1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add the possibility of specifying a subnet for --insecure-registry

Signed-off-by: Tibor Vass <teabee89@gmail.com>

Conflicts:
	registry/endpoint.go
This commit is contained in:
Tibor Vass 2014-11-11 16:31:15 -05:00
parent eb3738347a
commit 5e2d02ab73
5 changed files with 103 additions and 15 deletions

View file

@ -56,7 +56,7 @@ func (config *Config) InstallFlags() {
flag.StringVar(&config.BridgeIP, []string{"#bip", "-bip"}, "", "Use this CIDR notation address for the network bridge's IP, not compatible with -b") flag.StringVar(&config.BridgeIP, []string{"#bip", "-bip"}, "", "Use this CIDR notation address for the network bridge's IP, not compatible with -b")
flag.StringVar(&config.BridgeIface, []string{"b", "-bridge"}, "", "Attach containers to a pre-existing network bridge\nuse 'none' to disable container networking") flag.StringVar(&config.BridgeIface, []string{"b", "-bridge"}, "", "Attach containers to a pre-existing network bridge\nuse 'none' to disable container networking")
flag.StringVar(&config.FixedCIDR, []string{"-fixed-cidr"}, "", "IPv4 subnet for fixed IPs (ex: 10.20.0.0/16)\nthis subnet must be nested in the bridge subnet (which is defined by -b or --bip)") flag.StringVar(&config.FixedCIDR, []string{"-fixed-cidr"}, "", "IPv4 subnet for fixed IPs (ex: 10.20.0.0/16)\nthis subnet must be nested in the bridge subnet (which is defined by -b or --bip)")
opts.ListVar(&config.InsecureRegistries, []string{"-insecure-registry"}, "Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback)") opts.ListVar(&config.InsecureRegistries, []string{"-insecure-registry"}, "Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16)")
flag.BoolVar(&config.InterContainerCommunication, []string{"#icc", "-icc"}, true, "Enable inter-container communication") flag.BoolVar(&config.InterContainerCommunication, []string{"#icc", "-icc"}, true, "Enable inter-container communication")
flag.StringVar(&config.GraphDriver, []string{"s", "-storage-driver"}, "", "Force the Docker runtime to use a specific storage driver") flag.StringVar(&config.GraphDriver, []string{"s", "-storage-driver"}, "", "Force the Docker runtime to use a specific storage driver")
flag.StringVar(&config.ExecDriver, []string{"e", "-exec-driver"}, "native", "Force the Docker runtime to use a specific exec driver") flag.StringVar(&config.ExecDriver, []string{"e", "-exec-driver"}, "native", "Force the Docker runtime to use a specific exec driver")
@ -68,6 +68,14 @@ func (config *Config) InstallFlags() {
opts.IPListVar(&config.Dns, []string{"#dns", "-dns"}, "Force Docker to use specific DNS servers") opts.IPListVar(&config.Dns, []string{"#dns", "-dns"}, "Force Docker to use specific DNS servers")
opts.DnsSearchListVar(&config.DnsSearch, []string{"-dns-search"}, "Force Docker to use specific DNS search domains") opts.DnsSearchListVar(&config.DnsSearch, []string{"-dns-search"}, "Force Docker to use specific DNS search domains")
opts.MirrorListVar(&config.Mirrors, []string{"-registry-mirror"}, "Specify a preferred Docker registry mirror") opts.MirrorListVar(&config.Mirrors, []string{"-registry-mirror"}, "Specify a preferred Docker registry mirror")
// Localhost is by default considered as an insecure registry
// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
//
// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
// daemon flags on boot2docker?
// If so, do not forget to check the TODO in TestIsSecure
config.InsecureRegistries = append(config.InsecureRegistries, "127.0.0.0/8")
} }
func GetDefaultNetworkMtu() int { func GetDefaultNetworkMtu() int {

View file

@ -70,7 +70,7 @@ expect an integer, and they can only be specified once.
-g, --graph="/var/lib/docker" Path to use as the root of the Docker runtime -g, --graph="/var/lib/docker" Path to use as the root of the Docker runtime
-H, --host=[] The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd. -H, --host=[] The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
--icc=true Enable inter-container communication --icc=true Enable inter-container communication
--insecure-registry=[] Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) --insecure-registry=[] Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (ex: localhost:5000 or 10.20.0.0/16)
--ip=0.0.0.0 Default IP address to use when binding container ports --ip=0.0.0.0 Default IP address to use when binding container ports
--ip-forward=true Enable net.ipv4.ip_forward --ip-forward=true Enable net.ipv4.ip_forward
--ip-masq=true Enable IP masquerading for bridge's IP range --ip-masq=true Enable IP masquerading for bridge's IP range

View file

@ -4,6 +4,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
@ -11,6 +12,9 @@ import (
"github.com/docker/docker/pkg/log" "github.com/docker/docker/pkg/log"
) )
// for mocking in unit tests
var lookupIP = net.LookupIP
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version. // scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
func scanForApiVersion(hostname string) (string, APIVersion) { func scanForApiVersion(hostname string) (string, APIVersion) {
var ( var (
@ -78,7 +82,10 @@ func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
if err != nil { if err != nil {
return nil, err return nil, err
} }
endpoint.secure = isSecure(endpoint.URL.Host, insecureRegistries) endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
if err != nil {
return nil, err
}
return &endpoint, nil return &endpoint, nil
} }
@ -151,16 +158,56 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
// isSecure returns false if the provided hostname is part of the list of insecure registries. // isSecure returns false if the provided hostname is part of the list of insecure registries.
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs. // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
func isSecure(hostname string, insecureRegistries []string) bool { //
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
// insecure.
//
// hostname should be a URL.Host (`host:port` or `host`)
func isSecure(hostname string, insecureRegistries []string) (bool, error) {
if hostname == IndexServerURL.Host { if hostname == IndexServerURL.Host {
return true return true, nil
} }
for _, h := range insecureRegistries { host, _, err := net.SplitHostPort(hostname)
if hostname == h { if err != nil {
return false // assume hostname is of the form `host` without the port and go on.
host = hostname
}
addrs, err := lookupIP(host)
if err != nil {
ip := net.ParseIP(host)
if ip == nil {
// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway
return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
}
addrs = []net.IP{ip}
}
if len(addrs) == 0 {
return true, fmt.Errorf("issecure: could not resolve %q", host)
}
for _, addr := range addrs {
for _, r := range insecureRegistries {
// hostname matches insecure registry
if hostname == r {
return false, nil
}
// now assume a CIDR was passed to --insecure-registry
_, ipnet, err := net.ParseCIDR(r)
if err != nil {
// if could not parse it as a CIDR, even after removing
// assume it's not a CIDR and go on with the next candidate
continue
}
// check if the addr falls in the subnet
if ipnet.Contains(addr) {
return false, nil
}
} }
} }
return true return true, nil
} }

View file

@ -2,9 +2,11 @@ package registry
import ( import (
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"net"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
@ -80,6 +82,11 @@ var (
"latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d", "latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
}, },
} }
mockHosts = map[string][]net.IP{
"": {net.ParseIP("0.0.0.0")},
"localhost": {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
"example.com": {net.ParseIP("42.42.42.42")},
}
) )
func init() { func init() {
@ -106,6 +113,25 @@ func init() {
panic(err) panic(err)
} }
insecureRegistries = []string{URL.Host} insecureRegistries = []string{URL.Host}
// override net.LookupIP
lookupIP = func(host string) ([]net.IP, error) {
if host == "127.0.0.1" {
// I believe in future Go versions this will fail, so let's fix it later
return net.LookupIP(host)
}
for h, addrs := range mockHosts {
if host == h {
return addrs, nil
}
for _, addr := range addrs {
if addr.String() == host {
return []net.IP{addr}, nil
}
}
}
return nil, errors.New("lookup: no such host")
}
} }
func handlerAccessLog(handler http.Handler) http.Handler { func handlerAccessLog(handler http.Handler) http.Handler {

View file

@ -330,19 +330,26 @@ func TestIsSecure(t *testing.T) {
{"localhost:5000", []string{"localhost:5000"}, false}, {"localhost:5000", []string{"localhost:5000"}, false},
{"localhost", []string{"example.com"}, false}, {"localhost", []string{"example.com"}, false},
{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false}, {"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
{"localhost", []string{}, false}, {"localhost", nil, false},
{"localhost:5000", []string{}, false}, {"localhost:5000", nil, false},
{"127.0.0.1", []string{}, false}, {"127.0.0.1", nil, false},
{"localhost", []string{"example.com"}, false}, {"localhost", []string{"example.com"}, false},
{"127.0.0.1", []string{"example.com"}, false}, {"127.0.0.1", []string{"example.com"}, false},
{"example.com", []string{}, true}, {"example.com", nil, true},
{"example.com", []string{"example.com"}, false}, {"example.com", []string{"example.com"}, false},
{"127.0.0.1", []string{"example.com"}, false}, {"127.0.0.1", []string{"example.com"}, false},
{"127.0.0.1:5000", []string{"example.com"}, false}, {"127.0.0.1:5000", []string{"example.com"}, false},
{"example.com:5000", []string{"42.42.0.0/16"}, false},
{"example.com", []string{"42.42.0.0/16"}, false},
{"example.com:5000", []string{"42.42.42.42/8"}, false},
{"127.0.0.1:5000", []string{"127.0.0.0/8"}, false},
{"42.42.42.42:5000", []string{"42.1.1.1/8"}, false},
} }
for _, tt := range tests { for _, tt := range tests {
if sec := isSecure(tt.addr, tt.insecureRegistries); sec != tt.expected { // TODO: remove this once we remove localhost insecure by default
t.Errorf("isSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec) insecureRegistries := append(tt.insecureRegistries, "127.0.0.0/8")
if sec, err := isSecure(tt.addr, insecureRegistries); err != nil || sec != tt.expected {
t.Fatalf("isSecure failed for %q %v, expected %v got %v. Error: %v", tt.addr, insecureRegistries, tt.expected, sec, err)
} }
} }
} }