Merge pull request #790 from Zheaoli/manjusaka/fix-775

AkihiroSuda · web-flow · commit 41ceb2944209 · 2022-02-16T14:29:25.000+09:00
Fix --insecure-registry not working in some circumstances for #775
diff --git a/cmd/nerdctl/image_encrypt_linux_test.go b/cmd/nerdctl/image_encrypt_linux_test.go
@@ -74,7 +74,7 @@ func TestImageEncryptJWE(t *testing.T) {
 	defer keyPair.cleanup()
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 	base.Cmd("pull", testutil.CommonImage).AssertOK()
 	encryptImageRef := fmt.Sprintf("127.0.0.1:%d/%s:encrypted", reg.ListenPort, tID)
diff --git a/cmd/nerdctl/multi_platform_linux_test.go b/cmd/nerdctl/multi_platform_linux_test.go
@@ -57,7 +57,7 @@ func TestMultiPlatformBuildPush(t *testing.T) {
 	testutil.RequireExecPlatform(t, "linux/amd64", "linux/arm64", "linux/arm/v7")
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 
 	imageName := fmt.Sprintf("localhost:%d/%s:latest", reg.ListenPort, tID)
@@ -80,7 +80,7 @@ func TestMultiPlatformPullPushAllPlatforms(t *testing.T) {
 	testutil.DockerIncompatible(t)
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 
 	pushImageName := fmt.Sprintf("localhost:%d/%s:latest", reg.ListenPort, tID)
diff --git a/cmd/nerdctl/pull_linux_test.go b/cmd/nerdctl/pull_linux_test.go
@@ -21,6 +21,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/containerd/nerdctl/pkg/testutil"
@@ -67,7 +68,7 @@ func TestImageVerifyWithCosign(t *testing.T) {
 	defer keyPair.cleanup()
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 	localhostIP := "127.0.0.1"
 	t.Logf("localhost IP=%q", localhostIP)
@@ -88,6 +89,28 @@ CMD ["echo", "nerdctl-build-test-string"]
 	base.Cmd("pull", testImageRef, "--verify=cosign", "--cosign-key="+keyPair.publicKey).AssertOK()
 }
 
+func TestImagePullPlainHttpWithDefaultPort(t *testing.T) {
+	testutil.DockerIncompatible(t)
+	testutil.RequiresBuild(t)
+	base := testutil.NewBase(t)
+	reg := testregistry.NewPlainHTTP(base, 80)
+	defer reg.Cleanup()
+	testImageRef := fmt.Sprintf("%s/%s:%s",
+		reg.IP.String(), testutil.Identifier(t), strings.Split(testutil.CommonImage, ":")[1])
+	t.Logf("testImageRef=%q", testImageRef)
+	t.Logf("testImageRef=%q", testImageRef)
+	dockerfile := fmt.Sprintf(`FROM %s
+CMD ["echo", "nerdctl-build-test-string"]
+	`, testutil.CommonImage)
+
+	buildCtx, err := createBuildContext(dockerfile)
+	assert.NilError(t, err)
+	defer os.RemoveAll(buildCtx)
+	base.Cmd("build", "-t", testImageRef, buildCtx).AssertOK()
+	base.Cmd("--insecure-registry", "push", testImageRef).AssertOK()
+	base.Cmd("--insecure-registry", "pull", testImageRef).AssertOK()
+}
+
 func TestImageVerifyWithCosignShouldFailWhenKeyIsNotCorrect(t *testing.T) {
 	if _, err := exec.LookPath("cosign"); err != nil {
 		t.Skip()
@@ -99,7 +122,7 @@ func TestImageVerifyWithCosignShouldFailWhenKeyIsNotCorrect(t *testing.T) {
 	defer keyPair.cleanup()
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 	localhostIP := "127.0.0.1"
 	t.Logf("localhost IP=%q", localhostIP)
diff --git a/cmd/nerdctl/push.go b/cmd/nerdctl/push.go
@@ -183,7 +183,8 @@ func pushAction(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	if err = pushFunc(resolver); err != nil {
-		if !imgutil.IsErrHTTPResponseToHTTPSClient(err) {
+		// In some circumstance (e.g. people just use 80 port to support pure http), the error will contain message like "dial tcp <port>: connection refused"
+		if !imgutil.IsErrHTTPResponseToHTTPSClient(err) && !imgutil.IsErrConnectionRefused(err) {
 			return err
 		}
 		if insecure {
diff --git a/cmd/nerdctl/push_linux_test.go b/cmd/nerdctl/push_linux_test.go
@@ -28,7 +28,7 @@ import (
 
 func TestPushPlainHTTPFails(t *testing.T) {
 	base := testutil.NewBase(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 
 	base.Cmd("pull", testutil.CommonImage).AssertOK()
@@ -46,7 +46,7 @@ func TestPushPlainHTTPFails(t *testing.T) {
 
 func TestPushPlainHTTPLocalhost(t *testing.T) {
 	base := testutil.NewBase(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 	localhostIP := "127.0.0.1"
 	t.Logf("localhost IP=%q", localhostIP)
@@ -65,7 +65,7 @@ func TestPushPlainHTTPInsecure(t *testing.T) {
 	testutil.DockerIncompatible(t)
 
 	base := testutil.NewBase(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 
 	base.Cmd("pull", testutil.CommonImage).AssertOK()
@@ -77,6 +77,23 @@ func TestPushPlainHTTPInsecure(t *testing.T) {
 	base.Cmd("--insecure-registry", "push", testImageRef).AssertOK()
 }
 
