From c83fce86d408439618e188bf9c581e4d127f91a3 Mon Sep 17 00:00:00 2001 From: Nicolas De Loof Date: Mon, 12 Sep 2022 10:40:45 +0200 Subject: [PATCH] c8d/resolver: Use hosts from daemon configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Paweł Gronowski Signed-off-by: Nicolas De Loof --- daemon/containerd/image_pull.go | 2 +- daemon/containerd/resolver.go | 64 +++++++++++++++++++++------------ daemon/containerd/service.go | 17 ++++++--- daemon/daemon.go | 2 +- 4 files changed, 56 insertions(+), 29 deletions(-) diff --git a/daemon/containerd/image_pull.go b/daemon/containerd/image_pull.go index d77bc11029..99352457a9 100644 --- a/daemon/containerd/image_pull.go +++ b/daemon/containerd/image_pull.go @@ -44,7 +44,7 @@ func (i *ImageService) PullImage(ctx context.Context, image, tagOrDigest string, } } - resolver, _ := newResolverFromAuthConfig(authConfig) + resolver, _ := i.newResolverFromAuthConfig(authConfig) opts = append(opts, containerd.WithResolver(resolver)) jobs := newJobs() diff --git a/daemon/containerd/resolver.go b/daemon/containerd/resolver.go index 3a16ff2615..e01001437a 100644 --- a/daemon/containerd/resolver.go +++ b/daemon/containerd/resolver.go @@ -8,32 +8,52 @@ import ( "github.com/sirupsen/logrus" ) -func newResolverFromAuthConfig(authConfig *registrytypes.AuthConfig) (remotes.Resolver, docker.StatusTracker) { - opts := []docker.RegistryOpt{} - - if authConfig != nil { - cfgHost := registry.ConvertToHostname(authConfig.ServerAddress) - if cfgHost == registry.IndexHostname { - cfgHost = registry.DefaultRegistryHost - } - authorizer := docker.NewDockerAuthorizer(docker.WithAuthCreds(func(host string) (string, string, error) { - if cfgHost != host { - logrus.WithField("host", host).WithField("cfgHost", cfgHost).Warn("Host doesn't match") - return "", "", nil - } - if authConfig.IdentityToken != "" { - return "", authConfig.IdentityToken, nil - } - return authConfig.Username, authConfig.Password, nil - })) - - opts = append(opts, docker.WithAuthorizer(authorizer)) - } +func (i *ImageService) newResolverFromAuthConfig(authConfig *registrytypes.AuthConfig) (remotes.Resolver, docker.StatusTracker) { + hostsFn := i.registryHosts.RegistryHosts() + hosts := hostsAuthorizerWrapper(hostsFn, authConfig) tracker := docker.NewInMemoryTracker() return docker.NewResolver(docker.ResolverOptions{ - Hosts: docker.ConfigureDefaultRegistries(opts...), + Hosts: hosts, Tracker: tracker, }), tracker } + +func hostsAuthorizerWrapper(hostsFn docker.RegistryHosts, authConfig *registrytypes.AuthConfig) docker.RegistryHosts { + return docker.RegistryHosts(func(n string) ([]docker.RegistryHost, error) { + hosts, err := hostsFn(n) + if err == nil { + for idx, host := range hosts { + if host.Authorizer == nil { + var opts []docker.AuthorizerOpt + if authConfig != nil { + opts = append(opts, authorizationCredsFromAuthConfig(*authConfig)) + } + host.Authorizer = docker.NewDockerAuthorizer(opts...) + hosts[idx] = host + } + } + } + + return hosts, err + }) +} + +func authorizationCredsFromAuthConfig(authConfig registrytypes.AuthConfig) docker.AuthorizerOpt { + cfgHost := registry.ConvertToHostname(authConfig.ServerAddress) + if cfgHost == registry.IndexHostname { + cfgHost = registry.DefaultRegistryHost + } + + return docker.WithAuthCreds(func(host string) (string, string, error) { + if cfgHost != host { + logrus.WithField("host", host).WithField("cfgHost", cfgHost).Warn("Host doesn't match") + return "", "", nil + } + if authConfig.IdentityToken != "" { + return "", authConfig.IdentityToken, nil + } + return authConfig.Username, authConfig.Password, nil + }) +} diff --git a/daemon/containerd/service.go b/daemon/containerd/service.go index ffd56569a6..163bced2b1 100644 --- a/daemon/containerd/service.go +++ b/daemon/containerd/service.go @@ -5,6 +5,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/plugin" + "github.com/containerd/containerd/remotes/docker" "github.com/containerd/containerd/snapshots" "github.com/docker/docker/container" "github.com/docker/docker/daemon/images" @@ -16,15 +17,21 @@ import ( // ImageService implements daemon.ImageService type ImageService struct { - client *containerd.Client - snapshotter string + client *containerd.Client + snapshotter string + registryHosts RegistryHostsProvider +} + +type RegistryHostsProvider interface { + RegistryHosts() docker.RegistryHosts } // NewService creates a new ImageService. -func NewService(c *containerd.Client, snapshotter string) *ImageService { +func NewService(c *containerd.Client, snapshotter string, hostsProvider RegistryHostsProvider) *ImageService { return &ImageService{ - client: c, - snapshotter: snapshotter, + client: c, + snapshotter: snapshotter, + registryHosts: hostsProvider, } } diff --git a/daemon/daemon.go b/daemon/daemon.go index 729679bfac..669c3a4995 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -994,7 +994,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S if err := configureKernelSecuritySupport(config, driverName); err != nil { return nil, err } - d.imageService = ctrd.NewService(d.containerdCli, driverName) + d.imageService = ctrd.NewService(d.containerdCli, driverName, d) } else { layerStore, err := layer.NewStoreFromOptions(layer.StoreOptions{ Root: config.Root,