Merge pull request #49 from projectatomic/split-docker

*: split docker.go for future pkg creation
2025-06-27 23:27:29 +00:00 · 2016-05-09 21:30:38 +02:00 · 2016-05-09 21:30:38 +02:00 · dbdb03eddb
commit dbdb03eddb
parent 9229d72a37 f43a92a78f
6 changed files with 862 additions and 826 deletions
--- a/docker.go
+++ b/docker.go
@ -1,826 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"crypto/tls"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/projectatomic/skopeo/dockerutils"
-	"github.com/projectatomic/skopeo/reference"
-	"github.com/projectatomic/skopeo/types"
-)
-
-const (
-	dockerHostname     = "docker.io"
-	dockerRegistry     = "registry-1.docker.io"
-	dockerAuthRegistry = "https://index.docker.io/v1/"
-
-	dockerCfg         = ".docker"
-	dockerCfgFileName = "config.json"
-	dockerCfgObsolete = ".dockercfg"
-
-	baseURL       = "%s://%s/v2/"
-	tagsURL       = "%s/tags/list"
-	manifestURL   = "%s/manifests/%s"
-	blobsURL      = "%s/blobs/%s"
-	blobUploadURL = "%s/blobs/uploads/?digest=%s"
-)
-
-var (
-	validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
-)
-
-type errFetchManifest struct {
-	statusCode int
-	body       []byte
-}
-
-func (e errFetchManifest) Error() string {
-	return fmt.Sprintf("error fetching manifest: status code: %d, body: %s", e.statusCode, string(e.body))
-}
-
-type dockerImage struct {
-	src         *dockerImageSource
-	digest      string
-	rawManifest []byte
-}
-
-func (i *dockerImage) RawManifest(version string) ([]byte, error) {
-	// TODO(runcom): unused version param for now, default to docker v2-1
-	if err := i.retrieveRawManifest(); err != nil {
-		return nil, err
-	}
-	return i.rawManifest, nil
-}
-
-func (i *dockerImage) Manifest() (types.ImageManifest, error) {
-	// TODO(runcom): unused version param for now, default to docker v2-1
-	m, err := i.getSchema1Manifest()
-	if err != nil {
-		return nil, err
-	}
-	ms1, ok := m.(*manifestSchema1)
-	if !ok {
-		return nil, fmt.Errorf("error retrivieng manifest schema1")
-	}
-	tags, err := i.getTags()
-	if err != nil {
-		return nil, err
-	}
-	imgManifest, err := makeImageManifest(i.src.ref.FullName(), ms1, i.digest, tags)
-	if err != nil {
-		return nil, err
-	}
-	return imgManifest, nil
-}
-
-func (i *dockerImage) getTags() ([]string, error) {
-	// FIXME? Breaking the abstraction.
-	url := fmt.Sprintf(tagsURL, i.src.ref.RemoteName())
-	res, err := i.src.c.makeRequest("GET", url, nil, nil)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		// print url also
-		return nil, fmt.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
-	}
-	type tagsRes struct {
-		Tags []string
-	}
-	tags := &tagsRes{}
-	if err := json.NewDecoder(res.Body).Decode(tags); err != nil {
-		return nil, err
-	}
-	return tags.Tags, nil
-}
-
-type config struct {
-	Labels map[string]string
-}
-
-type v1Image struct {
-	// Config is the configuration of the container received from the client
-	Config *config `json:"config,omitempty"`
-	// DockerVersion specifies version on which image is built
-	DockerVersion string `json:"docker_version,omitempty"`
-	// Created timestamp when image was created
-	Created time.Time `json:"created"`
-	// Architecture is the hardware that the image is build and runs on
-	Architecture string `json:"architecture,omitempty"`
-	// OS is the operating system used to build and run the image
-	OS string `json:"os,omitempty"`
-}
-
-func makeImageManifest(name string, m *manifestSchema1, dgst string, tagList []string) (types.ImageManifest, error) {
-	v1 := &v1Image{}
-	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), v1); err != nil {
-		return nil, err
-	}
-	return &types.DockerImageManifest{
-		Name:          name,
-		Tag:           m.Tag,
-		Digest:        dgst,
-		RepoTags:      tagList,
-		DockerVersion: v1.DockerVersion,
-		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-		Layers:        m.GetLayers(),
-	}, nil
-}
-
-// TODO(runcom)
-func (i *dockerImage) DockerTar() ([]byte, error) {
-	return nil, nil
-}
-
-// will support v1 one day...
-type manifest interface {
-	String() string
-	GetLayers() []string
-}
-
-type manifestSchema1 struct {
-	Name     string
-	Tag      string
-	FSLayers []struct {
-		BlobSum string `json:"blobSum"`
-	} `json:"fsLayers"`
-	History []struct {
-		V1Compatibility string `json:"v1Compatibility"`
-	} `json:"history"`
-	// TODO(runcom) verify the downloaded manifest
-	//Signature []byte `json:"signature"`
-}
-
-func (m *manifestSchema1) GetLayers() []string {
-	layers := make([]string, len(m.FSLayers))
-	for i, layer := range m.FSLayers {
-		layers[i] = layer.BlobSum
-	}
-	return layers
-}
-
-func (m *manifestSchema1) String() string {
-	return fmt.Sprintf("%s-%s", sanitize(m.Name), sanitize(m.Tag))
-}
-
-func sanitize(s string) string {
-	return strings.Replace(s, "/", "-", -1)
-}
-
-type dockerImageSource struct {
-	ref reference.Named
-	tag string
-	c   *dockerClient
-}
-
-func (s *dockerImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
-	url := fmt.Sprintf(manifestURL, s.ref.RemoteName(), s.tag)
-	// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
-	// TODO(runcom) NO, switch on the resulter manifest like Docker is doing
-	res, err := s.c.makeRequest("GET", url, nil, nil)
-	if err != nil {
-		return nil, "", err
-	}
-	defer res.Body.Close()
-	manblob, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, "", err
-	}
-	if res.StatusCode != http.StatusOK {
-		return nil, "", errFetchManifest{res.StatusCode, manblob}
-	}
-	return manblob, res.Header.Get("Docker-Content-Digest"), nil
-}
-
-func (s *dockerImageSource) GetLayer(digest string) (io.ReadCloser, error) {
-	url := fmt.Sprintf(blobsURL, s.ref.RemoteName(), digest)
-	logrus.Infof("Downloading %s", url)
-	res, err := s.c.makeRequest("GET", url, nil, nil)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusOK {
-		// print url also
-		return nil, fmt.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
-	}
-	return res.Body, nil
-}
-
-func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
-	return [][]byte{}, nil
-}
-
-// dockerClient is configuration for dealing with a single Docker registry.
-type dockerClient struct {
-	registry        string
-	username        string
-	password        string
-	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
-	scheme          string // Cache of a value returned by a successful ping() if not empty
-	transport       *http.Transport
-}
-
-func (c *dockerClient) makeRequest(method, url string, headers map[string]string, stream io.Reader) (*http.Response, error) {
-	if c.scheme == "" {
-		pr, err := c.ping()
-		if err != nil {
-			return nil, err
-		}
-		c.wwwAuthenticate = pr.WWWAuthenticate
-		c.scheme = pr.scheme
-	}
-
-	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
-	req, err := http.NewRequest(method, url, stream)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
-	for n, h := range headers {
-		req.Header.Add(n, h)
-	}
-	if c.wwwAuthenticate != "" {
-		if err := c.setupRequestAuth(req); err != nil {
-			return nil, err
-		}
-	}
-	client := &http.Client{}
-	if c.transport != nil {
-		client.Transport = c.transport
-	}
-	logrus.Debugf("%s %s", method, url)
-	res, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	return res, nil
-}
-
-func (c *dockerClient) setupRequestAuth(req *http.Request) error {
-	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
-	if len(tokens) != 2 {
-		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
-	}
-	switch tokens[0] {
-	case "Basic":
-		req.SetBasicAuth(c.username, c.password)
-		return nil
-	case "Bearer":
-		client := &http.Client{}
-		if c.transport != nil {
-			client.Transport = c.transport
-		}
-		res, err := client.Do(req)
-		if err != nil {
-			return err
-		}
-		hdr := res.Header.Get("WWW-Authenticate")
-		if hdr == "" || res.StatusCode != http.StatusUnauthorized {
-			// no need for bearer? wtf?
-			return nil
-		}
-		tokens = strings.Split(hdr, " ")
-		tokens = strings.Split(tokens[1], ",")
-		var realm, service, scope string
-		for _, token := range tokens {
-			if strings.HasPrefix(token, "realm") {
-				realm = strings.Trim(token[len("realm="):], "\"")
-			}
-			if strings.HasPrefix(token, "service") {
-				service = strings.Trim(token[len("service="):], "\"")
-			}
-			if strings.HasPrefix(token, "scope") {
-				scope = strings.Trim(token[len("scope="):], "\"")
-			}
-		}
-
-		if realm == "" {
-			return fmt.Errorf("missing realm in bearer auth challenge")
-		}
-		if service == "" {
-			return fmt.Errorf("missing service in bearer auth challenge")
-		}
-		// The scope can be empty if we're not getting a token for a specific repo
-		//if scope == "" && repo != "" {
-		if scope == "" {
-			return fmt.Errorf("missing scope in bearer auth challenge")
-		}
-		token, err := c.getBearerToken(realm, service, scope)
-		if err != nil {
-			return err
-		}
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-		return nil
-	}
-	return fmt.Errorf("no handler for %s authentication", tokens[0])
-	// support docker bearer with authconfig's Auth string? see docker2aci
-}
-
-func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
-	authReq, err := http.NewRequest("GET", realm, nil)
-	if err != nil {
-		return "", err
-	}
-	getParams := authReq.URL.Query()
-	getParams.Add("service", service)
-	if scope != "" {
-		getParams.Add("scope", scope)
-	}
-	authReq.URL.RawQuery = getParams.Encode()
-	if c.username != "" && c.password != "" {
-		authReq.SetBasicAuth(c.username, c.password)
-	}
-	// insecure for now to contact the external token service
-	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
-	client := &http.Client{Transport: tr}
-	res, err := client.Do(authReq)
-	if err != nil {
-		return "", err
-	}
-	defer res.Body.Close()
-	switch res.StatusCode {
-	case http.StatusUnauthorized:
-		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
-	case http.StatusOK:
-		break
-	default:
-		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
-	}
-	tokenBlob, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return "", err
-	}
-	tokenStruct := struct {
-		Token string `json:"token"`
-	}{}
-	if err := json.Unmarshal(tokenBlob, &tokenStruct); err != nil {
-		return "", err
-	}
-	// TODO(runcom): reuse tokens?
