Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

parse image pull auth from env #1382

Merged
merged 3 commits into from
Jul 27, 2023

Conversation

sctb512
Copy link
Contributor

@sctb512 sctb512 commented Jul 24, 2023

Details

This commit attempts to avoid loading auth from the nydusd configuration file, which is insecure for users. The auth loaded from env will overwrite the auth loaded from file if it is not null.

Types of changes

What types of changes does your PullRequest introduce? Put an x in all the boxes that apply:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation Update (if none of the other choices apply)

Checklist

Go over all the following points, and put an x in all the boxes that apply.

  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.

@sctb512 sctb512 requested a review from a team as a code owner July 24, 2023 09:42
@sctb512 sctb512 requested review from liubin, luodw and adamqqqplay and removed request for a team July 24, 2023 09:42
@anolis-bot
Copy link
Collaborator

@sctb512 , a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86636

@codecov
Copy link

codecov bot commented Jul 24, 2023

Codecov Report

Merging #1382 (db0c32a) into master (0c01dac) will increase coverage by 0.05%.
The diff coverage is 82.75%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1382      +/-   ##
==========================================
+ Coverage   46.27%   46.33%   +0.05%     
==========================================
  Files         122      122              
  Lines       37975    38032      +57     
  Branches    37975    38032      +57     
==========================================
+ Hits        17574    17621      +47     
- Misses      19478    19487       +9     
- Partials      923      924       +1     
Files Changed Coverage Δ
src/bin/nydusd/main.rs 0.19% <0.00%> (-0.01%) ⬇️
api/src/config.rs 71.43% <94.11%> (+0.91%) ⬆️

... and 2 files with indirect coverage changes

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

src/bin/nydusd/main.rs Outdated Show resolved Hide resolved
@jiangliu
Copy link
Collaborator

jiangliu commented Jul 25, 2023

There's a PR to enable passing nydusd configuration information through pipe instead of a file, seems these two PRs are both to enhance the security of auth info. So what's the relationship between the two PRs?

#1379

@sctb512
Copy link
Contributor Author

sctb512 commented Jul 25, 2023

There's a PR to enable passing nydusd configuration information through pipe instead of a file, seems these two PRs are both to enhance the security of auth info. So what's the relationship between the two PRs?

The PR #1379 attempts to propose an interface for nydus-snapshotter to update configuration (including auth). This PR avoids loading auth from disk when starting nydusd. I think they are not in conflict with each other.

In short, we can parse auth from the environment variable and update it via pipe.

@anolis-bot
Copy link
Collaborator

@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86777

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

api/src/config.rs Outdated Show resolved Hide resolved
@anolis-bot
Copy link
Collaborator

@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86968

api/src/http.rs Outdated
@@ -31,6 +31,8 @@ pub struct ApiMountCmd {
pub fs_type: String,
/// Configuration for the filesystem.
pub config: String,
/// Authorization for private registry.
pub auth: Option<String>,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this extension needed? I think callers should merge the auth info into config.

Copy link
Contributor Author

@sctb512 sctb512 Jul 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are correct. Fixed it.

@anolis-bot
Copy link
Collaborator

@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87003

@anolis-bot
Copy link
Collaborator

@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87006

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

Copy link
Member

@adamqqqplay adamqqqplay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can prefix the first commit log with nydusd? nydusd: parse image pull auth from env

@anolis-bot
Copy link
Collaborator

@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87150

@sctb512
Copy link
Contributor Author

sctb512 commented Jul 27, 2023

Maybe we can prefix the first commit log with nydusd? nydusd: parse image pull auth from env

Done.

Copy link
Member

@adamqqqplay adamqqqplay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@anolis-bot
Copy link
Collaborator

@sctb512 , The CI test is completed, please check result:

Test CaseTest Result
build rust golang image✅ SUCCESS
compile nydusd✅ SUCCESS
compile ctr remote✅ SUCCESS
compile nydus snapshotter✅ SUCCESS
run container with rafs✅ SUCCESS
run container with zran✅ SUCCESS
run container with rafs and compile linux✅ SUCCESS

Congratulations, your test job passed!

Copy link
Contributor

@changweige changweige left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@changweige changweige merged commit 82ebd11 into dragonflyoss:master Jul 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants