fix insecure manifest inspect with restrictive certs perms

If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using the `insecure` flag. Since the cli doesn't access the engine's list of insecure registries, the registry client should make a singleton list of the registry being queried with the `insecure` flag. Fixes docker#1358 Signed-off-by: Christy Norman <[email protected]>
clnperez · Sep 18, 2018 · f46c713 · f46c713
1 parent b4180e8
commit f46c713
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/cli/registry/client/fetcher.go b/cli/registry/client/fetcher.go
@@ -97,6 +97,7 @@ func pullManifestSchemaV2(ctx context.Context, ref reference.Named, repo distrib
 
 func pullManifestSchemaV2ImageConfig(ctx context.Context, dgst digest.Digest, repo distribution.Repository) ([]byte, error) {
 	blobs := repo.Blobs(ctx)
+	logrus.Debug("getting blobs in pullManifestSchemaV2imageConfig")
 	configJSON, err := blobs.Get(ctx, dgst)
 	if err != nil {
 		return nil, err
@@ -200,7 +201,7 @@ func continueOnError(err error) bool {
 }
 
 func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named, each func(context.Context, distribution.Repository, reference.Named) (bool, error)) error {
-	endpoints, err := allEndpoints(namedRef)
+	endpoints, err := allEndpoints(namedRef, c.insecureRegistry)
 	if err != nil {
 		return err
 	}
@@ -262,12 +263,18 @@ func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named,
 }
 
 // allEndpoints returns a list of endpoints ordered by priority (v2, https, v1).
-func allEndpoints(namedRef reference.Named) ([]registry.APIEndpoint, error) {
+func allEndpoints(namedRef reference.Named, insecure bool) ([]registry.APIEndpoint, error) {
 	repoInfo, err := registry.ParseRepositoryInfo(namedRef)
 	if err != nil {
 		return nil, err
 	}
-	registryService, err := registry.NewService(registry.ServiceOptions{})
+
+	serviceOpts := registry.ServiceOptions{}
+	if insecure {
+		logrus.Debugf("allowing insecure registry for: %s", reference.Domain(namedRef))
+		serviceOpts.InsecureRegistries = []string{reference.Domain(namedRef)}
+	}
+	registryService, err := registry.NewService(serviceOpts)
 	if err != nil {
 		return []registry.APIEndpoint{}, err
 	}