From a185b301fce67caadc9ddbccf3f8adf03e053b4f Mon Sep 17 00:00:00 2001
From: Erikson Tung
Date: Mon, 14 Feb 2022 17:26:10 -0800
Subject: [PATCH 1/6] models, containerd, ecs-agent: add 'container-registry.credentials'
This adds support for configuring registry auth credentials when pulling images. The setting is used to render containerd, ecs-agent configuration to enable authenticated pulls with the configured auth information.
---
 .../containerd/containerd-config-toml_k8s | 22 +++++++++++++++++++
 .../containerd-config-toml_k8s_nvidia | 22 +++++++++++++++++++
 packages/ecs-agent/ecs.config | 16 ++++++++++++++
 .../shared-defaults/docker-services.toml | 11 +++++++++-
 .../{50-aws-ecs-1.toml => 52-aws-ecs-1.toml} | 4 ++++
 sources/models/src/lib.rs | 12 ++++++++++
 6 files changed, 86 insertions(+), 1 deletion(-)
 rename sources/models/src/aws-ecs-1/defaults.d/{50-aws-ecs-1.toml => 52-aws-ecs-1.toml} (82%)
diff --git a/packages/containerd/containerd-config-toml_k8s b/packages/containerd/containerd-config-toml_k8s
index c3aecedd754..58bb6c83ba8 100644
--- a/packages/containerd/containerd-config-toml_k8s
+++ b/packages/containerd/containerd-config-toml_k8s
@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}
diff --git a/packages/containerd/containerd-config-toml_k8s_nvidia b/packages/containerd/containerd-config-toml_k8s_nvidia
index 75c9b267e7c..2c593a8b584 100644
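Review bot: The credential values are interpolated into TOML strings with triple-stache (`username = "{{{username}}}"`, `password = "{{{password}}}"`, `identitytoken = "{{{identitytoken}}}"`) and the table key with `"{{registry}}"`, so a value containing `"` or `\` yields a config containerd cannot parse, or a string that terminates early and continues as further keys. `auth` is `ValidBase64` and safe, but the other fields are `SingleLineString`; unless that type rejects quotes and backslashes (not visible here) they should pass through a TOML-escaping helper, or the model should reject those characters. The same applies to the containerd-config-toml_k8s_nvidia hunk, to the host-ctr-toml hunk in patch 3, and to ecs.config, where the values land inside JSON wrapped in a single-quoted shell value. Since the rendered config.toml now carries secrets, it is also worth confirming its file mode is not world-readable; the mode is not visible in this series.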
--- a/packages/containerd/containerd-config-toml_k8s_nvidia
+++ b/packages/containerd/containerd-config-toml_k8s_nvidia
@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )~}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}
diff --git a/packages/ecs-agent/ecs.config b/packages/ecs-agent/ecs.config
index 402e67cfdf8..12fa033b031 100644
--- a/packages/ecs-agent/ecs.config
+++ b/packages/ecs-agent/ecs.config
@@ -1,2 +1,18 @@
 ECS_LOGFILE=/var/log/ecs/ecs-agent.log
 ECS_LOGLEVEL="{{settings.ecs.loglevel}}"
+{{#if settings.container-registry.credentials~}}
+ECS_ENGINE_AUTH_TYPE=dockercfg
+ECS_ENGINE_AUTH_DATA='{
+ {{~#each settings.container-registry.credentials~}}
+ {{~#unless @first~}},{{~/unless~}}
+ {{~#if (eq registry "docker.io" )~}}
+ "https://index.docker.io/v1/":
+ {{~else~}}
+ "{{registry}}":
+ {{~/if~}}
+ {"email": "."
+ {{~#if auth~}},"auth": "{{{auth}}}"{{/if}}
+ {{~#if username~}},"username": "{{{username}}}"{{/if}}
+ {{~#if password~}},"password": "{{{password}}}"}{{/if}}
+ {{~/each~}}}}'
+{{/if}}
diff --git a/sources/models/shared-defaults/docker-services.toml b/sources/models/shared-defaults/docker-services.toml
index 799670ee17d..2d3f0c661c0 100644
--- a/sources/models/shared-defaults/docker-services.toml
+++ b/sources/models/shared-defaults/docker-services.toml
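Review bot: The closing brace of each per-registry object in ECS_ENGINE_AUTH_DATA is emitted inside the password conditional, `{{~#if password~}},"password": "{{{password}}}"}{{/if}}`, so a credential configured with only `auth` (or a username without a password) renders an object that is never closed and the agent receives invalid JSON. Move the brace outside the conditional: `{{~#if password~}},"password": "{{{password}}}"{{/if}}}`. The `identitytoken` field added to the model in this same patch is not rendered here; if dockercfg cannot carry it, a one-line template comment saying so would save the next reader from looking for a bug.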
@@ -6,6 +6,15 @@ configuration-files = ["docker-daemon-config", "proxy-env"]
 path = "/etc/docker/daemon.json"
 template-path = "/usr/share/templates/docker-daemon-json"
-# Image registries
+# Image registries. Retained for backwards compatibility, but superseded by the
+# more specific metadata for mirrors and credentials.
 [metadata.settings.container-registry]
 affected-services = ["docker", "host-containers", "bootstrap-containers"]
+
+# Image registry mirrors
+[metadata.settings.container-registry.mirrors]
+affected-services = ["docker", "host-containers", "bootstrap-containers"]
+
+# Image registry credentials
+[metadata.settings.container-registry.credentials]
+affected-services = ["host-containers", "bootstrap-containers"]
diff --git a/sources/models/src/aws-ecs-1/defaults.d/50-aws-ecs-1.toml b/sources/models/src/aws-ecs-1/defaults.d/52-aws-ecs-1.toml
similarity index 82%
rename from sources/models/src/aws-ecs-1/defaults.d/50-aws-ecs-1.toml
rename to sources/models/src/aws-ecs-1/defaults.d/52-aws-ecs-1.toml
index 4339cbc2cf3..0eb26a9b4f8 100644
--- a/sources/models/src/aws-ecs-1/defaults.d/50-aws-ecs-1.toml
+++ b/sources/models/src/aws-ecs-1/defaults.d/52-aws-ecs-1.toml
@@ -22,3 +22,7 @@ service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "dock
 # Network
 [metadata.settings.network]
 affected-services = ["containerd", "docker", "ecs", "host-containerd", "host-containers"]
+
+# Image registry credentials
+[metadata.settings.container-registry.credentials]
+affected-services = ["ecs", "host-containers", "bootstrap-containers"]
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
index 39ab11f7011..af03235e8b2 100644
--- a/sources/models/src/lib.rs
+++ b/sources/models/src/lib.rs
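Review bot: The new `[metadata.settings.container-registry.credentials]` tables name only `host-containers` and `bootstrap-containers` here and additionally `ecs` in 52-aws-ecs-1.toml, while patch 1 also renders the credentials into the Kubernetes containerd templates, and no Kubernetes defaults file appears in this series' diffstat. If the Kubernetes variants do not pick up an `affected-services` entry naming `containerd` from somewhere else, a change to `settings.container-registry.credentials` would not re-render or restart containerd on those variants; I cannot tell from this hunk whether such an entry already exists.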
@@ -202,6 +202,16 @@ struct RegistryMirror {
 endpoint: Vec,
 }
+#[model]
+struct RegistryCredential {
+ registry: SingleLineString,
+ username: SingleLineString,
+ password: SingleLineString,
+ // This is the base64 encoding of "username:password"
+ auth: ValidBase64,
+ identitytoken: SingleLineString,
+}
+
 // Image registry settings for the container runtimes.
 #[model]
 struct RegistrySettings {
@@ -211,6 +221,8 @@ struct RegistrySettings {
 deserialize_with = "deserialize_mirrors"
 )]
 mirrors: Vec,
+ #[serde(alias = "creds", default, skip_serializing_if = "Option::is_none")]
+ credentials: Vec,
 }
 // Update settings. Taken from userdata. The 'seed' setting is generated
From 068bb47b6951c9d2a207341a8d39419e6128a6eb Mon Sep 17 00:00:00 2001
From: Erikson Tung
Date: Mon, 14 Feb 2022 16:20:38 -0800
Subject: [PATCH 2/6] host-ctr: move registryHosts to the registry pkg
---
 sources/host-ctr/cmd/host-ctr/main.go | 54 +------------------
 sources/host-ctr/cmd/host-ctr/main_test.go | 4 +-
 sources/host-ctr/cmd/host-ctr/registry.go | 61 ++++++++++++++++++++++
 3 files changed, 65 insertions(+), 54 deletions(-)
diff --git a/sources/host-ctr/cmd/host-ctr/main.go b/sources/host-ctr/cmd/host-ctr/main.go
index 059cc1e257c..523a286620b 100644
--- a/sources/host-ctr/cmd/host-ctr/main.go
+++ b/sources/host-ctr/cmd/host-ctr/main.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "io/ioutil"
 "math/rand"
- "net/url"
 "os"
 "os/signal"
 "regexp"
@@ -916,7 +915,7 @@ func withDynamicResolver(ctx context.Context, ref string, registryConfig *Regist
 if registryConfig != nil {
 defaultResolver = func(_ *containerd.Client, c *containerd.RemoteContext) error {
 resolver := docker.NewResolver(docker.ResolverOptions{
- Hosts: registryHosts(registryConfig, docker.NewDockerAuthorizer()),
+ Hosts: registryHosts(registryConfig, nil),
 })
 c.Resolver = resolver
 return nil
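Review bot: `RegistryCredential` has no doc comment, unlike `RegistrySettings` directly below it, and three of its fields are secrets; I would add `// Credentials used by the container runtimes to authenticate to an image registry; 'password', 'auth' and 'identitytoken' are secrets.` above its `#[model]`. The element type of `credentials: Vec,` is stripped in this rendering, so I cannot confirm it is `RegistryCredential`. `mirrors` is read through `deserialize_with = "deserialize_mirrors"` while `credentials` takes the default `Vec` deserialization; if that custom deserializer exists to accept an alternative input shape, credentials probably wants the same treatment, which is worth confirming.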
@@ -974,7 +973,7 @@ func withDynamicResolver(ctx context.Context, ref string, registryConfig *Regist
 })
 authorizer := docker.NewDockerAuthorizer(authOpt)
 resolverOpt := docker.ResolverOptions{
- Hosts: registryHosts(registryConfig, authorizer),
+ Hosts: registryHosts(registryConfig, &authorizer),
 }
 return func(_ *containerd.Client, c *containerd.RemoteContext) error {
@@ -988,52 +987,3 @@ func withDynamicResolver(ctx context.Context, ref string, registryConfig *Regist
 return defaultResolver
 }
 }
-
-// registryHosts returns the registry hosts to be used by the resolver.
-// Heavily borrowed from containerd CRI plugin's implementation with the auth related configuration omitted.
-// See /~https://github.com/containerd/cri/blob/f6026296a3991010429db91e7e677f9c9d4861ab/pkg/server/image_pull.go#L314-L315
-// FIXME Replace this once there's a public containerd client interface that supports registry mirrors
-func registryHosts(registryConfig *RegistryConfig, authorizer docker.Authorizer) docker.RegistryHosts {
- return func(host string) ([]docker.RegistryHost, error) {
- var (
- registries []docker.RegistryHost
- endpoints []string
- )
- if _, ok := registryConfig.Mirrors[host]; ok {
- endpoints = registryConfig.Mirrors[host].Endpoints
- } else {
- endpoints = registryConfig.Mirrors["*"].Endpoints
- }
- defaultHost, err := docker.DefaultHost(host)
- if err != nil {
- return nil, errors.Wrap(err, "get default host")
- }
- endpoints = append(endpoints, defaultHost)
-
- for _, endpoint := range endpoints {
- // Prefix the endpoint with an appropriate URL scheme if the endpoint does not have one.
- if !strings.Contains(endpoint, "://") {
- if endpoint == "localhost" || endpoint == "127.0.0.1" || endpoint == "::1" {
- endpoint = "http://" + endpoint
- } else {
- endpoint = "https://" + endpoint
- }
- }
- url, err := url.Parse(endpoint)
- if err != nil {
- return nil, errors.Wrapf(err, "parse registry endpoint %q from mirrors", endpoint)
- }
- if url.Path == "" {
- url.Path = "/v2"
- }
- registries = append(registries, docker.RegistryHost{
- Authorizer: authorizer,
- Host: url.Host,
- Scheme: url.Scheme,
- Path: url.Path,
- Capabilities: docker.HostCapabilityResolve | docker.HostCapabilityPull,
- })
- }
- return registries, nil
- }
-}
diff --git a/sources/host-ctr/cmd/host-ctr/main_test.go b/sources/host-ctr/cmd/host-ctr/main_test.go
index 877f4199f7f..fdd39d697be 100644
--- a/sources/host-ctr/cmd/host-ctr/main_test.go
+++ b/sources/host-ctr/cmd/host-ctr/main_test.go
@@ -139,7 +139,7 @@ func TestRegistryHosts(t *testing.T) {
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
- f := registryHosts(&tc.config, docker.NewDockerAuthorizer())
+ f := registryHosts(&tc.config, nil)
 result, err := f(tc.host)
 assert.NoError(t, err)
 assert.Equal(t, tc.expected, result)
@@ -155,7 +155,7 @@ func TestBadRegistryHosts(t *testing.T) {
 Endpoints: []string{"$#%#$$#%#$"},
 },
 },
- }, docker.NewDockerAuthorizer())
+ }, nil)
 _, err := f("docker.io")
 assert.Error(t, err)
 }
diff --git a/sources/host-ctr/cmd/host-ctr/registry.go b/sources/host-ctr/cmd/host-ctr/registry.go
index 722a7158f9d..066a134f21e 100644
--- a/sources/host-ctr/cmd/host-ctr/registry.go
+++ b/sources/host-ctr/cmd/host-ctr/registry.go
@@ -1,8 +1,12 @@
 package main
 import (
+ "github.com/containerd/containerd/remotes/docker"
 "github.com/pelletier/go-toml"
+ "github.com/pkg/errors"
 "io/ioutil"
+ "net/url"
+ "strings"
 )
 // Mirror contains the config related to the registry mirror
@@ -25,3 +29,60 @@ func NewRegistryConfig(registryConfigFile string) (*RegistryConfig, error) {
 config := RegistryConfig{}
 return &config, toml.Unmarshal(raw, &config)
 }
+
+// registryHosts returns the registry hosts to be used by the resolver.
+// Heavily borrowed from containerd CRI plugin's implementation.
+// See /~https://github.com/containerd/containerd/blob/1407cab509ff0d96baa4f0eb6ff9980270e6e620/pkg/cri/server/image_pull.go#L332-L405
+// authorizerOverride lets the caller override the generated authorizer with a custom authorizer
+// FIXME Replace this once there's a public containerd client interface that supports registry mirrors
+func registryHosts(registryConfig *RegistryConfig, authorizerOverride *docker.Authorizer) docker.RegistryHosts {
+ return func(host string) ([]docker.RegistryHost, error) {
+ var (
+ registries []docker.RegistryHost
+ endpoints []string
+ authorizer docker.Authorizer
+ )
+ // Set up endpoints for the registry
+ if _, ok := registryConfig.Mirrors[host]; ok {
+ endpoints = registryConfig.Mirrors[host].Endpoints
+ } else {
+ endpoints = registryConfig.Mirrors["*"].Endpoints
+ }
+ defaultHost, err := docker.DefaultHost(host)
+ if err != nil {
+ return nil, errors.Wrap(err, "get default host")
+ }
+ endpoints = append(endpoints, defaultHost)
+
+ for _, endpoint := range endpoints {
+ // Prefix the endpoint with an appropriate URL scheme if the endpoint does not have one.
+ if !strings.Contains(endpoint, "://") {
+ if endpoint == "localhost" || endpoint == "127.0.0.1" || endpoint == "::1" {
+ endpoint = "http://" + endpoint
+ } else {
+ endpoint = "https://" + endpoint
+ }
+ }
+ url, err := url.Parse(endpoint)
+ if err != nil {
+ return nil, errors.Wrapf(err, "parse registry endpoint %q from mirrors", endpoint)
+ }
+ if url.Path == "" {
+ url.Path = "/v2"
+ }
+ if authorizerOverride == nil {
+ authorizer = docker.NewDockerAuthorizer()
+ } else {
+ authorizer = *authorizerOverride
+ }
+ registries = append(registries, docker.RegistryHost{
+ Authorizer: authorizer,
+ Host: url.Host,
+ Scheme: url.Scheme,
+ Path: url.Path,
+ Capabilities: docker.HostCapabilityResolve | docker.HostCapabilityPull,
+ })
+ }
+ return registries, nil
+ }
+}
From 3d7b77007abd6d94d731db35a3ad75cdf4474654 Mon Sep 17 00:00:00 2001
From: Erikson Tung
Date: Mon, 14 Feb 2022 17:03:36 -0800
Subject: [PATCH 3/6] host-ctr: configure resolver's registry auth based on registry config
host-ctr will set up the custom resolver's authorizer based on the registry credentials information stored in host-ctr.toml.
---
 packages/host-ctr/clarify.toml | 5 ++
 packages/host-ctr/host-ctr.spec | 3 +-
 packages/os/host-ctr-toml | 22 ++++++++
 sources/host-ctr/cmd/host-ctr/registry.go | 61 ++++++++++++++++++++---
 sources/host-ctr/go.mod | 1 +
 sources/host-ctr/go.sum | 40 +++++++++++++++
 6 files changed, 125 insertions(+), 7 deletions(-)
 create mode 100644 packages/host-ctr/clarify.toml
diff --git a/packages/host-ctr/clarify.toml b/packages/host-ctr/clarify.toml
new file mode 100644
index 00000000000..3fa231bd3ec
--- /dev/null
+++ b/packages/host-ctr/clarify.toml
@@ -0,0 +1,5 @@
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+ { path = "LICENSE", hash = 0xcdf3ae00 },
+]
diff --git a/packages/host-ctr/host-ctr.spec b/packages/host-ctr/host-ctr.spec
index 24134010b7c..bd43bc52f0f 100644
--- a/packages/host-ctr/host-ctr.spec
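Review bot: `authorizerOverride *docker.Authorizer` is a pointer to an interface, which is what forces the callers in main.go to pass `nil` and `&authorizer` in this same patch; an interface value is already nilable, so the parameter can be `authorizerOverride docker.Authorizer`, the branch becomes `} else { authorizer = authorizerOverride }`, and the callers pass `nil` and `authorizer` directly. Separately, the `if authorizerOverride == nil` block sits inside `for _, endpoint := range endpoints`, so a fresh `docker.NewDockerAuthorizer()` is built for every endpoint where the version removed from main.go shared one; hoisting the selection above the loop restores that. The cost of the per-endpoint construction grows in patch 3, where each authorizer also gets its own HTTP transport. The `registryHosts` definition is complete within this hunk.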
+++ b/packages/host-ctr/host-ctr.spec
@@ -12,6 +12,7 @@ Requires: %{_cross_os}containerd
 Source10: host-containerd.service
 Source11: host-containerd-tmpfiles.conf
 Source12: host-containerd-config.toml
+Source1000: clarify.toml
 %description
 %{summary}.
@@ -37,7 +38,7 @@ install -p -m 0644 %{S:11} %{buildroot}%{_cross_tmpfilesdir}/host-containerd.con
 install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/host-containerd
 install -p -m 0644 %{S:12} %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/host-containerd/config.toml
-%cross_scan_attribution go-vendor vendor
+%cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 %files
 %{_cross_attribution_vendor_dir}
diff --git a/packages/os/host-ctr-toml b/packages/os/host-ctr-toml
index 52043c3e8cb..4c847a5bb10 100644
--- a/packages/os/host-ctr-toml
+++ b/packages/os/host-ctr-toml
@@ -4,3 +4,25 @@
 endpoints = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )~}}
+[creds."registry-1.docker.io"]
+{{else}}
+[creds."{{registry}}"]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}
diff --git a/sources/host-ctr/cmd/host-ctr/registry.go b/sources/host-ctr/cmd/host-ctr/registry.go
index 066a134f21e..76a9bc42d2d 100644
--- a/sources/host-ctr/cmd/host-ctr/registry.go
+++ b/sources/host-ctr/cmd/host-ctr/registry.go
@@ -1,22 +1,37 @@
 package main
 import (
+ "net"
+ "net/http"
+ "net/url"
+ "strings"
+ "time"
+
+ "github.com/containerd/containerd/pkg/cri/server"
 "github.com/containerd/containerd/remotes/docker"
 "github.com/pelletier/go-toml"
 "github.com/pkg/errors"
 "io/ioutil"
- "net/url"
- "strings"
+ runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
 // Mirror contains the config related to the registry mirror
 type Mirror struct {
- Endpoints []string
+ Endpoints []string `toml:"endpoints,omitempty"`
+}
+
+// Credential contains a registry credential
+type Credential struct {
+ Username string `toml:"username,omitempty"`
+ Password string `toml:"password,omitempty"`
+ Auth string `toml:"auth,omitempty"`
+ IdentityToken string `toml:"identitytoken,omitempty"`
 }
 // RegistryConfig contains the config related to a image registry
 type RegistryConfig struct {
- Mirrors map[string]Mirror
+ Mirrors map[string]Mirror `toml:"mirrors,omitempty"`
+ Credentials map[string]Credential `toml:"creds,omitempty"`
 }
 // NewRegistryConfig unmarshalls a registry configuration file and sets up a RegistryConfig
@@ -40,7 +55,7 @@ func registryHosts(registryConfig *RegistryConfig, authorizerOverride *docker.Au
 var (
 registries []docker.RegistryHost
 endpoints []string
- authorizer docker.Authorizer
+ authConfig runtime.AuthConfig
 )
 // Set up endpoints for the registry
 if _, ok := registryConfig.Mirrors[host]; ok {
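Review bot: `Credential` is documented only as "contains a registry credential"; the meaning of `Auth` is stated in the Rust model of patch 1 (`// This is the base64 encoding of "username:password"`) but not here where it is consumed, so I would add `// Auth is the base64 encoding of "username:password" (see RegistryCredential in sources/models/src/lib.rs).` and a sentence noting that `Password`, `Auth` and `IdentityToken` are secrets and must not be logged. The `RegistryConfig` comment could likewise say that `Credentials` is keyed by registry host, since the lookups added in the later hunk depend on that key matching what `docker.DefaultHost` returns. On style, the import block is now grouped with the standard library first, but `"io/ioutil"` stays in the third-party group; it belongs alongside `"net"` through `"time"`.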
@@ -70,8 +85,24 @@ func registryHosts(registryConfig *RegistryConfig, authorizerOverride *docker.Au
 if url.Path == "" {
 url.Path = "/v2"
 }
+ var authorizer docker.Authorizer
 if authorizerOverride == nil {
- authorizer = docker.NewDockerAuthorizer()
+ // Set up auth for pulling from registry
+ var authOpts []docker.AuthorizerOpt
+ if _, ok := registryConfig.Credentials[defaultHost]; ok {
+ // Convert registry credentials config to runtime auth config, so it can be parsed by `ParseAuth`
+ authConfig.Username = registryConfig.Credentials[defaultHost].Username
+ authConfig.Password = registryConfig.Credentials[defaultHost].Password
+ authConfig.Auth = registryConfig.Credentials[defaultHost].Auth
+ authConfig.IdentityToken = registryConfig.Credentials[defaultHost].IdentityToken
+ authOpts = append(authOpts, docker.WithAuthClient(&http.Client{
+ Transport: newTransport(),
+ }))
+ authOpts = append(authOpts, docker.WithAuthCreds(func(host string) (string, string, error) {
+ return server.ParseAuth(&authConfig, host)
+ }))
+ }
+ authorizer = docker.NewDockerAuthorizer(authOpts...)
 } else {
 authorizer = *authorizerOverride
 }
@@ -86,3 +117,21 @@ func registryHosts(registryConfig *RegistryConfig, authorizerOverride *docker.Au
 return registries, nil
 }
 }
+
+// newTransport is borrowed from containerd CRI plugin
+// See /~https://github.com/containerd/containerd/blob/1407cab509ff0d96baa4f0eb6ff9980270e6e620/pkg/cri/server/image_pull.go#L466-L481
+// FIXME Replace this once containerd creates a library that shares this code with ctr
+func newTransport() *http.Transport {
+ return &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ FallbackDelay: 300 * time.Millisecond,
+ }).DialContext,
+ MaxIdleConns: 10,
+ IdleConnTimeout: 30 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 5 * time.Second,
+ }
+}
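Review bot: The `WithAuthCreds` callback ignores its `host` argument and always returns the credentials looked up for `defaultHost`, and the authorizer carrying them is attached to every `RegistryHost` built in the loop, including the configured mirror endpoints. As far as I can tell the authorizer hands this callback the host of the request that was challenged, so a mirror that answers 401 would be sent the upstream registry's username/password or token; unless mirrors are meant to receive those credentials, the lookup should use the `host` the callback receives, which for the default endpoint is the same key `docker.DefaultHost` produced, and return empty credentials when there is no entry (what the CRI plugin does for an unconfigured host; confirm against the containerd version in use). The whole authorizer, including the `http.Client` with `newTransport()`, is also built inside `for _, endpoint := range endpoints`, so each endpoint gets its own connection pool; constructing it once before the loop also lets the closure-level `authConfig` variable introduced in the previous hunk go away. `registryHosts` begins before this hunk; the sketch below replaces the per-endpoint authorizer block.
```go
	// … unchanged: mirror endpoint collection, defaultHost lookup …
	// Build one authorizer per registry and resolve credentials for the host
	// that actually issued the challenge, not for defaultHost.
	var authorizer docker.Authorizer
	if authorizerOverride == nil {
		authOpts := []docker.AuthorizerOpt{
			docker.WithAuthClient(&http.Client{Transport: newTransport()}),
			docker.WithAuthCreds(func(host string) (string, string, error) {
				cred, ok := registryConfig.Credentials[host]
				if !ok {
					// No credentials configured for this host: proceed anonymously.
					return "", "", nil
				}
				// Convert to the runtime auth config understood by ParseAuth.
				authConfig := runtime.AuthConfig{
					Username:      cred.Username,
					Password:      cred.Password,
					Auth:          cred.Auth,
					IdentityToken: cred.IdentityToken,
				}
				return server.ParseAuth(&authConfig, host)
			}),
		}
		authorizer = docker.NewDockerAuthorizer(authOpts...)
	} else {
		authorizer = *authorizerOverride
	}
	for _, endpoint := range endpoints {
		// … unchanged: scheme prefixing, url parsing, RegistryHost append using authorizer …
	}
```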
diff --git a/sources/host-ctr/go.mod b/sources/host-ctr/go.mod index 32f7a9ff284..154990a0522 100644 --- a/sources/host-ctr/go.mod +++ b/sources/host-ctr/go.mod @@ -24,6 +24,7 @@ require ( golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 // indirect google.golang.org/genproto v0.0.0-20220202230416-2a053f022f0d // indirect google.golang.org/grpc v1.44.0 // indirect + k8s.io/cri-api v0.20.6 ) replace github.com/Sirupsen/logrus => github.com/sirupsen/logrus v1.6.0 diff --git a/sources/host-ctr/go.sum b/sources/host-ctr/go.sum index af06e41e776..2290d068491 100644 --- a/sources/host-ctr/go.sum +++ b/sources/host-ctr/go.sum @@ -179,6 +179,7 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S github.com/containerd/fifo v1.0.0 h1:6PirWBr9/L7GDamKr+XM0IeUFXu5mf3M/BPpH9gaLBU= github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= +github.com/containerd/go-cni v1.0.2 h1:YbJAhpTevL2v6u8JC1NhCYRwf+3Vzxcc5vGnYoJ7VeE= github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= 
@@ -188,9 +189,11 @@ github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDX github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0= github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= +github.com/containerd/imgcrypt v1.1.1 h1:LBwiTfoUsdiEGAR1TpvxE+Gzt7469oVu87iR3mv3Byc= github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= +github.com/containerd/nri v0.1.0 h1:6QioHRlThlKh2RkRTR4kIT3PKAcrLo3gIWnjkM4dQmQ= github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM= github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= 
@@ -212,11 +215,14 @@ github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1Dv github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI= github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= +github.com/containernetworking/plugins v0.9.1 h1:FD1tADPls2EEi3flPc2OegIY1M9pUa9r2Quag7HMLV8= github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= +github.com/containers/ocicrypt v1.1.1 h1:prL8l9w3ntVqXvNH1CiNn5ENjcCnr38JqpSyvKKB4GI= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
@@ -227,9 +233,11 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= 
@@ -265,14 +273,17 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= +github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 h1:cenwrSVm+Z7QLSV/BsnenAOcDXdX4cMv4wP0B/5QbPg= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -286,6 +297,7 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= @@ -300,6 +312,7 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= 
@@ -316,9 +329,11 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8= github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= @@ -379,6 +394,7 @@ github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
@@ -440,6 +456,7 @@ github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52Cu github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= @@ -480,6 +497,7 @@ github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vq github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/pkcs11 v1.0.3 h1:iMwmD7I5225wv84WxIG/bmxz9AXjWvTWIbM/TYHvWtw= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 
@@ -491,11 +509,14 @@ github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= +github.com/moby/sys/symlink v0.1.0 h1:MTFZ74KtNI6qQQpuBxU+uKCim4WtOMokr03hCfJcazE= github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= 
@@ -639,6 +660,7 @@ github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOHPEbXzO3vnmx2gok1Tfs31Q8GQqKLc8vVqyQq/I= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -655,6 +677,7 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/tchap/go-patricia v2.2.6+incompatible h1:JvoDL7JSoIP2HDE8AbDH3zC8QBPxmzYe32HHy5yQ+Ck= github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= 
@@ -691,6 +714,7 @@ go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= +go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= @@ -716,6 +740,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -794,6 +819,7 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -881,6 +907,7 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -897,6 +924,7 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s= golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -965,6 +993,7 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -1041,11 +1070,13 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= 
@@ -1073,15 +1104,19 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= +k8s.io/api v0.20.6 h1:bgdZrW++LqgrLikWYNruIKAtltXbSCX2l5mJu11hrVE= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.6 h1:R5p3SlhaABYShQSO6LpPsYHjV05Q+79eBUR0Ut/f4tk= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= +k8s.io/apiserver v0.20.6 h1:NnVriMMOpqQX+dshbDoZixqmBhfgrPk2uOh2fzp9vHE= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= +k8s.io/client-go v0.20.6 h1:nJZOfolnsVtDtbGJNCxzOtKUAu7zvXjB8+pMo9UNxZo= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= 
@@ -1090,16 +1125,19 @@ k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMY k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= +k8s.io/cri-api v0.20.6 h1:iXX0K2pRrbR8yXbZtDK/bSnmg/uSqIFiVJK1x4LUOMc= k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
@@ -1108,6 +1146,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyz sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.3 h1:4oyYo8NREp49LBBhKxEqCulFjg26rawYKrnCmg+Sr6c= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= From b70f94592b3a3f066134372afea5b1d58913517b Mon Sep 17 00:00:00 2001 From: Erikson Tung Date: Mon, 21 Feb 2022 17:38:28 -0800 Subject: [PATCH 4/6] ecs-agent, host-ctr, containerd: add mount units for configuration directories containerd,ecs-agent,host-ctr: add context to configuration directory mounts We set selinux labels to the mount options so that under-privileged processes won't be able to read registry credential secrets from the container runtime configuration files. --- packages/containerd/containerd.spec | 7 ++++++- packages/containerd/etc-containerd.mount | 16 ++++++++++++++++ packages/ecs-agent/ecs-agent.spec | 8 +++++++- packages/ecs-agent/etc-ecs.mount | 16 ++++++++++++++++ packages/host-ctr/etc-host-containers.mount.in | 16 ++++++++++++++++ packages/host-ctr/host-ctr.spec | 7 +++++++ 6 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 packages/containerd/etc-containerd.mount create mode 100644 packages/ecs-agent/etc-ecs.mount create mode 100644 packages/host-ctr/etc-host-containers.mount.in 
diff --git a/packages/containerd/containerd.spec b/packages/containerd/containerd.spec index e9bdc89a39a..781c5a7000a 100644 --- a/packages/containerd/containerd.spec +++ b/packages/containerd/containerd.spec @@ -20,6 +20,10 @@ Source2: containerd-config-toml_k8s Source3: containerd-config-toml_basic Source4: containerd-config-toml_k8s_nvidia Source5: containerd-tmpfiles.conf + +# Mount for writing containerd configuration +Source100: etc-containerd.mount + Source1000: clarify.toml # TODO: submit this upstream, including a unit test. @@ -72,7 +76,7 @@ do done install -d %{buildroot}%{_cross_unitdir} -install -p -m 0644 %{S:1} %{buildroot}%{_cross_unitdir}/containerd.service +install -p -m 0644 %{S:1} %{S:100} %{buildroot}%{_cross_unitdir} install -d %{buildroot}%{_cross_templatedir} install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/containerd @@ -93,6 +97,7 @@ install -p -m 0644 %{S:5} %{buildroot}%{_cross_tmpfilesdir}/containerd.conf %{_cross_bindir}/containerd-shim-runc-v2 %{_cross_bindir}/ctr %{_cross_unitdir}/containerd.service +%{_cross_unitdir}/etc-containerd.mount %dir %{_cross_factorydir}%{_cross_sysconfdir}/containerd %{_cross_templatedir}/containerd-config-toml* %{_cross_tmpfilesdir}/containerd.conf diff --git a/packages/containerd/etc-containerd.mount b/packages/containerd/etc-containerd.mount new file mode 100644 index 00000000000..36be42424a1 --- /dev/null +++ b/packages/containerd/etc-containerd.mount @@ -0,0 +1,16 @@ +[Unit] +Description=Containerd Configuration Directory (/etc/containerd) +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target +After=selinux-policy-files.service +Wants=selinux-policy-files.service + +[Mount] +What=tmpfs +Where=/etc/containerd +Type=tmpfs +Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0 + +[Install] +WantedBy=preconfigured.target 
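Review bot: The `[Mount]` section of the new `etc-containerd.mount` sets no `mode=` option, so the tmpfs root comes up with tmpfs's default permissions (world-writable with the sticky bit), and only the `secret_t` label stands between an unprivileged local process and creating or replacing files in a directory meant to hold rendered registry credentials. Pinning the mode explicitly, e.g. `Options=nosuid,nodev,noexec,noatime,mode=0755,context=system_u:object_r:secret_t:s0`, keeps the DAC layer meaningful even on a host where the SELinux policy is permissive; a tighter mode may be possible if only root ever reads the rendered config, which this hunk does not show. The same omission is in `etc-ecs.mount` and `etc-host-containers.mount.in` later in this patch. The mount options do not govern the mode of the files rendered into the directory, so that is worth checking separately.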
diff --git a/packages/ecs-agent/ecs-agent.spec b/packages/ecs-agent/ecs-agent.spec index 162dee184ab..42b6c5b4d0e 100644 --- a/packages/ecs-agent/ecs-agent.spec +++ b/packages/ecs-agent/ecs-agent.spec @@ -42,6 +42,9 @@ Source108: pause-repositories # Bottlerocket-specific - version data can be set with linker options Source109: version.go +# Mount for writing ECS agent configuration +Source200: etc-ecs.mount + # Patches are numbered according to which source they apply to # Patches 0000 - 0999 apply to Source0 # Patches 1000 - 1999 apply to Source1 @@ -241,7 +244,9 @@ install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-eni %{buildroot}%{_c install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-ipam %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam install -D -p -m 0755 %{vpccni_gorepo}-%{vpccni_gitrev}/vpc-branch-eni %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni -install -D -p -m 0644 %{S:101} %{buildroot}%{_cross_unitdir}/ecs.service +install -d %{buildroot}%{_cross_unitdir} +install -D -p -m 0644 %{S:101} %{S:200} %{buildroot}%{_cross_unitdir} + install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config @@ -288,6 +293,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo} %{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam %{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni %{_cross_unitdir}/ecs.service +%{_cross_unitdir}/etc-ecs.mount %{_cross_tmpfilesdir}/ecs.conf %{_cross_sysctldir}/90-ecs.conf %{_cross_templatedir}/ecs.config diff --git a/packages/ecs-agent/etc-ecs.mount b/packages/ecs-agent/etc-ecs.mount new file mode 100644 index 00000000000..4f72fb14fdc --- /dev/null +++ b/packages/ecs-agent/etc-ecs.mount 
@@ -0,0 +1,16 @@ +[Unit] +Description=ECS agent Configuration Directory (/etc/ecs) +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target +After=selinux-policy-files.service +Wants=selinux-policy-files.service + +[Mount] +What=tmpfs +Where=/etc/ecs +Type=tmpfs +Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0 + +[Install] +WantedBy=preconfigured.target diff --git a/packages/host-ctr/etc-host-containers.mount.in b/packages/host-ctr/etc-host-containers.mount.in new file mode 100644 index 00000000000..ab90314e528 --- /dev/null +++ b/packages/host-ctr/etc-host-containers.mount.in @@ -0,0 +1,16 @@ +[Unit] +Description=Host containers Configuration Directory (/etc/host-containers) +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target +After=selinux-policy-files.service +Wants=selinux-policy-files.service + +[Mount] +What=tmpfs +Where=/etc/host-containers +Type=tmpfs +Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0 + +[Install] +WantedBy=preconfigured.target diff --git a/packages/host-ctr/host-ctr.spec b/packages/host-ctr/host-ctr.spec index bd43bc52f0f..3c5038c751a 100644 --- a/packages/host-ctr/host-ctr.spec +++ b/packages/host-ctr/host-ctr.spec @@ -12,6 +12,10 @@ Requires: %{_cross_os}containerd Source10: host-containerd.service Source11: host-containerd-tmpfiles.conf Source12: host-containerd-config.toml + +# Mount for writing host-ctr configuration +Source100: etc-host-containers.mount.in + Source1000: clarify.toml %description 
@@ -31,6 +35,8 @@ install -p -m 0755 host-ctr %{buildroot}%{_cross_bindir} install -d %{buildroot}%{_cross_unitdir} install -p -m 0644 %{S:10} %{buildroot}%{_cross_unitdir} +ETC_HOST_CONTAINERS=$(systemd-escape --path /etc/host-containers) +install -p -m 0644 %{S:100} %{buildroot}%{_cross_unitdir}/${ETC_HOST_CONTAINERS}.mount install -d %{buildroot}%{_cross_tmpfilesdir} install -p -m 0644 %{S:11} %{buildroot}%{_cross_tmpfilesdir}/host-containerd.conf @@ -44,6 +50,7 @@ install -p -m 0644 %{S:12} %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/ %{_cross_attribution_vendor_dir} %{_cross_bindir}/host-ctr %{_cross_unitdir}/host-containerd.service +%{_cross_unitdir}/*.mount %{_cross_tmpfilesdir}/host-containerd.conf %{_cross_factorydir}%{_cross_sysconfdir}/host-containerd/config.toml From 20a7ddde1a5aec97dcf92da8d904be9de558a3e9 Mon Sep 17 00:00:00 2001 From: Erikson Tung Date: Mon, 28 Feb 2022 18:19:17 -0800 Subject: [PATCH 5/6] README: add info about "settings.container-registry.credentials" --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index fc315fec134..13d48957426 100644 --- a/README.md +++ b/README.md 
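Review bot: The `%files` entry `%{_cross_unitdir}/*.mount` is a glob where every other unit in this spec is listed by name, so any stray `.mount` file that lands in the buildroot later would be packaged silently. Because the unit name is computed with `systemd-escape --path /etc/host-containers` in `%install`, the explicit form would be `%{_cross_unitdir}/etc-host\x2dcontainers.mount`; if the backslash is awkward in the spec, a comment such as `# /etc/host-containers escapes to etc-host\x2dcontainers.mount` next to the glob would at least record why the wildcard is used.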
@@ -453,6 +453,30 @@ When pulling an image from a registry, the container runtime will try the endpoi For [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) images from Amazon ECR private repositories, registry mirrors are currently unsupported. +The following setting is optional and allows you to configure image registry credentials. +* `settings.container-registry.credentials`: An array of container images registry credential settings. Each element specifies the registry and the credential information for said registry. +The credential fields map to [containerd's registry credential fields](/~https://github.com/containerd/containerd/blob/v1.6.0/docs/cri/registry.md#configure-registry-credentials), which in turn map to the fields in `.docker/config.json`. +It is recommended to programmatically set these settings via `apiclient` through the Bottlerocket control container and/or custom host-containers. + * An example `apiclient` call to set registry credentials for `gcr.io` and `docker.io` looks like this: + ```bash + apiclient set --json '{ + "container-registry": { + "credentials": [ + { + "registry": "gcr.io", + "username": "example_username", + "password": "example_password" + }, + { + "registry": "docker.io", + "auth": "example_base64_encoded_auth_string" + } + ] + } + }' + ``` +In addition to the container runtime daemons, these credential settings will also apply to [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) image pulls as well. + #### Updates settings * `settings.updates.metadata-base-url`: The common portion of all URIs used to download update metadata. From 6f59a594ca258bea2d68c4c19ee6e9e065cf2cd2 Mon Sep 17 00:00:00 2001 
From: Erikson Tung Date: Mon, 28 Feb 2022 18:40:20 -0800 Subject: [PATCH 6/6] migrations: add migrations for 'settings.container-registry.credentials' --- Release.toml | 2 ++ sources/Cargo.lock | 14 +++++++++ sources/Cargo.toml | 2 ++ .../Cargo.toml | 10 ++++++ .../src/main.rs | 31 +++++++++++++++++++ .../container-registry-credentials/Cargo.toml | 10 ++++++ .../src/main.rs | 22 +++++++++++++ 7 files changed, 91 insertions(+) create mode 100644 sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/Cargo.toml create mode 100644 sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/src/main.rs create mode 100644 sources/api/migration/migrations/v1.6.2/container-registry-credentials/Cargo.toml create mode 100644 sources/api/migration/migrations/v1.6.2/container-registry-credentials/src/main.rs diff --git a/Release.toml b/Release.toml index f69c590bb66..13fe2ced7f0 100644 --- a/Release.toml +++ b/Release.toml @@ -103,4 +103,6 @@ version = "1.6.1" "(1.6.0, 1.6.1)" = [] "(1.6.1, 1.6.2)" = [ "migrate_v1.6.2_add-cfsignal.lz4", + "migrate_v1.6.2_container-registry-credentials.lz4", + "migrate_v1.6.2_container-registry-credentials-metadata.lz4", ] diff --git a/sources/Cargo.lock b/sources/Cargo.lock index 4dbfa34c81b..d0a6014186f 100644 --- a/sources/Cargo.lock +++ b/sources/Cargo.lock @@ -708,6 +708,20 @@ dependencies = [ "cargo-readme", ] +[[package]] +name = "container-registry-credentials" +version = "0.1.0" +dependencies = [ + "migration-helpers", +] + +[[package]] +name = "container-registry-credentials-metadata" +version = "0.1.0" +dependencies = [ + "migration-helpers", +] + [[package]] name = "control-container-v0-5-2" version = "0.1.0" diff --git a/sources/Cargo.toml b/sources/Cargo.toml index 00ca69bda57..f1e83b25788 100644 --- a/sources/Cargo.toml +++ b/sources/Cargo.toml 
@@ -41,6 +41,8 @@ members = [ "api/migration/migrations/v1.6.0/public-admin-container-v0-7-4", "api/migration/migrations/v1.6.0/public-control-container-v0-5-5", "api/migration/migrations/v1.6.2/add-cfsignal", + "api/migration/migrations/v1.6.2/container-registry-credentials", + "api/migration/migrations/v1.6.2/container-registry-credentials-metadata", "bottlerocket-release", diff --git a/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/Cargo.toml b/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/Cargo.toml new file mode 100644 index 00000000000..fd549e10c55 --- /dev/null +++ b/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/Cargo.toml @@ -0,0 +1,10 @@ +[package] +name = "container-registry-credentials-metadata" +version = "0.1.0" +authors = ["Erikson Tung "] +license = "Apache-2.0 OR MIT" +edition = "2018" +publish = false + +[dependencies] +migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} diff --git a/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/src/main.rs b/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/src/main.rs new file mode 100644 index 00000000000..312d435f24a --- /dev/null +++ b/sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/src/main.rs 
@@ -0,0 +1,31 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added a new setting and `affected-services` metadata for `container-registry.credentials`
+/// We subdivided metadata for `container-registry` into `container-registry.mirrors` and `container-registry.credentials`
+/// This is for the docker variants where don't want to restart the docker daemon when credentials settings change.
+fn run() -> Result<()> {
+ migrate(AddMetadataMigration(&[
+ SettingMetadata {
+ metadata: &["affected-services"],
+ setting: "settings.container-registry.credentials",
+ },
+ SettingMetadata {
+ metadata: &["affected-services"],
+ setting: "settings.container-registry.mirrors",
+ },
+ ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// /~https://github.com/shepmaster/snafu/issues/110
+fn main() {
+ if let Err(e) = run() {
+ eprintln!("{}", e);
+ process::exit(1);
+ }
+}
diff --git a/sources/api/migration/migrations/v1.6.2/container-registry-credentials/Cargo.toml b/sources/api/migration/migrations/v1.6.2/container-registry-credentials/Cargo.toml
new file mode 100644
index 00000000000..a3b01c55bf6
--- /dev/null
+++ b/sources/api/migration/migrations/v1.6.2/container-registry-credentials/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "container-registry-credentials"
+version = "0.1.0"
+authors = ["Erikson Tung "]
+license = "Apache-2.0 OR MIT"
+edition = "2018"
+publish = false
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
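Review bot: The doc comment on `run` is three run-on notes, one missing its subject (`where don't want`), and it never says what the migration does to the data store; a single sentence such as `/// Adds affected-services metadata for settings.container-registry.credentials and settings.container-registry.mirrors; the Docker variants use this to avoid restarting the daemon when only credentials change.` would state the intent. If the pre-1.6.2 defaults keyed `affected-services` on the parent `settings.container-registry`, as the comment implies, this migration neither removes that parent entry going forward nor restores it on downgrade, which is worth confirming against how metadata is (re)populated at boot.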
diff --git a/sources/api/migration/migrations/v1.6.2/container-registry-credentials/src/main.rs b/sources/api/migration/migrations/v1.6.2/container-registry-credentials/src/main.rs
new file mode 100644
index 00000000000..b8fb5033867
--- /dev/null
+++ b/sources/api/migration/migrations/v1.6.2/container-registry-credentials/src/main.rs
@@ -0,0 +1,22 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::AddPrefixesMigration;
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added a new setting for configuring image credentials, `settings.container-registry.credentials`
+fn run() -> Result<()> {
+ migrate(AddPrefixesMigration(vec![
+ "settings.container-registry.credentials",
+ ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// /~https://github.com/shepmaster/snafu/issues/110
+fn main() {
+ if let Err(e) = run() {
+ eprintln!("{}", e);
+ process::exit(1);
+ }
+}
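Review bot: The doc comment on `run` only records that a setting was added, but the values under this prefix are registry secrets, so the downgrade behaviour deserves a sentence: if `AddPrefixesMigration` follows the usual pattern of a no-op forward and removing everything under the prefix backward, stored credentials are deleted on downgrade, e.g. `/// Adds the settings.container-registry.credentials prefix; on downgrade everything under it (including stored secrets) is removed.` Since the removed values are secrets, it is also worth confirming that the helper's removal path logs only keys and never values, as migration output may end up in journals or support bundles.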