2 年之前 · c83fce86d4
--- a/daemon/containerd/image_pull.go
+++ b/daemon/containerd/image_pull.go
@@ -44,7 +44,7 @@ func (i *ImageService) PullImage(ctx context.Context, image, tagOrDigest string,
 
				 		}
			
 
				 	}
			
 
				 
			
 
				-	resolver, _ := newResolverFromAuthConfig(authConfig)
			
 
				+	resolver, _ := i.newResolverFromAuthConfig(authConfig)
			
 
				 	opts = append(opts, containerd.WithResolver(resolver))
			
 
				 
			
 
				 	jobs := newJobs()
			
--- a/daemon/containerd/resolver.go
+++ b/daemon/containerd/resolver.go
@@ -8,32 +8,52 @@ import (
 
				 	"github.com/sirupsen/logrus"
			
 
				 )
			
 
				 
			
 
				-func newResolverFromAuthConfig(authConfig *registrytypes.AuthConfig) (remotes.Resolver, docker.StatusTracker) {
			
 
				-	opts := []docker.RegistryOpt{}
			
 
				-
			
 
				-	if authConfig != nil {
			
 
				-		cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
			
 
				-		if cfgHost == registry.IndexHostname {
			
 
				-			cfgHost = registry.DefaultRegistryHost
			
 
				-		}
			
 
				-		authorizer := docker.NewDockerAuthorizer(docker.WithAuthCreds(func(host string) (string, string, error) {
			
 
				-			if cfgHost != host {
			
 
				-				logrus.WithField("host", host).WithField("cfgHost", cfgHost).Warn("Host doesn't match")
			
 
				-				return "", "", nil
			
 
				-			}
			
 
				-			if authConfig.IdentityToken != "" {
			
 
				-				return "", authConfig.IdentityToken, nil
			
 
				-			}
			
 
				-			return authConfig.Username, authConfig.Password, nil
			
 
				-		}))
			
 
				-
			
 
				-		opts = append(opts, docker.WithAuthorizer(authorizer))
			
 
				-	}
			
 
				+func (i *ImageService) newResolverFromAuthConfig(authConfig *registrytypes.AuthConfig) (remotes.Resolver, docker.StatusTracker) {
			
 
				+	hostsFn := i.registryHosts.RegistryHosts()
			
 
				+	hosts := hostsAuthorizerWrapper(hostsFn, authConfig)
			
 
				 
			
 
				 	tracker := docker.NewInMemoryTracker()
			
 
				 
			
 
				 	return docker.NewResolver(docker.ResolverOptions{
			
 
				-		Hosts:   docker.ConfigureDefaultRegistries(opts...),
			
 
				+		Hosts:   hosts,
			
 
				 		Tracker: tracker,
			
 
				 	}), tracker
			
 
				 }
			
 
				+
			
 
				+func hostsAuthorizerWrapper(hostsFn docker.RegistryHosts, authConfig *registrytypes.AuthConfig) docker.RegistryHosts {
			
 
				+	return docker.RegistryHosts(func(n string) ([]docker.RegistryHost, error) {
			
 
				+		hosts, err := hostsFn(n)
			
 
				+		if err == nil {
			
 
				+			for idx, host := range hosts {
			
 
				+				if host.Authorizer == nil {
			
 
				+					var opts []docker.AuthorizerOpt
			
 
				+					if authConfig != nil {
			
 
				+						opts = append(opts, authorizationCredsFromAuthConfig(*authConfig))
			
 
				+					}
			
 
				+					host.Authorizer = docker.NewDockerAuthorizer(opts...)
			
 
				+					hosts[idx] = host
			
 
				+				}
			
 
				+			}
			
 
				+		}
			
 
				+
			
 
				+		return hosts, err
			
 
				+	})
			
 
				+}
			
 
				+
			
 
				+func authorizationCredsFromAuthConfig(authConfig registrytypes.AuthConfig) docker.AuthorizerOpt {
			
 
				+	cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
			
 
				+	if cfgHost == registry.IndexHostname {
			
 
				+		cfgHost = registry.DefaultRegistryHost
			
 
				+	}
			
 
				+
			
 
				+	return docker.WithAuthCreds(func(host string) (string, string, error) {
			
 
				+		if cfgHost != host {
			
 
				+			logrus.WithField("host", host).WithField("cfgHost", cfgHost).Warn("Host doesn't match")
			
 
				+			return "", "", nil
			
 
				+		}
			
 
				+		if authConfig.IdentityToken != "" {
			
 
				+			return "", authConfig.IdentityToken, nil
			
 
				+		}
			
 
				+		return authConfig.Username, authConfig.Password, nil
			
 
				+	})
			
 
				+}
			
--- a/daemon/containerd/service.go
+++ b/daemon/containerd/service.go
@@ -5,6 +5,7 @@ import (
 
				 
			
 
				 	"github.com/containerd/containerd"
			
 
				 	"github.com/containerd/containerd/plugin"
			
 
				+	"github.com/containerd/containerd/remotes/docker"
			
 
				 	"github.com/containerd/containerd/snapshots"
			
 
				 	"github.com/docker/docker/container"
			
 
				 	"github.com/docker/docker/daemon/images"
			
@@ -16,15 +17,21 @@ import (
 
				 
			
 
				 // ImageService implements daemon.ImageService
			
 
				 type ImageService struct {
			
 
				-	client      *containerd.Client
			
 
				-	snapshotter string
			
 
				+	client        *containerd.Client
			
 
				+	snapshotter   string
			
 
				+	registryHosts RegistryHostsProvider
			
 
				+}
			
 
				+
			
 
				+type RegistryHostsProvider interface {
			
 
				+	RegistryHosts() docker.RegistryHosts
			
 
				 }
			
 
				 
			
 
				 // NewService creates a new ImageService.
			
 
				-func NewService(c *containerd.Client, snapshotter string) *ImageService {
			
 
				+func NewService(c *containerd.Client, snapshotter string, hostsProvider RegistryHostsProvider) *ImageService {
			
 
				 	return &ImageService{
			
 
				-		client:      c,
			
 
				-		snapshotter: snapshotter,
			
 
				+		client:        c,
			
 
				+		snapshotter:   snapshotter,
			
 
				+		registryHosts: hostsProvider,
			
 
				 	}
			
 
				 }
			
 
				 
			
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -994,7 +994,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 
				 		if err := configureKernelSecuritySupport(config, driverName); err != nil {
			
 
				 			return nil, err
			
 
				 		}
			
 
				-		d.imageService = ctrd.NewService(d.containerdCli, driverName)
			
 
				+		d.imageService = ctrd.NewService(d.containerdCli, driverName, d)
			
 
				 	} else {
			
 
				 		layerStore, err := layer.NewStoreFromOptions(layer.StoreOptions{
			
 
				 			Root:                      config.Root,