NOTE: This is a pre-release that does not contain any artifacts!

What's Changed

• Fix runaway allocation on /v2/_catalog by @josegomezr 521ea3d9
• Fix CVE-2022-28391 by bumping alpine from 3.14 to 3.16 by @thaJeztah in #3650
• Fix panic in inmemory driver by @wy65701436 in #3815
• bump up golang version (alternative) by @thaJeztah in #3903
• Dockerfile: update xx to v1.2.1 by @thaJeztah in #3907
• update to go1.19.9 by @thaJeztah in #3908
• Add code to handle pagination of parts. Fixes max layer size of 10GB bug by @davidspek in #3893

Full Changelog: v2.8.1...v2.8.2-beta.1

Welcome to the v2.8.1 release of registry!

The 2.8.1 registry release fixes the Go module issues that have popped up in the v2.8.0

There have been no changes made in the released binaries other than the bump of the Go runtime.

See the changelog below for a full list of changes.

CI

• ci: use proper git ref for versioning #3595
• Go: make Go version explicit and pin it to the latest 1.16 release #3604

Contributors

• CrazyMax
• Milos Gajdos

Changes

Dependency Changes

This release has no dependency changes

The previous release can be found at v2.8.0

registry 2.8.0

Welcome to the v2.8.0 release of registry!

The 2.8.0 registry release has been a long time overdue.
This is the first step towards the last 2.x release.
No further active development will continue on 2.x branch.
Security vulnerability patches to 2.x might be considered, but
all active development will be focussed on v3 release due in 2022.
This release includes a security vulnerability fix along
with a few minor bug fixes and improvemnts in documentation and CI.

See changelog below for full list of changes.

Bugfixes

• Close the io.ReadCloser from storage driver #3370
• Remove empty Content-Type header #3297
• Make ipfilteredby not required in cloudfront storage middleware #3088

Features

• Add reference.ParseDockerRef utility function #3002

CI build

• First draft of actions based ci #3347
• Fix vndr and check #3001
• Improve code quality by adding linter checks #3385

Documentation

• Add redirect for old URL #3197
• Fix broken table #3073
• Adding deprecated schema v1 instructions #2987
• Change should to must in v2 spec (#3495)

Storage drivers

• S3 Driver: add support for ceph radosgw #3119

Security

• Added flag for user configurable cipher suites #3384
• Address CVE-2020-26160 by replacing vulnerable third-party depedency#3466
• Replace math rand with crypto rand #3531
• Address CVE-2021-41190 by validating document type before unmarshal GHSA-77vh-xpmg-72qh

Changes

Dependency Changes

• github.com/dgrijalva/jwt-go -> github.com/golang-jwt/jwt.git # v3.2.2 (a601269ab70c -> 4bbdd8ac624f)
• github.com/opencontainers/image-spec -> github.com/opencontainers/image-spec # v1.0.2 (ab7389ef9f50 -> 67d2d5658fe0)

Previous release can be found at v2.7.1

Welcome to the v2.8.0-beta.1 release of registry!

The 2.8.0 registry release has been a long time overdue.
This is the first step towards the last 2.x release.
No further active development will continue on 2.x branch.
Security vulnerability patches to 2.x might be considered, but
all active development will be focussed on v3 release due in 2022.
This beta release includes a security vulnerability fix along
with a few minor bug fixes and improvemnts in documentation and CI.

See changelog below for full list of changes.

Bugfixes

• Close the io.ReadCloser from storage driver #3370
• Remove empty Content-Type header #3297
• Make ipfilteredby not required in cloudfront storage middleware #3088

Features

• Add reference.ParseDockerRef utility function #3002

CI build

• First draft of actions based ci #3347
• Fix vndr and check #3001
• Improve code quality by adding linter checks #3385

Documentation

• Add redirect for old URL #3197
• Fix broken table #3073
• Adding deprecated schema v1 instructions #2987
• Change should to must in v2 spec (#3495)

