Fix error checking when pulling from an insecure registry

The call to an unsecure registry doesn't return an error saying that the "server gave an HTTP response to an HTTPS client" but a tls.RecordHeaderError saying that the "first record does not look like a TLS handshake", this changeset looks for the right error for that case. This fixes the http fallback when using an insecure registry Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-04-12 13:00:48 +02:00 · 2023-04-12 13:00:48 +02:00 · f696a1b3b3
commit f696a1b3b3
parent 0154746b9f
1 changed files with 12 additions and 7 deletions
--- a/daemon/containerd/resolver.go
+++ b/daemon/containerd/resolver.go
@ -1,8 +1,9 @@
 package containerd

 import (
+	"crypto/tls"
+	"errors"
 	"net/http"
-	"strings"

 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
@ -72,12 +73,16 @@ type httpFallback struct {

 func (f httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
 	resp, err := f.super.RoundTrip(r)
-	if err != nil {
-		if strings.Contains(err.Error(), "http: server gave HTTP response to HTTPS client") {
-			plain := r.Clone(r.Context())
-			plain.URL.Scheme = "http"
-			return http.DefaultTransport.RoundTrip(plain)
-		}
+	var tlsErr tls.RecordHeaderError
+	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+		// server gave HTTP response to HTTPS client
+		plainHttpUrl := *r.URL
+		plainHttpUrl.Scheme = "http"
+
+		plainHttpRequest := *r
+		plainHttpRequest.URL = &plainHttpUrl
+
+		return http.DefaultTransport.RoundTrip(&plainHttpRequest)
 	}

 	return resp, err