Pass "meta" headers in API calls to the registry

[shin-]

This will allow us to implement registry storages that use external authentication. The first use case for this is to allow upen-stack support (by allowing keystone tokens to be passed through to the registry, then to glance)

cc @samalba

[samalba]

LGTM

cc @crosbymichael any chance to see this in 0.6? It's required for the openstack integration.
cc @creack Another pair of eyes to double check and test this would be appreciated!

[creack]

It breaks the tests as the srv.ImagePull prototype changed

[samalba]

Ouch, LGTM

@shin- almost there! Could you fix the test asap?

[shin-]

sure, sorry about that

[shin-]

fix'd!

[samalba]

Restoring my... LGTM!

cc @creack @crosbymichael

[shykes]

It's too late for 0.6, but we can release a 0.6.1 hotfix if you need it urgently. We could even do it tomorrow.

  ​

  In the meantime, remember we have the http://test.docker.io release channel for master, so you can get this PR in a .deb before it's actually released. 



—

@solomonstre
@getdocker

On Thu, Aug 22, 2013 at 7:45 PM, Sam Alba notifications@github.com
wrote:

Restoring my... LGTM!

cc @creack @crosbymichael

Reply to this email directly or view it on GitHub:
#1627 (comment)

[samalba]

test.docker.io won't be useful for devstack, it's using the PPA.

[solomonstre]

We're no longer using the PPA as of 0.6... So you will need to change your apt-sources in any case. Sorry if that makes your life more complicated. If you want we can discuss on irc tomorrow morning to find a solution.

—

@solomonstre
@getdocker

On Thu, Aug 22, 2013 at 9:27 PM, Sam Alba notifications@github.com
wrote:

test.docker.io won't be useful for devstack, it's using the PPA.

Reply to this email directly or view it on GitHub:
#1627 (comment)

[crosbymichael]

LGTM

[creack]

LGTM

[iamolegga]

I'm so sorry for bothering after all these years, but could anyone tell if we really need that X-Meta- limitation for headers?

Asking because there is the open issue for 5 years without any response from owners regarding this undocumented restriction for headers.

Thank you in advance 🙏

[thaJeztah]

Looks like that constraint is there indeed, e.g.;

moby/daemon/server/router/image/image_routes.go

Lines 159 to 165 in 578ce11

	func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
	metaHeaders := map[string][]string{}
	for k, v := range r.Header {
	if strings.HasPrefix(k, "X-Meta-") {
	metaHeaders[k] = v
	}
	}

[iamolegga]

Thank you @thaJeztah for the fast reaction 🙏 So, my question is is this limitation for headers really needed or we can drop it from the code and pass all the headers specified in the docker config or via DOCKER_CUSTOM_HEADERS?

Real life example: we have a registry behind some authorization layer which requires some headers, so when we push images we cannot set those headers simply via docker config due to this X-Meta- limitation.

[thaJeztah]

Probably better to open a new ticket for that with more details; we'd probably need to look if there's potential risks in unconditionally forwarding all headers and if there's constraint that should be kept. If you can provide a more detailed use-case that would be good; also because there's various parts of the codebase being transitioned.

[iamolegga]

@thaJeztah will do. I've decided to ask it first here as this is the PR which introduces this feature.

[iamolegga]

Just opened here