Default config_path if legacy registry options are not set. #6488
Conversation
|
Hi @evankanderson. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pkg/cri/server/image_pull.go
Outdated
| if len(cR.Mirrors) == 0 && len(cR.Configs) == 0 && len(cR.Auths) == 0 && len(cR.Headers) == 0 { | ||
| // No old-style configuration, default to docker-compatible defaults | ||
| // See https://github.com/containerd/containerd/issues/6485 | ||
| c.config.Registry.ConfigPath = "/etc/containerd/certs.d:/etc/docker/certs.d" |
There was a problem hiding this comment.
This is Linux-specific. I don't know if I need to do something cross-platform here or not.
There was a problem hiding this comment.
Windows server directions are here; the TL;DR is that the certificates need to be installed into the system cert store on Windows, I think: https://docs.docker.com/registry/insecure/#use-self-signed-certificates
There was a problem hiding this comment.
In addition, it seems like the Windows cert directions require restarting Docker, so it's not as seamless as the Linux process of putting certificates under the registry name in /etc/docker/certs.d.
There was a problem hiding this comment.
would it help to set it here?https://github.com/containerd/containerd/blob/main/pkg/cri/config/config_unix.go#L29?
There was a problem hiding this comment.
Sorry, needed to do a little research.
Setting the default in config_unix causes the default config to be merged with any config in the paths, which means that you can hit the error condition on line 400 of config.go by setting any of the (deprecated) mirrors or tls parameters and not explicitly setting config_path to the empty string.
There was a problem hiding this comment.
It is still best to catch the conflict there. This is kind of deep in the path to start applying default values. Where is it checking whether ConfigPath is already set?
There was a problem hiding this comment.
Good point!
I've moved this to the end of ValidatePluginConfig and updated the appropriate tests in config_test.go.
|
(DCO-signed) |
|
/assign @cpuguy83 |
|
/assign @kzys |
|
/ok-to-test |
adisky
left a comment
There was a problem hiding this comment.
Thanks @evankanderson LGTM
can you update the docs as well?
https://github.com/containerd/containerd/blob/main/docs/cri/registry.md
https://github.com/containerd/containerd/blob/main/docs/cri/config.md
Signed-off-by: Evan Anderson <evana@vmware.com>
|
Updated docs |
|
LGTM |
|
Is there anything else I need to do before this can be merged? (I don't have permissions to merge it myself.) |
pkg/cri/config/config.go
Outdated
| // Validation for deprecated auths options and mapping it to configs. | ||
| if len(c.Registry.Auths) != 0 { | ||
| if useConfigPath { | ||
| return errors.New("`auths` is deprecated, please use `config_path` instead") |
There was a problem hiding this comment.
Authorization via config_path is intentionally not supported today
There was a problem hiding this comment.
The code looks like it supports setting an authorizer, but I've reverted this portion of the change and updated the tests.
evankanderson
left a comment
There was a problem hiding this comment.
Let me know if you want me to squash the commits before merging the PR.
pkg/cri/config/config.go
Outdated
| log.G(ctx).Warning("`auths` is deprecated, please use `configs` instead") | ||
| } | ||
|
|
||
| if len(c.Registry.Mirrors) == 0 && !hasDeprecatedTLS && len(c.Registry.Auths) == 0 { |
There was a problem hiding this comment.
Removed Registry.Auths here as well.
pkg/cri/config/config.go
Outdated
| // Validation for deprecated auths options and mapping it to configs. | ||
| if len(c.Registry.Auths) != 0 { | ||
| if useConfigPath { | ||
| return errors.New("`auths` is deprecated, please use `config_path` instead") |
There was a problem hiding this comment.
The code looks like it supports setting an authorizer, but I've reverted this portion of the change and updated the tests.
|
Build succeeded.
|
|
Build succeeded.
|
|
Anything else I need to do? |
|
Can you squash your commits? We have one LGTM from a containerd maintainer so will need at least one more before merging. I've marked it as ready for review since you had already made the updates @dmcgowan asked for. |
|
Squashed. Ready for another look. |
|
Build succeeded.
|
There was a problem hiding this comment.
thinking this over...
right now default for configpath is "" .. (containerd config default > config.toml)
if a user edits the configpath in the config.toml the old mirror/tls has to have already been removed (checked by validator)
with this change we introduce a behavior change
if the configpath is "" and if mirrors/tls isn't set.. then nil configpath means use "/etc/containerd/certs.d:/etc/docker/certs.d"
an admin isn't informed or directing containerd to do that .. it just happens... default is now promoted to auto config from docker/certs.d + containerd/certs.d
if they don't want that to happen they have to add a dummy mirror..
this would be a behavior difference between 1.5 and main
it should be noted that the default config does not have mirrors/tls in it
...
my gut says it would be better, in main, to change the actual default value for config_path in new default configs from "" to the proposed, than to come up with a behavior change for what config_path = "" means retroactively against older configs...
something like:
diff --git a/pkg/cri/config/config_unix.go b/pkg/cri/config/config_unix.go
index ed75bb41c..6bf3d2c1e 100644
--- a/pkg/cri/config/config_unix.go
+++ b/pkg/cri/config/config_unix.go
@@ -69,6 +69,9 @@ func DefaultConfig() PluginConfig {
NetworkPluginMaxConfNum: 1, // only one CNI plugin config file will be loaded
NetworkPluginConfTemplate: "",
},
+ Registry: Registry{
+ ConfigPath: "/etc/containerd/certs.d:/etc/docker/certs.d",
+ },
ContainerdConfig: ContainerdConfig{
Snapshotter: containerd.DefaultSnapshotter,
DefaultRuntimeName: "runc",
and whatever is needed for config_windows.go
Signed-off-by: Evan Anderson <evan.k.anderson@gmail.com>
|
Rebased to run another round of CI on latest main |
|
I'm willing to do some bounded additional amount of work here, but I'm not sure that I'll be able to debug the current issues, as I don't understand the test harnesses and environments well enough to recognize flakes vs failures. |
Default config_path if legacy registry options are not set.
There was a problem hiding this comment.
I don't know enough about Windows (or how to test) to suggest anything here.
Default config_path if legacy registry options are not set.
Fixes #6485