From 67f029ec02ed3391df8d895240b06e9bda5c319e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 11 Dec 2018 16:25:24 +0100
Subject: [PATCH] Don't use TLS for socket connections

Before this patch: mkdir -p ./tempconfig && touch ./tempconfig/ca.pem ./tempconfig/cert.pem ./tempconfig/key.pem DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Failed to initialize: failed to retrieve context tls info: ca.pem seems invalid With this patch: DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Client: Version: 28.1.1-25-g2dfe7b558.m Context: default ... Note that the above is just to illustrate; there's still parts in context- related code that will check for, and load TLS-related files ahead of time. We should make some of that code lazy-loading (i.e., don't load these until we're actually gonna make an API connection). For example, if the TLS files are missing; rm ./tempconfig/*.pem DOCKER_TLS_VERIFY=1 DOCKER_CONFIG=./tempconfig DOCKER_HOST=unix:///var/run/docker.sock docker info Failed to initialize: unable to resolve docker endpoint: open tempconfig/ca.pem: no such file or directory

Signed-off-by: Sebastiaan van Stijn
---
 cli/context/docker/load.go | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/cli/context/docker/load.go b/cli/context/docker/load.go
index 700b73c940..89d43e2e32 100644
--- a/cli/context/docker/load.go
+++ b/cli/context/docker/load.go
@@ -6,6 +6,7 @@ import (
 "encoding/pem"
 "net"
 "net/http"
+ "strings"
 "time"
 
 "github.com/docker/cli/cli/connhelper"
@@ -90,14 +91,19 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 return nil, err
 }
 if helper == nil {
- tlsConfig, err := ep.tlsConfig()
- if err != nil {
- return nil, err
+ // Check if we're connecting over a socket, because there's no
+ // need to configure TLS for a socket connection.
+ //
+ // TODO(thaJeztah); make resolveDockerEndpoint and resolveDefaultDockerEndpoint not load TLS data,
+ // and load TLS files lazily; see https://github.com/docker/cli/pull/1581
+ if !isSocket(ep.Host) {
+ tlsConfig, err := ep.tlsConfig()
+ if err != nil {
+ return nil, err
+ }
+ result = append(result, withHTTPClient(tlsConfig))
 }
- result = append(result,
- withHTTPClient(tlsConfig),
- client.WithHost(ep.Host),
- )
+ result = append(result, client.WithHost(ep.Host))
 } else {
 result = append(result, client.WithHTTPClient(&http.Client{
@@ -116,6 +122,17 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 return result, nil
 }
 
+// isSocket checks if the given address is a Unix-socket (linux),
+// named pipe (Windows), or file-descriptor.
+func isSocket(addr string) bool {
+ switch proto, _, _ := strings.Cut(addr, "://"); proto {
+ case "unix", "npipe", "fd":
+ return true
+ default:
+ return false
+ }
+}
+
 func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 return func(c *client.Client) error {
 if tlsConfig == nil {
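Review bot: The new `if !isSocket(ep.Host)` branch silently discards any TLS material or `--tlsverify`/`DOCKER_TLS_VERIFY` setting configured for a `unix://`, `npipe://` or `fd://` endpoint, and the comment above it only says TLS is not needed, not that configured settings are ignored, so a reader of an endpoint carrying both a socket host and TLS data cannot tell which wins. Skipping TLS is sound here because a local socket's trust boundary is file/pipe permissions rather than the transport, but that reasoning belongs in the comment: `// Unix sockets and named pipes are protected by file/pipe permissions, not TLS; any TLS material or --tlsverify setting configured for such an endpoint is intentionally ignored here.` The marker `TODO(thaJeztah);` should use a colon so tooling that scans `TODO(owner):` picks it up. The check runs on the raw `ep.Host` string, so it presumably relies on the scheme having been normalised to lower case upstream; worth confirming. ClientOpts begins before and ends after this hunk.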
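Review bot: isSocket's doc comment does not state the fail-closed property that its caller relies on: an address with no `://` makes `proto` the whole string, which falls through to `default` and returns false, and the match is exact and case-sensitive, so anything unrecognised keeps the TLS path. That is the right direction and should be written down so a later edit does not invert it; Go convention for a boolean is also "reports whether", and unix sockets are not Linux-specific. Suggested comment: `// isSocket reports whether addr uses a local transport (unix socket, Windows named pipe, or fd://) for which TLS is not configured. Addresses with no "://" and any other scheme return false, so unknown hosts keep the TLS path.` A small table test covering `unix:///var/run/docker.sock`, `npipe:////./pipe/docker_engine`, `fd://`, `tcp://host:2376`, a bare `host:2376` and `""` would pin this.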