Use Docker's official registry domain detection logic (#6360)

* Use Docker's official registry domain detection logic

Replace the custom IMAGE_WITH_HOST regex with a proper implementation
based on Docker's reference parser (vendor/github.com/distribution/
reference/normalize.go).

Changes:
- Change DOCKER_HUB from "hub.docker.com" to "docker.io" (official default)
- Add DOCKER_HUB_LEGACY for backward compatibility with "hub.docker.com"
- Add IMAGE_DOMAIN_REGEX and get_domain() function that properly detects:
  - localhost (with optional port)
  - Domains with "." (e.g., ghcr.io, 127.0.0.1)
  - Domains with ":" port (e.g., myregistry:5000)
  - IPv6 addresses (e.g., [::1]:5000)
- Update credential handling to support both docker.io and hub.docker.com
- Add comprehensive tests for domain detection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Refactor Docker domain detection to utils module

Move get_domain function to supervisor/docker/utils.py and rename it
to get_domain_from_image for consistency with get_registry_for_image.
Use named group in the regex for better readability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Rename domain to registry for consistency

Use consistent "registry" terminology throughout the codebase:
- Rename get_domain_from_image to get_registry_from_image
- Rename IMAGE_DOMAIN_REGEX to IMAGE_REGISTRY_REGEX
- Update named group from "domain" to "registry"
- Update all related comments and variable names

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: agners

supervisor/addons/build.py

@@ -23,7 +23,7 @@
     CpuArch,
 )
 from ..coresys import CoreSys, CoreSysAttributes
-from ..docker.const import DOCKER_HUB
+from ..docker.const import DOCKER_HUB, DOCKER_HUB_LEGACY
 from ..docker.interface import MAP_ARCH
 from ..exceptions import ConfigurationFileError, HassioArchNotFound
 from ..utils.common import FileConfiguration, find_one_filetype
@@ -155,8 +155,11 @@ def get_docker_config_json(self) -> str | None:
 
         # Use the actual registry URL for the key
         # Docker Hub uses "https://index.docker.io/v1/" as the key
+        # Support both docker.io (official) and hub.docker.com (legacy)
         registry_key = (
-            "https://index.docker.io/v1/" if registry == DOCKER_HUB else registry
+            "https://index.docker.io/v1/"
+            if registry in (DOCKER_HUB, DOCKER_HUB_LEGACY)
+            else registry
         )
 
         config = {"auths": {registry_key: {"auth": auth_string}}}

supervisor/docker/const.py

@@ -15,11 +15,12 @@
 
 RE_RETRYING_DOWNLOAD_STATUS = re.compile(r"Retrying in \d+ seconds?")
 
-# Docker Hub registry identifier
-DOCKER_HUB = "hub.docker.com"
+# Docker Hub registry identifier (official default)
+# Docker's default registry is docker.io
+DOCKER_HUB = "docker.io"
 
-# Regex to match images with a registry host (e.g., ghcr.io/org/image)
-IMAGE_WITH_HOST = re.compile(r"^((?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,})\/.+")
+# Legacy Docker Hub identifier for backward compatibility
+DOCKER_HUB_LEGACY = "hub.docker.com"
 
 
 class Capabilities(StrEnum):

supervisor/docker/interface.py

@@ -45,7 +45,13 @@
 from ..jobs.job_group import JobGroup
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..utils.sentry import async_capture_exception
-from .const import DOCKER_HUB, ContainerState, PullImageLayerStage, RestartPolicy
+from .const import (
+    DOCKER_HUB,
+    DOCKER_HUB_LEGACY,
+    ContainerState,
+    PullImageLayerStage,
+    RestartPolicy,
+)
 from .manager import CommandReturn, PullLogEntry
 from .monitor import DockerContainerStateEvent
 from .stats import DockerStats
@@ -184,7 +190,8 @@ def _get_credentials(self, image: str) -> dict:
             stored = self.sys_docker.config.registries[registry]
             credentials[ATTR_USERNAME] = stored[ATTR_USERNAME]
             credentials[ATTR_PASSWORD] = stored[ATTR_PASSWORD]
-            if registry != DOCKER_HUB:
+            # Don't include registry for Docker Hub (both official and legacy)
+            if registry not in (DOCKER_HUB, DOCKER_HUB_LEGACY):
                 credentials[ATTR_REGISTRY] = registry
 
