Fix docker-gen breaking on new docker version (See #335) #336
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Tested on new docker, and this fix the issue. |
jwilder
approved these changes
Apr 3, 2021
|
This comment indicates there is a corner case that might not be handled by this PR. #335 (comment) |
|
@NicolasDorier does the comment in #335 means that |
|
@buchdag I don't really know, I don't use a custom host name, so I did not tried. Just mentioning it here. The comment mention |
buchdag
reviewed
Apr 5, 2021
| @@ -185,7 +186,8 @@ func GetCurrentContainerID() string { | |||
| } | |||
|
|
|||
| func matchDockerCurrentContainerID(lines string) string { | |||
| regex := "/docker[/-]([[:alnum:]]{64})(\\.scope)?$" | |||
| hostname := os.Getenv("HOSTNAME") | |||
| regex := fmt.Sprintf("(%s[[:alnum:]]{52})", hostname) | |||
There was a problem hiding this comment.
@NicolasDorier @jwilder this breaks the tests:
--- FAIL: TestGetCurrentContainerID_DockerCE (0.00s)
context_test.go:49: id mismatch: got 18862cabc2e0d24142cf93c46ccb6e070c2ea7b996c81c0311ec, exp 18862cabc2e0d24142cf93c46ccb6e070c2ea7b996c81c0311ec0309abcbcdfb
FAIL
exit status 1
FAIL github.com/jwilder/docker-gen 0.596s
|
Unfortunately I confirm that this PR broke |
|
Steps to reproduce: $ docker network create nginx-proxy
$ docker run --detach \
> --name nginx-proxy \
> --network nginx-proxy \
> --publish 80:80 \
> --publish 443:443 \
> --volume conf:/etc/nginx/conf.d \
> nginx
$ docker run --detach \
> --name nginx-proxy-gen \
> --network nginx-proxy \
> --hostname dockergen \
> --volumes-from nginx-proxy \
> --volume /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \
> --volume /var/run/docker.sock:/tmp/docker.sock:ro \
> jwilder/docker-gen \
> -notify-sighup nginx-proxy -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
$ docker run --detach \
> --name proxyed-app \
> --network nginx-proxy \
> --env "VIRTUAL_HOST=domain.tld" \
> nginx
$ sleep 10; docker exec nginx-proxy cat /etc/nginx/conf.d/default.confThe resulting # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# domain.tld
upstream domain.tld {
}
server {
server_name domain.tld;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://domain.tld;
}
} |
|
|
Closed
This was referenced Aug 3, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is scanning for the full container ID by getting the short container id via
HOSTNAME, then trying to fetch the rest of it in "/proc/self/cgroup" or "/proc/self/mountinfo".So no breaking change to old versions of docker.
Alternative to #335
Note I did not tested on new docker, but I tested on old one and nothing break.