-	//hostAuthTokens, ok = rb.hostsV2AuthTokens[req.URL.Host]
-	//if !ok {
-	//hostAuthTokens = make(map[string]string)
-	//rb.hostsV2AuthTokens[req.URL.Host] = hostAuthTokens
-	//}
-	//hostAuthTokens[repo] = tokenStruct.Token
-	return tokenStruct.Token, nil
-}
-
-func (i *dockerImage) retrieveRawManifest() error {
-	if i.rawManifest != nil {
-		return nil
-	}
-	manblob, unverifiedCanonicalDigest, err := i.src.GetManifest()
-	if err != nil {
-		return err
-	}
-	i.rawManifest = manblob
-	i.digest = unverifiedCanonicalDigest
-	return nil
-}
-
-func (i *dockerImage) getSchema1Manifest() (manifest, error) {
-	if err := i.retrieveRawManifest(); err != nil {
-		return nil, err
-	}
-	mschema1 := &manifestSchema1{}
-	if err := json.Unmarshal(i.rawManifest, mschema1); err != nil {
-		return nil, err
-	}
-	if err := fixManifestLayers(mschema1); err != nil {
-		return nil, err
-	}
-	// TODO(runcom): verify manifest schema 1, 2 etc
-	//if len(m.FSLayers) != len(m.History) {
-	//return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
-	//}
-	//if len(m.FSLayers) == 0 {
-	//return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
-	//}
-	return mschema1, nil
-}
-
-func (i *dockerImage) Layers(layers ...string) error {
-	m, err := i.getSchema1Manifest()
-	if err != nil {
-		return err
-	}
-	tmpDir, err := ioutil.TempDir(".", "layers-"+m.String()+"-")
-	if err != nil {
-		return err
-	}
-	dest := NewDirImageDestination(tmpDir)
-	data, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	if err := dest.PutManifest(data); err != nil {
-		return err
-	}
-	if len(layers) == 0 {
-		layers = m.GetLayers()
-	}
-	for _, l := range layers {
-		if !strings.HasPrefix(l, "sha256:") {
-			l = "sha256:" + l
-		}
-		if err := i.getLayer(dest, l); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (i *dockerImage) getLayer(dest types.ImageDestination, digest string) error {
-	stream, err := i.src.GetLayer(digest)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-	return dest.PutLayer(digest, stream)
-}
-
-// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
-func newDockerClient(refHostname, certPath string, tlsVerify bool) (*dockerClient, error) {
-	var registry string
-	if refHostname == dockerHostname {
-		registry = dockerRegistry
-	} else {
-		registry = refHostname
-	}
-	username, password, err := getAuth(refHostname)
-	if err != nil {
-		return nil, err
-	}
-	var tr *http.Transport
-	if certPath != "" || !tlsVerify {
-		tlsc := &tls.Config{}
-
-		if certPath != "" {
-			cert, err := tls.LoadX509KeyPair(filepath.Join(certPath, "cert.pem"), filepath.Join(certPath, "key.pem"))
-			if err != nil {
-				return nil, fmt.Errorf("Error loading x509 key pair: %s", err)
-			}
-			tlsc.Certificates = append(tlsc.Certificates, cert)
-		}
-		tlsc.InsecureSkipVerify = !tlsVerify
-		tr = &http.Transport{
-			TLSClientConfig: tlsc,
-		}
-	}
-	return &dockerClient{
-		registry:  registry,
-		username:  username,
-		password:  password,
-		transport: tr,
-	}, nil
-}
-
-// parseDockerImageName converts a string into a reference and tag value.
-func parseDockerImageName(img string) (reference.Named, string, error) {
-	ref, err := reference.ParseNamed(img)
-	if err != nil {
-		return nil, "", err
-	}
-	if reference.IsNameOnly(ref) {
-		ref = reference.WithDefaultTag(ref)
-	}
-	var tag string
-	switch x := ref.(type) {
-	case reference.Canonical:
-		tag = x.Digest().String()
-	case reference.NamedTagged:
-		tag = x.Tag()
-	}
-	return ref, tag, nil
-}
-
-// newDockerImageSource is the same as NewDockerImageSource, only it returns the more specific *dockerImageSource type.
-func newDockerImageSource(img, certPath string, tlsVerify bool) (*dockerImageSource, error) {
-	ref, tag, err := parseDockerImageName(img)
-	if err != nil {
-		return nil, err
-	}
-	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImageSource{
-		ref: ref,
-		tag: tag,
-		c:   c,
-	}, nil
-}
-
-// NewDockerImageSource creates a new ImageSource for the specified image and connection specification.
-func NewDockerImageSource(img, certPath string, tlsVerify bool) (types.ImageSource, error) {
-	return newDockerImageSource(img, certPath, tlsVerify)
-}
-
-func parseDockerImage(img, certPath string, tlsVerify bool) (types.Image, error) {
-	s, err := newDockerImageSource(img, certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImage{src: s}, nil
-}
-
-func getDefaultConfigDir(confPath string) string {
-	return filepath.Join(homedir.Get(), confPath)
-}
-
-type dockerAuthConfigObsolete struct {
-	Auth string `json:"auth"`
-}
-
-type dockerAuthConfig struct {
-	Auth string `json:"auth,omitempty"`
-}
-
-type dockerConfigFile struct {
-	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
-}
-
-func decodeDockerAuth(s string) (string, string, error) {
-	decoded, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return "", "", err
-	}
-	parts := strings.SplitN(string(decoded), ":", 2)
-	if len(parts) != 2 {
-		// if it's invalid just skip, as docker does
-		return "", "", nil
-	}
-	user := parts[0]
-	password := strings.Trim(parts[1], "\x00")
-	return user, password, nil
-}
-
-func getAuth(hostname string) (string, string, error) {
-	// TODO(runcom): get this from *cli.Context somehow
-	//if username != "" && password != "" {
-	//return username, password, nil
-	//}
-	if hostname == dockerHostname {
-		hostname = dockerAuthRegistry
-	}
-	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
-	if _, err := os.Stat(dockerCfgPath); err == nil {
-		j, err := ioutil.ReadFile(dockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		var dockerAuth dockerConfigFile
-		if err := json.Unmarshal(j, &dockerAuth); err != nil {
-			return "", "", err
-		}
-		// try the normal case
-		if c, ok := dockerAuth.AuthConfigs[hostname]; ok {
-			return decodeDockerAuth(c.Auth)
-		}
-	} else if os.IsNotExist(err) {
-		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
-		if _, err := os.Stat(oldDockerCfgPath); err != nil {
-			return "", "", nil //missing file is not an error
-		}
-		j, err := ioutil.ReadFile(oldDockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		var dockerAuthOld map[string]dockerAuthConfigObsolete
-		if err := json.Unmarshal(j, &dockerAuthOld); err != nil {
-			return "", "", err
-		}
-		if c, ok := dockerAuthOld[hostname]; ok {
-			return decodeDockerAuth(c.Auth)
-		}
-	} else {
-		// if file is there but we can't stat it for any reason other
-		// than it doesn't exist then stop
-		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
-	}
-	return "", "", nil
-}
-
-type apiErr struct {
-	Code    string
-	Message string
-	Detail  interface{}
-}
-
-type pingResponse struct {
-	WWWAuthenticate string
-	APIVersion      string
-	scheme          string
-	errors          []apiErr
-}
-
-func (c *dockerClient) ping() (*pingResponse, error) {
-	client := &http.Client{}
-	if c.transport != nil {
-		client.Transport = c.transport
-	}
-	ping := func(scheme string) (*pingResponse, error) {
-		url := fmt.Sprintf(baseURL, scheme, c.registry)
-		resp, err := client.Get(url)
-		logrus.Debugf("Ping %s err %#v", url, err)
-		if err != nil {
-			return nil, err
-		}
-		defer resp.Body.Close()
-		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
-		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
-			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
-		}
-		pr := &pingResponse{}
-		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
-		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
-		pr.scheme = scheme
-		if resp.StatusCode == http.StatusUnauthorized {
-			type APIErrors struct {
-				Errors []apiErr
-			}
-			errs := &APIErrors{}
-			if err := json.NewDecoder(resp.Body).Decode(errs); err != nil {
-				return nil, err
-			}
-			pr.errors = errs.Errors
-		}
-		return pr, nil
-	}
-	scheme := "https"
-	pr, err := ping(scheme)
-	if err != nil {
-		scheme = "http"
-		pr, err = ping(scheme)
-		if err == nil {
-			return pr, nil
-		}
-	}
-	return pr, err
-}
-
-func fixManifestLayers(manifest *manifestSchema1) error {
-	type imageV1 struct {
-		ID     string
-		Parent string
-	}
-	imgs := make([]*imageV1, len(manifest.FSLayers))
-	for i := range manifest.FSLayers {
-		img := &imageV1{}
-
-		if err := json.Unmarshal([]byte(manifest.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := validateV1ID(img.ID); err != nil {
-			return err
-		}
-	}
-	if imgs[len(imgs)-1].Parent != "" {
-		return errors.New("Invalid parent ID in the base layer of the image.")
-	}
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
-			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-	return nil
-}
-
-func validateV1ID(id string) error {
-	if ok := validHex.MatchString(id); !ok {
-		return fmt.Errorf("image ID %q is invalid", id)
-	}
-	return nil
-}
-
-type dockerImageDestination struct {
-	ref reference.Named
-	tag string
-	c   *dockerClient
-}
-
-// NewDockerImageDestination creates a new ImageDestination for the specified image and connection specification.
-func NewDockerImageDestination(img, certPath string, tlsVerify bool) (types.ImageDestination, error) {
-	ref, tag, err := parseDockerImageName(img)
-	if err != nil {
-		return nil, err
-	}
-	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImageDestination{
-		ref: ref,
-		tag: tag,
-		c:   c,
-	}, nil
-}
-
-func (d *dockerImageDestination) CanonicalDockerReference() (string, error) {
-	return fmt.Sprintf("%s:%s", d.ref.Name(), d.tag), nil
-}
-
-func (d *dockerImageDestination) PutManifest(manifest []byte) error {
-	// FIXME: This only allows upload by digest, not creating a tag.  See the
-	// corresponding comment in NewOpenshiftImageDestination.
-	digest, err := dockerutils.ManifestDigest(manifest)
-	if err != nil {
-		return err
-	}
-	url := fmt.Sprintf(manifestURL, d.ref.RemoteName(), digest)
-
-	headers := map[string]string{}
-	mimeType := dockerutils.GuessManifestMIMEType(manifest)
-	if mimeType != "" {
-		headers["Content-Type"] = mimeType
-	}
-	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(manifest))
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		body, err := ioutil.ReadAll(res.Body)
-		if err == nil {
-			logrus.Debugf("Error body %s", string(body))
-		}
-		logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
-		return fmt.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode)
-	}
-	return nil
-}
-
-func (d *dockerImageDestination) PutLayer(digest string, stream io.Reader) error {
-	checkURL := fmt.Sprintf(blobsURL, d.ref.RemoteName(), digest)
-
-	logrus.Debugf("Checking %s", checkURL)
-	res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode == http.StatusOK && res.Header.Get("Docker-Content-Digest") == digest {
-		logrus.Debugf("... already exists, not uploading")
-		return nil
-	}
-	logrus.Debugf("... failed, status %d", res.StatusCode)
-
-	// FIXME? Chunked upload, progress reporting, etc.
-	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.RemoteName(), digest)
-	logrus.Debugf("Uploading %s", uploadURL)
-	// FIXME: Set Content-Length?
-	res, err = d.c.makeRequest("POST", uploadURL, map[string]string{"Content-Type": "application/octet-stream"}, stream)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		logrus.Debugf("Error uploading, status %d", res.StatusCode)
-		return fmt.Errorf("Error uploading to %s, status %d", uploadURL, res.StatusCode)
-	}
-
-	return nil
-}
-
-func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
-	if len(signatures) != 0 {
-		return fmt.Errorf("Pushing signatures to a Docker Registry is not supported")
-	}
-	return nil
-}
--- a/docker_client.go
+++ b/docker_client.go
@ -0,0 +1,360 @@
+package main
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/pkg/homedir"
+)
+
+const (
+	dockerHostname     = "docker.io"
+	dockerRegistry     = "registry-1.docker.io"
+	dockerAuthRegistry = "https://index.docker.io/v1/"
+
+	dockerCfg         = ".docker"
+	dockerCfgFileName = "config.json"
+	dockerCfgObsolete = ".dockercfg"
+
+	baseURL       = "%s://%s/v2/"
+	tagsURL       = "%s/tags/list"
+	manifestURL   = "%s/manifests/%s"
+	blobsURL      = "%s/blobs/%s"
+	blobUploadURL = "%s/blobs/uploads/?digest=%s"
+)
+
+// dockerClient is configuration for dealing with a single Docker registry.
+type dockerClient struct {
+	registry        string
+	username        string
+	password        string
+	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
+	scheme          string // Cache of a value returned by a successful ping() if not empty
+	transport       *http.Transport
+}
+
+// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
+func newDockerClient(refHostname, certPath string, tlsVerify bool) (*dockerClient, error) {
+	var registry string
+	if refHostname == dockerHostname {
+		registry = dockerRegistry
+	} else {
+		registry = refHostname
+	}
+	username, password, err := getAuth(refHostname)
+	if err != nil {
+		return nil, err
+	}
+	var tr *http.Transport
+	if certPath != "" || !tlsVerify {
+		tlsc := &tls.Config{}
+
+		if certPath != "" {
+			cert, err := tls.LoadX509KeyPair(filepath.Join(certPath, "cert.pem"), filepath.Join(certPath, "key.pem"))
+			if err != nil {
+				return nil, fmt.Errorf("Error loading x509 key pair: %s", err)
+			}
+			tlsc.Certificates = append(tlsc.Certificates, cert)
+		}
+		tlsc.InsecureSkipVerify = !tlsVerify
+		tr = &http.Transport{
+			TLSClientConfig: tlsc,
+		}
+	}
+	return &dockerClient{
+		registry:  registry,
+		username:  username,
+		password:  password,
+		transport: tr,
+	}, nil
+}
+
+func (c *dockerClient) makeRequest(method, url string, headers map[string]string, stream io.Reader) (*http.Response, error) {
+	if c.scheme == "" {
+		pr, err := c.ping()
+		if err != nil {
+			return nil, err
+		}
+		c.wwwAuthenticate = pr.WWWAuthenticate
+		c.scheme = pr.scheme
+	}
+
+	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
+	req, err := http.NewRequest(method, url, stream)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
+	for n, h := range headers {
+		req.Header.Add(n, h)
+	}
+	if c.wwwAuthenticate != "" {
+		if err := c.setupRequestAuth(req); err != nil {
+			return nil, err
+		}
+	}
+	client := &http.Client{}
+	if c.transport != nil {
+		client.Transport = c.transport
+	}
+	logrus.Debugf("%s %s", method, url)
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func (c *dockerClient) setupRequestAuth(req *http.Request) error {
+	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
+	if len(tokens) != 2 {
+		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
+	}
+	switch tokens[0] {
+	case "Basic":
+		req.SetBasicAuth(c.username, c.password)
+		return nil
+	case "Bearer":
+		client := &http.Client{}
+		if c.transport != nil {
+			client.Transport = c.transport
+		}
+		res, err := client.Do(req)
+		if err != nil {
+			return err
+		}
+		hdr := res.Header.Get("WWW-Authenticate")
+		if hdr == "" || res.StatusCode != http.StatusUnauthorized {
+			// no need for bearer? wtf?
+			return nil
+		}
+		tokens = strings.Split(hdr, " ")
+		tokens = strings.Split(tokens[1], ",")
+		var realm, service, scope string
+		for _, token := range tokens {
+			if strings.HasPrefix(token, "realm") {
+				realm = strings.Trim(token[len("realm="):], "\"")
+			}
+			if strings.HasPrefix(token, "service") {
+				service = strings.Trim(token[len("service="):], "\"")
+			}
+			if strings.HasPrefix(token, "scope") {
+				scope = strings.Trim(token[len("scope="):], "\"")
+			}
+		}
+
+		if realm == "" {
+			return fmt.Errorf("missing realm in bearer auth challenge")
+		}
+		if service == "" {
+			return fmt.Errorf("missing service in bearer auth challenge")
+		}
+		// The scope can be empty if we're not getting a token for a specific repo
+		//if scope == "" && repo != "" {
+		if scope == "" {
+			return fmt.Errorf("missing scope in bearer auth challenge")
+		}
+		token, err := c.getBearerToken(realm, service, scope)
+		if err != nil {
+			return err
+		}
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+		return nil
+	}
+	return fmt.Errorf("no handler for %s authentication", tokens[0])
+	// support docker bearer with authconfig's Auth string? see docker2aci
+}
+
+func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
+	authReq, err := http.NewRequest("GET", realm, nil)
+	if err != nil {
+		return "", err
+	}
+	getParams := authReq.URL.Query()
+	getParams.Add("service", service)
+	if scope != "" {
+		getParams.Add("scope", scope)
+	}
+	authReq.URL.RawQuery = getParams.Encode()
+	if c.username != "" && c.password != "" {
+		authReq.SetBasicAuth(c.username, c.password)
+	}
+	// insecure for now to contact the external token service
+	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+	client := &http.Client{Transport: tr}
+	res, err := client.Do(authReq)
+	if err != nil {
+		return "", err
+	}
+	defer res.Body.Close()
+	switch res.StatusCode {
+	case http.StatusUnauthorized:
+		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
+	case http.StatusOK:
+		break
+	default:
+		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
+	}
+	tokenBlob, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return "", err
+	}
+	tokenStruct := struct {
+		Token string `json:"token"`
+	}{}
+	if err := json.Unmarshal(tokenBlob, &tokenStruct); err != nil {
+		return "", err
+	}
+	// TODO(runcom): reuse tokens?
