containerd · sctb512 · Aug 1, 2023 · Aug 1, 2023 · Aug 2, 2023 · Aug 2, 2023
diff --git a/config/config.go b/config/config.go
@@ -168,6 +168,7 @@ type AuthConfig struct {
 	// CRI proxy mode
 	EnableCRIKeychain   bool   `toml:"enable_cri_keychain"`
 	ImageServiceAddress string `toml:"image_service_address"`
+	EnableKeyring       bool   `toml:"enable_keyring"`
 }
 
 // Configure remote storage like container registry

diff --git a/config/daemonconfig/daemonconfig.go b/config/daemonconfig/daemonconfig.go
@@ -12,6 +12,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
 
 	"github.com/containerd/nydus-snapshotter/config"
 	"github.com/containerd/nydus-snapshotter/pkg/auth"
@@ -140,7 +141,7 @@ func DumpConfigString(c interface{}) (string, error) {
 
 // Achieve a daemon configuration from template or snapshotter's configuration
 func SupplementDaemonConfig(c DaemonConfig, imageID, snapshotID string,
-	vpcRegistry bool, labels map[string]string, params map[string]string) error {
+	vpcRegistry bool, labels map[string]string, params map[string]string, fn func(string, *auth.PassKeyChain) error) error {
 
 	image, err := registry.ParseImage(imageID)
 	if err != nil {
@@ -168,7 +169,16 @@ func SupplementDaemonConfig(c DaemonConfig, imageID, snapshotID string,
 		// when repository is public.
 		keyChain := auth.GetRegistryKeyChain(registryHost, imageID, labels)
 		c.Supplement(registryHost, image.Repo, snapshotID, params)
-		c.FillAuth(keyChain)
+		if config.IsKeyringEnabled() && fn != nil {
+			if err := fn(registryHost, keyChain); err != nil {
+				if errors.Is(err, unix.EINVAL) {
+					c.FillAuth(keyChain)
+				}
+				return err
+			}
+		} else {
+			c.FillAuth(keyChain)
+		}
 
 	// Localfs and OSS backends don't need any update,
 	// just use the provided config in template

diff --git a/config/global.go b/config/global.go
@@ -43,6 +43,10 @@ func IsFusedevSharedModeEnabled() bool {
 	return globalConfig.DaemonMode == DaemonModeShared
 }
 
+func IsKeyringEnabled() bool {
+	return globalConfig.origin.RemoteConfig.AuthConfig.EnableKeyring
+}
+
 func GetDaemonMode() DaemonMode {
 	return globalConfig.DaemonMode
 }

diff --git a/go.mod b/go.mod
@@ -17,6 +17,7 @@ require (
 	github.com/containerd/nri v0.3.0
 	github.com/containerd/stargz-snapshotter v0.14.3
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3
+	github.com/containers/ocicrypt v1.1.7
 	github.com/docker/cli v23.0.1+incompatible
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/google/go-containerregistry v0.13.0
@@ -38,15 +39,14 @@ require (
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/net v0.8.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.6.0
+	golang.org/x/sys v0.10.0
 	google.golang.org/grpc v1.53.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gotest.tools v2.2.0+incompatible
 	k8s.io/api v0.26.2
 	k8s.io/apimachinery v0.26.2
 	k8s.io/client-go v0.26.2
 	k8s.io/cri-api v0.27.0-alpha.3
-	github.com/containers/ocicrypt v1.1.7
 )
 
 require (
@@ -112,6 +112,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/locker v1.0.1
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
@@ -128,12 +129,15 @@ require (
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	golang.org/x/mod v0.9.0
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/oauth2 v0.6.0 // indirect
 	golang.org/x/term v0.6.0 // indirect
 	golang.org/x/text v0.8.0 // indirect
@@ -143,6 +147,7 @@ require (
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
@@ -151,11 +156,6 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
-	github.com/miekg/pkcs11 v1.1.1 // indirect
-	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 )
 
 retract (

diff --git a/go.sum b/go.sum
@@ -424,8 +424,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=

diff --git a/misc/snapshotter/config.toml b/misc/snapshotter/config.toml
@@ -79,6 +79,8 @@ kubeconfig_path = ""
 enable_cri_keychain = false
 # the target image service when using image proxy
 #image_service_address = "/run/containerd/containerd.sock"
+# Save auth to keyring and avoid dumping it to nydusd config file.
+enable_keyring = false
 
 [snapshot]
 # Let containerd use nydus-overlayfs mount helper

diff --git a/pkg/auth/cache.go b/pkg/auth/cache.go
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2023. Nydus Developers. All rights reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package auth
+
+import (
+	"sync"
+
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/nydus-snapshotter/pkg/utils/registry"
+	"github.com/golang/groupcache/lru"
+	"github.com/pkg/errors"
+)
+
+type Cache struct {
+	lock  sync.RWMutex
+	cache *lru.Cache
+}
+
+func NewCache() *Cache {
+	return &Cache{
+		cache: lru.New(30),
+	}
+}
+
+func (c *Cache) UpdateAuth(imageHost, auth string) error {
+	log.L.Debugf("update auth for %s", imageHost)
+	key, err := AddKeyring(imageHost, auth)
+	if err != nil {
+		return err
+	}
+	data, err := getData(key)
+	if err != nil {
+		return err
+	}
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	c.cache.Add(imageHost, data)
+
+	return nil
+}
+
+func (c *Cache) GetAuth(imageHost string) (string, error) {
+	log.L.Debugf("get auth for %s", imageHost)
+	if auth, ok := c.cache.Get(imageHost); ok {
+		return auth.(string), nil
+	}
+
+	data, err := SearchKeyring(imageHost)
+	if err != nil {
+		return "", errors.Wrap(err, "search key error")
+
+	}
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	c.cache.Add(imageHost, data)
+
+	return data, err
+}
+
+func (c *Cache) GetKeyChain(imageID string) (*PassKeyChain, error) {
+	image, err := registry.ParseImage(imageID)
+	if err != nil {
+		return nil, errors.Wrapf(err, "parse image %s", imageID)
+	}
+
+	cachedAuth, err := c.GetAuth(image.Host)
+	if err != nil {
+		return nil, err
+	}
+
+	keyChain, err := FromBase64(cachedAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	return &keyChain, nil
+}
diff --git a/pkg/auth/cache_test.go b/pkg/auth/cache_test.go
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2023. Nydus Developers. All rights reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCache_UpdateAuth(t *testing.T) {
+	A := assert.New(t)
+
+	cache := NewCache()
+
+	testKey1 := "docker.io"
+	testValue := "dXNlcjpwYXNzd29yZAo="
+	err := cache.UpdateAuth(testKey1, testValue)
+	A.NoError(err)
+
+	value, err := cache.GetAuth(testKey1)
+	A.NoError(err)
+	A.Equal(testValue, value)
+
+	keyChain, err := cache.GetKeyChain(testKey1)
+	A.NoError(err)
+	A.Equal(keyChain.ToBase64(), value)
+
+	value, err = cache.GetAuth("invalidKey")
+	A.ErrorContains(err, "required key not available")
+	A.Equal(value, "")
+
+	testInvalidAuthValue := "invalidAuthValue"
+	err = cache.UpdateAuth(testKey1, testInvalidAuthValue)
+	A.NoError(err)
+
+	keyChain, err = cache.GetKeyChain(testKey1)
+	A.ErrorContains(err, "invalid registry auth token")
+	A.Nil(keyChain)
+}