Merge pull request #12564 from LK4D4/remove_jobs_trust

Remove engine from trust

daemon/daemon.go

@@ -108,7 +108,6 @@ type Daemon struct {
 	containerGraph   *graphdb.Database
 	driver           graphdriver.Driver
 	execDriver       execdriver.Driver
-	trustStore       *trust.TrustStore
 	statsCollector   *statsCollector
 	defaultLogConfig runconfig.LogConfig
 	RegistryService  *registry.Service
@@ -129,9 +128,6 @@ func (daemon *Daemon) Install(eng *engine.Engine) error {
 	if err := daemon.Repositories().Install(eng); err != nil {
 		return err
 	}
-	if err := daemon.trustStore.Install(eng); err != nil {
-		return err
-	}
 	// FIXME: this hack is necessary for legacy integration tests to access
 	// the daemon object.
 	eng.HackSetGlobalVar("httpapi.daemon", daemon)
@@ -901,22 +897,29 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine, registryService
 		return nil, err
 	}
 
-	eventsService := events.New()
-	logrus.Debug("Creating repository list")
-	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, trustKey, registryService, eventsService)
-	if err != nil {
-		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
-	}
-
 	trustDir := path.Join(config.Root, "trust")
 	if err := os.MkdirAll(trustDir, 0700); err != nil && !os.IsExist(err) {
 		return nil, err
 	}
-	t, err := trust.NewTrustStore(trustDir)
+	trustService, err := trust.NewTrustStore(trustDir)
 	if err != nil {
 		return nil, fmt.Errorf("could not create trust store: %s", err)
 	}
 
+	eventsService := events.New()
+	logrus.Debug("Creating repository list")
+	tagCfg := &graph.TagStoreConfig{
+		Graph:    g,
+		Key:      trustKey,
+		Registry: registryService,
+		Events:   eventsService,
+		Trust:    trustService,
+	}
+	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), tagCfg)
+	if err != nil {
+		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
+	}
+
 	if !config.DisableNetwork {
 		if err := bridge.InitDriver(&config.Bridge); err != nil {
 			return nil, fmt.Errorf("Error initializing Bridge: %v", err)
@@ -978,7 +981,6 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine, registryService
 		sysInitPath:      sysInitPath,
 		execDriver:       ed,
 		eng:              eng,
-		trustStore:       t,
 		statsCollector:   newStatsCollector(1 * time.Second),
 		defaultLogConfig: config.LogConfig,
 		RegistryService:  registryService,

graph/manifest.go

@@ -1,7 +1,6 @@
 package graph
 
 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 
@@ -9,6 +8,7 @@ import (
 	"github.com/docker/distribution/digest"
 	"github.com/docker/docker/engine"
 	"github.com/docker/docker/registry"
+	"github.com/docker/docker/trust"
 	"github.com/docker/docker/utils"
 	"github.com/docker/libtrust"
 )
@@ -69,32 +69,28 @@ func (s *TagStore) loadManifest(eng *engine.Engine, manifestBytes []byte, dgst,
 
 	var verified bool
 	for _, key := range keys {
-		job := eng.Job("trust_key_check")
-		b, err := key.MarshalJSON()
-		if err != nil {
-			return nil, false, fmt.Errorf("error marshalling public key: %s", err)
-		}
 		namespace := manifest.Name
 		if namespace[0] != '/' {
 			namespace = "/" + namespace
 		}
-		stdoutBuffer := bytes.NewBuffer(nil)
+		b, err := key.MarshalJSON()
-
+		if err != nil {
-		job.Args = append(job.Args, namespace)
+			return nil, false, fmt.Errorf("error marshalling public key: %s", err)
-		job.Setenv("PublicKey", string(b))
-		// Check key has read/write permission (0x03)
-		job.SetenvInt("Permission", 0x03)
-		job.Stdout.Add(stdoutBuffer)
-		if err = job.Run(); err != nil {
-			return nil, false, fmt.Errorf("error running key check: %s", err)
 		}
-		result := engine.Tail(stdoutBuffer, 1)
+		// Check key has read/write permission (0x03)
-		logrus.Debugf("Key check result: %q", result)
+		v, err := s.trustService.CheckKey(namespace, b, 0x03)
-		if result == "verified" {
+		if err != nil {
-			verified = true
+			vErr, ok := err.(trust.NotVerifiedError)
+			if !ok {
+				return nil, false, fmt.Errorf("error running key check: %s", err)
+			}
+			logrus.Debugf("Key check result: %v", vErr)
+		}
+		verified = v
+		if verified {
+			logrus.Debug("Key check result: verified")
 		}
 	}
-
 	return &manifest, verified, nil
 }
 

graph/pull.go

@@ -70,10 +70,7 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf
 
 	if len(repoInfo.Index.Mirrors) == 0 && (repoInfo.Index.Official || endpoint.Version == registry.APIVersion2) {
 		if repoInfo.Official {
-			j := eng.Job("trust_update_base")
+			s.trustService.UpdateBase()
-			if err = j.Run(); err != nil {
-				logrus.Errorf("error updating trust base graph: %s", err)
-			}
 		}
 
 		logrus.Debugf("pulling v2 repository with local name %q", repoInfo.LocalName)

graph/tags.go

@@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/registry"
+	"github.com/docker/docker/trust"
 	"github.com/docker/docker/utils"
 	"github.com/docker/libtrust"
 )
@@ -42,6 +43,7 @@ type TagStore struct {
 	pushingPool     map[string]chan struct{}
 	registryService *registry.Service
 	eventsService   *events.Events
+	trustService    *trust.TrustStore
 }
 
 type Repository map[string]string
@@ -64,7 +66,15 @@ func (r Repository) Contains(u Repository) bool {
 	return true
 }
 
