-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update: use DOCKER_HOST as the default #1910
base: main
Are you sure you want to change the base?
Conversation
db3cfa8
to
2ec6a60
Compare
Could we default to
This would be more backward compatible. |
Do you mean, it's not used when the |
I mean for |
Otherwise this will break things for people using |
related: buildpacks#1338 Signed-off-by: till <[email protected]>
2ec6a60
to
9833d11
Compare
Oh, you mean — employ a validator for what's "in" |
So as a summary, these are the cases you would like to address — where a value from
What happens then? Empty it in code and let the current logic pick up the OS-specific binds for the socket? Add a log line? |
@till sorry for late reply. I think that we perhaps should keep default to Draft of what it could look like (note I did not test this code at all): diff --git a/internal/build/phase_config_provider.go b/internal/build/phase_config_provider.go
index 93861633..042087c3 100644
--- a/internal/build/phase_config_provider.go
+++ b/internal/build/phase_config_provider.go
@@ -3,9 +3,15 @@ package build
import (
"fmt"
"io"
+ "net"
+ "net/url"
"os"
+ "path/filepath"
+ "runtime"
+ "strconv"
"strings"
+ "github.com/docker/cli/cli/config"
"github.com/docker/docker/api/types/container"
pcontainer "github.com/buildpacks/pack/internal/container"
@@ -152,17 +158,62 @@ func WithBinds(binds ...string) PhaseConfigProviderOperation {
}
}
+func mightUseClientCertTLS() bool {
+ tlsVerifyStr, tlsVerifyChanged := os.LookupEnv("DOCKER_TLS_VERIFY")
+ if !tlsVerifyChanged {
+ return false
+ }
+ tlsVerify := true
+ if b, err := strconv.ParseBool(tlsVerifyStr); err == nil {
+ tlsVerify = b
+ }
+ if !tlsVerify {
+ return false
+ }
+ dockerCertPath := os.Getenv("DOCKER_CERT_PATH")
+ if dockerCertPath == "" {
+ dockerCertPath = config.Dir()
+ }
+ certPath := filepath.Join(dockerCertPath, "cert.pem")
+ keyPath := filepath.Join(dockerCertPath, "key.pem")
+ _, err := os.Stat(certPath)
+ if err != nil {
+ return false
+ }
+ _, err = os.Stat(keyPath)
+ if err != nil {
+ return false
+ }
+ return true
+}
+
func WithDaemonAccess(dockerHost string) PhaseConfigProviderOperation {
return func(provider *PhaseConfigProvider) {
WithRoot()(provider)
+ localDockerHost := strings.TrimSpace(os.Getenv("DOCKER_HOST"))
if dockerHost == "inherit" {
- dockerHost = os.Getenv("DOCKER_HOST")
+ dockerHost = localDockerHost
}
var bind string
if dockerHost == "" {
- bind = "/var/run/docker.sock:/var/run/docker.sock"
- if provider.os == "windows" {
- bind = `\\.\pipe\docker_engine:\\.\pipe\docker_engine`
+ switch {
+ case strings.HasPrefix(localDockerHost, "unix://"):
+ if runtime.GOOS == "linux" {
+ dockerHost = localDockerHost
+ }
+ case strings.HasPrefix(localDockerHost, "tcp://"):
+ if u, err := url.Parse(localDockerHost); err == nil {
+ var addr *net.IPAddr
+ addr, err = net.ResolveIPAddr("tcp", u.Host)
+ if err == nil && !addr.IP.IsLoopback() && !mightUseClientCertTLS() {
+ dockerHost = localDockerHost
+ }
+ }
+ default:
+ bind = "/var/run/docker.sock:/var/run/docker.sock"
+ if provider.os == "windows" {
+ bind = `\\.\pipe\docker_engine:\\.\pipe\docker_engine`
+ }
}
} else {
switch { |
Any further updates here? |
Not yet, I can add a commit some time to address the tls settings. Is there anything else that needs to be addressed? |
@till we discussed this in Slack here: https://cloud-native.slack.com/archives/C0331B61A1Y/p1725391083581559?thread_ts=1724932960.525119&cid=C0331B61A1Y I'm not sure if we have a clear way forward with this. Do you have any thoughts about it? |
Summary
Make
--docker-host=inherit
the default behavior.Before
The default was to use a variant of /var/run/docker.sock (depending on OS/environment).
After
The default is to check
DOCKER_HOST
and fall back to the old default before.Documentation
--docker-host
. #1338Related
Resolves #1338