Expose trust key path in config #32587
Conversation
dmcgowan
force-pushed
the
trust-key-config
branch
from
2ef65ea
to
3021157
Compare
|
In the future as we talked before we could get rid of the |
|
@rogaha I did look at that, I forgot we need to still do something when pushing old v1 manifests. Although the key we use for pushing those manifests can be completely ephemeral, it would require generating some sort of key. |
daemon/config/config.go
Outdated
| @@ -101,7 +101,7 @@ type CommonConfig struct { | |||
| RootDeprecated string `json:"graph,omitempty"` | |||
| Root string `json:"data-root,omitempty"` | |||
| SocketGroup string `json:"group,omitempty"` | |||
| TrustKeyPath string `json:"-"` | |||
| TrustKeyPath string `json:"key-path,omitempty"` | |||
There was a problem hiding this comment.
Does this actually work?
echo '{"debug":true,"key-path":"/hello-world.json"}' > /etc/docker/daemon.json
dockerd
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives don't match any configuration option: key-path
3021157
to
e0757be
Compare
|
@thaJeztah ugh, updated to add a flag as the config code requires. It is unfortunate adding a flag for this. |
cli/flags/common.go
Outdated
| @@ -69,6 +69,8 @@ func (commonOpts *CommonOptions) InstallFlags(flags *pflag.FlagSet) { | |||
| flags.Var(opts.NewQuotedString(&tlsOptions.CertFile), "tlscert", "Path to TLS certificate file") | |||
| flags.Var(opts.NewQuotedString(&tlsOptions.KeyFile), "tlskey", "Path to TLS key file") | |||
|
|
|||
| flags.Var(opts.NewQuotedString(&commonOpts.TrustKey), "key-path", "Path to key file for ID and image signing") | |||
There was a problem hiding this comment.
should we mention (default: /etc/docker/key.json)? Not sure what the default is on Windows
There was a problem hiding this comment.
Also; this is in common flags, so this allows me to use;
docker --key-path=/foobar info
But doing so doesn't make a difference for the ID printed in docker info
There was a problem hiding this comment.
@thaJeztah that's very unusual use-case. I think we are going to use the key-path as a dockerd parameter only.
There was a problem hiding this comment.
Yes discussed with @dmcgowan earlier this week; and it needs to be moved to a different location so that it doesn't show up in the client
There was a problem hiding this comment.
👍 thanks for the update @thaJeztah!
dmcgowan
force-pushed
the
trust-key-config
branch
2 times, most recently
from
74f1450
to
7030c90
Compare
|
Updated, option and flag are now daemon only |
|
👍 |
|
moving to code review |
|
@thaJeztah PTAL |
cmd/dockerd/config.go
Outdated
| @@ -53,6 +55,8 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) { | |||
|
|
|||
| flags.StringVar(&conf.MetricsAddress, "metrics-addr", "", "Set default address and port to serve the metrics api on") | |||
|
|
|||
| flags.Var(opts.NewQuotedString(&conf.TrustKeyPath), "key-path", "Path to key file for ID and image signing") | |||
There was a problem hiding this comment.
I think the flag key-path might not provide enough context to the user. Could this be trust-key-path, or something like that?
There was a problem hiding this comment.
Problem is that it is not really used for trust anymore since the signatures are not checked and the ID is not in Swarm mode for cryptographic identity. It is basically just used for deprecated features and not something users will want to set themselves. I only added a flag because the config parser required having the flag as well.
There was a problem hiding this comment.
In that case could we make the name deprecated-key-path, and Also add
flags.MarkHidden("deprecated-key-path")So we hide it from help.
If we expect it to be removed at some point we could use MarkDeprecated() instead of hidden
There was a problem hiding this comment.
Much prefer it to be MarkDeprecated(). That would have probably saved me two days of head banging and hair pulling trying to find a way around a read-only /etc/docker before I discovered this 😒
There was a problem hiding this comment.
@paddy-hack I am currently banging my head - could you clue me in on what you ended up doing to support read-only /etc?
It seems like the only solution would be to generate a JWK key manually and point to it with this config option, which seems subpar since dockerd clearly has the ability to generate a key on its own - it just refuses to generate it in any other directory...
There was a problem hiding this comment.
The "trustkey" has been removed in Docker 23.0 and up; support for pushing the legacy images was removed already (the only remaining purpose for libtrust), and Docker 23.0 now stores an "engine-id" file in /var/lib/docker/engine-id (when using the default data location /var/lib/docker/), and the daemon will no longer write a file to /etc/docker/.
ls -l /var/lib/docker
total 88
drwx------ 2 root root 4096 May 25 2019 builder
drwx------ 5 root root 4096 Mar 18 2021 buildkit
drwx--x--- 3 root root 4096 Apr 4 20:45 containers
-rw------- 1 root root 59 Mar 7 12:15 engine-id
drwx------ 3 root root 4096 Jun 27 2022 image
drwxr-x--- 3 root root 4096 May 25 2019 network
drwx--x--- 81 root root 36864 Apr 4 20:49 overlay2
drwx------ 4 root root 4096 May 25 2019 plugins
drwx------ 2 root root 4096 Mar 28 12:19 runtimes
drwx------ 5 root root 4096 Mar 28 12:19 swarm
drwx------ 2 root root 4096 Apr 4 20:50 tmp
drwx------ 2 root root 4096 May 25 2019 trust
drwx-----x 5 root root 4096 Mar 28 12:19 volumesFor existing installations that have a /etc/docker/key.json and are upgraded to 23.0, the key ID is copied to the engine-id file (to keep the same "ID" in docker info output). For fresh installs, or situations where no key.json is present, a random ID (GUID) is generated, and used as ID.
For details, see these PRs;
There was a problem hiding this comment.
@harrisonmg In my case, I was trying to mount a single docker-daemon.json "file" from a Kubernetes ConfigMap on /etc/docker/ in any container our GitLab Runner would spin up for CI/CD jobs. Doing so resulted in /etc/docker/ becoming read-only so the daemon could no longer create a key.json file at its default location. I worked around the issue by setting the deprecated-key-path in my docker-daemon.json file 😸
Like so
{
"deprecated-key-path": "/var/lib/docker/key.json",
"registry-mirrors": [
"https://docker-registry.mirror.internal"
]
}@thaJeztah Unfortunately for me, I don't control the Docker versions that many of our CI/CD jobs want to use 😿
Allows storing key under any directory. In the case where the "/etc/docker" directory is not preserved, this file can be specified to a location where it will be preserved to ensure the ID does not change across restarts. Note this key is currently only used today to generate the ID used in Docker info and for manifest schema v1 pushes. The key signature and finger on these manifests are not checked or used any longer for security, deprecated by notary. Removes old key migration from a pre-release of Docker which put the key under the home directory and was used to preserve ID used for swarm v1 after the file moved. closes moby#32135 Signed-off-by: Derek McGowan <derek@mcgstyle.net>
dmcgowan
force-pushed
the
trust-key-config
branch
from
0856d1f
to
e428c82
Compare
|
Renamed key and marked as hidden. Since it was hidden it will not show up in help, which was desired from the beginning. Thanks @dnephin for pointing out that feature. Further added comments explaining the state of this key and the intention to fully deprecate it. |
|
Looks like the docker/cli reference needs to be updated? ci is failing |
|
CI is failing but looks like a Jenkins problem, I restarted and failed with same error |
|
@thaJeztah thanks for re-triggering the tests. It's all green now! :) |
|
Yay! |
Allows storing key under any directory. In the case where the "/etc/docker" directory is not preserved, this file can be specified to a location where it will be preserved to ensure the ID does not change across restarts.
Note this key is currently only used today to generate the ID used in Docker info and for manifest schema v1 pushes. The key signature and finger on these manifests are not checked or used any longer for security, deprecated by notary.
Removes old key migration from a pre-release of Docker which put the key under the home directory and was used to preserve ID used for swarm v1 after the file moved.
closes #32135
ping @rogaha