From a70d7aaf282948c6873c03031cee0704cbe86476 Mon Sep 17 00:00:00 2001 From: Tibor Vass Date: Thu, 18 Dec 2014 19:13:02 -0500 Subject: [PATCH 1/2] registry: add tests for unresolvable domain names in isSecure Signed-off-by: Tibor Vass --- registry/registry_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/registry/registry_test.go b/registry/registry_test.go index 5fd80da100c10..06619aef431b0 100644 --- a/registry/registry_test.go +++ b/registry/registry_test.go @@ -348,6 +348,9 @@ func TestIsSecure(t *testing.T) { {"example.com:5000", []string{"42.42.42.42/8"}, false}, {"127.0.0.1:5000", []string{"127.0.0.0/8"}, false}, {"42.42.42.42:5000", []string{"42.1.1.1/8"}, false}, + {"invalid.domain.com", []string{"42.42.0.0/16"}, true}, + {"invalid.domain.com", []string{"invalid.domain.com"}, false}, + {"invalid.domain.com:5000", []string{"invalid.domain.com"}, false}, } for _, tt := range tests { // TODO: remove this once we remove localhost insecure by default From ff4bfcc0e9f171a95dac5cc2650faacf73943057 Mon Sep 17 00:00:00 2001 From: Tibor Vass Date: Thu, 18 Dec 2014 19:13:56 -0500 Subject: [PATCH 2/2] registry: handle unresolvable domain names in isSecure to allow HTTP proxies to work as expected. Fixes #9708 Signed-off-by: Tibor Vass --- registry/endpoint.go | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/registry/endpoint.go b/registry/endpoint.go index c485a13d8f2fe..8609486a2d766 100644 --- a/registry/endpoint.go +++ b/registry/endpoint.go @@ -163,7 +163,10 @@ func (e Endpoint) Ping() (RegistryInfo, error) { // If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered // insecure. // -// hostname should be a URL.Host (`host:port` or `host`) +// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name +// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained +// in a subnet. If the resolving is not successful, isSecure will only try to match hostname to any element +// of insecureRegistries. func isSecure(hostname string, insecureRegistries []string) (bool, error) { if hostname == IndexServerURL.Host { return true, nil @@ -177,29 +180,30 @@ func isSecure(hostname string, insecureRegistries []string) (bool, error) { addrs, err := lookupIP(host) if err != nil { ip := net.ParseIP(host) - if ip == nil { - // if resolving `host` fails, error out, since host is to be net.Dial-ed anyway - return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err) + if ip != nil { + addrs = []net.IP{ip} } - addrs = []net.IP{ip} - } - if len(addrs) == 0 { - return true, fmt.Errorf("issecure: could not resolve %q", host) + + // if ip == nil, then `host` is neither an IP nor it could be looked up, + // either because the index is unreachable, or because the index is behind an HTTP proxy. + // So, len(addrs) == 0 and we're not aborting. } - for _, addr := range addrs { - for _, r := range insecureRegistries { + for _, r := range insecureRegistries { + if hostname == r || host == r { // hostname matches insecure registry - if hostname == r { - return false, nil - } + return false, nil + } + + // Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined. + for _, addr := range addrs { // now assume a CIDR was passed to --insecure-registry _, ipnet, err := net.ParseCIDR(r) if err != nil { - // if could not parse it as a CIDR, even after removing + // if we could not parse it as a CIDR, even after removing // assume it's not a CIDR and go on with the next candidate - continue + break } // check if the addr falls in the subnet