// Execute runs the Docker registry. func Execute(configFile io.Reader) { config, err := configuration.Parse(configFile) if err != nil { log.Fatalf("Error parsing configuration file: %s", err) } tokenPath := "/openshift/token" // If needed, generate and populate the token realm URL in the config. // Must be done prior to instantiating the app, so our auth provider has the config available. _, usingOpenShiftAuth := config.Auth[server.OpenShiftAuth] _, hasTokenRealm := config.Auth[server.OpenShiftAuth][server.TokenRealmKey].(string) if usingOpenShiftAuth && !hasTokenRealm { registryHost := os.Getenv(server.DockerRegistryURLEnvVar) if len(registryHost) == 0 { log.Fatalf("%s is required", server.DockerRegistryURLEnvVar) } tokenURL := &url.URL{Scheme: "https", Host: registryHost, Path: tokenPath} if len(config.HTTP.TLS.Certificate) == 0 { tokenURL.Scheme = "http" } if config.Auth[server.OpenShiftAuth] == nil { config.Auth[server.OpenShiftAuth] = configuration.Parameters{} } config.Auth[server.OpenShiftAuth][server.TokenRealmKey] = tokenURL.String() } ctx := context.Background() ctx, err = configureLogging(ctx, config) if err != nil { log.Fatalf("error configuring logger: %v", err) } log.Infof("version=%s", version.Version) // inject a logger into the uuid library. warns us if there is a problem // with uuid generation under low entropy. uuid.Loggerf = context.GetLogger(ctx).Warnf app := handlers.NewApp(ctx, config) // Add a token handling endpoint if usingOpenShiftAuth { app.NewRoute().Methods("GET").PathPrefix(tokenPath).Handler(server.NewTokenHandler(ctx, server.DefaultRegistryClient)) } // TODO add https scheme adminRouter := app.NewRoute().PathPrefix("/admin/").Subrouter() pruneAccessRecords := func(*http.Request) []auth.Access { return []auth.Access{ { Resource: auth.Resource{ Type: "admin", }, Action: "prune", }, } } app.RegisterRoute( // DELETE /admin/blobs/<digest> adminRouter.Path("/blobs/{digest:"+reference.DigestRegexp.String()+"}").Methods("DELETE"), // handler server.BlobDispatcher, // repo name not required in url handlers.NameNotRequired, // custom access records pruneAccessRecords, ) app.RegisterHealthChecks() handler := alive("/", app) // TODO: temporarily keep for backwards compatibility; remove in the future handler = alive("/healthz", handler) handler = health.Handler(handler) handler = panicHandler(handler) handler = gorillahandlers.CombinedLoggingHandler(os.Stdout, handler) if config.HTTP.TLS.Certificate == "" { context.GetLogger(app).Infof("listening on %v", config.HTTP.Addr) if err := http.ListenAndServe(config.HTTP.Addr, handler); err != nil { context.GetLogger(app).Fatalln(err) } } else { tlsConf := crypto.SecureTLSConfig(&tls.Config{ClientAuth: tls.NoClientCert}) if len(config.HTTP.TLS.ClientCAs) != 0 { pool := x509.NewCertPool() for _, ca := range config.HTTP.TLS.ClientCAs { caPem, err := ioutil.ReadFile(ca) if err != nil { context.GetLogger(app).Fatalln(err) } if ok := pool.AppendCertsFromPEM(caPem); !ok { context.GetLogger(app).Fatalln(fmt.Errorf("Could not add CA to pool")) } } for _, subj := range pool.Subjects() { context.GetLogger(app).Debugf("CA Subject: %s", string(subj)) } tlsConf.ClientAuth = tls.RequireAndVerifyClientCert tlsConf.ClientCAs = pool } context.GetLogger(app).Infof("listening on %v, tls", config.HTTP.Addr) server := &http.Server{ Addr: config.HTTP.Addr, Handler: handler, TLSConfig: tlsConf, } if err := server.ListenAndServeTLS(config.HTTP.TLS.Certificate, config.HTTP.TLS.Key); err != nil { context.GetLogger(app).Fatalln(err) } } }
// Execute runs the Docker registry. func Execute(configFile io.Reader) { config, err := configuration.Parse(configFile) if err != nil { log.Fatalf("error parsing configuration file: %s", err) } setDefaultMiddleware(config) ctx := context.Background() ctx, err = configureLogging(ctx, config) if err != nil { log.Fatalf("error configuring logger: %v", err) } log.Infof("version=%s", version.Version) // inject a logger into the uuid library. warns us if there is a problem // with uuid generation under low entropy. uuid.Loggerf = context.GetLogger(ctx).Warnf app := handlers.NewApp(ctx, config) // Add a token handling endpoint if options, usingOpenShiftAuth := config.Auth[server.OpenShiftAuth]; usingOpenShiftAuth { tokenRealm, err := server.TokenRealm(options) if err != nil { log.Fatalf("error setting up token auth: %s", err) } err = app.NewRoute().Methods("GET").PathPrefix(tokenRealm.Path).Handler(server.NewTokenHandler(ctx, server.DefaultRegistryClient)).GetError() if err != nil { log.Fatalf("error setting up token endpoint at %q: %v", tokenRealm.Path, err) } log.Debugf("configured token endpoint at %q", tokenRealm.String()) } // TODO add https scheme adminRouter := app.NewRoute().PathPrefix("/admin/").Subrouter() pruneAccessRecords := func(*http.Request) []auth.Access { return []auth.Access{ { Resource: auth.Resource{ Type: "admin", }, Action: "prune", }, } } app.RegisterRoute( // DELETE /admin/blobs/<digest> adminRouter.Path("/blobs/{digest:"+reference.DigestRegexp.String()+"}").Methods("DELETE"), // handler server.BlobDispatcher, // repo name not required in url handlers.NameNotRequired, // custom access records pruneAccessRecords, ) app.RegisterHealthChecks() handler := alive("/", app) // TODO: temporarily keep for backwards compatibility; remove in the future handler = alive("/healthz", handler) handler = health.Handler(handler) handler = panicHandler(handler) handler = gorillahandlers.CombinedLoggingHandler(os.Stdout, handler) if config.HTTP.TLS.Certificate == "" { context.GetLogger(app).Infof("listening on %v", config.HTTP.Addr) if err := http.ListenAndServe(config.HTTP.Addr, handler); err != nil { context.GetLogger(app).Fatalln(err) } } else { tlsConf := crypto.SecureTLSConfig(&tls.Config{ClientAuth: tls.NoClientCert}) if len(config.HTTP.TLS.ClientCAs) != 0 { pool := x509.NewCertPool() for _, ca := range config.HTTP.TLS.ClientCAs { caPem, err := ioutil.ReadFile(ca) if err != nil { context.GetLogger(app).Fatalln(err) } if ok := pool.AppendCertsFromPEM(caPem); !ok { context.GetLogger(app).Fatalln(fmt.Errorf("Could not add CA to pool")) } } for _, subj := range pool.Subjects() { context.GetLogger(app).Debugf("CA Subject: %s", string(subj)) } tlsConf.ClientAuth = tls.RequireAndVerifyClientCert tlsConf.ClientCAs = pool } context.GetLogger(app).Infof("listening on %v, tls", config.HTTP.Addr) server := &http.Server{ Addr: config.HTTP.Addr, Handler: handler, TLSConfig: tlsConf, } if err := server.ListenAndServeTLS(config.HTTP.TLS.Certificate, config.HTTP.TLS.Key); err != nil { context.GetLogger(app).Fatalln(err) } } }