Storage drivers

• S3 Driver: add support for ceph radosgw #3119

Security

• Added flag for user configurable cipher suites #3384
• Address CVE-2020-26160 by replacing vulnerable third-party depedency#3466
• Replace math rand with crypto rand #3531
• Address CVE-2021-41190 by validating document type before unmarshal GHSA-77vh-xpmg-72qh

Changes

Dependency Changes

• github.com/dgrijalva/jwt-go -> github.com/golang-jwt/jwt.git # v3.2.2 (a601269ab70c -> 4bbdd8ac624f)
• github.com/opencontainers/image-spec -> github.com/opencontainers/image-spec # v1.0.2 (ab7389ef9f50 -> 67d2d5658fe0)

Previous release can be found at v2.7.1

Welcome to the v2.7.1 release of registry!

The first patch release of 2.7 addresses an upgrade issue when
using configurations from pre-2.7 registries. When upgrading from
2.6 or earlier use this patch release or newer to avoid a failure
on startup from not updating the configuration file.

• Set default for new autoredirect option
• GCS driver is now included in binary builds using Dockerfile

Please try out the release binaries and report any issues at
https://github.com/docker/distribution/issues.

Contributors

• Derek McGowan
• Ryan Abrams
• David Wu

Changes

• 2461543d Merge pull request #2824 from dmcgowan/update-version-file-2.7.1
• 5b98226a Update version file for 2.7.1
• 2eab12df Merge pull request #2805 from dmcgowan/release-2.7.1
• 445ef068 Release notes for 2.7.1
• cbc30be4 Merge pull request #2821 from caervs/ISS-2819
• bf74e4f9 Use same env var in Dockerfile and Makefile
• 62994fdd Merge pull request #2804 from caervs/ISS-2793-2.7
• e702d95c Merge pull request #2802 from davidswu/2.7-autoredirect
• caf43bbc default autoredirect to false
• d1abdeb6 Add docs for autoredirect config parameter

Dependency Changes

Previous release can be found at v2.7.0

Welcome to the v2.7.0 release of registry!

The 2.7 registry release has been a long time coming and represents both
a long gap since the previous release and a renewed effort to release
regularly. The maintainers were committed to get OCI support into the
next release and thanks to much effort in the community that has
been accomplished.

OCI Support

Push and Pull of OCI Images

The registry now allows pushing and pulling OCI images. OCI images will always
be preserved exactly without conversion to older types. With this change,
clients which implement OCI can feel comfortable creating OCI images as part of
their container image build process.

Specification Donation

The Distribution specification which has had 4 years of review, implementation,
and production use is now part of OCI. As part of that move, specification
changes will no longer be accepted in the open source registry and should
instead go to OCI's distribution-spec.

Bug Fixes and Improvements

General

• Update Go version to 1.11
• Switch to multi-stage Dockerfile
• Validations enabled by default with new disabled config option
• Optimize health check performance
• Create separate permission for deleting objects in a repo
• Fix storage driver error propagation for manifest GETs
• Fix forwarded header resolution
• Add prometheus metrics
• Disable schema1 manifest by default (this affects docker versions 1.9 and older)
• Graceful shutdown
• TLS: remove ciphers that do not support perfect forward secrecy
• Fix registry stripping newlines from manifests
• Add bugsnag logrus hook
• Support ARM builds

Storage Driver

• OSS: fix current directory showing up in OSS driver.List()
• Azure: fix race condition in PutContent()
• Azure: update vendor
• S3: update AWS SDK and use AWS SDK to validate regions
• S3: remove expiration tag on multi-part uploads
• S3: improve Walk performance
• S3: allow bypassing cloudfront when in the same region
• S3: remove s3-goamz driver in favor of s3-aws
• Swift: update vendor

See changelog below for full list of changes

Please try out the release binaries and report any issues at
https://github.com/docker/distribution/issues.

