kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Merge pull request #10234 from dmcgowan/libtrust-key-fix 

Fix daemon key file location
This commit is contained in:
Arnaud Porterie 2015-01-22 11:54:03 -08:00
parent 211513156d d55e977cf5
commit 10ab6dcb4f
5 changed files with 135 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
docker/daemon.go
View File

@ -3,6 +3,11 @@
package main package main
import ( import (
"fmt"
"io"
"os"
"path/filepath"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/docker/docker/builder" "github.com/docker/docker/builder"
"github.com/docker/docker/builtins" "github.com/docker/docker/builtins"
@ -14,6 +19,7 @@ import (
flag "github.com/docker/docker/pkg/mflag" flag "github.com/docker/docker/pkg/mflag"
"github.com/docker/docker/pkg/signal" "github.com/docker/docker/pkg/signal"
"github.com/docker/docker/registry" "github.com/docker/docker/registry"
"github.com/docker/docker/utils"
) )
const CanDaemon = true const CanDaemon = true
@ -28,6 +34,46 @@ func init() {
registryCfg.InstallFlags() registryCfg.InstallFlags()
} }
func migrateKey() (err error) {
// Migrate trust key if exists at ~/.docker/key.json and owned by current user
oldPath := filepath.Join(getHomeDir(), ".docker", defaultTrustKeyFile)
newPath := filepath.Join(getDaemonConfDir(), defaultTrustKeyFile)
if _, statErr := os.Stat(newPath); os.IsNotExist(statErr) && utils.IsFileOwner(oldPath) {
defer func() {
// Ensure old path is removed if no error occurred
if err == nil {
err = os.Remove(oldPath)
} else {
log.Warnf("Key migration failed, key file not removed at %s", oldPath)
}
}()
if err := os.MkdirAll(getDaemonConfDir(), os.FileMode(0644)); err != nil {
return fmt.Errorf("Unable to create daemon configuration directory: %s", err)
}
newFile, err := os.OpenFile(newPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("error creating key file %q: %s", newPath, err)
}
defer newFile.Close()
oldFile, err := os.Open(oldPath)
if err != nil {
return fmt.Errorf("error opening key file %q: %s", oldPath, err)
}
defer oldFile.Close()
if _, err := io.Copy(newFile, oldFile); err != nil {
return fmt.Errorf("error copying key: %s", err)
}
log.Infof("Migrated key from %s to %s", oldPath, newPath)
}
return nil
}
func mainDaemon() { func mainDaemon() {
if flag.NArg() != 0 { if flag.NArg() != 0 {
flag.Usage() flag.Usage()
@ -36,6 +82,9 @@ func mainDaemon() {
eng := engine.New() eng := engine.New()
signal.Trap(eng.Shutdown) signal.Trap(eng.Shutdown)
if err := migrateKey(); err != nil {
log.Fatal(err)
}
daemonCfg.TrustKeyPath = *flTrustKey daemonCfg.TrustKeyPath = *flTrustKey
// Load builtins // Load builtins

2
docker/docker.go
View File

@ -67,6 +67,8 @@ func main() {
flHosts = append(flHosts, defaultHost) flHosts = append(flHosts, defaultHost)
} }
setDefaultConfFlag(flTrustKey, defaultTrustKeyFile)
if *flDaemon { if *flDaemon {
mainDaemon() mainDaemon()
return return

24
docker/flags.go
View File

@ -28,6 +28,14 @@ func getHomeDir() string {
return os.Getenv("HOME") return os.Getenv("HOME")
} }
func getDaemonConfDir() string {
// TODO: update for Windows daemon
if runtime.GOOS == "windows" {
return filepath.Join(os.Getenv("USERPROFILE"), ".docker")
}
return "/etc/docker"
}
var ( var (
flVersion = flag.Bool([]string{"v", "-version"}, false, "Print version information and quit") flVersion = flag.Bool([]string{"v", "-version"}, false, "Print version information and quit")
flDaemon = flag.Bool([]string{"d", "-daemon"}, false, "Enable daemon mode") flDaemon = flag.Bool([]string{"d", "-daemon"}, false, "Enable daemon mode")
@ -47,10 +55,20 @@ var (
flHosts []string flHosts []string
) )
func setDefaultConfFlag(flag *string, def string) {
if *flag == "" {
if *flDaemon {
*flag = filepath.Join(getDaemonConfDir(), def)
} else {
*flag = filepath.Join(getHomeDir(), ".docker", def)
}
}
}
func init() { func init() {
// placeholder for trust key flag var placeholderTrustKey string
trustKeyDefault := filepath.Join(dockerCertPath, defaultTrustKeyFile) // TODO use flag flag.String([]string{"i", "-identity"}, "", "Path to libtrust key file")
flTrustKey = &trustKeyDefault flTrustKey = &placeholderTrustKey
flCa = flag.String([]string{"-tlscacert"}, filepath.Join(dockerCertPath, defaultCaFile), "Trust only remotes providing a certificate signed by the CA given here") flCa = flag.String([]string{"-tlscacert"}, filepath.Join(dockerCertPath, defaultCaFile), "Trust only remotes providing a certificate signed by the CA given here")
flCert = flag.String([]string{"-tlscert"}, filepath.Join(dockerCertPath, defaultCertFile), "Path to TLS certificate file") flCert = flag.String([]string{"-tlscert"}, filepath.Join(dockerCertPath, defaultCertFile), "Path to TLS certificate file")

53
integration-cli/docker_cli_daemon_test.go
View File

@ -8,8 +8,11 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"os/exec" "os/exec"
"path/filepath"
"strings" "strings"
"testing" "testing"
"github.com/docker/libtrust"
) )
func TestDaemonRestartWithRunningContainersPorts(t *testing.T) { func TestDaemonRestartWithRunningContainersPorts(t *testing.T) {
@ -350,3 +353,53 @@ func TestDaemonVolumesBindsRefs(t *testing.T) {
logDone("daemon - bind refs in data-containers survive daemon restart") logDone("daemon - bind refs in data-containers survive daemon restart")
} }
func TestDaemonKeyGeneration(t *testing.T) {
// TODO: skip or update for Windows daemon
os.Remove("/etc/docker/key.json")
d := NewDaemon(t)
if err := d.Start(); err != nil {
t.Fatalf("Could not start daemon: %v", err)
}
d.Stop()
k, err := libtrust.LoadKeyFile("/etc/docker/key.json")
if err != nil {
t.Fatalf("Error opening key file")
}
kid := k.KeyID()
// Test Key ID is a valid fingerprint (e.g. QQXN:JY5W:TBXI:MK3X:GX6P:PD5D:F56N:NHCS:LVRZ:JA46:R24J:XEFF)
if len(kid) != 59 {
t.Fatalf("Bad key ID: %s", kid)
}
logDone("daemon - key generation")
}
func TestDaemonKeyMigration(t *testing.T) {
// TODO: skip or update for Windows daemon
os.Remove("/etc/docker/key.json")
k1, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
t.Fatalf("Error generating private key: %s", err)
}
if err := libtrust.SaveKey(filepath.Join(os.Getenv("HOME"), ".docker", "key.json"), k1); err != nil {
t.Fatalf("Error saving private key: %s", err)
}
d := NewDaemon(t)
if err := d.Start(); err != nil {
t.Fatalf("Could not start daemon: %v", err)
}
d.Stop()
k2, err := libtrust.LoadKeyFile("/etc/docker/key.json")
if err != nil {
t.Fatalf("Error opening key file")
}
if k1.KeyID() != k2.KeyID() {
t.Fatalf("Key not migrated")
}
logDone("daemon - key migration")
}

10
utils/utils_daemon.go
View File

@ -37,3 +37,13 @@ func TreeSize(dir string) (size int64, err error) {
}) })
return return
} }
// IsFileOwner checks whether the current user is the owner of the given file.
func IsFileOwner(f string) bool {
if fileInfo, err := os.Stat(f); err == nil && fileInfo != nil {
if stat, ok := fileInfo.Sys().(*syscall.Stat_t); ok && int(stat.Uid) == os.Getuid() {
return true
}
}
return false
}