Support for non-TLS HTTP

[djettah]

Currently using HTTP registries indroduces severe timeouts as HTTP works only as a fallback from HTTPS:

Thanks for your report. This behavior is currently hard-coded; the “try also non-TLS HTTP” and “do not require a trusted certificate and an authenticated connection when using TLS HTTPS” options are both configured using the same *tls-verify=false, with no way to choose only one of the two.
(from containers/skopeo#1519)

It would be beneficial to have an option disabling TLS.

[mtrmac]

Thanks for your report. Does the option of using explicit :80 not make a difference?

Either way, transferring to c/image, where that new option would need to be implemented.

[djettah]

Thanks for your report. Does the option of using explicit :80 not make a difference?

No, the registry is already on non-standard port.

[mtrmac]

So, to confirm, the delay is in that the registry accepts the connection, but somehow takes a long time to reject the TLS negotiation as an invalid HTTP request?

[djettah]

Yes, it waits 30s until a timeout fires:

...
DEBU[0000] GET https://artifactory-sage-1.ds.sage-next.local:9002/v2/
DEBU[0030] Ping https://artifactory-sage-1.ds.sage-next.local:9002/v2/ err Get "https://artifactory-sage-1.ds.sage-next.local:9002/v2/": dial tcp 10.232.41.14:9002: i/o timeout (&url.Error{Op:"Get", URL:"https://artifactory-sage-1.ds.sage-next.local:9002/v2/", Err:(*net.OpError)(0x400049a190)})
DEBU[0030] GET http://artifactory-sage-1.ds.sage-next.local:9002/v2/

Tweaking such timeouts could be also an option.

[djettah]

It turned out I had only set http_proxy without https_proxy that's why timeout happened. Solved my problem but an option would still be useful.

[mtrmac]

This is also tracked as #2088, and that one includes a bit more discussion; please follow there.