Skip to content

Containers: insecure registries: allow https (ignore cert errors), and accept config from envvar. #41506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Jun 19, 2024
Merged

Containers: insecure registries: allow https (ignore cert errors), and accept config from envvar. #41506

merged 16 commits into from
Jun 19, 2024

Conversation

tmds
Copy link
Member

@tmds tmds commented Jun 10, 2024
edited
Loading

Implements dotnet/sdk-container-builds#338 (comment), dotnet/sdk-container-builds#576.

@dotnet/sdk-container-builds-maintainers ptal.

@tmds tmds requested a review from a team as a code owner June 10, 2024 13:15
@ghost ghost added Area-Containers Related to dotnet SDK containers functionality untriaged Request triage from a team member labels Jun 10, 2024
@build-analysis build-analysis bot mentioned this pull request Jun 10, 2024
Closed
@tmds tmds force-pushed the insecure_registries branch from b09505b to 70a2773 Compare June 11, 2024 11:32
@build-analysis build-analysis bot mentioned this pull request Jun 14, 2024
Open
@tmds tmds force-pushed the insecure_registries branch from a33f5b6 to b21f93b Compare June 14, 2024 21:53
@kasperk81 kasperk81 mentioned this pull request Jun 15, 2024
Closed
@build-analysis build-analysis bot mentioned this pull request Jun 15, 2024
Closed
@tmds tmds force-pushed the insecure_registries branch from 2d5cde2 to b457f5e Compare June 15, 2024 13:47
@build-analysis build-analysis bot mentioned this pull request Jun 17, 2024
Open
@baronfel baronfel mentioned this pull request Jun 17, 2024
Closed
@tmds
Copy link
Member Author

tmds commented Jun 18, 2024

@baronfel @dotnet/sdk-container-builds-maintainers this is up for review.

baronfel
baronfel approved these changes Jun 18, 2024
View reviewed changes
Copy link
Member

@baronfel baronfel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. Thanks for expanding this functionality and bringing us more into alignment with the container ecosystem tooling!

I'll log an issue to expand the docs around insecure registries on the docs repo.

@baronfel baronfel mentioned this pull request Jun 18, 2024
Closed
@baronfel
Copy link
Member

We should also backport this to 8.0.4xx since the initial insecure registry support was backported there as well.

@baronfel baronfel enabled auto-merge (squash) June 18, 2024 15:11
@baronfel
Copy link
Member

This failing test is killing me 😓

@tmds
Copy link
Member Author

tmds commented Jun 18, 2024

This failing test is killing me 😓

I see a failure of:

InsecureRegistry(isInsecureRegistry: False, serverIsHttps: False, httpServerCloseAbortive: True) on FullFramework: windows (x64).

The way it fails tells me that when an https connection is made on .NET framework and the peer does an abortive TCP close, then HttpClient isn't throwing HttpRequestException with HttpRequestError.SecureConnectionError.

The http fallback doesn't kick in, and the auth handler throws ApplicationException after a number of retries.

One option is to extend ShouldAttemptFallbackToHttp so it includes this exception (System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.). If we assume it is netfx only we can include that as a condition.

wdyt @baronfel?

@tmds
Copy link
Member Author

tmds commented Jun 18, 2024

The http fallback doesn't kick in

Actually, the fallback shouldn't kick in when isInsecureRegistry: False.
I'll take a fresh look at this tomorrow.

@tmds
Copy link
Member Author

tmds commented Jun 18, 2024

There's definitely a bug in the test in that it doesn't account for the AuthHandshakeMessageHandler to turn HttpRequestException into ApplicationException after retries. I'll fix that first, and then give it another go.

auto-merge was automatically disabled June 18, 2024 21:09

Head branch was pushed to by a user without write access

@tmds
Copy link
Member Author

tmds commented Jun 19, 2024

The test bug is fixed.

The test for this feature was more challenging than the implementation. Fortunately, the logging from the test provided a good understanding of why it failed.

@baronfel
Copy link
Member

Lovely work. Thank you for the effort!

@baronfel baronfel merged commit 00becb5 into dotnet:main Jun 19, 2024
36 checks passed
@baronfel
Copy link
Member

/backport to release/8.04xx

@github-actions GitHub Actions
Copy link
Contributor

Started backporting to release/8.04xx: https://github.com/dotnet/sdk/actions/runs/9583676452

@github-actions GitHub Actions
Copy link
Contributor

@baronfel an error occurred while backporting to release/8.04xx, please check the run log for details!

Error: The specified backport target branch release/8.04xx wasn't found in the repo.

@baronfel
Copy link
Member

/backport to release/8.0.4xx

@github-actions GitHub Actions
Copy link
Contributor

Started backporting to release/8.0.4xx: https://github.com/dotnet/sdk/actions/runs/9583690663

@github-actions GitHub Actions
Copy link
Contributor

@baronfel backporting to release/8.0.4xx failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: Containers: insecure registries: allow https (ignore cert errors), and accept config from envvar.
Using index info to reconstruct a base tree...
M	src/Containers/Microsoft.NET.Build.Containers/ContainerHelpers.cs
M	src/Containers/Microsoft.NET.Build.Containers/LocalDaemons/DockerCli.cs
M	src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
A	test/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryManager.cs
A	test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Auto-merging src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryManager.cs
Auto-merging src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
Auto-merging src/Containers/Microsoft.NET.Build.Containers/LocalDaemons/DockerCli.cs
Auto-merging src/Containers/Microsoft.NET.Build.Containers/ContainerHelpers.cs
Applying: Add tests.
Using index info to reconstruct a base tree...
M	src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
A	test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Auto-merging src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
Applying: Fix Windows test issue.
Using index info to reconstruct a base tree...
A	test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Applying: Try fix tests on Windows.
Using index info to reconstruct a base tree...
A	test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs
Applying: PR feedback.
Applying: Fix EnsureRegistryLoaded.
Using index info to reconstruct a base tree...
A	test/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryManager.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryManager.cs
Applying: Update WriteToPrivateBasicRegistry test.
Using index info to reconstruct a base tree...
A	test/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryTests.cs
CONFLICT (content): Merge conflict in src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0007 Update WriteToPrivateBasicRegistry test.
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@github-actions GitHub Actions
Copy link
Contributor

@baronfel an error occurred while backporting to release/8.0.4xx, please check the run log for details!

Error: git am failed, most likely due to a merge conflict.

baronfel pushed a commit to baronfel/sdk that referenced this pull request Jun 19, 2024
@tmds @baronfel
Containers: insecure registries: allow https (ignore cert errors), an…
2ef5ea9 
…d accept config from envvar. (dotnet#41506)
@baronfel baronfel mentioned this pull request Jun 19, 2024
Merged
baronfel added a commit that referenced this pull request Jun 20, 2024
@baronfel @tmds
[release/8.0.4xx] Backport #41506 (#41682)
a831327 
Co-authored-by: Tom Deseyn <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@baronfel baronfel baronfel approved these changes

Assignees
No one assigned
Labels
Area-Containers Related to dotnet SDK containers functionality untriaged Request triage from a team member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tmds @baronfel