Utility package to work with network connections
Home Page: https://pkg.go.dev/github.com/docker/go-connections
License: Apache License 2.0
go-connections provides common package to work with network connections.
See the docs in godoc for examples and documentation.
go-connections is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.
I think if this is a separated repo, we can not make sure sock will be created under root role. So I propose changing 0 to os.Getuid(), or like gid assigned by custom
TestConfigServerExclusiveRootPools: see go-connections/tlsconfig/config_test.go
Lines 202 to 205 in 5cc4da5
TestConfigClientExclusiveRootPools: see go-connections/tlsconfig/config_test.go
Lines 566 to 569 in 5cc4da5
Both tests break with the following error:
Unable to verify certificate 1: x509: certificate signed by unknown authority
certificate 1 being systemRootTrustedCert:
go-connections/tlsconfig/config_test.go
Lines 20 to 41 in 5cc4da5
As noted in d5807de commit message:
The
(*Certificate).Verify()method fromcrypto/x509special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.
So either the syscall made by Verify() to retrieve the system-wide cert bundle return an empty set, it's out-of-date, or something else happen.
SortPortMap function in sort.go file invalid sorts ports array in case if binding is empty array. This leads to incorrect behaviour in Docker and ErrPortAlreadyAllocated (“Bind for %s:%d failed: port is already allocated”) error during container startup.
This may happen, for example, if following HostConfig has been sent to Docker API during container creation:
"HostConfig":{"PortBindings":{"443/tcp":null,"80/tcp":null,"8443/tcp":[{"HostIp":"10.4.62.92","HostPort":"32768"}]}
In this case empty bindings will be created for 443 and 80 ports.
I’m ready to provide patch for this issue (just add && len(binding) > 0 check), but want to discuss this first.
In this https://github.com/docker/go-connections/blob/master/tlsconfig/config.go#L43, is said 'CBC cipher suites - will phase out in the future'. I want to know can the CBC cipher suites be phase out now. Or if it is removed, what the influence it is?
According to this comment in the code:
go-connections/tlsconfig/config_test.go
Line 14 in 851a7fc
The certificate expired Mar 17, 2021. Due to that, TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools are failing. Take a look at this test log in the Ubuntu infrastructure:
If a server, such as grpc, is trying to set an app protocol and uses this lib for the socket then it will be overridden by
go-connections/sockets/tcp_socket.go
Line 18 in 58542c7
This was probably unnoticed until go 1.17 when enforcement became strict https://golang.org/doc/go1.17#ALPN
The issue we are experiencing is when a security scan is issued against our docker hosts, they are found vulnerable to TLS version 1.0 and 1.1 on port 2376. We are using a self signed certificate.
Perhaps a daemon configuration option could be added to disable/enable TLS versions or just remove support for the vulnerable versions of TLS for the daemon.
openssl s_client -connect dockerhost01:2376 -tls1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
**Secure Renegotiation IS supported**
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
~~~~ output omitted ~~~~
_openssl s_client -connect dockerhost01:2376 -tls1_1_
~~~~ output omitted ~~~~
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
**Secure Renegotiation IS supported**
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
~~~~ output omitted ~~~~
broker := func(to, from *net.TCPConn) {
written, err := io.Copy(to, from)
if err != nil {
// If the socket we are writing to is shutdown with
// SHUT_WR, forward it to the other end of the pipe:
if err, ok := err.(*net.OpError); ok && err.Err == syscall.EPIPE {
_ = from.CloseRead()
}
}
_ = to.CloseWrite()
event <- written
}net.OpError.Err is *os.SyscallError, os.SyscallError.Err can not be syscall.Errno
maybe this is expected behavior
broker := func(to, from *net.TCPConn) {
written, err := io.Copy(to, from)
if err != nil {
// If the socket we are writing to is shutdown with
// SHUT_WR, forward it to the other end of the pipe:
var errno syscall.Errno
if errors.As(err, &errno) && errno == syscall.EPIPE {
_ = from.CloseRead()
}
}
_ = to.CloseWrite()
event <- written
} read, err := proxyConn.Read(readBuf)
// ....
for i := 0; i != read; {
written, err := proxy.listener.WriteToUDP(readBuf[i:read], clientAddr)
if err != nil {
return
}
i += written
}udp is datagram protocol, this code looks like readBuf is a stream of bytes. Sending a 10 byte datagram is different from sending two 5-byte datagrams
Hi,
After last update an issue appear during my application compilation:
sockets_unix.go:24:28: undefined: context
in sockets_unix.go you are using context.Context but context package is not imported.
usage:
tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
return dialer.DialContext(ctx, proto, addr)
}import:
import (
"fmt"
"net"
"net/http"
"syscall"
"time"
)Here is a demo repo that demonstrates the bug. You can toggle on/off the replace in the go.mod in order to switch the bug on and off. The example uses the docker client. This problem doesn't exist in 0.4.0.
There's a problem in master currently where it overrides the proto and doesn't reset it when a new scheme is applied. This had the effect of making request to a unix socket even though an http endpoint was specified for the docker engine.
