models, containerd, ecs-agent, host-ctr: support registry credentials

README.md

@@ -453,6 +453,30 @@ When pulling an image from a registry, the container runtime will try the endpoi
 
 For [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) images from Amazon ECR private repositories, registry mirrors are currently unsupported.
 
+The following setting is optional and allows you to configure image registry credentials.
+* `settings.container-registry.credentials`: An array of container images registry credential settings. Each element specifies the registry and the credential information for said registry.
+The credential fields map to [containerd's registry credential fields](/~https://github.com/containerd/containerd/blob/v1.6.0/docs/cri/registry.md#configure-registry-credentials), which in turn map to the fields in `.docker/config.json`.
+It is recommended to programmatically set these settings via `apiclient` through the Bottlerocket control container and/or custom host-containers.
+  * An example `apiclient` call to set registry credentials for `gcr.io` and `docker.io` looks like this:
+  ```bash
+  apiclient set --json '{
+    "container-registry": {
+      "credentials": [
+        {
+          "registry": "gcr.io",
+          "username": "example_username",
+          "password": "example_password"
+        },
+        {
+          "registry": "docker.io",
+          "auth": "example_base64_encoded_auth_string"
+        }
+      ]
+    }
+  }'
+  ```
+In addition to the container runtime daemons, these credential settings will also apply to [host-container](#host-containers-settings) and [bootstrap-container](#bootstrap-containers-settings) image pulls as well.
+
 #### Updates settings
 
 * `settings.updates.metadata-base-url`: The common portion of all URIs used to download update metadata.

Release.toml

@@ -103,4 +103,6 @@ version = "1.6.1"
 "(1.6.0, 1.6.1)" = []
 "(1.6.1, 1.6.2)" = [
     "migrate_v1.6.2_add-cfsignal.lz4",
+    "migrate_v1.6.2_container-registry-credentials.lz4",
+    "migrate_v1.6.2_container-registry-credentials-metadata.lz4",
 ]

packages/containerd/containerd-config-toml_k8s

@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}

packages/containerd/containerd-config-toml_k8s_nvidia

@@ -37,3 +37,25 @@ conf_dir = "/etc/cni/net.d"
 endpoint = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )~}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."registry-1.docker.io".auth]
+{{else}}
+[plugins."io.containerd.grpc.v1.cri".registry.configs."{{registry}}".auth]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}

packages/containerd/containerd.spec

@@ -20,6 +20,10 @@ Source2: containerd-config-toml_k8s
 Source3: containerd-config-toml_basic
 Source4: containerd-config-toml_k8s_nvidia
 Source5: containerd-tmpfiles.conf
+
+# Mount for writing containerd configuration
+Source100: etc-containerd.mount
+
 Source1000: clarify.toml
 
 # TODO: submit this upstream, including a unit test.
@@ -72,7 +76,7 @@ do
 done
 
 install -d %{buildroot}%{_cross_unitdir}
-install -p -m 0644 %{S:1} %{buildroot}%{_cross_unitdir}/containerd.service
+install -p -m 0644 %{S:1} %{S:100} %{buildroot}%{_cross_unitdir}
 
 install -d %{buildroot}%{_cross_templatedir}
 install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/containerd
@@ -93,6 +97,7 @@ install -p -m 0644 %{S:5} %{buildroot}%{_cross_tmpfilesdir}/containerd.conf
 %{_cross_bindir}/containerd-shim-runc-v2
 %{_cross_bindir}/ctr
 %{_cross_unitdir}/containerd.service
+%{_cross_unitdir}/etc-containerd.mount
 %dir %{_cross_factorydir}%{_cross_sysconfdir}/containerd
 %{_cross_templatedir}/containerd-config-toml*
 %{_cross_tmpfilesdir}/containerd.conf

packages/containerd/etc-containerd.mount

@@ -0,0 +1,16 @@
+[Unit]
+Description=Containerd Configuration Directory (/etc/containerd)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/containerd
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target

packages/ecs-agent/ecs-agent.spec

@@ -42,6 +42,9 @@ Source108: pause-repositories
 # Bottlerocket-specific - version data can be set with linker options
 Source109: version.go
 
+# Mount for writing ECS agent configuration
+Source200: etc-ecs.mount
+
 # Patches are numbered according to which source they apply to
 # Patches 0000 - 0999 apply to Source0
 # Patches 1000 - 1999 apply to Source1
@@ -241,7 +244,9 @@ install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-eni %{buildroot}%{_c
 install -D -p -m 0755 %{ecscni_gorepo}-%{ecscni_gitrev}/ecs-ipam %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 install -D -p -m 0755 %{vpccni_gorepo}-%{vpccni_gitrev}/vpc-branch-eni %{buildroot}%{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
 
-install -D -p -m 0644 %{S:101} %{buildroot}%{_cross_unitdir}/ecs.service
+install -d %{buildroot}%{_cross_unitdir}
+install -D -p -m 0644 %{S:101} %{S:200} %{buildroot}%{_cross_unitdir}
+
 install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf
 install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf
 install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config
@@ -288,6 +293,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo}
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 %{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
 %{_cross_unitdir}/ecs.service
+%{_cross_unitdir}/etc-ecs.mount
 %{_cross_tmpfilesdir}/ecs.conf
 %{_cross_sysctldir}/90-ecs.conf
 %{_cross_templatedir}/ecs.config

