Merge pull request #10234 from dmcgowan/libtrust-key-fix
Fix daemon key file location
This commit is contained in:
commit
10ab6dcb4f
|
@ -3,6 +3,11 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
log "github.com/Sirupsen/logrus"
|
log "github.com/Sirupsen/logrus"
|
||||||
"github.com/docker/docker/builder"
|
"github.com/docker/docker/builder"
|
||||||
"github.com/docker/docker/builtins"
|
"github.com/docker/docker/builtins"
|
||||||
|
@ -14,6 +19,7 @@ import (
|
||||||
flag "github.com/docker/docker/pkg/mflag"
|
flag "github.com/docker/docker/pkg/mflag"
|
||||||
"github.com/docker/docker/pkg/signal"
|
"github.com/docker/docker/pkg/signal"
|
||||||
"github.com/docker/docker/registry"
|
"github.com/docker/docker/registry"
|
||||||
|
"github.com/docker/docker/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
const CanDaemon = true
|
const CanDaemon = true
|
||||||
|
@ -28,6 +34,46 @@ func init() {
|
||||||
registryCfg.InstallFlags()
|
registryCfg.InstallFlags()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func migrateKey() (err error) {
|
||||||
|
// Migrate trust key if exists at ~/.docker/key.json and owned by current user
|
||||||
|
oldPath := filepath.Join(getHomeDir(), ".docker", defaultTrustKeyFile)
|
||||||
|
newPath := filepath.Join(getDaemonConfDir(), defaultTrustKeyFile)
|
||||||
|
if _, statErr := os.Stat(newPath); os.IsNotExist(statErr) && utils.IsFileOwner(oldPath) {
|
||||||
|
defer func() {
|
||||||
|
// Ensure old path is removed if no error occurred
|
||||||
|
if err == nil {
|
||||||
|
err = os.Remove(oldPath)
|
||||||
|
} else {
|
||||||
|
log.Warnf("Key migration failed, key file not removed at %s", oldPath)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
if err := os.MkdirAll(getDaemonConfDir(), os.FileMode(0644)); err != nil {
|
||||||
|
return fmt.Errorf("Unable to create daemon configuration directory: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
newFile, err := os.OpenFile(newPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("error creating key file %q: %s", newPath, err)
|
||||||
|
}
|
||||||
|
defer newFile.Close()
|
||||||
|
|
||||||
|
oldFile, err := os.Open(oldPath)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("error opening key file %q: %s", oldPath, err)
|
||||||
|
}
|
||||||
|
defer oldFile.Close()
|
||||||
|
|
||||||
|
if _, err := io.Copy(newFile, oldFile); err != nil {
|
||||||
|
return fmt.Errorf("error copying key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Infof("Migrated key from %s to %s", oldPath, newPath)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func mainDaemon() {
|
func mainDaemon() {
|
||||||
if flag.NArg() != 0 {
|
if flag.NArg() != 0 {
|
||||||
flag.Usage()
|
flag.Usage()
|
||||||
|
@ -36,6 +82,9 @@ func mainDaemon() {
|
||||||
eng := engine.New()
|
eng := engine.New()
|
||||||
signal.Trap(eng.Shutdown)
|
signal.Trap(eng.Shutdown)
|
||||||
|
|
||||||
|
if err := migrateKey(); err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
daemonCfg.TrustKeyPath = *flTrustKey
|
daemonCfg.TrustKeyPath = *flTrustKey
|
||||||
|
|
||||||
// Load builtins
|
// Load builtins
|
||||||
|
|
|
@ -67,6 +67,8 @@ func main() {
|
||||||
flHosts = append(flHosts, defaultHost)
|
flHosts = append(flHosts, defaultHost)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
setDefaultConfFlag(flTrustKey, defaultTrustKeyFile)
|
||||||
|
|
||||||
if *flDaemon {
|
if *flDaemon {
|
||||||
mainDaemon()
|
mainDaemon()
|
||||||
return
|
return
|
||||||
|
|
|
@ -28,6 +28,14 @@ func getHomeDir() string {
|
||||||
return os.Getenv("HOME")
|
return os.Getenv("HOME")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getDaemonConfDir() string {
|
||||||
|
// TODO: update for Windows daemon
|
||||||
|
if runtime.GOOS == "windows" {
|
||||||
|
return filepath.Join(os.Getenv("USERPROFILE"), ".docker")
|
||||||
|
}
|
||||||
|
return "/etc/docker"
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
flVersion = flag.Bool([]string{"v", "-version"}, false, "Print version information and quit")
|
flVersion = flag.Bool([]string{"v", "-version"}, false, "Print version information and quit")
|
||||||
flDaemon = flag.Bool([]string{"d", "-daemon"}, false, "Enable daemon mode")
|
flDaemon = flag.Bool([]string{"d", "-daemon"}, false, "Enable daemon mode")
|
||||||
|
@ -47,10 +55,20 @@ var (
|
||||||
flHosts []string
|
flHosts []string
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func setDefaultConfFlag(flag *string, def string) {
|
||||||
|
if *flag == "" {
|
||||||
|
if *flDaemon {
|
||||||
|
*flag = filepath.Join(getDaemonConfDir(), def)
|
||||||
|
} else {
|
||||||
|
*flag = filepath.Join(getHomeDir(), ".docker", def)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
// placeholder for trust key flag
|
var placeholderTrustKey string
|
||||||
trustKeyDefault := filepath.Join(dockerCertPath, defaultTrustKeyFile)
|
// TODO use flag flag.String([]string{"i", "-identity"}, "", "Path to libtrust key file")
|
||||||
flTrustKey = &trustKeyDefault
|
flTrustKey = &placeholderTrustKey
|
||||||
|
|
||||||
flCa = flag.String([]string{"-tlscacert"}, filepath.Join(dockerCertPath, defaultCaFile), "Trust only remotes providing a certificate signed by the CA given here")
|
flCa = flag.String([]string{"-tlscacert"}, filepath.Join(dockerCertPath, defaultCaFile), "Trust only remotes providing a certificate signed by the CA given here")
|
||||||
flCert = flag.String([]string{"-tlscert"}, filepath.Join(dockerCertPath, defaultCertFile), "Path to TLS certificate file")
|
flCert = flag.String([]string{"-tlscert"}, filepath.Join(dockerCertPath, defaultCertFile), "Path to TLS certificate file")
|
||||||
|
|
|
@ -8,8 +8,11 @@ import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/docker/libtrust"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestDaemonRestartWithRunningContainersPorts(t *testing.T) {
|
func TestDaemonRestartWithRunningContainersPorts(t *testing.T) {
|
||||||
|
@ -350,3 +353,53 @@ func TestDaemonVolumesBindsRefs(t *testing.T) {
|
||||||
|
|
||||||
logDone("daemon - bind refs in data-containers survive daemon restart")
|
logDone("daemon - bind refs in data-containers survive daemon restart")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestDaemonKeyGeneration(t *testing.T) {
|
||||||
|
// TODO: skip or update for Windows daemon
|
||||||
|
os.Remove("/etc/docker/key.json")
|
||||||
|
d := NewDaemon(t)
|
||||||
|
if err := d.Start(); err != nil {
|
||||||
|
t.Fatalf("Could not start daemon: %v", err)
|
||||||
|
}
|
||||||
|
d.Stop()
|
||||||
|
|
||||||
|
k, err := libtrust.LoadKeyFile("/etc/docker/key.json")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error opening key file")
|
||||||
|
}
|
||||||
|
kid := k.KeyID()
|
||||||
|
// Test Key ID is a valid fingerprint (e.g. QQXN:JY5W:TBXI:MK3X:GX6P:PD5D:F56N:NHCS:LVRZ:JA46:R24J:XEFF)
|
||||||
|
if len(kid) != 59 {
|
||||||
|
t.Fatalf("Bad key ID: %s", kid)
|
||||||
|
}
|
||||||
|
|
||||||
|
logDone("daemon - key generation")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestDaemonKeyMigration(t *testing.T) {
|
||||||
|
// TODO: skip or update for Windows daemon
|
||||||
|
os.Remove("/etc/docker/key.json")
|
||||||
|
k1, err := libtrust.GenerateECP256PrivateKey()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error generating private key: %s", err)
|
||||||
|
}
|
||||||
|
if err := libtrust.SaveKey(filepath.Join(os.Getenv("HOME"), ".docker", "key.json"), k1); err != nil {
|
||||||
|
t.Fatalf("Error saving private key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
d := NewDaemon(t)
|
||||||
|
if err := d.Start(); err != nil {
|
||||||
|
t.Fatalf("Could not start daemon: %v", err)
|
||||||
|
}
|
||||||
|
d.Stop()
|
||||||
|
|
||||||
|
k2, err := libtrust.LoadKeyFile("/etc/docker/key.json")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error opening key file")
|
||||||
|
}
|
||||||
|
if k1.KeyID() != k2.KeyID() {
|
||||||
|
t.Fatalf("Key not migrated")
|
||||||
|
}
|
||||||
|
|
||||||
|
logDone("daemon - key migration")
|
||||||
|
}
|
||||||
|
|
|
@ -37,3 +37,13 @@ func TreeSize(dir string) (size int64, err error) {
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsFileOwner checks whether the current user is the owner of the given file.
|
||||||
|
func IsFileOwner(f string) bool {
|
||||||
|
if fileInfo, err := os.Stat(f); err == nil && fileInfo != nil {
|
||||||
|
if stat, ok := fileInfo.Sys().(*syscall.Stat_t); ok && int(stat.Uid) == os.Getuid() {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue