Ignore invalid host header between go1.6 and old docker clients#22000
Ignore invalid host header between go1.6 and old docker clients#22000vdemeester merged 1 commit intomoby:masterfrom
Conversation
16f0627 to
1caaf5a
Compare
|
we're not using Go 1.6 and I'd rather not scan the connection in each request looking for that header. |
any other idea on how to do this then? I understand you're not using go1.6 now but then 1.7 will have the same issue and old clients will be broken. |
|
I think our downstreams would appreciate having some official solution to this sooner rather than later. 😢 (Since they're going to be increasingly bit by this the further away from Go 1.6's release we get.) I ran into it on Gentoo and was thankful to see this patch which does fix the issue for me locally (and I don't mind the minor perf hit of the header scanning). IMO since we'll need it eventually, we might as well be working on ways to work around it so we're prepared. |
There was a problem hiding this comment.
Wouldn't this be slightly simpler with:
if strings.HasPrefix(parts[1], "Host: /") {
# old docker stuff
} else {
head = parts
}There was a problem hiding this comment.
The first if just skips any other clients except the docker client itself. I don't think we want to fix other clients that could send invalid host header - we're just interested in the docker client case. so if you use curl with an invalid host header not at parts[1](like the docker client) you'll be getting the invalid host header error and we shouldn't care, curl|users should.
There was a problem hiding this comment.
They both have the same logic. What case am I missing?
| parts[1] | current code | new code |
|---|---|---|
| foo | head=parts | head=parts |
| Host: bar | head=parts | head=parts |
| Host: /baz | handle stuff | handle stuff |
|
ping @icecrime |
|
Wondering if we really think this will be a problem in the 1.12 time-frame. |
|
ppl could have the old docker client built in an image and suddenly it stops working. |
|
Let's add a Docker envvar that allows people to add the hacky workaround. Let's document it properly and warn that we will remove it in 2 releases. |
|
This seems like an untenable amount of technical debt to take on, especially considering that the Host header is clearly invalid. This fix is a future bug waiting to happen. What's wrong with requiring old clients to connect over http? Can we not backport a fix to correctly set the host header? |
|
@stevvooe concerns were raised that even if we would back port a fix to older versions (which we basically don't do), there would be containers around containing older docker clients that connect using a socket ( |
|
I'm modifying this patch to use an env variable daemon side and activate this behavior, as @tibor said, we'll remove it in 2 releases |
untenable? Supporting this as an env variable is IMO anything but untenable. People who needs this will provide the variable, people who doesn't won't. We'll remove these specific files in two releases and it'll be straightforward... |
f71ec21 to
35c2cd1
Compare
|
I've moved everything docker-side so when/if this will be removed it will be straightforward to do so and we don't clutter |
cmd/dockerd/daemon_unix.go
Outdated
There was a problem hiding this comment.
naming here is greatly welcome 😄
|
ping @tiborvass @tianon @cpuguy83 Starting the daemon w/o and w/ ( |
cmd/dockerd/daemon_windows.go
Outdated
35c2cd1 to
fe95987
Compare
|
how should we name the environment var? |
|
code looks good to me so far - if we can just get the docs and perhaps a testcase? |
|
Note that the environment variable is removed in #22888, and this is now the default |
|
🎉 |
…ents upstream reference: moby#22000 BenchmarkWithHack-4 50000 37082 ns/op 44.50 MB/s 1920 B/op 30 allocs/op BenchmarkNoHack-4 50000 30829 ns/op 53.52 MB/s 0 B/op 0 allocs/op Signed-off-by: Brian Goff <cpuguy83@gmail.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
…ents Upstream reference: moby#22000 Upstream reference: moby#23046 Upstream reference: moby#22888 Signed-off-by: Antonio Murdaca <runcom@redhat.com>
BenchmarkWithHack-4 50000 37082 ns/op 44.50 MB/s 1920 B/op 30 allocs/op BenchmarkNoHack-4 50000 30829 ns/op 53.52 MB/s 0 B/op 0 allocs/op bump go version to v1.7 will hit issue: moby#20865 backport this patch for fix this. cherry-pick from: moby#22000 Use a 1.9.1 client connect to a 1.11.2 daemon which is build by golang 1.7.1 before this patch: ``` $ ./docker-1.9.1 version WARNING: Error loading config file:Invalid auth configuration file Client: Version: 1.9.1 API version: 1.21 Go version: go1.4.3 Git commit: a34a1d5 Built: Fri Nov 20 17:56:04 UTC 2015 OS/Arch: linux/amd64 Error response from daemon: 400 Bad Request: malformed Host header ``` after this patch ``` $ ./docker-1.9.1 version WARNING: Error loading config file:Invalid auth configuration file Client: Version: 1.9.1 API version: 1.21 Go version: go1.4.3 Git commit: a34a1d5 Built: Fri Nov 20 17:56:04 UTC 2015 OS/Arch: linux/amd64 Server: Version: 1.11.2 API version: 1.23 Go version: go1.7.1 Git commit: 69f8a6b-unsupported Built: 2017-01-10T03:03:45.940523050+00:00 OS/Arch: linux/amd64 ``` Signed-off-by: Brian Goff <cpuguy83@gmail.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Lei Jitang <leijitang@huawei.com>
