github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

remotes/docker/config: Skipping TLS verification for localhost

Browse Source 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
This commit is contained in:
Iceber Gu 2022-09-13 17:16:08 +08:00
parent 99ee82d0b6
commit 3cfde732e1
3 changed files with 28 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/cri/server/image_pull.go
View File

@ -400,7 +400,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
if err != nil { if err != nil {
return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err) return nil, fmt.Errorf("get TLSConfig for registry %q: %w", e, err)
} }
} else if isLocalHost(host) && u.Scheme == "http" { } else if docker.IsLocalhost(host) && u.Scheme == "http" {
// Skipping TLS verification for localhost // Skipping TLS verification for localhost
transport.TLSClientConfig = &tls.Config{ transport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: true,
@ -445,26 +445,12 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
// defaultScheme returns the default scheme for a registry host. // defaultScheme returns the default scheme for a registry host.
func defaultScheme(host string) string { func defaultScheme(host string) string {
if isLocalHost(host) { if docker.IsLocalhost(host) {
return "http" return "http"
} }
return "https" return "https"
} }
// isLocalHost checks if the registry host is local.
func isLocalHost(host string) bool {
if h, _, err := net.SplitHostPort(host); err == nil {
host = h
}
if host == "localhost" {
return true
}
ip := net.ParseIP(host)
return ip.IsLoopback()
}
// addDefaultScheme returns the endpoint with default scheme // addDefaultScheme returns the endpoint with default scheme
func addDefaultScheme(endpoint string) (string, error) { func addDefaultScheme(endpoint string) (string, error) {
if strings.Contains(endpoint, "://") { if strings.Contains(endpoint, "://") {

11
remotes/docker/config/hosts.go
View File

@ -99,6 +99,17 @@ func ConfigureHosts(ctx context.Context, options HostOptions) docker.RegistryHos
if host == "docker.io" { if host == "docker.io" {
hosts[len(hosts)-1].scheme = "https" hosts[len(hosts)-1].scheme = "https"
hosts[len(hosts)-1].host = "registry-1.docker.io" hosts[len(hosts)-1].host = "registry-1.docker.io"
} else if docker.IsLocalhost(host) {
hosts[len(hosts)-1].host = host
if options.DefaultScheme == "" || options.DefaultScheme == "http" {
hosts[len(hosts)-1].scheme = "http"
// Skipping TLS verification for localhost
var skipVerify = true
hosts[len(hosts)-1].skipVerify = &skipVerify
} else {
hosts[len(hosts)-1].scheme = options.DefaultScheme
}
} else { } else {
hosts[len(hosts)-1].host = host hosts[len(hosts)-1].host = host
if options.DefaultScheme != "" { if options.DefaultScheme != "" {

15
remotes/docker/resolver.go
View File

@ -21,6 +21,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"net"
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
@ -667,3 +668,17 @@ func responseFields(resp *http.Response) logrus.Fields {
return logrus.Fields(fields) return logrus.Fields(fields)
} }
// IsLocalhost checks if the registry host is local.
func IsLocalhost(host string) bool {
if h, _, err := net.SplitHostPort(host); err == nil {
host = h
}
if host == "localhost" {
return true
}
ip := net.ParseIP(host)
return ip.IsLoopback()
}