             _LOGGER.debug(

supervisor/docker/manager.py

@@ -49,9 +49,10 @@
 )
 from ..utils.common import FileConfiguration
 from ..validate import SCHEMA_DOCKER_CONFIG
-from .const import DOCKER_HUB, IMAGE_WITH_HOST, LABEL_MANAGED
+from .const import DOCKER_HUB, DOCKER_HUB_LEGACY, LABEL_MANAGED
 from .monitor import DockerMonitor
 from .network import DockerNetwork
+from .utils import get_registry_from_image
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -212,19 +213,25 @@ def get_registry_for_image(self, image: str) -> str | None:
 
         Matches the image against configured registries and returns the registry
         name if found, or None if no matching credentials are configured.
+
+        Uses Docker's domain detection logic from:
+        vendor/github.com/distribution/reference/normalize.go
         """
         if not self.registries:
             return None
 
         # Check if image uses a custom registry (e.g., ghcr.io/org/image)
-        matcher = IMAGE_WITH_HOST.match(image)
-        if matcher:
-            registry = matcher.group(1)
+        registry = get_registry_from_image(image)
+        if registry:
             if registry in self.registries:
                 return registry
-        # If no registry prefix, check for Docker Hub credentials
-        elif DOCKER_HUB in self.registries:
-            return DOCKER_HUB
+        else:
+            # No registry prefix means Docker Hub
+            # Support both docker.io (official) and hub.docker.com (legacy)
+            if DOCKER_HUB in self.registries:
+                return DOCKER_HUB
+            if DOCKER_HUB_LEGACY in self.registries:
+                return DOCKER_HUB_LEGACY
 
         return None
 

supervisor/docker/utils.py

@@ -0,0 +1,57 @@
+"""Docker utilities."""
+
+from __future__ import annotations
+
+import re
+
+# Docker image reference domain regex
+# Based on Docker's reference implementation:
+# vendor/github.com/distribution/reference/normalize.go
+#
+# A domain is detected if the part before the first / contains:
+# - "localhost" (with optional port)
+# - Contains "." (like registry.example.com or 127.0.0.1)
+# - Contains ":" (like myregistry:5000)
+# - IPv6 addresses in brackets (like [::1]:5000)
+#
+# Note: Docker also treats uppercase letters as registry indicators since
+# namespaces must be lowercase, but this regex handles lowercase matching
+# and the get_registry_from_image() function validates the registry rules.
+IMAGE_REGISTRY_REGEX = re.compile(
+    r"^(?P<registry>"
+    r"localhost(?::[0-9]+)?|"  # localhost with optional port
+    r"(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])"  # domain component
+    r"(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))*"  # more components
+    r"(?::[0-9]+)?|"  # optional port
+    r"\[[a-fA-F0-9:]+\](?::[0-9]+)?"  # IPv6 with optional port
+    r")/"  # must be followed by /
+)
+
+
+def get_registry_from_image(image_ref: str) -> str | None:
+    """Extract registry from Docker image reference.
+
+    Returns the registry if the image reference contains one,
+    or None if the image uses Docker Hub (docker.io).
+
+    Based on Docker's reference implementation:
+    vendor/github.com/distribution/reference/normalize.go
+
+    Examples:
+        get_registry_from_image("nginx")                        -> None (docker.io)
+        get_registry_from_image("library/nginx")                -> None (docker.io)
+        get_registry_from_image("myregistry.com/nginx")         -> "myregistry.com"
+        get_registry_from_image("localhost/myimage")            -> "localhost"
+        get_registry_from_image("localhost:5000/myimage")       -> "localhost:5000"
+        get_registry_from_image("registry.io:5000/org/app:v1")  -> "registry.io:5000"
+        get_registry_from_image("[::1]:5000/myimage")           -> "[::1]:5000"
+
+    """
+    match = IMAGE_REGISTRY_REGEX.match(image_ref)
+    if match:
+        registry = match.group("registry")
+        # Must contain '.' or ':' or be 'localhost' to be a real registry
+        # This prevents treating "myuser/myimage" as having registry "myuser"
+        if "." in registry or ":" in registry or registry == "localhost":
+            return registry
+    return None  # No registry = Docker Hub (docker.io)

tests/docker/test_credentials.py

@@ -1,9 +1,49 @@
 """Test docker login."""
 