+	//hostAuthTokens, ok = rb.hostsV2AuthTokens[req.URL.Host]
+	//if !ok {
+	//hostAuthTokens = make(map[string]string)
+	//rb.hostsV2AuthTokens[req.URL.Host] = hostAuthTokens
+	//}
+	//hostAuthTokens[repo] = tokenStruct.Token
+	return tokenStruct.Token, nil
+}
+
+func getAuth(hostname string) (string, string, error) {
+	// TODO(runcom): get this from *cli.Context somehow
+	//if username != "" && password != "" {
+	//return username, password, nil
+	//}
+	if hostname == dockerHostname {
+		hostname = dockerAuthRegistry
+	}
+	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
+	if _, err := os.Stat(dockerCfgPath); err == nil {
+		j, err := ioutil.ReadFile(dockerCfgPath)
+		if err != nil {
+			return "", "", err
+		}
+		var dockerAuth dockerConfigFile
+		if err := json.Unmarshal(j, &dockerAuth); err != nil {
+			return "", "", err
+		}
+		// try the normal case
+		if c, ok := dockerAuth.AuthConfigs[hostname]; ok {
+			return decodeDockerAuth(c.Auth)
+		}
+	} else if os.IsNotExist(err) {
+		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
+		if _, err := os.Stat(oldDockerCfgPath); err != nil {
+			return "", "", nil //missing file is not an error
+		}
+		j, err := ioutil.ReadFile(oldDockerCfgPath)
+		if err != nil {
+			return "", "", err
+		}
+		var dockerAuthOld map[string]dockerAuthConfigObsolete
+		if err := json.Unmarshal(j, &dockerAuthOld); err != nil {
+			return "", "", err
+		}
+		if c, ok := dockerAuthOld[hostname]; ok {
+			return decodeDockerAuth(c.Auth)
+		}
+	} else {
+		// if file is there but we can't stat it for any reason other
+		// than it doesn't exist then stop
+		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
+	}
+	return "", "", nil
+}
+
+type apiErr struct {
+	Code    string
+	Message string
+	Detail  interface{}
+}
+
+type pingResponse struct {
+	WWWAuthenticate string
+	APIVersion      string
+	scheme          string
+	errors          []apiErr
+}
+
+func (c *dockerClient) ping() (*pingResponse, error) {
+	client := &http.Client{}
+	if c.transport != nil {
+		client.Transport = c.transport
+	}
+	ping := func(scheme string) (*pingResponse, error) {
+		url := fmt.Sprintf(baseURL, scheme, c.registry)
+		resp, err := client.Get(url)
+		logrus.Debugf("Ping %s err %#v", url, err)
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
+		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
+		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
+			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
+		}
+		pr := &pingResponse{}
+		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
+		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
+		pr.scheme = scheme
+		if resp.StatusCode == http.StatusUnauthorized {
+			type APIErrors struct {
+				Errors []apiErr
+			}
+			errs := &APIErrors{}
+			if err := json.NewDecoder(resp.Body).Decode(errs); err != nil {
+				return nil, err
+			}
+			pr.errors = errs.Errors
+		}
+		return pr, nil
+	}
+	scheme := "https"
+	pr, err := ping(scheme)
+	if err != nil {
+		scheme = "http"
+		pr, err = ping(scheme)
+		if err == nil {
+			return pr, nil
+		}
+	}
+	return pr, err
+}
+
+func getDefaultConfigDir(confPath string) string {
+	return filepath.Join(homedir.Get(), confPath)
+}
+
+type dockerAuthConfigObsolete struct {
+	Auth string `json:"auth"`
+}
+
+type dockerAuthConfig struct {
+	Auth string `json:"auth,omitempty"`
+}
+
+type dockerConfigFile struct {
+	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
+}
+
+func decodeDockerAuth(s string) (string, string, error) {
+	decoded, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return "", "", err
+	}
+	parts := strings.SplitN(string(decoded), ":", 2)
+	if len(parts) != 2 {
+		// if it's invalid just skip, as docker does
+		return "", "", nil
+	}
+	user := parts[0]
+	password := strings.Trim(parts[1], "\x00")
+	return user, password, nil
+}
--- a/docker_image.go
+++ b/docker_image.go
@ -0,0 +1,284 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/projectatomic/skopeo/types"
+)
+
+var (
+	validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
+)
+
+type dockerImage struct {
+	src         *dockerImageSource
+	digest      string
+	rawManifest []byte
+}
+
+func parseDockerImage(img, certPath string, tlsVerify bool) (types.Image, error) {
+	s, err := newDockerImageSource(img, certPath, tlsVerify)
+	if err != nil {
+		return nil, err
+	}
+	return &dockerImage{src: s}, nil
+}
+
+func (i *dockerImage) RawManifest(version string) ([]byte, error) {
+	// TODO(runcom): unused version param for now, default to docker v2-1
+	if err := i.retrieveRawManifest(); err != nil {
+		return nil, err
+	}
+	return i.rawManifest, nil
+}
+
+func (i *dockerImage) Manifest() (types.ImageManifest, error) {
+	// TODO(runcom): unused version param for now, default to docker v2-1
+	m, err := i.getSchema1Manifest()
+	if err != nil {
+		return nil, err
+	}
+	ms1, ok := m.(*manifestSchema1)
+	if !ok {
+		return nil, fmt.Errorf("error retrivieng manifest schema1")
+	}
+	tags, err := i.getTags()
+	if err != nil {
+		return nil, err
+	}
+	imgManifest, err := makeImageManifest(i.src.ref.FullName(), ms1, i.digest, tags)
+	if err != nil {
+		return nil, err
+	}
+	return imgManifest, nil
+}
+
+func (i *dockerImage) getTags() ([]string, error) {
+	// FIXME? Breaking the abstraction.
