containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

Even when explicitly passing https, registry requests to localhost are downgraded to http

apostasie opened this issue · comments

Description

nerdctl login https://127.0.0.1:5000 will always be downgraded to http://127.0.0.1:5000

It seems to be because of the faulty logic in remotes/docker/config/hosts.go that apparently considers "the scheme is ambiguous" as the port is non-standard and the host is localhost.

Whether they fixed it for 2.0 is unclear to me at this point.

Steps to reproduce the issue

  1. nerdctl login https://127.0.0.1:5000

Describe the results you received and expected

Seeing: request downgraded to http://127.0.0.1:5000

Should see: not downgraded, the scheme is explicit

What version of nerdctl are you using?

1.7.6 / main

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

I believe we should rewrite / clean up our whole login/logout workflow.
Specifically:

  • we should clearly isolate docker stuff in a separate package (auth file manipulation)
  • remove duplication
  • we keep parsing the address (or extracting the host part of it) - we should instead parse it once into a *url.URL, normalize what has to be, and carry that around instead of dropping the scheme and passing half-complete strings around
  • we should also explicitly set the port if omitted (to simplify hosts.toml resolution - see #3047 for an example).

Overall, the whole Docker approach "downgrade to http if XYZ" has always been a problem since 2014 (stemming from a deeply flawed understanding of TLS security model) and we should clean up the remnants of it so that we have a clear, documented path for it that we can reason about and that makes sense.

In light of #3052, this ticket should be more about "allowing the user to disable insecure-registry for localhost", which does not seem possible right now.
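The parse-once-and-normalize approach proposed in the comment above, as an added example that is not nerdctl's or containerd's own code. `NormalizeRegistryAddress` and `isLoopback` are hypothetical names; the `plainHTTPLocalhost` flag stands in for an explicit user opt-in, so that an explicit `https://` is never downgraded and loopback only gets plain HTTP when asked for.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// NormalizeRegistryAddress parses a registry address once into a *url.URL and
// normalizes it (hypothetical helper, not nerdctl's own code): an explicit
// http/https scheme is kept and never downgraded; without a scheme https is
// assumed, and a loopback host gets http only if plainHTTPLocalhost is set;
// a missing port is filled from the scheme so lookups see one "host:port".
func NormalizeRegistryAddress(addr string, plainHTTPLocalhost bool) (*url.URL, error) {
	addr = strings.TrimSpace(addr)
	// url.Parse reads "host:port" as scheme "host"; mark it as an authority first.
	if !strings.Contains(addr, "://") {
		addr = "//" + addr
	}
	u, err := url.Parse(addr)
	if err != nil {
		return nil, err
	}
	if u.Hostname() == "" {
		return nil, fmt.Errorf("registry address %q has no host", addr)
	}
	switch u.Scheme {
	case "http", "https": // explicit scheme: respected unconditionally
	case "":
		u.Scheme = "https"
		if plainHTTPLocalhost && isLoopback(u.Hostname()) {
			u.Scheme = "http"
		}
	default:
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Port() == "" {
		port := map[string]string{"http": "80", "https": "443"}[u.Scheme]
		u.Host = net.JoinHostPort(u.Hostname(), port) // brackets IPv6 literals
	}
	return u, nil
}

// isLoopback reports whether host is "localhost" or a loopback IP literal.
func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}
```

With this, `https://127.0.0.1:5000` from the report stays `https://127.0.0.1:5000`, and a bare `localhost:5000` only becomes `http://localhost:5000` when the caller passes `plainHTTPLocalhost=true`.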