coder
diff --git a/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 8 additions & 8 deletions b/‎agent/agent.go
Lines changed: 8 additions & 8 deletions
diff --git a/‎agent/statsendpoint.go renamed to ‎agent/api.go
Lines changed: 1 addition & 1 deletion b/‎agent/statsendpoint.go renamed to ‎agent/api.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/agent.go
Lines changed: 33 additions & 1 deletion b/‎cli/agent.go
Lines changed: 33 additions & 1 deletion
diff --git a/‎codersdk/workspaceagentconn.go
Lines changed: 21 additions & 23 deletions b/‎codersdk/workspaceagentconn.go
Lines changed: 21 additions & 23 deletions
diff --git a/‎docs/admin/upgrade.md
Lines changed: 1 addition & 1 deletion b/‎docs/admin/upgrade.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/admin/users.md
Lines changed: 1 addition & 1 deletion b/‎docs/admin/users.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/install/binary.md
Lines changed: 2 additions & 2 deletions b/‎docs/install/binary.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/install/kubernetes.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/kubernetes.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/install/offline.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/offline.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/install/packages.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/packages.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/install/windows.md
Lines changed: 1 addition & 1 deletion b/‎docs/install/windows.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/secrets.md
Lines changed: 1 addition & 1 deletion b/‎docs/secrets.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/templates.md
Lines changed: 1 addition & 1 deletion b/‎docs/templates.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/templates/docker-in-docker.md
Lines changed: 11 additions & 46 deletions b/‎docs/templates/docker-in-docker.md
Lines changed: 11 additions & 46 deletions
diff --git a/‎scaletest/agentconn/run.go
Lines changed: 1 addition & 1 deletion b/‎scaletest/agentconn/run.go
Lines changed: 1 addition & 1 deletion
@@ -6,6 +6,7 @@ MacOS = "macOS"
 AKS = "AKS"
 
 [default.extend-words]
+AKS = "AKS"
 # do as sudo replacement
 doas = "doas"
 darcula = "darcula"
 
@@ -24,7 +24,7 @@
 
 [![discord](https://img.shields.io/discord/747933592273027093?label=discord)](https://discord.gg/coder)
 [![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
-[![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases)
+[![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
 [![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
 [![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder)](https://goreportcard.com/report/github.com/coder/coder)
 [![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)
 
@@ -526,23 +526,23 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (_
 		return nil, err
 	}
 
-	statisticsListener, err := network.Listen("tcp", ":"+strconv.Itoa(codersdk.WorkspaceAgentStatisticsPort))
+	apiListener, err := network.Listen("tcp", ":"+strconv.Itoa(codersdk.WorkspaceAgentHTTPAPIServerPort))
 	if err != nil {
-		return nil, xerrors.Errorf("listen for statistics: %w", err)
+		return nil, xerrors.Errorf("api listener: %w", err)
 	}
 	defer func() {
 		if err != nil {
-			_ = statisticsListener.Close()
+			_ = apiListener.Close()
 		}
 	}()
 	if err = a.trackConnGoroutine(func() {
-		defer statisticsListener.Close()
+		defer apiListener.Close()
 		server := &http.Server{
-			Handler:           a.statisticsHandler(),
+			Handler:           a.apiHandler(),
 			ReadTimeout:       20 * time.Second,
 			ReadHeaderTimeout: 20 * time.Second,
 			WriteTimeout:      20 * time.Second,
-			ErrorLog:          slog.Stdlib(ctx, a.logger.Named("statistics_http_server"), slog.LevelInfo),
+			ErrorLog:          slog.Stdlib(ctx, a.logger.Named("http_api_server"), slog.LevelInfo),
 		}
 		go func() {
 			select {
@@ -552,9 +552,9 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (_
 			_ = server.Close()
 		}()
 
-		err := server.Serve(statisticsListener)
+		err := server.Serve(apiListener)
 		if err != nil && !xerrors.Is(err, http.ErrServerClosed) && !strings.Contains(err.Error(), "use of closed network connection") {
-			a.logger.Critical(ctx, "serve statistics HTTP server", slog.Error(err))
+			a.logger.Critical(ctx, "serve HTTP API server", slog.Error(err))
 		}
 	}); err != nil {
 		return nil, err
 
@@ -11,7 +11,7 @@ import (
 	"github.com/coder/coder/codersdk"
 )
 
