-
Notifications
You must be signed in to change notification settings - Fork 18.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Revert "Remove the rest of v1 manifest support"
This reverts commit 98fc091 in order to keep registry v2 schema1 handling and libtrust-key-based engine ID. Because registry v2 schema1 was not officially deprecated and registries are still relying on it, this patch puts its logic back. However, registry v1 relics are not added back since v1 logic has been removed a while ago. This also fixes an engine upgrade issue in a swarm cluster. It was relying on the Engine ID to be the same upon upgrade, but the mentioned commit modified the logic to use UUID and from a different file. Since the libtrust key is always needed to support v2 schema1 pushes, that the old engine ID is based on the libtrust key, and that the engine ID needs to be conserved across upgrades, adding a UUID-based engine ID logic seems to add more complexity than it solves the problems. Hence reverting the engine ID changes as well. Signed-off-by: Tibor Vass <tibor@docker.com>
- Loading branch information
Tibor Vass
committed
Jun 18, 2019
1 parent
0811297
commit f695e98
Showing
17 changed files
with
247 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
package daemon // import "github.com/docker/docker/daemon" | ||
|
||
import ( | ||
"encoding/json" | ||
"encoding/pem" | ||
"fmt" | ||
"os" | ||
"path/filepath" | ||
|
||
"github.com/docker/docker/pkg/ioutils" | ||
"github.com/docker/docker/pkg/system" | ||
"github.com/docker/libtrust" | ||
) | ||
|
||
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path, | ||
// otherwise generates a new one | ||
// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need | ||
// a refactor or this function to be moved into libtrust | ||
func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) { | ||
err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "") | ||
if err != nil { | ||
return nil, err | ||
} | ||
trustKey, err := libtrust.LoadKeyFile(trustKeyPath) | ||
if err == libtrust.ErrKeyFileDoesNotExist { | ||
trustKey, err = libtrust.GenerateECP256PrivateKey() | ||
if err != nil { | ||
return nil, fmt.Errorf("Error generating key: %s", err) | ||
} | ||
encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath)) | ||
if err != nil { | ||
return nil, fmt.Errorf("Error serializing key: %s", err) | ||
} | ||
if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil { | ||
return nil, fmt.Errorf("Error saving key file: %s", err) | ||
} | ||
} else if err != nil { | ||
return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err) | ||
} | ||
return trustKey, nil | ||
} | ||
|
||
func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) { | ||
if ext == ".json" || ext == ".jwk" { | ||
encoded, err = json.Marshal(key) | ||
if err != nil { | ||
return nil, fmt.Errorf("unable to encode private key JWK: %s", err) | ||
} | ||
} else { | ||
pemBlock, err := key.PEMBlock() | ||
if err != nil { | ||
return nil, fmt.Errorf("unable to encode private key PEM: %s", err) | ||
} | ||
encoded = pem.EncodeToMemory(pemBlock) | ||
} | ||
return | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
package daemon // import "github.com/docker/docker/daemon" | ||
|
||
import ( | ||
"io/ioutil" | ||
"os" | ||
"path/filepath" | ||
"testing" | ||
|
||
"gotest.tools/assert" | ||
is "gotest.tools/assert/cmp" | ||
"gotest.tools/fs" | ||
) | ||
|
||
// LoadOrCreateTrustKey | ||
func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) { | ||
tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test") | ||
assert.NilError(t, err) | ||
defer os.RemoveAll(tmpKeyFolderPath) | ||
|
||
tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile") | ||
assert.NilError(t, err) | ||
|
||
_, err = loadOrCreateTrustKey(tmpKeyFile.Name()) | ||
assert.Check(t, is.ErrorContains(err, "Error loading key file")) | ||
} | ||
|
||
func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) { | ||
tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test") | ||
defer tmpKeyFolderPath.Remove() | ||
|
||
// Without the need to create the folder hierarchy | ||
tmpKeyFile := tmpKeyFolderPath.Join("keyfile") | ||
|
||
key, err := loadOrCreateTrustKey(tmpKeyFile) | ||
assert.NilError(t, err) | ||
assert.Check(t, key != nil) | ||
|
||
_, err = os.Stat(tmpKeyFile) | ||
assert.NilError(t, err, "key file doesn't exist") | ||
} | ||
|
||
func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) { | ||
tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test") | ||
defer tmpKeyFolderPath.Remove() | ||
tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile") | ||
|
||
key, err := loadOrCreateTrustKey(tmpKeyFile) | ||
assert.NilError(t, err) | ||
assert.Check(t, key != nil) | ||
|
||
_, err = os.Stat(tmpKeyFile) | ||
assert.NilError(t, err, "key file doesn't exist") | ||
} | ||
|
||
func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) { | ||
defer os.Remove("keyfile") | ||
key, err := loadOrCreateTrustKey("keyfile") | ||
assert.NilError(t, err) | ||
assert.Check(t, key != nil) | ||
|
||
_, err = os.Stat("keyfile") | ||
assert.NilError(t, err, "key file doesn't exist") | ||
} | ||
|
||
func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) { | ||
tmpKeyFile := filepath.Join("testdata", "keyfile") | ||
key, err := loadOrCreateTrustKey(tmpKeyFile) | ||
assert.NilError(t, err) | ||
expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY" | ||
assert.Check(t, is.Contains(key.String(), expected)) | ||
} |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.