diff --git a/vendor.mod b/vendor.mod index 8af21cb3ca..87396832c4 100644 --- a/vendor.mod +++ b/vendor.mod @@ -21,7 +21,7 @@ require ( github.com/distribution/reference v0.6.0 github.com/docker/cli-docs-tool v0.10.0 github.com/docker/distribution v2.8.3+incompatible - github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible // master (v29.0-dev) + github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible // master (v29.0-dev) github.com/docker/docker-credential-helpers v0.9.3 github.com/docker/go-connections v0.5.0 github.com/docker/go-units v0.5.0 diff --git a/vendor.sum b/vendor.sum index cc7cf26780..0e747d2a87 100644 --- a/vendor.sum +++ b/vendor.sum @@ -57,8 +57,8 @@ github.com/docker/cli-docs-tool v0.10.0/go.mod h1:5EM5zPnT2E7yCLERZmrDA234Vwn09f github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible h1:/US2sfszh6RjbwhG7saJBx2R7S8FfwUoHjsFyi+1bG4= -github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible h1:jDPHkJMR6wCbKJhFijK8GfnbpesQFzzIxRnlQ9urO+s= +github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0= 
diff --git a/vendor/github.com/docker/docker/registry/auth.go b/vendor/github.com/docker/docker/registry/auth.go index 56f5b78474..a361a04fe2 100644 --- a/vendor/github.com/docker/docker/registry/auth.go +++ b/vendor/github.com/docker/docker/registry/auth.go @@ -40,9 +40,9 @@ type staticCredentialStore struct { // NewStaticCredentialStore returns a credential store // which always returns the same credential values. -func NewStaticCredentialStore(auth *registry.AuthConfig) auth.CredentialStore { +func NewStaticCredentialStore(ac *registry.AuthConfig) auth.CredentialStore { return staticCredentialStore{ - auth: auth, + auth: ac, } } @@ -60,7 +60,7 @@ func (scs staticCredentialStore) RefreshToken(*url.URL, string) string { return scs.auth.IdentityToken } -func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) { +func (staticCredentialStore) SetRefreshToken(*url.URL, string, string) { } // loginV2 tries to login to the v2 registry server. The given registry @@ -131,12 +131,15 @@ func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifi // to just its hostname. It is used to match credentials, which may be either // stored as hostname or as hostname including scheme (in legacy configuration // files). -func ConvertToHostname(url string) string { - stripped := url - if strings.HasPrefix(stripped, "http://") { - stripped = strings.TrimPrefix(stripped, "http://") - } else if strings.HasPrefix(stripped, "https://") { - stripped = strings.TrimPrefix(stripped, "https://") +func ConvertToHostname(maybeURL string) string { + stripped := maybeURL + if scheme, remainder, ok := strings.Cut(stripped, "://"); ok { + switch scheme { + case "http", "https": + stripped = remainder + default: + // unknown, or no scheme; doing nothing for now, as we never did. + } } stripped, _, _ = strings.Cut(stripped, "/") return stripped 
@@ -175,9 +178,9 @@ func (err PingResponseError) Error() string {
 // PingV2Registry attempts to ping a v2 registry and on success return a
 // challenge manager for the supported authentication types.
 // If a response is received but cannot be interpreted, a PingResponseError will be returned.
-func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, error) {
+func PingV2Registry(endpoint *url.URL, authTransport http.RoundTripper) (challenge.Manager, error) {
 pingClient := &http.Client{
- Transport: transport,
+ Transport: authTransport,
 Timeout: 15 * time.Second,
 }
 endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"
diff --git a/vendor/github.com/docker/docker/registry/config.go b/vendor/github.com/docker/docker/registry/config.go
index fd381d9969..baa078abdd 100644
--- a/vendor/github.com/docker/docker/registry/config.go
+++ b/vendor/github.com/docker/docker/registry/config.go
@@ -168,14 +168,15 @@ skip:
 if _, err := ValidateIndexName(r); err != nil {
 return err
 }
- if strings.HasPrefix(strings.ToLower(r), "http://") {
- log.G(context.TODO()).Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r)
- r = r[7:]
- } else if strings.HasPrefix(strings.ToLower(r), "https://") {
- log.G(context.TODO()).Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r)
- r = r[8:]
- } else if hasScheme(r) {
- return invalidParamf("insecure registry %s should not contain '://'", r)
+ if scheme, host, ok := strings.Cut(r, "://"); ok {
+ switch strings.ToLower(scheme) {
+ case "http", "https":
+ log.G(context.TODO()).Warnf("insecure registry %[1]s should not contain '%[2]s' and '%[2]ss' has been removed from the insecure registry config", r, scheme)
+ r = host
+ default:
+ // unsupported scheme
+ return invalidParamf("insecure registry %s should not contain '://'", r)
+ }
 }
 // Check if CIDR was passed to --insecure-registry
 _, ipnet, err := net.ParseCIDR(r)
@@ -240,18 +241,18 @@ func (config *serviceConfig) isSecureIndex(indexName string) bool { // for mocking in unit tests. var lookupIP = net.LookupIP -// isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`) +// isCIDRMatch returns true if urlHost matches an element of cidrs. urlHost is a URL.Host ("host:port" or "host") // where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be // resolved to IP addresses for matching. If resolution fails, false is returned. -func isCIDRMatch(cidrs []*registry.NetIPNet, URLHost string) bool { +func isCIDRMatch(cidrs []*registry.NetIPNet, urlHost string) bool { if len(cidrs) == 0 { return false } - host, _, err := net.SplitHostPort(URLHost) + host, _, err := net.SplitHostPort(urlHost) if err != nil { - // Assume URLHost is a host without port and go on. - host = URLHost + // Assume urlHost is a host without port and go on. + host = urlHost } var addresses []net.IP @@ -396,7 +397,6 @@ func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) { Secure: true, Official: true, }, - Official: !strings.ContainsRune(reference.FamiliarName(reposName), '/'), }, nil } diff --git a/vendor/github.com/docker/docker/registry/errors.go b/vendor/github.com/docker/docker/registry/errors.go index cc3a37da6e..d37155a789 100644 --- a/vendor/github.com/docker/docker/registry/errors.go +++ b/vendor/github.com/docker/docker/registry/errors.go @@ -8,17 +8,13 @@ import ( ) func translateV2AuthError(err error) error { - switch e := err.