Registries proxy config: initial impl

cyqsimon · cyqsimon · commit 27a56435b92e · 2026-02-10T13:58:17.000+08:00
diff --git a/image/docker/docker_client.go b/image/docker/docker_client.go
@@ -114,6 +114,9 @@ type dockerClient struct {
 	// tlsClientConfig is setup by newDockerClient and will be used and updated
 	// by detectProperties(). Callers can edit tlsClientConfig.InsecureSkipVerify in the meantime.
 	tlsClientConfig *tls.Config
+	// registryProxyURL is the proxy URL from the registry configuration, if any.
+	// It has the lowest priority and can be overridden by either DockerProxyURL or environment variables.
+	registryProxyURL *url.URL
 	// The following members are not set by newDockerClient and must be set by callers if needed.
 	auth                   types.DockerAuthConfig
 	registryToken          string
@@ -262,18 +265,26 @@ func newDockerClient(sys *types.SystemContext, registry, reference string) (*doc
 		return nil, err
 	}
 
-	// Check if TLS verification shall be skipped (default=false) which can
-	// be specified in the sysregistriesv2 configuration.
-	skipVerify := false
+	// Fetch and load sysregistriesv2 configurations.
 	reg, err := sysregistriesv2.FindRegistry(sys, reference)
 	if err != nil {
 		return nil, fmt.Errorf("loading registries: %w", err)
 	}
+	skipVerify := false
+	var registryProxyURL *url.URL
 	if reg != nil {
 		if reg.Blocked {
 			return nil, fmt.Errorf("registry %s is blocked in %s or %s", reg.Prefix, sysregistriesv2.ConfigPath(sys), sysregistriesv2.ConfigDirPath(sys))
 		}
+		// Check if TLS verification shall be skipped (default=false).
 		skipVerify = reg.Insecure
+		// Set registry proxy.
+		if reg.Proxy != "" {
+			registryProxyURL, err = url.Parse(reg.Proxy)
+			if err != nil {
+				return nil, fmt.Errorf("parsing proxy URL %q: %w", reg.Proxy, err)
+			}
+		}
 	}
 	tlsClientConfig.InsecureSkipVerify = skipVerify
 
@@ -287,6 +298,7 @@ func newDockerClient(sys *types.SystemContext, registry, reference string) (*doc
 		registry:         registry,
 		userAgent:        userAgent,
 		tlsClientConfig:  tlsClientConfig,
+		registryProxyURL: registryProxyURL,
 		tokenCache:       map[string]*bearerToken{},
 		reportedWarnings: set.New[string](),
 	}, nil
@@ -968,6 +980,16 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
 	}
 	tr := tlsclientconfig.NewTransport()
 	tr.TLSClientConfig = c.tlsClientConfig
+	// Set registry-specific proxy with lowest priority, which can be overridden by environment variables.
+	if c.registryProxyURL != nil {
+		registryProxy := c.registryProxyURL
+		tr.Proxy = func(req *http.Request) (*url.URL, error) {
+			if envProxy, err := http.ProxyFromEnvironment(req); err != nil || envProxy != nil {
+				return envProxy, err
+			}
+			return registryProxy, nil
+		}
+	}
 	// if set DockerProxyURL explicitly, use the DockerProxyURL instead of system proxy
 	if c.sys != nil && c.sys.DockerProxyURL != nil {
 		tr.Proxy = http.ProxyURL(c.sys.DockerProxyURL)
diff --git a/image/pkg/sysregistriesv2/system_registries_v2.go b/image/pkg/sysregistriesv2/system_registries_v2.go
@@ -59,6 +59,8 @@ type Endpoint struct {
 	// If true, certs verification will be skipped and HTTP (non-TLS)
 	// connections will be allowed.
 	Insecure bool `toml:"insecure,omitempty"`
+	// The forwarding proxy to be used for accessing this endpoint.
+	Proxy string `toml:"proxy,omitempty"`
 	// PullFromMirror is used for adding restrictions to image pull through the mirror.
 	// Set to "all", "digest-only", or "tag-only".
 	// If "digest-only"， mirrors will only be used for digest pulls. Pulling images by
@@ -341,6 +343,27 @@ func parseLocation(input string) (string, error) {
 	return trimmed, nil
 }
 
+// validateProxy validates the input string for a proxy configuration.
+// Errors if a scheme is unsupported or unspecified.
+func validateProxy(input string) error {
+	if input == "" {
+		return nil
+	}
+
+	var hasSupportedScheme bool
+	for _, scheme := range []string{"http://", "https://", "socks5://", "socks5h://"} {
+		if strings.HasPrefix(input, scheme) {
+			hasSupportedScheme = true
+			break
+		}
+	}
+	if !hasSupportedScheme {
+		return &InvalidRegistries{s: "invalid proxy: proxy URL must specify one of the supported schemes: http://, https://, socks5://, socks5h://"}
+	}
+
+	return nil
+}
+
 // ConvertToV2 returns a v2 config corresponding to a v1 one.
 func (config *V1RegistriesConf) ConvertToV2() (*V2RegistriesConf, error) {
 	regMap := make(map[string]*Registry)
@@ -409,6 +432,10 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
 			return err
 		}
 
+		if err = validateProxy(reg.Proxy); err != nil {
+			return err
+		}
+
 		if reg.Prefix == "" {
 			if reg.Location == "" {
 				return &InvalidRegistries{s: "invalid condition: both location and prefix are unset"}
@@ -438,6 +465,10 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
 				return err
 			}
 
+			if err = validateProxy(mir.Proxy); err != nil {
+				return err
+			}
+
 			// FIXME: unqualifiedSearchRegistries now also accepts empty values
 			// and shouldn't
 			// https://github.com/containers/image/pull/1191#discussion_r610623216
@@ -483,6 +514,11 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
 				return &InvalidRegistries{s: msg}
 			}
 
+			if reg.Proxy != other.Proxy {
+				msg := fmt.Sprintf("registry '%s' is defined multiple times with conflicting 'proxy' setting", reg.Location)
+				return &InvalidRegistries{s: msg}
+			}
+
 			if reg.Blocked != other.Blocked {
 				msg := fmt.Sprintf("registry '%s' is defined multiple times with conflicting 'blocked' setting", reg.Location)
 				return &InvalidRegistries{s: msg}
