ctrd/daemon: support PlainHttp pull/push image

ctrd/client.go

@@ -40,6 +40,9 @@ type Client struct {
 	watch *watch
 	lock  *containerLock
 
+	// insecureRegistries stores the insecure registries
+	insecureRegistries []string
+
 	// containerd grpc pool
 	pool      []scheduler.Factory
 	scheduler scheduler.Scheduler
@@ -64,6 +67,7 @@ func NewClient(opts ...ClientOpt) (APIClient, error) {
 		rpcAddr:                unixSocketPath,
 		grpcClientPoolCapacity: defaultGrpcClientPoolCapacity,
 		maxStreamsClient:       defaultMaxStreamsClient,
+		insecureRegistries:     []string{},
 	}
 
 	for _, opt := range opts {
@@ -79,6 +83,7 @@ func NewClient(opts ...ClientOpt) (APIClient, error) {
 		watch: &watch{
 			containers: make(map[string]*containerPack),
 		},
+		insecureRegistries: copts.insecureRegistries,
 	}
 
 	for i := 0; i < copts.grpcClientPoolCapacity; i++ {

ctrd/client_opts.go

@@ -1,12 +1,18 @@
 package ctrd
 
-import "fmt"
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+)
 
 type clientOpts struct {
 	rpcAddr                string
 	grpcClientPoolCapacity int
 	maxStreamsClient       int
 	defaultns              string
+	insecureRegistries     []string
 }
 
 // ClientOpt allows caller to set options for containerd client.
@@ -59,3 +65,43 @@ func WithDefaultNamespace(ns string) ClientOpt {
 		return nil
 	}
 }
+
+// WithInsecureRegistries sets the insecure registries to allow http request
+// and skip secure verify.
+func WithInsecureRegistries(endpoints []string) ClientOpt {
+	return func(c *clientOpts) error {
+		registries := make([]string, 0, len(endpoints))
+
+		for _, r := range endpoints {
+			if strings.Contains(strings.ToLower(r), "://") {
+				return fmt.Errorf("insecure registry %s should not contain any '://'", r)
+			}
+
+			if err := validateHostPort(r); err != nil {
+				return err
+			}
+			registries = append(registries, r)
+		}
+		c.insecureRegistries = registries
+		return nil
+	}
+}
+
+func validateHostPort(s string) error {
+	_, port, err := net.SplitHostPort(s)
+	if err != nil {
+		port = ""
+	}
+
+	if port != "" {
+		v, err := strconv.Atoi(port)
+		if err != nil {
+			return err
+		}
+
+		if v < 0 || v > 65535 {
+			return fmt.Errorf("invalid port %q", port)
+		}
+	}
+	return nil
+}

ctrd/client_opts_test.go

@@ -0,0 +1,50 @@
+package ctrd
+
+import "testing"
+
+func TestWithInsecureRegistries(t *testing.T) {
+	testCases := []struct {
+		endpoints []string
+		hasError  bool
+	}{
+		{
+			endpoints: []string{"localhost:5000"},
+			hasError:  false,
+		},
+		{
+			endpoints: []string{"localhost:5000/v1"},
+			hasError:  true,
+		},
+		{
+			endpoints: []string{"myregistry.com"},
+			hasError:  false,
+		},
+		{
+			endpoints: []string{"myregistry.com:5000"},
+			hasError:  false,
+		},
+		{
+			endpoints: []string{"myregistry.com:5000/v1"},
+			hasError:  true,
+		},
+		{
+			endpoints: []string{"http://myregistry.com:5000"},
+			hasError:  true,
+		},
+		{
+			endpoints: []string{"dummy://myregistry.com:5000"},
+			hasError:  true,
+		},
+		{
+			endpoints: []string{"myregistry.com:65536"},
+			hasError:  true,
+		},
+	}
+
+	for _, tc := range testCases {
+		err := WithInsecureRegistries(tc.endpoints)(&clientOpts{})
+		if (err != nil) != tc.hasError {
+			t.Fatalf("expected hasError = %v, but got error = %v", tc.hasError, err)
+		}
+	}
+}

ctrd/image.go

@@ -199,7 +199,7 @@ func (c *Client) PushImage(ctx context.Context, ref string, authConfig *types.Au
 
 	pushTracker := docker.NewInMemoryTracker()
 
-	resolver, err := resolver(authConfig, docker.ResolverOptions{
+	resolver, err := c.getResolver(authConfig, ref, docker.ResolverOptions{
 		Tracker: pushTracker,
 	})
 	if err != nil {
@@ -248,7 +248,7 @@ func (c *Client) FetchImage(ctx context.Context, ref string, authConfig *types.A
 		return nil, fmt.Errorf("failed to get a containerd grpc client: %v", err)
 	}
 
-	resolver, err := resolver(authConfig, docker.ResolverOptions{})
+	resolver, err := c.getResolver(authConfig, ref, docker.ResolverOptions{})
 	if err != nil {
 		return nil, err
 	}

ctrd/utils.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"net"
 	"net/http"
+	"net/url"
 	"syscall"
 	"time"
 
@@ -17,6 +18,7 @@ import (
 	"github.com/containerd/containerd/runtime/linux/runctypes"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 func withExitShimV1CheckpointTaskOpts() containerd.CheckpointTaskOpts {
@@ -28,32 +30,36 @@ func withExitShimV1CheckpointTaskOpts() containerd.CheckpointTaskOpts {
 	}
 }
 
-func resolver(authConfig *types.AuthConfig, resolverOpt docker.ResolverOptions) (remotes.Resolver, error) {
+// isInsecureDomain will return true if the domain of reference is in the
+// insecure registry. The insecure registry will accept HTTP or HTTPS with
+// certificates from unknown CAs.
+func (c *Client) isInsecureDomain(ref string) bool {
+	u, err := url.Parse("dummy://" + ref)
+	if err != nil {
+		logrus.Warning("failed to parse reference(%s) into url: %v", ref, err)
+		return false
+	}
+
+	for _, r := range c.insecureRegistries {
+		if r == u.Host {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Client) getResolver(authConfig *types.AuthConfig, ref string, resolverOpt docker.ResolverOptions) (remotes.Resolver, error) {
 	var (
-		// TODO
 		username = ""
 		secret   = ""
-		refresh  = ""
-		insecure = false
+		insecure = c.isInsecureDomain(ref)
 	)
 
 	if authConfig != nil {
 		username = authConfig.Username
 		secret = authConfig.Password
 	}
 
-	// FIXME
-	_ = refresh
-
-	options := docker.ResolverOptions{
-		PlainHTTP: resolverOpt.PlainHTTP,
-		Tracker:   resolverOpt.Tracker,
-	}
-	options.Credentials = func(host string) (string, string, error) {
-		// Only one host
-		return username, secret, nil
-	}
-
 	tr := &http.Transport{
 		Proxy: proxyFromEnvironment,
 		DialContext: (&net.Dialer{
@@ -70,10 +76,17 @@ func resolver(authConfig *types.AuthConfig, resolverOpt docker.ResolverOptions)
 		ExpectContinueTimeout: 5 * time.Second,
 	}
 
-	options.Client = &http.Client{
-		Transport: tr,
+	options := docker.ResolverOptions{
+		Tracker:   resolverOpt.Tracker,
+		PlainHTTP: insecure,
+		Credentials: func(host string) (string, string, error) {
+			// Only one host
+			return username, secret, nil
+		},
+		Client: &http.Client{
+			Transport: tr,
+		},
 	}
-
 	return docker.NewResolver(options), nil
 }
 

daemon/config/config.go

@@ -127,6 +127,10 @@ type Config struct {
 
 	// CgroupDriver sets cgroup driver for all containers
 	CgroupDriver string `json:"cgroup-driver,omitempty"`
+
+	// InsecureRegistries sets insecure registries to allow to pull
+	// insecure registries.
+	InsecureRegistries []string `json:"insecure-registries,omitempty"`
 }
 
 // GetCgroupDriver gets cgroup driver used in runc.

daemon/daemon.go

@@ -97,6 +97,7 @@ func NewDaemon(cfg *config.Config) *Daemon {
 	ctrdClient, err := ctrd.NewClient(
 		ctrd.WithRPCAddr(cfg.ContainerdAddr),
 		ctrd.WithDefaultNamespace(cfg.DefaultNamespace),
+		ctrd.WithInsecureRegistries(cfg.InsecureRegistries),
 	)
 	if err != nil {
 		logrus.Errorf("failed to new containerd's client: %v", err)

main.go

@@ -137,6 +137,9 @@ func setupFlags(cmd *cobra.Command) {
 	// to k8s.io
 	flagSet.StringVar(&cfg.DefaultNamespace, "default-namespace", namespaces.Default, "default-namespace is passed to containerd, the default value is 'default'")
 	flagSet.StringVar(&cfg.CgroupDriver, "cgroup-driver", "cgroupfs", "Set cgroup driver for all containers(cgroupfs|systemd), default cgroupfs")
+
+	// registry
+	flagSet.StringArrayVar(&cfg.InsecureRegistries, "insecure-registries", []string{}, "enable insecure registry")
 }
 
 // runDaemon prepares configs, setups essential details and runs pouchd daemon.