daemon/config: remove TrustKeyPath, and local utilities

Turned out that the loadOrCreateTrustKey() utility was doing exactly the same as libtrust.LoadOrCreateTrustKey(), so making it a thin wrapped. I kept the tests to verify the behavior, but we could remove them as we only need this for our integration tests. The storage location for the generated key was changed (again as we only need this for some integration tests), so we can remove the TrustKeyPath from the config. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-19 15:29:16 +02:00 · 2022-10-19 15:29:16 +02:00 · 5cdd6ab7cd
commit 5cdd6ab7cd
parent 1981706196
9 changed files with 13 additions and 103 deletions
--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@ -7,9 +7,6 @@ import (
 	"github.com/spf13/pflag"
 )

-// defaultTrustKeyFile is the default filename for the trust key
-const defaultTrustKeyFile = "key.json"
-
 // installCommonConfigFlags adds flags to the pflag.FlagSet to configure the daemon
 func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	var (
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@ -414,14 +414,6 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
 		conf.CommonTLSOptions = config.CommonTLSOptions{}
 	}

-	if conf.TrustKeyPath == "" {
-		daemonConfDir, err := getDaemonConfDir(conf.Root)
-		if err != nil {
-			return nil, err
-		}
-		conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)
-	}
-
 	if opts.configFile != "" {
 		c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
 		if err != nil {
--- a/cmd/dockerd/daemon_unix.go
+++ b/cmd/dockerd/daemon_unix.go
@ -56,10 +56,6 @@ func setDefaultUmask() error {
 	return nil
 }

-func getDaemonConfDir(_ string) (string, error) {
-	return getDefaultDaemonConfigDir()
-}
-
 func (cli *DaemonCli) getPlatformContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {
 	opts := []supervisor.DaemonOpt{
 		// TODO(thaJeztah) change this to use /proc/self/oom_score_adj instead,
--- a/cmd/dockerd/daemon_windows.go
+++ b/cmd/dockerd/daemon_windows.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"time"

 	"github.com/docker/docker/daemon/config"
@ -23,10 +22,6 @@ func setDefaultUmask() error {
 	return nil
 }

-func getDaemonConfDir(root string) (string, error) {
-	return filepath.Join(root, "config"), nil
-}
-
 // preNotifyReady sends a message to the host when the API is active, but before the daemon is
 func preNotifyReady() {
 	// start the service now to prevent timeouts waiting for daemon to start
--- a/cmd/dockerd/docker_windows.go
+++ b/cmd/dockerd/docker_windows.go
@ -24,11 +24,7 @@ func runDaemon(opts *daemonOptions) error {

 	// Windows specific settings as these are not defaulted.
 	if opts.configFile == "" {
-		configDir, err := getDaemonConfDir(opts.daemonConfig.Root)
-		if err != nil {
-			return err
-		}
-		opts.configFile = filepath.Join(configDir, "daemon.json")
+		opts.configFile = filepath.Join(opts.daemonConfig.Root, "config", "daemon.json")
 	}
 	if runAsService {
 		// If Windows SCM manages the service - no need for PID files
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@ -168,12 +168,6 @@ type CommonConfig struct {
 	// Proxies holds the proxies that are configured for the daemon.
 	Proxies `json:"proxies"`

-	// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
-	// when pushing to a registry which does not support schema 2. This field is marked as
-	// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
-	// daemon ID will use a dedicated identifier not shared with exported signatures.
-	TrustKeyPath string `json:"deprecated-key-path,omitempty"`
-
 	// LiveRestoreEnabled determines whether we should keep containers
 	// alive upon daemon shutdown/start
 	LiveRestoreEnabled bool `json:"live-restore,omitempty"`
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@ -1062,13 +1062,13 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		// manifest v2 schema 1 images to test-registries used for testing *pulling*
 		// these images.
 		if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
-			imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
+			// Previously, this was stored in the daemon's config-directory, but
+			// as pushing V1 is deprecated, and we only need this file during
+			// our integration tests, just store it within the "trust" directory.
+			imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(filepath.Join(config.Root, "trust", "key.json"))
 			if err != nil {
 				return nil, err
 			}
-			if err = os.Mkdir(filepath.Join(config.Root, "trust"), 0o700); err != nil && !errors.Is(err, os.ErrExist) {
-				return nil, err
-			}
 		}

 		// containerd is not currently supported with Windows.
--- a/daemon/trustkey.go
+++ b/daemon/trustkey.go
@ -1,57 +1,9 @@
 package daemon // import "github.com/docker/docker/daemon"

-import (
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/system"
-	"github.com/docker/libtrust"
-)
+import "github.com/docker/libtrust"

 // LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
-// otherwise generates a new one
-// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
-// a refactor or this function to be moved into libtrust
+// otherwise generates a new one.
 func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
-	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755)
-	if err != nil {
-		return nil, err
-	}
-	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
-	if err == libtrust.ErrKeyFileDoesNotExist {
-		trustKey, err = libtrust.GenerateECP256PrivateKey()
-		if err != nil {
-			return nil, fmt.Errorf("Error generating key: %s", err)
-		}
-		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
-		if err != nil {
-			return nil, fmt.Errorf("Error serializing key: %s", err)
-		}
-		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
-			return nil, fmt.Errorf("Error saving key file: %s", err)
-		}
-	} else if err != nil {
-		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
-	}
-	return trustKey, nil
-}
-
-func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
-	if ext == ".json" || ext == ".jwk" {
-		encoded, err = json.Marshal(key)
-		if err != nil {
-			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
-		}
-	} else {
-		pemBlock, err := key.PEMBlock()
-		if err != nil {
-			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
-		}
-		encoded = pem.EncodeToMemory(pemBlock)
-	}
-	return
+	return libtrust.LoadOrCreateTrustKey(trustKeyPath)
 }
--- a/daemon/trustkey_test.go
+++ b/daemon/trustkey_test.go
@ -7,29 +7,20 @@ import (

 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
-	"gotest.tools/v3/fs"
 )

 // LoadOrCreateTrustKey
 func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
-	tmpKeyFolderPath, err := os.MkdirTemp("", "api-trustkey-test")
+	tmpKeyFile, err := os.CreateTemp(t.TempDir(), "keyfile")
 	assert.NilError(t, err)
-	defer os.RemoveAll(tmpKeyFolderPath)
-
-	tmpKeyFile, err := os.CreateTemp(tmpKeyFolderPath, "keyfile")
-	assert.NilError(t, err)
-	defer tmpKeyFile.Close()
+	_ = tmpKeyFile.Close()

 	_, err = loadOrCreateTrustKey(tmpKeyFile.Name())
-	assert.Check(t, is.ErrorContains(err, "Error loading key file"))
+	assert.Check(t, is.ErrorContains(err, "error loading key file"))
 }

 func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-	defer tmpKeyFolderPath.Remove()
-
-	// Without the need to create the folder hierarchy
-	tmpKeyFile := tmpKeyFolderPath.Join("keyfile")
+	tmpKeyFile := filepath.Join(t.TempDir(), "keyfile")

 	key, err := loadOrCreateTrustKey(tmpKeyFile)
 	assert.NilError(t, err)
@ -40,10 +31,7 @@ func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
 }

 func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-	defer tmpKeyFolderPath.Remove()
-	tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")
-
+	tmpKeyFile := filepath.Join(t.TempDir(), "folder/hierarchy/keyfile")
 	key, err := loadOrCreateTrustKey(tmpKeyFile)
 	assert.NilError(t, err)
 	assert.Check(t, key != nil)