From 65bdeec1381b8cb36c85ef60579f5e8d1acd41a7 Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Tue, 22 Jun 2021 10:26:50 -0700 Subject: [PATCH] Docker registry auth support via driver config. Signed-off-by: Shishir Mahajan --- README.md | 16 +++++++++------- containerd/containerd.go | 18 +++++++++++++----- containerd/driver.go | 17 +++++++++++------ tests/004-test-privileged.sh | 10 ++++++++++ tests/run_tests.sh | 14 -------------- 5 files changed, 43 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index cf73793..0f43fdc 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R | **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. | | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. | | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. | +| **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. | **Task Config** @@ -111,7 +112,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R | **cap_add** | []string | no | Add individual capabilities. | | **cap_drop** | []string | no | Drop invidual capabilities. | | **devices** | []string | no | A list of devices to be exposed to the container. | -| **auth** | block | no | Provide authentication for a private registry. See [Auth](#auth) for more details. | +| **auth** | block | no | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. | | **mounts** | []block | no | A list of mounts to be mounted in the container. Volume, bind and tmpfs type mounts are supported. fstab style [`mount options`](https://github.com/containerd/containerd/blob/master/mount/mount_linux.go#L211-L235) are supported. | **Mount block**
@@ -163,18 +164,19 @@ config { } ``` -### auth +## Authentication (Private registry) -If you want to pull from a private repository e.g. docker hub, you can specify `username` and `password` in the `auth` stanza. See example below. +`auth` stanza allow you to set credentials for your private registry e.g. if you want to pull +an image from a private repository in docker hub.
+`auth` stanza can be set either in `Driver Config` or `Task Config` or both.
+If set at both places, `Task Config` auth will take precedence over `Driver Config` auth. -**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. +**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. Below `auth` stanza can be used for both `Driver Config` and `Task Config`. ``` -config { - auth { +auth { username = "user" password = "pass" - } } ``` diff --git a/containerd/containerd.go b/containerd/containerd.go index 50c1cdd..f67a676 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go @@ -65,12 +65,20 @@ func (d *Driver) getContainerdVersion() (containerd.Version, error) { type CredentialsOpt func(string) (string, string, error) -func parshAuth(auth *RegistryAuth) CredentialsOpt { +func (d *Driver) parshAuth(auth *RegistryAuth) CredentialsOpt { return func(string) (string, string, error) { - if auth == nil { - return "", "", nil + var username, password string + if d.config.Auth.Username != "" && d.config.Auth.Password != "" { + username = d.config.Auth.Username + password = d.config.Auth.Password } - return auth.Username, auth.Password, nil + + // Job auth will take precedence over plugin auth options. + if auth.Username != "" && auth.Password != "" { + username = auth.Username + password = auth.Password + } + return username, password, nil } } @@ -98,7 +106,7 @@ func (d *Driver) pullImage(imageName, imagePullTimeout string, auth *RegistryAut pullOpts := []containerd.RemoteOpt{ containerd.WithPullUnpack, - withResolver(parshAuth(auth)), + withResolver(d.parshAuth(auth)), } return d.client.Pull(ctxWithTimeout, named.String(), pullOpts...) diff --git a/containerd/driver.go b/containerd/driver.go index 6ecd340..8adf45a 100644 --- a/containerd/driver.go +++ b/containerd/driver.go @@ -84,6 +84,10 @@ var ( hclspec.NewAttr("allow_privileged", "bool", false), hclspec.NewLiteral("true"), ), + "auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{ + "username": hclspec.NewAttr("username", "string", true), + "password": hclspec.NewAttr("password", "string", true), + })), }) // taskConfigSpec is the specification of the plugin's configuration for @@ -117,8 +121,8 @@ var ( "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false), "host_network": hclspec.NewAttr("host_network", "bool", false), "auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{ - "username": hclspec.NewAttr("username", "string", false), - "password": hclspec.NewAttr("password", "string", false), + "username": hclspec.NewAttr("username", "string", true), + "password": hclspec.NewAttr("password", "string", true), })), "mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{ "type": hclspec.NewDefault( @@ -144,10 +148,11 @@ var ( // Config contains configuration information for the plugin type Config struct { - Enabled bool `codec:"enabled"` - ContainerdRuntime string `codec:"containerd_runtime"` - StatsInterval string `codec:"stats_interval"` - AllowPrivileged bool `codec:"allow_privileged"` + Enabled bool `codec:"enabled"` + ContainerdRuntime string `codec:"containerd_runtime"` + StatsInterval string `codec:"stats_interval"` + AllowPrivileged bool `codec:"allow_privileged"` + Auth RegistryAuth `codec:"auth"` } // Volume, bind, and tmpfs type mounts are supported. diff --git a/tests/004-test-privileged.sh b/tests/004-test-privileged.sh index ab5bcfa..03df39f 100755 --- a/tests/004-test-privileged.sh +++ b/tests/004-test-privileged.sh @@ -33,7 +33,17 @@ test_privileged_nomad_job() { # Check if container is running in privileged mode. echo "INFO: Checking if container is running in privileged mode." + + # If you are running the tests locally in the vagrant VM (Ubuntu 18.04.03) + # the capability set (capsh --print) consists of 37 capabilities. + # However, GHA environment is showing 39 capabilities. + # The below check will set the expected_capabilities to 37 or 39 + # depending on the execution environment. expected_capabilities="37" + if [[ "$GITHUB_ACTIONS" == "true" ]]; then + expected_capabilities="39" + fi + actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}') if [ "$expected_capabilities" != "$actual_capabilities" ]; then echo "ERROR: container is not running in privileged mode." diff --git a/tests/run_tests.sh b/tests/run_tests.sh index 470e479..475d3e0 100755 --- a/tests/run_tests.sh +++ b/tests/run_tests.sh @@ -80,20 +80,6 @@ setup() { return 0 fi - sudo systemctl stop apt-daily-upgrade apt-daily >/dev/null 2>&1 - - set +e - sudo pkill --signal SIGKILL -P $(ps faux | grep 'daily' | awk '{print $2}') - set -e - - # Remove docker daemon and containerd. - sudo systemctl stop docker - sudo systemctl stop containerd - sudo apt-get purge -y docker-ce docker-ce-cli containerd.io - - sudo apt-get update - sudo apt-get install -y apt-utils curl runc unzip make build-essential - # Change $(pwd) to /tmp pushd /tmp