Merge pull request #44329 from thaJeztah/remove_trustkey_id_migration

Remove trustkey id migration and config.TrustKeyPath

cmd/dockerd/config.go

@@ -7,9 +7,6 @@ import (
 	"github.com/spf13/pflag"
 )
 
-// defaultTrustKeyFile is the default filename for the trust key
-const defaultTrustKeyFile = "key.json"
-
 // installCommonConfigFlags adds flags to the pflag.FlagSet to configure the daemon
 func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	var (

cmd/dockerd/daemon.go

@@ -414,14 +414,6 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
 		conf.CommonTLSOptions = config.CommonTLSOptions{}
 	}
 
-	if conf.TrustKeyPath == "" {
-		daemonConfDir, err := getDaemonConfDir(conf.Root)
-		if err != nil {
-			return nil, err
-		}
-		conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)
-	}
-
 	if opts.configFile != "" {
 		c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
 		if err != nil {

cmd/dockerd/daemon_unix.go

@@ -56,10 +56,6 @@ func setDefaultUmask() error {
 	return nil
 }
 
-func getDaemonConfDir(_ string) (string, error) {
-	return getDefaultDaemonConfigDir()
-}
-
 func (cli *DaemonCli) getPlatformContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {
 	opts := []supervisor.DaemonOpt{
 		// TODO(thaJeztah) change this to use /proc/self/oom_score_adj instead,

cmd/dockerd/daemon_windows.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"time"
 
 	"github.com/docker/docker/daemon/config"
@@ -23,10 +22,6 @@ func setDefaultUmask() error {
 	return nil
 }
 
-func getDaemonConfDir(root string) (string, error) {
-	return filepath.Join(root, "config"), nil
-}
-
 // preNotifyReady sends a message to the host when the API is active, but before the daemon is
 func preNotifyReady() {
 	// start the service now to prevent timeouts waiting for daemon to start

cmd/dockerd/docker_windows.go

@@ -24,11 +24,7 @@ func runDaemon(opts *daemonOptions) error {
 
 	// Windows specific settings as these are not defaulted.
 	if opts.configFile == "" {
-		configDir, err := getDaemonConfDir(opts.daemonConfig.Root)
-		if err != nil {
-			return err
-		}
-		opts.configFile = filepath.Join(configDir, "daemon.json")
+		opts.configFile = filepath.Join(opts.daemonConfig.Root, "config", "daemon.json")
 	}
 	if runAsService {
 		// If Windows SCM manages the service - no need for PID files

cmd/dockerd/options.go

@@ -65,8 +65,6 @@ func (o *daemonOptions) installFlags(flags *pflag.FlagSet) {
 	flags.BoolVar(&o.TLS, FlagTLS, DefaultTLSValue, "Use TLS; implied by --tlsverify")
 	flags.BoolVar(&o.TLSVerify, FlagTLSVerify, dockerTLSVerify || DefaultTLSValue, "Use TLS and verify the remote")
 
-	// TODO use flag flags.String("identity"}, "i", "", "Path to libtrust key file")
-
 	o.TLSOptions = &tlsconfig.Options{}
 	tlsOptions := o.TLSOptions
 	flags.StringVar(&tlsOptions.CAFile, "tlscacert", filepath.Join(dockerCertPath, DefaultCaFile), "Trust certs signed only by this CA")

daemon/config/config.go

@@ -168,12 +168,6 @@ type CommonConfig struct {
 	// Proxies holds the proxies that are configured for the daemon.
 	Proxies `json:"proxies"`
 
-	// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
-	// when pushing to a registry which does not support schema 2. This field is marked as
-	// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
-	// daemon ID will use a dedicated identifier not shared with exported signatures.
-	TrustKeyPath string `json:"deprecated-key-path,omitempty"`
-
 	// LiveRestoreEnabled determines whether we should keep containers
 	// alive upon daemon shutdown/start
 	LiveRestoreEnabled bool `json:"live-restore,omitempty"`

daemon/daemon.go

@@ -935,14 +935,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		return nil, err
 	}
 
-	// Try to preserve the daemon ID (which is the trust-key's ID) when upgrading
-	// an existing installation; this is a "best-effort".
-	idPath := filepath.Join(config.Root, "engine-id")
-	err = migrateTrustKeyID(config.TrustKeyPath, idPath)
-	if err != nil {
-		logrus.WithError(err).Warnf("unable to migrate engine ID; a new engine ID will be generated")
-	}
-
 	// Check if Devices cgroup is mounted, it is hard requirement for container security,
 	// on Linux.
 	//
@@ -955,7 +947,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		return nil, errors.New("Devices cgroup isn't mounted")
 	}
 
-	d.id, err = loadOrCreateID(idPath)
+	d.id, err = loadOrCreateID(filepath.Join(config.Root, "engine-id"))
 	if err != nil {
 		return nil, err
 	}
@@ -1070,19 +1062,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 			ContentNamespace:          config.ContainerdNamespace,
 		}
 
