Store auth in keyring and transfer it to nydusd via environment variable #512
Conversation
sctb512
changed the title
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #512 +/- ##
==========================================
+ Coverage 37.83% 38.37% +0.53%
==========================================
Files 60 62 +2
Lines 7092 7339 +247
==========================================
+ Hits 2683 2816 +133
- Misses 4097 4188 +91
- Partials 312 335 +23
|
sctb512
force-pushed
the
get-auth-from-keyring
branch
6 times, most recently
from
af671f5
to
d03befe
Compare
pkg/manager/daemon_adaptor.go
Outdated
| @@ -192,6 +195,19 @@ func (m *Manager) BuildDaemonCommand(d *daemon.Daemon, bin string, upgrade bool) | |||
|
|
|||
| cmd := exec.Command(nydusdPath, args...) | |||
|
|
|||
| if config.IsKeyringEnabled() && !config.IsFusedevSharedModeEnabled() { | |||
There was a problem hiding this comment.
Daemon has its own working mode which means nydusd daemons can work in the different modes in a single node.
Better to judge by daemon, we already have some helper functions doing this
pkg/filesystem/fs.go
Outdated
| err = daemonconfig.SupplementDaemonConfig(cfg, imageID, snapshotID, false, labels, params) | ||
| var updateErr error | ||
| err = daemonconfig.SupplementDaemonConfig(cfg, imageID, snapshotID, false, labels, params, func(imageHost string, keyChain *auth.PassKeyChain) { | ||
| logrus.Infof("add key for %s", imageHost) |
There was a problem hiding this comment.
It's better to lower the log level to Debug
pkg/manager/daemon_adaptor.go
Outdated
| @@ -192,6 +195,19 @@ func (m *Manager) BuildDaemonCommand(d *daemon.Daemon, bin string, upgrade bool) | |||
|
|
|||
| cmd := exec.Command(nydusdPath, args...) | |||
|
|
|||
| if config.IsKeyringEnabled() && !config.IsFusedevSharedModeEnabled() { | |||
| c, err := daemonconfig.NewDaemonConfig(d.States.FsDriver, configPath) | |||
There was a problem hiding this comment.
I am afraid the current way to identify a container image reference's host is not agile. For the dedicated mode nydusd daemon, it only has a rafs instance in its Instances where we can calculate what host is
pkg/keyring/keyring.go
Outdated
| @@ -0,0 +1,42 @@ | |||
| package keyring | |||
pkg/daemon/daemon.go
Outdated
| @@ -66,6 +71,7 @@ type Daemon struct { | |||
| // fusedev shared mode: zero, one or more RAFS instances | |||
| // fscache shared mode: zero, one or more RAFS instances | |||
| Instances rafsSet | |||
| authCache *lru.Cache | |||
There was a problem hiding this comment.
Auth should be shared among different nydusd daemons. So why to bind the cache to a single nydusd daemon?
There was a problem hiding this comment.
Fixed. Move it to the manager.
pkg/daemon/daemon.go
Outdated
| @@ -151,6 +158,31 @@ func (d *Daemon) RemoveInstance(snapshotID string) { | |||
| d.DecRef() | |||
| } | |||
|
|
|||
| func (d *Daemon) UpdateAuth(imageHost, auth string) error { | |||
| key, err := keyring.Add(imageHost, auth) | |||
There was a problem hiding this comment.
Is it necessary to consider the atomicity when updating?
pkg/daemon/daemon.go
Outdated
| } | ||
|
|
||
| data, err := keyring.Search(imageHost) | ||
| if err == nil { |
There was a problem hiding this comment.
Checking if err is nil looks strange.
|
This approach seems to only solve the nydusd registry credential persistence problem, but when the credential is changed (e.g. registry user/pass dynamically generated by a credential helper), nydusd may not be able to timely detect the update. I think #504 is a better implementation. |
sctb512
force-pushed
the
get-auth-from-keyring
branch
4 times, most recently
from
30ee1e2
to
25b9d09
Compare
I believe this PR does not conflict with #504. It is better to get authentication from the credential server if |
sctb512
force-pushed
the
get-auth-from-keyring
branch
6 times, most recently
from
92d4b96
to
e79e344
Compare
pkg/auth/cache.go
Outdated
|
|
||
| import ( | ||
| "github.com/pkg/errors" | ||
| "k8s.io/utils/lru" |
There was a problem hiding this comment.
It seems we have used github.com/golang/groupcache/lru.
pkg/auth/keyring.go
Outdated
| lock *sync.RWMutex | ||
| } | ||
|
|
||
| func NewKeyRing() *KeyRing { |
There was a problem hiding this comment.
Maybe give some unit test cases for this?
There was a problem hiding this comment.
Agree, please try to add some unit test, especially for keying garbage collection and if the boundary is correctly handled.
| @@ -192,6 +199,25 @@ func (m *Manager) BuildDaemonCommand(d *daemon.Daemon, bin string, upgrade bool) | |||
|
|
|||
| cmd := exec.Command(nydusdPath, args...) | |||
|
|
|||
| if config.IsKeyringEnabled() && !d.IsSharedDaemon() { | |||
There was a problem hiding this comment.
Can we support shared daemon?
There was a problem hiding this comment.
Yes, it calls c.FillAuth(keyChain) to fill auth before sending mount request to nydus daemon.
sctb512
force-pushed
the
get-auth-from-keyring
branch
from
e79e344
to
44b5fee
Compare
sctb512
force-pushed
the
get-auth-from-keyring
branch
27 times, most recently
from
ee9c16d
to
a9c1dd0
Compare
| c.FillAuth(keyChain) | ||
| if config.IsKeyringEnabled() && fn != nil { | ||
| if err := fn(registryHost, keyChain); err != nil { | ||
| if errors.Is(err, unix.EINVAL) { |
There was a problem hiding this comment.
I think the error type should be transparent for the caller
Signed-off-by: Bin Tang <tangbin.bin@bytedance.com>
sctb512
force-pushed
the
get-auth-from-keyring
branch
from
a9c1dd0
to
c317c16
Compare
authfornydusdin the keyring instead of the configuration file.authvia environment variable to avoid displaying it in command parameter.Related to dragonflyoss/nydus#1381 and dragonflyoss/nydus#1382