diff --git a/vendor.mod b/vendor.mod
index 7b64a12c7fcd..c0920162255d 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -13,7 +13,7 @@ require (
github.com/distribution/reference v0.6.0
github.com/docker/cli-docs-tool v0.8.0
github.com/docker/distribution v2.8.3+incompatible
- github.com/docker/docker v27.0.2-0.20241209174241-b249c5ebd214+incompatible // master (v-next)
+ github.com/docker/docker v27.0.2-0.20241216174307-9fe5649fedaa+incompatible // master (v-next)
github.com/docker/docker-credential-helpers v0.8.2
github.com/docker/go-connections v0.5.0
github.com/docker/go-units v0.5.0
diff --git a/vendor.sum b/vendor.sum
index 35a4f86e7a56..ff111790d8ca 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -51,8 +51,8 @@ github.com/docker/cli-docs-tool v0.8.0/go.mod h1:8TQQ3E7mOXoYUs811LiPdUnAhXrcVsB
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.0.2-0.20241209174241-b249c5ebd214+incompatible h1:n78wXsuD+b4ch68cGrR/SfpXPi4Q9T3jrBGIN5NEAtE=
-github.com/docker/docker v27.0.2-0.20241209174241-b249c5ebd214+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.0.2-0.20241216174307-9fe5649fedaa+incompatible h1:/nu75ri8z+YUQRZIpURDNNAPbl5oFo/6IDiwg5Q0aBQ=
+github.com/docker/docker v27.0.2-0.20241216174307-9fe5649fedaa+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml
index b9f805a52f73..79bb65755616 100644
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
@@ -5859,8 +5859,6 @@ definitions:
type: "string"
example:
- "WARNING: No memory limit support"
- - "WARNING: bridge-nf-call-iptables is disabled"
- - "WARNING: bridge-nf-call-ip6tables is disabled"
CDISpecDirs:
description: |
List of directories where (Container Device Interface) CDI
@@ -5983,55 +5981,27 @@ definitions:
List of IP ranges to which nondistributable artifacts can be pushed,
using the CIDR syntax [RFC 4632](https://tools.ietf.org/html/4632).
- Some images (for example, Windows base images) contain artifacts
- whose distribution is restricted by license. When these images are
- pushed to a registry, restricted artifacts are not included.
-
- This configuration override this behavior, and enables the daemon to
- push nondistributable artifacts to all registries whose resolved IP
- address is within the subnet described by the CIDR syntax.
-
- This option is useful when pushing images containing
- nondistributable artifacts to a registry on an air-gapped network so
- hosts on that network can pull the images without connecting to
- another server.
-
- > **Warning**: Nondistributable artifacts typically have restrictions
- > on how and where they can be distributed and shared. Only use this
- > feature to push artifacts to private registries and ensure that you
- > are in compliance with any terms that cover redistributing
- > nondistributable artifacts.
+
+ > **Deprecated**: Pushing nondistributable artifacts is now always enabled
+ > and this field is always `null`. This field will be removed in a API v1.49.
type: "array"
items:
type: "string"
- example: ["::1/128", "127.0.0.0/8"]
+ example: []
AllowNondistributableArtifactsHostnames:
description: |
List of registry hostnames to which nondistributable artifacts can be
pushed, using the format `[:]` or `[:]`.
- Some images (for example, Windows base images) contain artifacts
- whose distribution is restricted by license. When these images are
- pushed to a registry, restricted artifacts are not included.
-
- This configuration override this behavior for the specified
- registries.
-
- This option is useful when pushing images containing
- nondistributable artifacts to a registry on an air-gapped network so
- hosts on that network can pull the images without connecting to
- another server.
+
- > **Warning**: Nondistributable artifacts typically have restrictions
- > on how and where they can be distributed and shared. Only use this
- > feature to push artifacts to private registries and ensure that you
- > are in compliance with any terms that cover redistributing
- > nondistributable artifacts.
+ > **Deprecated**: Pushing nondistributable artifacts is now always enabled
+ > and this field is always `null`. This field will be removed in a API v1.49.
type: "array"
items:
type: "string"
- example: ["registry.internal.corp.example.com:3000", "[2001:db8:a0b:12f0::1]:443"]
+ example: []
InsecureRegistryCIDRs:
description: |
List of IP ranges of insecure registries, using the CIDR syntax
@@ -9626,7 +9596,7 @@ paths:
type: "string"
example: "OK"
headers:
- API-Version:
+ Api-Version:
type: "string"
description: "Max API Version the server supports"
Builder-Version:
@@ -9682,7 +9652,7 @@ paths:
type: "string"
example: "(empty)"
headers:
- API-Version:
+ Api-Version:
type: "string"
description: "Max API Version the server supports"
Builder-Version:
diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go
index 75ee07b15f97..b0a4d604f5f8 100644
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@@ -9,11 +9,29 @@ import (
// ServiceConfig stores daemon registry services configuration.
type ServiceConfig struct {
- AllowNondistributableArtifactsCIDRs []*NetIPNet
- AllowNondistributableArtifactsHostnames []string
- InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
- IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
- Mirrors []string
+ AllowNondistributableArtifactsCIDRs []*NetIPNet `json:"AllowNondistributableArtifactsCIDRs,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+ AllowNondistributableArtifactsHostnames []string `json:"AllowNondistributableArtifactsHostnames,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+
+ InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
+ IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
+ Mirrors []string
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (sc ServiceConfig) MarshalJSON() ([]byte, error) {
+ tmp := map[string]interface{}{
+ "InsecureRegistryCIDRs": sc.InsecureRegistryCIDRs,
+ "IndexConfigs": sc.IndexConfigs,
+ "Mirrors": sc.Mirrors,
+ }
+ if sc.AllowNondistributableArtifactsCIDRs != nil {
+ tmp["AllowNondistributableArtifactsCIDRs"] = nil
+ }
+ if sc.AllowNondistributableArtifactsHostnames != nil {
+ tmp["AllowNondistributableArtifactsHostnames"] = nil
+ }
+ return json.Marshal(tmp)
}
// NetIPNet is the net.IPNet type, which can be marshalled and
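Review bot: `MarshalJSON` builds the response from a hand-written map, so the struct tags on `ServiceConfig` no longer drive encoding, and any field added to the struct later is silently left out of API responses unless this map is updated too. The two deprecated keys are emitted as `null` only when the Go field is non-nil and are omitted otherwise, while the swagger text in this same commit says the field is always `null`; whether the daemon always populates them is not visible here. A comment above the map would make the coupling explicit, for example `// Keep in sync with the ServiceConfig fields: this map, not the struct tags, defines the JSON output.` No matching `UnmarshalJSON` is added in this hunk, so the `omitempty` tags on the deprecated fields now have no effect on output.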
diff --git a/vendor/github.com/docker/docker/client/ping.go b/vendor/github.com/docker/docker/client/ping.go
index bf3e9b1cd6d5..7c43268b3a0c 100644
--- a/vendor/github.com/docker/docker/client/ping.go
+++ b/vendor/github.com/docker/docker/client/ping.go
@@ -56,8 +56,8 @@ func parsePingResponse(cli *Client, resp serverResponse) (types.Ping, error) {
err := cli.checkResponseErr(resp)
return ping, errdefs.FromStatusCode(err, resp.statusCode)
}
- ping.APIVersion = resp.header.Get("API-Version")
- ping.OSType = resp.header.Get("OSType")
+ ping.APIVersion = resp.header.Get("Api-Version")
+ ping.OSType = resp.header.Get("Ostype")
if resp.header.Get("Docker-Experimental") == "true" {
ping.Experimental = true
}
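Review bot: The new keys `Api-Version` and `Ostype` read like typos next to the fields `APIVersion` and `OSType`, and nothing in the hunk says why the spelling changed. If `resp.header` is an `http.Header` (its type is outside the hunk), `Get` canonicalizes the key before lookup, so the old and new spellings fetch the same value and the change is cosmetic. A short comment would keep someone from "fixing" it back, e.g. `// Header keys are written in canonical MIME form, which is what http.Header.Get looks up.` The body of `parsePingResponse` continues outside the hunk.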
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive.go b/vendor/github.com/docker/docker/pkg/archive/archive.go
index 963f865bd1db..92195628c92e 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@@ -9,6 +9,7 @@ import (
"compress/gzip"
"context"
"encoding/binary"
+ "errors"
"fmt"
"io"
"os"
@@ -28,7 +29,6 @@ import (
"github.com/klauspost/compress/zstd"
"github.com/moby/patternmatcher"
"github.com/moby/sys/sequential"
- "github.com/pkg/errors"
)
// ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
@@ -762,11 +762,11 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
chownOpts = &idtools.Identity{UID: hdr.Uid, GID: hdr.Gid}
}
if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
- msg := "failed to Lchown %q for UID %d, GID %d"
+ var msg string
if inUserns && errors.Is(err, syscall.EINVAL) {
- msg += " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
+ msg = " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
}
- return errors.Wrapf(err, msg, path, hdr.Uid, hdr.Gid)
+ return fmt.Errorf("failed to Lchown %q for UID %d, GID %d%s: %w", path, hdr.Uid, hdr.Gid, msg, err)
}
}
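Review bot: The rewritten error on the `Lchown` failure path formats `hdr.Uid` and `hdr.Gid`, but the call that failed used `chownOpts.UID` and `chownOpts.GID`. The line above the call assigns `chownOpts` from the header only inside a conditional whose test is outside the hunk, so when the caller supplied its own identity the message likely names IDs that were never passed to `Lchown`. That misleads anyone debugging a subuid/subgid mapping problem. Reporting the values actually used avoids it: `return fmt.Errorf("failed to Lchown %q for UID %d, GID %d%s: %w", path, chownOpts.UID, chownOpts.GID, msg, err)`. `createTarFile` starts and ends outside the hunk.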
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
index b9d2a538ab01..061564991c6b 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
@@ -2,13 +2,13 @@ package archive // import "github.com/docker/docker/pkg/archive"
import (
"archive/tar"
+ "fmt"
"os"
"path/filepath"
"strings"
"github.com/docker/docker/pkg/system"
"github.com/moby/sys/userns"
- "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -79,7 +79,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
err := unix.Setxattr(dir, opaqueXattrName, []byte{'y'}, 0)
if err != nil {
- return false, errors.Wrapf(err, "setxattr(%q, %s=y)", dir, opaqueXattrName)
+ return false, fmt.Errorf("setxattr('%s', %s=y): %w", dir, opaqueXattrName, err)
}
// don't write the file itself
return false, err
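Review bot: Both rewritten messages in `ConvertRead` switch the path verb from `%q` to `'%s'`, so a directory or file name is now written into the error text unescaped. These names appear to come from the tar entry being extracted (`path` is a parameter; how `dir` and `originalBase` are derived is outside the hunk). An entry name containing newlines, quotes or terminal control bytes would then reach logs and console output verbatim. Keeping the quoting verb preserves the escaping while still using the stdlib wrap: `fmt.Errorf("setxattr(%q, %s=y): %w", dir, opaqueXattrName, err)` here and `fmt.Errorf("failed to mknod(%q, S_IFCHR, 0): %w", originalPath, err)` in the following mknod hunk.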
@@ -91,7 +91,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
originalPath := filepath.Join(dir, originalBase)
if err := unix.Mknod(originalPath, unix.S_IFCHR, 0); err != nil {
- return false, errors.Wrapf(err, "failed to mknod(%q, S_IFCHR, 0)", originalPath)
+ return false, fmt.Errorf("failed to mknod('%s', S_IFCHR, 0): %w", originalPath, err)
}
if err := os.Chown(originalPath, hdr.Uid, hdr.Gid); err != nil {
return false, err
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go b/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
index 5e29a6b3b8a9..97f355d2e4d4 100644
--- a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
@@ -10,7 +10,9 @@ import (
// Lstat takes a path to a file and returns
// a system.StatT type pertaining to that file.
//
-// Throws an error if the file does not exist
+// Throws an error if the file does not exist.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Lstat(path string) (*StatT, error) {
s := &syscall.Stat_t{}
if err := syscall.Lstat(path, s); err != nil {
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go b/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
index 359c791d9b62..4180f3ac207c 100644
--- a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
@@ -4,6 +4,8 @@ import "os"
// Lstat calls os.Lstat to get a fileinfo interface back.
// This is then copied into our own locally defined structure.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Lstat(path string) (*StatT, error) {
fi, err := os.Lstat(path)
if err != nil {
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod.go b/vendor/github.com/docker/docker/pkg/system/mknod.go
index 2a62237a45cd..e0cd22d7a78c 100644
--- a/vendor/github.com/docker/docker/pkg/system/mknod.go
+++ b/vendor/github.com/docker/docker/pkg/system/mknod.go
@@ -11,6 +11,8 @@ import (
// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
// then the top 12 bits of the minor.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Mkdev(major int64, minor int64) uint32 {
return uint32(unix.Mkdev(uint32(major), uint32(minor)))
}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go b/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
index e218e742d495..4f66453d622b 100644
--- a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
+++ b/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
@@ -8,6 +8,8 @@ import (
// Mknod creates a filesystem node (file, device special file or named pipe) named path
// with attributes specified by mode and dev.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Mknod(path string, mode uint32, dev int) error {
return unix.Mknod(path, mode, uint64(dev))
}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go b/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
index 34df0b9236c8..34c5532631a0 100644
--- a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
@@ -8,6 +8,8 @@ import (
// Mknod creates a filesystem node (file, device special file or named pipe) named path
// with attributes specified by mode and dev.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Mknod(path string, mode uint32, dev int) error {
return unix.Mknod(path, mode, dev)
}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_linux.go b/vendor/github.com/docker/docker/pkg/system/stat_linux.go
index 4309d42b9fd5..0557235f9878 100644
--- a/vendor/github.com/docker/docker/pkg/system/stat_linux.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_linux.go
@@ -17,6 +17,8 @@ func fromStatT(s *syscall.Stat_t) (*StatT, error) {
// FromStatT converts a syscall.Stat_t type to a system.Stat_t type
// This is exposed on Linux as pkg/archive/changes uses it.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func FromStatT(s *syscall.Stat_t) (*StatT, error) {
return fromStatT(s)
}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_unix.go b/vendor/github.com/docker/docker/pkg/system/stat_unix.go
index 205e54677db3..661b0bed2017 100644
--- a/vendor/github.com/docker/docker/pkg/system/stat_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_unix.go
@@ -9,6 +9,8 @@ import (
// StatT type contains status of a file. It contains metadata
// like permission, owner, group, size, etc about a file.
+//
+// Deprecated: this type is only used internally, and will be removed in the next release.
type StatT struct {
mode uint32
uid uint32
@@ -56,7 +58,9 @@ func (s StatT) IsDir() bool {
// Stat takes a path to a file and returns
// a system.StatT type pertaining to that file.
//
-// Throws an error if the file does not exist
+// Throws an error if the file does not exist.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Stat(path string) (*StatT, error) {
s := &syscall.Stat_t{}
if err := syscall.Stat(path, s); err != nil {
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_windows.go b/vendor/github.com/docker/docker/pkg/system/stat_windows.go
index 10876cd73e28..e74a0f4fd701 100644
--- a/vendor/github.com/docker/docker/pkg/system/stat_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_windows.go
@@ -7,6 +7,8 @@ import (
// StatT type contains status of a file. It contains metadata
// like permission, size, etc about a file.
+//
+// Deprecated: this type is only used internally, and will be removed in the next release.
type StatT struct {
mode os.FileMode
size int64
@@ -31,7 +33,9 @@ func (s StatT) Mtim() time.Time {
// Stat takes a path to a file and returns
// a system.StatT type pertaining to that file.
//
-// Throws an error if the file does not exist
+// Throws an error if the file does not exist.
+//
+// Deprecated: this function is only used internally, and will be removed in the next release.
func Stat(path string) (*StatT, error) {
fi, err := os.Stat(path)
if err != nil {
diff --git a/vendor/github.com/docker/docker/registry/auth.go b/vendor/github.com/docker/docker/registry/auth.go
index 905ccf5f5120..8c62b83c0759 100644
--- a/vendor/github.com/docker/docker/registry/auth.go
+++ b/vendor/github.com/docker/docker/registry/auth.go
@@ -66,23 +66,23 @@ func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
// loginV2 tries to login to the v2 registry server. The given registry
// endpoint will be pinged to get authorization challenges. These challenges
// will be used to authenticate against the registry to validate credentials.
-func loginV2(authConfig *registry.AuthConfig, endpoint APIEndpoint, userAgent string) (string, string, error) {
- var (
- endpointStr = strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
- modifiers = Headers(userAgent, nil)
- authTransport = transport.NewTransport(newTransport(endpoint.TLSConfig), modifiers...)
- credentialAuthConfig = *authConfig
- creds = loginCredentialStore{authConfig: &credentialAuthConfig}
- )
-
+func loginV2(authConfig *registry.AuthConfig, endpoint APIEndpoint, userAgent string) (status string, token string, _ error) {
+ endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
log.G(context.TODO()).Debugf("attempting v2 login to registry endpoint %s", endpointStr)
- loginClient, err := v2AuthHTTPClient(endpoint.URL, authTransport, modifiers, creds, nil)
+ req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
if err != nil {
return "", "", err
}
- req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
+ var (
+ modifiers = Headers(userAgent, nil)
+ authTrans = transport.NewTransport(newTransport(endpoint.TLSConfig), modifiers...)
+ credentialAuthConfig = *authConfig
+ creds = loginCredentialStore{authConfig: &credentialAuthConfig}
+ )
+
+ loginClient, err := v2AuthHTTPClient(endpoint.URL, authTrans, modifiers, creds, nil)
if err != nil {
return "", "", err
}
@@ -133,12 +133,13 @@ func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifi
// files).
func ConvertToHostname(url string) string {
stripped := url
- if strings.HasPrefix(url, "http://") {
- stripped = strings.TrimPrefix(url, "http://")
- } else if strings.HasPrefix(url, "https://") {
- stripped = strings.TrimPrefix(url, "https://")
+ if strings.HasPrefix(stripped, "http://") {
+ stripped = strings.TrimPrefix(stripped, "http://")
+ } else if strings.HasPrefix(stripped, "https://") {
+ stripped = strings.TrimPrefix(stripped, "https://")
}
- return strings.SplitN(stripped, "/", 2)[0]
+ stripped, _, _ = strings.Cut(stripped, "/")
+ return stripped
}
// ResolveAuthConfig matches an auth configuration to a server address or a URL
diff --git a/vendor/github.com/docker/docker/registry/config.go b/vendor/github.com/docker/docker/registry/config.go
index f351d21a92c4..07fdea1b6cea 100644
--- a/vendor/github.com/docker/docker/registry/config.go
+++ b/vendor/github.com/docker/docker/registry/config.go
@@ -15,9 +15,10 @@ import (
// ServiceOptions holds command line options.
type ServiceOptions struct {
- AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`
- Mirrors []string `json:"registry-mirrors,omitempty"`
- InsecureRegistries []string `json:"insecure-registries,omitempty"`
+ AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+
+ Mirrors []string `json:"registry-mirrors,omitempty"`
+ InsecureRegistries []string `json:"insecure-registries,omitempty"`
}
// serviceConfig holds daemon configuration for the registry service.
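Review bot: `AllowNondistributableArtifacts` stays in `ServiceOptions` with its `allow-nondistributable-artifacts` JSON tag, but the next hunk removes the only visible reader (the `loadAllowNondistributableArtifacts` call in `newServiceConfig`). A value in an existing config is therefore still decoded and then neither validated nor used. The trailing comment says the field is deprecated but not that it is now inert. A doc comment above the field would state that, e.g. `// AllowNondistributableArtifacts is accepted for backward compatibility and ignored.` followed by a `// Deprecated:` paragraph, which is also where Go documentation tooling conventionally looks for the marker. Whether a warning is logged for configs that still set the option is not visible in this diff.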
@@ -80,9 +81,6 @@ func CertsDir() string {
// newServiceConfig returns a new instance of ServiceConfig
func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
config := &serviceConfig{}
- if err := config.loadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts); err != nil {
- return nil, err
- }
if err := config.loadMirrors(options.Mirrors); err != nil {
return nil, err
}
@@ -100,49 +98,10 @@ func (config *serviceConfig) copy() *registry.ServiceConfig {
ic[key] = value
}
return ®istry.ServiceConfig{
- AllowNondistributableArtifactsCIDRs: append([]*registry.NetIPNet(nil), config.AllowNondistributableArtifactsCIDRs...),
- AllowNondistributableArtifactsHostnames: append([]string(nil), config.AllowNondistributableArtifactsHostnames...),
- InsecureRegistryCIDRs: append([]*registry.NetIPNet(nil), config.InsecureRegistryCIDRs...),
- IndexConfigs: ic,
- Mirrors: append([]string(nil), config.Mirrors...),
- }
-}
-
-// loadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
-func (config *serviceConfig) loadAllowNondistributableArtifacts(registries []string) error {
- cidrs := map[string]*registry.NetIPNet{}
- hostnames := map[string]bool{}
-
- for _, r := range registries {
- if _, err := ValidateIndexName(r); err != nil {
- return err
- }
- if hasScheme(r) {
- return invalidParamf("allow-nondistributable-artifacts registry %s should not contain '://'", r)
- }
-
- if _, ipnet, err := net.ParseCIDR(r); err == nil {
- // Valid CIDR.
- cidrs[ipnet.String()] = (*registry.NetIPNet)(ipnet)
- } else if err = validateHostPort(r); err == nil {
- // Must be `host:port` if not CIDR.
- hostnames[r] = true
- } else {
- return invalidParamWrapf(err, "allow-nondistributable-artifacts registry %s is not valid", r)
- }
- }
-
- config.AllowNondistributableArtifactsCIDRs = make([]*registry.NetIPNet, 0, len(cidrs))
- for _, c := range cidrs {
- config.AllowNondistributableArtifactsCIDRs = append(config.AllowNondistributableArtifactsCIDRs, c)
+ InsecureRegistryCIDRs: append([]*registry.NetIPNet(nil), config.InsecureRegistryCIDRs...),
+ IndexConfigs: ic,
+ Mirrors: append([]string(nil), config.Mirrors...),
}
-
- config.AllowNondistributableArtifactsHostnames = make([]string, 0, len(hostnames))
- for h := range hostnames {
- config.AllowNondistributableArtifactsHostnames = append(config.AllowNondistributableArtifactsHostnames, h)
- }
-
- return nil
}
// loadMirrors loads mirrors to config, after removing duplicates.
@@ -242,25 +201,6 @@ skip:
return nil
}
-// allowNondistributableArtifacts returns true if the provided hostname is part of the list of registries
-// that allow push of nondistributable artifacts.
-//
-// The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP
-// of the registry specified by hostname, true is returned.
-//
-// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
-// or an IP address. If it is a domain name, then it will be resolved to IP addresses for matching. If
-// resolution fails, CIDR matching is not performed.
-func (config *serviceConfig) allowNondistributableArtifacts(hostname string) bool {
- for _, h := range config.AllowNondistributableArtifactsHostnames {
- if h == hostname {
- return true
- }
- }
-
- return isCIDRMatch(config.AllowNondistributableArtifactsCIDRs, hostname)
-}
-
// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
//
diff --git a/vendor/github.com/docker/docker/registry/service.go b/vendor/github.com/docker/docker/registry/service.go
index 672a721ff6d3..4d66523c616a 100644
--- a/vendor/github.com/docker/docker/registry/service.go
+++ b/vendor/github.com/docker/docker/registry/service.go
@@ -68,10 +68,11 @@ func (s *Service) Auth(ctx context.Context, authConfig *registry.AuthConfig, use
registryHostName = u.Host
}
- // Lookup endpoints for authentication using "LookupPushEndpoints", which
- // excludes mirrors to prevent sending credentials of the upstream registry
- // to a mirror.
- endpoints, err := s.LookupPushEndpoints(registryHostName)
+ // Lookup endpoints for authentication but exclude mirrors to prevent
+ // sending credentials of the upstream registry to a mirror.
+ s.mu.RLock()
+ endpoints, err := s.lookupV2Endpoints(registryHostName, false)
+ s.mu.RUnlock()
if err != nil {
return "", "", invalidParam(err)
}
@@ -103,7 +104,7 @@ func (s *Service) ResolveRepository(name reference.Named) (*RepositoryInfo, erro
type APIEndpoint struct {
Mirror bool
URL *url.URL
- AllowNondistributableArtifacts bool
+ AllowNondistributableArtifacts bool // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
Official bool
TrimHostname bool // Deprecated: hostname is now trimmed unconditionally for remote names. This field will be removed in the next release.
TLSConfig *tls.Config
@@ -115,7 +116,7 @@ func (s *Service) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint,
s.mu.RLock()
defer s.mu.RUnlock()
- return s.lookupV2Endpoints(hostname)
+ return s.lookupV2Endpoints(hostname, true)
}
// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
@@ -124,15 +125,7 @@ func (s *Service) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint,
s.mu.RLock()
defer s.mu.RUnlock()
- allEndpoints, err := s.lookupV2Endpoints(hostname)
- if err == nil {
- for _, endpoint := range allEndpoints {
- if !endpoint.Mirror {
- endpoints = append(endpoints, endpoint)
- }
- }
- }
- return endpoints, err
+ return s.lookupV2Endpoints(hostname, false)
}
// IsInsecureRegistry returns true if the registry at given host is configured as
diff --git a/vendor/github.com/docker/docker/registry/service_v2.go b/vendor/github.com/docker/docker/registry/service_v2.go
index cf95ce51d107..43754527a22d 100644
--- a/vendor/github.com/docker/docker/registry/service_v2.go
+++ b/vendor/github.com/docker/docker/registry/service_v2.go
@@ -7,34 +7,33 @@ import (
"github.com/docker/go-connections/tlsconfig"
)
-func (s *Service) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
- ana := s.config.allowNondistributableArtifacts(hostname)
-
+func (s *Service) lookupV2Endpoints(hostname string, includeMirrors bool) ([]APIEndpoint, error) {
+ var endpoints []APIEndpoint
if hostname == DefaultNamespace || hostname == IndexHostname {
- for _, mirror := range s.config.Mirrors {
- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
- mirror = "https://" + mirror
- }
- mirrorURL, err := url.Parse(mirror)
- if err != nil {
- return nil, invalidParam(err)
- }
- mirrorTLSConfig, err := newTLSConfig(mirrorURL.Host, s.config.isSecureIndex(mirrorURL.Host))
- if err != nil {
- return nil, err
+ if includeMirrors {
+ for _, mirror := range s.config.Mirrors {
+ if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
+ mirror = "https://" + mirror
+ }
+ mirrorURL, err := url.Parse(mirror)
+ if err != nil {
+ return nil, invalidParam(err)
+ }
+ mirrorTLSConfig, err := newTLSConfig(mirrorURL.Host, s.config.isSecureIndex(mirrorURL.Host))
+ if err != nil {
+ return nil, err
+ }
+ endpoints = append(endpoints, APIEndpoint{
+ URL: mirrorURL,
+ Mirror: true,
+ TLSConfig: mirrorTLSConfig,
+ })
}
- endpoints = append(endpoints, APIEndpoint{
- URL: mirrorURL,
- Mirror: true,
- TLSConfig: mirrorTLSConfig,
- })
}
endpoints = append(endpoints, APIEndpoint{
URL: DefaultV2Registry,
Official: true,
TLSConfig: tlsconfig.ServerDefault(),
-
- AllowNondistributableArtifacts: ana,
})
return endpoints, nil
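Review bot: `lookupV2Endpoints` gains the `includeMirrors` flag but still has no doc comment, and this flag is what keeps registry credentials from being offered to mirrors on the `Auth` and push paths in service.go. I would document above the signature what `includeMirrors` does, that in the lines shown it is only consulted inside the `DefaultNamespace`/`IndexHostname` branch, and that the callers visible in this diff hold `s.mu` for reading around the call. At the call sites a bare `false`/`true` is easy to flip unnoticed; an inline argument comment such as `s.lookupV2Endpoints(registryHostName, false /* includeMirrors */)` would help. The function continues past this hunk.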
@@ -52,8 +51,6 @@ func (s *Service) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, e
Host: hostname,
},
TLSConfig: tlsConfig,
-
- AllowNondistributableArtifacts: ana,
},
}
@@ -65,8 +62,6 @@ func (s *Service) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, e
},
// used to check if supposed to be secure via InsecureSkipVerify
TLSConfig: tlsConfig,
-
- AllowNondistributableArtifacts: ana,
})
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 1bc372992db1..6bee2c9762aa 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -55,7 +55,7 @@ github.com/docker/distribution/registry/client/transport
github.com/docker/distribution/registry/storage/cache
github.com/docker/distribution/registry/storage/cache/memory
github.com/docker/distribution/uuid
-# github.com/docker/docker v27.0.2-0.20241209174241-b249c5ebd214+incompatible
+# github.com/docker/docker v27.0.2-0.20241216174307-9fe5649fedaa+incompatible
## explicit
github.com/docker/docker/api
github.com/docker/docker/api/types