Contributing guidelines
I've found a bug and checked that ...
Description
Summary
The Docker buildx remote driver sends gRPC requests with :authority: localhost regardless of the configured TCP endpoint. This breaks any HTTP/2 reverse proxy (e.g., Envoy) that routes based on the :authority pseudo-header.
Root cause
The remote driver's Client() method in driver/remote/driver.go passes an empty string as the address to client.New():
// driver/remote/driver.go, line 96
c, err := client.New(ctx, "", opts...)
In client/client.go, when address == "":
- Lines 120-121: address defaults to appdefaults.Address → unix:///run/buildkit/buildkitd.sock
- Lines 135-138: creds is nil (remote driver handles TLS itself via d.Dial(), not via grpc-go transport credentials), so authority is not set from creds.serverName
- Lines 139-141: authority = uri.Host → empty for a unix socket URI
- Line 149: grpc.WithAuthority("") → grpc-go defaults to localhost
The actual TCP connection works correctly — the remote driver's WithContextDialer + d.Dial() connects to the right host with proper TLS (the servername driver-opt correctly sets TLS SNI). But the gRPC :authority pseudo-header is derived from the empty address, not from the endpoint.
Expected behaviour
:authority should be my-buildkit.example.com:443 (or my-buildkit.example.com), matching the configured endpoint. This would allow HTTP/2 proxies to route based on :authority, which is the standard mechanism for virtual hosting in HTTP/2.
Actual behaviour
With GRPC_GO_LOG_SEVERITY_LEVEL=info, grpc-go logs:
original dial target is: "unix:///run/buildkit/buildkitd.sock"
[Channel #1] Channel authority set to "localhost"
The outgoing request bears "localhost" as :authority instead of the endpoint name.
Buildx version
buildx: v0.30.1 (9e66234)
Docker info
Builders list
Configuration
d=$(mktemp -d)
BUILDX_CONFIG=$d buildx create \
--name repro \
--driver remote \
--platform linux/amd64 \
--driver-opt cacert=/path/to/ca.pem,cert=/path/to/client.pem,key=/path/to/client.pem,servername=my-buildkit.example.com \
tcp://my-buildkit.example.com:443
BUILDX_CONFIG=$d buildx inspect --bootstrap repro
# Result: "context deadline exceeded" after 20s
BUILDX_CONFIG=$d buildx rm repro
rm -rf "$d"
Build logs
Additional info
No response
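The derivation chain described in this report, modelled as an added Go example using only the standard library (it is not code from buildx, buildkit or grpc-go, and not part of the original issue). `ReportedAuthority` and `EndpointAuthority` are hypothetical names; the fallback to `localhost` is taken from the report's log output, and the endpoint is the one from the report's configuration.

```go
package main

import (
	"fmt"
	"net/url"
)

// appdefaults.Address as quoted in the report.
const defaultAddress = "unix:///run/buildkit/buildkitd.sock"

// ReportedAuthority models the steps the report lists for client.New():
// empty address -> default unix socket; no creds -> uri.Host; empty -> "localhost".
func ReportedAuthority(address, credsServerName string) string {
	if address == "" {
		address = defaultAddress
	}
	// Empty for the remote driver, which does TLS in d.Dial() instead of grpc creds.
	authority := credsServerName
	if authority == "" {
		if u, err := url.Parse(address); err == nil {
			authority = u.Host // "" for unix:///path
		}
	}
	if authority == "" {
		return "localhost" // fallback seen in the grpc-go log lines in the report
	}
	return authority
}

// EndpointAuthority (hypothetical helper) returns the value the report expects:
// the host:port of the configured tcp:// endpoint.
func EndpointAuthority(endpoint string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	if u.Scheme != "tcp" || u.Host == "" {
		return "", fmt.Errorf("no authority derivable from %q", endpoint)
	}
	return u.Host, nil
}

func main() {
	want, _ := EndpointAuthority("tcp://my-buildkit.example.com:443")
	fmt.Printf("sent with empty address: %s\n", ReportedAuthority("", ""))
	fmt.Printf("proxy routes on:         %s\n", want)
}
```

A proxy that routes on `:authority` sees the first value and finds no matching virtual host, even though TLS SNI on the same connection carries the correct server name.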