Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Additional Layer Store] Enable Additional Layer Store to perform registry authentication #2417

Merged
merged 2 commits into from
Jun 5, 2024

Conversation

ktock
Copy link
Contributor

@ktock ktock commented May 14, 2024

Implements openshift/enhancements#1600 (comment)

Currently, c/image doesn't share creds to Additional Layer Store so it requires additional configurations for registry authentication. And the current means of registry authentication for Additional Layer Store doesn't seem to meet requirements for the platform: openshift/enhancements#1600 (review)

This commit fixes that issue by allowing c/image directly sharing creds to Additional Layer Store. Additional Layer Store doesn't need to have its own logic to fetch registry creds but it can receive them from c/image.

Additional Layer Store needs to provide a helper binary that is executed from c/image. This helper binary is registered to c/image using registries.conf with the following field (store-helper can be any command name of the helper binary). It receives registry creds via stdin and Additional Layer Store can use that creds for registry authentication.

additional-layer-store-auth-helper = "store-helper"

An example draft implementation of the helper binary is store-helper of stargz-store: containerd/stargz-snapshotter#1674
This binary is executed by c/image and receives the registry creds from stdin and shares them to stargz-store via the unix socket of stargz-store. Then stargz-store uses these creds for registry authentication.

c/image passes DockerAuthConfig structures with keying them with the image reference.

{
  "image-reference": {
    "username": "username",
    "password": "password",
    "identitytoken": "identitytoken"
  }
}

Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

This is plausible, assuming the system is single-purpose; otherwise all other registry operations, including manual skopeo commands, would also be sending credentials.

A possible alternative would be to capture the credentials in ImageSource, and provide a some kind of interface alongside TryReusingBlobOptions.SrcRef. That would only send “relevant” credentials to the helper, at the cost of some extra plumbing.

pkg/sysregistriesv2/system_registries_v2.go Show resolved Hide resolved
pkg/sysregistriesv2/system_registries_v2.go Show resolved Hide resolved
pkg/sysregistriesv2/system_registries_v2.go Show resolved Hide resolved
docker/docker_image_src.go Show resolved Hide resolved
docker/docker_image_src.go Outdated Show resolved Hide resolved
Password string `json:"password,omitempty"`
IdentityToken string `json:"identitytoken,omitempty"`
}{
physicalRef.ref.String(): {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be .ref.Name()? Credentials are, for the most part, repo-scoped.

Admittedly the FUSE interface uses ref.String().

docker/docker_image_src.go Outdated Show resolved Hide resolved
docker/docker_image_src.go Outdated Show resolved Hide resolved
@TomSweeneyRedHat
Copy link
Member

@ktock Skopeo test is failing and you need a rebase.

@ktock
Copy link
Contributor Author

ktock commented May 16, 2024

Rebased. And skopeo error seems to be resolved.

@rhatdan
Copy link
Member

rhatdan commented May 16, 2024

@mtrmac PTAL

pkg/sysregistriesv2/system_registries_v2.go Outdated Show resolved Hide resolved
docker/docker_image_src.go Outdated Show resolved Hide resolved
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This looks good overall.

I am still conceptually a bit unsure whether capturing all credentials ever read is a good idea — or whether we should be restricting it to those relevant to LookupAdditionalLayer, at the cost of having to make the special case visible to the c/image/copy top level. I don’t have a good idea of where this is likely to be deployed.

Other than that, the option and the data format just need a man page update.


@giuseppe PTAL as well.

docker/docker_image_src.go Outdated Show resolved Hide resolved
@ktock ktock force-pushed the storeauth branch 2 times, most recently from 7cc7a9d to f5a3117 Compare May 21, 2024 00:18
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Implementation LGTM, this is just missing man page updates. But I’d like to hear what @giuseppe thinks.

@ktock ktock force-pushed the storeauth branch 3 times, most recently from 002cfce to 55844d4 Compare May 22, 2024 01:43
@ktock
Copy link
Contributor Author

ktock commented May 22, 2024

Added docs to docs/containers-registries.conf.5.md

docs/containers-registries.conf.5.md Outdated Show resolved Hide resolved
docs/containers-registries.conf.5.md Outdated Show resolved Hide resolved
@ktock
Copy link
Contributor Author

ktock commented May 27, 2024

Could we move this forward?

@TomSweeneyRedHat
Copy link
Member

@giuseppe thoughts?

@ktock, looks like you need a rebase.

@@ -19,6 +19,12 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
`credential-helpers`
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.

`additional-layer-store-auth-helper`
: A string of helper name. This enables to pass registry credentials to
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
: A string of helper name. This enables to pass registry credentials to
: A string containing the helper binary name. This enables passing registry credentials to an

`additional-layer-store-auth-helper`
: A string of helper name. This enables to pass registry credentials to
Additional Layer Store every time an image is read using the `docker://`
transport so that it can access private registries. See the later section for
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
transport so that it can access private registries. See the later section for
transport so that it can access private registries. See the 'Enabling Additional Layer Store to access to private registries' section below for

@@ -254,6 +260,30 @@ in order, and use the first one that exists.

Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.

### Enabling Additional Layer Store to access to private registries

The `additional-layer-store-auth-helper` option enables to pass registry
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The `additional-layer-store-auth-helper` option enables to pass registry
The `additional-layer-store-auth-helper` option enables passing registry

### Enabling Additional Layer Store to access to private registries

The `additional-layer-store-auth-helper` option enables to pass registry
credentials to Additional Layer Store so that it can access private registries.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
credentials to Additional Layer Store so that it can access private registries.
credentials to an Additional Layer Store so that it can access private registries.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, here and above, you could use "the" instead of "an" if you prefer.

The `additional-layer-store-auth-helper` option enables to pass registry
credentials to Additional Layer Store so that it can access private registries.

Additional Layer Store needs to provide a helper binary. This helper binary is
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is what you're getting at

Suggested change
Additional Layer Store needs to provide a helper binary. This helper binary is
When accessing a private registry via an Additional Layer Store, a helper binary needs to be provided. This helper binary is

credentials to Additional Layer Store so that it can access private registries.

Additional Layer Store needs to provide a helper binary. This helper binary is
registered to `additional-layer-store-auth-helper` option. Every time an image
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
registered to `additional-layer-store-auth-helper` option. Every time an image
registered via the `additional-layer-store-auth-helper` option. Every time an image


The format of `$image_reference` is `$repo{:$tag|@$digest}`.

Additional Layer Store can use this for accessing to the registry.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Additional Layer Store can use this for accessing to the registry.
Additional Layer Stores can use this helper binary to access the private registry.

@ktock ktock force-pushed the storeauth branch 2 times, most recently from f93b7a9 to 9d45ea6 Compare May 30, 2024 00:36
@ktock
Copy link
Contributor Author

ktock commented May 30, 2024

@TomSweeneyRedHat Thanks for the review. FIxed and rebased the patch.

@ktock
Copy link
Contributor Author

ktock commented Jun 5, 2024

@giuseppe PTAL

Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ktock added 2 commits June 5, 2024 15:09
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
@mtrmac
Copy link
Collaborator

mtrmac commented Jun 5, 2024

Thanks again!

@mtrmac mtrmac merged commit 63ecb5f into containers:main Jun 5, 2024
9 checks passed
@ktock ktock deleted the storeauth branch June 18, 2024 04:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants