Don't use TLS for socket connections

Before this patch: mkdir -p ./tempconfig && touch ./tempconfig/ca.pem ./tempconfig/cert.pem ./tempconfig/key.pem DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Failed to initialize: failed to retrieve context tls info: ca.pem seems invalid With this patch: DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Client: Version: 28.1.1-25-g2dfe7b558.m Context: default ... Note that the above is just to illustrate; there's still parts in context- related code that will check for, and load TLS-related files ahead of time. We should make some of that code lazy-loading (i.e., don't load these until we're actually gonna make an API connection). For example, if the TLS files are missing; rm ./tempconfig/*.pem DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Failed to initialize: unable to resolve docker endpoint: open tempconfig/ca.pem: no such file or directory Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-01-13 18:22:35 +03:00 · 2018-12-11 16:25:24 +01:00
parent 77fbbc38de
commit 67f029ec02
1 changed files with 24 additions and 7 deletions
--- a/cli/context/docker/load.go
+++ b/cli/context/docker/load.go
@@ -6,6 +6,7 @@ import (
 	"encoding/pem"
 	"net"
 	"net/http"
+	"strings"
 	"time"

 	"github.com/docker/cli/cli/connhelper"
@@ -90,14 +91,19 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 			return nil, err
 		}
 		if helper == nil {
-			tlsConfig, err := ep.tlsConfig()
-			if err != nil {
-				return nil, err
+			// Check if we're connecting over a socket, because there's no
+			// need to configure TLS for a socket connection.
+			//
+			// TODO(thaJeztah); make resolveDockerEndpoint and resolveDefaultDockerEndpoint not load TLS data,
+			//  and load TLS files lazily; see https://github.com/docker/cli/pull/1581
+			if !isSocket(ep.Host) {
+				tlsConfig, err := ep.tlsConfig()
+				if err != nil {
+					return nil, err
+				}
+				result = append(result, withHTTPClient(tlsConfig))
 			}
-			result = append(result,
-				withHTTPClient(tlsConfig),
-				client.WithHost(ep.Host),
-			)
+			result = append(result, client.WithHost(ep.Host))
 		} else {
 			result = append(result,
 				client.WithHTTPClient(&http.Client{
@@ -116,6 +122,17 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 	return result, nil
 }

+// isSocket checks if the given address is a Unix-socket (linux),
+// named pipe (Windows), or file-descriptor.
+func isSocket(addr string) bool {
+	switch proto, _, _ := strings.Cut(addr, "://"); proto {
+	case "unix", "npipe", "fd":
+		return true
+	default:
+		return false
+	}
+}
+
 func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 	return func(c *client.Client) error {
 		if tlsConfig == nil {