如何使用 HTTP API v2 获取清单？

Question

如何使用 V2 API 进行身份验证很有用且有效。

REPO="https://hub.docker.com/v2"

我能够获得令牌，列出（我的）存储库并列出他们的图像和标签。

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/tags/

我想“获取清单”，但我正在努力让它发挥作用： https://docs.docker.com/registry/spec/api/#manifest：

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/${TAG}

我试过没有Host标题。具有不同的Host标头值。但是，我显然错过了一些东西。我尝试对工作端点进行模式匹配，但没有任何乐趣：

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/

奇怪的是，此页面似乎错误地显示了“GET TAGS” /v2/<name>/tags/list：https : //docs.docker.com/registry/spec/api/#tags

审核：https : //stackoverflow.com/a/45605443/609290

跟进

我是一名 Google 员工，可以访问 Google Container Registry (GCR)。

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/

On a whim, I just tried 'GET MANIFEST' against GCR and the requests works:

REPO="https://gcr.io/v2/"

Answer 1

所有的*.docker.com|io子域都令人困惑！
我发现registry.hub.docker.com和index.docker.io最可靠的。

您可以轻松地从那里查询标签，但对于清单，您需要先获取一个令牌以进行拉取：

REGISTRY=https://index.docker.io/v2
#REGISTRY="https://registry.hub.docker.com/v2"
#REGISTRY="https://registry.docker.io/v2"
#REGISTRY="https://registry-1.docker.io/v2"
#REGISTRY="https://hub.docker.com/v2"

REPO=library
IMAGE=debian
# Could also be a repo digest
TAG=latest

# Query tags
curl "$REGISTRY/repositories/$REPO/$IMAGE/tags/"

# Query manifest
curl -iL "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# HTTP/1.1 401 Unauthorized
# Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/debian:pull"

TOKEN=$(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" \
  | jq --raw-output .token)
curl -LH "Authorization: Bearer ${TOKEN}" "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

# Some repos seem to return V1 Schemas by default

REPO=nginxinc
IMAGE=nginx-unprivileged 
TAG=1.17.2

curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
 "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

# Solution: Set the Accept Header for V2

curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
  -H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
 "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

看

• 另一个例子的要点和
• 这个 repo 用于可重用脚本docker-image-size-curl.sh

授权的hub.docker.com 工作方式不同，您似乎没有从那里获得清单