From 88dba6259156914e39b5fe00b6f5e0e3a128088b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Sat, 11 May 2019 19:13:04 +0200
Subject: [PATCH] Reset SystemContext.DockerAuthConfig when using mirrors at different registries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

.. so that we don't send credentials intended for the primary endpoint to mirrors.

Signed-off-by: Miloslav Trmač
---
 docker/docker_image_src.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/docker/docker_image_src.go b/docker/docker_image_src.go
index 1a424fd314..63d9c7ccd3 100644
--- a/docker/docker_image_src.go
+++ b/docker/docker_image_src.go
@@ -16,7 +16,7 @@ import (
 "github.com/containers/image/pkg/sysregistriesv2"
 "github.com/containers/image/types"
 "github.com/docker/distribution/registry/client"
- "github.com/opencontainers/go-digest"
+ digest "github.com/opencontainers/go-digest"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 )
@@ -74,6 +74,7 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
 }
 }
 
+ primaryDomain := reference.Domain(ref.ref)
 // Found the registry within the sysregistriesv2 configuration. Now we test
 // all endpoints for the manifest availability. If a working image source
 // was found, it will be used for all future pull actions.
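Review bot: `primaryDomain` is introduced in the `@@ -74,6 +74,7 @@` hunk without a comment, although the later `@@ -93,7 +94,15 @@` hunk uses it as the trust boundary that decides whether the caller's credentials are forwarded to an endpoint. A line such as `// primaryDomain is the registry the caller's DockerAuthConfig is meant for; endpoints on any other domain must not receive it.` above the assignment would make that role explicit. Because the comparison is on the domain alone, a mirror on the same domain under a different path still receives the credentials; that looks intentional, but it is worth stating in the same comment. newImageSource begins and ends outside this hunk.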
@@ -93,7 +94,15 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
 return nil, err
 }
 
- client, err := newDockerClientFromRef(sys, dockerRef, false, "pull")
+ endpointSys := sys
+ // sys.DockerAuthConfig does not explicitly specify a registry; we must not blindly send the credentials intended for the primary endpoint to mirrors.
+ if endpointSys != nil && endpointSys.DockerAuthConfig != nil && reference.Domain(dockerRef.ref) != primaryDomain {
+ copy := *endpointSys
+ copy.DockerAuthConfig = nil
+ endpointSys = ©
+ }
+
+ client, err := newDockerClientFromRef(endpointSys, dockerRef, false, "pull")
 if err != nil {
 return nil, err
 }
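Review bot: The reset in the added `if` is keyed on `DockerAuthConfig` alone, so any other credential in `SystemContext` that is not bound to a specific registry would still reach `newDockerClientFromRef` for a mirror on a different domain. No such field is visible in this hunk, so this needs checking against the struct definition, and a comment such as `// NOTE: any registry-agnostic credential field in SystemContext must also be cleared here.` would keep the invariant visible to whoever adds one. The local named `copy` shadows the Go builtin of the same name inside the block; `mirrorSys := *endpointSys` with `endpointSys = &mirrorSys` reads more clearly (the `©` shown on the page is presumably a rendering of `&copy`). The diffstat lists only docker_image_src.go, so a regression test is worth adding that asserts a mirror on another domain gets a context with `DockerAuthConfig == nil` while the primary endpoint keeps it. newImageSource begins and ends outside this hunk.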