doc: Add doc for authenticated pull image

Add support for a new source credentials environment variable in the
test script
Add documentation of it into the how-to guide

Fixes #2653

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
stevenhorsman 2021-09-16 11:55:31 +01:00
parent 40c406506b
commit 522b9e33c3
2 changed files with 7 additions and 2 deletions

@ -392,7 +392,7 @@ run_agent_ctl_command() {
}
agent_pull_image() {
run_agent_ctl_command "PullImage image=${PULL_IMAGE} cid=${CONTAINER_ID}"
run_agent_ctl_command "PullImage image=${PULL_IMAGE} cid=${CONTAINER_ID} source_creds=${SOURCE_CREDS}"
}
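
Review bot: In `agent_pull_image`, `source_creds=${SOURCE_CREDS}` is appended unconditionally, so when `SOURCE_CREDS` is unset or empty the request is sent with a bare `source_creds=` parameter. Either add the parameter only when the variable has a value, for example with `${SOURCE_CREDS:+ source_creds=${SOURCE_CREDS}}`, or confirm that the agent treats an empty value as an anonymous pull. The secret is also expanded into the command string handed to `run_agent_ctl_command`, so it will show up wherever that string is traced or logged; a short comment saying so would help anyone who later adds debug output to that function.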

@ -65,7 +65,12 @@ drwxr-xr-x 3 root root 60 Sep 6 09:44 shared
```
$ ~/ccv0.sh -d open_kata_console
```
- In the first console list run the pull image agent endpoint using `~/ccv0.sh -d agent_pull_image`:
- In the first terminal run the pull image agent endpoint:
- Optionally set up some environment variables to set the image and credentials used:
- By default the agent pull test in `ccv0.sh` will use the image `registry.fedoraproject.org/fedora:latest` which requires no authentication. If you want to use a different image, first set the `PULL_IMAGE` environment variable e.g. `export PULL_IMAGE="docker.io/library/busybox:latest"`.
- If the container registry for the image requires authentication then this can be set with an environment variable `SOURCE_CREDS`. For example to use `docker.io` as an authenticated user first run `export SOURCE_CREDS="<dockerhub username>:<dockerhub api key>"`
- *Note: the credentials support on the agent request is a tactical solution for the short-term proof of concept to allow more images to be pulled and tested. Once we have support for getting keys into the kata guest using the attestation-agent and/or KBS I'd expect container registry credentials to be looked up using that mechanism.*
- Run the pull image agent endpoint with `~/ccv0.sh -d agent_pull_image`:
- *For unknown reasons sometimes the unpack fails the first time and the sandbox crashes, but seems to work the second time and the pod will restart automatically, so just re-open the shell and console and re-run the agent_pull_image.*
```
$ ~/ccv0.sh -d agent_pull_image
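
Review bot: The `SOURCE_CREDS` bullet tells readers to run `export SOURCE_CREDS="<dockerhub username>:<dockerhub api key>"`, which writes the API key into shell history and leaves it exported to every later child process in that terminal. Suggest the guide recommend a pull-only access token, show a way to set the variable without typing the secret on the command line, and tell the reader to `unset SOURCE_CREDS` after the test. Two style points in the same block: the `SOURCE_CREDS` bullet is missing its closing full stop, and the note's "I'd expect" reads as a personal comment in a how-to guide, so it would be better phrased as the project's plan.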