It is correct, because the line in DockerClient is
$tmp['registry'] = $tmp['registry'] ?? $this->getTemplateValue($image, 'Registry');
And if I switch that, then god knows what else has to change in addition
#363 has been implicated in a glitch in the docker template system. While I cannot replicate the issue at all, revert the PR as the edge case issue that it solved has only ever occurred during synthetic tests.
The docker logs command outputs to both stdout and stderr depending upon the type of log entry. Both have to be accounting for in determining the log size
CA currently when installing multiple previously installed apps will copy, modify, and execute a different version of CreateDocker.php to avoid a harmless display error. Minor code adjustment to prevent CA from having to do that (since it may at some point in the future break).
1. get www-authenticate header for realm, service & scope
2. get token from generated url (realm + query args service & scope)
3. get manifest header Docker-Content-Digest
Also allows access to private docker registries
While I think this was a decent idea, in actual practice there are too many possibilities / permutations of quoting etc that can potentially result in a false positive and prevent the user from executing their container. Net result is that the security routine would have to be continually updated as more legit usages com to light.
Since the whole point of the original change was to prevent repository maintainers from maliciously executing arbitrary commands in the docker run and not to impact end-users at all, this will have to be purely enforced on CA's end instead.
