vbatts/registry
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

registry: handle unresolvable domain names in isSecure

Browse source 
to allow HTTP proxies to work as expected.

Fixes #9708

Signed-off-by: Tibor Vass <teabee89@gmail.com>
This commit is contained in:
Tibor Vass 2014-12-18 19:13:56 -05:00
parent 807bb5eb18
commit d1fcbd9028
1 changed files with 19 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
docs/endpoint.go
View file

@ -163,7 +163,10 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered // If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
// insecure. // insecure.
// //
// hostname should be a URL.Host (`host:port` or `host`) // hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
// in a subnet. If the resolving is not successful, isSecure will only try to match hostname to any element
// of insecureRegistries.
func isSecure(hostname string, insecureRegistries []string) (bool, error) { func isSecure(hostname string, insecureRegistries []string) (bool, error) {
if hostname == IndexServerURL.Host { if hostname == IndexServerURL.Host {
return true, nil return true, nil
@ -177,29 +180,30 @@ func isSecure(hostname string, insecureRegistries []string) (bool, error) {
addrs, err := lookupIP(host) addrs, err := lookupIP(host)
if err != nil { if err != nil {
ip := net.ParseIP(host) ip := net.ParseIP(host)
if ip == nil { if ip != nil {
// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway addrs = []net.IP{ip}
return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
} }
addrs = []net.IP{ip}
} // if ip == nil, then `host` is neither an IP nor it could be looked up,
if len(addrs) == 0 { // either because the index is unreachable, or because the index is behind an HTTP proxy.
return true, fmt.Errorf("issecure: could not resolve %q", host) // So, len(addrs) == 0 and we're not aborting.
} }
for _, addr := range addrs { for _, r := range insecureRegistries {
for _, r := range insecureRegistries { if hostname == r || host == r {
// hostname matches insecure registry // hostname matches insecure registry
if hostname == r { return false, nil
return false, nil }
}
// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
for _, addr := range addrs {
// now assume a CIDR was passed to --insecure-registry // now assume a CIDR was passed to --insecure-registry
_, ipnet, err := net.ParseCIDR(r) _, ipnet, err := net.ParseCIDR(r)
if err != nil { if err != nil {
// if could not parse it as a CIDR, even after removing // if we could not parse it as a CIDR, even after removing
// assume it's not a CIDR and go on with the next candidate // assume it's not a CIDR and go on with the next candidate
continue break
} }
// check if the addr falls in the subnet // check if the addr falls in the subnet