From 06ab9cd1ed3bb7bec5f4fd3b17ff05dba9f9be15 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 19 Jun 2025 13:57:10 +0200 Subject: [PATCH] daemon/config: Validate: add missing validation for registry mirrors Validation of registry mirrors was performed during daemon startup, but after the config-file was validated. As a result, the `--validate` option would incorrectly print that the configuration was valid, but the daemon would fail to start; echo '{"registry-mirrors":["example.com"]}' > my-config.json dockerd --config-file ./my-config.json --validate configuration OK dockerd --config-file ./my-config.json # ... failed to start daemon: invalid mirror: no scheme specified for "example.com": must use either 'https://' or 'http://' With this patch applied, validation is also performed as part of the daemon config validation; echo '{"registry-mirrors":["example.com"]}' > my-config.json dockerd --config-file ./my-config.json --validate unable to configure the Docker daemon with file ./my-config.json: merged configuration validation from file and command line flags failed: invalid mirror: no scheme specified for "example.com": must use either 'https://' or 'http://' # fix the invalid config echo '{"registry-mirrors":["https://example.com"]}' > my-config.json dockerd --config-file ./my-config.json --validate configuration OK Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 1d8545d60c3e5500ad1ebc9fce15725bef07a92a) Signed-off-by: Sebastiaan van Stijn
---
 daemon/config/config.go | 6 ++++++
 daemon/config/config_test.go | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/daemon/config/config.go b/daemon/config/config.go
index 66a0c76db8..c2d464f8c3 100644
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -748,6 +748,12 @@ func Validate(config *Config) error {
 }
 }
 
+ for _, mirror := range config.ServiceOptions.Mirrors {
+ if _, err := registry.ValidateMirror(mirror); err != nil {
+ return err
+ }
+ }
+
 if config.CorsHeaders != "" {
 // TODO(thaJeztah): option is used to produce error when used; remove in next release
 return errors.New(`DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option have been removed; use a reverse proxy if you need CORS headers`)
diff --git a/daemon/config/config_test.go b/daemon/config/config_test.go
index bf89f672c3..20514404a0 100644
--- a/daemon/config/config_test.go
+++ b/daemon/config/config_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/docker/docker/api"
 "github.com/docker/docker/libnetwork/ipamutils"
 "github.com/docker/docker/opts"
+ "github.com/docker/docker/registry"
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/spf13/pflag"
@@ -428,6 +429,17 @@ func TestValidateConfigurationErrors(t *testing.T) {
 platform: "windows",
 expectedErr: "invalid exec-opt (native.cgroupdriver=systemd): option 'native.cgroupdriver' is only supported on linux",
 },
+ {
+ name: "invalid mirror",
+ config: &Config{
+ CommonConfig: CommonConfig{
+ ServiceOptions: registry.ServiceOptions{
+ Mirrors: []string{"ftp://example.com"},
+ },
+ },
+ },
+ expectedErr: `invalid mirror: unsupported scheme "ftp" in "ftp://example.com": must use either 'https://' or 'http://'`,
+ },
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
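Review bot: The new loop in Validate discards the first return value of `registry.ValidateMirror` with `_` and has no comment, so a reader cannot tell whether dropping it is deliberate. A comment above the loop would settle it, for example `// Check mirrors here so --validate rejects the same input that stops daemon startup; only the error is used, the configured strings are left as written.` The comment should also say that this is a syntax check only: going by the error text, `http://` mirrors are accepted, so a passing `--validate` says nothing about whether the mirror is reached over TLS. Validate begins before this hunk and continues after it.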
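Review bot: The added table entry in TestValidateConfigurationErrors covers only the unsupported-scheme branch (`ftp://example.com`); the scheme-less mirror from the commit description, which is the regression being fixed, is not tested. A second entry with `Mirrors: []string{"example.com"}` would pin it, taking as its `expectedErr` the `no scheme specified for "example.com"` message quoted in the commit description. If the file also has a table of valid configurations (not visible here), an `https://example.com` mirror there would guard against the new check rejecting good input. The test function starts before this hunk and continues after it.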