feat(http): add support for listening on a unix socket #1193

Open: wants to merge 1 commit into base: main

Conversation

smoser

@smoser smoser commented Feb 13, 2023

This adds support for listening on a local unix socket by specifying in config http.address of "unix:/path/to/name.socket".

You can then interact with the api over that socket with:

curl --unix-socket /tmp/zot.socket http://ignored.example.com/v2/name/tags/list

What type of PR is this?
feature - enable listening on a unix socket.

Which issue does this PR fix:
N/A

What does this PR do / Why do we need it:
I'm looking at a use case where I populate zot storage by running a zot and loading content to it. In this scenario there is no need for networking or exposing the zot to even localhost network.

If an issue # is not available please add repro steps and logs showing the issue:

Testing done on this change:

Automation added to e2e:

Will this break upgrades or downgrades?

Does this PR introduce any user-facing change?:


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

var listener net.Listener
var err error

if strings.HasPrefix(c.Config.HTTP.Address, "unix:") {
@andaaron andaaron (Contributor) commented Feb 13, 2023

There should be a test to cover this type of configuration.

As a separate note, commits need to be signed using "git commit -s -S"

Contributor:

Wait, why not just listen on localhost?

Author:

> Wait, why not just listen on localhost?

Any process on the system can reach a 'localhost' endpoint while unix sockets are protected by filesystem permissions. I agree that this isn't a huge win, as I could protect access to the zot via htpasswd auth and a randomly generated username/key, but that comes for free with a unix socket.

I'll accept that unix socket support isn't needed at the moment, but rejecting the use of unix sockets due to the availability of 'localhost' isn't an idea that would stand on its own very long. I really did this as a proof of concept.
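Below is an added example (not zot's code and not from this PR) of what the description and the reply above describe: an `http.address` value of `unix:/path/to/name.socket` selecting a unix-socket listener, the socket file restricted by mode so that only the owning user can connect, and a Go client that dials the socket the way `curl --unix-socket` does, with the URL host ignored. The function names `listenFromAddress`, `unixClient` and `roundTrip` are this example's own; the real zot listener setup may differ.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// listenFromAddress applies the "unix:" prefix convention from the PR
// description: "unix:/path/to/name.socket" yields a unix-socket listener,
// any other value is treated as a TCP host:port. (Added example; not zot's
// own listener code.)
func listenFromAddress(address string) (net.Listener, error) {
	if !strings.HasPrefix(address, "unix:") {
		return net.Listen("tcp", address)
	}
	path := strings.TrimPrefix(address, "unix:")

	// A socket file left behind by a crashed server makes Listen fail with
	// "address already in use", so remove it first (a missing file is fine).
	if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	// On a unix socket the file mode is the access control: 0600 means only
	// the owning user (and root) can connect. There is a short window before
	// Chmod lands, so place the socket in a directory that is itself 0700.
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

// unixClient is the Go equivalent of `curl --unix-socket`: every dial goes
// to the socket, so the host in the URL is ignored, as in the PR's example.
func unixClient(socketPath string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", socketPath)
		},
	}}
}

// roundTrip serves a minimal handler on the configured address, fetches a
// registry-style path through the socket, and returns the response body and
// the socket file's permission bits.
func roundTrip(address string) (string, os.FileMode, error) {
	ln, err := listenFromAddress(address)
	if err != nil {
		return "", 0, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "path=%s host=%s", r.URL.Path, r.Host)
	})}
	go srv.Serve(ln)
	defer srv.Close() // closes the listener, which unlinks the socket file

	socketPath := strings.TrimPrefix(address, "unix:")
	resp, err := unixClient(socketPath).Get("http://ignored.example.com/v2/name/tags/list")
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	st, err := os.Stat(socketPath)
	if err != nil {
		return "", 0, err
	}
	return string(body), st.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "zot-sock") // constructed scratch location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	body, mode, err := roundTrip("unix:" + filepath.Join(dir, "zot.socket"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s mode=%o\n", body, mode)
}
```

The handler echoes the request path and `Host` so it is visible that the hostname in the URL never reaches a network resolver; only the socket path matters. The `Chmod` step is what turns "filesystem permissions" into an actual restriction, since the default mode of a freshly created socket follows the process umask.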

Contributor:

And in addition to protecting the unix socket with file perms, this also opens the door for potential zot configs saying "only uid 100000-165536 can connect", using SO_PEERCRED.
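The SO_PEERCRED idea above, as an added example that is not part of this PR or of zot: the server asks the kernel for the uid of the connecting process and applies a uid-range policy before reading any request bytes. `UIDRangePolicy`, `peerCredentials`, `acceptChecked` and `selfCheck` are this example's own names, and the config shape is hypothetical. It is Linux-only, since `syscall.GetsockoptUcred` and `syscall.Ucred` exist only there.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// UIDRangePolicy is a hypothetical config shape for the idea in the comment
// above ("only uid 100000-165536 can connect"); it is not a zot option.
type UIDRangePolicy struct {
	MinUID, MaxUID uint32
}

// Allows reports whether a peer uid falls inside the configured range.
func (p UIDRangePolicy) Allows(uid uint32) bool {
	return uid >= p.MinUID && uid <= p.MaxUID
}

// peerCredentials asks the kernel for the uid/gid/pid of the process on the
// other end of a unix socket via SO_PEERCRED (Linux only). The kernel records
// these at connect time, so unlike an HTTP header the client cannot forge them.
func peerCredentials(conn *net.UnixConn) (*syscall.Ucred, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return nil, err
	}
	var cred *syscall.Ucred
	var credErr error
	if err := raw.Control(func(fd uintptr) {
		cred, credErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return nil, err
	}
	return cred, credErr
}

// acceptChecked accepts one connection and applies the policy before any
// request byte is read, so a rejected peer is closed without being served.
// It returns the peer uid and the decision so callers can log denials.
func acceptChecked(ln *net.UnixListener, policy UIDRangePolicy) (uint32, bool, error) {
	conn, err := ln.AcceptUnix()
	if err != nil {
		return 0, false, err
	}
	defer conn.Close()
	cred, err := peerCredentials(conn)
	if err != nil {
		return 0, false, err
	}
	return cred.Uid, policy.Allows(cred.Uid), nil
}

// selfCheck listens on path, connects to it from this same process, and
// returns what the server side saw. Constructed for demonstration, so the
// peer is always the current uid.
func selfCheck(path string, policy UIDRangePolicy) (uint32, bool, error) {
	addr := &net.UnixAddr{Name: path, Net: "unix"}
	ln, err := net.ListenUnix("unix", addr)
	if err != nil {
		return 0, false, err
	}
	defer ln.Close()

	type outcome struct {
		uid     uint32
		allowed bool
		err     error
	}
	done := make(chan outcome, 1)
	go func() {
		uid, allowed, err := acceptChecked(ln, policy)
		done <- outcome{uid, allowed, err}
	}()

	client, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return 0, false, err
	}
	defer client.Close()
	o := <-done
	return o.uid, o.allowed, o.err
}

func main() {
	dir, err := os.MkdirTemp("", "zot-peercred") // constructed scratch location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	policy := UIDRangePolicy{MinUID: 100000, MaxUID: 165536} // range from the comment
	uid, allowed, err := selfCheck(filepath.Join(dir, "zot.socket"), policy)
	if err != nil {
		panic(err)
	}
	fmt.Printf("peer uid=%d allowed=%v\n", uid, allowed)
}
```

Running `main` prints the current process's uid and whether it falls in the quoted range. The check happens at accept time rather than inside an HTTP handler, which keeps unauthorised peers from reaching any request parsing at all; a real server would log the denied uid and pid rather than silently closing.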

This adds support for listening on a local unix socket by
specifying in config http.address of "unix:/path/to/name.socket".

You can then interact with the api over that socket with:

curl --unix-socket /tmp/zot.socket http://example.com/v2/tags/list

Signed-off-by: Scott Moser <smoser@brickies.net>
@smoser smoser force-pushed the feature/add-unix-socket-address branch from f8a73f5 to 02df863 Compare March 24, 2023 14:08