@vsiravar

Bug fix to disable tls when http and tls is not configured.

@k8s-ci-robot

Hi @vsiravar. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vsiravar vsiravar force-pushed the vsiravar/fix-tls-http branch from e39ee2e to bf07706 Compare October 19, 2023 03:21
@thaJeztah
Member

Wondering if this was intentional / by design to match the original behavior in docker, where explicitly enabling or disabling verify meant: enable TLS, but with/without tls-verify. So disabling tls-verify still expects TLS to be configured (but maybe it's not! my eye just dropped on this PR, and I recall that behavior in docker)

/cc @dmcgowan perhaps you know if that was the original intent.

@dmcgowan
Member

@vsiravar Can you explain the bug in more detail? I know there is currently an issue we should probably fix where we shouldn't do the fallback when using a default port (for example don't try http on 443 or tls on 80). Not sure of the case you are describing here though.

@vsiravar
Author

I get a 401 forbidden error when I try to push an image to a localhost docker registry using basic auth. The repro steps, using nerdctl version 1.6.2:

$ sudo nerdctl run --entrypoint htpasswd   httpd:2 -Bbn testuser testpassword > auth/htpasswd

$ sudo nerdctl run -d   -p 5000:5000   --restart=always   --name registry   -v "$(pwd)"/auth:/auth   -e "REGISTRY_AUTH=htpasswd"   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd  registry:2

$ sudo nerdctl login -u testuser -p testpassword localhost:5000
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin. 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


$ sudo nerdctl pull ubuntu

$ sudo nerdctl image tag ubuntu localhost:5000/myfirstimage

$ sudo nerdctl image push localhost:5000/myfirstimage 
INFO[0000] pushing as a reduced-platform image (application/vnd.oci.image.index.v1+json, sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5) 
index-sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5:    waiting        |--------------------------------------| 
manifest-sha256:02410fbfad7f2842cce3cf7655828424f4f7f6b5105b0016e24f1676f3bd15f5: waiting        |--------------------------------------| 
config-sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.1 s                                                                    total:  2.3 Ki (22.5 KiB/s)                                      
FATA[0000] failed commit on ref "config-sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766": unexpected status from PUT request to http://localhost:5000/v2/myfirstimage/blobs/uploads/0f829b14-53cc-46b1-a151-dbdd3b9d4991?_state=DWt_yemFoeoznOHITw7Gbz5NAjxo-00R24jswo9HBAx7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiMGY4MjliMTQtNTNjYy00NmIxLWExNTEtZGJkZDNiOWQ0OTkxIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA0LjcyNzAzMzc3WiJ9&digest=sha256%3Ae343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766: 401 Unauthorized 
[siravara@lima-finch nerdctl]$ sudo nerdctl image push localhost:5000/myfirstimage --debug
DEBU[0000] converted                                     new="<nil>" old="{application/vnd.oci.image.layer.v1.tar+gzip sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107 27351048 [] map[] [] <nil> }"
DEBU[0000] converted                                     new="<nil>" old="{application/vnd.oci.image.config.v1+json sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766 2316 [] map[] [] <nil> }"
DEBU[0000] converted                                     new="<nil>" old="{application/vnd.oci.image.manifest.v1+json sha256:02410fbfad7f2842cce3cf7655828424f4f7f6b5105b0016e24f1676f3bd15f5 424 [] map[] [] 0x40009d74a0 }"
DEBU[0000] converted                                     new="&{application/vnd.oci.image.index.v1+json sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5 304 [] map[] [] <nil> }" old="{application/vnd.oci.image.index.v1+json sha256:2b7412e6465c3c7fc5bb21d3e6f1917c167358449fecac8176c6e496e5c1f05f 1133 [] map[] [] <nil> }"
INFO[0000] pushing as a reduced-platform image (application/vnd.oci.image.index.v1+json, sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5) 
DEBU[0000] Ignoring hosts dir "/etc/containerd/certs.d"  error="stat /etc/containerd/certs.d: no such file or directory"
DEBU[0000] Ignoring hosts dir "/etc/docker/certs.d"      error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0000] pushing                                       digest="sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5" image="localhost:5000/myfirstimage:latest"
DEBU[0000] push                                          digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip size=27351048
DEBU[0000] checking and pushing to                       digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] do request                                    digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip request.header.accept="application/vnd.oci.image.layer.v1.tar+gzip, */*" request.header.user-agent=containerd/1.7.7+unknown request.method=HEAD size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] push                                          digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json size=2316
DEBU[0000] checking and pushing to                       digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] do request                                    digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json request.header.accept="application/vnd.oci.image.config.v1+json, */*" request.header.user-agent=containerd/1.7.7+unknown request.method=HEAD size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] fetch response received                       digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip response.header.content-length=155 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Basic realm=\"Registry Realm\"" response.header.x-content-type-options=nosniff response.status="401 Unauthorized" size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] Unauthorized                                  digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" header="Basic realm=\"Registry Realm\"" mediatype=application/vnd.oci.image.layer.v1.tar+gzip size=27351048
DEBU[0000] do request                                    digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip request.header.accept="application/vnd.oci.image.layer.v1.tar+gzip, */*" request.header.user-agent=containerd/1.7.7+unknown request.method=HEAD size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] fetch response received                       digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json response.header.content-length=155 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Basic realm=\"Registry Realm\"" response.header.x-content-type-options=nosniff response.status="401 Unauthorized" size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] Unauthorized                                  digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" header="Basic realm=\"Registry Realm\"" mediatype=application/vnd.oci.image.config.v1+json size=2316
DEBU[0000] do request                                    digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json request.header.accept="application/vnd.oci.image.config.v1+json, */*" request.header.user-agent=containerd/1.7.7+unknown request.method=HEAD size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] fetch response received                       digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json response.header.content-length=157 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.x-content-type-options=nosniff response.status="404 Not Found" size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] do request                                    digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json request.header.user-agent=containerd/1.7.7+unknown request.method=POST size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/uploads/"
DEBU[0000] fetch response received                       digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip response.header.content-length=157 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.x-content-type-options=nosniff response.status="404 Not Found" size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] do request                                    digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip request.header.user-agent=containerd/1.7.7+unknown request.method=POST size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/uploads/"
DEBU[0000] fetch response received                       digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip response.header.content-length=0 response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.docker-upload-uuid=8460f195-de98-40be-a748-31deb66c8c26 response.header.location="http://localhost:5000/v2/myfirstimage/blobs/uploads/8460f195-de98-40be-a748-31deb66c8c26?_state=FROUPT5gdOiXBiRHSsdDmAlxhYW84LLijI1YL2TAkvl7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiODQ2MGYxOTUtZGU5OC00MGJlLWE3NDgtMzFkZWI2NmM4YzI2IiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODI2NzkyNloifQ%3D%3D" response.header.range=0-0 response.header.x-content-type-options=nosniff response.status="202 Accepted" size=27351048 url="https://localhost:5000/v2/myfirstimage/blobs/uploads/"
DEBU[0000] upload changed destination                    digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" host="localhost:5000" mediatype=application/vnd.oci.image.layer.v1.tar+gzip scheme=http size=27351048
DEBU[0000] do request                                    digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip request.header.content-type=application/octet-stream request.header.user-agent=containerd/1.7.7+unknown request.method=PUT size=27351048 url="http://localhost:5000/v2/myfirstimage/blobs/uploads/8460f195-de98-40be-a748-31deb66c8c26?_state=FROUPT5gdOiXBiRHSsdDmAlxhYW84LLijI1YL2TAkvl7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiODQ2MGYxOTUtZGU5OC00MGJlLWE3NDgtMzFkZWI2NmM4YzI2IiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODI2NzkyNloifQ%3D%3D&digest=sha256%3Abfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] fetch response received                       digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json response.header.content-length=0 response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.docker-upload-uuid=e1bb35ef-7b2f-439d-ad5c-90c043d6507c response.header.location="http://localhost:5000/v2/myfirstimage/blobs/uploads/e1bb35ef-7b2f-439d-ad5c-90c043d6507c?_state=-QRSPzKGdPkOHHewybT2VOzt5gGJ-m1XAAHytLHN6wB7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiZTFiYjM1ZWYtN2IyZi00MzlkLWFkNWMtOTBjMDQzZDY1MDdjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODg1NTgwM1oifQ%3D%3D" response.header.range=0-0 response.header.x-content-type-options=nosniff response.status="202 Accepted" size=2316 url="https://localhost:5000/v2/myfirstimage/blobs/uploads/"
DEBU[0000] upload changed destination                    digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" host="localhost:5000" mediatype=application/vnd.oci.image.config.v1+json scheme=http size=2316
DEBU[0000] do request                                    digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json request.header.content-type=application/octet-stream request.header.user-agent=containerd/1.7.7+unknown request.method=PUT size=2316 url="http://localhost:5000/v2/myfirstimage/blobs/uploads/e1bb35ef-7b2f-439d-ad5c-90c043d6507c?_state=-QRSPzKGdPkOHHewybT2VOzt5gGJ-m1XAAHytLHN6wB7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiZTFiYjM1ZWYtN2IyZi00MzlkLWFkNWMtOTBjMDQzZDY1MDdjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODg1NTgwM1oifQ%3D%3D&digest=sha256%3Ae343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] fetch response received                       digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip response.header.content-length=226 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Basic realm=\"Registry Realm\"" response.header.x-content-type-options=nosniff response.status="401 Unauthorized" size=27351048 url="http://localhost:5000/v2/myfirstimage/blobs/uploads/8460f195-de98-40be-a748-31deb66c8c26?_state=FROUPT5gdOiXBiRHSsdDmAlxhYW84LLijI1YL2TAkvl7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiODQ2MGYxOTUtZGU5OC00MGJlLWE3NDgtMzFkZWI2NmM4YzI2IiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODI2NzkyNloifQ%3D%3D&digest=sha256%3Abfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107"
DEBU[0000] Unauthorized                                  digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" header="Basic realm=\"Registry Realm\"" mediatype=application/vnd.oci.image.layer.v1.tar+gzip size=27351048
DEBU[0000] unexpected response                           body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"myfirstimage\",\"Action\":\"pull\"},{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"myfirstimage\",\"Action\":\"push\"}]}]}\n" digest="sha256:bfbe77e41a78ee38147c5761aa8bc896d9f6e1e648b23468f294065ffe03c107" mediatype=application/vnd.oci.image.layer.v1.tar+gzip resp="&{401 Unauthorized 401 HTTP/1.1 1 1 map[Content-Length:[226] Content-Type:[application/json; charset=utf-8] Date:[Thu, 19 Oct 2023 20:07:09 GMT] Docker-Distribution-Api-Version:[registry/2.0] Www-Authenticate:[Basic realm=\"Registry Realm\"] X-Content-Type-Options:[nosniff]] 0x4000a09f00 226 [] true false map[] 0x4000143700 <nil>}" size=27351048
DEBU[0000] fetch response received                       digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json response.header.content-length=226 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 19 Oct 2023 20:07:09 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Basic realm=\"Registry Realm\"" response.header.x-content-type-options=nosniff response.status="401 Unauthorized" size=2316 url="http://localhost:5000/v2/myfirstimage/blobs/uploads/e1bb35ef-7b2f-439d-ad5c-90c043d6507c?_state=-QRSPzKGdPkOHHewybT2VOzt5gGJ-m1XAAHytLHN6wB7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiZTFiYjM1ZWYtN2IyZi00MzlkLWFkNWMtOTBjMDQzZDY1MDdjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODg1NTgwM1oifQ%3D%3D&digest=sha256%3Ae343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766"
DEBU[0000] Unauthorized                                  digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" header="Basic realm=\"Registry Realm\"" mediatype=application/vnd.oci.image.config.v1+json size=2316
DEBU[0000] unexpected response                           body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"myfirstimage\",\"Action\":\"pull\"},{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"myfirstimage\",\"Action\":\"push\"}]}]}\n" digest="sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766" mediatype=application/vnd.oci.image.config.v1+json resp="&{401 Unauthorized 401 HTTP/1.1 1 1 map[Content-Length:[226] Content-Type:[application/json; charset=utf-8] Date:[Thu, 19 Oct 2023 20:07:09 GMT] Docker-Distribution-Api-Version:[registry/2.0] Www-Authenticate:[Basic realm=\"Registry Realm\"] X-Content-Type-Options:[nosniff]] 0x40009240c0 226 [] false false map[] 0x4000a6e400 <nil>}" size=2316
index-sha256:773fdfaa932f4f2af1c74043d024daf711b3b599f0a15597d5470e759a92e2d5:    waiting        |--------------------------------------| 
manifest-sha256:02410fbfad7f2842cce3cf7655828424f4f7f6b5105b0016e24f1676f3bd15f5: waiting        |--------------------------------------| 
config-sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.1 s                                                                    total:  2.3 Ki (22.4 KiB/s)                                      
FATA[0000] failed commit on ref "config-sha256:e343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766": unexpected status from PUT request to http://localhost:5000/v2/myfirstimage/blobs/uploads/e1bb35ef-7b2f-439d-ad5c-90c043d6507c?_state=-QRSPzKGdPkOHHewybT2VOzt5gGJ-m1XAAHytLHN6wB7Ik5hbWUiOiJteWZpcnN0aW1hZ2UiLCJVVUlEIjoiZTFiYjM1ZWYtN2IyZi00MzlkLWFkNWMtOTBjMDQzZDY1MDdjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTEwLTE5VDIwOjA3OjA5LjY0ODg1NTgwM1oifQ%3D%3D&digest=sha256%3Ae343402cadef796b4f12c2ee20b7346978a42a8d95516619c36c6397c4b0c766: 401 Unauthorized 

This is an example from docker docs.

This works okay when I change the go module dependency in nerdctl to 1.7.6 and also works fine with docker.


I am out of my depth with docker's original behaviour, but is it intentional to always enable TLS for localhost and have the host.scheme set to https?

cc @dmcgowan
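
Added example, not part of the PR thread or containerd's code: the debug output in the comment above shows a 202 response whose Location header uses http:// for a request logged against https://, followed by a 401 on the http:// PUT. This Go program scans logs in that key=value format for the same pattern; `SchemeChange`, `parseFields`, `FindSchemeChanges` and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// SchemeChange is a response whose Location header uses a different scheme
// than the URL the request was logged against.
type SchemeChange struct {
	Line             int    // 1-based log line of the response
	Digest, From, To string // blob digest, request scheme, Location scheme
	Location         string
	Rejected         bool // a later request to Location was answered with 401
}

// fieldRE matches one logrus text-format pair: key=bare or key="quoted \" value".
var fieldRE = regexp.MustCompile(`([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)`)

// parseFields returns the key=value pairs of one log line, unquoting values.
func parseFields(line string) map[string]string {
	fields := make(map[string]string)
	for _, m := range fieldRE.FindAllStringSubmatch(line, -1) {
		val := m[2]
		if unq, err := strconv.Unquote(val); err == nil {
			val = unq // logrus quotes with %q, so Unquote reverses it
		}
		fields[m[1]] = val
	}
	return fields
}

// FindSchemeChanges reports every response whose Location scheme differs from
// the request URL scheme, and whether a later request to it was rejected.
func FindSchemeChanges(log string) []SchemeChange {
	var out []SchemeChange
	for n, line := range strings.Split(log, "\n") {
		f := parseFields(line)
		for i := range out { // a 401 on a URL that extends a flagged Location
			if strings.HasPrefix(f["response.status"], "401") &&
				strings.HasPrefix(f["url"], out[i].Location) {
				out[i].Rejected = true
			}
		}
		req, _ := url.Parse(f["url"])
		dst, _ := url.Parse(f["response.header.location"])
		if req == nil || dst == nil || req.Scheme == "" || dst.Scheme == "" ||
			req.Scheme == dst.Scheme {
			continue // no absolute Location, unparsable URL, or same scheme
		}
		out = append(out, SchemeChange{Line: n + 1, Digest: f["digest"],
			From: req.Scheme, To: dst.Scheme, Location: f["response.header.location"]})
	}
	return out
}

// sampleLog is constructed: shortened lines in the shape of the output above.
const sampleLog = `DEBU[0000] fetch response received digest="sha256:aaaa" response.header.location="https://localhost:5000/v2/other/blobs/uploads/2222?_state=def" response.status="202 Accepted" url="https://localhost:5000/v2/other/blobs/uploads/"
DEBU[0000] fetch response received digest="sha256:bbbb" response.header.location="http://localhost:5000/v2/myfirstimage/blobs/uploads/1111?_state=abc" response.status="202 Accepted" url="https://localhost:5000/v2/myfirstimage/blobs/uploads/"
DEBU[0000] upload changed destination digest="sha256:bbbb" host="localhost:5000" scheme=http
DEBU[0000] fetch response received digest="sha256:bbbb" response.header.www-authenticate="Basic realm=\"Registry Realm\"" response.status="401 Unauthorized" url="http://localhost:5000/v2/myfirstimage/blobs/uploads/1111?_state=abc&digest=sha256%3Abbbb"`

func main() {
	for _, c := range FindSchemeChanges(sampleLog) {
		fmt.Printf("line %d: %s -> %s for %s (401 afterwards: %v)\n",
			c.Line, c.From, c.To, c.Digest, c.Rejected)
	}
}
```
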

@thaJeztah
Member

docker engine marks 127.0.0.0/8 as insecure by default, which means that it allows non-TLS connections (I must admit that I don't know what the behavior is if localhost resolves to ::1 (IPv6)).

@estesp
Member

estesp commented Oct 20, 2023

Since it works with 1.7.6, then I assume this change has to be the reason for a different behavior with 1.7.7: 7779ce6

@dmcgowan
Member

I was able to go through the steps but was not able to reproduce with nerdctl 1.6.2. The only case I could reproduce this error message was deleting /root/.docker/config.json. I don't quite understand though how switching the containerd versions would change the behavior of getting the credentials. What is the value you are seeing in /root/.docker/config.json?

@vsiravar
Author

Thanks for trying out the repro steps. I can seem to consistently reproduce this error. My /root/.docker/config.json is:

{
        "auths": {
                "localhost:5000": {
                        "auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"
                }
        }
}

@Kern--
Contributor

Kern-- commented Oct 20, 2023

I think this suggests that it's not intentionally matching Docker behavior since http localhost always sets skipVerify:

// Skipping TLS verification for localhost
var skipVerify = true
hosts[len(hosts)-1].skipVerify = &skipVerify

@dmcgowan
Member

> I think this suggests that it's not intentionally matching Docker behavior since http localhost always sets skipVerify:

We could probably just remove the setting of skipVerify when the scheme is requesting http on localhost.

@estesp
Member

estesp commented Nov 8, 2023

@vsiravar can you test whether #9283 (and specifically #9299 for release/1.7) solves the issue? I think the latest 1.7.x should correct this problem and, if so, we can close this PR.

@vsiravar
Author

vsiravar commented Nov 8, 2023

> @vsiravar can you test whether #9283 (and specifically #9299 for release/1.7) solves the issue? I think the latest 1.7.x should correct this problem and, if so, we can close this PR.

Validated, works fine after avoiding tls fallback for http with #9283. I am closing this PR :)

@vsiravar vsiravar closed this Nov 8, 2023
@austinvazquez austinvazquez removed cherry-pick/1.6.x cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Nov 20, 2024