-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose trust key path in config #32587
Conversation
2ef65ea
to
3021157
Compare
In the future as we talked before we could get rid of the |
@rogaha I did look at that, I forgot we need to still do something when pushing old v1 manifests. Although the key we use for pushing those manifests can be completely ephemeral, it would require generating some sort of key. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wasn't sure if the path should now be configurable through the daemon.json, but if so, it may need some more changes
daemon/config/config.go
Outdated
@@ -101,7 +101,7 @@ type CommonConfig struct { | |||
RootDeprecated string `json:"graph,omitempty"` | |||
Root string `json:"data-root,omitempty"` | |||
SocketGroup string `json:"group,omitempty"` | |||
TrustKeyPath string `json:"-"` | |||
TrustKeyPath string `json:"key-path,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this actually work?
echo '{"debug":true,"key-path":"/hello-world.json"}' > /etc/docker/daemon.json
dockerd
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives don't match any configuration option: key-path
3021157
to
e0757be
Compare
@thaJeztah ugh, updated to add a flag as the config code requires. It is unfortunate adding a flag for this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some questions 😊
cli/flags/common.go
Outdated
@@ -69,6 +69,8 @@ func (commonOpts *CommonOptions) InstallFlags(flags *pflag.FlagSet) { | |||
flags.Var(opts.NewQuotedString(&tlsOptions.CertFile), "tlscert", "Path to TLS certificate file") | |||
flags.Var(opts.NewQuotedString(&tlsOptions.KeyFile), "tlskey", "Path to TLS key file") | |||
|
|||
flags.Var(opts.NewQuotedString(&commonOpts.TrustKey), "key-path", "Path to key file for ID and image signing") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we mention (default: /etc/docker/key.json
)? Not sure what the default is on Windows
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also; this is in common flags, so this allows me to use;
docker --key-path=/foobar info
But doing so doesn't make a difference for the ID
printed in docker info
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah that's very unusual use-case. I think we are going to use the key-path
as a dockerd
parameter only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes discussed with @dmcgowan earlier this week; and it needs to be moved to a different location so that it doesn't show up in the client
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 thanks for the update @thaJeztah!
74f1450
to
7030c90
Compare
Updated, option and flag are now daemon only |
👍 |
moving to code review |
@thaJeztah PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
ping @dnephin PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cli/flags/common.go
is in docker/cli
as well. It looks like we set cli.keyFile
but never use it. Can we delete this code from docker/cli
as well?
cmd/dockerd/config.go
Outdated
@@ -53,6 +55,8 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) { | |||
|
|||
flags.StringVar(&conf.MetricsAddress, "metrics-addr", "", "Set default address and port to serve the metrics api on") | |||
|
|||
flags.Var(opts.NewQuotedString(&conf.TrustKeyPath), "key-path", "Path to key file for ID and image signing") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the flag key-path
might not provide enough context to the user. Could this be trust-key-path
, or something like that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Problem is that it is not really used for trust anymore since the signatures are not checked and the ID is not in Swarm mode for cryptographic identity. It is basically just used for deprecated features and not something users will want to set themselves. I only added a flag because the config parser required having the flag as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case could we make the name deprecated-key-path
, and Also add
flags.MarkHidden("deprecated-key-path")
So we hide it from help.
If we expect it to be removed at some point we could use MarkDeprecated()
instead of hidden
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ping @dmcgowan.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Much prefer it to be MarkDeprecated()
. That would have probably saved me two days of head banging and hair pulling trying to find a way around a read-only /etc/docker
before I discovered this 😒
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paddy-hack I am currently banging my head - could you clue me in on what you ended up doing to support read-only /etc
?
It seems like the only solution would be to generate a JWK key manually and point to it with this config option, which seems subpar since dockerd clearly has the ability to generate a key on its own - it just refuses to generate it in any other directory...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "trustkey" has been removed in Docker 23.0 and up; support for pushing the legacy images was removed already (the only remaining purpose for libtrust), and Docker 23.0 now stores an "engine-id" file in /var/lib/docker/engine-id
(when using the default data location /var/lib/docker/
), and the daemon will no longer write a file to /etc/docker/
.
ls -l /var/lib/docker
total 88
drwx------ 2 root root 4096 May 25 2019 builder
drwx------ 5 root root 4096 Mar 18 2021 buildkit
drwx--x--- 3 root root 4096 Apr 4 20:45 containers
-rw------- 1 root root 59 Mar 7 12:15 engine-id
drwx------ 3 root root 4096 Jun 27 2022 image
drwxr-x--- 3 root root 4096 May 25 2019 network
drwx--x--- 81 root root 36864 Apr 4 20:49 overlay2
drwx------ 4 root root 4096 May 25 2019 plugins
drwx------ 2 root root 4096 Mar 28 12:19 runtimes
drwx------ 5 root root 4096 Mar 28 12:19 swarm
drwx------ 2 root root 4096 Apr 4 20:50 tmp
drwx------ 2 root root 4096 May 25 2019 trust
drwx-----x 5 root root 4096 Mar 28 12:19 volumes
For existing installations that have a /etc/docker/key.json
and are upgraded to 23.0, the key ID is copied to the engine-id
file (to keep the same "ID" in docker info
output). For fresh installs, or situations where no key.json
is present, a random ID (GUID) is generated, and used as ID.
For details, see these PRs;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@harrisonmg In my case, I was trying to mount a single docker-daemon.json
"file" from a Kubernetes ConfigMap on /etc/docker/
in any container our GitLab Runner would spin up for CI/CD jobs. Doing so resulted in /etc/docker/
becoming read-only so the daemon could no longer create a key.json
file at its default location. I worked around the issue by setting the deprecated-key-path
in my docker-daemon.json
file 😸
Like so
{
"deprecated-key-path": "/var/lib/docker/key.json",
"registry-mirrors": [
"https://docker-registry.mirror.internal"
]
}
@thaJeztah Unfortunately for me, I don't control the Docker versions that many of our CI/CD jobs want to use 😿
Allows storing key under any directory. In the case where the "/etc/docker" directory is not preserved, this file can be specified to a location where it will be preserved to ensure the ID does not change across restarts. Note this key is currently only used today to generate the ID used in Docker info and for manifest schema v1 pushes. The key signature and finger on these manifests are not checked or used any longer for security, deprecated by notary. Removes old key migration from a pre-release of Docker which put the key under the home directory and was used to preserve ID used for swarm v1 after the file moved. closes moby#32135 Signed-off-by: Derek McGowan <derek@mcgstyle.net>
0856d1f
to
e428c82
Compare
Renamed key and marked as hidden. Since it was hidden it will not show up in help, which was desired from the beginning. Thanks @dnephin for pointing out that feature. Further added comments explaining the state of this key and the intention to fully deprecate it. |
Looks like the docker/cli reference needs to be updated? ci is failing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM when CI is green
CI is failing but looks like a Jenkins problem, I restarted and failed with same error |
@thaJeztah thanks for re-triggering the tests. It's all green now! :) |
Yay! |
Allows storing key under any directory. In the case where the "/etc/docker" directory is not preserved, this file can be specified to a location where it will be preserved to ensure the ID does not change across restarts.
Note this key is currently only used today to generate the ID used in Docker info and for manifest schema v1 pushes. The key signature and finger on these manifests are not checked or used any longer for security, deprecated by notary.
Removes old key migration from a pre-release of Docker which put the key under the home directory and was used to preserve ID used for swarm v1 after the file moved.
closes #32135
ping @rogaha