-func (*agent) statisticsHandler() http.Handler {
+func (*agent) apiHandler() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{
 
@@ -3,13 +3,15 @@ package cli
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/pprof"
 	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"sync"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
@@ -91,11 +93,14 @@ func workspaceAgent() *cobra.Command {
 			// reaper.
 			go dumpHandler(ctx)
 
-			logWriter := &lumberjack.Logger{
+			ljLogger := &lumberjack.Logger{
 				Filename: filepath.Join(logDir, "coder-agent.log"),
 				MaxSize:  5, // MB
 			}
+			defer ljLogger.Close()
+			logWriter := &closeWriter{w: ljLogger}
 			defer logWriter.Close()
+
 			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
 
 			version := buildinfo.Version()
@@ -229,3 +234,30 @@ func serveHandler(ctx context.Context, logger slog.Logger, handler http.Handler,
 		_ = srv.Close()
 	}
 }
+
+// closeWriter is a wrapper around an io.WriteCloser that prevents
+// writes after Close. This is necessary because lumberjack will
+// re-open the file on write.
+type closeWriter struct {
+	w      io.WriteCloser
+	mu     sync.Mutex // Protects following.
+	closed bool
+}
+
+func (c *closeWriter) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.closed = true
+	return c.w.Close()
+}
+
+func (c *closeWriter) Write(p []byte) (int, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.closed {
+		return 0, io.ErrClosedPipe
+	}
+	return c.w.Write(p)
+}
@@ -23,20 +23,18 @@ import (
 	"github.com/coder/coder/tailnet"
 )
 
-var (
-	// WorkspaceAgentIP is a static IPv6 address with the Tailscale prefix that is used to route
-	// connections from clients to this node. A dynamic address is not required because a Tailnet
-	// client only dials a single agent at a time.
-	WorkspaceAgentIP = netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")
-)
+// WorkspaceAgentIP is a static IPv6 address with the Tailscale prefix that is used to route
+// connections from clients to this node. A dynamic address is not required because a Tailnet
+// client only dials a single agent at a time.
+var WorkspaceAgentIP = netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")
 
 const (
 	WorkspaceAgentSSHPort             = 1
 	WorkspaceAgentReconnectingPTYPort = 2
 	WorkspaceAgentSpeedtestPort       = 3
-	// WorkspaceAgentStatisticsPort serves a HTTP server with endpoints for gathering
-	// agent statistics.
-	WorkspaceAgentStatisticsPort = 4
+	// WorkspaceAgentHTTPAPIServerPort serves a HTTP server with endpoints for e.g.
+	// gathering agent statistics.
+	WorkspaceAgentHTTPAPIServerPort = 4
 
 	// WorkspaceAgentMinimumListeningPort is the minimum port that the listening-ports
 	// endpoint will return to the client, and the minimum port that is accepted
@@ -282,7 +280,7 @@ type WorkspaceAgentListeningPort struct {
 func (c *WorkspaceAgentConn) ListeningPorts(ctx context.Context) (WorkspaceAgentListeningPortsResponse, error) {
 	ctx, span := tracing.StartSpan(ctx)
 	defer span.End()
-	res, err := c.requestStatisticsServer(ctx, http.MethodGet, "/api/v0/listening-ports", nil)
+	res, err := c.apiRequest(ctx, http.MethodGet, "/api/v0/listening-ports", nil)
 	if err != nil {
 		return WorkspaceAgentListeningPortsResponse{}, xerrors.Errorf("do request: %w", err)
 	}
@@ -295,30 +293,30 @@ func (c *WorkspaceAgentConn) ListeningPorts(ctx context.Context) (WorkspaceAgent
 	return resp, json.NewDecoder(res.Body).Decode(&resp)
 }
 
-// requestStatisticsServer makes a request to the workspace agent's statistics server.
-func (c *WorkspaceAgentConn) requestStatisticsServer(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
+// apiRequest makes a request to the workspace agent's HTTP API server.
+func (c *WorkspaceAgentConn) apiRequest(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
 	ctx, span := tracing.StartSpan(ctx)
 	defer span.End()
-	host := net.JoinHostPort(WorkspaceAgentIP.String(), strconv.Itoa(WorkspaceAgentStatisticsPort))
+	host := net.JoinHostPort(WorkspaceAgentIP.String(), strconv.Itoa(WorkspaceAgentHTTPAPIServerPort))
 	url := fmt.Sprintf("http://%s%s", host, path)
 
 	req, err := http.NewRequestWithContext(ctx, method, url, body)
 	if err != nil {
-		return nil, xerrors.Errorf("new statistics server request to %q: %w", url, err)
+		return nil, xerrors.Errorf("new http api request to %q: %w", url, err)
 	}
 
