Merge pull request #95 from Roblox/auth

Docker registry auth support via driver config.
2021-06-28 14:55:33 -07:00 · 2021-06-28 14:55:33 -07:00 · 14ccf66295
commit 14ccf66295
parent 6f20bcf872 65bdeec138
5 changed files with 43 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -87,6 +87,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
+| **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |

 **Task Config**

@ -111,7 +112,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **cap_add** | []string | no | Add individual capabilities. |
 | **cap_drop** | []string | no | Drop invidual capabilities. |
 | **devices** | []string | no | A list of devices to be exposed to the container. |
-| **auth** | block | no | Provide authentication for a private registry. See [Auth](#auth) for more details. |
+| **auth** | block | no | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
 | **mounts** | []block | no | A list of mounts to be mounted in the container. Volume, bind and tmpfs type mounts are supported. fstab style [`mount options`](https://github.com/containerd/containerd/blob/master/mount/mount_linux.go#L211-L235) are supported. |

 **Mount block**<br/>
@ -163,18 +164,19 @@ config {
 }
 ```

-### auth
+## Authentication (Private registry)

-If you want to pull from a private repository e.g. docker hub, you can specify `username` and `password` in the `auth` stanza. See example below.
+`auth` stanza allow you to set credentials for your private registry e.g. if you want to pull
+an image from a private repository in docker hub.<br/>
+`auth` stanza can be set either in `Driver Config` or `Task Config` or both.<br/>
+If set at both places, `Task Config` auth will take precedence over `Driver Config` auth.

-**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials.
+**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. Below `auth` stanza can be used for both `Driver Config` and `Task Config`.

 ```
-config {
-  auth {
+auth {
    username = "user"
    password = "pass"
-  }
 }
 ```

--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@ -65,12 +65,20 @@ func (d *Driver) getContainerdVersion() (containerd.Version, error) {

 type CredentialsOpt func(string) (string, string, error)

-func parshAuth(auth *RegistryAuth) CredentialsOpt {
+func (d *Driver) parshAuth(auth *RegistryAuth) CredentialsOpt {
 	return func(string) (string, string, error) {
-		if auth == nil {
-			return "", "", nil
+		var username, password string
+		if d.config.Auth.Username != "" && d.config.Auth.Password != "" {
+			username = d.config.Auth.Username
+			password = d.config.Auth.Password
 		}
-		return auth.Username, auth.Password, nil
+
+		// Job auth will take precedence over plugin auth options.
+		if auth.Username != "" && auth.Password != "" {
+			username = auth.Username
+			password = auth.Password
+		}
+		return username, password, nil
 	}
 }

@ -98,7 +106,7 @@ func (d *Driver) pullImage(imageName, imagePullTimeout string, auth *RegistryAut

 	pullOpts := []containerd.RemoteOpt{
 		containerd.WithPullUnpack,
-		withResolver(parshAuth(auth)),
+		withResolver(d.parshAuth(auth)),
 	}

 	return d.client.Pull(ctxWithTimeout, named.String(), pullOpts...)
--- a/containerd/driver.go
+++ b/containerd/driver.go
@ -84,6 +84,10 @@ var (
 			hclspec.NewAttr("allow_privileged", "bool", false),
 			hclspec.NewLiteral("true"),
 		),
+		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
+			"username": hclspec.NewAttr("username", "string", true),
+			"password": hclspec.NewAttr("password", "string", true),
+		})),
 	})

 	// taskConfigSpec is the specification of the plugin's configuration for
@ -117,8 +121,8 @@ var (
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
-			"username": hclspec.NewAttr("username", "string", false),
-			"password": hclspec.NewAttr("password", "string", false),
+			"username": hclspec.NewAttr("username", "string", true),
+			"password": hclspec.NewAttr("password", "string", true),
 		})),
 		"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
 			"type": hclspec.NewDefault(
@ -144,10 +148,11 @@ var (

 // Config contains configuration information for the plugin
 type Config struct {
-	Enabled           bool   `codec:"enabled"`
-	ContainerdRuntime string `codec:"containerd_runtime"`
-	StatsInterval     string `codec:"stats_interval"`
-	AllowPrivileged   bool   `codec:"allow_privileged"`
+	Enabled           bool         `codec:"enabled"`
+	ContainerdRuntime string       `codec:"containerd_runtime"`
+	StatsInterval     string       `codec:"stats_interval"`
+	AllowPrivileged   bool         `codec:"allow_privileged"`
+	Auth              RegistryAuth `codec:"auth"`
 }

 // Volume, bind, and tmpfs type mounts are supported.
--- a/tests/004-test-privileged.sh
+++ b/tests/004-test-privileged.sh
@ -33,7 +33,17 @@ test_privileged_nomad_job() {

    # Check if container is running in privileged mode.
    echo "INFO: Checking if container is running in privileged mode."
+
+    # If you are running the tests locally in the vagrant VM (Ubuntu 18.04.03)
+    # the capability set (capsh --print) consists of 37 capabilities.
+    # However, GHA environment is showing 39 capabilities.
+    # The below check will set the expected_capabilities to 37 or 39
+    # depending on the execution environment.
    expected_capabilities="37"
+    if [[ "$GITHUB_ACTIONS" == "true" ]]; then
+       expected_capabilities="39"
+    fi
+
    actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}')
    if [ "$expected_capabilities" != "$actual_capabilities" ]; then
       echo "ERROR: container is not running in privileged mode."
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@ -80,20 +80,6 @@ setup() {
           return 0
        fi

-        sudo systemctl stop apt-daily-upgrade apt-daily >/dev/null 2>&1
-
-	set +e
-	sudo pkill --signal SIGKILL -P $(ps faux | grep 'daily' | awk '{print $2}')
-	set -e
-
-	# Remove docker daemon and containerd.
-	sudo systemctl stop docker
-	sudo systemctl stop containerd
-	sudo apt-get purge -y docker-ce docker-ce-cli containerd.io
-
-	sudo apt-get update
-	sudo apt-get install -y apt-utils curl runc unzip make build-essential
-
 	# Change $(pwd) to /tmp
 	pushd /tmp