From bc90bb68558dcc3c860a20c8699a18a2e1e40df5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 8 Mar 2025 16:03:45 +0100 Subject: [PATCH] container create: combine client-side warning with daemon-side Use a consistent approach for producing warnings, but add a TODO for moving this warning to the daemon, which can make a better call if it will work or not (depending on networking mode). This warning was originally added in [moby@afa92a9], before integration with libnetwork, and this warning may be incorrect in many scenarios. While updating, also removing the custom regular expression used to detect if the IP is a loopback address, and using go's netip package instead. [moby@afa92a9]: https://github.com/moby/moby/commit/afa92a9af0f1a77ef25aab73b11aa855a1823666 Signed-off-by: Sebastiaan van Stijn
---
 cli/command/container/create.go | 31 +++++++------------
 ...container-create-localhost-dns-ipv6.golden | 2 +-
 .../container-create-localhost-dns.golden | 2 +-
 3 files changed, 13 insertions(+), 22 deletions(-)
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
index 9930e5f8e7..486d2852f9 100644
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@@ -4,8 +4,8 @@ import (
 "context"
 "fmt"
 "io"
+ "net/netip"
 "os"
- "regexp"
 "github.com/containerd/platforms"
 "github.com/distribution/reference"
@@ -207,8 +207,6 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 hostConfig := containerCfg.HostConfig
 networkingConfig := containerCfg.NetworkingConfig
- warnOnLocalhostDNS(*hostConfig, dockerCli.Err())
-
 var (
 trustedRef reference.Canonical
 namedRef reference.Named
@@ -291,6 +289,9 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 }
 }
+ if warn := localhostDNSWarning(*hostConfig); warn != "" {
+ response.Warnings = append(response.Warnings, warn)
+ }
 for _, w := range response.Warnings {
 _, _ = fmt.Fprintln(dockerCli.Err(), "WARNING:", w)
 }
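Review bot: In the `@@ -291,6 +289,9 @@` hunk of create.go the loopback-DNS warning is now produced only once a create response exists, whereas the removed `warnOnLocalhostDNS` call ran at the top of `createContainer`. If the function returns early on an error (its body lies outside the hunk, so this is inferred), the user no longer sees the warning at all. If that is intended, a short comment above the new `if` would record it, for example `// client-side warning; only shown when the container was created`.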
@@ -299,26 +300,16 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 }
 // check the DNS settings passed via --dns against localhost regexp to warn if
-// they are trying to set a DNS to a localhost address
-func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
+// they are trying to set a DNS to a localhost address.
+//
+// TODO(thaJeztah): move this to the daemon, which can make a better call if it will work or not (depending on networking mode).
+func localhostDNSWarning(hostConfig container.HostConfig) string {
 for _, dnsIP := range hostConfig.DNS {
- if isLocalhost(dnsIP) {
- _, _ = fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
- return
+ if addr, err := netip.ParseAddr(dnsIP); err == nil && addr.IsLoopback() {
+ return fmt.Sprintf("Localhost DNS (%s) may fail in containers.", addr)
 }
 }
-}
-
-// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
-const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
-
-var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
-
-// IsLocalhost returns true if ip matches the localhost IP regular expression.
-// Used for determining if nameserver settings are being passed which are
-// localhost addresses
-func isLocalhost(ip string) bool {
- return localhostIPRegexp.MatchString(ip)
+ return ""
 }
 func validatePullOpt(val string) error {
diff --git a/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden b/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
index 5c98b97716..bb07a137dc 100644
--- a/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
@@ -1 +1 @@
-WARNING: Localhost DNS setting (--dns=::1) may fail in containers.
+WARNING: Localhost DNS (::1) may fail in containers.
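Review bot: The doc comment on `localhostDNSWarning` in create.go still says the `--dns` values are checked "against localhost regexp", but this hunk removes the regular expression, and the comment does not say what is returned. Something like `// localhostDNSWarning returns a warning if any --dns address in hostConfig is a loopback address, and an empty string otherwise.` would match the new code. Two behaviours are worth stating there as well: values that `netip.ParseAddr` rejects are skipped silently, and the message prints the parsed `addr` rather than the string the user typed. The removed pattern was unanchored on its IPv4 side, so it also matched IPv4-mapped forms such as `::ffff:127.0.0.1`; whether `IsLoopback` reports those may depend on the Go version in use, and a test case (or calling `addr.Unmap()` before the check) would pin that down.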
diff --git a/cli/command/container/testdata/container-create-localhost-dns.golden b/cli/command/container/testdata/container-create-localhost-dns.golden
index 1c8b0e1f7f..409082ad6a 100644
--- a/cli/command/container/testdata/container-create-localhost-dns.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns.golden
@@ -1 +1 @@
-WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.
+WARNING: Localhost DNS (127.0.0.11) may fail in containers.