docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Allow either configure registry as read-only or add some human-friendly message when push is rejected by driver #799

Open grossws opened 9 years ago

grossws commented 9 years ago

I use Amazon S3 as a backend. I have a user (key/secret pair) with a read-only policy. When I start the registry with these credentials I want to allow users to pull some updates from it (as part of a simple continuous delivery system).

Pull works fine. If a user tries to push something into it, he will get a weird error message:

```
[root@test ~]# docker push localhost:5000/java7
The push refers to a repository [localhost:5000/java7] (len: 1)
Sending image list
2014/11/27 20:15:35
```

The log shows that the S3 response is 403 Forbidden, which can be traced to return a human-friendly error message.

Another solution is to provide an option to start docker-registry in read-only mode, so it will always produce a human-friendly message on docker push invocation.

Amazon S3 policy is quite simple:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
         "s3:GetBucketLocation",
         "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Effect": "Allow",
      "Action": [
         "s3:GetBucketLocation",
         "s3:GetObject",
         "s3:GetObjectAcl",
         "s3:GetObjectTorrent",
         "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/dr/*"
    }
  ]
}
```

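
A sketch of the two options requested in the issue above (a read-only switch, and a readable message when the storage backend refuses a write), added here as an example; it is not docker-registry code. `ReadOnlyRegistry`, `StorageForbidden`, `demo_app`, the `read_only` flag, the sample path and the error strings are all hypothetical.

```python
import json

WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


class StorageForbidden(Exception):
    """Hypothetical: raised by a storage driver when the backend answers 403."""


def json_error(start_response, status, message):
    body = json.dumps({"error": message}).encode("utf-8")
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


class ReadOnlyRegistry:
    """WSGI wrapper: refuse writes up front and explain backend 403s."""
    def __init__(self, app, read_only=False):
        self.app, self.read_only = app, read_only

    def __call__(self, environ, start_response):
        if self.read_only and environ["REQUEST_METHOD"] in WRITE_METHODS:
            # Rejected before any storage call is attempted.
            return json_error(start_response, "405 Method Not Allowed",
                              "registry is read-only; push is disabled")
        try:
            return self.app(environ, start_response)
        except StorageForbidden:
            # Backend refused the write; assumes the app raised before start_response.
            return json_error(start_response, "403 Forbidden",
                              "storage backend denied the write; "
                              "registry credentials are read-only")


def demo_app(environ, start_response):
    """Constructed stand-in for the registry on a read-only backend."""
    if environ["REQUEST_METHOD"] in WRITE_METHODS:
        raise StorageForbidden()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, path="/constructed/repo"):
    """Drive a WSGI app once and return (status, body)."""
    seen = {}
    body = app({"REQUEST_METHOD": method, "PATH_INFO": path},
               lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(body)
```
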
dmp42 commented 9 years ago

cc @stevvooe interesting for v2 - we should: