Proposal: Add support for re-tagging/aliasing tags
Right now the workflow for pushing identical image tags to a registry is through docker tag:
docker build -t r.j3ss.co/mycoolimage:tag .
docker push r.j3ss.co/mycoolimage:tag
docker tag r.j3ss.co/mycoolimage:tag r.j3ss.co/mycoolimage:tag2
docker push r.j3ss.co/mycoolimage:tag2
Is there possibly a way to "fake" a push to re-tag a tag as another tag, pointing to the same manifest? e.g.
docker build -t r.j3ss.co/mycoolimage:tag .
docker push r.j3ss.co/mycoolimage:tag
reg -r r.j3ss.co tag mycoolimage:tag mycoolimage:tag2
oh hmm ya i bet there is a way to do this server side, will think about it
Oh, yeah... this would be helpful for some of the build scripts I have.
I figured as much! Just wanted to gut check to make sure I wasn't missing anything.
If this seems like a reasonable feature request, we'd be more than happy to take point on it as it impacts our tooling's performance when aliasing two tags pointing to the same manifest. :)
coming from #149
here's my shell version, that works with gitlab registry (first PoC, so it's rather clumsy)
#!/bin/sh
: ${REGISTRY="https://registry.gitlab.example.net"}
: ${AUTHURL="https://gitlab.example.net/jwt/auth"}

# GET an arbitrary registry path with the current bearer token
request() {
    local request="$1"
    curl -sSf -H "Authorization: Bearer ${TOKEN}" "${REGISTRY}$request"
}

# exchange $USERNAME/$PASSWORD for a JWT limited to the given scope
get_token() {
    local scope="$1"
    curl -sSf --user "${USERNAME}:${PASSWORD}" "$AUTHURL?client_id=docker&offline_token=true&service=container_registry&scope=$scope" | jq -r .token
}

get_catalog_token() {
    get_token "registry:catalog:*"
}

get_repo_token() {
    local repo="$1"
    get_token "repository:$repo:*"
}

# fetch the schema 2 manifest that the tag points to
get_manifest() {
    local image="$1" tag="$2"
    curl -sSf -H "Authorization: Bearer ${TOKEN}" "$REGISTRY/v2/$image/manifests/$tag" \
        -H 'accept: application/vnd.docker.distribution.manifest.v2+json'
}

# upload manifest.json unchanged under the new tag
put_manifest() {
    local image="$1" tag="$2"
    # --data-binary sends the file byte for byte; -d strips newlines, which changes the manifest digest
    curl -sSf -XPUT -H "Authorization: Bearer ${TOKEN}" "$REGISTRY/v2/$image/manifests/$tag" \
        -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \
        --data-binary '@manifest.json'
}

# -x traces every command to stderr, including the curl calls that carry the password and bearer token
set -xe

IMAGE=ed/php
TAG=5.3-cli
NEW_TAG=deploy-123

# load $USERNAME and $PASSWORD
. ./auth

TOKEN=$(get_repo_token "$IMAGE")
get_manifest "$IMAGE" "$TAG" > manifest.json
put_manifest "$IMAGE" "$NEW_TAG"
cleaned up the script and put it in a gist: https://gist.github.com/glensc/b14b4af29942fc2f22ea36682b860f8f
the auth token url probably could be extracted from registry server headers. at least somehow docker client itself is able to use just user:password (or user:token) and figure out url where to request jwt token.
indeed. the discovery is possible:
➔ curl -i https://registry.example.delfi.net/v2/ed/php/manifests/5.3-cli
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://gitlab.example.net/jwt/auth",service="container_registry",scope="repository:ed/php:pull"
X-Content-Type-Options: nosniff
Date: Thu, 04 Oct 2018 20:52:30 GMT
Content-Length: 149
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ed/php","Action":"pull"}]}]}
i won't add this parsing yet to my shell script. i hope this project implements this all sooner, as it's likely easier to parse this, maybe even reuse existing code.
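The discovery step shown in the 401 response above, as an added example that is not part of the thread, the gist or docker-create-tag: it parses the `Www-Authenticate` Bearer challenge and builds the token URL in the same unencoded form the script above uses. The function names `challenge_param` and `token_url` are hypothetical, and refusing a non-HTTPS realm is this example's own policy, chosen because the realm is supplied by the server and receives the user's credentials.

```shell
#!/bin/sh
# Added example; challenge_param and token_url are hypothetical helper names.

# Constructed sample: the challenge header from the 401 response quoted above.
SAMPLE_CHALLENGE='Www-Authenticate: Bearer realm="https://gitlab.example.net/jwt/auth",service="container_registry",scope="repository:ed/php:pull"'

# challenge_param HEADER NAME: print the quoted value of NAME (empty if absent).
challenge_param() {
    # curl -i output ends lines with CRLF, so drop the CR first.
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# token_url HEADER [ACTIONS]: print the token endpoint URL for the challenge.
# ACTIONS optionally replaces the action list (a re-tag needs pull,push,
# while the challenge for a GET only asks for pull).
# Returns non-zero if the header is not a usable Bearer challenge.
token_url() {
    tu_header=$1
    tu_actions=$2
    # Header names and auth scheme names are case-insensitive.
    printf '%s\n' "$tu_header" |
        grep -qi '^www-authenticate:[[:space:]]*bearer[[:space:]]' || return 1
    tu_realm=$(challenge_param "$tu_header" realm)
    tu_service=$(challenge_param "$tu_header" service)
    tu_scope=$(challenge_param "$tu_header" scope)
    # Assumption of this example: credentials are only sent to an HTTPS realm.
    case $tu_realm in
        https://*) ;;
        *) return 1 ;;
    esac
    if [ -n "$tu_actions" ] && [ -n "$tu_scope" ]; then
        # Strip the text after the last colon (the actions) and substitute ours.
        tu_scope="${tu_scope%:*}:$tu_actions"
    fi
    tu_url="$tu_realm?service=$tu_service"
    if [ -n "$tu_scope" ]; then
        tu_url="$tu_url&scope=$tu_scope"
    fi
    printf '%s\n' "$tu_url"
}

# Demo on the constructed sample: token URL for a re-tag (pull + push).
token_url "$SAMPLE_CHALLENGE" 'pull,push'
```

The printed URL is what a script would pass to `curl --user "$USERNAME:$PASSWORD"` in place of a hard-coded `AUTHURL`.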
ok, added service discovery to above shared gist.
converted the above gist to a real project https://github.com/glensc/docker-create-tag.
and released 1.0.0 as it's now feature complete.
last bit was to create tags across different images: https://github.com/glensc/docker-create-tag/pull/2