Comments (4)
This is a behavior change from the historical behavior of localhost with containerd that only presents when configuring the new (recommended) format. Note we can do the override for containerd, something like (assuming using the default nodeport of 31999 in Zarf):
/etc/containerd/certs.d/127.0.0.1:31999/hosts.toml
[host."http://127.0.0.1:31999"]
capabilities = ["pull", "resolve"]
insecure_skip_verify = true
but that still breaks Zarf's ability to operate without manipulating K8s nodes directly. Even if we could manipulate the nodes via a daemonset (which is not ideal from a security standpoint), this still would not work because Zarf cannot guarantee an image is available for the daemonset due to being in an air-gapped environment.
The way Zarf accomplishes this today is by mounting a pod with en existing image from the cluster, but there's no guarantee new nodes will have that image, especially when upgrading nodes. This is also true for the pause image.
from containerd.
It requires a TLS server to respond with an http response after the connection is established
The TLS client will see an http response and fail the round trip, which can then be retried as http. If it is a TLS server, the fallback just passes through the response. The error here is that the fallback roundtripper is expecting the TLS client to receive an HTTP response, but in this case gets a handshake timeout. We can treat the handshake timeout as a fallback trigger here. There is also one more optimization to save the last fallback server to continue using http. Otherwise TLS will be attempted on each RoundTrip call. I'm working on these two changes which should solve this issue.
I think that the case mentioned should continue using the fallback and the best way to avoid it would be to add a configuration for the host. The fallback is to match existing expected behavior that Docker does and it is even more common now for services to default to using TLS even on localhost. For just testing/development it makes sense to use TLS on even on localhost since that will be used when moving to another environment. For local services, it makes sense to have a local configuration which could explicitly set the scheme and avoid the fallback.
from containerd.
I'm not sure I understand how the roundTripper fallback is supposed to function. It requires a TLS server to respond with an http
response after the connection is established, so an http-only server wouldn't be compatible with this fallback mechanism. Also since this is against 127.0.0.1
/localhost
, I'm not sure how this would function as-designed without additional out-of-band management either through the host CA Trust or containerd hosts.toml
config because you can't normally issue a valid cert to localhost, at least not on public CAs.
containerd/core/remotes/docker/resolver.go
Line 727 in 0807efb
from containerd.
Thanks for the detailed reply, that does clear some things up with the behavior we were seeing, definitely the timeout issue.
Digging through this a bit more on our side, our behavior in rust uses rouille, which uses tiny-http and that essentially waits until the connection drops looking for the end of line, which it never sees as it's the beginning of the TLS negotiation.
We will also explore on our side alternative libraries or PRs with those libraries to address this behavior. In go, net/http connection is closed automatically it looks like.
go response:
docker run -d -p 5000:5000 --restart always registry:2
openssl s_client -alpn h2,http/1.1 -connect 127.0.0.1:5000
Connecting to 127.0.0.1
CONNECTED(00000003)
C09E7FD901000000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:ssl/record/methods/tls_common.c:655:
C09E7FD901000000:error:0A000139:SSL routines::record layer failure:ssl/record/rec_layer_s3.c:650:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 324 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
curl -kv https://localhost:5000/v2/library/registry/manifests/2.8.3
* Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
our rust response:
openssl s_client -alpn h2,http/1.1 -connect 127.0.0.1:5000
Connecting to 127.0.0.1
CONNECTED(00000003)
***HANGS***
curl -kv https://localhost:5000/v2/library/registry/manifests/2.8.3
* Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
***HANGS***
from containerd.
Related Issues (20)
- ctr exec hang when use containerd 1.6.31 HOT 4
- introspectRuntimeFeatures crashes containerd service startup (untrusted runtime plugin) HOT 4
- container image signature verification at containerd HOT 2
- Can't skip tls cert verify when fetching blob from external urls
- docs: image and registry config guide need to be updated
- Trying to work with spegel for faster image pull times but fails since we have private tls certificates. HOT 1
- In a cgroup2 enviroment, runing a container in a container failed. HOT 2
- NRI plugin registration can trigger a deadlock HOT 11
- Duplicate images coming with <none>:<none> tag
- When a runtime is specified as default_runtime_name, the cri_handler of the runtime cannot be used.
- runc-shim-v2 hold lock cause cri can't delete container HOT 2
- Add support for container restore from a checkpoint in Kubernetes
- ExecSync did not return according to the timeout set in the request HOT 3
- [1.6/1.7] kubernetes ephemeral-storage limits not enforced with remote snapshotters HOT 3
- Executing 'nsenter -at pid' to enter a container does not generate any logs. HOT 1
- imageverifier plugin CLI Arguments format issue HOT 6
- io.containerd.grpc.v1.cri config does not migrate
- `containerd config default` uses `io.containerd.cri.v1.runtime`, while doc uses `io.containerd.grpc.v1.cri` HOT 2
- ctr pull images err archive/tar: invalid tar header: unknown HOT 5
- kubelet and containerd in endless loop for CreateContainer with unexpected media type octet-stream HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from containerd.