-		// This is a temporary environment variables used in CI to allow pushing
-		// manifest v2 schema 1 images to test-registries used for testing *pulling*
-		// these images.
-		if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
-			imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
-			if err != nil {
-				return nil, err
-			}
-			if err = os.Mkdir(filepath.Join(config.Root, "trust"), 0o700); err != nil && !errors.Is(err, os.ErrExist) {
-				return nil, err
-			}
-		}
-
 		// containerd is not currently supported with Windows.
 		// So sometimes d.containerdCli will be nil
 		// In that case we'll create a local content store... but otherwise we'll use containerd

daemon/id.go

@@ -4,10 +4,8 @@ import (
 	"os"
 
 	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/libtrust"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
 // loadOrCreateID loads the engine's ID from idPath, or generates a new ID
@@ -32,30 +30,3 @@ func loadOrCreateID(idPath string) (string, error) {
 	}
 	return id, nil
 }
-
-// migrateTrustKeyID migrates the daemon ID of existing installations. It returns
-// an error when a trust-key was found, but we failed to read it, or failed to
-// complete the migration.
-//
-// We migrate the ID so that engines don't get a new ID generated on upgrades,
-// which may be unexpected (and users may be using the ID for various purposes).
-func migrateTrustKeyID(deprecatedTrustKeyPath, idPath string) error {
-	if _, err := os.Stat(idPath); err == nil {
-		// engine ID file already exists; no migration needed
-		return nil
-	}
-	trustKey, err := libtrust.LoadKeyFile(deprecatedTrustKeyPath)
-	if err != nil {
-		if err == libtrust.ErrKeyFileDoesNotExist {
-			// no existing trust-key found; no migration needed
-			return nil
-		}
-		return err
-	}
-	id := trustKey.PublicKey().KeyID()
-	if err := ioutils.AtomicWriteFile(idPath, []byte(id), os.FileMode(0600)); err != nil {
-		return errors.Wrap(err, "error saving ID file")
-	}
-	logrus.Info("successfully migrated engine ID")
-	return nil
-}

daemon/images/image_push.go

@@ -54,7 +54,6 @@ func (i *ImageService) PushImage(ctx context.Context, image, tag string, metaHea
 		},
 		ConfigMediaType: schema2.MediaTypeImageConfig,
 		LayerStores:     distribution.NewLayerProvidersFromStore(i.layerStore),
-		TrustKey:        i.trustKey,
 		UploadManager:   i.uploadManager,
 	}
 

daemon/images/service.go

@@ -14,7 +14,6 @@ import (
 	"github.com/docker/docker/layer"
 	dockerreference "github.com/docker/docker/reference"
 	"github.com/docker/docker/registry"
-	"github.com/docker/libtrust"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 )
@@ -41,7 +40,6 @@ type ImageServiceConfig struct {
 	MaxDownloadAttempts       int
 	ReferenceStore            dockerreference.Store
 	RegistryService           registry.Service
-	TrustKey                  libtrust.PrivateKey
 	ContentStore              content.Store
 	Leases                    leases.Manager
 	ContentNamespace          string
@@ -58,7 +56,6 @@ func NewImageService(config ImageServiceConfig) *ImageService {
 		layerStore:                config.LayerStore,
 		referenceStore:            config.ReferenceStore,
 		registryService:           config.RegistryService,
-		trustKey:                  config.TrustKey,
 		uploadManager:             xfer.NewLayerUploadManager(config.MaxConcurrentUploads),
 		leases:                    config.Leases,
 		content:                   config.ContentStore,
@@ -77,7 +74,6 @@ type ImageService struct {
 	pruneRunning              int32
 	referenceStore            dockerreference.Store
 	registryService           registry.Service
-	trustKey                  libtrust.PrivateKey
 	uploadManager             *xfer.LayerUploadManager
 	leases                    leases.Manager
 	content                   content.Store

distribution/config.go

@@ -17,7 +17,6 @@ import (
 	"github.com/docker/docker/pkg/system"
 	refstore "github.com/docker/docker/reference"
 	registrypkg "github.com/docker/docker/registry"
-	"github.com/docker/libtrust"
 	"github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -47,8 +46,6 @@ type Config struct {
 	// ReferenceStore manages tags. This value is optional, when excluded
 	// content will not be tagged.
 	ReferenceStore refstore.Store
-	// RequireSchema2 ensures that only schema2 manifests are used.
-	RequireSchema2 bool
 }
 
 // ImagePullConfig stores pull configuration.
@@ -74,9 +71,6 @@ type ImagePushConfig struct {
 	ConfigMediaType string
 	// LayerStores manages layers.
 	LayerStores PushLayerProvider
-	// TrustKey is the private key for legacy signatures. This is typically
-	// an ephemeral key, since these signatures are no longer verified.
-	TrustKey libtrust.PrivateKey
 	// UploadManager dispatches uploads.
 	UploadManager *xfer.LayerUploadManager
 }

distribution/pull_v2.go

@@ -438,10 +438,6 @@ func (p *puller) pullTag(ctx context.Context, ref reference.Named, platform *spe
 
 	switch v := manifest.(type) {
 	case *schema1.SignedManifest:
-		if p.config.RequireSchema2 {
-			return false, fmt.Errorf("invalid manifest: not schema2")
-		}
-
 		// give registries time to upgrade to schema2 and only warn if we know a registry has been upgraded long time ago
 		// TODO: condition to be removed
 		if reference.Domain(ref) == "docker.io" {