daemon: only create trust-key if DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE is set
The libtrust trust-key is only used for pushing legacy image manifests; pushing these images has been deprecated, and we only need to be able to push them in our CI. This patch disables generating the trust-key (and related paths) unless the DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE env-var is set (which we do in our CI). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
parent
bb1208639b
commit
070da63310
2 changed files with 15 additions and 12 deletions
|
@ -985,17 +985,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
|||
logrus.WithError(err).Warnf("unable to migrate engine ID; a new engine ID will be generated")
|
||||
}
|
||||
|
||||
trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
trustDir := filepath.Join(config.Root, "trust")
|
||||
|
||||
if err := system.MkdirAll(trustDir, 0700); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// We have a single tag/reference store for the daemon globally. However, it's
|
||||
// stored under the graphdriver. On host platforms which only support a single
|
||||
// container OS, but multiple selectable graphdrivers, this means depending on which
|
||||
|
@ -1057,10 +1046,22 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
|||
MaxDownloadAttempts: *config.MaxDownloadAttempts,
|
||||
ReferenceStore: rs,
|
||||
RegistryService: registryService,
|
||||
TrustKey: trustKey,
|
||||
ContentNamespace: config.ContainerdNamespace,
|
||||
}
|
||||
|
||||
// This is a temporary environment variables used in CI to allow pushing
|
||||
// manifest v2 schema 1 images to test-registries used for testing *pulling*
|
||||
// these images.
|
||||
if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
|
||||
imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err = system.MkdirAll(filepath.Join(config.Root, "trust"), 0700); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// containerd is not currently supported with Windows.
|
||||
// So sometimes d.containerdCli will be nil
|
||||
// In that case we'll create a local content store... but otherwise we'll use containerd
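Review bot: The gate `os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != ""` in the second hunk treats any non-empty value as enabled, so `0` or `false` also turns trust-key generation on, and nothing is logged when it does. Because the variable re-enables a deprecated path that writes private key material to `config.TrustKeyPath`, a warning inside the branch would make that visible to operators, e.g. `logrus.Warn("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE is set: creating libtrust trust-key for deprecated schema 1 push")`. With the variable unset, `imgSvcConfig.TrustKey` stays nil; whether every consumer of that field tolerates a nil key is not visible in these hunks and should be confirmed. The added comment also reads "a temporary environment variables", where `variable` is meant. NewDaemon starts and ends outside both hunks.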
|
||||
|
|
|
@ -559,6 +559,7 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *testing.T) {
|
|||
func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) {
|
||||
// TODO: skip or update for Windows daemon
|
||||
os.Remove("/etc/docker/key.json")
|
||||
c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
||||
s.d.Start(c)
|
||||
s.d.Stop(c)
|
||||
|
||||
|
@ -1212,6 +1213,7 @@ func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *testing.T) {
|
|||
}
|
||||
|
||||
os.Remove("/etc/docker/key.json")
|
||||
c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
||||
s.d.Start(c)
|
||||
s.d.Stop(c)
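Review bot: Neither test covers the new default. Both TestDaemonKeyGeneration and TestDaemonWithWrongkey now set the variable, so nothing asserts that a daemon started without it leaves `/etc/docker/key.json` absent. A companion test that clears the variable, starts and stops the daemon, and checks that the file does not exist would pin the behaviour this commit introduces. Like the added `c.Setenv` lines, it assumes the test daemon inherits the test process environment. The return value of `os.Remove` is ignored in both tests, so a stale key that cannot be deleted would go unnoticed. Both test bodies continue outside the hunks shown.

```go
func (s *DockerDaemonSuite) TestDaemonNoKeyGenerationByDefault(c *testing.T) {
	// CI sets the variable globally; an empty value fails the daemon's != "" check.
	c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "")
	if err := os.Remove("/etc/docker/key.json"); err != nil && !os.IsNotExist(err) {
		c.Fatalf("removing stale trust key: %v", err)
	}
	s.d.Start(c)
	s.d.Stop(c)

	if _, err := os.Stat("/etc/docker/key.json"); !os.IsNotExist(err) {
		c.Fatalf("trust key must not be created by default, stat returned: %v", err)
	}
}
```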
|
||||
|
||||
|
|