Ignore invalid host header between go1.6 and old docker clients to bump go to v1.7.1 ``` BenchmarkWithHack-4 50000 37082 ns/op 44.50 MB/s 1920 B/op 30 allocs/op BenchmarkNoHack-4 50000 30829 ns/op 53.52 MB/s 0 B/op 0 allocs/op ``` bump go version to v1.7 will hit issue: moby#20865 backport this patch for fix this. cherry-pick from: moby#22000 Use a 1.9.1 client connect to a 1.11.2 daemon which is build by golang 1.7.1 before this patch: ``` $ ./docker-1.9.1 version WARNING: Error loading config file:Invalid auth configuration file Client: Version: 1.9.1 API version: 1.21 Go version: go1.4.3 Git commit: a34a1d5 Built: Fri Nov 20 17:56:04 UTC 2015 OS/Arch: linux/amd64 Error response from daemon: 400 Bad Request: malformed Host header ``` after this patch ``` $ ./docker-1.9.1 version WARNING: Error loading config file:Invalid auth configuration file Client: Version: 1.9.1 API version: 1.21 Go version: go1.4.3 Git commit: a34a1d5 Built: Fri Nov 20 17:56:04 UTC 2015 OS/Arch: linux/amd64 Server: Version: 1.11.2 API version: 1.23 Go version: go1.7.1 Git commit: 69f8a6b-unsupported Built: 2017-01-10T03:03:45.940523050+00:00 OS/Arch: linux/amd64 ``` Signed-off-by: Brian Goff <cpuguy83@gmail.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Lei Jitang <leijitang@huawei.com> See merge request docker/docker!244
This hack was added to fix a compatibility with clients that were built using Go 1.5 and older (added in 3d6f598) This hack causes some problems with current clients; with Go 1.5 and older no longer being supported for some time, and being several years old, it should now be ok to remove this hack altogether. People using tools that are built with those versions of Go wouldn't have updated those for years, and are probably out of date anyway; that's not something we can continue taking into account. This will affect docker clients (the docker cli) for docker 1.12 and older. Those versions have reached EOL a long time ago (and have known unpatched vulnerabilities), so should no longer be used anyway, but We should add a nebtuib in the release notes, just in case someone, somewhere, still has such old tools. For those affected, using a more recent client (and if needed, setting the DOCKER_API_VERSION environment variable to the needed API version) should provide a way out. This reverts the changes originally made in; moby#22000 and moby#22888, which were to address moby#20865. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This hack was added to fix a compatibility with clients that were built using Go 1.5 and older (added in 3d6f598) This hack causes some problems with current clients; with Go 1.5 and older no longer being supported for some time, and being several years old, it should now be ok to remove this hack altogether. People using tools that are built with those versions of Go wouldn't have updated those for years, and are probably out of date anyway; that's not something we can continue taking into account. This will affect docker clients (the docker cli) for docker 1.12 and older. Those versions have reached EOL a long time ago (and have known unpatched vulnerabilities), so should no longer be used anyway, but We should add a nebtuib in the release notes, just in case someone, somewhere, still has such old tools. For those affected, using a more recent client (and if needed, setting the DOCKER_API_VERSION environment variable to the needed API version) should provide a way out. This reverts the changes originally made in; moby#22000 and moby#22888, which were to address moby#20865. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This hack was added to fix a compatibility with clients that were built using Go 1.5 and older (added in 3d6f598) This hack causes some problems with current clients; with Go 1.5 and older no longer being supported for some time, and being several years old, it should now be ok to remove this hack altogether. People using tools that are built with those versions of Go wouldn't have updated those for years, and are probably out of date anyway; that's not something we can continue taking into account. This will affect docker clients (the docker cli) for docker 1.12 and older. Those versions have reached EOL a long time ago (and have known unpatched vulnerabilities), so should no longer be used anyway, but We should add a nebtuib in the release notes, just in case someone, somewhere, still has such old tools. For those affected, using a more recent client (and if needed, setting the DOCKER_API_VERSION environment variable to the needed API version) should provide a way out. This reverts the changes originally made in; moby#22000 and moby#22888, which were to address moby#20865. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: zach <Zachary.Joyner@linux.com>
between go1.6 and old docker clients Origin: moby#22000
Fix: #20865
reworked the patch from @ibuildthecloud just in case Docker still needs this or something like this
ping @cpuguy83
Signed-off-by: Antonio Murdaca runcom@redhat.com