From 508e9eb89bdbee95823699d3f321842617de2c50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 2 May 2023 21:29:34 +0200 Subject: [PATCH 1/6] Directly replace deprecated dockerclient.NewClient MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... with its current exact equivalent. Simplifications will follow. Should not change behavior. Signed-off-by: Miloslav Trmač --- docker/daemon/client.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docker/daemon/client.go b/docker/daemon/client.go index 7d2a98d684..edfa301e10 100644 --- a/docker/daemon/client.go +++ b/docker/daemon/client.go @@ -47,7 +47,12 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { } } - return dockerclient.NewClient(host, defaultAPIVersion, httpClient, nil) + return dockerclient.NewClientWithOpts( + dockerclient.WithHost(host), + dockerclient.WithVersion(defaultAPIVersion), + dockerclient.WithHTTPClient(httpClient), + dockerclient.WithHTTPHeaders(nil), + ) } func tlsConfig(sys *types.SystemContext) (*http.Client, error) { From 6cd6416a4060dc0183fc132a60af10a1e2d07cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 2 May 2023 21:32:26 +0200 Subject: [PATCH 2/6] Remove a do-nothing WithHTTPHeaders(nil) option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It is the default, so this should not change behavior. Signed-off-by: Miloslav Trmač --- docker/daemon/client.go | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/daemon/client.go b/docker/daemon/client.go index edfa301e10..ebdc6607e6 100644 --- a/docker/daemon/client.go +++ b/docker/daemon/client.go @@ -51,7 +51,6 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { dockerclient.WithHost(host), dockerclient.WithVersion(defaultAPIVersion), dockerclient.WithHTTPClient(httpClient), - dockerclient.WithHTTPHeaders(nil), ) } 
From 0857b77993a5ebddcf562deebcf67074619787ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 2 May 2023 21:36:08 +0200 Subject: [PATCH 3/6] Refactor building dockerclient options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... to allow conditionalizing how we set the HTTP client. Signed-off-by: Miloslav Trmač --- docker/daemon/client.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docker/daemon/client.go b/docker/daemon/client.go index ebdc6607e6..93a3d705d6 100644 --- a/docker/daemon/client.go +++ b/docker/daemon/client.go @@ -21,6 +21,11 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { host = sys.DockerDaemonHost } + opts := []dockerclient.Opt{ + dockerclient.WithHost(host), + dockerclient.WithVersion(defaultAPIVersion), + } + // Sadly, unix:// sockets don't work transparently with dockerclient.NewClient. // They work fine with a nil httpClient; with a non-nil httpClient, the transport’s // TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket @@ -46,12 +51,9 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { httpClient = hc } } + opts = append(opts, dockerclient.WithHTTPClient(httpClient)) - return dockerclient.NewClientWithOpts( - dockerclient.WithHost(host), - dockerclient.WithVersion(defaultAPIVersion), - dockerclient.WithHTTPClient(httpClient), - ) + return dockerclient.NewClientWithOpts(opts...) } func tlsConfig(sys *types.SystemContext) (*http.Client, error) { From e528c8a27239614c9e881493c76900437d047341 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 2 May 2023 21:40:25 +0200 Subject: [PATCH 4/6] Don't call dockerclient.WithHTTPClient(nil) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It has no effect. Should not change behavior. 
Signed-off-by: Miloslav Trmač --- docker/daemon/client.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docker/daemon/client.go b/docker/daemon/client.go index 93a3d705d6..eb677825f0 100644 --- a/docker/daemon/client.go +++ b/docker/daemon/client.go @@ -39,19 +39,18 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { if err != nil { return nil, err } - var httpClient *http.Client if serverURL.Scheme != "unix" { if serverURL.Scheme == "http" { - httpClient = httpConfig() + hc := httpConfig() + opts = append(opts, dockerclient.WithHTTPClient(hc)) } else { hc, err := tlsConfig(sys) if err != nil { return nil, err } - httpClient = hc + opts = append(opts, dockerclient.WithHTTPClient(hc)) } } - opts = append(opts, dockerclient.WithHTTPClient(httpClient)) return dockerclient.NewClientWithOpts(opts...) } From ea6543de26d5e1b53ee12f04bb3d4d5db4b17ab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 2 May 2023 21:55:01 +0200 Subject: [PATCH 5/6] Simplify, and better document, newDockerClient MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use a switch instead of nested ifs. Update the documentation, both to be a bit more specific about the mechanism, and also to say that we keep the HTTP special-case now that it exists, and document an alternative. Signed-off-by: Miloslav Trmač --- docker/daemon/client.go | 45 +++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/docker/daemon/client.go b/docker/daemon/client.go index eb677825f0..2c245f54f9 100644 --- a/docker/daemon/client.go +++ b/docker/daemon/client.go 
@@ -26,30 +26,41 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) { dockerclient.WithVersion(defaultAPIVersion), } - // Sadly, unix:// sockets don't work transparently with dockerclient.NewClient. - // They work fine with a nil httpClient; with a non-nil httpClient, the transport’s - // TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket - // regardless of the values in the *tls.Config), and we would have to call sockets.ConfigureTransport. + // We conditionalize building the TLS configuration only to TLS sockets: // - // We don't really want to configure anything for unix:// sockets, so just pass a nil *http.Client. + // The dockerclient.Client implementation differentiates between + // - Client.proto, which is ~how the connection is establishe (IP / AF_UNIX/Windows) + // - Client.scheme, which is what is sent over the connection (HTTP with/without TLS). // - // Similarly, if we want to communicate over plain HTTP on a TCP socket, we also need to set - // TLSClientConfig to nil. This can be achieved by using the form `http://` + // Only Client.proto is set from the URL in dockerclient.WithHost(), + // Client.scheme is detected based on a http.Client.TLSClientConfig presence; + // dockerclient.WithHTTPClient with a client that has TLSClientConfig set + // will, by default, trigger an attempt to use TLS. + // + // So, don’t use WithHTTPClient for unix:// sockets at all. + // + // Similarly, if we want to communicate over plain HTTP on a TCP socket (http://), + // we also should not set TLSClientConfig. We continue to use WithHTTPClient + // with our slightly non-default settings to avoid a behavior change on updates of c/image. + // + // Alternatively we could use dockerclient.WithScheme to drive the TLS/non-TLS logic + // explicitly, but we would still want to set WithHTTPClient (differently) for https:// and http:// ; + // so that would not be any simpler. 
serverURL, err := dockerclient.ParseHostURL(host) if err != nil { return nil, err } - if serverURL.Scheme != "unix" { - if serverURL.Scheme == "http" { - hc := httpConfig() - opts = append(opts, dockerclient.WithHTTPClient(hc)) - } else { - hc, err := tlsConfig(sys) - if err != nil { - return nil, err - } - opts = append(opts, dockerclient.WithHTTPClient(hc)) + switch serverURL.Scheme { + case "unix": // Nothing + case "http": + hc := httpConfig() + opts = append(opts, dockerclient.WithHTTPClient(hc)) + default: + hc, err := tlsConfig(sys) + if err != nil { + return nil, err } + opts = append(opts, dockerclient.WithHTTPClient(hc)) } return dockerclient.NewClientWithOpts(opts...) From 2aed0f2b706fac48a05134db25aa0e47710c4594 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 May 2023 11:05:46 +0000 Subject: [PATCH 6/6] fix(deps): update module github.com/docker/docker to v23.0.5+incompatible Signed-off-by: Renovate Bot --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 64d65c3300..a7e873dbe5 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/containers/storage v1.46.1 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 github.com/docker/distribution v2.8.1+incompatible - github.com/docker/docker v23.0.4+incompatible + github.com/docker/docker v23.0.5+incompatible github.com/docker/docker-credential-helpers v0.7.0 github.com/docker/go-connections v0.4.0 github.com/go-openapi/strfmt v0.21.7 diff --git a/go.sum b/go.sum index 36b436db9e..d49797bebe 100644 --- a/go.sum +++ b/go.sum 
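Review bot: The `default:` arm of the new `switch serverURL.Scheme` sends every scheme other than `unix` and `http` through `tlsConfig(sys)`, but nothing at the arm says which schemes are expected there, even though the added comment lists Windows transports among the ways a connection is established. Falling back to TLS for an unrecognised scheme is the safe direction, and stating that intent keeps a later edit from turning the fallback into the plaintext path; I would write `default: // tcp://, https:// and anything unrecognised: always the TLS client`. If a non-IP transport other than `unix` can reach this switch (not determinable from the hunk), it presumably needs the same no-`WithHTTPClient` treatment as `case "unix"`, by the comment's own reasoning about `TLSClientConfig`. In the added comment, `establishe` should read `established`. The body of `newDockerClient` starts above this hunk.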
@@ -274,8 +274,8 @@ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek= -github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k= +github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=