feat(http): add support for listening on a unix socket #1193
base: main
var listener net.Listener | ||
var err error | ||
|
||
if strings.HasPrefix(c.Config.HTTP.Address, "unix:") { |
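Review bot: the `unix:` branch selected by the HasPrefix check still has to strip the prefix before the remainder is handed to the listener, and it should reject an empty remainder (a bare `unix:`); `strings.TrimPrefix(c.Config.HTTP.Address, "unix:")` gives the path in one step. Since the access-control argument for this feature rests on filesystem permissions, this branch is also where the socket file's mode should be set explicitly rather than inherited from the process umask, and the test requested below can assert on that mode.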
There should be a test to cover this type of configuration.
As a separate note, commits need to be signed using "git commit -s -S"
Wait, why not just listen on localhost?
> Wait, why not just listen on localhost?
Any process on the system can reach a 'localhost' endpoint while unix sockets are protected by filesystem permissions. I agree that this isn't a huge win, as I could protect access to the zot via htpasswd auth and a randomly generated username/key, but that comes for free with a unix socket.
I'll accept that unix socket support isn't needed at the moment, but rejecting the use of unix sockets due to the availability of 'localhost' isn't an idea that would stand on its own very long. I really did this as a proof of concept.
And in addition to protecting the unix socket with file perms, this also opens the door for potential zot configs saying "only uid 100000-165536 can connect", using SO_PEERCRED.
This adds support for listening on a local unix socket by specifying in config http.address of "unix:/path/to/name.socket".

You can then interact with the api over that socket with:

```
curl --unix-socket /tmp/zot.socket http://example.com/v2/tags/list
```

Signed-off-by: Scott Moser <smoser@brickies.net>

f8a73f5 to 02df863
This adds support for listening on a local unix socket by specifying in config http.address of "unix:/path/to/name.socket".
You can then interact with the api over that socket with:
```
curl --unix-socket /tmp/zot.socket http://ignored.example.com/v2/name/tags/list
```
What type of PR is this?
feature - enable listening on a unix socket.
Which issue does this PR fix:
N/A
What does this PR do / Why do we need it:
I'm looking at a use case where I populate zot storage by running a zot and loading content to it. In this scenario there is no need for networking or exposing the zot to even localhost network.
If an issue # is not available please add repro steps and logs showing the issue:
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.