Skip to content

buildkitd: disable TLS for UNIX sockets #1202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tonistiigi merged 1 commit into from
Oct 14, 2019
Merged

buildkitd: disable TLS for UNIX sockets #1202

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 18 additions & 16 deletions cmd/buildkitd/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,6 @@ import (
"github.com/urfave/cli"
"golang.org/x/sync/errgroup"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)

func init() {
Expand Down Expand Up @@ -200,13 +199,6 @@ func main() {
}
}
opts := []grpc.ServerOption{unaryInterceptor(ctx), grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer))}
creds, err := serverCredentials(cfg.GRPC.TLS)
if err != nil {
return err
}
if creds != nil {
opts = append(opts, creds)
}
server := grpc.NewServer(opts...)

// relative path does not work with nightlyone/lockfile
Expand Down Expand Up @@ -298,10 +290,14 @@ func serveGRPC(cfg config.GRPCConfig, server *grpc.Server, errCh chan error) err
if len(addrs) == 0 {
return errors.New("--addr cannot be empty")
}
tlsConfig, err := serverCredentials(cfg.TLS)
if err != nil {
return err
}
eg, _ := errgroup.WithContext(context.Background())
listeners := make([]net.Listener, 0, len(addrs))
for _, addr := range addrs {
l, err := getListener(cfg, addr)
l, err := getListener(addr, cfg.UID, cfg.GID, tlsConfig)
if err != nil {
for _, l := range listeners {
l.Close()
Expand Down Expand Up @@ -490,7 +486,7 @@ func groupToGid(group string) (int, error) {
return id, nil
}

func getListener(cfg config.GRPCConfig, addr string) (net.Listener, error) {
func getListener(addr string, uid, gid int, tlsConfig *tls.Config) (net.Listener, error) {
addrSlice := strings.SplitN(addr, "://", 2)
if len(addrSlice) < 2 {
return nil, errors.Errorf("address %s does not contain proto, you meant unix://%s ?",
Expand All @@ -499,11 +495,18 @@ func getListener(cfg config.GRPCConfig, addr string) (net.Listener, error) {
proto := addrSlice[0]
listenAddr := addrSlice[1]
switch proto {
case "unix", "npipe":
return sys.GetLocalListener(listenAddr, cfg.UID, cfg.GID)
case "unix":
if tlsConfig != nil {
logrus.Warnf("TLS is disabled for %s", addr)
}
return sys.GetLocalListener(listenAddr, uid, gid)
case "tcp":
return sockets.NewTCPSocket(listenAddr, nil)
if tlsConfig == nil {
logrus.Warnf("TLS is not enabled for %s. enabling mutual TLS authentication is highly recommended", addr)
}
return sockets.NewTCPSocket(listenAddr, tlsConfig)
default:
// TODO: support npipe (with TLS?)
return nil, errors.Errorf("addr %s not supported", addr)
}
}
Expand Down Expand Up @@ -531,7 +534,7 @@ func unaryInterceptor(globalCtx context.Context) grpc.ServerOption {
})
}

func serverCredentials(cfg config.TLSConfig) (grpc.ServerOption, error) {
func serverCredentials(cfg config.TLSConfig) (*tls.Config, error) {
certFile := cfg.Cert
keyFile := cfg.Key
caFile := cfg.CA
Expand Down Expand Up @@ -565,8 +568,7 @@ func serverCredentials(cfg config.TLSConfig) (grpc.ServerOption, error) {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
tlsConf.ClientCAs = certPool
}
creds := grpc.Creds(credentials.NewTLS(tlsConf))
return creds, nil
return tlsConf, nil
}

func newController(c *cli.Context, cfg *config.Config) (*control.Controller, error) {
Expand Down