The libtrust trust-key is only used for pushing legacy image manifests;
pushing these images has been deprecated, and we only need to be able
to push them in our CI.
This patch disables generating the trust-key (and related paths) unless
the DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE env-var is set (which we do in
our CI).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -985,17 +985,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S |
| 985 | 985 |
logrus.WithError(err).Warnf("unable to migrate engine ID; a new engine ID will be generated")
|
| 986 | 986 |
} |
| 987 | 987 |
|
| 988 |
- trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath) |
|
| 989 |
- if err != nil {
|
|
| 990 |
- return nil, err |
|
| 991 |
- } |
|
| 992 |
- |
|
| 993 |
- trustDir := filepath.Join(config.Root, "trust") |
|
| 994 |
- |
|
| 995 |
- if err := system.MkdirAll(trustDir, 0700); err != nil {
|
|
| 996 |
- return nil, err |
|
| 997 |
- } |
|
| 998 |
- |
|
| 999 | 988 |
// We have a single tag/reference store for the daemon globally. However, it's |
| 1000 | 989 |
// stored under the graphdriver. On host platforms which only support a single |
| 1001 | 990 |
// container OS, but multiple selectable graphdrivers, this means depending on which |
| ... | ... |
@@ -1057,10 +1046,22 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S |
| 1057 | 1057 |
MaxDownloadAttempts: *config.MaxDownloadAttempts, |
| 1058 | 1058 |
ReferenceStore: rs, |
| 1059 | 1059 |
RegistryService: registryService, |
| 1060 |
- TrustKey: trustKey, |
|
| 1061 | 1060 |
ContentNamespace: config.ContainerdNamespace, |
| 1062 | 1061 |
} |
| 1063 | 1062 |
|
| 1063 |
+ // This is a temporary environment variables used in CI to allow pushing |
|
| 1064 |
+ // manifest v2 schema 1 images to test-registries used for testing *pulling* |
|
| 1065 |
+ // these images. |
|
| 1066 |
+ if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
|
|
| 1067 |
+ imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath) |
|
| 1068 |
+ if err != nil {
|
|
| 1069 |
+ return nil, err |
|
| 1070 |
+ } |
|
| 1071 |
+ if err = system.MkdirAll(filepath.Join(config.Root, "trust"), 0700); err != nil {
|
|
| 1072 |
+ return nil, err |
|
| 1073 |
+ } |
|
| 1074 |
+ } |
|
| 1075 |
+ |
|
| 1064 | 1076 |
// containerd is not currently supported with Windows. |
| 1065 | 1077 |
// So sometimes d.containerdCli will be nil |
| 1066 | 1078 |
// In that case we'll create a local content store... but otherwise we'll use containerd |
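Review bot: The gate `os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != ""` in the second hunk treats any non-empty value as opt-in, so `=0` or `=false` still generates the key, and the daemon gives no sign that the deprecated path is active. A one-line warning inside the branch, e.g. `logrus.Warn("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE is set: generating libtrust key for deprecated schema 1 push")`, would let operators spot a non-CI daemon running with it. With the variable unset, `imgSvcConfig.TrustKey` stays nil; the push code that consumes it is not visible here, so it is worth confirming that it rejects a nil key rather than dereferencing it. The added comment should read `a temporary environment variable`. NewDaemon starts and ends outside both hunks.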
| ... | ... |
@@ -559,6 +559,7 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *testing.T) {
|
| 559 | 559 |
func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) {
|
| 560 | 560 |
// TODO: skip or update for Windows daemon |
| 561 | 561 |
os.Remove("/etc/docker/key.json")
|
| 562 |
+ c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
|
| 562 | 563 |
s.d.Start(c) |
| 563 | 564 |
s.d.Stop(c) |
| 564 | 565 |
|
| ... | ... |
@@ -1212,6 +1213,7 @@ func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *testing.T) {
|
| 1212 | 1212 |
} |
| 1213 | 1213 |
|
| 1214 | 1214 |
os.Remove("/etc/docker/key.json")
|
| 1215 |
+ c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1")
|
|
| 1215 | 1216 |
s.d.Start(c) |
| 1216 | 1217 |
s.d.Stop(c) |
| 1217 | 1218 |
|
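Review bot: Both tests now set `DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE`, so only the opt-in path is exercised and nothing asserts the new default, namely that a daemon started without the variable leaves `/etc/docker/key.json` absent. A companion test that removes the file, starts and stops the daemon without `c.Setenv`, and checks that `os.Stat` returns a not-exist error would pin that behaviour. Whether the value set by `c.Setenv` reaches the daemon process depends on how `s.d.Start` builds its environment, which is outside these hunks. Both test bodies continue past the visible lines.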