99cd23cefd
This reverts commit98fc09128b
in order to keep registry v2 schema1 handling and libtrust-key-based engine ID. Because registry v2 schema1 was not officially deprecated and registries are still relying on it, this patch puts its logic back. However, registry v1 relics are not added back since v1 logic has been removed a while ago. This also fixes an engine upgrade issue in a swarm cluster. It was relying on the Engine ID to be the same upon upgrade, but the mentioned commit modified the logic to use UUID and from a different file. Since the libtrust key is always needed to support v2 schema1 pushes, that the old engine ID is based on the libtrust key, and that the engine ID needs to be conserved across upgrades, adding a UUID-based engine ID logic seems to add more complexity than it solves the problems. Hence reverting the engine ID changes as well. Signed-off-by: Tibor Vass <tibor@docker.com> (cherry picked from commitf695e98cb7
) Signed-off-by: Tibor Vass <tibor@docker.com>
57 lines
1.8 KiB
Go
57 lines
1.8 KiB
Go
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/docker/docker/pkg/ioutils"
|
|
"github.com/docker/docker/pkg/system"
|
|
"github.com/docker/libtrust"
|
|
)
|
|
|
|
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
|
|
// otherwise generates a new one
|
|
// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
|
|
// a refactor or this function to be moved into libtrust
|
|
func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
|
|
err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
|
|
if err == libtrust.ErrKeyFileDoesNotExist {
|
|
trustKey, err = libtrust.GenerateECP256PrivateKey()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error generating key: %s", err)
|
|
}
|
|
encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error serializing key: %s", err)
|
|
}
|
|
if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
|
|
return nil, fmt.Errorf("Error saving key file: %s", err)
|
|
}
|
|
} else if err != nil {
|
|
return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
|
|
}
|
|
return trustKey, nil
|
|
}
|
|
|
|
func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
|
|
if ext == ".json" || ext == ".jwk" {
|
|
encoded, err = json.Marshal(key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
|
|
}
|
|
} else {
|
|
pemBlock, err := key.PEMBlock()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
|
|
}
|
|
encoded = pem.EncodeToMemory(pemBlock)
|
|
}
|
|
return
|
|
}
|