packages/ecs-agent/ecs.config

@@ -1,2 +1,18 @@
 ECS_LOGFILE=/var/log/ecs/ecs-agent.log
 ECS_LOGLEVEL="{{settings.ecs.loglevel}}"
+{{#if settings.container-registry.credentials~}}
+ECS_ENGINE_AUTH_TYPE=dockercfg
+ECS_ENGINE_AUTH_DATA='{
+    {{~#each settings.container-registry.credentials~}}
+    {{~#unless @first~}},{{~/unless~}}
+    {{~#if (eq registry "docker.io" )~}}
+    "https://index.docker.io/v1/":
+    {{~else~}}
+    "{{registry}}":
+    {{~/if~}}
+    {"email": "."
+        {{~#if auth~}},"auth": "{{{auth}}}"{{/if}}
+        {{~#if username~}},"username": "{{{username}}}"{{/if}}
+        {{~#if password~}},"password": "{{{password}}}"}{{/if}}
+    {{~/each~}}}}'
+{{/if}}

packages/ecs-agent/etc-ecs.mount

@@ -0,0 +1,16 @@
+[Unit]
+Description=ECS agent Configuration Directory (/etc/ecs)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/ecs
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target

packages/host-ctr/clarify.toml

@@ -0,0 +1,5 @@
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]

packages/host-ctr/etc-host-containers.mount.in

@@ -0,0 +1,16 @@
+[Unit]
+Description=Host containers Configuration Directory (/etc/host-containers)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=selinux-policy-files.service
+Wants=selinux-policy-files.service
+
+[Mount]
+What=tmpfs
+Where=/etc/host-containers
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime,context=system_u:object_r:secret_t:s0
+
+[Install]
+WantedBy=preconfigured.target

packages/host-ctr/host-ctr.spec

@@ -13,6 +13,11 @@ Source10: host-containerd.service
 Source11: host-containerd-tmpfiles.conf
 Source12: host-containerd-config.toml
 
+# Mount for writing host-ctr configuration
+Source100: etc-host-containers.mount.in
+
+Source1000: clarify.toml
+
 %description
 %{summary}.
 
@@ -30,19 +35,22 @@ install -p -m 0755 host-ctr %{buildroot}%{_cross_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:10} %{buildroot}%{_cross_unitdir}
+ETC_HOST_CONTAINERS=$(systemd-escape --path /etc/host-containers)
+install -p -m 0644 %{S:100} %{buildroot}%{_cross_unitdir}/${ETC_HOST_CONTAINERS}.mount
 
 install -d %{buildroot}%{_cross_tmpfilesdir}
 install -p -m 0644 %{S:11} %{buildroot}%{_cross_tmpfilesdir}/host-containerd.conf
 
 install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/host-containerd
 install -p -m 0644 %{S:12} %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/host-containerd/config.toml
 
-%cross_scan_attribution go-vendor vendor
+%cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files
 %{_cross_attribution_vendor_dir}
 %{_cross_bindir}/host-ctr
 %{_cross_unitdir}/host-containerd.service
+%{_cross_unitdir}/*.mount
 %{_cross_tmpfilesdir}/host-containerd.conf
 %{_cross_factorydir}%{_cross_sysconfdir}/host-containerd/config.toml
 

packages/os/host-ctr-toml

@@ -4,3 +4,25 @@
 endpoints = [{{join_array ", " endpoint }}]
 {{/each}}
 {{/if}}
+
+{{#if settings.container-registry.credentials}}
+{{#each settings.container-registry.credentials}}
+{{#if (eq registry "docker.io" )~}}
+[creds."registry-1.docker.io"]
+{{else}}
+[creds."{{registry}}"]
+{{/if}}
+{{#if username}}
+username = "{{{username}}}"
+{{/if}}
+{{#if password}}
+password = "{{{password}}}"
+{{/if}}
+{{#if auth}}
+auth = "{{{auth}}}"
+{{/if}}
+{{#if identitytoken}}
+identitytoken = "{{{identitytoken}}}"
+{{/if}}
+{{/each}}
+{{/if}}

sources/Cargo.toml

@@ -41,6 +41,8 @@ members = [
     "api/migration/migrations/v1.6.0/public-admin-container-v0-7-4",
     "api/migration/migrations/v1.6.0/public-control-container-v0-5-5",
     "api/migration/migrations/v1.6.2/add-cfsignal",
+    "api/migration/migrations/v1.6.2/container-registry-credentials",
+    "api/migration/migrations/v1.6.2/container-registry-credentials-metadata",
 
     "bottlerocket-release",
 

sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "container-registry-credentials-metadata"
+version = "0.1.0"
+authors = ["Erikson Tung <etung@amazon.com>"]
+license = "Apache-2.0 OR MIT"
+edition = "2018"
+publish = false
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

sources/api/migration/migrations/v1.6.2/container-registry-credentials-metadata/src/main.rs

@@ -0,0 +1,31 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added a new setting and `affected-services` metadata for `container-registry.credentials`
+/// We subdivided metadata for `container-registry` into `container-registry.mirrors` and `container-registry.credentials`
+/// This is for the docker variants where don't want to restart the docker daemon when credentials settings change.
+fn run() -> Result<()> {
+    migrate(AddMetadataMigration(&[
+        SettingMetadata {
+            metadata: &["affected-services"],
+            setting: "settings.container-registry.credentials",
+        },
+        SettingMetadata {
+            metadata: &["affected-services"],
+            setting: "settings.container-registry.mirrors",
+        },
+    ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// /~https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}

sources/api/migration/migrations/v1.6.2/container-registry-credentials/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "container-registry-credentials"
+version = "0.1.0"
+authors = ["Erikson Tung <etung@amazon.com>"]
+license = "Apache-2.0 OR MIT"
+edition = "2018"
+publish = false
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

sources/api/migration/migrations/v1.6.2/container-registry-credentials/src/main.rs

@@ -0,0 +1,22 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::AddPrefixesMigration;
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added a new setting for configuring image credentials, `settings.container-registry.credentials`
+fn run() -> Result<()> {
+    migrate(AddPrefixesMigration(vec![
+        "settings.container-registry.credentials",
+    ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// /~https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}