burble/nomad-driver-containerd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Docker registry auth support via driver config.

Browse Source 
Signed-off-by: Shishir Mahajan <smahajan@roblox.com>
This commit is contained in:
Shishir Mahajan 2021-06-22 10:26:50 -07:00
parent 6f20bcf872
commit 65bdeec138
5 changed files with 43 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -87,6 +87,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
| **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. | | **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
| **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. | | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
| **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. | | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
| **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
**Task Config** **Task Config**
@ -111,7 +112,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
| **cap_add** | []string | no | Add individual capabilities. | | **cap_add** | []string | no | Add individual capabilities. |
| **cap_drop** | []string | no | Drop invidual capabilities. | | **cap_drop** | []string | no | Drop invidual capabilities. |
| **devices** | []string | no | A list of devices to be exposed to the container. | | **devices** | []string | no | A list of devices to be exposed to the container. |
| **auth** | block | no | Provide authentication for a private registry. See [Auth](#auth) for more details. | | **auth** | block | no | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
| **mounts** | []block | no | A list of mounts to be mounted in the container. Volume, bind and tmpfs type mounts are supported. fstab style [`mount options`](https://github.com/containerd/containerd/blob/master/mount/mount_linux.go#L211-L235) are supported. | | **mounts** | []block | no | A list of mounts to be mounted in the container. Volume, bind and tmpfs type mounts are supported. fstab style [`mount options`](https://github.com/containerd/containerd/blob/master/mount/mount_linux.go#L211-L235) are supported. |
**Mount block**<br/> **Mount block**<br/>
@ -163,18 +164,19 @@ config {
} }
``` ```
### auth ## Authentication (Private registry)
If you want to pull from a private repository e.g. docker hub, you can specify `username` and `password` in the `auth` stanza. See example below. `auth` stanza allow you to set credentials for your private registry e.g. if you want to pull
an image from a private repository in docker hub.<br/>
`auth` stanza can be set either in `Driver Config` or `Task Config` or both.<br/>
If set at both places, `Task Config` auth will take precedence over `Driver Config` auth.
**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. **NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. Below `auth` stanza can be used for both `Driver Config` and `Task Config`.
``` ```
config { auth {
auth {
username = "user" username = "user"
password = "pass" password = "pass"
}
} }
``` ```

18
containerd/containerd.go
View File

@ -65,12 +65,20 @@ func (d *Driver) getContainerdVersion() (containerd.Version, error) {
type CredentialsOpt func(string) (string, string, error) type CredentialsOpt func(string) (string, string, error)
func parshAuth(auth *RegistryAuth) CredentialsOpt { func (d *Driver) parshAuth(auth *RegistryAuth) CredentialsOpt {
return func(string) (string, string, error) { return func(string) (string, string, error) {
if auth == nil { var username, password string
return "", "", nil if d.config.Auth.Username != "" && d.config.Auth.Password != "" {
username = d.config.Auth.Username
password = d.config.Auth.Password
} }
return auth.Username, auth.Password, nil
// Job auth will take precedence over plugin auth options.
if auth.Username != "" && auth.Password != "" {
username = auth.Username
password = auth.Password
}
return username, password, nil
} }
} }
@ -98,7 +106,7 @@ func (d *Driver) pullImage(imageName, imagePullTimeout string, auth *RegistryAut
pullOpts := []containerd.RemoteOpt{ pullOpts := []containerd.RemoteOpt{
containerd.WithPullUnpack, containerd.WithPullUnpack,
withResolver(parshAuth(auth)), withResolver(d.parshAuth(auth)),
} }
return d.client.Pull(ctxWithTimeout, named.String(), pullOpts...) return d.client.Pull(ctxWithTimeout, named.String(), pullOpts...)

17
containerd/driver.go
View File

@ -84,6 +84,10 @@ var (
hclspec.NewAttr("allow_privileged", "bool", false), hclspec.NewAttr("allow_privileged", "bool", false),
hclspec.NewLiteral("true"), hclspec.NewLiteral("true"),
), ),
"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
"username": hclspec.NewAttr("username", "string", true),
"password": hclspec.NewAttr("password", "string", true),
})),
}) })
// taskConfigSpec is the specification of the plugin's configuration for // taskConfigSpec is the specification of the plugin's configuration for
@ -117,8 +121,8 @@ var (
"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false), "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
"host_network": hclspec.NewAttr("host_network", "bool", false), "host_network": hclspec.NewAttr("host_network", "bool", false),
"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{ "auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
"username": hclspec.NewAttr("username", "string", false), "username": hclspec.NewAttr("username", "string", true),
"password": hclspec.NewAttr("password", "string", false), "password": hclspec.NewAttr("password", "string", true),
})), })),
"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{ "mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
"type": hclspec.NewDefault( "type": hclspec.NewDefault(
@ -144,10 +148,11 @@ var (
// Config contains configuration information for the plugin // Config contains configuration information for the plugin
type Config struct { type Config struct {
Enabled bool `codec:"enabled"` Enabled bool `codec:"enabled"`
ContainerdRuntime string `codec:"containerd_runtime"` ContainerdRuntime string `codec:"containerd_runtime"`
StatsInterval string `codec:"stats_interval"` StatsInterval string `codec:"stats_interval"`
AllowPrivileged bool `codec:"allow_privileged"` AllowPrivileged bool `codec:"allow_privileged"`
Auth RegistryAuth `codec:"auth"`
} }
// Volume, bind, and tmpfs type mounts are supported. // Volume, bind, and tmpfs type mounts are supported.

10
tests/004-test-privileged.sh
View File

@ -33,7 +33,17 @@ test_privileged_nomad_job() {
# Check if container is running in privileged mode. # Check if container is running in privileged mode.
echo "INFO: Checking if container is running in privileged mode." echo "INFO: Checking if container is running in privileged mode."
# If you are running the tests locally in the vagrant VM (Ubuntu 18.04.03)
# the capability set (capsh --print) consists of 37 capabilities.
# However, GHA environment is showing 39 capabilities.
# The below check will set the expected_capabilities to 37 or 39
# depending on the execution environment.
expected_capabilities="37" expected_capabilities="37"
if [[ "$GITHUB_ACTIONS" == "true" ]]; then
expected_capabilities="39"
fi
actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}') actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}')
if [ "$expected_capabilities" != "$actual_capabilities" ]; then if [ "$expected_capabilities" != "$actual_capabilities" ]; then
echo "ERROR: container is not running in privileged mode." echo "ERROR: container is not running in privileged mode."

14
tests/run_tests.sh
View File

@ -80,20 +80,6 @@ setup() {
return 0 return 0
fi fi
sudo systemctl stop apt-daily-upgrade apt-daily >/dev/null 2>&1
set +e
sudo pkill --signal SIGKILL -P $(ps faux | grep 'daily' | awk '{print $2}')
set -e
# Remove docker daemon and containerd.
sudo systemctl stop docker
sudo systemctl stop containerd
sudo apt-get purge -y docker-ce docker-ce-cli containerd.io
sudo apt-get update
sudo apt-get install -y apt-utils curl runc unzip make build-essential
# Change $(pwd) to /tmp # Change $(pwd) to /tmp
pushd /tmp pushd /tmp