
Commit 36087ad

committed
daemon: store auth to keyring and send it to nydusd via env
Signed-off-by: Bin Tang <[email protected]>
1 parent ccaf5b9 commit 36087ad


6 files changed

+80
-11
lines changed


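--- a/config/daemonconfig/daemonconfig.go
+++ b/config/daemonconfig/daemonconfig.go
@@ -141,7 +141,7 @@ func DumpConfigString(c interface{}) (string, error) {
 
 // Achieve a daemon configuration from template or snapshotter's configuration
 func SupplementDaemonConfig(c DaemonConfig, imageID, snapshotID string,
-vpcRegistry bool, labels map[string]string, params map[string]string) error {
+vpcRegistry bool, labels map[string]string, params map[string]string, fn func(string, *auth.PassKeyChain)) error {
 
 image, err := registry.ParseImage(imageID)
 if err != nil {
@@ -169,7 +169,11 @@ func SupplementDaemonConfig(c DaemonConfig, imageID, snapshotID string,
 // when repository is public.
 keyChain := auth.GetRegistryKeyChain(registryHost, imageID, labels)
 c.Supplement(registryHost, image.Repo, snapshotID, params)
-c.FillAuth(keyChain)
+if config.IsKeyringEnabled() && fn != nil {
+fn(registryHost, keyChain)
+} else {
+c.FillAuth(keyChain)
+}
 
 // Localfs and OSS backends don't need any update,
 // just use the provided config in template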
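Review bot: The new branch in the second hunk falls back to `c.FillAuth(keyChain)` whenever `fn` is nil, even with the keyring enabled, so a caller that passes nil silently gets the credential filled into the daemon configuration again, which is presumably the path keyring mode is meant to avoid. The callback type `func(string, *auth.PassKeyChain)` also has no error result, which forces callers to carry a storage failure out through a captured variable. I would declare it as `fn func(string, *auth.PassKeyChain) error`, return its error from this branch with `if err := fn(registryHost, keyChain); err != nil { return err }`, and treat "keyring enabled but no callback" as an error instead of a fallback. The body of SupplementDaemonConfig continues outside both hunks.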

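--- a/pkg/daemon/command/command.go
+++ b/pkg/daemon/command/command.go
@@ -99,6 +99,10 @@ func BuildCommand(opts []Opt) ([]string, error) {
 return args, nil
 }
 
+func (dc *DaemonCommand) GetConfigPath() string {
+return dc.Config
+}
+
 func WithMode(m string) Opt {
 return func(cmd *DaemonCommand) {
 cmd.Mode = m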

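--- a/pkg/daemon/daemon.go
+++ b/pkg/daemon/daemon.go
@@ -17,16 +17,19 @@ import (
 "time"
 
 "github.com/pkg/errors"
+"github.com/sirupsen/logrus"
 
 "github.com/containerd/containerd/log"
 
 "github.com/containerd/nydus-snapshotter/config"
 "github.com/containerd/nydus-snapshotter/config/daemonconfig"
+"github.com/containerd/nydus-snapshotter/pkg/auth"
 "github.com/containerd/nydus-snapshotter/pkg/daemon/types"
 "github.com/containerd/nydus-snapshotter/pkg/errdefs"
 "github.com/containerd/nydus-snapshotter/pkg/supervisor"
 "github.com/containerd/nydus-snapshotter/pkg/utils/erofs"
 "github.com/containerd/nydus-snapshotter/pkg/utils/mount"
+"github.com/containerd/nydus-snapshotter/pkg/utils/registry"
 "github.com/containerd/nydus-snapshotter/pkg/utils/retry"
 )
 
@@ -66,6 +69,7 @@ type Daemon struct {
 // fusedev shared mode: zero, one or more RAFS instances
 // fscache shared mode: zero, one or more RAFS instances
 Instances rafsSet
+// authCache *lru.Cache
 
 // Protect nydusd http client
 cmu sync.Mutex
@@ -82,6 +86,7 @@ type Daemon struct {
 Version types.BuildTimeInfo
 
 ref int32
+
 // Cache the nydusd daemon state to avoid frequently querying nydusd by API.
 state types.DaemonState
 }
@@ -222,7 +227,7 @@ func (d *Daemon) IsSharedDaemon() bool {
 return d.HostMountpoint() == config.GetRootMountpoint()
 }
 
-func (d *Daemon) SharedMount(rafs *Rafs) error {
+func (d *Daemon) SharedMount(rafs *Rafs, authCache *auth.Cache) error {
 defer d.SendStates()
 
 switch d.States.FsDriver {
@@ -232,13 +237,13 @@ func (d *Daemon) SharedMount(rafs *Rafs) error {
 }
 return nil
 case config.FsDriverFusedev:
-return d.sharedFusedevMount(rafs)
+return d.sharedFusedevMount(rafs, authCache)
 default:
 return errors.Errorf("unsupported fs driver %s", d.States.FsDriver)
 }
 }
 
-func (d *Daemon) sharedFusedevMount(rafs *Rafs) error {
+func (d *Daemon) sharedFusedevMount(rafs *Rafs, authCache *auth.Cache) error {
 client, err := d.GetClient()
 if err != nil {
 return errors.Wrapf(err, "mount instance %s", rafs.SnapshotID)
@@ -255,6 +260,25 @@ func (d *Daemon) sharedFusedevMount(rafs *Rafs) error {
 d.ConfigFile(rafs.SnapshotID))
 }
 
+if config.IsKeyringEnabled() {
+image, err := registry.ParseImage(rafs.ImageID)
+if err != nil {
+return errors.Wrapf(err, "parse image %s", rafs.ImageID)
+}
+
+logrus.Debugf("get key for %s", image.Host)
+cachedAuth, err := authCache.GetAuth(image.Host)
+if err != nil {
+return err
+}
+
+keyChain, err := auth.FromBase64(cachedAuth)
+if err != nil {
+return err
+}
+c.FillAuth(&keyChain)
+}
+
 cfg, err := c.DumpString()
 if err != nil {
 return errors.Wrap(err, "dump instance configuration")
@@ -624,7 +648,7 @@ func (d *Daemon) CloneInstances(src *Daemon) {
 }
 
 // Daemon must be started and reach RUNNING state before call this method
-func (d *Daemon) RecoveredMountInstances() error {
+func (d *Daemon) RecoveredMountInstances(authCache *auth.Cache) error {
 if d.IsSharedDaemon() {
 d.Instances.Lock()
 defer d.Instances.Unlock()
@@ -641,7 +665,7 @@ func (d *Daemon) RecoveredMountInstances() error {
 for _, i := range instances {
 if d.HostMountpoint() != i.GetMountpoint() {
 log.L.Infof("Recovered mount instance %s", i.SnapshotID)
-if err := d.SharedMount(i); err != nil {
+if err := d.SharedMount(i, authCache); err != nil {
 return err
 }
 }
@@ -657,6 +681,7 @@ func NewDaemon(opt ...NewDaemonOpt) (*Daemon, error) {
 d.States.ID = newID()
 d.States.DaemonMode = config.DaemonModeDedicated
 d.Instances = rafsSet{instances: make(map[string]*Rafs)}
+// d.authCache = lru.New(32)
 
 for _, o := range opt {
 err := o(d)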
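Review bot: In the `sharedFusedevMount` hunk the errors from `authCache.GetAuth(image.Host)` and `auth.FromBase64(cachedAuth)` are returned bare, so a failed mount gives no hint of which registry host or which step was involved; wrap them like the `ParseImage` error just above, e.g. `return errors.Wrapf(err, "get auth for %s", image.Host)` and `return errors.Wrap(err, "decode cached auth")`, keeping the credential value itself out of the message. The same block treats a missing entry as fatal: if `GetAuth` returns an error when nothing was stored for a host (its implementation is not shown), mounting an image that needs no credentials would fail in keyring mode. The block also logs through `logrus.Debugf` where the rest of the file uses `log.L`, and the commented-out `// authCache *lru.Cache` and `// d.authCache = lru.New(32)` lines in the struct and `NewDaemon` hunks should be dropped rather than committed. The function body continues outside the hunk, so what happens to the credential-bearing `cfg` string after `c.DumpString()` cannot be checked from here.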

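--- a/pkg/filesystem/fs.go
+++ b/pkg/filesystem/fs.go
@@ -18,13 +18,15 @@ import (
 "github.com/mohae/deepcopy"
 "github.com/opencontainers/go-digest"
 "github.com/pkg/errors"
+"github.com/sirupsen/logrus"
 
 "github.com/containerd/containerd/log"
 "github.com/containerd/containerd/snapshots"
 
 snpkg "github.com/containerd/containerd/pkg/snapshotters"
 "github.com/containerd/nydus-snapshotter/config"
 "github.com/containerd/nydus-snapshotter/config/daemonconfig"
+"github.com/containerd/nydus-snapshotter/pkg/auth"
 "github.com/containerd/nydus-snapshotter/pkg/cache"
 "github.com/containerd/nydus-snapshotter/pkg/daemon"
 "github.com/containerd/nydus-snapshotter/pkg/daemon/types"
@@ -132,7 +134,7 @@ func NewFileSystem(ctx context.Context, opt ...NewFSOpt) (*Filesystem, error) {
 if err := d.WaitUntilState(types.DaemonStateRunning); err != nil {
 return nil, errors.Wrapf(err, "wait for daemon %s", d.ID())
 }
-if err := d.RecoveredMountInstances(); err != nil {
+if err := d.RecoveredMountInstances(fsManager.AuthCache); err != nil {
 return nil, errors.Wrapf(err, "recover mounts for daemon %s", d.ID())
 }
 fs.TryRetainSharedDaemon(d)
@@ -298,7 +300,14 @@ func (fs *Filesystem) Mount(snapshotID string, labels map[string]string) (err er
 daemonconfig.CacheDir: cacheDir,
 }
 cfg := deepcopy.Copy(fsManager.DaemonConfig).(daemonconfig.DaemonConfig)
-err = daemonconfig.SupplementDaemonConfig(cfg, imageID, snapshotID, false, labels, params)
+var updateErr error
+err = daemonconfig.SupplementDaemonConfig(cfg, imageID, snapshotID, false, labels, params, func(imageHost string, keyChain *auth.PassKeyChain) {
+logrus.Debugf("add key for %s", imageHost)
+updateErr = fsManager.AuthCache.UpdateAuth(imageHost, keyChain.ToBase64())
+})
+if updateErr != nil {
+return updateErr
+}
 if err != nil {
 return errors.Wrap(err, "supplement configuration")
 }
@@ -490,7 +499,7 @@ func (fs *Filesystem) mountRemote(fsManager *manager.Manager, useSharedDaemon bo
 } else {
 r.SetMountpoint(path.Join(r.GetSnapshotDir(), "mnt"))
 }
-if err := d.SharedMount(r); err != nil {
+if err := d.SharedMount(r, fsManager.AuthCache); err != nil {
 return errors.Wrapf(err, "failed to mount")
 }
 } else {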
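Review bot: The callback in the `Mount` hunk stores the credential under `imageHost` alone, although the key chain was resolved per image (`GetRegistryKeyChain` takes the image ID and labels in daemonconfig.go), so two images on the same registry host with different credentials would overwrite each other's entry and a later `GetAuth(image.Host)` could hand nydusd the wrong one. Either key the cache by something that identifies the image or snapshot, or state in a comment that one credential per host is assumed. `keyChain.ToBase64()` is also called without a nil check; if `GetRegistryKeyChain` can return nil for a public repository (the comment above that call hints at this case, but the function is not shown), guard the callback with `if keyChain == nil { return }`. `updateErr` is returned unwrapped, unlike the `errors.Wrap(err, "supplement configuration")` next to it. The enclosing Mount function starts and ends outside the hunk.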

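--- a/pkg/manager/daemon_adaptor.go
+++ b/pkg/manager/daemon_adaptor.go
@@ -7,12 +7,14 @@
 package manager
 
 import (
+"fmt"
 "os"
 "os/exec"
 "strings"
 "time"
 
 "github.com/pkg/errors"
+"github.com/sirupsen/logrus"
 
 "github.com/containerd/containerd/log"
 
@@ -23,6 +25,7 @@ import (
 "github.com/containerd/nydus-snapshotter/pkg/errdefs"
 "github.com/containerd/nydus-snapshotter/pkg/metrics/collector"
 metrics "github.com/containerd/nydus-snapshotter/pkg/metrics/tool"
+"github.com/containerd/nydus-snapshotter/pkg/utils/registry"
 )
 
 // Fork the nydusd daemon with the process PID decided
@@ -192,6 +195,25 @@ func (m *Manager) BuildDaemonCommand(d *daemon.Daemon, bin string, upgrade bool)
 
 cmd := exec.Command(nydusdPath, args...)
 
+if config.IsKeyringEnabled() && !d.IsSharedDaemon() {
+if d.Instances.Len() > 1 {
+return nil, errors.New("nydusd is not running in shared mode but the instance length is large than 1")
+}
+
+imageID := d.Instances.Head().ImageID
+image, err := registry.ParseImage(imageID)
+if err != nil {
+return nil, errors.Wrapf(err, "parse image %s", imageID)
+}
+
+logrus.Debugf("get key for %s", image.Host)
+auth, err := m.AuthCache.GetAuth(image.Host)
+if err != nil {
+return nil, err
+}
+cmd.Env = append(cmd.Env, fmt.Sprintf("IMAGE_PULL_AUTH=%s", auth))
+}
+
 // nydusd standard output and standard error rather than its logs are
 // always redirected to snapshotter's respectively
 cmd.Stdout = os.Stdout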
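Review bot: `cmd.Env = append(cmd.Env, ...)` in the last hunk runs on the `exec.Cmd` created two lines earlier, whose `Env` is still nil; once `Env` is non-nil the child no longer inherits the snapshotter's environment, so in keyring mode nydusd starts with `IMAGE_PULL_AUTH` as its only variable and loses `PATH`, proxy settings and the like. If inheritance is intended, use `cmd.Env = append(os.Environ(), "IMAGE_PULL_AUTH="+auth)`. `d.Instances.Head().ImageID` is also reached when `Len()` is 0, because only `> 1` is rejected; if `Head()` returns nil for an empty set (not shown) this dereferences nil, so handle the empty case explicitly before calling it. Since the value is a base64-encoded credential, not an encrypted one, the block deserves a comment that the process environment is readable by the same user and root through procfs and is inherited by any child nydusd spawns, so nydusd should treat the variable as a secret and drop it after reading. BuildDaemonCommand starts and ends outside the hunk.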

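--- a/pkg/manager/manager.go
+++ b/pkg/manager/manager.go
@@ -20,6 +20,7 @@ import (
 
 "github.com/containerd/nydus-snapshotter/config"
 "github.com/containerd/nydus-snapshotter/config/daemonconfig"
+"github.com/containerd/nydus-snapshotter/pkg/auth"
 "github.com/containerd/nydus-snapshotter/pkg/cgroup"
 "github.com/containerd/nydus-snapshotter/pkg/daemon"
 "github.com/containerd/nydus-snapshotter/pkg/daemon/types"
@@ -139,6 +140,9 @@ type Manager struct {
 // Cgroup manager for nydusd
 CgroupMgr *cgroup.Manager
 
+// Cache for registry authorization
+AuthCache *auth.Cache
+
 // In order to validate daemon fs driver is consistent with the latest snapshotter boot
 FsDriver string
 
@@ -222,7 +226,7 @@ func (m *Manager) doDaemonRestart(d *daemon.Daemon) {
 break
 }
 
-if err := d.SharedMount(r); err != nil {
+if err := d.SharedMount(r, m.AuthCache); err != nil {
 log.L.Warnf("Failed to mount rafs instance, %v", err)
 }
 }
@@ -284,6 +288,7 @@ func NewManager(opt Opt) (*Manager, error) {
 SupervisorSet: supervisorSet,
 DaemonConfig: opt.DaemonConfig,
 CgroupMgr: opt.CgroupMgr,
+AuthCache: auth.NewCache(),
 FsDriver: opt.FsDriver,
 }
 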
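Review bot: The comment `// Cache for registry authorization` on the new `AuthCache` field in the `Manager` struct hunk does not say what is stored or how it is keyed, which matters for an exported field that holds credentials. From the calls elsewhere in this commit it is keyed by registry host and holds a base64-encoded key chain, so something like `// AuthCache maps a registry host to its base64-encoded pull credential; it is consulted only when the keyring is enabled.` would serve the next reader better. Nothing in the visible hunks removes an entry when an image is unmounted, so the same comment is the place to state the intended lifetime of a cached credential.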
