-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
parse image pull auth from env #1382
Conversation
@sctb512 , a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86636 |
Codecov Report
@@ Coverage Diff @@
## master #1382 +/- ##
==========================================
+ Coverage 46.27% 46.33% +0.05%
==========================================
Files 122 122
Lines 37975 38032 +57
Branches 37975 38032 +57
==========================================
+ Hits 17574 17621 +47
- Misses 19478 19487 +9
- Partials 923 924 +1
|
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
There's a PR to enable passing nydusd configuration information through pipe instead of a file, seems these two PRs are both to enhance the security of auth info. So what's the relationship between the two PRs? |
The PR #1379 attempts to propose an interface for nydus-snapshotter to update configuration (including auth). This PR avoids loading auth from disk when starting In short, we can parse auth from the environment variable and update it via pipe. |
cce27cc
to
f74f0fa
Compare
@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86777 |
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
f74f0fa
to
b387c7f
Compare
@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/86968 |
api/src/http.rs
Outdated
@@ -31,6 +31,8 @@ pub struct ApiMountCmd { | |||
pub fs_type: String, | |||
/// Configuration for the filesystem. | |||
pub config: String, | |||
/// Authorization for private registry. | |||
pub auth: Option<String>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this extension needed? I think callers should merge the auth info into config
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are correct. Fixed it.
b387c7f
to
e272663
Compare
@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87003 |
e272663
to
be5a0e2
Compare
@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87006 |
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we can prefix the first commit log with nydusd? nydusd: parse image pull auth from env
Signed-off-by: Bin Tang <[email protected]>
Signed-off-by: Bin Tang <[email protected]>
Signed-off-by: Bin Tang <[email protected]>
be5a0e2
to
db0c32a
Compare
@sctb512 , the code has been updated, so a new test job has been submitted. Please wait in patience. The test job url: https://tone.openanolis.cn/ws/nrh4nnio/test_result/87150 |
Done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thanks!
@sctb512 , The CI test is completed, please check result:
Congratulations, your test job passed! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks
Details
This commit attempts to avoid loading auth from the nydusd configuration file, which is insecure for users. The auth loaded from env will overwrite the auth loaded from file if it is not null.
Types of changes
What types of changes does your PullRequest introduce? Put an
x
in all the boxes that apply:Checklist
Go over all the following points, and put an
x
in all the boxes that apply.