+func TestPushPlainHttpInsecureWithDefaultPort(t *testing.T) {
+	// Skip docker, because "dockerd --insecure-registries" requires restarting the daemon
+	testutil.DockerIncompatible(t)
+
+	base := testutil.NewBase(t)
+	reg := testregistry.NewPlainHTTP(base, 80)
+	defer reg.Cleanup()
+
+	base.Cmd("pull", testutil.CommonImage).AssertOK()
+	testImageRef := fmt.Sprintf("%s/%s:%s",
+		reg.IP.String(), testutil.Identifier(t), strings.Split(testutil.CommonImage, ":")[1])
+	t.Logf("testImageRef=%q", testImageRef)
+	base.Cmd("tag", testutil.CommonImage, testImageRef).AssertOK()
+
+	base.Cmd("--insecure-registry", "push", testImageRef).AssertOK()
+}
+
 func TestPushInsecureWithLogin(t *testing.T) {
 	// Skip docker, because "dockerd --insecure-registries" requires restarting the daemon
 	testutil.DockerIncompatible(t)
diff --git a/cmd/nerdctl/run_verify_linux_test.go b/cmd/nerdctl/run_verify_linux_test.go
@@ -38,7 +38,7 @@ func TestRunVerifyCosign(t *testing.T) {
 	defer keyPair.cleanup()
 	base := testutil.NewBase(t)
 	tID := testutil.Identifier(t)
-	reg := testregistry.NewPlainHTTP(base)
+	reg := testregistry.NewPlainHTTP(base, 5000)
 	defer reg.Cleanup()
 	localhostIP := "127.0.0.1"
 	t.Logf("localhost IP=%q", localhostIP)
diff --git a/pkg/imgutil/imgutil.go b/pkg/imgutil/imgutil.go
@@ -144,7 +144,8 @@ func EnsureImage(ctx context.Context, client *containerd.Client, stdout, stderr
 
 	img, err := PullImage(ctx, client, stdout, stderr, snapshotter, resolver, ref, ocispecPlatforms, unpack, quiet)
 	if err != nil {
-		if !IsErrHTTPResponseToHTTPSClient(err) {
+		// In some circumstance (e.g. people just use 80 port to support pure http), the error will contain message like "dial tcp <port>: connection refused".
+		if !IsErrHTTPResponseToHTTPSClient(err) && !IsErrConnectionRefused(err) {
 			return nil, err
 		}
 		if insecure {
@@ -200,6 +201,13 @@ func IsErrHTTPResponseToHTTPSClient(err error) bool {
 	return strings.Contains(err.Error(), unexposed)
 }
 
+// IsErrConnectionRefused return whether err is
+// "connect: connection refused"
+func IsErrConnectionRefused(err error) bool {
+	const errMessage = "connect: connection refused"
+	return strings.Contains(err.Error(), errMessage)
+}
+
 // PullImage pulls an image using the specified resolver.
 func PullImage(ctx context.Context, client *containerd.Client, stdout, stderr io.Writer, snapshotter string, resolver remotes.Resolver, ref string, ocispecPlatforms []ocispec.Platform, unpack *bool, quiet bool) (*EnsuredImage, error) {
 	ctx, done, err := client.WithLease(ctx)
diff --git a/pkg/mountutil/mountutil.go b/pkg/mountutil/mountutil.go
@@ -53,6 +53,7 @@ func ProcessFlagV(s string, volStore volumestore.VolumeStore) (*Processed, error
 		src, dst string
 		options  []string
 	)
+
 	split := strings.Split(s, ":")
 	switch len(split) {
 	case 1:
diff --git a/pkg/testutil/testregistry/testregistry_linux.go b/pkg/testutil/testregistry/testregistry_linux.go
@@ -40,12 +40,12 @@ type TestRegistry struct {
 	Logs       func()
 }
 
-func NewPlainHTTP(base *testutil.Base) *TestRegistry {
+func NewPlainHTTP(base *testutil.Base, port int) *TestRegistry {
 	hostIP, err := nettestutil.NonLoopbackIPv4()
 	assert.NilError(base.T, err)
 	// listen on 0.0.0.0 to enable 127.0.0.1
 	listenIP := net.ParseIP("0.0.0.0")
-	const listenPort = 5000 // TODO: choose random empty port
+	listenPort := port
 	base.T.Logf("hostIP=%q, listenIP=%q, listenPort=%d", hostIP, listenIP, listenPort)
 
 	registryContainerName := "reg-" + testutil.Identifier(base.T)

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,8 @@ func pushAction(cmd *cobra.Command, args []string) error {`
`183`	`183`	`return err`
`184`	`184`	`}`
`185`	`185`	`if err = pushFunc(resolver); err != nil {`
`186`		`- if !imgutil.IsErrHTTPResponseToHTTPSClient(err) {`
	`186`	`+ // In some circumstance (e.g. people just use 80 port to support pure http), the error will contain message like "dial tcp <port>: connection refused"`
	`187`	`+ if !imgutil.IsErrHTTPResponseToHTTPSClient(err) && !imgutil.IsErrConnectionRefused(err) {`
`187`	`188`	`return err`
`188`	`189`	`}`
`189`	`190`	`if insecure {`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ func ProcessFlagV(s string, volStore volumestore.VolumeStore) (*Processed, error`
`53`	`53`	`src, dst string`
`54`	`54`	`options []string`
`55`	`55`	`)`
	`56`	`+`
`56`	`57`	`split := strings.Split(s, ":")`
`57`	`58`	`switch len(split) {`
`58`	`59`	`case 1:`