Skip to content

Fix A2A agent card advertising unroutable wildcard address#1685

Merged
dgageot merged 1 commit intodocker:mainfrom
dgageot:fix-1679
Feb 11, 2026
Merged

Fix A2A agent card advertising unroutable wildcard address#1685
dgageot merged 1 commit intodocker:mainfrom
dgageot:fix-1679

Conversation

@dgageot
Copy link
Member

@dgageot dgageot commented Feb 10, 2026

Replace wildcard listen addresses (::, 0.0.0.0) with localhost in the agent card URL so clients can actually reach the server. Also switch TCP listeners to tcp4 to avoid binding to IPv6 on dual-stack systems.

Fixes #1679

Assisted-By: cagent

@dgageot
Fix A2A agent card advertising unroutable wildcard address
ee47fa0 
Replace wildcard listen addresses (::, 0.0.0.0) with localhost in the
agent card URL so clients can actually reach the server. Also switch
TCP listeners to tcp4 to avoid binding to IPv6 on dual-stack systems.

Fixes docker#1679

Assisted-By: cagent
@dgageot dgageot requested a review from a team as a code owner February 10, 2026 18:26
docker-agent[bot]
docker-agent bot reviewed Feb 10, 2026
View reviewed changes
Copy link

@docker-agent docker-agent bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

The routableAddr() function is well-implemented with good test coverage. However, there's a concern about the tcp4 change in listen.go that removes IPv6 support, potentially breaking existing users without clear error messages.

See inline comment for details.

pkg/server/listen.go
func listenTCP(ctx context.Context, addr string) (net.Listener, error) {
var lc net.ListenConfig
return lc.Listen(ctx, "tcp", addr)
return lc.Listen(ctx, "tcp4", addr)
Copy link

@docker-agent docker-agent bot Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential Breaking Change: IPv6 Support Removed

Changing from "tcp" to "tcp4" restricts socket binding to IPv4 only. While this aligns with the PR description ("avoid binding to IPv6 on dual-stack systems"), it introduces a breaking change:

  • Impact: If users pass IPv6 addresses like [::1]:8080 or [2001:db8::1]:8080, binding will fail with a cryptic error: "listen tcp4: address ::1: no suitable address found"
  • No validation: There's no check to prevent IPv6 addresses from being passed or to provide a clear error message
  • Tests consider IPv6: The routableAddr() tests include IPv6 cases ("[::]:8080"), suggesting IPv6 was considered in the design

Alternative approach: Consider keeping "tcp" for backward compatibility and let routableAddr() handle the agent card URL transformation. This would:

  • Fix the wildcard address advertising issue (the original bug)
  • Maintain IPv6 support for explicit addresses
  • Avoid a breaking change

If tcp4 is the desired approach: Consider adding validation to detect IPv6 addresses and return a clear error message like "IPv6 addresses are not supported, please use IPv4".

Thoughts?

@dgageot dgageot merged commit 9ed1daa into docker:main Feb 11, 2026
8 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Feb 12, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@trungutt trungutt trungutt approved these changes

+1 more reviewer

@docker-agent docker-agent[bot] docker-agent[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

A2A agent card advertises http://[::]:PORT/invoke — breaks clients using the url field

2 participants

@dgageot @trungutt