+import pytest
+
 # pylint: disable=protected-access
 from supervisor.coresys import CoreSys
-from supervisor.docker.const import DOCKER_HUB
+from supervisor.docker.const import DOCKER_HUB, DOCKER_HUB_LEGACY
 from supervisor.docker.interface import DockerInterface
+from supervisor.docker.utils import get_registry_from_image
+
+
+@pytest.mark.parametrize(
+    ("image_ref", "expected_registry"),
+    [
+        # No registry - Docker Hub images
+        ("nginx", None),
+        ("nginx:latest", None),
+        ("library/nginx", None),
+        ("library/nginx:latest", None),
+        ("homeassistant/amd64-supervisor", None),
+        ("homeassistant/amd64-supervisor:1.2.3", None),
+        # Registry with dot
+        ("ghcr.io/homeassistant/amd64-supervisor", "ghcr.io"),
+        ("ghcr.io/homeassistant/amd64-supervisor:latest", "ghcr.io"),
+        ("myregistry.com/nginx", "myregistry.com"),
+        ("registry.example.com/org/image:v1", "registry.example.com"),
+        ("127.0.0.1/myimage", "127.0.0.1"),
+        # Registry with port
+        ("myregistry:5000/myimage", "myregistry:5000"),
+        ("localhost:5000/myimage", "localhost:5000"),
+        ("registry.io:5000/org/app:v1", "registry.io:5000"),
+        # localhost special case
+        ("localhost/myimage", "localhost"),
+        ("localhost/myimage:tag", "localhost"),
+        # IPv6
+        ("[::1]:5000/myimage", "[::1]:5000"),
+        ("[2001:db8::1]:5000/myimage:tag", "[2001:db8::1]:5000"),
+    ],
+)
+def test_get_registry_from_image(image_ref: str, expected_registry: str | None):
+    """Test get_registry_from_image extracts registry from image reference.
+
+    Based on Docker's reference implementation:
+    vendor/github.com/distribution/reference/normalize.go
+    """
+    assert get_registry_from_image(image_ref) == expected_registry
 
 
 def test_no_credentials(coresys: CoreSys, test_docker_interface: DockerInterface):
@@ -47,3 +87,36 @@ def test_matching_credentials(coresys: CoreSys, test_docker_interface: DockerInt
     )
     assert credentials["username"] == "Spongebob Squarepants"
     assert "registry" not in credentials
+
+
+def test_legacy_docker_hub_credentials(
+    coresys: CoreSys, test_docker_interface: DockerInterface
+):
+    """Test legacy hub.docker.com credentials are used for Docker Hub images."""
+    coresys.docker.config._data["registries"] = {
+        DOCKER_HUB_LEGACY: {"username": "LegacyUser", "password": "Password1!"},
+    }
+
+    credentials = test_docker_interface._get_credentials(
+        "homeassistant/amd64-supervisor"
+    )
+    assert credentials["username"] == "LegacyUser"
+    # No registry should be included for Docker Hub
+    assert "registry" not in credentials
+
+
+def test_docker_hub_preferred_over_legacy(
+    coresys: CoreSys, test_docker_interface: DockerInterface
+):
+    """Test docker.io is preferred over legacy hub.docker.com when both exist."""
+    coresys.docker.config._data["registries"] = {
+        DOCKER_HUB: {"username": "NewUser", "password": "Password1!"},
+        DOCKER_HUB_LEGACY: {"username": "LegacyUser", "password": "Password2!"},
+    }
+
+    credentials = test_docker_interface._get_credentials(
+        "homeassistant/amd64-supervisor"
+    )
+    # docker.io should be preferred
+    assert credentials["username"] == "NewUser"
+    assert "registry" not in credentials