Fix http client when TLS is enabled.

Signed-off-by: Lantao Liu <lantaol@google.com>
2019-06-11 22:28:48 -07:00 · 2019-06-11 22:28:48 -07:00 · 55e5ce0e95
commit 55e5ce0e95
parent b3f733f0ad
1 changed files with 31 additions and 13 deletions
--- a/pkg/server/image_pull.go
+++ b/pkg/server/image_pull.go
@ -21,9 +21,11 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"

 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/errdefs"
@ -251,8 +253,8 @@ func (c *criService) credentials(auth *runtime.AuthConfig) func(string) (string,
 	}
 }

-// getRegistryTLSTransport returns a http.Transport configured with a CA/Cert/Key specified by registryTLSConfig
-func (c *criService) getRegistryTLSTransport(ctx context.Context, registryTLSConfig config.TLSConfig) (*http.Transport, error) {
+// getTLSConfig returns a TLSConfig configured with a CA/Cert/Key specified by registryTLSConfig
+func (c *criService) getTLSConfig(registryTLSConfig config.TLSConfig) (*tls.Config, error) {
 	cert, err := tls.LoadX509KeyPair(registryTLSConfig.CertFile, registryTLSConfig.KeyFile)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load cert file")
@ -273,9 +275,7 @@ func (c *criService) getRegistryTLSTransport(ctx context.Context, registryTLSCon
 		RootCAs:      caCertPool,
 	}
 	tlsConfig.BuildNameToCertificate()
-	transport := &http.Transport{TLSClientConfig: tlsConfig}
-
-	return transport, nil
+	return tlsConfig, nil
 }

 // getResolver tries registry mirrors and the default registry, and returns the resolver and descriptor
@ -286,7 +286,10 @@ func (c *criService) getResolver(ctx context.Context, ref string, cred func(stri
 		return nil, imagespec.Descriptor{}, errors.Wrap(err, "parse image reference")
 	}

-	httpClient := http.DefaultClient
+	var (
+		transport  = newTransport()
+		httpClient = &http.Client{Transport: transport}
+	)

 	// Try mirrors in order first, and then try default host name.
 	for _, e := range c.config.Registry.Mirrors[refspec.Hostname()].Endpoints {
@ -296,15 +299,14 @@ func (c *criService) getResolver(ctx context.Context, ref string, cred func(stri
 		}

 		if registryTLSConfig, ok := c.config.Registry.TLSConfigs[u.Host]; ok {
-			tlsTransport, err := c.getRegistryTLSTransport(ctx, registryTLSConfig)
+			transport.TLSClientConfig, err = c.getTLSConfig(registryTLSConfig)
 			if err != nil {
-				return nil, imagespec.Descriptor{}, errors.Wrapf(err, "get tlsTransport for registry %q", refspec.Hostname())
+				return nil, imagespec.Descriptor{}, errors.Wrapf(err, "get TLSConfig for registry %q", refspec.Hostname())
 			}
-			httpClient = &http.Client{Transport: tlsTransport}
 		}

 		resolver := docker.NewResolver(docker.ResolverOptions{
-			Authorizer: docker.NewAuthorizer(http.DefaultClient, cred),
+			Authorizer: docker.NewAuthorizer(httpClient, cred),
 			Client:     httpClient,
 			Host:       func(string) (string, error) { return u.Host, nil },
 			// By default use "https".
@ -323,11 +325,10 @@ func (c *criService) getResolver(ctx context.Context, ref string, cred func(stri
 		return nil, imagespec.Descriptor{}, errors.Wrapf(err, "get host for refspec %q", refspec.Hostname())
 	}
 	if registryTLSConfig, ok := c.config.Registry.TLSConfigs[hostname]; ok {
-		tlsTransport, err := c.getRegistryTLSTransport(ctx, registryTLSConfig)
+		transport.TLSClientConfig, err = c.getTLSConfig(registryTLSConfig)
 		if err != nil {
-			return nil, imagespec.Descriptor{}, errors.Wrapf(err, "get tlsTransport for registry %q", refspec.Hostname())
+			return nil, imagespec.Descriptor{}, errors.Wrapf(err, "get TLSConfig for registry %q", refspec.Hostname())
 		}
-		httpClient = &http.Client{Transport: tlsTransport}
 	}

 	resolver := docker.NewResolver(docker.ResolverOptions{
@ -340,3 +341,20 @@ func (c *criService) getResolver(ctx context.Context, ref string, cred func(stri
 	}
 	return resolver, desc, nil
 }
+
+// newTransport returns a new HTTP transport used to pull image.
+// TODO(random-liu): Create a library and share this code with `ctr`.
+func newTransport() *http.Transport {
+	return &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          10,
+		IdleConnTimeout:       30 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 5 * time.Second,
+	}
+}