+	url := fmt.Sprintf(tagsURL, i.src.ref.RemoteName())
+	res, err := i.src.c.makeRequest("GET", url, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		// print url also
+		return nil, fmt.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
+	}
+	type tagsRes struct {
+		Tags []string
+	}
+	tags := &tagsRes{}
+	if err := json.NewDecoder(res.Body).Decode(tags); err != nil {
+		return nil, err
+	}
+	return tags.Tags, nil
+}
+
+type config struct {
+	Labels map[string]string
+}
+
+type v1Image struct {
+	// Config is the configuration of the container received from the client
+	Config *config `json:"config,omitempty"`
+	// DockerVersion specifies version on which image is built
+	DockerVersion string `json:"docker_version,omitempty"`
+	// Created timestamp when image was created
+	Created time.Time `json:"created"`
+	// Architecture is the hardware that the image is build and runs on
+	Architecture string `json:"architecture,omitempty"`
+	// OS is the operating system used to build and run the image
+	OS string `json:"os,omitempty"`
+}
+
+func makeImageManifest(name string, m *manifestSchema1, dgst string, tagList []string) (types.ImageManifest, error) {
+	v1 := &v1Image{}
+	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), v1); err != nil {
+		return nil, err
+	}
+	return &types.DockerImageManifest{
+		Name:          name,
+		Tag:           m.Tag,
+		Digest:        dgst,
+		RepoTags:      tagList,
+		DockerVersion: v1.DockerVersion,
+		Created:       v1.Created,
+		Labels:        v1.Config.Labels,
+		Architecture:  v1.Architecture,
+		Os:            v1.OS,
+		Layers:        m.GetLayers(),
+	}, nil
+}
+
+// TODO(runcom)
+func (i *dockerImage) DockerTar() ([]byte, error) {
+	return nil, nil
+}
+
+// will support v1 one day...
+type manifest interface {
+	String() string
+	GetLayers() []string
+}
+
+type manifestSchema1 struct {
+	Name     string
+	Tag      string
+	FSLayers []struct {
+		BlobSum string `json:"blobSum"`
+	} `json:"fsLayers"`
+	History []struct {
+		V1Compatibility string `json:"v1Compatibility"`
+	} `json:"history"`
+	// TODO(runcom) verify the downloaded manifest
+	//Signature []byte `json:"signature"`
+}
+
+func (m *manifestSchema1) GetLayers() []string {
+	layers := make([]string, len(m.FSLayers))
+	for i, layer := range m.FSLayers {
+		layers[i] = layer.BlobSum
+	}
+	return layers
+}
+
+func (m *manifestSchema1) String() string {
+	return fmt.Sprintf("%s-%s", sanitize(m.Name), sanitize(m.Tag))
+}
+
+func sanitize(s string) string {
+	return strings.Replace(s, "/", "-", -1)
+}
+
+func (i *dockerImage) retrieveRawManifest() error {
+	if i.rawManifest != nil {
+		return nil
+	}
+	manblob, unverifiedCanonicalDigest, err := i.src.GetManifest()
+	if err != nil {
+		return err
+	}
+	i.rawManifest = manblob
+	i.digest = unverifiedCanonicalDigest
+	return nil
+}
+
+func (i *dockerImage) getSchema1Manifest() (manifest, error) {
+	if err := i.retrieveRawManifest(); err != nil {
+		return nil, err
+	}
+	mschema1 := &manifestSchema1{}
+	if err := json.Unmarshal(i.rawManifest, mschema1); err != nil {
+		return nil, err
+	}
+	if err := fixManifestLayers(mschema1); err != nil {
+		return nil, err
+	}
+	// TODO(runcom): verify manifest schema 1, 2 etc
+	//if len(m.FSLayers) != len(m.History) {
+	//return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
+	//}
+	//if len(m.FSLayers) == 0 {
+	//return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
+	//}
+	return mschema1, nil
+}
+
+func (i *dockerImage) Layers(layers ...string) error {
+	m, err := i.getSchema1Manifest()
+	if err != nil {
+		return err
+	}
+	tmpDir, err := ioutil.TempDir(".", "layers-"+m.String()+"-")
+	if err != nil {
+		return err
+	}
+	dest := NewDirImageDestination(tmpDir)
+	data, err := json.Marshal(m)
+	if err != nil {
+		return err
+	}
+	if err := dest.PutManifest(data); err != nil {
+		return err
+	}
+	if len(layers) == 0 {
+		layers = m.GetLayers()
+	}
+	for _, l := range layers {
+		if !strings.HasPrefix(l, "sha256:") {
+			l = "sha256:" + l
+		}
+		if err := i.getLayer(dest, l); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (i *dockerImage) getLayer(dest types.ImageDestination, digest string) error {
+	stream, err := i.src.GetLayer(digest)
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+	return dest.PutLayer(digest, stream)
+}
+
+func fixManifestLayers(manifest *manifestSchema1) error {
+	type imageV1 struct {
+		ID     string
+		Parent string
+	}
+	imgs := make([]*imageV1, len(manifest.FSLayers))
+	for i := range manifest.FSLayers {
+		img := &imageV1{}
+
+		if err := json.Unmarshal([]byte(manifest.History[i].V1Compatibility), img); err != nil {
+			return err
+		}
+
+		imgs[i] = img
+		if err := validateV1ID(img.ID); err != nil {
+			return err
+		}
+	}
+	if imgs[len(imgs)-1].Parent != "" {
+		return errors.New("Invalid parent ID in the base layer of the image.")
+	}
+	// check general duplicates to error instead of a deadlock
+	idmap := make(map[string]struct{})
+	var lastID string
+	for _, img := range imgs {
+		// skip IDs that appear after each other, we handle those later
+		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
+			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
+		}
+		lastID = img.ID
+		idmap[lastID] = struct{}{}
+	}
+	// backwards loop so that we keep the remaining indexes after removing items
+	for i := len(imgs) - 2; i >= 0; i-- {
+		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
+			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
+			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
+		} else if imgs[i].Parent != imgs[i+1].ID {
+			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
+		}
+	}
+	return nil
+}
+
+func validateV1ID(id string) error {
+	if ok := validHex.MatchString(id); !ok {
+		return fmt.Errorf("image ID %q is invalid", id)
+	}
+	return nil
+}
--- a/docker_image_dest.go
+++ b/docker_image_dest.go
@ -0,0 +1,110 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/projectatomic/skopeo/dockerutils"
+	"github.com/projectatomic/skopeo/reference"
+	"github.com/projectatomic/skopeo/types"
+)
+
+type dockerImageDestination struct {
+	ref reference.Named
+	tag string
+	c   *dockerClient
+}
+
+// NewDockerImageDestination creates a new ImageDestination for the specified image and connection specification.
+func NewDockerImageDestination(img, certPath string, tlsVerify bool) (types.ImageDestination, error) {
+	ref, tag, err := parseDockerImageName(img)
+	if err != nil {
+		return nil, err
+	}
+	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
+	if err != nil {
+		return nil, err
+	}
+	return &dockerImageDestination{
+		ref: ref,
+		tag: tag,
+		c:   c,
+	}, nil
+}
+
+func (d *dockerImageDestination) CanonicalDockerReference() (string, error) {
+	return fmt.Sprintf("%s:%s", d.ref.Name(), d.tag), nil
+}
+
+func (d *dockerImageDestination) PutManifest(manifest []byte) error {
+	// FIXME: This only allows upload by digest, not creating a tag.  See the
+	// corresponding comment in NewOpenshiftImageDestination.
+	digest, err := dockerutils.ManifestDigest(manifest)
+	if err != nil {
+		return err
+	}
+	url := fmt.Sprintf(manifestURL, d.ref.RemoteName(), digest)
+
+	headers := map[string]string{}
+	mimeType := dockerutils.GuessManifestMIMEType(manifest)
+	if mimeType != "" {
+		headers["Content-Type"] = mimeType
+	}
+	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(manifest))
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusCreated {
+		body, err := ioutil.ReadAll(res.Body)
+		if err == nil {
+			logrus.Debugf("Error body %s", string(body))
+		}
+		logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
+		return fmt.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode)
+	}
+	return nil
+}
+
+func (d *dockerImageDestination) PutLayer(digest string, stream io.Reader) error {
+	checkURL := fmt.Sprintf(blobsURL, d.ref.RemoteName(), digest)
+
+	logrus.Debugf("Checking %s", checkURL)
+	res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode == http.StatusOK && res.Header.Get("Docker-Content-Digest") == digest {
+		logrus.Debugf("... already exists, not uploading")
+		return nil
+	}
+	logrus.Debugf("... failed, status %d", res.StatusCode)
+
+	// FIXME? Chunked upload, progress reporting, etc.
+	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.RemoteName(), digest)
+	logrus.Debugf("Uploading %s", uploadURL)
+	// FIXME: Set Content-Length?
+	res, err = d.c.makeRequest("POST", uploadURL, map[string]string{"Content-Type": "application/octet-stream"}, stream)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusCreated {
+		logrus.Debugf("Error uploading, status %d", res.StatusCode)
+		return fmt.Errorf("Error uploading to %s, status %d", uploadURL, res.StatusCode)
+	}
+
+	return nil
+}
+
+func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
+	if len(signatures) != 0 {
+		return fmt.Errorf("Pushing signatures to a Docker Registry is not supported")
+	}
+	return nil
+}
--- a/docker_image_src.go
+++ b/docker_image_src.go
@ -0,0 +1,86 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/projectatomic/skopeo/reference"
+	"github.com/projectatomic/skopeo/types"
+)
+
+type errFetchManifest struct {
+	statusCode int
+	body       []byte
+}
+
+func (e errFetchManifest) Error() string {
+	return fmt.Sprintf("error fetching manifest: status code: %d, body: %s", e.statusCode, string(e.body))
+}
+
+type dockerImageSource struct {
+	ref reference.Named
+	tag string
+	c   *dockerClient
+}
+
+// newDockerImageSource is the same as NewDockerImageSource, only it returns the more specific *dockerImageSource type.
+func newDockerImageSource(img, certPath string, tlsVerify bool) (*dockerImageSource, error) {
+	ref, tag, err := parseDockerImageName(img)
+	if err != nil {
+		return nil, err
+	}
+	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
+	if err != nil {
+		return nil, err
+	}
+	return &dockerImageSource{
+		ref: ref,
+		tag: tag,
+		c:   c,
+	}, nil
+}
+
+// NewDockerImageSource creates a new ImageSource for the specified image and connection specification.
+func NewDockerImageSource(img, certPath string, tlsVerify bool) (types.ImageSource, error) {
+	return newDockerImageSource(img, certPath, tlsVerify)
+}
+
+func (s *dockerImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
+	url := fmt.Sprintf(manifestURL, s.ref.RemoteName(), s.tag)
+	// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
+	// TODO(runcom) NO, switch on the resulter manifest like Docker is doing
+	res, err := s.c.makeRequest("GET", url, nil, nil)
+	if err != nil {
+		return nil, "", err
+	}
+	defer res.Body.Close()
+	manblob, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, "", err
+	}
+	if res.StatusCode != http.StatusOK {
+		return nil, "", errFetchManifest{res.StatusCode, manblob}
+	}
+	return manblob, res.Header.Get("Docker-Content-Digest"), nil
+}
+
+func (s *dockerImageSource) GetLayer(digest string) (io.ReadCloser, error) {
+	url := fmt.Sprintf(blobsURL, s.ref.RemoteName(), digest)
+	logrus.Infof("Downloading %s", url)
+	res, err := s.c.makeRequest("GET", url, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusOK {
+		// print url also
+		return nil, fmt.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
+	}
+	return res.Body, nil
+}
+
+func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
+	return [][]byte{}, nil
+}
--- a/docker_utils.go
+++ b/docker_utils.go
@ -0,0 +1,22 @@
+package main
+
+import "github.com/projectatomic/skopeo/reference"
+
+// parseDockerImageName converts a string into a reference and tag value.
+func parseDockerImageName(img string) (reference.Named, string, error) {
+	ref, err := reference.ParseNamed(img)
+	if err != nil {
+		return nil, "", err
+	}
+	if reference.IsNameOnly(ref) {
+		ref = reference.WithDefaultTag(ref)
+	}
+	var tag string
+	switch x := ref.(type) {
+	case reference.Canonical:
+		tag = x.Digest().String()
+	case reference.NamedTagged:
+		tag = x.Tag()
+	}
+	return ref, tag, nil
+}