-func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey, registryService *registry.Service, eventsService *events.Events) (*TagStore, error) {
+type TagStoreConfig struct {
+	Graph    *Graph
+	Key      libtrust.PrivateKey
+	Registry *registry.Service
+	Events   *events.Events
+	Trust    *trust.TrustStore
+}
+
+func NewTagStore(path string, cfg *TagStoreConfig) (*TagStore, error) {
 	abspath, err := filepath.Abs(path)
 	if err != nil {
 		return nil, err
@@ -72,13 +82,14 @@ func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey, registrySer
 
 	store := &TagStore{
 		path:            abspath,
-		graph:           graph,
+		graph:           cfg.Graph,
-		trustKey:        key,
+		trustKey:        cfg.Key,
 		Repositories:    make(map[string]Repository),
 		pullingPool:     make(map[string]chan struct{}),
 		pushingPool:     make(map[string]chan struct{}),
-		registryService: registryService,
+		registryService: cfg.Registry,
-		eventsService:   eventsService,
+		eventsService:   cfg.Events,
+		trustService:    cfg.Trust,
 	}
 	// Load the json file if it exists, otherwise create it.
 	if err := store.reload(); os.IsNotExist(err) {

graph/tags_unit_test.go

@@ -60,7 +60,11 @@ func mkTestTagStore(root string, t *testing.T) *TagStore {
 	if err != nil {
 		t.Fatal(err)
 	}
-	store, err := NewTagStore(path.Join(root, "tags"), graph, nil, nil, events.New())
+	tagCfg := &TagStoreConfig{
+		Graph:  graph,
+		Events: events.New(),
+	}
+	store, err := NewTagStore(path.Join(root, "tags"), tagCfg)
 	if err != nil {
 		t.Fatal(err)
 	}

trust/service.go

@@ -5,70 +5,49 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/docker/docker/engine"
 	"github.com/docker/libtrust"
 )
 
-func (t *TrustStore) Install(eng *engine.Engine) error {
+type NotVerifiedError string
-	for name, handler := range map[string]engine.Handler{
+
-		"trust_key_check":   t.CmdCheckKey,
+func (e NotVerifiedError) Error() string {
-		"trust_update_base": t.CmdUpdateBase,
+	return string(e)
-	} {
-		if err := eng.Register(name, handler); err != nil {
-			return fmt.Errorf("Could not register %q: %v", name, err)
-		}
-	}
-	return nil
 }
 
-func (t *TrustStore) CmdCheckKey(job *engine.Job) error {
+func (t *TrustStore) CheckKey(ns string, key []byte, perm uint16) (bool, error) {
-	if n := len(job.Args); n != 1 {
+	if len(key) == 0 {
-		return fmt.Errorf("Usage: %s NAMESPACE", job.Name)
+		return false, fmt.Errorf("Missing PublicKey")
 	}
-	var (
+	pk, err := libtrust.UnmarshalPublicKeyJWK(key)
-		namespace = job.Args[0]
-		keyBytes  = job.Getenv("PublicKey")
-	)
-
-	if keyBytes == "" {
-		return fmt.Errorf("Missing PublicKey")
-	}
-	pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
 	if err != nil {
-		return fmt.Errorf("Error unmarshalling public key: %s", err)
+		return false, fmt.Errorf("Error unmarshalling public key: %v", err)
 	}
 
-	permission := uint16(job.GetenvInt("Permission"))
+	if perm == 0 {
-	if permission == 0 {
+		perm = 0x03
-		permission = 0x03
 	}
 
 	t.RLock()
 	defer t.RUnlock()
 	if t.graph == nil {
-		job.Stdout.Write([]byte("no graph"))
+		return false, NotVerifiedError("no graph")
-		return nil
 	}
 
 	// Check if any expired grants
-	verified, err := t.graph.Verify(pk, namespace, permission)
+	verified, err := t.graph.Verify(pk, ns, perm)
 	if err != nil {
-		return fmt.Errorf("Error verifying key to namespace: %s", namespace)
+		return false, fmt.Errorf("Error verifying key to namespace: %s", ns)
 	}
 	if !verified {
-		logrus.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
+		logrus.Debugf("Verification failed for %s using key %s", ns, pk.KeyID())
-		job.Stdout.Write([]byte("not verified"))
+		return false, NotVerifiedError("not verified")
-	} else if t.expiration.Before(time.Now()) {
-		job.Stdout.Write([]byte("expired"))
-	} else {
-		job.Stdout.Write([]byte("verified"))
 	}
-
+	if t.expiration.Before(time.Now()) {
-	return nil
+		return false, NotVerifiedError("expired")
+	}
+	return true, nil
 }
 
-func (t *TrustStore) CmdUpdateBase(job *engine.Job) error {
+func (t *TrustStore) UpdateBase() {
 	t.fetch()
-
-	return nil
 }