models, containerd, ecs-agent, host-ctr: support registry credentials #1955
Conversation
etungsten
changed the title
etungsten
force-pushed
the
registry-credentials
branch
4 times, most recently
from
ec21e6e
to
313109f
Compare
etungsten
changed the title
etungsten
force-pushed
the
registry-credentials
branch
3 times, most recently
from
fe8ed66
to
b970624
Compare
|
@etungsten how much more work do you think is required to get this production ready? I'm just about to look at the steps to make Bottlerocket a production ready option for our clusters and #1227 is the final real hurdle. Our current pattern for AL2 is to persist a read only set of Docker credentials to /var/lib/kubelet/config.json as part of the bootstrap, these credentials are rotated in the LT which will be applied to new instances. Our nodes are usually replaced within 2 weeks and always updated within 4 weeks. We'd like to follow the same pattern with Bottlerocket including the full node replacement (we're not going to use the built in OS update). |
|
Hi @stevehipwell , thanks for reaching out. Unfortunately I can't give a firm date on when this feature will be in a formal release. There are still discussions to be had on these changes. Feel free to subscribe to notifications as I update this PR. I'll also try to be as detailed as I can in the PR description to give a sense of what the progress is. In general, once this PR gets merged, it would most likely be in the next minor release after that. |
|
Push above sets up mount points for directories for where we write out configuration files that might contain secrets so we can set up selinux labels for them |
etungsten
force-pushed
the
registry-credentials
branch
5 times, most recently
from
0fa9f03
to
bd66dc7
Compare
etungsten
force-pushed
the
registry-credentials
branch
from
bd66dc7
to
a170cef
Compare
|
Push above fixes the mount unit so that the SElinux labels actually apply to the mount directory. Tested things and they all still work as expected. Also tried accessing the container runtime configuration files from an unprivileged container and it fails as expected: Checked |
|
Push above adds settings descriptions to the README and the migrations for the new setting. |
etungsten
force-pushed
the
registry-credentials
branch
from
81c18ee
to
6cad549
Compare
etungsten
force-pushed
the
registry-credentials
branch
from
6cad549
to
0679f0b
Compare
|
Push above fixes a typo caught by @webern |
etungsten
force-pushed
the
registry-credentials
branch
from
0679f0b
to
5208e2a
Compare
etungsten
force-pushed
the
registry-credentials
branch
from
5208e2a
to
fee9e86
Compare
|
Push above fixes the key name for |
| {{#if (eq registry "docker.io" )}} | ||
| [plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth] | ||
| {{else}} | ||
| [plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth] | ||
| {{/if}} |
There was a problem hiding this comment.
There's a potential edge case if someone specifies docker.io and registry-1.docker.io, where we'd end up with two entries. Not sure if that's worth handling though, especially if it doesn't cause an error in the client. I'd be OK with undefined or non-deterministic behavior.
There was a problem hiding this comment.
Good call out. I tested this and containerd does complain about duplicate entries and then refuse to start:
Mar 04 00:27:32 containerd[124031]: containerd: failed to load TOML: /etc/containerd/config.toml: (37, 2): duplicated tables
Mar 04 00:27:32 systemd[1]: containerd.service: Main process exited, code=exited, status=1/FAILURE
Mar 04 00:27:32 systemd[1]: containerd.service: Failed with result 'exit-code'.
Mar 04 00:27:32 systemd[1]: Failed to start containerd container runtime.
But I kinda see setting both docker.io and registry-1.docker.io akin to setting the same registry twice which would also make containerd fail.
We do not enforce uniqueness of the registries in the container-registry.credentials settings model. We would essentially need to wrap Vec<RegistryCredential> into its own settings model type that would special case docker.io and enforce uniqueness of the registry field. Lemme know what you think!
There was a problem hiding this comment.
Alternatively, I can remove this conditional and we can just make users specify registry-1.docker.io when they want to set up credentials for dockerhub. And for ECS variants, https://index.docker.io/v1/.
There was a problem hiding this comment.
I'm good with your current approach, after further thought and based on our discussion out of band.
Without the conditional, on aws-ecs-1 to override registry credentials for Docker Hub, you'd need to specify both so that host-ctr and ecs-agent both get the form they expect (and ignore the other form). That's awkward and confusing enough that it's worth the extra bit implementation effort to paper over it.
sources/api/migration/migrations/v1.7.0/container-registry-credentials-metadata/src/main.rs
Outdated
Show resolved
Hide resolved
etungsten
force-pushed
the
registry-credentials
branch
from
fee9e86
to
4e7ee35
Compare
|
Push above rebases onto latest develop. |
etungsten
force-pushed
the
registry-credentials
branch
2 times, most recently
from
b3659de
to
eaf229b
Compare
etungsten
force-pushed
the
registry-credentials
branch
from
eaf229b
to
7c8add9
Compare
etungsten
force-pushed
the
registry-credentials
branch
from
7c8add9
to
cefccdf
Compare
|
Push above moves the migrations to |
The title is truncated because it was too long, but the message is still there. |
etungsten
force-pushed
the
registry-credentials
branch
from
cefccdf
to
ff0d7db
Compare
|
Push above fixes typo found by @arnaldo2792 |
|
Tested migration again and it still works as expected |
This adds support for configuring registry auth credentials when pulling images. The setting is used to render containerd, ecs-agent configuration to enable authenticated pulls with the configured auth information.
host-ctr will set up the custom resolver's authorizer based on the registry credentials information stored in host-ctr.toml.
…rectories containerd,ecs-agent,host-ctr: add context to configuration directory mounts We set selinux labels to the mount options so that under-privileged processes won't be able to read registry credential secrets from the container runtime configuration files.
etungsten
force-pushed
the
registry-credentials
branch
from
ff0d7db
to
6f59a59
Compare
|
Push above rebases to fix conflicts in |
Issue number:
Resolves #1227
Description of changes:
Testing done:
I created a private docker image registry, "docker.io/etungsten/nginx", that's just a clone of the nginx image repository.
Registry credentials is provided via apiclient in the control container like so:
For ECS variants:
The affected-services all restart as expected.
The rendered ECS configuration file:
Ran an ECS tasks that runs the nginx image from my private registry. The task runs successfully.
Checking ECS agent logs. The image gets pulled successfully using the creds I provided
For K8s variants:
The affected-services all restart as expected.
The rendered containerd configuration:
I'm able to run a K8s pod that has a nginx container that pulls from my private registry, the manifest:
containerd logs shows it gets pulled successfully:
The pod runs successfully:
For host-containers:
The rendered host-ctr configuration:
I specified an nginx host-container via user-data:
After configuring my registry credentials via apiclient, the host-container is able to pull the image and start:
To test selinux changes, I tried accessing the container runtime configuration files from an unprivileged container and it fails as expected:
Checked
dmesgon the host and I see AVC denials as expected:Tested migration and they worked as expected. On downgrade the new credential settings gets deleted as expected and the OS boots up fine.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.