@@ -21,33 +21,49 @@ func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) {
2121 host = sys .DockerDaemonHost
2222 }
2323
24- // Sadly, unix:// sockets don't work transparently with dockerclient.NewClient.
25- // They work fine with a nil httpClient; with a non-nil httpClient, the transport’s
26- // TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket
27- // regardless of the values in the *tls.Config), and we would have to call sockets.ConfigureTransport.
24+ opts := []dockerclient.Opt {
25+ dockerclient .WithHost (host ),
26+ dockerclient .WithVersion (defaultAPIVersion ),
27+ }
28+
29+ // We conditionalize building the TLS configuration only to TLS sockets:
30+ //
31+ // The dockerclient.Client implementation differentiates between
32+ // - Client.proto, which is ~how the connection is establishe (IP / AF_UNIX/Windows)
33+ // - Client.scheme, which is what is sent over the connection (HTTP with/without TLS).
34+ //
35+ // Only Client.proto is set from the URL in dockerclient.WithHost(),
36+ // Client.scheme is detected based on a http.Client.TLSClientConfig presence;
37+ // dockerclient.WithHTTPClient with a client that has TLSClientConfig set
38+ // will, by default, trigger an attempt to use TLS.
39+ //
40+ // So, don’t use WithHTTPClient for unix:// sockets at all.
2841 //
29- // We don't really want to configure anything for unix:// sockets, so just pass a nil *http.Client.
42+ // Similarly, if we want to communicate over plain HTTP on a TCP socket (http://),
43+ // we also should not set TLSClientConfig. We continue to use WithHTTPClient
44+ // with our slightly non-default settings to avoid a behavior change on updates of c/image.
3045 //
31- // Similarly, if we want to communicate over plain HTTP on a TCP socket, we also need to set
32- // TLSClientConfig to nil. This can be achieved by using the form `http://`
46+ // Alternatively we could use dockerclient.WithScheme to drive the TLS/non-TLS logic
47+ // explicitly, but we would still want to set WithHTTPClient (differently) for https:// and http:// ;
48+ // so that would not be any simpler.
3349 serverURL , err := dockerclient .ParseHostURL (host )
3450 if err != nil {
3551 return nil , err
3652 }
37- var httpClient * http.Client
38- if serverURL .Scheme != "unix" {
39- if serverURL .Scheme == "http" {
40- httpClient = httpConfig ()
41- } else {
42- hc , err := tlsConfig (sys )
43- if err != nil {
44- return nil , err
45- }
46- httpClient = hc
53+ switch serverURL .Scheme {
54+ case "unix" : // Nothing
55+ case "http" :
56+ hc := httpConfig ()
57+ opts = append (opts , dockerclient .WithHTTPClient (hc ))
58+ default :
59+ hc , err := tlsConfig (sys )
60+ if err != nil {
61+ return nil , err
4762 }
63+ opts = append (opts , dockerclient .WithHTTPClient (hc ))
4864 }
4965
50- return dockerclient .NewClient ( host , defaultAPIVersion , httpClient , nil )
66+ return dockerclient .NewClientWithOpts ( opts ... )
5167}
5268
5369func tlsConfig (sys * types.SystemContext ) (* http.Client , error ) {
0 commit comments