Adding an interface to the system socket to help nydusd obtain config #504
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #504 +/- ##
==========================================
+ Coverage 33.56% 33.61% +0.05%
==========================================
Files 65 65
Lines 8176 8259 +83
==========================================
+ Hits 2744 2776 +32
- Misses 5117 5167 +50
- Partials 315 316 +1
|
|
The link for this issue is not valid. |
I am confused why we need this API? Could you tell me more about this? |
|
Related to dragonflyoss/nydus#1361 |
My initial plan was to provide an API in nydusd to pass config from SN to nydusd, but this would require opening the socket before creating the daemon. The thread creating the daemon would need to block until the API server thread received the passed config. Similarly, in SN, it is necessary to block after sending the config until the daemon is created. In the original logic, once the SN establishes a connection with the socket, it is considered that the daemon has been created. I think such changes will have a significant impact, bringing many uncontrollable impacts. Therefore, the current solution is to request config from nydusd to SN. This will not change the original Logical framework, but also add control items that are compatible with the old version of nydusd. |
|
Is it possible only add the capability to nydus-snapshotter to share registry credentials to nydusd when nydusd requires it? |
|
I think in addition to considering that credentials cannot be persisted, we also need to consider how to promptly renew the registry token using the new registry user/pass when it changed (for example when a credential helper is used). And how nydusd can use the updated config when serving new images after the user updates the nydusd config (for example tune the prefetch setting). Therefore, I think it is feasible to have the snapshotter provide this API. |
|
Sorry, need rebase |
|
The method has changed, and now snapshotter supports providing backend config to nydus instead of writing files. |
|
Hello @sctb512 @changweige , I've submitted a Pull Request that introduces a new implementation approach. In this approach, the backend configuration's Auth information is not persisted. Instead, during the startup of nydusd, a URL is provided, and nydusd retrieves the Auth information by making a request to this URL. This design aims to enhance the security. Please review and share your thoughts on this approach. Thank you! |
|
@DarkMountain-wyz It seems we need to fix the CI. |
I will fix it. |
|
need rebase |
@changweige it has been rebased now. |
config/daemonconfig/fuse.go
Outdated
| c.Device.Backend.Config.Auth = backendAuth | ||
| c.Device.Backend.Config.RegistryToken = registryToken | ||
| return err | ||
| case BackendTypeOss: |
There was a problem hiding this comment.
The s3 backend should also be handled. :)
There was a problem hiding this comment.
Perhaps a more elegant way would be to use struct tags and reflect, for example:
type BackendConfig struct {
...
Auth string `json:"auth,omitempty" secret:"true"`
RegistryToken string `json:"registry_token,omitempty" secret:"true"`
AccessKeyID string `json:"access_key_id,omitempty" secret:"true"`
AccessKeySecret string `json:"access_key_secret,omitempty" secret:"true"`
...
}
There was a problem hiding this comment.
The
s3backend should also be handled. :)
Sorry for this, the s3 backend only be added in https://github.com/dragonflyoss/image-service/blob/631db29759f4dceacaa7ff80b845a9d0107beef5/api/src/config.rs#L520, not in snapshshotter, maybe we don't need to handle it first.
pkg/system/system.go
Outdated
| statusCode = http.StatusNotFound | ||
| return | ||
| } | ||
| jsonResponse(w, credentialConfig) |
There was a problem hiding this comment.
Maybe respond to the backendConfig directly here? In this way, when we add a new backend, we don't need to worry about handling miss here.
| default: | ||
| return errors.Errorf("unknown backend type %s", backendType) | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| func serializeWithSecretFilter(obj interface{}) map[string]interface{} { |
There was a problem hiding this comment.
Can we add a UT for this func?
config/config.go
Outdated
| EnableStargz bool `toml:"enable_stargz"` | ||
| EnableReferrerDetect bool `toml:"enable_referrer_detect"` | ||
| TarfsConfig TarfsConfig `toml:"tarfs"` | ||
| EnableCredentialSource bool `toml:"enable_credential_source"` |
There was a problem hiding this comment.
EnableBackendSource bool toml:"enable_backend_source"
config/daemonconfig/daemonconfig.go
Outdated
| @@ -124,11 +126,13 @@ type DeviceConfig struct { | |||
| // We don't have to persist configuration file for fscache since its configuration | |||
| // is passed through HTTP API. | |||
| func DumpConfigFile(c interface{}, path string) error { | |||
| if config.IsCredentialSourceEnabled() { | |||
pkg/manager/daemon_adaptor.go
Outdated
| @@ -25,6 +26,8 @@ import ( | |||
| "github.com/containerd/nydus-snapshotter/pkg/prefetch" | |||
| ) | |||
|
|
|||
| const endpointGetCredential string = "/api/v1/daemons/%s/credential" | |||
There was a problem hiding this comment.
const endpointGetBackend string = "/api/v1/daemons/%s/backend"
pkg/system/system.go
Outdated
| sc.router.HandleFunc(endpointGetCredential, sc.getCredential()).Methods(http.MethodGet) | ||
| } | ||
|
|
||
| func (sc *Controller) getCredential() func(w http.ResponseWriter, r *http.Request) { |
| require.Equal(t, newCfg.Device.Backend.Config.Proxy, cfg.Device.Backend.Config.Proxy) | ||
| require.Equal(t, newCfg.Device.Backend.Config.BlobURLScheme, cfg.Device.Backend.Config.BlobURLScheme) | ||
| require.NotEqual(t, newCfg.Device.Backend.Config.Auth, cfg.Device.Backend.Config.Auth) | ||
| } |
…ce of auth information This change introduces a new startup option, enable_backend_source, which controls whether the authentication information is persisted or not. By default, enable_backend_source is set to false, which means that the authentication information will be persisted. Signed-off-by: Guijie Wang <[email protected]>
… with secret tag This commit introduces a new function, serializeWithSecretFilter, which filters fields with the 'secret' tag and prevents them from being persisted to local storage when the value is true. Signed-off-by: Guijie Wang <[email protected]>
This commit introduces a new interface that allows nydusd to request backend configurations from the snapshotter via a Unix domain socket. Transferring all backend configs is to cope with the addition of different backend in the future. Signed-off-by: Guijie Wang <[email protected]>
Signed-off-by: Guijie Wang <[email protected]>
Signed-off-by: Guijie Wang <[email protected]>
Signed-off-by: Guijie Wang <[email protected]>
Signed-off-by: Guijie Wang <[email protected]>
Signed-off-by: Guijie Wang <[email protected]>
Issue
https://github.com/containerd/nydus-snapshotter/issues/388
Details