@@ -2,8 +2,6 @@ package containerd

 import (

 	"context"

-	"crypto/tls"

-	"errors"

 	"net/http"

 	"github.com/containerd/containerd/remotes"

@@ -33,11 +31,12 @@ func (i *ImageService) newResolverFromAuthConfig(ctx context.Context, authConfig

 }

 func hostsWrapper(hostsFn docker.RegistryHosts, optAuthConfig *registrytypes.AuthConfig, ref reference.Named, regService registryResolver) docker.RegistryHosts {

-	var authorizer docker.Authorizer

-	if optAuthConfig != nil {

-		authorizer = authorizerFromAuthConfig(*optAuthConfig, ref)

+	if optAuthConfig == nil {

+		return hostsFn

 	}

+	authorizer := authorizerFromAuthConfig(*optAuthConfig, ref)

+

 	return func(n string) ([]docker.RegistryHost, error) {

 		hosts, err := hostsFn(n)

 		if err != nil {

@@ -45,13 +44,7 @@ func hostsWrapper(hostsFn docker.RegistryHosts, optAuthConfig *registrytypes.Aut

 		}

 		for i := range hosts {

-			if hosts[i].Authorizer == nil {

-				hosts[i].Authorizer = authorizer

-				isInsecure := regService.IsInsecureRegistry(hosts[i].Host)

-				if hosts[i].Client.Transport != nil && isInsecure {

-					hosts[i].Client.Transport = httpFallback{super: hosts[i].Client.Transport}

-				}

-			}

+			hosts[i].Authorizer = authorizer

 		}

 		return hosts, nil

 	}

@@ -111,24 +104,3 @@ func (a *bearerAuthorizer) AddResponses(context.Context, []*http.Response) error

 	// Return not implemented to prevent retry of the request when bearer did not succeed

 	return cerrdefs.ErrNotImplemented

 }

-

-type httpFallback struct {

-	super http.RoundTripper

-}

-

-func (f httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {

-	resp, err := f.super.RoundTrip(r)

-	var tlsErr tls.RecordHeaderError

-	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {

-		// server gave HTTP response to HTTPS client

-		plainHttpUrl := *r.URL

-		plainHttpUrl.Scheme = "http"

-

-		plainHttpRequest := *r

-		plainHttpRequest.URL = &plainHttpUrl

-

-		return http.DefaultTransport.RoundTrip(&plainHttpRequest)

-	}

-

-	return resp, err

-}

@@ -1,10 +1,10 @@

 package daemon // import "github.com/docker/docker/daemon"

 import (

+	"context"

 	"crypto/tls"

 	"crypto/x509"

 	"fmt"

-	"net"

 	"net/http"

 	"net/url"

 	"os"

@@ -12,13 +12,11 @@ import (

 	"path/filepath"

 	"runtime"

 	"strings"

-	"time"

 	"github.com/containerd/containerd/remotes/docker"

+	hostconfig "github.com/containerd/containerd/remotes/docker/config"

+	cerrdefs "github.com/containerd/errdefs"

 	"github.com/docker/docker/registry"

-	"github.com/moby/buildkit/util/resolver/config"

-	resolverconfig "github.com/moby/buildkit/util/resolver/config"

-	"github.com/moby/buildkit/util/tracing"

 	"github.com/pkg/errors"

 )

@@ -29,159 +27,120 @@ const (

 // RegistryHosts returns the registry hosts configuration for the host component

 // of a distribution image reference.

 func (daemon *Daemon) RegistryHosts(host string) ([]docker.RegistryHost, error) {

-	m := map[string]resolverconfig.RegistryConfig{

-		"docker.io": {Mirrors: daemon.registryService.ServiceConfig().Mirrors},

+	hosts, err := hostconfig.ConfigureHosts(context.Background(), hostconfig.HostOptions{

+		// TODO: Also check containerd path when updating containerd to use multiple host directories

+		HostDir: hostconfig.HostDirFromRoot(registry.CertsDir()),

+	})(host)

