Merge pull request #331 from supereagle/insecure-tls

Make the TLS certificate check configurable when pulling layers
Jimmy Zelinskie 2017-02-27 18:50:48 -05:00 committed by GitHub
commit 9ef4db26d4
2 changed files with 24 additions and 1 deletions


@ -30,6 +30,7 @@ import (
"github.com/coreos/clair" "github.com/coreos/clair"
"github.com/coreos/clair/api" "github.com/coreos/clair/api"
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
"github.com/coreos/clair/ext/imagefmt"
"github.com/coreos/clair/pkg/stopper" "github.com/coreos/clair/pkg/stopper"
// Register database driver. // Register database driver.
@ -123,6 +124,7 @@ func main() {
flagConfigPath := flag.String("config", "/etc/clair/config.yaml", "Load configuration from the specified file.") flagConfigPath := flag.String("config", "/etc/clair/config.yaml", "Load configuration from the specified file.")
flagCPUProfilePath := flag.String("cpu-profile", "", "Write a CPU profile to the specified file before exiting.") flagCPUProfilePath := flag.String("cpu-profile", "", "Write a CPU profile to the specified file before exiting.")
flagLogLevel := flag.String("log-level", "info", "Define the logging level.") flagLogLevel := flag.String("log-level", "info", "Define the logging level.")
flagInsecureTLS := flag.Bool("insecure-tls", false, "Disable TLS server's certificate chain and hostname verification when pulling layers.")
flag.Parse() flag.Parse()
// Check for dependencies. // Check for dependencies.
@ -149,5 +151,11 @@ func main() {
defer stopCPUProfiling(startCPUProfiling(*flagCPUProfilePath)) defer stopCPUProfiling(startCPUProfiling(*flagCPUProfilePath))
} }
// Enable TLS server's certificate chain and hostname verification
// when pulling layers if specified
if *flagInsecureTLS {
imagefmt.SetInsecureTLS(*flagInsecureTLS)
}
Boot(config) Boot(config)
} }
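Review bot: The comment above the new `if *flagInsecureTLS` block says it enables certificate chain and hostname verification, but the branch does the opposite — it disables verification — so the comment should read `// Disable TLS certificate chain and hostname verification when pulling layers if requested.`. The guard is also redundant: `imagefmt.SetInsecureTLS` is only ever reached with `true`, so calling `imagefmt.SetInsecureTLS(*flagInsecureTLS)` unconditionally is simpler and keeps the package state in step with the flag. Since this flag weakens transport security for every registry Clair talks to, it would be worth emitting a warning at startup when it is set, so operators can spot the configuration in logs (main has a logging setup outside this hunk; confirm the logger is available at this point). main() starts before this hunk.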


@ -21,6 +21,7 @@
package imagefmt package imagefmt
import ( import (
"crypto/tls"
"fmt" "fmt"
"io" "io"
"math" "math"
@ -38,6 +39,10 @@ var (
// ErrCouldNotFindLayer is returned when we could not download or open the layer file. // ErrCouldNotFindLayer is returned when we could not download or open the layer file.
ErrCouldNotFindLayer = commonerr.NewBadRequestError("could not find layer") ErrCouldNotFindLayer = commonerr.NewBadRequestError("could not find layer")
// insecureTLS controls whether TLS server's certificate chain and hostname are verified
// when pulling layers, verified in default.
insecureTLS = false
log = capnslog.NewPackageLogger("github.com/coreos/clair", "ext/imagefmt") log = capnslog.NewPackageLogger("github.com/coreos/clair", "ext/imagefmt")
extractorsM sync.RWMutex extractorsM sync.RWMutex
@ -116,7 +121,11 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
} }
// Send the request and handle the response. // Send the request and handle the response.
r, err := http.DefaultClient.Do(request) tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS},
}
client := &http.Client{Transport: tr}
r, err := client.Do(request)
if err != nil { if err != nil {
log.Warningf("could not download layer: %s", err) log.Warningf("could not download layer: %s", err)
return nil, ErrCouldNotFindLayer return nil, ErrCouldNotFindLayer
@ -148,3 +157,9 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
return nil, commonerr.NewBadRequestError(fmt.Sprintf("unsupported image format '%s'", format)) return nil, commonerr.NewBadRequestError(fmt.Sprintf("unsupported image format '%s'", format))
} }
// SetInsecureTLS sets the insecureTLS to control whether TLS server's certificate chain
// and hostname are verified when pulling layers.
func SetInsecureTLS(insecure bool) {
insecureTLS = insecure
}
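Review bot: The replacement for `http.DefaultClient.Do` builds a fresh `http.Transport` and `http.Client` on every Extract call, so no keep-alive connection is ever reused and each call leaves its own idle connections behind; under a steady stream of layer pulls that is unbounded socket and goroutine growth. A bare `&http.Transport{}` also drops the defaults `http.DefaultTransport` carries (proxy from environment, dial and TLS handshake timeouts), so a stalled registry can now hang a pull with no limit — though the previous `DefaultClient` had no overall timeout either, so part of this is pre-existing. Building the client once, in SetInsecureTLS, fixes both and gives a natural place to log that verification is off; the package-level `insecureTLS`/client variables are written by SetInsecureTLS and read by Extract without synchronization, which is fine only because main calls the setter before Boot, and the SetInsecureTLS doc comment should say so. Extract starts and ends outside this hunk.
```go
// layerClient is shared by every Extract call so keep-alive connections are pooled.
var layerClient = &http.Client{Transport: http.DefaultTransport}

// SetInsecureTLS controls whether the TLS server's certificate chain and hostname are
// verified when pulling layers. It is not synchronized and must be called before the
// first Extract.
func SetInsecureTLS(insecure bool) {
	insecureTLS = insecure
	layerClient = &http.Client{Transport: &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
	}}
	if insecure {
		log.Warningf("TLS certificate chain and hostname verification disabled when pulling layers")
	}
}

// … unchanged: Extract up to and including the request setup …
r, err := layerClient.Do(request)
```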