Merge pull request #43555 from thaJeztah/separate_engine_id

daemon: separate daemon ID from trust-key, and disable generating

daemon/daemon.go

@@ -977,15 +977,12 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		return nil, err
 	}
 
-	trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)
+	// Try to preserve the daemon ID (which is the trust-key's ID) when upgrading
+	// an existing installation; this is a "best-effort".
+	idPath := filepath.Join(config.Root, "engine-id")
+	err = migrateTrustKeyID(config.TrustKeyPath, idPath)
 	if err != nil {
-		return nil, err
-	}
-
-	trustDir := filepath.Join(config.Root, "trust")
-
-	if err := system.MkdirAll(trustDir, 0700); err != nil {
-		return nil, err
+		logrus.WithError(err).Warnf("unable to migrate engine ID; a new engine ID will be generated")
 	}
 
 	// We have a single tag/reference store for the daemon globally. However, it's
@@ -1019,7 +1016,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		return nil, errors.New("Devices cgroup isn't mounted")
 	}
 
-	d.id = trustKey.PublicKey().KeyID()
+	d.id, err = loadOrCreateID(idPath)
+	if err != nil {
+		return nil, err
+	}
 	d.repository = daemonRepo
 	d.containers = container.NewMemoryStore()
 	if d.containersReplica, err = container.NewViewDB(); err != nil {
@@ -1046,10 +1046,22 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		MaxDownloadAttempts:       config.MaxDownloadAttempts,
 		ReferenceStore:            rs,
 		RegistryService:           registryService,
-		TrustKey:                  trustKey,
 		ContentNamespace:          config.ContainerdNamespace,
 	}
 
+	// This is a temporary environment variables used in CI to allow pushing
+	// manifest v2 schema 1 images to test-registries used for testing *pulling*
+	// these images.
+	if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
+		imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
+		if err != nil {
+			return nil, err
+		}
+		if err = system.MkdirAll(filepath.Join(config.Root, "trust"), 0700); err != nil {
+			return nil, err
+		}
+	}
+
 	// containerd is not currently supported with Windows.
 	// So sometimes d.containerdCli will be nil
 	// In that case we'll create a local content store... but otherwise we'll use containerd

daemon/id.go

@@ -0,0 +1,61 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"os"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/libtrust"
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// loadOrCreateID loads the engine's ID from idPath, or generates a new ID
+// if it doesn't exist. It returns the ID, and any error that occurred when
+// saving the file.
+//
+// Note that this function expects the daemon's root directory to already have
+// been created with the right permissions and ownership (usually this would
+// be done by daemon.CreateDaemonRoot().
+func loadOrCreateID(idPath string) (string, error) {
+	var id string
+	idb, err := os.ReadFile(idPath)
+	if os.IsNotExist(err) {
+		id = uuid.New().String()
+		if err := ioutils.AtomicWriteFile(idPath, []byte(id), os.FileMode(0600)); err != nil {
+			return "", errors.Wrap(err, "error saving ID file")
+		}
+	} else if err != nil {
+		return "", errors.Wrapf(err, "error loading ID file %s", idPath)
+	} else {
+		id = string(idb)
+	}
+	return id, nil
+}
+
+// migrateTrustKeyID migrates the daemon ID of existing installations. It returns
+// an error when a trust-key was found, but we failed to read it, or failed to
+// complete the migration.
+//
+// We migrate the ID so that engines don't get a new ID generated on upgrades,
+// which may be unexpected (and users may be using the ID for various purposes).
+func migrateTrustKeyID(deprecatedTrustKeyPath, idPath string) error {
+	if _, err := os.Stat(idPath); err == nil {
+		// engine ID file already exists; no migration needed
+		return nil
+	}
+	trustKey, err := libtrust.LoadKeyFile(deprecatedTrustKeyPath)
+	if err != nil {
+		if err == libtrust.ErrKeyFileDoesNotExist {
+			// no existing trust-key found; no migration needed
+			return nil
+		}
+		return err
+	}
+	id := trustKey.PublicKey().KeyID()
+	if err := ioutils.AtomicWriteFile(idPath, []byte(id), os.FileMode(0600)); err != nil {
+		return errors.Wrap(err, "error saving ID file")
+	}
+	logrus.Info("successfully migrated engine ID")
+	return nil
+}

integration-cli/docker_cli_daemon_test.go

@@ -559,6 +559,7 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *testing.T) {
 func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) {
 	// TODO: skip or update for Windows daemon
 	os.Remove("/etc/docker/key.json")
+	c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
 	s.d.Start(c)
 	s.d.Stop(c)
 
@@ -1212,6 +1213,7 @@ func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *testing.T) {
 	}
 
 	os.Remove("/etc/docker/key.json")
+	c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
 	s.d.Start(c)
 	s.d.Stop(c)
 

integration/daemon/daemon_test.go

@@ -22,6 +22,11 @@ import (
 	"gotest.tools/v3/skip"
 )
 
+const (
+	libtrustKey   = `{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`
+	libtrustKeyID = "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB"
+)
+
 func TestConfigDaemonLibtrustID(t *testing.T) {
 	skip.If(t, runtime.GOOS == "windows")
 
@@ -29,16 +34,53 @@ func TestConfigDaemonLibtrustID(t *testing.T) {
 	defer d.Stop(t)
 
 	trustKey := filepath.Join(d.RootDir(), "key.json")
-	err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644)
+	err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
+	assert.NilError(t, err)
+
+	cfg := filepath.Join(d.RootDir(), "daemon.json")
+	err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
+	assert.NilError(t, err)
+
+	d.Start(t, "--config-file", cfg)
+	info := d.Info(t)
+	assert.Equal(t, info.ID, libtrustKeyID)
+}
+
+func TestConfigDaemonID(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+
+	d := daemon.New(t)
+	defer d.Stop(t)
+
+	trustKey := filepath.Join(d.RootDir(), "key.json")
+	err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
 	assert.NilError(t, err)
 
-	config := filepath.Join(d.RootDir(), "daemon.json")
-	err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
+	cfg := filepath.Join(d.RootDir(), "daemon.json")
+	err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
 	assert.NilError(t, err)
 
-	d.Start(t, "--config-file", config)
+	// Verify that on an installation with a trust-key present, the ID matches
+	// the trust-key ID, and that the ID has been migrated to the engine-id file.
+	d.Start(t, "--config-file", cfg, "--iptables=false")
 	info := d.Info(t)
-	assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB")
+	assert.Equal(t, info.ID, libtrustKeyID)
+
+	idFile := filepath.Join(d.RootDir(), "engine-id")
+	id, err := os.ReadFile(idFile)
+	assert.NilError(t, err)
+	assert.Equal(t, string(id), libtrustKeyID)
+	d.Stop(t)
+
+	// Verify that (if present) the engine-id file takes precedence
+	const engineID = "this-is-the-engine-id"
+	err = os.WriteFile(idFile, []byte(engineID), 0600)
+	assert.NilError(t, err)
+
+	d.Start(t, "--config-file", cfg, "--iptables=false")
+	info = d.Info(t)
+	assert.Equal(t, info.ID, engineID)
+	d.Stop(t)
 }
 
 func TestDaemonConfigValidation(t *testing.T) {