client: define a "dummy" hostname to use for local connections#45942
thaJeztah merged 4 commits into moby:master
I also opened #45943 to verify the combination of this patch with go1.20.6.
Ah, looks like I overlooked a test;

force-pushed 9ae0fb8 to 859ef78
Looks like we need more code updated; From #45943
pkg/plugins/client.go
| return transport.NewHTTPTransport(tr, scheme, socket), nil | ||
| return transport.NewHTTPTransport(tr, scheme, dummyHost), nil |
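Review bot: swapping socket for dummyHost in the call to transport.NewHTTPTransport replaces the address the transport is built from, not only the Host header it sends, and the TestFailOnce output posted right after this shows the effect: the dialer tries `lookup plugin.moby.localhost` through DNS and fails with `no such host`. The dummy name should only be applied to the request's Host/URL host, while the address used for dialing stays the real one, so the transport needs to be given both values rather than dummyHost alone.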
Arf.. this needs more work;
=== FAIL: pkg/plugins TestFailOnce (15.02s)
time="2023-07-12T13:13:54Z" level=warning msg="Unable to connect to plugin: plugin.moby.localhost/Test.FailOnce: Post \"http://plugin.moby.localhost/Test.FailOnce\": dial tcp: lookup plugin.moby.localhost on 10.100.0.2:53: no such host, retrying in 1s"
time="2023-07-12T13:13:55Z" level=warning msg="Unable to connect to plugin: plugin.moby.localhost/Test.FailOnce: Post \"http://plugin.moby.localhost/Test.FailOnce\": dial tcp: lookup plugin.moby.localhost on 10.100.0.2:53: no such host, retrying in 2s"
time="2023-07-12T13:13:57Z" level=warning msg="Unable to connect to plugin: plugin.moby.localhost/Test.FailOnce: Post \"http://plugin.moby.localhost/Test.FailOnce\": dial tcp: lookup plugin.moby.localhost on 10.100.0.2:53: no such host, retrying in 4s"
time="2023-07-12T13:14:01Z" level=warning msg="Unable to connect to plugin: plugin.moby.localhost/Test.FailOnce: Post \"http://plugin.moby.localhost/Test.FailOnce\": dial tcp: lookup plugin.moby.localhost on 10.100.0.2:53: no such host, retrying in 8s"
client_test.go:62: Post "http://plugin.moby.localhost/Test.FailOnce": dial tcp: lookup plugin.moby.localhost on 10.100.0.2:53: no such host
force-pushed a8b2770 to 9d24ef4
And more to fix;
force-pushed 9d24ef4 to 61a41ba
Some more;
force-pushed 61a41ba to 08aaec1
corhere left a comment
There is a more standards-compliant choice of Host header value for local communications: the empty string.
client/client.go
| // For local communications (npipe://, unix://), the hostname is not used, | ||
| // but we need valid and meaningful hostname. |
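Review bot: the second comment line reads "we need valid and meaningful hostname"; make it "a valid and meaningful hostname" and state why the value matters, namely that go1.20.6 and go1.19.11 reject a Host header that carries the socket path (the CVE-2023-29406 change described in the PR description), so that a later reader does not reintroduce the client's addr here.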
If the authority component is missing or undefined for the target URI, then a client MUST send a Host header field with an empty field-value.
The authority component is undefined for the unix scheme, therefore the empty string is the valid and meaningful host name to use.
force-pushed 08aaec1 to d565fe6
corhere left a comment
Getting Go's HTTP client infrastructure to cooperate with sending an empty Host request header is going to be a big uphill battle which likely would require substituting a non-trivial amount of the machinery with custom implementations. Let's just stick with the *.localhost dummy strings for now. localhost is a reserved TLD, and UNIX domain sockets are only accessible on the local host, so it is a logical, future-proof and fairly self-documenting choice.
force-pushed 2df6195 to c025300
Go 1.20.6 and 1.19.11 include a security check of the http Host header: golang/go#60374

docker-cli does not satisfy this check:

$ docker exec -it ctr bash
http: invalid Host header

This is a backported patch to fix this issue:

Issue: moby/moby#45935
Upstream PR: moby/moby#45942

The upstream PR has been merged and will be included in v24.0.5.

Signed-off-by: Christian Stewart <christian@aperture.us>
Docker daemon started to fail at handling most local connections when being compiled with Go 1.19.11, which addresses CVE-2023-29406 by blocking invalid host headers of HTTP/1. As a workaround, Docker started to define a dummy host header, and to use it for local connections. Backport the fixes to Flatcar to avoid failures. See also moby/moby#45935, moby/moby#45942.
Docker client and daemon started to fail at sending or handling most local connections when being compiled with Go 1.19.11, which addresses CVE-2023-29406 by blocking invalid host headers of HTTP/1. As a workaround, Docker started to define a dummy host header, and to use it for local connections. Backport the fixes to Flatcar to fix the runtime failures. See also moby/moby#45935, moby/moby#45942.
As a security fix, Go implemented stricter checks for the Host header in the http package. This breaks the Go Docker client library [1] resulting in "http: invalid Host header" errors in our integration tests. A fix [2] was merged to the 24.0 branch, but is not yet included in a release. Therefore, this commit updates the dependency to a specific commit (`go get -u github.com/docker/docker@24.0`). Once it's included in a release, this can be switched back to using a release version. [1] moby/moby#45935 [2] moby/moby#45942
* NR-100933 chore: upgrade to Go 1.20
* ci: set high severity threshold for snyk (#40)
* fix: pin to 1.20.5 for test image
  see testcontainers/testcontainers-go#1359 and moby/moby#45942

---------

Co-authored-by: Roger Coll <rogercoll@protonmail.com>
For local communications (npipe://, unix://), the hostname is not used, but we need a valid and meaningful hostname.

The current code used the client's `addr` as hostname in some cases, which could contain the path for the unix-socket (/var/run/docker.sock), which gets rejected by go1.20.6 and go1.19.11 because of a security fix for CVE-2023-29406, which was implemented in https://go.dev/issue/60374. Prior versions of Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header.

This patch introduces a `DummyHost` const, and uses this dummy host for cases where we don't need an actual hostname.

Before this patch (using go1.20.6):
With this patch applied: