Skip to content

Commit

Permalink
Mirror repository rewrites (v1.1)
Browse files Browse the repository at this point in the history
Support CRI configuration to allow for request-time rewrite rules
applicable only to the repository portion of resource paths when pulling
images. Because the rewrites are applied at request time, images
themselves will not be "rewritten" -- images as stored by CRI (and the
underlying containerd facility) will continue to present as normal.

As an example, if you use the following config for your containerd:
```toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io/v2"]
       	  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
            "^library/(.*)" = "my-org/$1"
```

And then subsequently invoke `crictl pull alpine:3.13` it will pull
content from `docker.io/my-org/alpine:3.13` but still show up as
`docker.io/library/alpine:3.13` in the `crictl images` listing.

This commit has been reworked from the original implementation. Rewites
are now done when resolving instead of when building the request, so
that auth token scopes stored in the context properly reflect the
rewritten repository path. For the original implementation, see
06c4ea9.
Ref: k3s-io/k3s#11191 (comment)

Signed-off-by: Jacob Blain Christen <[email protected]>
Co-authored-by: Brad Davidson <[email protected]>
Signed-off-by: Brad Davidson <[email protected]>
  • Loading branch information
dweomer and brandond committed Dec 3, 2024
1 parent e30e02b commit 5d9043b
Show file tree
Hide file tree
Showing 6 changed files with 111 additions and 39 deletions.
17 changes: 17 additions & 0 deletions pkg/cri/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,23 @@ type Mirror struct {
// with host specified.
// The scheme, host and path from the endpoint URL will be used.
Endpoints []string `toml:"endpoint" json:"endpoint"`

// Rewrites are repository rewrite rules for a namespace. When fetching image resources
// from an endpoint and a key matches the repository via regular expression matching
// it will be replaced with the corresponding value from the map in the resource request.
//
// This example configures CRI to pull docker.io/library/* images from docker.io/my-org/*:
//
// [plugins]
// [plugins."io.containerd.grpc.v1.cri"]
// [plugins."io.containerd.grpc.v1.cri".registry]
// [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
// [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
// endpoint = ["https://registry-1.docker.io/v2"]
// [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
// "^library/(.*)" = "my-org/$1"
//
Rewrites map[string]string `toml:"rewrite" json:"rewrite"`
}

// AuthConfig contains the config related to authentication to a specific registry
Expand Down
19 changes: 19 additions & 0 deletions pkg/cri/server/image_pull.go
Original file line number Diff line number Diff line change
Expand Up @@ -449,6 +449,10 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
if err != nil {
return nil, fmt.Errorf("get registry endpoints: %w", err)
}
rewrites, err := c.registryRewrites(host)
if err != nil {
return nil, fmt.Errorf("get registry rewrites: %w", err)
}
for _, e := range endpoints {
u, err := url.Parse(e)
if err != nil {
Expand Down Expand Up @@ -503,6 +507,7 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
Scheme: u.Scheme,
Path: u.Path,
Capabilities: docker.HostCapabilityResolve | docker.HostCapabilityPull,
Rewrites: rewrites,
})
}
return registries, nil
Expand Down Expand Up @@ -565,6 +570,20 @@ func (c *criService) registryEndpoints(host string) ([]string, error) {
return append(endpoints, defaultScheme(defaultHost)+"://"+defaultHost), nil
}

func (c *criService) registryRewrites(host string) (map[string]string, error) {
var rewrites map[string]string
_, ok := c.config.Registry.Mirrors[host]
if ok {
rewrites = c.config.Registry.Mirrors[host].Rewrites
} else {
rewrites = c.config.Registry.Mirrors["*"].Rewrites
}
if rewrites == nil {
rewrites = map[string]string{}
}
return rewrites, nil
}

// newTransport returns a new HTTP transport used to pull image.
// TODO(random-liu): Create a library and share this code with `ctr`.
func newTransport() *http.Transport {
Expand Down
55 changes: 34 additions & 21 deletions remotes/docker/fetcher.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,14 +46,14 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
return nil, fmt.Errorf("no pull hosts: %w", errdefs.ErrNotFound)
}

ctx, err := ContextWithRepositoryScope(ctx, r.refspec, false)
if err != nil {
return nil, err
}

return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
// firstly try fetch via external urls
for _, us := range desc.URLs {
ctx, err := ContextWithRepositoryScope(ctx, r.refspec, false)
if err != nil {
return nil, err
}

u, err := url.Parse(us)
if err != nil {
log.G(ctx).WithError(err).Debugf("failed to parse %q", us)
Expand Down Expand Up @@ -101,8 +101,14 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R

var firstErr error
for _, host := range r.hosts {
req := r.request(host, http.MethodGet, "manifests", desc.Digest.String())
if err := req.addNamespace(r.refspec.Hostname()); err != nil {
base := r.withRewritesFromHost(host)
ctx, err := ContextWithRepositoryScope(ctx, base.refspec, false)
if err != nil {
return nil, err
}

req := base.request(host, http.MethodGet, "manifests", desc.Digest.String())
if err := req.addNamespace(base.refspec.Hostname()); err != nil {
return nil, err
}

Expand All @@ -124,8 +130,14 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
// Finally use blobs endpoints
var firstErr error
for _, host := range r.hosts {
req := r.request(host, http.MethodGet, "blobs", desc.Digest.String())
if err := req.addNamespace(r.refspec.Hostname()); err != nil {
base := r.withRewritesFromHost(host)
ctx, err := ContextWithRepositoryScope(ctx, base.refspec, false)
if err != nil {
return nil, err
}

req := base.request(host, http.MethodGet, "blobs", desc.Digest.String())
if err := req.addNamespace(base.refspec.Hostname()); err != nil {
return nil, err
}

Expand Down Expand Up @@ -153,8 +165,14 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
}

func (r dockerFetcher) createGetReq(ctx context.Context, host RegistryHost, ps ...string) (*request, int64, error) {
headReq := r.request(host, http.MethodHead, ps...)
if err := headReq.addNamespace(r.refspec.Hostname()); err != nil {
base := r.withRewritesFromHost(host)
ctx, err := ContextWithRepositoryScope(ctx, base.refspec, false)
if err != nil {
return nil, 0, err
}

headReq := base.request(host, http.MethodHead, ps...)
if err := headReq.addNamespace(base.refspec.Hostname()); err != nil {
return nil, 0, err
}

Expand All @@ -169,8 +187,8 @@ func (r dockerFetcher) createGetReq(ctx context.Context, host RegistryHost, ps .
return nil, 0, fmt.Errorf("unexpected HEAD status code %v: %s", headReq.String(), headResp.Status)
}

getReq := r.request(host, http.MethodGet, ps...)
if err := getReq.addNamespace(r.refspec.Hostname()); err != nil {
getReq := base.request(host, http.MethodGet, ps...)
if err := getReq.addNamespace(base.refspec.Hostname()); err != nil {
return nil, 0, err
}
return getReq, headResp.ContentLength, nil
Expand All @@ -185,15 +203,10 @@ func (r dockerFetcher) FetchByDigest(ctx context.Context, dgst digest.Digest) (i
return nil, desc, fmt.Errorf("no pull hosts: %w", errdefs.ErrNotFound)
}

ctx, err := ContextWithRepositoryScope(ctx, r.refspec, false)
if err != nil {
return nil, desc, err
}

var (
getReq *request
sz int64
firstErr error
getReq *request
sz int64
err, firstErr error
)

for _, host := range r.hosts {
Expand Down
16 changes: 9 additions & 7 deletions remotes/docker/pusher.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,10 +73,6 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
l.Lock(ref)
defer l.Unlock(ref)
}
ctx, err := ContextWithRepositoryScope(ctx, p.refspec, true)
if err != nil {
return nil, err
}
status, err := p.tracker.GetStatus(ref)
if err == nil {
if status.Committed && status.Offset == status.Total {
Expand Down Expand Up @@ -104,6 +100,12 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
host = hosts[0]
)

base := p.withRewritesFromHost(host)
ctx, err = ContextWithRepositoryScope(ctx, base.refspec, true)
if err != nil {
return nil, err
}

switch desc.MediaType {
case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex:
Expand All @@ -113,7 +115,7 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str
existCheck = []string{"blobs", desc.Digest.String()}
}

