reg
reg copied to clipboard
genuinetools
Proposal: Add support for re-tagging/aliasing tags
Right now the workflow for pushing identical image tags to a registry is through docker tag:
docker build -t r.j3ss.co/mycoolimage:tag .
docker push r.j3ss.co/mycoolimage:tag
docker tag r.j3ss.co/mycoolimage:tag r.j3ss.co/mycoolimage:tag2
docker push r.j3ss.co/mycoolimage:tag2
Is there possibly a way to "fake" a push to re-tag a tag as another tag, pointing to the same manifest? e.g.
docker build -t r.j3ss.co/mycoolimage:tag .
docker push r.j3ss.co/mycoolimage:tag
reg -r r.j3ss.co tag mycoolimage:tag mycoolimage:tag2
oh hmm ya i bet there is a way to do this server side, will think about it
Oh, yeah... this would be helpful for some of the build scripts I have.
I figured as much! Just wanted to gut check to make sure I wasn't missing anything.
If this seems like a reasonable feature request, we'd be more than happy to take point on it as it impacts our tooling's performance when aliasing two tags pointing to the same manifest. :)
coming from #149
here's my shell version, that works with gitlab registry (first PoC, so it's rather clumsy)
#!/bin/sh
: ${REGISTRY="https://registry.gitlab.example.net"}
: ${AUTHURL="https://gitlab.example.net/jwt/auth"}
request() {
local request="$1"
curl -sSf -H "Authorization: Bearer ${TOKEN}" "${REGISTRY}$request"
}
get_token() {
local scope="$1"
curl -sSf --user "${USERNAME}:${PASSWORD}" "$AUTHURL?client_id=docker&offline_token=true&service=container_registry&scope=$scope" | jq -r .token
}
get_catalog_token() {
get_token "registry:catalog:*"
}
get_repo_token() {
local repo="$1"
get_token "repository:$repo:*"
}
get_manifest() {
local image="$1" tag="$2"
curl -sSf -H "Authorization: Bearer ${TOKEN}" "$REGISTRY/v2/$image/manifests/$tag" \
-H 'accept: application/vnd.docker.distribution.manifest.v2+json'
}
put_manifest() {
curl -sSf -XPUT -H "Authorization: Bearer ${TOKEN}" "$REGISTRY/v2/$IMAGE/manifests/$NEW_TAG" \
-H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \
-d '@manifest.json'
}
set -xe
IMAGE=ed/php
TAG=5.3-cli
NEW_TAG=deploy-123
# load $USERNAME and $PASSWORD
. ./auth
TOKEN=$(get_repo_token $IMAGE)
get_manifest "$IMAGE" "$TAG" > manifest.json
put_manifest "$IMAGE" "$NEW_TAG"
cleaned up the script and put to gist: https://gist.github.com/glensc/b14b4af29942fc2f22ea36682b860f8f
the auth token url probably could be extracted from registry server headers. at least somehow docker client itself is able to use just user:password (or user:token) and figure out url where to request jwt token.
indeed. the discovery is possible:
➔ curl -i https://registry.example.delfi.net/v2/ed/php/manifests/5.3-cli
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://gitlab.example.net/jwt/auth",service="container_registry",scope="repository:ed/php:pull"
X-Content-Type-Options: nosniff
Date: Thu, 04 Oct 2018 20:52:30 GMT
Content-Length: 149
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ed/php","Action":"pull"}]}]}
i won't add this parsing yet to my shell script. i hope this project implements this all sooner, as it's likely easier to parse this, maybe even reuse existing code.
converted the above gist to a real project https://github.com/glensc/docker-create-tag.
and released 1.0.0 as it's now feature complete.
last bit was to create tags across different images: https://github.com/glensc/docker-create-tag/pull/2