agent: Add authenticated pull image support

Add source credentials field to pull_image endpoint
If field is not blank, send to skopeo in image pull command
Add source_creds to agent-ctl pull command

Fixes: #2653
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
stevenhorsman 2021-09-16 11:41:19 +01:00
parent 522b9e33c3
commit c624e7fd97
3 changed files with 17 additions and 5 deletions


@ -518,4 +518,5 @@ message Metrics {
message PullImageRequest { message PullImageRequest {
string image = 1; string image = 1;
string container_id = 2; string container_id = 2;
string source_creds = 3;
} }
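Review bot: The new `source_creds` field at tag 3 carries a secret but has no comment stating the expected format or how it must be handled. Since the agent forwards the value unchanged to skopeo's `--src-creds` and treats an empty string as "no credentials", I would add `// Registry credentials as USERNAME[:PASSWORD]; empty means anonymous pull. Secret: never log.` above the field.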


@ -685,8 +685,9 @@ impl protocols::agent_ttrpc::AgentService for AgentService {
) -> ttrpc::Result<protocols::empty::Empty> { ) -> ttrpc::Result<protocols::empty::Empty> {
let image = req.get_image(); let image = req.get_image();
let cid = req.get_container_id(); let cid = req.get_container_id();
let source_creds = (!req.get_source_creds().is_empty()).then(|| req.get_source_creds());
pull_image_from_registry(image, cid) pull_image_from_registry(image, cid, &source_creds)
.map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e.to_string()))?; .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e.to_string()))?;
unpack_image(cid).map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e.to_string()))?; unpack_image(cid).map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e.to_string()))?;
@ -1722,7 +1723,7 @@ fn load_kernel_module(module: &protocols::agent::KernelModule) -> Result<()> {
} }
} }
fn pull_image_from_registry(image: &str, cid: &str) -> Result<()> { fn pull_image_from_registry(image: &str, cid: &str, source_creds: &Option<&str>) -> Result<()> {
let source_image = format!("{}{}", "docker://", image); let source_image = format!("{}{}", "docker://", image);
let manifest_path = format!("/tmp/{}/image_manifest", cid); let manifest_path = format!("/tmp/{}/image_manifest", cid);
@ -1735,11 +1736,19 @@ fn pull_image_from_registry(image: &str, cid: &str) -> Result<()> {
fs::create_dir_all(&manifest_path)?; fs::create_dir_all(&manifest_path)?;
fs::create_dir_all(&oci_path)?; fs::create_dir_all(&oci_path)?;
let status: ExitStatus = Command::new(SKOPEO_PATH) info!(sl!(), "Attempting to pull image {}...", &source_image);
let mut pull_command = Command::new(SKOPEO_PATH);
pull_command
.arg("copy") .arg("copy")
.arg(source_image) .arg(source_image)
.arg(&target_path_manifest) .arg(&target_path_manifest);
.status()?;
if let Some(source_creds) = source_creds {
pull_command.arg("--src-creds").arg(source_creds);
}
let status: ExitStatus = pull_command.status()?;
if !status.success() { if !status.success() {
return Err(anyhow!(format!("failed to pull image: {:?}", status))); return Err(anyhow!(format!("failed to pull image: {:?}", status)));
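Review bot: The credential is handed to skopeo as a command-line argument in `pull_command.arg("--src-creds").arg(source_creds)`, so for the duration of the pull it is readable through the process listing and `/proc/<pid>/cmdline` by anything in the guest that can see the agent's child processes. skopeo also accepts `--src-authfile`; writing the credential to a file created with mode 0600 in a directory only the agent can read, passing that path, and removing the file once `status()` returns keeps the secret off argv. Separately, `source_creds: &Option<&str>` can be plain `Option<&str>`, since the option is `Copy`. The body of pull_image_from_registry continues outside the hunk, so later uses of these values were not reviewed.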


@ -1951,9 +1951,11 @@ fn agent_cmd_pull_image(
let image = utils::get_option("image", options, args); let image = utils::get_option("image", options, args);
let cid = utils::get_option("cid", options, args); let cid = utils::get_option("cid", options, args);
let source_creds = utils::get_option("source_creds", options, args);
req.set_image(image); req.set_image(image);
req.set_container_id(cid); req.set_container_id(cid);
req.set_source_creds(source_creds);
debug!(sl!(), "sending request"; "request" => format!("{:?}", req)); debug!(sl!(), "sending request"; "request" => format!("{:?}", req));
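Review bot: The existing `debug!(sl!(), "sending request"; "request" => format!("{:?}", req))` now prints `source_creds` in clear text, because the field is set on `req` just before the whole request is debug-formatted. Log only the non-secret fields instead, e.g. `debug!(sl!(), "sending request"; "image" => req.get_image(), "cid" => req.get_container_id());`, or blank the field on a clone before formatting. The credential also appears to be taken from a command option, which would leave it in shell history and in the tool's own argv; that is worth a line in the command's help text. agent_cmd_pull_image starts and ends outside the hunk.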