@@ -21,33 +21,49 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) {
21
21
host = sys .DockerDaemonHost
22
22
}
23
23
24
- // Sadly, unix:// sockets don't work transparently with dockerclient.NewClient.
25
- // They work fine with a nil httpClient; with a non-nil httpClient, the transport’s
26
- // TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket
27
- // regardless of the values in the *tls.Config), and we would have to call sockets.ConfigureTransport.
24
+ opts := []dockerclient.Opt {
25
+ dockerclient .WithHost (host ),
26
+ dockerclient .WithVersion (defaultAPIVersion ),
27
+ }
28
+
29
+ // We conditionalize building the TLS configuration only to TLS sockets:
30
+ //
31
+ // The dockerclient.Client implementation differentiates between
32
+ // - Client.proto, which is ~how the connection is establishe (IP / AF_UNIX/Windows)
33
+ // - Client.scheme, which is what is sent over the connection (HTTP with/without TLS).
34
+ //
35
+ // Only Client.proto is set from the URL in dockerclient.WithHost(),
36
+ // Client.scheme is detected based on a http.Client.TLSClientConfig presence;
37
+ // dockerclient.WithHTTPClient with a client that has TLSClientConfig set
38
+ // will, by default, trigger an attempt to use TLS.
39
+ //
40
+ // So, don’t use WithHTTPClient for unix:// sockets at all.
28
41
//
29
- // We don't really want to configure anything for unix:// sockets, so just pass a nil *http.Client.
42
+ // Similarly, if we want to communicate over plain HTTP on a TCP socket (http://),
43
+ // we also should not set TLSClientConfig. We continue to use WithHTTPClient
44
+ // with our slightly non-default settings to avoid a behavior change on updates of c/image.
30
45
//
31
- // Similarly, if we want to communicate over plain HTTP on a TCP socket, we also need to set
32
- // TLSClientConfig to nil. This can be achieved by using the form `http://`
46
+ // Alternatively we could use dockerclient.WithScheme to drive the TLS/non-TLS logic
47
+ // explicitly, but we would still want to set WithHTTPClient (differently) for https:// and http:// ;
48
+ // so that would not be any simpler.
33
49
serverURL , err := dockerclient .ParseHostURL (host )
34
50
if err != nil {
35
51
return nil , err
36
52
}
37
- var httpClient * http.Client
38
- if serverURL .Scheme != "unix" {
39
- if serverURL .Scheme == "http" {
40
- httpClient = httpConfig ()
41
- } else {
42
- hc , err := tlsConfig (sys )
43
- if err != nil {
44
- return nil , err
45
- }
46
- httpClient = hc
53
+ switch serverURL .Scheme {
54
+ case "unix" : // Nothing
55
+ case "http" :
56
+ hc := httpConfig ()
57
+ opts = append (opts , dockerclient .WithHTTPClient (hc ))
58
+ default :
59
+ hc , err := tlsConfig (sys )
60
+ if err != nil {
61
+ return nil , err
47
62
}
63
+ opts = append (opts , dockerclient .WithHTTPClient (hc ))
48
64
}
49
65
50
- return dockerclient .NewClient ( host , defaultAPIVersion , httpClient , nil )
66
+ return dockerclient .NewClientWithOpts ( opts ... )
51
67
}
52
68
53
69
func tlsConfig (sys * types.SystemContext ) (* http.Client , error ) {
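Review bot: The `default` arm of the new `switch serverURL.Scheme` sends every scheme other than `unix` and `http` through `tlsConfig(sys)` and `dockerclient.WithHTTPClient`, so an `npipe://` host (the Windows named-pipe form the docker client accepts) would, by the reasoning in the comment block above it, get a TLSClientConfig and an attempt to speak TLS over the pipe. The previous `if serverURL.Scheme != "unix"` had the same shape, so this is pre-existing rather than introduced here, but the explicit switch is the natural place to state the intent: presumably either `case "unix", "npipe": // Nothing` if named pipes are meant to behave like unix sockets, or a comment on `default:` saying only `https://` and `tcp://` hosts are expected to land there, so an unexpected scheme is not silently upgraded to TLS. While the comment block is being rewritten, `// - Client.proto, which is ~how the connection is establishe (IP / AF_UNIX/Windows)` should read `established`. The opening of newDockerClient lies before this hunk.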