
Commit 5cdd6ab

committed
daemon/config: remove TrustKeyPath, and local utilities
Turned out that the loadOrCreateTrustKey() utility was doing exactly the same as libtrust.LoadOrCreateTrustKey(), so making it a thin wrapper. I kept the tests to verify the behavior, but we could remove them as we only need this for our integration tests. The storage location for the generated key was changed (again as we only need this for some integration tests), so we can remove the TrustKeyPath from the config. Signed-off-by: Sebastiaan van Stijn <[email protected]>
1 parent 1981706 commit 5cdd6ab

9 files changed

Lines changed: 13 additions & 103 deletions


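--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@@ -7,9 +7,6 @@ import (
 "github.com/spf13/pflag"
 )
 
-// defaultTrustKeyFile is the default filename for the trust key
-const defaultTrustKeyFile = "key.json"
-
 // installCommonConfigFlags adds flags to the pflag.FlagSet to configure the daemon
 func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 var (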

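--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -414,14 +414,6 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
 conf.CommonTLSOptions = config.CommonTLSOptions{}
 }
 
-if conf.TrustKeyPath == "" {
-daemonConfDir, err := getDaemonConfDir(conf.Root)
-if err != nil {
-return nil, err
-}
-conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)
-}
-
 if opts.configFile != "" {
 c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
 if err != nil {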

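--- a/cmd/dockerd/daemon_unix.go
+++ b/cmd/dockerd/daemon_unix.go
@@ -56,10 +56,6 @@ func setDefaultUmask() error {
 return nil
 }
 
-func getDaemonConfDir(_ string) (string, error) {
-return getDefaultDaemonConfigDir()
-}
-
 func (cli *DaemonCli) getPlatformContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {
 opts := []supervisor.DaemonOpt{
 // TODO(thaJeztah) change this to use /proc/self/oom_score_adj instead,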

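--- a/cmd/dockerd/daemon_windows.go
+++ b/cmd/dockerd/daemon_windows.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "os"
-"path/filepath"
 "time"
 
 "github.com/docker/docker/daemon/config"
@@ -23,10 +22,6 @@ func setDefaultUmask() error {
 return nil
 }
 
-func getDaemonConfDir(root string) (string, error) {
-return filepath.Join(root, "config"), nil
-}
-
 // preNotifyReady sends a message to the host when the API is active, but before the daemon is
 func preNotifyReady() {
 // start the service now to prevent timeouts waiting for daemon to start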

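--- a/cmd/dockerd/docker_windows.go
+++ b/cmd/dockerd/docker_windows.go
@@ -24,11 +24,7 @@ func runDaemon(opts *daemonOptions) error {
 
 // Windows specific settings as these are not defaulted.
 if opts.configFile == "" {
-configDir, err := getDaemonConfDir(opts.daemonConfig.Root)
-if err != nil {
-return err
-}
-opts.configFile = filepath.Join(configDir, "daemon.json")
+opts.configFile = filepath.Join(opts.daemonConfig.Root, "config", "daemon.json")
 }
 if runAsService {
 // If Windows SCM manages the service - no need for PID files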

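--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -168,12 +168,6 @@ type CommonConfig struct {
 // Proxies holds the proxies that are configured for the daemon.
 Proxies `json:"proxies"`
 
-// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
-// when pushing to a registry which does not support schema 2. This field is marked as
-// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
-// daemon ID will use a dedicated identifier not shared with exported signatures.
-TrustKeyPath string `json:"deprecated-key-path,omitempty"`
-
 // LiveRestoreEnabled determines whether we should keep containers
 // alive upon daemon shutdown/start
 LiveRestoreEnabled bool `json:"live-restore,omitempty"`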

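--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -1062,13 +1062,13 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 // manifest v2 schema 1 images to test-registries used for testing *pulling*
 // these images.
 if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
-imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
+// Previously, this was stored in the daemon's config-directory, but
+// as pushing V1 is deprecated, and we only need this file during
+// our integration tests, just store it within the "trust" directory.
+imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(filepath.Join(config.Root, "trust", "key.json"))
 if err != nil {
 return nil, err
 }
-if err = os.Mkdir(filepath.Join(config.Root, "trust"), 0o700); err != nil && !errors.Is(err, os.ErrExist) {
-return nil, err
-}
 }
 
 // containerd is not currently supported with Windows.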
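Review bot: The explicit `os.Mkdir(filepath.Join(config.Root, "trust"), 0o700)` is dropped, so the mode of the `trust` directory that now holds the private key depends entirely on how `libtrust.LoadOrCreateTrustKey` creates missing parents; as far as I recall it uses `os.MkdirAll(..., 0700)` and writes the key with mode 0600, but that should be confirmed against the vendored libtrust, since the removed daemon code pinned the directory mode itself. If libtrust's mode differs, keep a `MkdirAll(filepath.Join(config.Root, "trust"), 0o700)` ahead of the call. The removed in-tree helper also wrote the key with `ioutils.AtomicWriteFile`; if the libtrust version writes non-atomically and additionally drops a `public-key.json` beside the private key, that is a behaviour change worth one sentence in the new comment. NewDaemon starts and ends outside this hunk.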

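--- a/daemon/trustkey.go
+++ b/daemon/trustkey.go
@@ -1,57 +1,9 @@
 package daemon // import "github.com/docker/docker/daemon"
 
-import (
-"encoding/json"
-"encoding/pem"
-"fmt"
-"os"
-"path/filepath"
-
-"github.com/docker/docker/pkg/ioutils"
-"github.com/docker/docker/pkg/system"
-"github.com/docker/libtrust"
-)
+import "github.com/docker/libtrust"
 
 // LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
-// otherwise generates a new one
-// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
-// a refactor or this function to be moved into libtrust
+// otherwise generates a new one.
 func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
-err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755)
-if err != nil {
-return nil, err
-}
-trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
-if err == libtrust.ErrKeyFileDoesNotExist {
-trustKey, err = libtrust.GenerateECP256PrivateKey()
-if err != nil {
-return nil, fmt.Errorf("Error generating key: %s", err)
-}
-encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
-if err != nil {
-return nil, fmt.Errorf("Error serializing key: %s", err)
-}
-if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
-return nil, fmt.Errorf("Error saving key file: %s", err)
-}
-} else if err != nil {
-return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
-}
-return trustKey, nil
-}
-
-func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
-if ext == ".json" || ext == ".jwk" {
-encoded, err = json.Marshal(key)
-if err != nil {
-return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
-}
-} else {
-pemBlock, err := key.PEMBlock()
-if err != nil {
-return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
-}
-encoded = pem.EncodeToMemory(pemBlock)
-}
-return
+return libtrust.LoadOrCreateTrustKey(trustKeyPath)
 }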
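Review bot: The doc comment at new line 5 still begins `// LoadOrCreateTrustKey attempts to load ...` while the function is `loadOrCreateTrustKey`, so the comment no longer starts with the name it documents and now describes libtrust's behaviour rather than this file's; since the body is a one-line delegation, suggest `// loadOrCreateTrustKey is a thin wrapper around libtrust.LoadOrCreateTrustKey,` / `// kept so the schema1-push test path and the tests in this package share one call site.` The removed implementation created the parent directory with 0755, wrote the key atomically with mode 0600 and chose JWK or PEM encoding from the file extension; the libtrust version, as I recall it, creates parents with 0700, always writes JWK and additionally writes a `public-<name>` file, so the lower-cased error message that the test hunk now expects is not the only observable difference, and the others are worth confirming against the vendored copy.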

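--- a/daemon/trustkey_test.go
+++ b/daemon/trustkey_test.go
@@ -7,29 +7,20 @@ import (
 
 "gotest.tools/v3/assert"
 is "gotest.tools/v3/assert/cmp"
-"gotest.tools/v3/fs"
 )
 
 // LoadOrCreateTrustKey
 func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
-tmpKeyFolderPath, err := os.MkdirTemp("", "api-trustkey-test")
+tmpKeyFile, err := os.CreateTemp(t.TempDir(), "keyfile")
 assert.NilError(t, err)
-defer os.RemoveAll(tmpKeyFolderPath)
-
-tmpKeyFile, err := os.CreateTemp(tmpKeyFolderPath, "keyfile")
-assert.NilError(t, err)
-defer tmpKeyFile.Close()
+_ = tmpKeyFile.Close()
 
 _, err = loadOrCreateTrustKey(tmpKeyFile.Name())
-assert.Check(t, is.ErrorContains(err, "Error loading key file"))
+assert.Check(t, is.ErrorContains(err, "error loading key file"))
 }
 
 func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
-tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-defer tmpKeyFolderPath.Remove()
-
-// Without the need to create the folder hierarchy
-tmpKeyFile := tmpKeyFolderPath.Join("keyfile")
+tmpKeyFile := filepath.Join(t.TempDir(), "keyfile")
 
 key, err := loadOrCreateTrustKey(tmpKeyFile)
 assert.NilError(t, err)
@@ -40,10 +31,7 @@ func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
 }
 
 func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
-tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-defer tmpKeyFolderPath.Remove()
-tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")
-
+tmpKeyFile := filepath.Join(t.TempDir(), "folder/hierarchy/keyfile")
 key, err := loadOrCreateTrustKey(tmpKeyFile)
 assert.NilError(t, err)
 assert.Check(t, key != nil)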
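Review bot: None of the three tests checks the mode of the private-key file that gets created, and now that the implementation delegates to libtrust (whose write path this package no longer controls) a regression to a group- or world-readable key file would pass unnoticed; after the `assert.NilError(t, err)` that follows `loadOrCreateTrustKey(tmpKeyFile)` in TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist, add `fi, err := os.Stat(tmpKeyFile); assert.NilError(t, err); assert.Check(t, is.Equal(fi.Mode().Perm(), os.FileMode(0o600)))`, skipped on Windows where the permission bits are not meaningful. If libtrust also writes a public-key sibling, asserting on the directory listing would pin that too. The new code relies on `filepath` and `os`, but the import lines for them sit above this hunk, so check that `path/filepath` is imported now that `gotest.tools/v3/fs` is gone.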
