, omitting the `X-Registry-Auth` produces an error, but we can avoid this by unconditionally sending a body, which may be an empty JSON document (`{}`). I explored possible options for this; we can either construct our own empty JSON (`json.RawMessage("{}")`) to be explicit that we're sending empty JSON, but [`encodeBody()`][2] is currently hard-coded to expect JSON requests, and unconditionally calls [`encodeData`][3], which encodes to JSON, so we may as well take advantage of `http.NoBody`, which gets marshaled to an empty JSON document; https://go.dev/play/p/QCw9dJ6LGQu package main import ( "encoding/json" "fmt" "net/http" ) func main() { body, _ := json.Marshal(http.NoBody) fmt.Println(string(body)) } Before this patch, a client omitting `X-Registry-Auth` (and no body) would produce an error; docker pull -q busybox docker tag busybox 127.0.0.1:5001/myimage:latest docker run -d --name registry -p 127.0.0.1:5001:5000 registry:3 docker push 127.0.0.1:5001/myimage:latest Error response from daemon: bad parameters and missing X-Registry-Auth: invalid X-Registry-Auth header: EOF With this patch applied, no error is produced; docker pull -q busybox docker tag busybox 127.0.0.1:5001/myimage:latest docker run -d --name registry -p 127.0.0.1:5001:5000 registry:3 docker push 127.0.0.1:5001/myimage:latest The push refers to repository [127.0.0.1:5001/myimage] 189fdd150837: Pushed latest: digest: sha256:68a0d55a75c935e1101d16ded1c748babb7f96a9af43f7533ba83b87e2508b82 size: 610 [1]: https://github.com/moby/moby/blob/63fcf7d8582bf901b912015db5a590186710b8c6/api/types/registry/authconfig_test.go#L109-L114 [2]: https://github.com/moby/moby/blob/63fcf7d8582bf901b912015db5a590186710b8c6/client/request.go#L67-L87 [3]: https://github.com/moby/moby/blob/63fcf7d8582bf901b912015db5a590186710b8c6/client/request.go#L296-L304 [4]: moby@ea29dff Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit b1ce0c8) Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
|
Failure is unrelated; I think we have a fix for that one as well in master; |
|
We should probably consider including this in other maintained branches as well. |
|
(and the PR that removes the fallback) |
|
@thaJeztah, is this the fallback you are referencing? moby/api/types/registry/authconfig_test.go Lines 109 to 114 in 63fcf7d |
|
@austinvazquez no it's this one on the daemon side; that's the one that was causing issues if a request was made that did not send a non-empty Related to that was this PR that tried to omit the header if no value was set (but that didn't work with the existing way we encoded the value, so it was never empty); I DONT think we need to (or should!) backport that last one, but it's good if the daemon accepts requests with an empty body without producing an obscure error (which is what #50371 should fix). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before ea29dff, the image create endpoint had a fallback for very old client versions that would send authentication as body instead of through the
X-Registry-Authheader.However, the implementation of this fallback did not handle empty bodies, resulting in an
io.EOFerror to be returned when trying to parse the body as JSON.In practice, this problem didn't happen when using the CLI, because even if no authentication was present,
registry.EncodeAuthConfig()(used by the CLI to set theX-Registry-Authheader) would produce an empty JSON document ({}), which would be encoded in base64 (e30=), so we would never set an emptyX-Registry-Auth(but other clients may have hit this situation). That behavior was unexpected, because not all registries require authentication, and omitting theX-Registry-Authshould be valid. We also want to have more flexibility in authentication (and being able to distinguish unauthenticated requests, so that we can fallback to alternative paths).Unfortunately, we can't change existing daemons, so must account for the faulty fallback. Currently, omitting the
X-Registry-Authproduces an error, but we can avoid this by unconditionally sending a body, which may be an empty JSON document ({}).I explored possible options for this; we can either construct our own empty JSON (
json.RawMessage("{}")) to be explicit that we're sending empty JSON, butencodeBody()is currently hard-coded to expect JSON requests, and unconditionally callsencodeData, which encodes to JSON, so we may as well take advantage ofhttp.NoBody, which gets marshaled to an empty JSON document;https://go.dev/play/p/QCw9dJ6LGQu
Before this patch, a client omitting
X-Registry-Auth(and no body) would produce an error;With this patch applied, no error is produced;
(cherry picked from commit b1ce0c8)
- What I did
Backports #50415 to 28.x branch
- How I did it
* manually resolved conflicts in
tryImagePushfunction. i.e. patch did not apply cleanly.- How to verify it
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)