Contributors

• Derek McGowan
• Stephen J Day
• Olivier Gambier
• Mike Brown
• Aaron Lehmann
• David Wu
• Manish Tomar
• Misty Stanley-Jones
• Sargun Dhillon
• fate-grand-order
• Huu Nguyen
• Ryan Abrams
• Yu Wang
• Ahmet Alp Balkan
• Andrew Leung
• Andrey Kostov
• Clayton Coleman
• Noah Treuhaft
• Owen W. Taylor
• Rui Cao
• Troels Thomsen
• Feng Honglin
• Gwendolynne Barr
• Haibing Zhou 周海兵
• Masataka Mizukoshi
• Michal Fojtik
• Oleg Bulatov
• Per Lundberg
• Tibor Vass
• Viktor Stanchev
• ning xie
• Alvin Feng
• Antonio Murdaca
• Christy Perez
• Corey Quon
• Deshi Xiao
• Elsan Li 李楠
• Elton Stoneman
• Eric Yang
• Felix Bünemann
• Gladkov Alexey
• Grachev Mikhail
• Helen Xie
• Igor Morozov
• Ina Panova
• Javier Palomo Almena
• Jesse Haka
• Joao Fernandes
• Jon Johnson
• Justin Cormack
• Justin Santa Barbara
• Kevin Lin
• Kira
• Leonardo Azize Martins
• LingFaKe
• Liron Levin
• Luis Lobo Borobia
• Matt Tescher
• Michal Minář
• Monika Katiyar
• Nishant Totla
• Nycholas de Oliveira e Oliveira
• Oleg Bulatov
• Parth Mehrotra
• Raphaël Enrici
• Riyaz Faizullabhoy
• Sakeven Jiang
• Santiago Torres
• Sebastiaan van Stijn
• Tianon Gravi
• Tonis Tiigi
• Tony Holdstock-Brown
• Wenkai Yin
• Yong Tang
• Yongxin Li
• YuJie
• kaiwentan
• liyongxin
• mlmhl
• uhayate
• william wei
• yixi zhang

Changes

• 40b7b583 Merge pull request #2775 from caervs/release_notes_2.7
• 08c6bbed Release notes for 2.7
• d9e12182 Merge pull request #2772 from dmcgowan/add-arm-flag
• 63f6c120 Add GOARM flag to dockerfile
• aa985ba8 Merge pull request #2711 from davidswu/autoredirect
• dd36fd36 Merge pull request #2742 from tescherm/configure-bugsnag-logging
• 7c4d584e add bugsnag logrus hook
• 93e08274 Merge pull request #2734 from mgrachev/patch-1
• f7046a6d Merge pull request #2735 from tonistiigi/update-dockerfile
• cd1648d6 Fix typo
• 8a800e12 update Dockerfile to multi-stage
• 1cb4180b Merge pull request #2729 from liyongxin/master
• 451cd548 Merge pull request #2731 from mirake/fix-typos
• 6335cc25 Fix typo: commmand -> command
• 17b3ff18 Merge pull request #2730 from dmcgowan/version-update-2.7.0-rc.0
• f08b3486 Update version to 2.7.0-rc.0
• f3adfea3 Merge pull request #2721 from dmcgowan/release-notes-2.7.0-rc
• e1817db8 Merge pull request #2720 from dmcgowan/update-release-process
• de8636b7 typo fix about overridden
• 97cb7f35 Update release documents
• 2eb7a172 Add 2.7.0-rc release notes
• 06a4c2f6 Update mailmap file
• d37f8164 Merge pull request #2723 from mirake/fix-typos
• 569d18ae Fix some typos
• 2e1e6307 add autoredirect to option
• b2bd4657 fix checks
• f730f3ab add autoredirect auth config
• 16128bba Merge pull request #2707 from davidswu/go-1.11
• b089e916 Merge pull request #2712 from liyongxin/master
• 6133840f typo fix from existant to existent
• a927fbdb track digest offset in blobwriter
• d8bde9b9 remove go 1.9 and 1.10 checks from travis
• bd41413d remove closenotifier
• 166874ad fix gofmt and goimports
• a5c2fdc5 Merge pull request #2705 from mirake/fix-typo
• 9da0f07c update travis with go 1.11
• 877d706b remove dependencies on resumable
• d1f36d46 Fix some typos
• 642075f4 Merge pull request [#2631](https://github.com/dock...

