InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 10:41:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
moby/daemon/containerd/resolver.go
Sebastiaan van Stijn a32a53ae01 daemon/containerd: pass custom metaHeaders to resolver 
Similar to how [distribution.newRepository] in the legacy distribution code
passes the (custom) http-headers. User-Agent is always set, and can't be
overridden, so we apply it after setting the custom headers.

[distribution.newRepository]: 9ce272f804/daemon/internal/distribution/registry.go (L74-L97)

Before this patch:

    docker run --rm -d --name debugger -p 127.0.0.1:5001:8080 mendhak/http-https-echo
    DOCKER_CUSTOM_HEADERS=X-Meta-Hello=thaJeztah docker pull localhost:5001/myimage:latest
    docker logs debugger
    ...
    "headers": {
        "host": "localhost:5001",
        "user-agent": "docker/dev go/go1.24.7 git-commit/8e89fe7e8cbb3048f640846590175cbae4719b25 kernel/6.10.14-linuxkit os/linux arch/arm64 containerd-client/2.1.4+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/28.3.2 \\(linux\\))",
        "accept": "application/json, */*",
        "accept-encoding": "zstd;q=1.0, gzip;q=0.8, deflate;q=0.5",
        "baggage": "trigger=api"
    },

With this patch:

    docker run --rm -d --name debugger -p 127.0.0.1:5001:8080 mendhak/http-https-echo
    DOCKER_CUSTOM_HEADERS=X-Meta-Hello=thaJeztah docker pull localhost:5001/myimage:latest
    docker logs debugger
    ...
    "headers": {
        "host": "localhost:5001",
        "user-agent": "docker/dev go/go1.24.7 git-commit/8e89fe7e8cbb3048f640846590175cbae4719b25 kernel/6.10.14-linuxkit os/linux arch/arm64 containerd-client/2.1.4+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/28.3.2 \\(linux\\))",
        "accept": "application/json, */*",
        "accept-encoding": "zstd;q=1.0, gzip;q=0.8, deflate;q=0.5",
        "baggage": "trigger=api",
        "x-meta-hello": "thaJeztah"
    },

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-09-23 11:42:10 +02:00

110 lines
3.1 KiB
Go
Raw Permalink Blame History

package containerd
import (
"context"
"net/http"
"github.com/containerd/containerd/v2/core/remotes"
"github.com/containerd/containerd/v2/core/remotes/docker"
"github.com/containerd/containerd/v2/version"
cerrdefs "github.com/containerd/errdefs"
"github.com/containerd/log"
"github.com/distribution/reference"
registrytypes "github.com/moby/moby/api/types/registry"
"github.com/moby/moby/v2/daemon/pkg/registry"
"github.com/moby/moby/v2/dockerversion"
"github.com/moby/moby/v2/pkg/useragent"
)
func (i *ImageService) newResolverFromAuthConfig(ctx context.Context, authConfig *registrytypes.AuthConfig, ref reference.Named, metaHeaders http.Header) (remotes.Resolver, docker.StatusTracker) {
tracker := docker.NewInMemoryTracker()
hosts := hostsWrapper(i.registryHosts, authConfig, ref)
headers := http.Header{}
if metaHeaders != nil {
headers = metaHeaders.Clone()
}
headers.Set("User-Agent", dockerversion.DockerUserAgent(ctx, useragent.VersionInfo{Name: "containerd-client", Version: version.Version}, useragent.VersionInfo{Name: "storage-driver", Version: i.snapshotter}))
return docker.NewResolver(docker.ResolverOptions{
Hosts: hosts,
Tracker: tracker,
Headers: headers,
}), tracker
}
func hostsWrapper(hostsFn docker.RegistryHosts, optAuthConfig *registrytypes.AuthConfig, ref reference.Named) docker.RegistryHosts {
if optAuthConfig == nil {
return hostsFn
}
authorizer := authorizerFromAuthConfig(*optAuthConfig, ref)
return func(n string) ([]docker.RegistryHost, error) {
hosts, err := hostsFn(n)
if err != nil {
return nil, err
}
for i := range hosts {
hosts[i].Authorizer = authorizer
}
return hosts, nil
}
}
func authorizerFromAuthConfig(authConfig registrytypes.AuthConfig, ref reference.Named) docker.Authorizer {
cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
if cfgHost == "" {
cfgHost = reference.Domain(ref)
}
if cfgHost == registry.IndexHostname || cfgHost == registry.IndexName {
cfgHost = registry.DefaultRegistryHost
}
if authConfig.RegistryToken != "" {
return &bearerAuthorizer{
host: cfgHost,
bearer: authConfig.RegistryToken,
}
}
return docker.NewDockerAuthorizer(docker.WithAuthCreds(func(host string) (string, string, error) {
if cfgHost != host {
log.G(context.TODO()).WithFields(log.Fields{
"host": host,
"cfgHost": cfgHost,
}).Warn("Host doesn't match")
return "", "", nil
}
if authConfig.IdentityToken != "" {
return "", authConfig.IdentityToken, nil
}
return authConfig.Username, authConfig.Password, nil
}))
}
type bearerAuthorizer struct {
host string
bearer string
}
func (a *bearerAuthorizer) Authorize(ctx context.Context, req *http.Request) error {
if req.Host != a.host {
log.G(ctx).WithFields(log.Fields{
"host": req.Host,
"cfgHost": a.host,
}).Warn("Host doesn't match for bearer token")
return nil
}
req.Header.Set("Authorization", "Bearer "+a.bearer)
return nil
}
func (a *bearerAuthorizer) AddResponses(context.Context, []*http.Response) error {
// Return not implemented to prevent retry of the request when bearer did not succeed
return cerrdefs.ErrNotImplemented
}
Reference in New Issue View Git Blame Copy Permalink