A debugging session indicated the problem was from a removal of piece of code in sockets.go, which was changed here: https://github.com/docker/go-connections/pull/61/files#r923998601
The issue seems possibly related to the following which also had trouble making TCP connections:
This error is reproducible with 0.3.0:
=== RUN TestConfigServerTLSClientCASet
--- FAIL: TestConfigServerTLSClientCASet (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x548ecb]
goroutine 8 [running]:
testing.tRunner.func1(0xc4200a63c0)
/usr/lib/go-1.9/src/testing/testing.go:711 +0x2d2
panic(0x58f140, 0x69df40)
/usr/lib/go-1.9/src/runtime/panic.go:491 +0x283
crypto/x509.(*CertPool).AddCert(0x0, 0xc4200ea000)
/usr/lib/go-1.9/src/crypto/x509/cert_pool.go:95 +0x6b
crypto/x509.(*CertPool).AppendCertsFromPEM(0x0, 0xc4200e0900, 0x620, 0x820, 0x820)
/usr/lib/go-1.9/src/crypto/x509/cert_pool.go:128 +0x13a
github.com/docker/go-connections/tlsconfig.certPool(0x5c74d6, 0x2e, 0x5c7100, 0x2c, 0xc4200dca40, 0x1)
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/github.com/docker/go-connections/tlsconfig/config.go:105 +0x283
github.com/docker/go-connections/tlsconfig.Server(0x5c74d6, 0x2e, 0x5c728d, 0x2d, 0x5c712d, 0x2c, 0x0, 0x3, 0x0, 0x0, ...)
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/github.com/docker/go-connections/tlsconfig/config.go:232 +0x564
github.com/docker/go-connections/tlsconfig.TestConfigServerTLSClientCASet(0xc4200a63c0)
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/github.com/docker/go-connections/tlsconfig/config_test.go:175 +0x109
testing.tRunner(0xc4200a63c0, 0x5ca8d8)
/usr/lib/go-1.9/src/testing/testing.go:746 +0xd0
created by testing.(*T).Run
/usr/lib/go-1.9/src/testing/testing.go:789 +0x2de
exit status 2
FAIL github.com/docker/go-connections/tlsconfig 0.027s
Here's the full log (originally at buildd.debian.org). See also Debian bug #871651
This tag will have go.mod, updated dependencies, etc.
Hey folks,
Thanks for keep maintaining this!
Can you publish a new release? The latest tagged release is v0.4.0 which is released on 28 Feb 2018.
Thanks in advance.
Go 1.7 added x509.SystemCertPool().
It'd be nice to support this in the TLS configs instead of the empty cert pool (perhaps optionally?) on go 1.7 builds using a build tag.
Not sure if we should default to the TLS config being an empty cert pool or the system cert pool - should there be an extra option in the config options?
A minor inconsistency in error handling between two functions in the Port type.
In the Int function, there is a comment suggesting that the error should be ignored:
Lines 80 to 87 in fa09c95
However, in the Range function, there is no similar comment, and the error is returned, even though the same case applies here:
Lines 89 to 92 in fa09c95
For consistency and to adhere to the principle of least surprise, it would be beneficial to add a similar comment in the Range function and ignore the error.
We have this comment:
go-connections/tlsconfig/config.go
Line 43 in 58542c7
Perhaps it is time to go ahead and make good on that comment?
"A little copying is better than a little dependency."
This package contains a large amount of boilerplate that should just become part of the target project, rather than used across projects.
Please see https://go-proverbs.github.io/ for a full list.
Currently, tlsconfig only works by loading PEM data from files. In some scenarios, we might not want to let tlsconfig load PEM data itself (e.g.: because it is not stored in separate files), but provide it with already loaded PEM data.
A PR is coming to fix this issue.
We should tag the v0.3.0 (or v0.2.1) release (and update vendoring in docker/docker)
/ping @calavera @thaJeztah @icecrime @dnephin
faddat@debian:~/.gvm/pkgsets/go1.8/global/src/github.com/sg3des/goatee$ make
go build -ldflags="-s -w"
could not determine kind of name for C.toGFontSelection
Makefile:9: recipe for target 'build' failed
make: *** [build] Error 2
go1.8
While trying to vendor go-connections in docker, as a follow up to #31, I get compilation errors.
This is because of a change to 'NewUnixSocket', changing the type of group argument from string to int.
go-connections/sockets/unix_socket.go
Lines 11 to 12 in 1b14b2d
// NewUnixSocket creates a unix socket with the specified path and group. func NewUnixSocket(path string, gid int) (net.Listener, error) { if err := syscall.Unlink(path); err != nil && !os.IsNotExist(err) {
The NewUnixSocket interface now expects an integer as gid, instead of group name, which was the previous signature of 'NewUnixSocket'.
This breaks docker/docker, as the code depends on the version that accepted a string as group:
l, err := sockets.NewUnixSocket(addr, socketGroup)
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.