(type) { - case *url.Error: - switch e2 := e.Err.(type) { - case errcode.Error: - switch e2.Code { - case errcode.ErrorCodeUnauthorized: - return unauthorizedErr{err} - } + var e *url.Error + if errors.As(err, &e) { + var e2 errcode.Error + if errors.As(e, &e2) && errors.Is(e2.Code, errcode.ErrorCodeUnauthorized) { + return unauthorizedErr{err} } } - return err } 
diff --git a/vendor/github.com/docker/docker/registry/search_endpoint_v1.go b/vendor/github.com/docker/docker/registry/search_endpoint_v1.go index 6e58166d79..d6a6630125 100644 --- a/vendor/github.com/docker/docker/registry/search_endpoint_v1.go +++ b/vendor/github.com/docker/docker/registry/search_endpoint_v1.go @@ -5,6 +5,7 @@ import ( "crypto/tls" "encoding/json" "errors" + "fmt" "net/http" "net/url" "strings" @@ -58,7 +59,12 @@ func newV1Endpoint(ctx context.Context, index *registry.IndexInfo, headers http. if endpoint.IsSecure { // If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry` // in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fall back to HTTP. - return nil, invalidParamf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host) + hint := fmt.Sprintf( + ". If this private registry supports only HTTP or HTTPS with an unknown CA certificate, add `--insecure-registry %[1]s` to the daemon's arguments. "+ + "In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; place the CA certificate at /etc/docker/certs.d/%[1]s/ca.crt", + endpoint.URL.Host, + ) + return nil, invalidParamf("invalid registry endpoint %s: %v%s", endpoint, err, hint) } // registry is insecure and HTTPS failed, fallback to HTTP. 
@@ -163,9 +169,9 @@ func (e *v1Endpoint) ping(ctx context.Context) (v1PingResult, error) { // httpClient returns an HTTP client structure which uses the given transport // and contains the necessary headers for redirected requests -func httpClient(transport http.RoundTripper) *http.Client { +func httpClient(tr http.RoundTripper) *http.Client { return &http.Client{ - Transport: transport, + Transport: tr, CheckRedirect: addRequiredHeadersToRedirectedRequests, } } diff --git a/vendor/github.com/docker/docker/registry/search_session.go b/vendor/github.com/docker/docker/registry/search_session.go index 2bc20acead..51d3e990ab 100644 --- a/vendor/github.com/docker/docker/registry/search_session.go +++ b/vendor/github.com/docker/docker/registry/search_session.go @@ -10,6 +10,7 @@ import ( "net/http" "net/http/cookiejar" "net/url" + "strconv" "strings" "sync" @@ -219,7 +220,7 @@ func (r *session) searchRepositories(ctx context.Context, term string, limit int if limit < 1 || limit > 100 { return nil, invalidParamf("limit %d is outside the range of [1, 100]", limit) } - u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(fmt.Sprintf("%d", limit)) + u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(strconv.Itoa(limit)) log.G(ctx).WithField("url", u).Debug("searchRepositories") req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, http.NoBody) 
@@ -236,7 +237,7 @@ func (r *session) searchRepositories(ctx context.Context, term string, limit int
 if res.StatusCode != http.StatusOK {
 // TODO(thaJeztah): return upstream response body for errors (see https://github.com/moby/moby/issues/27286).
 // TODO(thaJeztah): handle other status-codes to return correct error-type
- return nil, errUnknown{fmt.Errorf("Unexpected status code %d", res.StatusCode)}
+ return nil, errUnknown{fmt.Errorf("unexpected status code %d", res.StatusCode)}
 }
 result := ®istry.SearchResults{}
 err = json.NewDecoder(res.Body).Decode(result)
diff --git a/vendor/github.com/docker/docker/registry/types.go b/vendor/github.com/docker/docker/registry/types.go
index b030072cdb..346db9af1c 100644
--- a/vendor/github.com/docker/docker/registry/types.go
+++ b/vendor/github.com/docker/docker/registry/types.go
@@ -10,15 +10,4 @@ type RepositoryInfo struct {
 Name reference.Named
 // Index points to registry information
 Index *registry.IndexInfo
- // Official indicates whether the repository is considered official.
- // If the registry is official, and the normalized name does not
- // contain a '/' (e.g. "foo"), then it is considered an official repo.
- //
- // Deprecated: this field is no longer used and will be removed in the next release. The information captured in this field can be obtained from the [Name] field instead.
- Official bool
- // Class represents the class of the repository, such as "plugin"
- // or "image".
- //
- // Deprecated: this field is no longer used, and will be removed in the next release.
- Class string
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index db2e123137..2177350f88 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -65,7 +65,7 @@ github.com/docker/distribution/registry/client/transport github.com/docker/distribution/registry/storage/cache github.com/docker/distribution/registry/storage/cache/memory github.com/docker/distribution/uuid -# github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible +# github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible ## explicit github.com/docker/docker/pkg/jsonmessage github.com/docker/docker/pkg/process