-	return c.statisticsServerClient().Do(req)
+	return c.apiClient().Do(req)
 }
 
-// statisticsServerClient returns an HTTP client that can be used to make
-// requests to the workspace agent's statistics server.
-func (c *WorkspaceAgentConn) statisticsServerClient() *http.Client {
+// apiClient returns an HTTP client that can be used to make
+// requests to the workspace agent's HTTP API server.
+func (c *WorkspaceAgentConn) apiClient() *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
 			// Disable keep alives as we're usually only making a single
 			// request, and this triggers goleak in tests
 			DisableKeepAlives: true,
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			DialContext: func(_ context.Context, network, addr string) (net.Conn, error) {
 				if network != "tcp" {
 					return nil, xerrors.Errorf("network must be tcp")
 				}
@@ -328,13 +326,13 @@ func (c *WorkspaceAgentConn) statisticsServerClient() *http.Client {
 				}
 				// Verify that host is TailnetIP and port is
 				// TailnetStatisticsPort.
-				if host != WorkspaceAgentIP.String() || port != strconv.Itoa(WorkspaceAgentStatisticsPort) {
-					return nil, xerrors.Errorf("request %q does not appear to be for statistics server", addr)
+				if host != WorkspaceAgentIP.String() || port != strconv.Itoa(WorkspaceAgentHTTPAPIServerPort) {
+					return nil, xerrors.Errorf("request %q does not appear to be for http api", addr)
 				}
 
-				conn, err := c.DialContextTCP(context.Background(), netip.AddrPortFrom(WorkspaceAgentIP, WorkspaceAgentStatisticsPort))
+				conn, err := c.DialContextTCP(context.Background(), netip.AddrPortFrom(WorkspaceAgentIP, WorkspaceAgentHTTPAPIServerPort))
 				if err != nil {
-					return nil, xerrors.Errorf("dial statistics: %w", err)
+					return nil, xerrors.Errorf("dial http api: %w", err)
 				}
 
 				return conn, nil
 
@@ -45,7 +45,7 @@ See [Upgrading Coder via Helm](../install/kubernetes.md#upgrading-coder-via-helm
 
 ## Via Windows
 
-Download the latest Windows installer or binary from [GitHub releases](https://github.com/coder/coder/releases), or upgrade from Winget.
+Download the latest Windows installer or binary from [GitHub releases](https://github.com/coder/coder/releases/latest), or upgrade from Winget.
 
 ```sh
 winget install Coder.Coder
 
@@ -46,7 +46,7 @@ with the user so that they can log into Coder:
 
 ```console
 Download the Coder command line for your operating system:
-https://github.com/coder/coder/releases
+https://github.com/coder/coder/releases/latest
 
 Run  coder login https://<accessURL>.coder.app  to authenticate.
 
 
@@ -1,6 +1,6 @@
-Coder publishes self-contained .zip and .tar.gz archives in [GitHub releases](https://github.com/coder/coder/releases). The archives bundle `coder` binary.
+Coder publishes self-contained .zip and .tar.gz archives in [GitHub releases](https://github.com/coder//latest). The archives bundle `coder` binary.
 
-1. Download the [release archive](https://github.com/coder/coder/releases) appropriate for your operating system
+1. Download the [release archive](https://github.com/coder/coder/releases/latest) appropriate for your operating system
 
 1. Unzip the folder you just downloaded, and move the `coder` executable to a location that's on your `PATH`
 
 
@@ -2,7 +2,7 @@
 
 Before proceeding, please ensure that you have a Kubernetes cluster running K8s 1.19+ and have Helm 3.5+ installed.
 
-You'll also want to install the [latest version of Coder](https://github.com/coder/coder/releases) locally in order
+You'll also want to install the [latest version of Coder](https://github.com/coder/coder/releases/latest) locally in order
 to log in and manage templates.
 
 ## Install Coder with Helm
 
@@ -133,7 +133,7 @@ services:
 
 ## Run offline via Kubernetes
 
-We publish the Helm chart for download on [GitHub Releases](https://github.com/coder/coder/releases). Follow our [Kubernetes](./kubernetes.md) documentation and modify the Helm values to specify your custom Coder image.
+We publish the Helm chart for download on [GitHub Releases](https://github.com/coder/coder/releases/latest). Follow our [Kubernetes](./kubernetes.md) documentation and modify the Helm values to specify your custom Coder image.
 
 ```yaml
 # values.yaml
 
@@ -1,4 +1,4 @@
-1. Download and install one of the following system packages from [GitHub releases](https://github.com/coder/coder/releases):
+1. Download and install one of the following system packages from [GitHub releases](https://github.com/coder/coder/releases/latest):
 
    - .deb (Debian, Ubuntu)
    - .rpm (Fedora, CentOS, RHEL, SUSE)
 
@@ -2,7 +2,7 @@
 
 Use the Windows installer to download the CLI and add Coder to `PATH`. Alternatively, you can install Coder on Windows via a [standalone binary](./binary.md).
 
-1. Download the Windows installer from [GitHub releases](https://github.com/coder/coder/releases) or from `winget`
+1. Download the Windows installer from [GitHub releases](https://github.com/coder/coder/releases/latest) or from `winget`
 
    ```powershell
     winget install Coder.Coder
 
@@ -2,7 +2,7 @@
 
 <blockquote class="info">
 This article explains how to use secrets in a workspace. To authenticate the
-workspace provisioner, see [this](./admin/auth.md).
+workspace provisioner, see <a href="/admin/auth">this</a>.
 </blockquote>
 
 Coder is open-minded about how you get your secrets into your workspaces.
 
@@ -15,7 +15,7 @@ The CLI and the server are the same binary. We did this to encourage virality so
 individuals can start their own Coder deployments.
 
 From your local machine, download the CLI for your operating system from the
-[releases](https://github.com/coder/coder/releases) or run:
+[releases](https://github.com/coder/coder/releases/latest) or run:
 
 ```console
 curl -fsSL https://coder.com/install.sh | sh
 
@@ -1,10 +1,15 @@
+# Docker in Docker
+
 There are a few ways to run Docker within container-based Coder workspaces.
 
-## Sysbox runtime (recommended)
+| Method                                                     | Description                                                                                                          | Limitations                                                                                                                                                                                                 |
+| ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Sysbox container runtime](#sysbox-container-runtime)      | Install sysbox on your Kubernetes nodes for secure docker-in-docker and systemd-in-docker. Works with GKE, EKS, AKS. | Requires [compatible nodes](https://github.com/nestybox/sysbox#host-requirements). Max of 16 sysbox pods per node. [See all](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/limitations.md) |
+| [Privileged docker sidecar](#privileged-sidecar-container) | Run docker as a privilged sidecar container.                                                                         | Requires a privileged container. Workspaces can break out to root on the host machine.                                                                                                                      |
 
-The [Sysbox](https://github.com/nestybox/sysbox) container runtime allows unprivileged users to run system-level applications, such as Docker, securely from the workspace containers. Sysbox requires a [compatible Linux distribution](https://github.com/nestybox/sysbox/blob/master/docs/distro-compat.md) to implement these security features.
+## Sysbox container runtime
 
-> Sysbox can also be used to run systemd inside Coder workspaces. See [Systemd in Docker](#systemd-in-docker).
+The [Sysbox](https://github.com/nestybox/sysbox) container runtime allows unprivileged users to run system-level applications, such as Docker, securely from the workspace containers. Sysbox requires a [compatible Linux distribution](https://github.com/nestybox/sysbox/blob/master/docs/distro-compat.md) to implement these security features. Sysbox can also be used to run systemd inside Coder workspaces. See [Systemd in Docker](#systemd-in-docker).
 
 ### Use Sysbox in Docker-based templates
 
@@ -106,7 +111,9 @@ resource "kubernetes_pod" "dev" {
 
 ## Privileged sidecar container
 
-While less secure, you can attach a [privileged container](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) to your templates. This may come in handy if your nodes cannot run Sysbox.
+A [privileged container](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) can be added to your templates to add docker support. This may come in handy if your nodes cannot run Sysbox.
+
+> ⚠️ **Warning**: This is insecure. Workspaces will be able to gain root access to the host machine.
 
 ### Use a privileged sidecar container in Docker-based templates
 
@@ -212,48 +219,6 @@ resource "kubernetes_pod" "main" {
 
 Additionally, [Sysbox](https://github.com/nestybox/sysbox) can be used to give workspaces full `systemd` capabilities.
 
-### Use systemd in Docker-based templates
-
-After [installing Sysbox](https://github.com/nestybox/sysbox#installation) on the Coder host, modify your template to use the sysbox-runc runtime and start systemd:
-
-```hcl
-resource "docker_container" "workspace" {
-  image = "codercom/enterprise-base:ubuntu"
-  name = "coder-${data.coder_workspace.me.owner}-${lower(data.coder_workspace.me.name)}"
-
-  # Use Sysbox container runtime (required)
-  runtime = "sysbox-runc"
-  # Run as root in order to start systemd (required)
-  user    = "0:0"
-
-  # Start systemd and the Coder agent
-  command = ["sh", "-c", <<EOF
-    # Start the Coder agent as the "coder" user
-    # once systemd has started up
-    sudo -u coder --preserve-env=CODER_AGENT_TOKEN /bin/bash -- <<-'    EOT' &
-    while [[ ! $(systemctl is-system-running) =~ ^(running|degraded) ]]
-    do
-      echo "Waiting for system to start... $(systemctl is-system-running)"
-      sleep 2
-    done
-    ${coder_agent.main.init_script}
-    EOT
-
-    exec /sbin/init
-    EOF
-    ,
-  ]
-  env     = ["CODER_AGENT_TOKEN=${coder_agent.main.token}"]
-}
-
-resource "coder_agent" "main" {
-  arch = data.coder_provisioner.me.arch
-  os   = "linux"
-}
-```
-
-### Use systemd in Kubernetes-based templates
-
 After [installing Sysbox on Kubernetes](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install-k8s.md),
 modify your template to use the sysbox-runc RuntimeClass. This requires the Kubernetes Terraform provider version 2.16.0 or greater.
 
 
@@ -218,7 +218,7 @@ func verifyConnection(ctx context.Context, logs io.Writer, conn *codersdk.Worksp
 
 		u := &url.URL{
 			Scheme: "http",
-			Host:   net.JoinHostPort("localhost", strconv.Itoa(codersdk.WorkspaceAgentStatisticsPort)),
+			Host:   net.JoinHostPort("localhost", strconv.Itoa(codersdk.WorkspaceAgentHTTPAPIServerPort)),
 			Path:   "/",
 		}
 		req, err := http.NewRequestWithContext(verifyCtx, http.MethodGet, u.String(), nil)
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`"github.com/coder/coder/codersdk"`
`12`	`12`	`)`
`13`	`13`
`14`		`-func (*agent) statisticsHandler() http.Handler {`
	`14`	`+func (*agent) apiHandler() http.Handler {`
`15`	`15`	`r := chi.NewRouter()`
`16`	`16`	`r.Get("/", func(rw http.ResponseWriter, r *http.Request) {`
`17`	`17`	`httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-1. Download and install one of the following system packages from [GitHub releases](https://github.com/coder/coder/releases):`
	`1`	`+1. Download and install one of the following system packages from [GitHub releases](https://github.com/coder/coder/releases/latest):`
`2`	`2`
`3`	`3`	`- .deb (Debian, Ubuntu)`
`4`	`4`	`- .rpm (Fedora, CentOS, RHEL, SUSE)`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ func verifyConnection(ctx context.Context, logs io.Writer, conn *codersdk.Worksp`
`218`	`218`
`219`	`219`	`u := &url.URL{`
`220`	`220`	`Scheme: "http",`
`221`		`- Host: net.JoinHostPort("localhost", strconv.Itoa(codersdk.WorkspaceAgentStatisticsPort)),`
	`221`	`+ Host: net.JoinHostPort("localhost", strconv.Itoa(codersdk.WorkspaceAgentHTTPAPIServerPort)),`
`222`	`222`	`Path: "/",`
`223`	`223`	`}`
`224`	`224`	`req, err := http.NewRequestWithContext(verifyCtx, http.MethodGet, u.String(), nil)`