Welcome to the v2.7.0-rc.0 release of registry!
This is a pre-release of registry

The 2.7 registry release has been a long time coming and represents both
a long gap since the previous release and a renewed effort to release
regularly. The maintainers were committed to get OCI support into the
next release and thanks to much effort in the community that has
been accomplished.

OCI Support

Push and Pull of OCI Images

The registry now allows pushing and pulling OCI images. OCI images will always
be preserved exactly without conversion to older types. With this change,
clients which implement OCI can feel comfortable creating OCI images as part of
their container image build process.

Specification Donation

The Distribution specification which has had 4 years of review, implementation,
and production use is now part of OCI. As part of that move, specification
changes will no longer be accepted in the open source registry and should
instead go to OCI's distribution-spec.

Bug fixes

Many many fixes and improvements, see the change log below

Please try out the release binaries and report any issues at
https://github.com/docker/distribution/issues.

Contributors

• Derek McGowan
• Stephen J Day
• Olivier Gambier
• Mike Brown
• Aaron Lehmann
• David Wu
• Manish Tomar
• Misty Stanley-Jones
• Sargun Dhillon
• fate-grand-order
• Huu Nguyen
• Yu Wang
• Ahmet Alp Balkan
• Andrew Leung
• Andrey Kostov
• Clayton Coleman
• Noah Treuhaft
• Owen W. Taylor
• Ryan Abrams
• Troels Thomsen
• Feng Honglin
• Gwendolynne Barr
• Haibing Zhou 周海兵
• Masataka Mizukoshi
• Michal Fojtik
• Oleg Bulatov
• Per Lundberg
• Rui Cao
• Tibor Vass
• ning xie
• Alvin Feng
• Antonio Murdaca
• Christy Perez
• Corey Quon
• Deshi Xiao
• Elsan Li 李楠
• Elton Stoneman
• Eric Yang
• Felix Bünemann
• Gladkov Alexey
• Helen Xie
• Igor Morozov
• Ina Panova
• Javier Palomo Almena
• Jesse Haka
• Joao Fernandes
• Jon Johnson
• Justin Cormack
• Justin Santa Barbara
• Kevin Lin
• Kira
• Leonardo Azize Martins
• LingFaKe
• Liron Levin
• Luis Lobo Borobia
• Michal Minář
• Monika Katiyar
• Nishant Totla
• Nycholas de Oliveira e Oliveira
• Oleg Bulatov
• Parth Mehrotra
• Raphaël Enrici
• Riyaz Faizullabhoy
• Sakeven Jiang
• Santiago Torres
• Sebastiaan van Stijn
• Tianon Gravi
• Tony Holdstock-Brown
• Viktor Stanchev
• Wenkai Yin
• Yong Tang
• YuJie
• kaiwentan
• liyongxin
• mlmhl
• uhayate
• william wei
• yixi zhang

