From 547301cb0c674247f0e506912e1ecb3bae23a15f Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Tue, 31 Mar 2020 21:46:57 -0700 Subject: [PATCH] Update ctr resolver to use new config package Moved registry host configuration to the config package and allows support of loading configurations from a directory when the hosts are being resolved. Signed-off-by: Derek McGowan --- cmd/ctr/commands/commands.go | 4 +- cmd/ctr/commands/resolver.go | 80 ++++++---------------- remotes/certutil/certutil.go | 126 ----------------------------------- 3 files changed, 21 insertions(+), 189 deletions(-) delete mode 100644 remotes/certutil/certutil.go diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go index 253987730..86202414e 100644 --- a/cmd/ctr/commands/commands.go +++ b/cmd/ctr/commands/commands.go @@ -62,9 +62,9 @@ var ( Usage: "refresh token for authorization server", }, cli.StringFlag{ - Name: "certs-dir", + Name: "hosts-dir", // compatible with "/etc/docker/certs.d" - Usage: "custom certificates directory that contains \"/{ca.crt, client.cert, client.key}\"", + Usage: "Custom hosts configuration directory", }, } diff --git a/cmd/ctr/commands/resolver.go b/cmd/ctr/commands/resolver.go index 5f4b11257..bb394625e 100644 --- a/cmd/ctr/commands/resolver.go +++ b/cmd/ctr/commands/resolver.go @@ -21,20 +21,13 @@ import ( gocontext "context" "crypto/tls" "fmt" - "io/ioutil" - "net" - "net/http" - "os" - "path/filepath" "strings" - "time" "github.com/containerd/console" "github.com/containerd/containerd/remotes" - "github.com/containerd/containerd/remotes/certutil" "github.com/containerd/containerd/remotes/docker" + "github.com/containerd/containerd/remotes/docker/config" "github.com/pkg/errors" - "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -65,8 +58,7 @@ func GetResolver(ctx gocontext.Context, clicontext *cli.Context) (remotes.Resolv username = username[0:i] } options := docker.ResolverOptions{ - PlainHTTP: clicontext.Bool("plain-http"), - Tracker: PushTracker, + Tracker: PushTracker, } if username != "" { if secret == "" { @@ -84,60 +76,26 @@ func GetResolver(ctx gocontext.Context, clicontext *cli.Context) (remotes.Resolv secret = rt } - tr := &http.Transport{ - Proxy: http.ProxyFromEnvironment, - DialContext: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - DualStack: true, - }).DialContext, - MaxIdleConns: 10, - IdleConnTimeout: 30 * time.Second, - TLSHandshakeTimeout: 10 * time.Second, - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: clicontext.Bool("skip-verify"), - }, - ExpectContinueTimeout: 5 * time.Second, - } - loadCertsDir(tr.TLSClientConfig, clicontext.String("certs-dir")) - - options.Client = &http.Client{ - Transport: tr, - } - - credentials := func(host string) (string, string, error) { + hostOptions := config.HostOptions{} + hostOptions.Credentials = func(host string) (string, string, error) { + // If host doesn't match... // Only one host return username, secret, nil } - authOpts := []docker.AuthorizerOpt{docker.WithAuthClient(options.Client), docker.WithAuthCreds(credentials)} - options.Authorizer = docker.NewDockerAuthorizer(authOpts...) + if clicontext.Bool("plain-http") { + hostOptions.DefaultScheme = "http" + } + + if clicontext.Bool("skip-verify") { + hostOptions.DefaultTLS = &tls.Config{ + InsecureSkipVerify: true, + } + } + if hostDir := clicontext.String("hosts-dir"); hostDir != "" { + hostOptions.HostDir = config.HostDirFromRoot(hostDir) + } + + options.Hosts = config.ConfigureHosts(ctx, hostOptions) return docker.NewResolver(options), nil } - -// loadCertsDir loads certs from certsDir like "/etc/docker/certs.d" . -func loadCertsDir(config *tls.Config, certsDir string) { - if certsDir == "" { - return - } - fs, err := ioutil.ReadDir(certsDir) - if err != nil && !os.IsNotExist(err) { - logrus.WithError(err).Errorf("cannot read certs directory %q", certsDir) - return - } - for _, f := range fs { - if !f.IsDir() { - continue - } - // TODO: skip loading if f.Name() is not valid FQDN/IP - hostDir := filepath.Join(certsDir, f.Name()) - caCertGlob := filepath.Join(hostDir, "*.crt") - if _, err = certutil.LoadCACerts(config, caCertGlob); err != nil { - logrus.WithError(err).Errorf("cannot load certs from %q", caCertGlob) - } - keyGlob := filepath.Join(hostDir, "*.key") - if _, _, err = certutil.LoadKeyPairs(config, keyGlob, certutil.DockerKeyPairCertLocator); err != nil { - logrus.WithError(err).Errorf("cannot load key pairs from %q", keyGlob) - } - } -} diff --git a/remotes/certutil/certutil.go b/remotes/certutil/certutil.go deleted file mode 100644 index 7755388b3..000000000 --- a/remotes/certutil/certutil.go +++ /dev/null @@ -1,126 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package certutil - -import ( - "crypto/tls" - "crypto/x509" - "io/ioutil" - "path/filepath" - "runtime" - "sort" - "strings" - - "github.com/containerd/containerd/errdefs" - "github.com/pkg/errors" -) - -// SystemCertPool returns a copy of the system cert pool, -// returns an error if failed to load or empty pool on windows. -// -// SystemCertPool was ported from Docker 19.03 -// https://github.com/docker/engine/blob/v19.03.1/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go#L12 -func SystemCertPool() (*x509.CertPool, error) { - certpool, err := x509.SystemCertPool() - if err != nil && runtime.GOOS == "windows" { - return x509.NewCertPool(), nil - } - return certpool, err -} - -// LoadCACerts loads CA certificates into tlsConfig from glob. -// glob should be like "/etc/docker/certs.d/example.com/*.crt" . -// LoadCACerts returns the paths of the loaded certs. -func LoadCACerts(tlsConfig *tls.Config, glob string) ([]string, error) { - if tlsConfig == nil { - tlsConfig = &tls.Config{} - } - files, err := filepath.Glob(glob) - if err != nil { - return nil, err - } - sort.Strings(files) - if tlsConfig.RootCAs == nil { - systemPool, err := SystemCertPool() - if err != nil { - return nil, errors.Wrap(err, "unable to get system cert poolv") - } - tlsConfig.RootCAs = systemPool - } - var loaded []string - for _, f := range files { - data, err := ioutil.ReadFile(f) - if err != nil { - return loaded, errors.Wrapf(err, "unable to read CA cert %q", f) - } - if !tlsConfig.RootCAs.AppendCertsFromPEM(data) { - return loaded, errors.Errorf("unable to load CA cert %q", f) - } - loaded = append(loaded, f) - } - return loaded, nil -} - -// KeyPairCertLocator is used to resolve the cert path from the key path. -type KeyPairCertLocator func(keyPath string) (certPath string, err error) - -// DockerKeyPairCertLocator implements the Docker-style convention. ("*.key" -> "*.cert") -var DockerKeyPairCertLocator KeyPairCertLocator = func(keyPath string) (string, error) { - if !strings.HasSuffix(keyPath, ".key") { - return "", errors.Errorf("expected key path with \".key\" suffix, got %q", keyPath) - } - // Docker convention uses *.crt for CA certs, *.cert for keypair certs. - certPath := keyPath[:len(keyPath)-4] + ".cert" - return certPath, nil -} - -// LoadKeyPairs loads key pairs into tlsConfig from keyGlob. -// keyGlob should be like "/etc/docker/certs.d/example.com/*.key" . -// certLocator is used to resolve the cert path from the key path. -// Use DockerKeyPairCertLocator for the Docker-style convention. ("*.key" -> "*.cert") -// LoadKeyParis returns the paths of the loaded certs and the loaded keys. -func LoadKeyPairs(tlsConfig *tls.Config, keyGlob string, certLocator KeyPairCertLocator) ([]string, []string, error) { - if tlsConfig == nil { - tlsConfig = &tls.Config{} - } - if certLocator == nil { - return nil, nil, errors.Wrap(errdefs.ErrInvalidArgument, "missing cert locator") - } - keyPaths, err := filepath.Glob(keyGlob) - if err != nil { - return nil, nil, err - } - sort.Strings(keyPaths) - var ( - loadedCerts []string - loadedKeys []string - ) - for _, keyPath := range keyPaths { - certPath, err := certLocator(keyPath) - if err != nil { - return loadedCerts, loadedKeys, err - } - keyPair, err := tls.LoadX509KeyPair(certPath, keyPath) - if err != nil { - return loadedCerts, loadedKeys, err - } - tlsConfig.Certificates = append(tlsConfig.Certificates, keyPair) - loadedCerts = append(loadedCerts, certPath) - loadedKeys = append(loadedKeys, keyPath) - } - return loadedCerts, loadedKeys, nil -}