Comment 10 for bug 1889122

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/743629
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=d3af31414747f28508e236b1fea8db7601fa2e7b
Submitter: Zuul
Branch: master

commit d3af31414747f28508e236b1fea8db7601fa2e7b
Author: Alex Schultz <email address hidden>
Date: Tue Jul 28 14:42:59 2020 -0600

    Handle redirects for blobs better

    This patch adds a new function that checks if a response was a redirect
    for a request and removes the Authorization header that we usually
    send if it is not one of our trusted hosts. This prevents authorization
    keys from going to insecure places. This is similar to logic that exists in
    the moby registry code[0].

    Additionally improves the cacheability of blobs from docker.io because
    they are redirects to files that exist on a CDN that doesn't actually
    require authentication. The upstream CI registry caching system doesn't
    cache any requests with the Authorization header per the Apache cache
    documentation[1].

    [0] https://github.com/moby/moby/blob/a072d726c753c3b02232e6a7b08d7e7ce79fffa5/registry/registry.go#L140-L174
    [1] https://httpd.apache.org/docs/2.4/caching.html

    Change-Id: I415eec5d307ac73456aa556db9d61ceac1eaa565
    Partial-Bug: #1889122
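
The redirect handling described in the commit message above, shown as an added Python example; it is not the tripleo-common code. The host names, the `send` transport callable and all function names are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: constructed host names; only these may receive the token.
TRUSTED_HOSTS = {"registry.example.test"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def has_auth(headers):
    return any(k.lower() == "authorization" for k in headers)


def headers_for_hop(headers, url, trusted_hosts=TRUSTED_HOSTS):
    """Return a copy of headers, without Authorization if url is untrusted."""
    host = (urlsplit(url).hostname or "").lower()
    if host in trusted_hosts:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def fetch_blob(send, url, headers, max_redirects=5):
    """Follow redirects by hand and re-check the headers on every hop.

    send(url, headers) -> (status, response_headers, body) is a hypothetical
    transport callable that must not follow redirects itself.
    """
    trail = []  # (url, was Authorization sent?) for each request made
    for _ in range(max_redirects + 1):
        hop_headers = headers_for_hop(headers, url)
        trail.append((url, has_auth(hop_headers)))
        status, resp_headers, body = send(url, hop_headers)
        if status not in REDIRECT_CODES:
            return status, body, trail
        location = resp_headers.get("Location")
        if not location:
            raise ValueError("redirect response without a Location header")
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("too many redirects")


def demo_send(url, headers):
    """Constructed transport: the registry redirects blob requests to a CDN."""
    if urlsplit(url).hostname == "registry.example.test":
        return 307, {"Location": "https://cdn.example.test/blobs/demo"}, b""
    return 200, {}, b"layer-bytes"
```

The returned trail records, per request, whether the Authorization header was sent, which is also the property a cache in front of the CDN depends on.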