req := p.request(host, http.MethodHead, existCheck...)
req := base.request(host, http.MethodHead, existCheck...)
req.header.Set("Accept", strings.Join([]string{desc.MediaType, `*/*`}, ", "))

log.G(ctx).WithField("url", req.String()).Debugf("checking and pushing to")
Expand Down Expand Up @@ -163,11 +165,11 @@ func (p dockerPusher) push(ctx context.Context, desc ocispec.Descriptor, ref str

if isManifest {
putPath := getManifestPath(p.object, desc.Digest)
req = p.request(host, http.MethodPut, putPath...)
req = base.request(host, http.MethodPut, putPath...)
req.header.Add("Content-Type", desc.MediaType)
} else {
// Start upload request
req = p.request(host, http.MethodPost, "blobs", "uploads/")
req = base.request(host, http.MethodPost, "blobs", "uploads/")

mountedFrom := ""
var resp *http.Response
Expand Down
1 change: 1 addition & 0 deletions remotes/docker/registry.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ type RegistryHost struct {
Path string
Capabilities HostCapabilities
Header http.Header
Rewrites map[string]string
}

func (h RegistryHost) isProxy(refhost string) bool {
Expand Down
42 changes: 31 additions & 11 deletions remotes/docker/resolver.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (
"net/http"
"net/url"
"path"
"regexp"
"strings"

"github.com/containerd/log"
Expand Down Expand Up @@ -237,15 +238,14 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
if err != nil {
return "", ocispec.Descriptor{}, err
}
refspec := base.refspec
if refspec.Object == "" {
if base.refspec.Object == "" {
return "", ocispec.Descriptor{}, reference.ErrObjectRequired
}

var (
firstErr error
paths [][]string
dgst = refspec.Digest()
dgst = base.refspec.Digest()
caps = HostCapabilityPull
)

Expand All @@ -263,7 +263,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
paths = append(paths, []string{"blobs", dgst.String()})
} else {
// Add
paths = append(paths, []string{"manifests", refspec.Object})
paths = append(paths, []string{"manifests", base.refspec.Object})
caps |= HostCapabilityResolve
}

Expand All @@ -272,15 +272,14 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
return "", ocispec.Descriptor{}, fmt.Errorf("no resolve hosts: %w", errdefs.ErrNotFound)
}

ctx, err = ContextWithRepositoryScope(ctx, refspec, false)
if err != nil {
return "", ocispec.Descriptor{}, err
}

for _, u := range paths {
for _, host := range hosts {
ctx := log.WithLogger(ctx, log.G(ctx).WithField("host", host.Host))

base := base.withRewritesFromHost(host)
ctx, err = ContextWithRepositoryScope(ctx, base.refspec, false)
if err != nil {
return "", ocispec.Descriptor{}, err
}
req := base.request(host, http.MethodHead, u...)
if err := req.addNamespace(base.refspec.Hostname()); err != nil {
return "", ocispec.Descriptor{}, err
Expand Down Expand Up @@ -481,7 +480,6 @@ func (r *dockerBase) request(host RegistryHost, method string, ps ...string) *re
if header == nil {
header = http.Header{}
}

for key, value := range host.Header {
header[key] = append(header[key], value...)
}
Expand All @@ -499,6 +497,28 @@ func (r *dockerBase) request(host RegistryHost, method string, ps ...string) *re
}
}

func (r *dockerBase) withRewritesFromHost(host RegistryHost) *dockerBase {
for pattern, replace := range host.Rewrites {
exp, err := regexp.Compile(pattern)
if err != nil {
log.L.WithError(err).Warnf("Failed to compile rewrite, `%s`, for %s", pattern, host.Host)
continue
}
if rr := exp.ReplaceAllString(r.repository, replace); rr != r.repository {
log.L.Debugf("Rewrote repository for %s: %s => %s", r.refspec, r.repository, rr)
return &dockerBase{
refspec: reference.Spec{
Locator: r.refspec.Hostname() + "/" + rr,
Object: r.refspec.Object,
},
repository: rr,
header: r.header,
}
}
}
return r
}

func (r *request) authorize(ctx context.Context, req *http.Request) error {
// Check if has header for host
if r.host.Authorizer != nil {
Expand Down

0 comments on commit 5d9043b

Please sign in to comment.