Explorar el Código

Fix error checking when pulling from an insecure registry

The call to an unsecure registry doesn't return an error saying that the
"server gave an HTTP response to an HTTPS client" but a
tls.RecordHeaderError saying that the "first record does not look like a
TLS handshake", this changeset looks for the right error for that case.

This fixes the http fallback when using an insecure registry

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Djordje Lukic hace 2 años
padre
commit
f696a1b3b3
Se han modificado 1 ficheros con 12 adiciones y 7 borrados
  1. 12 7
      daemon/containerd/resolver.go

+ 12 - 7
daemon/containerd/resolver.go

@@ -1,8 +1,9 @@
 package containerd
 
 import (
+	"crypto/tls"
+	"errors"
 	"net/http"
-	"strings"
 
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
@@ -72,12 +73,16 @@ type httpFallback struct {
 
 func (f httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
 	resp, err := f.super.RoundTrip(r)
-	if err != nil {
-		if strings.Contains(err.Error(), "http: server gave HTTP response to HTTPS client") {
-			plain := r.Clone(r.Context())
-			plain.URL.Scheme = "http"
-			return http.DefaultTransport.RoundTrip(plain)
-		}
+	var tlsErr tls.RecordHeaderError
+	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+		// server gave HTTP response to HTTPS client
+		plainHttpUrl := *r.URL
+		plainHttpUrl.Scheme = "http"
+
+		plainHttpRequest := *r
+		plainHttpRequest.URL = &plainHttpUrl
+
+		return http.DefaultTransport.RoundTrip(&plainHttpRequest)
 	}
 
 	return resp, err