Merge pull request #43555 from thaJeztah/separate_engine_id
daemon: separate daemon ID from trust-key, and disable generating
commit
3228dbaaa9
|
@ -977,15 +977,12 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)
|
// Try to preserve the daemon ID (which is the trust-key's ID) when upgrading
|
||||||
|
// an existing installation; this is a "best-effort".
|
||||||
|
idPath := filepath.Join(config.Root, "engine-id")
|
||||||
|
err = migrateTrustKeyID(config.TrustKeyPath, idPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
logrus.WithError(err).Warnf("unable to migrate engine ID; a new engine ID will be generated")
|
||||||
}
|
|
||||||
|
|
||||||
trustDir := filepath.Join(config.Root, "trust")
|
|
||||||
|
|
||||||
if err := system.MkdirAll(trustDir, 0700); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// We have a single tag/reference store for the daemon globally. However, it's
|
// We have a single tag/reference store for the daemon globally. However, it's
|
||||||
|
@ -1019,7 +1016,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
return nil, errors.New("Devices cgroup isn't mounted")
|
return nil, errors.New("Devices cgroup isn't mounted")
|
||||||
}
|
}
|
||||||
|
|
||||||
d.id = trustKey.PublicKey().KeyID()
|
d.id, err = loadOrCreateID(idPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
d.repository = daemonRepo
|
d.repository = daemonRepo
|
||||||
d.containers = container.NewMemoryStore()
|
d.containers = container.NewMemoryStore()
|
||||||
if d.containersReplica, err = container.NewViewDB(); err != nil {
|
if d.containersReplica, err = container.NewViewDB(); err != nil {
|
||||||
|
@ -1046,10 +1046,22 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
MaxDownloadAttempts: config.MaxDownloadAttempts,
|
MaxDownloadAttempts: config.MaxDownloadAttempts,
|
||||||
ReferenceStore: rs,
|
ReferenceStore: rs,
|
||||||
RegistryService: registryService,
|
RegistryService: registryService,
|
||||||
TrustKey: trustKey,
|
|
||||||
ContentNamespace: config.ContainerdNamespace,
|
ContentNamespace: config.ContainerdNamespace,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This is a temporary environment variables used in CI to allow pushing
|
||||||
|
// manifest v2 schema 1 images to test-registries used for testing *pulling*
|
||||||
|
// these images.
|
||||||
|
if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
|
||||||
|
imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err = system.MkdirAll(filepath.Join(config.Root, "trust"), 0700); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// containerd is not currently supported with Windows.
|
// containerd is not currently supported with Windows.
|
||||||
// So sometimes d.containerdCli will be nil
|
// So sometimes d.containerdCli will be nil
|
||||||
// In that case we'll create a local content store... but otherwise we'll use containerd
|
// In that case we'll create a local content store... but otherwise we'll use containerd
|
||||||
|
|
|
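Review bot: In the first hunk the failure branch of `migrateTrustKeyID` only logs a warning, so a daemon whose existing `key.json` is present but unreadable or corrupt will silently come up with a freshly generated identity, and the warning gives an operator nothing to locate the cause; include the paths in the log record, e.g. `logrus.WithError(err).WithFields(logrus.Fields{"trust-key": config.TrustKeyPath, "engine-id": idPath}).Warn("unable to migrate engine ID; a new engine ID will be generated")`. The "best-effort" comment above the call should also say what the operator can do (restore the old key ID into the `engine-id` file) so the behaviour change is discoverable from the code. In the third hunk the `<root>/trust` directory is now only created when `DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE` is set, where the removed code created it unconditionally; if anything outside this function still expects that directory to exist this is a regression, which cannot be confirmed from the hunk. NewDaemon starts and ends outside all three hunks.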
@ -0,0 +1,61 @@
|
||||||
|
package daemon // import "github.com/docker/docker/daemon"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
|
||||||
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
|
"github.com/docker/libtrust"
|
||||||
|
"github.com/google/uuid"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/sirupsen/logrus"
|
||||||
|
)
|
||||||
|
|
||||||
|
// loadOrCreateID loads the engine's ID from idPath, or generates a new ID
|
||||||
|
// if it doesn't exist. It returns the ID, and any error that occurred when
|
||||||
|
// saving the file.
|
||||||
|
//
|
||||||
|
// Note that this function expects the daemon's root directory to already have
|
||||||
|
// been created with the right permissions and ownership (usually this would
|
||||||
|
// be done by daemon.CreateDaemonRoot().
|
||||||
|
func loadOrCreateID(idPath string) (string, error) {
|
||||||
|
var id string
|
||||||
|
idb, err := os.ReadFile(idPath)
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
id = uuid.New().String()
|
||||||
|
if err := ioutils.AtomicWriteFile(idPath, []byte(id), os.FileMode(0600)); err != nil {
|
||||||
|
return "", errors.Wrap(err, "error saving ID file")
|
||||||
|
}
|
||||||
|
} else if err != nil {
|
||||||
|
return "", errors.Wrapf(err, "error loading ID file %s", idPath)
|
||||||
|
} else {
|
||||||
|
id = string(idb)
|
||||||
|
}
|
||||||
|
return id, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// migrateTrustKeyID migrates the daemon ID of existing installations. It returns
|
||||||
|
// an error when a trust-key was found, but we failed to read it, or failed to
|
||||||
|
// complete the migration.
|
||||||
|
//
|
||||||
|
// We migrate the ID so that engines don't get a new ID generated on upgrades,
|
||||||
|
// which may be unexpected (and users may be using the ID for various purposes).
|
||||||
|
func migrateTrustKeyID(deprecatedTrustKeyPath, idPath string) error {
|
||||||
|
if _, err := os.Stat(idPath); err == nil {
|
||||||
|
// engine ID file already exists; no migration needed
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
trustKey, err := libtrust.LoadKeyFile(deprecatedTrustKeyPath)
|
||||||
|
if err != nil {
|
||||||
|
if err == libtrust.ErrKeyFileDoesNotExist {
|
||||||
|
// no existing trust-key found; no migration needed
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
id := trustKey.PublicKey().KeyID()
|
||||||
|
if err := ioutils.AtomicWriteFile(idPath, []byte(id), os.FileMode(0600)); err != nil {
|
||||||
|
return errors.Wrap(err, "error saving ID file")
|
||||||
|
}
|
||||||
|
logrus.Info("successfully migrated engine ID")
|
||||||
|
return nil
|
||||||
|
}
|
|
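Review bot: `loadOrCreateID` returns the file's bytes unchanged, so an empty or whitespace-only `engine-id` file yields an empty ID with a nil error, and because the file exists the ID is never regenerated; a trailing newline added by an editor would likewise become part of the ID reported by `docker info`. Trim and reject empty content in the final branch: `id = strings.TrimSpace(string(idb))` followed by `if id == "" { return "", errors.Errorf("ID file %s is empty", idPath) }` (this needs `"strings"` in the import block). The two save-error wraps omit `idPath` while the load error includes it; `errors.Wrapf(err, "error saving ID file %s", idPath)` in both functions keeps the messages consistent. In `migrateTrustKeyID` the `err == libtrust.ErrKeyFileDoesNotExist` comparison only works if libtrust returns that sentinel unwrapped, which cannot be confirmed here; if the vendored pkg/errors provides `errors.Is`, that form is the safer check.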
@ -559,6 +559,7 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *testing.T) {
|
||||||
func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) {
|
func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) {
|
||||||
// TODO: skip or update for Windows daemon
|
// TODO: skip or update for Windows daemon
|
||||||
os.Remove("/etc/docker/key.json")
|
os.Remove("/etc/docker/key.json")
|
||||||
|
c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
||||||
s.d.Start(c)
|
s.d.Start(c)
|
||||||
s.d.Stop(c)
|
s.d.Stop(c)
|
||||||
|
|
||||||
|
@ -1212,6 +1213,7 @@ func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
os.Remove("/etc/docker/key.json")
|
os.Remove("/etc/docker/key.json")
|
||||||
|
c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
||||||
s.d.Start(c)
|
s.d.Start(c)
|
||||||
s.d.Stop(c)
|
s.d.Stop(c)
|
||||||
|
|
||||||
|
|
|
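Review bot: The added `c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")` lines in TestDaemonKeyGeneration and TestDaemonWithWrongkey tie both tests to a switch that NewDaemon documents as a temporary CI-only variable, but nothing in the tests records that coupling, so a reader would not know why the daemon no longer generates a key without it. A one-line comment above each Setenv, e.g. `// trust-key generation only happens when schema1 pushes are enabled; remove these tests together with DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE`, makes the dependency explicit. Both enclosing functions continue outside their hunks.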
@ -22,6 +22,11 @@ import (
|
||||||
"gotest.tools/v3/skip"
|
"gotest.tools/v3/skip"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
libtrustKey = `{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`
|
||||||
|
libtrustKeyID = "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB"
|
||||||
|
)
|
||||||
|
|
||||||
func TestConfigDaemonLibtrustID(t *testing.T) {
|
func TestConfigDaemonLibtrustID(t *testing.T) {
|
||||||
skip.If(t, runtime.GOOS == "windows")
|
skip.If(t, runtime.GOOS == "windows")
|
||||||
|
|
||||||
|
@ -29,16 +34,53 @@ func TestConfigDaemonLibtrustID(t *testing.T) {
|
||||||
defer d.Stop(t)
|
defer d.Stop(t)
|
||||||
|
|
||||||
trustKey := filepath.Join(d.RootDir(), "key.json")
|
trustKey := filepath.Join(d.RootDir(), "key.json")
|
||||||
err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644)
|
err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
||||||
config := filepath.Join(d.RootDir(), "daemon.json")
|
cfg := filepath.Join(d.RootDir(), "daemon.json")
|
||||||
err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
|
err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
||||||
d.Start(t, "--config-file", config)
|
d.Start(t, "--config-file", cfg)
|
||||||
info := d.Info(t)
|
info := d.Info(t)
|
||||||
assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB")
|
assert.Equal(t, info.ID, libtrustKeyID)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestConfigDaemonID(t *testing.T) {
|
||||||
|
skip.If(t, runtime.GOOS == "windows")
|
||||||
|
|
||||||
|
d := daemon.New(t)
|
||||||
|
defer d.Stop(t)
|
||||||
|
|
||||||
|
trustKey := filepath.Join(d.RootDir(), "key.json")
|
||||||
|
err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
|
||||||
|
assert.NilError(t, err)
|
||||||
|
|
||||||
|
cfg := filepath.Join(d.RootDir(), "daemon.json")
|
||||||
|
err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
|
||||||
|
assert.NilError(t, err)
|
||||||
|
|
||||||
|
// Verify that on an installation with a trust-key present, the ID matches
|
||||||
|
// the trust-key ID, and that the ID has been migrated to the engine-id file.
|
||||||
|
d.Start(t, "--config-file", cfg, "--iptables=false")
|
||||||
|
info := d.Info(t)
|
||||||
|
assert.Equal(t, info.ID, libtrustKeyID)
|
||||||
|
|
||||||
|
idFile := filepath.Join(d.RootDir(), "engine-id")
|
||||||
|
id, err := os.ReadFile(idFile)
|
||||||
|
assert.NilError(t, err)
|
||||||
|
assert.Equal(t, string(id), libtrustKeyID)
|
||||||
|
d.Stop(t)
|
||||||
|
|
||||||
|
// Verify that (if present) the engine-id file takes precedence
|
||||||
|
const engineID = "this-is-the-engine-id"
|
||||||
|
err = os.WriteFile(idFile, []byte(engineID), 0600)
|
||||||
|
assert.NilError(t, err)
|
||||||
|
|
||||||
|
d.Start(t, "--config-file", cfg, "--iptables=false")
|
||||||
|
info = d.Info(t)
|
||||||
|
assert.Equal(t, info.ID, engineID)
|
||||||
|
d.Stop(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDaemonConfigValidation(t *testing.T) {
|
func TestDaemonConfigValidation(t *testing.T) {
|
||||||
|
|
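Review bot: TestConfigDaemonID calls `d.Stop(t)` explicitly at the end while also deferring `d.Stop(t)` right after `daemon.New(t)`, so the daemon is stopped twice at exit; whether the second call is a no-op or fails the test depends on how the helper treats an already-stopped daemon, which is not visible here, so either the deferred Stop or the final explicit one should go. The test also passes `--iptables=false` while TestConfigDaemonLibtrustID in the same hunk starts the daemon without it; if the flag is required by the test environment both tests should use it, otherwise it is noise. The second start correctly checks that a hand-written `engine-id` takes precedence over the trust key (the `os.Stat` guard in the migration); it would be worth also asserting that `key.json` is unchanged after both starts, since the migration is meant to only read the deprecated key.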