+	if err != nil {

+		return nil, err

 	}

-	conf := daemon.registryService.ServiceConfig().IndexConfigs

-	for k, v := range conf {

-		c := m[k]

-		if !v.Secure {

-			t := true

-			c.PlainHTTP = &t

-			c.Insecure = &t

+

+	// Merge in legacy configuration if provided and only a single configuration

+	if sc := daemon.registryService.ServiceConfig(); len(hosts) == 1 && sc != nil {

+		hosts, err = daemon.mergeLegacyConfig(host, hosts)

+		if err != nil {

+			return nil, err

 		}

-		m[k] = c

-	}

-	if c, ok := m[host]; !ok && daemon.registryService.IsInsecureRegistry(host) {

-		t := true

-		c.PlainHTTP = &t

-		c.Insecure = &t

-		m[host] = c

 	}

-	for k, v := range m {

-		v.TLSConfigDir = []string{registry.HostCertsDir(k)}

-		m[k] = v

+	return hosts, nil

+}

+

+func (daemon *Daemon) mergeLegacyConfig(host string, hosts []docker.RegistryHost) ([]docker.RegistryHost, error) {

+	if len(hosts) == 0 {

+		return hosts, nil

 	}

+	sc := daemon.registryService.ServiceConfig()

+	if host == "docker.io" && len(sc.Mirrors) > 0 {

+		var mirrorHosts []docker.RegistryHost

+		for _, mirror := range sc.Mirrors {

+			h := hosts[0]

+			h.Capabilities = docker.HostCapabilityPull | docker.HostCapabilityResolve

-	certsDir := registry.CertsDir()

-	if fis, err := os.ReadDir(certsDir); err == nil {

-		for _, fi := range fis {

-			if _, ok := m[fi.Name()]; !ok {

-				m[fi.Name()] = resolverconfig.RegistryConfig{

-					TLSConfigDir: []string{filepath.Join(certsDir, fi.Name())},

+			u, err := url.Parse(mirror)

+			if err != nil || u.Host == "" {

+				u, err = url.Parse(fmt.Sprintf("//%s", mirror))

+			}

+			if err == nil && u.Host != "" {

+				h.Host = u.Host

+				h.Path = strings.TrimRight(u.Path, "/")

+				if !strings.HasSuffix(h.Path, defaultPath) {

+					h.Path = path.Join(defaultPath, h.Path)

 				}

+			} else {

+				h.Host = mirror

+				h.Path = defaultPath

 			}

+

+			mirrorHosts = append(mirrorHosts, h)

 		}

+		hosts = append(mirrorHosts, hosts[0])

 	}

-

-	return newRegistryConfig(m)(host)

-}

-

-// newRegistryConfig converts registry config to docker.RegistryHosts callback

-func newRegistryConfig(m map[string]resolverconfig.RegistryConfig) docker.RegistryHosts {

-	return docker.Registries(

-		func(host string) ([]docker.RegistryHost, error) {

-			c, ok := m[host]

-			if !ok {

-				return nil, nil

-			}

-

-			var out []docker.RegistryHost

-

-			for _, rawMirror := range c.Mirrors {

-				h := newMirrorRegistryHost(rawMirror)

-				mirrorHost := h.Host

-				host, err := fillInsecureOpts(mirrorHost, m[mirrorHost], h)

+	hostDir := hostconfig.HostDirFromRoot(registry.CertsDir())

+	for i := range hosts {

+		t, ok := hosts[i].Client.Transport.(*http.Transport)

+		if !ok {

+			continue

+		}

+		if t.TLSClientConfig == nil {

+			certsDir, err := hostDir(host)

+			if err != nil && !cerrdefs.IsNotFound(err) {

+				return nil, err

+			} else if err == nil {

+				c, err := loadTLSConfig(certsDir)

 				if err != nil {

 					return nil, err

 				}

-

-				out = append(out, *host)

+				t.TLSClientConfig = c

 			}

-

-			if host == "docker.io" {

-				host = "registry-1.docker.io"

-			}

-

-			h := docker.RegistryHost{

-				Scheme:       "https",

-				Client:       newDefaultClient(),

-				Host:         host,

-				Path:         "/v2",

-				Capabilities: docker.HostCapabilityPush | docker.HostCapabilityPull | docker.HostCapabilityResolve,

-			}

-

-			hosts, err := fillInsecureOpts(host, c, h)

-			if err != nil {

-				return nil, err

+		}

+		if daemon.registryService.IsInsecureRegistry(hosts[i].Host) {

+			if t.TLSClientConfig != nil {

+				isLocalhost, err := docker.MatchLocalhost(hosts[i].Host)

+				if err != nil {

+					continue

+				}

+				if isLocalhost {

+					hosts[i].Client.Transport = docker.NewHTTPFallback(hosts[i].Client.Transport)

+				}

+				t.TLSClientConfig.InsecureSkipVerify = true

+			} else {

+				hosts[i].Scheme = "http"

 			}

-

-			out = append(out, *hosts)

-

-			return out, nil

-		},

-		docker.ConfigureDefaultRegistries(

-			docker.WithClient(newDefaultClient()),

-			docker.WithPlainHTTP(docker.MatchLocalhost),

-		),

-	)

-}

-

-func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHost) (*docker.RegistryHost, error) {

-	tc, err := loadTLSConfig(c)

-	if err != nil {

-		return nil, err

-	}

-	var isHTTP bool

-

-	if c.PlainHTTP != nil && *c.PlainHTTP {

-		isHTTP = true

-	}

-	if c.PlainHTTP == nil {

-		if ok, _ := docker.MatchLocalhost(host); ok {

-			isHTTP = true

 		}

 	}

+	return hosts, nil

+}

-	httpsTransport := newDefaultTransport()

-	httpsTransport.TLSClientConfig = tc

-

-	if c.Insecure != nil && *c.Insecure {

-		h2 := h

-

-		var transport http.RoundTripper = httpsTransport

-		if isHTTP {

-			transport = &httpFallback{super: transport}

-		}

-		h2.Client = &http.Client{

-			Transport: tracing.NewTransport(transport),

-		}

-		tc.InsecureSkipVerify = true

-		return &h2, nil

-	} else if isHTTP {

-		h2 := h

-		h2.Scheme = "http"

-		return &h2, nil

+func loadTLSConfig(d string) (*tls.Config, error) {

+	fs, err := os.ReadDir(d)

+	if err != nil && !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {

+		return nil, errors.WithStack(err)

 	}

-

-	h.Client = &http.Client{

-		Transport: tracing.NewTransport(httpsTransport),

+	type keyPair struct {

+		Certificate string

+		Key         string

 	}

-	return &h, nil

-}

-

-func loadTLSConfig(c config.RegistryConfig) (*tls.Config, error) {

-	for _, d := range c.TLSConfigDir {

-		fs, err := os.ReadDir(d)

-		if err != nil && !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {

-			return nil, errors.WithStack(err)

+	var (

+		rootCAs  []string

+		keyPairs []keyPair

+	)

+	for _, f := range fs {

+		if strings.HasSuffix(f.Name(), ".crt") {

+			rootCAs = append(rootCAs, filepath.Join(d, f.Name()))

 		}

-		for _, f := range fs {

-			if strings.HasSuffix(f.Name(), ".crt") {

-				c.RootCAs = append(c.RootCAs, filepath.Join(d, f.Name()))

-			}

-			if strings.HasSuffix(f.Name(), ".cert") {

-				c.KeyPairs = append(c.KeyPairs, config.TLSKeyPair{

-					Certificate: filepath.Join(d, f.Name()),

-					Key:         filepath.Join(d, strings.TrimSuffix(f.Name(), ".cert")+".key"),

-				})

-			}

+		if strings.HasSuffix(f.Name(), ".cert") {

+			keyPairs = append(keyPairs, keyPair{

+				Certificate: filepath.Join(d, f.Name()),

+				Key:         filepath.Join(d, strings.TrimSuffix(f.Name(), ".cert")+".key"),

+			})

 		}

 	}

-	tc := &tls.Config{}

-	if len(c.RootCAs) > 0 {

+	tc := &tls.Config{

+		MinVersion: tls.VersionTLS12,

+	}

+	if len(rootCAs) > 0 {

 		systemPool, err := x509.SystemCertPool()

 		if err != nil {

 			if runtime.GOOS == "windows" {

@@ -193,7 +152,7 @@ func loadTLSConfig(c config.RegistryConfig) (*tls.Config, error) {

 		tc.RootCAs = systemPool

 	}

-	for _, p := range c.RootCAs {

+	for _, p := range rootCAs {

 		dt, err := os.ReadFile(p)

 		if err != nil {

 			return nil, errors.Wrapf(err, "failed to read %s", p)

@@ -201,7 +160,7 @@ func loadTLSConfig(c config.RegistryConfig) (*tls.Config, error) {

 		tc.RootCAs.AppendCertsFromPEM(dt)

 	}

-	for _, kp := range c.KeyPairs {

+	for _, kp := range keyPairs {

 		cert, err := tls.LoadX509KeyPair(kp.Certificate, kp.Key)

 		if err != nil {

 			return nil, errors.Wrapf(err, "failed to load keypair for %s", kp.Certificate)

@@ -210,87 +169,3 @@ func loadTLSConfig(c config.RegistryConfig) (*tls.Config, error) {

 	}

 	return tc, nil

 }

-

-func newMirrorRegistryHost(mirror string) docker.RegistryHost {

-	mirrorHost, mirrorPath := extractMirrorHostAndPath(mirror)

-	path := path.Join(defaultPath, mirrorPath)

-	h := docker.RegistryHost{

-		Scheme:       "https",

-		Client:       newDefaultClient(),

-		Host:         mirrorHost,

-		Path:         path,

-		Capabilities: docker.HostCapabilityPull | docker.HostCapabilityResolve,

-	}

-

-	return h

-}

-

-func newDefaultClient() *http.Client {

-	return &http.Client{

-		Transport: tracing.NewTransport(newDefaultTransport()),

-	}

-}

-

-// newDefaultTransport is for pull or push client

-//

-// NOTE: For push, there must disable http2 for https because the flow control

-// will limit data transfer. The net/http package doesn't provide http2 tunable

-// settings which limits push performance.

-//

-// REF: https://github.com/golang/go/issues/14077

-func newDefaultTransport() *http.Transport {

-	return &http.Transport{

-		Proxy: http.ProxyFromEnvironment,

-		DialContext: (&net.Dialer{

-			Timeout:   30 * time.Second,

-			KeepAlive: 60 * time.Second,

-		}).DialContext,

-		MaxIdleConns:          30,

-		IdleConnTimeout:       120 * time.Second,

-		MaxIdleConnsPerHost:   4,

-		TLSHandshakeTimeout:   10 * time.Second,

-		ExpectContinueTimeout: 5 * time.Second,

-		TLSNextProto:          make(map[string]func(authority string, c *tls.Conn) http.RoundTripper),

-	}

-}

-

-type httpFallback struct {

-	super http.RoundTripper

-	host  string

-}

-

-func (f *httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {

-	// only fall back if the same host had previously fell back

-	if f.host == r.URL.Host {

-		resp, err := f.super.RoundTrip(r)

-		var tlsErr tls.RecordHeaderError

-		if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {

-			f.host = r.URL.Host

-		} else {

-			return resp, err

-		}

-	}

-

-	plainHTTPUrl := *r.URL

-	plainHTTPUrl.Scheme = "http"

-

-	plainHTTPRequest := *r

-	plainHTTPRequest.URL = &plainHTTPUrl

-

-	return f.super.RoundTrip(&plainHTTPRequest)

-}

-

-func extractMirrorHostAndPath(mirror string) (string, string) {

-	var path string

-	host := mirror

-

-	u, err := url.Parse(mirror)

-	if err != nil || u.Host == "" {

-		u, err = url.Parse(fmt.Sprintf("//%s", mirror))

-	}

-	if err != nil || u.Host == "" {

-		return host, path

-	}

-

-	return u.Host, strings.TrimRight(u.Path, "/")

-}

new file mode 100644

@@ -0,0 +1,42 @@

+//go:build !windows

+

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package config

+

+import (

+	"crypto/x509"

+	"path/filepath"

+)

+

+func hostPaths(root, host string) (hosts []string) {

+	ch := hostDirectory(host)

+	if ch != host {

+		hosts = append(hosts, filepath.Join(root, ch))

+	}

+

+	hosts = append(hosts,

+		filepath.Join(root, host),

+		filepath.Join(root, "_default"),

+	)

+

+	return

+}

+

+func rootSystemPool() (*x509.CertPool, error) {

+	return x509.SystemCertPool()

+}

new file mode 100644

@@ -0,0 +1,41 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package config

+

+import (

+	"crypto/x509"

+	"path/filepath"

+	"strings"

+)

+

+func hostPaths(root, host string) (hosts []string) {

+	ch := hostDirectory(host)

+	if ch != host {

+		hosts = append(hosts, filepath.Join(root, strings.Replace(ch, ":", "", -1)))

+	}

+

+	hosts = append(hosts,

+		filepath.Join(root, strings.Replace(host, ":", "", -1)),

+		filepath.Join(root, "_default"),

+	)

+

+	return

+}

+

+func rootSystemPool() (*x509.CertPool, error) {

+	return x509.NewCertPool(), nil

+}

new file mode 100644

@@ -0,0 +1,44 @@

+//go:build gofuzz

+

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package config

+

+import (

+	"os"

+

+	fuzz "github.com/AdaLogics/go-fuzz-headers"

+)

+

+func FuzzParseHostsFile(data []byte) int {

+	f := fuzz.NewConsumer(data)

+	dir, err := os.MkdirTemp("", "fuzz-")

+	if err != nil {

+		return 0

+	}

+	err = f.CreateFiles(dir)

+	if err != nil {

+		return 0

+	}

+	defer os.RemoveAll(dir)

+	b, err := f.GetBytes()

+	if err != nil {

+		return 0

+	}

+	_, _ = parseHostsFile(dir, b)

+	return 1

+}

new file mode 100644

@@ -0,0 +1,612 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+// Package config contains utilities for helping configure the Docker resolver

+package config

+

+import (

+	"context"

+	"crypto/tls"

+	"errors"

+	"fmt"

+	"net"

+	"net/http"

+	"net/url"

+	"os"

+	"path"

+	"path/filepath"

+	"sort"

+	"strings"

+	"time"

+

+	"github.com/containerd/containerd/remotes/docker"

+	"github.com/containerd/errdefs"

+	"github.com/containerd/log"

+	"github.com/pelletier/go-toml"

+)

+

+// UpdateClientFunc is a function that lets you to amend http Client behavior used by registry clients.

+type UpdateClientFunc func(client *http.Client) error

+

+type hostConfig struct {

+	scheme string

+	host   string

+	path   string

+

+	capabilities docker.HostCapabilities

+

+	caCerts     []string

+	clientPairs [][2]string

+	skipVerify  *bool

+

+	header http.Header

+

+	// TODO: Add credential configuration (domain alias, username)

+}

+

+// HostOptions is used to configure registry hosts

+type HostOptions struct {

+	HostDir       func(string) (string, error)

+	Credentials   func(host string) (string, string, error)

+	DefaultTLS    *tls.Config

+	DefaultScheme string

+	// UpdateClient will be called after creating http.Client object, so clients can provide extra configuration

+	UpdateClient   UpdateClientFunc

+	AuthorizerOpts []docker.AuthorizerOpt

+}

+

+// ConfigureHosts creates a registry hosts function from the provided

+// host creation options. The host directory can read hosts.toml or

+// certificate files laid out in the Docker specific layout.

+// If a `HostDir` function is not required, defaults are used.

+func ConfigureHosts(ctx context.Context, options HostOptions) docker.RegistryHosts {

+	return func(host string) ([]docker.RegistryHost, error) {

+		var hosts []hostConfig

+		if options.HostDir != nil {

+			dir, err := options.HostDir(host)

+			if err != nil && !errdefs.IsNotFound(err) {

+				return nil, err

+			}

+			if dir != "" {

+				log.G(ctx).WithField("dir", dir).Debug("loading host directory")

+				hosts, err = loadHostDir(ctx, dir)

+				if err != nil {

+					return nil, err

+				}

+			}

+		}

+

+		// If hosts was not set, add a default host

+		// NOTE: Check nil here and not empty, the host may be

+		// intentionally configured to not have any endpoints

+		if hosts == nil {

+			hosts = make([]hostConfig, 1)

+		}

+		if len(hosts) > 0 && hosts[len(hosts)-1].host == "" {

+			if host == "docker.io" {

+				hosts[len(hosts)-1].scheme = "https"

+				hosts[len(hosts)-1].host = "registry-1.docker.io"

+			} else if docker.IsLocalhost(host) {

+				hosts[len(hosts)-1].host = host

+				if options.DefaultScheme == "" {

+					_, port, _ := net.SplitHostPort(host)

+					if port == "" || port == "443" {

+						// If port is default or 443, only use https

+						hosts[len(hosts)-1].scheme = "https"

+					} else {

+						// HTTP fallback logic will be used when protocol is ambiguous

+						hosts[len(hosts)-1].scheme = "http"

+					}

+

+					// When port is 80, protocol is not ambiguous

+					if port != "80" {

+						// Skipping TLS verification for localhost

+						var skipVerify = true

+						hosts[len(hosts)-1].skipVerify = &skipVerify

+					}

+				} else {

+					hosts[len(hosts)-1].scheme = options.DefaultScheme

+				}

+			} else {

+				hosts[len(hosts)-1].host = host

+				if options.DefaultScheme != "" {

+					hosts[len(hosts)-1].scheme = options.DefaultScheme

+				} else {

+					hosts[len(hosts)-1].scheme = "https"

+				}

+			}

+			hosts[len(hosts)-1].path = "/v2"

+			hosts[len(hosts)-1].capabilities = docker.HostCapabilityPull | docker.HostCapabilityResolve | docker.HostCapabilityPush

+		}

+

+		// tlsConfigured indicates that TLS was configured and HTTP endpoints should

+		// attempt to use the TLS configuration before falling back to HTTP

+		var tlsConfigured bool

+

+		var defaultTLSConfig *tls.Config

+		if options.DefaultTLS != nil {

+			tlsConfigured = true

+			defaultTLSConfig = options.DefaultTLS

+		} else {

+			defaultTLSConfig = &tls.Config{}

+		}

+

+		defaultTransport := &http.Transport{

+			Proxy: http.ProxyFromEnvironment,

+			DialContext: (&net.Dialer{

+				Timeout:       30 * time.Second,

+				KeepAlive:     30 * time.Second,

+				FallbackDelay: 300 * time.Millisecond,

+			}).DialContext,

+			MaxIdleConns:          10,

+			IdleConnTimeout:       30 * time.Second,

+			TLSHandshakeTimeout:   10 * time.Second,

+			TLSClientConfig:       defaultTLSConfig,

+			ExpectContinueTimeout: 5 * time.Second,

+		}

+

+		client := &http.Client{

+			Transport: defaultTransport,

+		}

+		if options.UpdateClient != nil {

+			if err := options.UpdateClient(client); err != nil {

+				return nil, err

+			}

+		}

+

+		authOpts := []docker.AuthorizerOpt{docker.WithAuthClient(client)}

+		if options.Credentials != nil {

+			authOpts = append(authOpts, docker.WithAuthCreds(options.Credentials))

+		}

+		authOpts = append(authOpts, options.AuthorizerOpts...)

+		authorizer := docker.NewDockerAuthorizer(authOpts...)

+

+		rhosts := make([]docker.RegistryHost, len(hosts))

+		for i, host := range hosts {

+			// Allow setting for each host as well

+			explicitTLS := tlsConfigured

+

+			if host.caCerts != nil || host.clientPairs != nil || host.skipVerify != nil {

+				explicitTLS = true

+				tr := defaultTransport.Clone()

+				tlsConfig := tr.TLSClientConfig

+				if host.skipVerify != nil {

+					tlsConfig.InsecureSkipVerify = *host.skipVerify

+				}

+				if host.caCerts != nil {

+					if tlsConfig.RootCAs == nil {

+						rootPool, err := rootSystemPool()

+						if err != nil {

+							return nil, fmt.Errorf("unable to initialize cert pool: %w", err)

+						}

+						tlsConfig.RootCAs = rootPool

+					}

+					for _, f := range host.caCerts {

+						data, err := os.ReadFile(f)

+						if err != nil {

+							return nil, fmt.Errorf("unable to read CA cert %q: %w", f, err)

+						}

+						if !tlsConfig.RootCAs.AppendCertsFromPEM(data) {

+							return nil, fmt.Errorf("unable to load CA cert %q", f)

+						}

+					}

+				}

+

+				if host.clientPairs != nil {

+					for _, pair := range host.clientPairs {

+						certPEMBlock, err := os.ReadFile(pair[0])

+						if err != nil {

+							return nil, fmt.Errorf("unable to read CERT file %q: %w", pair[0], err)

+						}

+						var keyPEMBlock []byte

+						if pair[1] != "" {

+							keyPEMBlock, err = os.ReadFile(pair[1])

+							if err != nil {

+								return nil, fmt.Errorf("unable to read CERT file %q: %w", pair[1], err)

+							}

+						} else {

+							// Load key block from same PEM file

+							keyPEMBlock = certPEMBlock

+						}

+						cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)

+						if err != nil {

+							return nil, fmt.Errorf("failed to load X509 key pair: %w", err)

+						}

+

+						tlsConfig.Certificates = append(tlsConfig.Certificates, cert)

+					}

+				}

+

+				c := *client

+				c.Transport = tr

+				if options.UpdateClient != nil {

+					if err := options.UpdateClient(&c); err != nil {

+						return nil, err

+					}

+				}

+

+				rhosts[i].Client = &c

+				rhosts[i].Authorizer = docker.NewDockerAuthorizer(append(authOpts, docker.WithAuthClient(&c))...)

+			} else {

+				rhosts[i].Client = client

+				rhosts[i].Authorizer = authorizer

+			}

+

+			// When TLS has been configured for the operation or host and

+			// the protocol from the port number is ambiguous, use the

+			// docker.NewHTTPFallback roundtripper to catch TLS errors and re-attempt the

+			// request as http. This allows preference for https when configured but

+			// also catches TLS errors early enough in the request to avoid sending

+			// the request twice or consuming the request body.

+			if host.scheme == "http" && explicitTLS {

+				_, port, _ := net.SplitHostPort(host.host)

+				if port != "" && port != "80" {

+					log.G(ctx).WithField("host", host.host).Info("host will try HTTPS first since it is configured for HTTP with a TLS configuration, consider changing host to HTTPS or removing unused TLS configuration")

+					host.scheme = "https"

+					rhosts[i].Client.Transport = docker.NewHTTPFallback(rhosts[i].Client.Transport)

+				}

+			}

+

+			rhosts[i].Scheme = host.scheme

+			rhosts[i].Host = host.host

+			rhosts[i].Path = host.path

+			rhosts[i].Capabilities = host.capabilities

+			rhosts[i].Header = host.header

+		}

+

+		return rhosts, nil

+	}

+

+}

+

+// HostDirFromRoot returns a function which finds a host directory

+// based at the given root.

+func HostDirFromRoot(root string) func(string) (string, error) {

+	return func(host string) (string, error) {

+		for _, p := range hostPaths(root, host) {

+			if _, err := os.Stat(p); err == nil {

+				return p, nil

+			} else if !os.IsNotExist(err) {

+				return "", err

+			}

+		}

+		return "", errdefs.ErrNotFound

+	}

+}

+

+// hostDirectory converts ":port" to "_port_" in directory names

+func hostDirectory(host string) string {

+	idx := strings.LastIndex(host, ":")

+	if idx > 0 {

+		return host[:idx] + "_" + host[idx+1:] + "_"

+	}