New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Registry host configuration cleanup #47380
base: master
Are you sure you want to change the base?
Conversation
e99532d
to
e3fb795
Compare
Couple of failures that look related. Could be that the test was written for a specific error output though (these are the integration-cli tests, which use a fixed, old version of the CLI), or perhaps we're missing some conversion for errors returned 🤔
|
11ed7f8
to
28acdd4
Compare
Marked this as ready to go. I fixed the authorizer with the containerd image service resolver. The other failures now don't seem related, look like flakes. |
daemon/hosts.go
Outdated
isLocalhost, err := docker.MatchLocalhost(hosts[i].Host) | ||
if err != nil { | ||
continue | ||
} | ||
if isLocalhost { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this make only the localhost insecure registries use the http fallback?
Also, shouldn't localhost registries should always use the http fallback by default, even if they're not explicitly an insecure registry?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't look at this PR in-depth, but I think we have some code somewhere that automatically adds localhost (more factually; the loopback range) as insecure), so it's possible that it's already automatically configured as insecure before we hit this code (????);
Insecure Registries:
127.0.0.0/8
(Now wondering if that should also include the IPv6 loopback address ::1
, but I guess that's a separate topic).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dmcgowan could you have a look?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this make only the localhost insecure registries use the http fallback?
It was intentional here to only use this for localhost since stepping down from insecure TLS to HTTP on localhost does not have the same implications as non-localhost. Although to keep the functionality the same in regards to the existing ambiguity over the meaning of "insecure" this could be applied to all hosts. In that case an empty TLS config would need to be generated if not set still to match existing logic I think.
I need to find a better approach for skipping over the legacy config, currently it checks for a nil configuration but I don't believe that is ever nil. Ideally the new (and less ambiguous) configuration files can be used without hitting the legacy merge logic when no legacy configuration is provided.
Also, shouldn't localhost registries should always use the http fallback by default, even if they're not explicitly an insecure registry?
I think that is up to the default configuration, as @thaJeztah mentioned, localhost is added by default. (see https://github.com/moby/moby/blob/master/registry/config.go#L187).
Now wondering if that should also include the IPv6 loopback address ::1 , but I guess that's a separate topic
Probably wouldn't hurt to add as a default, we should just make sure the behavior is the same with the new configuration and deprecate the old one.
There is a pending fix for the http handler on the containerd side that we can wait for in 1.7 before updating this one. Also on another look I'm not sure checking for the service config being nil as the switch to merge in the legacy config is sufficient, especially if the legacy config is allowing for a more loose definition of "insecure" for non-localhost registries. |
28acdd4
to
4e5cf6d
Compare
Pushed an update the fixes I mentioned. As for the containerd fix, we need to handle TLS handshake timeouts (see containerd/containerd#10014). Although the current version we have also has this issue, so it might not be a blocker for taking this change in. There will be a followup regardless. |
4e5cf6d
to
5abfc63
Compare
This logic is going to be updated to use the new containerd resolver and needs all the logic handling resolution in the package where it is used. Signed-off-by: Derek McGowan <derek@mcg.dev>
5abfc63
to
8512eb4
Compare
daemon/hosts.go
Outdated
} | ||
if err == nil && u.Host != "" { | ||
h.Host = u.Host | ||
h.Path = strings.TrimRight(u.Path, "/") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would u.Path
ever have multiple trailing slashes (after parsing?) if not, and it will always be one, then perhaps this should be TrimSuffix https://pkg.go.dev/strings#TrimSuffix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is needed to trim but updated to TrimSuffix
Signed-off-by: Derek McGowan <derek@mcg.dev>
Use the daemon's configuration to check whether the legacy registry configuration is used. Only attempt to merge with the legacy configuration if it has been provided. This avoids merging in based on a defaulted legacy config. Signed-off-by: Derek McGowan <derek@mcg.dev>
Note that while it is not safe to use http fallback on non-localhost registries, this can be avoided using the new host directories. The previous legacy insecure configuration is ambiguous and less secure. Signed-off-by: Derek McGowan <derek@mcg.dev>
1939df7
to
9d15d56
Compare
Move the conversion to its own function and add unit tests. Signed-off-by: Derek McGowan <derek@mcg.dev>
9d15d56
to
a404358
Compare
First commit copies the resolver code from buildkit with fix for insecure registries and could be backported.
Second commit cleans up the resolve logic using containerd's host config.
closes #47240