如何使用HTTP API v2获取清单？

Question

How to authenticate with the V2 API有用且有效。

REPO="https://hub.docker.com/v2"

我能够获取令牌，列出（我的）存储库并列出其图像和标签。

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/tags/

我想“获取清单”，但我正努力使它起作用： https://docs.docker.com/registry/spec/api/#manifest：

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/

curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/${TAG}

我尝试过||没有Host标头。 Host标头具有各种值。但是，我显然缺少了一些东西。我尝试针对工作端点进行模式匹配，但没有任何乐趣：

curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/

奇怪的是，此页面似乎错误地将“获取标签”显示为/v2/<name>/tags/list： https://docs.docker.com/registry/spec/api/#tags

评论： https://stackoverflow.com/a/45605443/609290

跟进

我是Googler，可以访问Google Container Registry（GCR）。

REPO="https://gcr.io/v2/"

一时兴起，我刚刚针对GCR尝试了“获取清单”，并且请求有效：

curl --silent \
--request GET \
--user _token:$(gcloud auth print-access-token) \
${REPO}/${PROJECT}/${IMAGE}/manifests/${TAG}

Answer 1

与所有*.docker.com|io子域非常混淆！
我发现registry.hub.docker.com和index.docker.io是最可靠的。

您可以轻松地从那里查询标签，但是对于清单，您将需要获得用于首先拉动的令牌：

REGISTRY=https://index.docker.io/v2
#REGISTRY="https://registry.hub.docker.com/v2"
#REGISTRY="https://registry.docker.io/v2"
#REGISTRY="https://registry-1.docker.io/v2"
#REGISTRY="https://hub.docker.com/v2"

REPO=library
IMAGE=debian
# Could also be a repo digest
TAG=latest

# Query tags
curl "$REGISTRY/repositories/$REPO/$IMAGE/tags/"

# Query manifest
curl -iL "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# HTTP/1.1 401 Unauthorized
# Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/debian:pull"

TOKEN=$(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" \
  | jq --raw-output .token)
curl -LH "Authorization: Bearer ${TOKEN}" "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

# Some repos seem to return V1 Schemas by default

REPO=nginxinc
IMAGE=nginx-unprivileged 
TAG=1.17.2

curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
 "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

# Solution: Set the Accept Header for V2

curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
  -H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
 "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"

请参见

• this gist作为另一个示例，
• 此仓库可重复使用的脚本docker-image-size-curl.sh

使用hub.docker.com works differently进行授权，您似乎无法从那里获得清单?