Changes

• 17b3ff18 Merge pull request #2730 from dmcgowan/version-update-2.7.0-rc.0
• f08b3486 Update version to 2.7.0-rc.0
• f3adfea3 Merge pull request #2721 from dmcgowan/release-notes-2.7.0-rc
• e1817db8 Merge pull request #2720 from dmcgowan/update-release-process
• 97cb7f35 Update release documents
• 2eb7a172 Add 2.7.0-rc release notes
• 06a4c2f6 Update mailmap file
• d37f8164 Merge pull request #2723 from mirake/fix-typos
• 569d18ae Fix some typos
• 16128bba Merge pull request #2707 from davidswu/go-1.11
• b089e916 Merge pull request #2712 from liyongxin/master
• 6133840f typo fix from existant to existent
• a927fbdb track digest offset in blobwriter
• d8bde9b9 remove go 1.9 and 1.10 checks from travis
• bd41413d remove closenotifier
• 166874ad fix gofmt and goimports
• a5c2fdc5 Merge pull request #2705 from mirake/fix-typo
• 9da0f07c update travis with go 1.11
• 877d706b remove dependencies on resumable
• d1f36d46 Fix some typos
• 642075f4 Merge pull request #2631 from whoshuu/feature/improve-gcs-driver
• 15de837a Merge pull request #2704 from dmcgowan/fix-2703
• 7a195dd5 Add back include_gcs build constraint
• 69299d93 Use existing jwtConf instead of creating a scoped one
• f9187b25 Add regulator to GCS
• b424c3d8 Better error handling for GCS credential argument addition
• 3f9f073c Edit configuration.md to add gcs credentials option
• 78238ef1 Add credentials argument for GCS driver
• efa4c3bb Merge pull request #2702 from caervs/fix_path_enumeration
• 6d66d036 Merge pull request #2698 from cquon/swift_vendor
• c88728f2 Fix registry stripping newlines from manifests
• 6b73a9ab Ignore missing paths during enumeration
• fd32d5f9 update github.com/ncw/swift package in vendor to v1.0.40
• 5a74b806 update github.com/ncw/swift package in vendor to avoid potential memory leaks
• 9930542d Merge pull request #2701 from davidswu/metalinter
• 8d7e4cd3 fix goimports and gofmt
• 90705d2f Merge pull request #2362 from twistlock/populate_htpasswd
• b12bd400 Merge pull request #2639 from andrew-leung/manifesteventlayers
• 059f301d Merge pull request #2685 from manishtomar/mani-graceful-shutdown
• f95ac7db fix doc - thanks @dmp42
• 3354cf98 Merge pull request #2680 from manishtomar/mani-fix-mem-leak
• ef859e1b Merge pull request #2474 from vikstrous/disable-v1-master
• 90070b33 Merge pull request #2694 from caervs/fix_nginx_spacing
• [0101db11](0101db...

This release is a special security release to address an issue allowing
an attacker to force arbitrarily-sized memory allocations in a registry
instance through the manifest endpoint. The problem has been mitigated
by limiting the size of reads for image manifest content.

Details for mitigation are in 29fa466

CVE-2017-11468 has been assigned for this issue.

Changelog

48294d9 Merge pull request #2343 from stevvooe/prepare-2.6.2
04ce686 release: prepare for 2.6.2 release
c829241 Merge pull request #2341 from stevvooe/limit-payload-size-26
29fa466 registry/{storage,handlers}: limit content sizes
42ea75c Merge pull request #2284 from mstanleyjones/release/2.6
ed2b686 Put architecture.md back into distribution repo

This release is a special security release to address an issue allowing
an attacker to force arbitrarily-sized memory allocations in a registry
instance through the manifest endpoint. The problem has been mitigated
by limiting the size of reads for image manifest content.

Details for mitigation are in 58d239d.

CVE-2017-11468 has been assigned for this issue.

Changelog

0bae751 Merge pull request #2344 from stevvooe/prepare-2.5.2
48cb60a release: prepare for 2.5.2 release
2b0952d Merge pull request #2342 from stevvooe/limit-payload-size-25
58d239d registry/{storage,handlers}: limit content sizes
9bc9d21 Merge pull request #2122 from
mstanleyjones/configuration_changes_backport
fcbea60 Improve formatting of configuration.md
6b114e6 Merge pull request #2081 from Windfarer/release/2.5
6c985f7 Update main.go
2c3b616 Merge pull request #2054 from mstanleyjones/2.5_metadata_fixes
5adfbe3 Remove newlines from end of error strings
cfe7079 Satisfy the latest go lint rules
abd2d76 Metadata and formatting fixes needed for Jekyll build
6b3ccf9 Convert Markdown frontmatter to YAML
a8402a2 Merge pull request #1985 from johndmulhausen/master
0a22649 Update to fix lint errors

Changelog

Registry

• Fix Forwarded header handling, revert use of X-Forwarded-Port
• Use driver Stat for registry health check