Docker registry auth support via driver config.

Signed-off-by: Shishir Mahajan <[email protected]>

Author: shishir-a412ed

README.md

@@ -87,6 +87,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **containerd_runtime** | string | yes | N/A | Runtime for containerd e.g. `io.containerd.runc.v1` or `io.containerd.runc.v2`. |
 | **stats_interval** | string | no | 1s | Interval for collecting `TaskStats`. |
 | **allow_privileged** | bool | no | true | If set to `false`, driver will deny running privileged jobs. |
+| **auth** | block | no | N/A | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
 
 **Task Config**
 
@@ -111,7 +112,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **cap_add** | []string | no | Add individual capabilities. |
 | **cap_drop** | []string | no | Drop invidual capabilities. |
 | **devices** | []string | no | A list of devices to be exposed to the container. |
-| **auth** | block | no | Provide authentication for a private registry. See [Auth](#auth) for more details. |
+| **auth** | block | no | Provide authentication for a private registry. See [Authentication](#authentication-private-registry) for more details. |
 | **mounts** | []block | no | A list of mounts to be mounted in the container. Volume, bind and tmpfs type mounts are supported. fstab style [`mount options`](https://github.com/containerd/containerd/blob/master/mount/mount_linux.go#L211-L235) are supported. |
 
 **Mount block**<br/>
@@ -163,18 +164,19 @@ config {
 }
 ```
 
-### auth
+## Authentication (Private registry)
 
-If you want to pull from a private repository e.g. docker hub, you can specify `username` and `password` in the `auth` stanza. See example below.
+`auth` stanza allow you to set credentials for your private registry e.g. if you want to pull
+an image from a private repository in docker hub.<br/>
+`auth` stanza can be set either in `Driver Config` or `Task Config` or both.<br/>
+If set at both places, `Task Config` auth will take precedence over `Driver Config` auth.
 
-**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials.
+**NOTE**: In the below example, `user` and `pass` are just placeholder values which need to be replaced by actual `username` and `password`, when specifying the credentials. Below `auth` stanza can be used for both `Driver Config` and `Task Config`.
 
 ```
-config {
-  auth {
+auth {
     username = "user"
     password = "pass"
-  }
 }
 ```
 

containerd/containerd.go

@@ -65,12 +65,20 @@ func (d *Driver) getContainerdVersion() (containerd.Version, error) {
 
 type CredentialsOpt func(string) (string, string, error)
 
-func parshAuth(auth *RegistryAuth) CredentialsOpt {
+func (d *Driver) parshAuth(auth *RegistryAuth) CredentialsOpt {
 	return func(string) (string, string, error) {
-		if auth == nil {
-			return "", "", nil
+		var username, password string
+		if d.config.Auth.Username != "" && d.config.Auth.Password != "" {
+			username = d.config.Auth.Username
+			password = d.config.Auth.Password
 		}
-		return auth.Username, auth.Password, nil
+
+		// Job auth will take precedence over plugin auth options.
+		if auth.Username != "" && auth.Password != "" {
+			username = auth.Username
+			password = auth.Password
+		}
+		return username, password, nil
 	}
 }
 
@@ -98,7 +106,7 @@ func (d *Driver) pullImage(imageName, imagePullTimeout string, auth *RegistryAut
 
 	pullOpts := []containerd.RemoteOpt{
 		containerd.WithPullUnpack,
-		withResolver(parshAuth(auth)),
+		withResolver(d.parshAuth(auth)),
 	}
 
 	return d.client.Pull(ctxWithTimeout, named.String(), pullOpts...)

containerd/driver.go

@@ -84,6 +84,10 @@ var (
 			hclspec.NewAttr("allow_privileged", "bool", false),
 			hclspec.NewLiteral("true"),
 		),
+		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
+			"username": hclspec.NewAttr("username", "string", true),
+			"password": hclspec.NewAttr("password", "string", true),
+		})),
 	})
 
 	// taskConfigSpec is the specification of the plugin's configuration for
@@ -117,8 +121,8 @@ var (
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 		"host_network":    hclspec.NewAttr("host_network", "bool", false),
 		"auth": hclspec.NewBlock("auth", false, hclspec.NewObject(map[string]*hclspec.Spec{
-			"username": hclspec.NewAttr("username", "string", false),
-			"password": hclspec.NewAttr("password", "string", false),
+			"username": hclspec.NewAttr("username", "string", true),
+			"password": hclspec.NewAttr("password", "string", true),
 		})),
 		"mounts": hclspec.NewBlockList("mounts", hclspec.NewObject(map[string]*hclspec.Spec{
 			"type": hclspec.NewDefault(
@@ -144,10 +148,11 @@ var (
 
 // Config contains configuration information for the plugin
 type Config struct {
-	Enabled           bool   `codec:"enabled"`
-	ContainerdRuntime string `codec:"containerd_runtime"`
-	StatsInterval     string `codec:"stats_interval"`
-	AllowPrivileged   bool   `codec:"allow_privileged"`
+	Enabled           bool         `codec:"enabled"`
+	ContainerdRuntime string       `codec:"containerd_runtime"`
+	StatsInterval     string       `codec:"stats_interval"`
+	AllowPrivileged   bool         `codec:"allow_privileged"`
+	Auth              RegistryAuth `codec:"auth"`
 }
 
 // Volume, bind, and tmpfs type mounts are supported.

tests/004-test-privileged.sh

@@ -33,7 +33,17 @@ test_privileged_nomad_job() {
 
     # Check if container is running in privileged mode.
     echo "INFO: Checking if container is running in privileged mode."
+
+    # If you are running the tests locally in the vagrant VM (Ubuntu 18.04.03)
+    # the capability set (capsh --print) consists of 37 capabilities.
+    # However, GHA environment is showing 39 capabilities.
+    # The below check will set the expected_capabilities to 37 or 39
+    # depending on the execution environment.
     expected_capabilities="37"
+    if [[ "$GITHUB_ACTIONS" == "true" ]]; then
+       expected_capabilities="39"
+    fi
+
     actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}')
     if [ "$expected_capabilities" != "$actual_capabilities" ]; then
        echo "ERROR: container is not running in privileged mode."

tests/run_tests.sh

@@ -80,20 +80,6 @@ setup() {
            return 0
         fi
 
-        sudo systemctl stop apt-daily-upgrade apt-daily >/dev/null 2>&1
-
-	set +e
-	sudo pkill --signal SIGKILL -P $(ps faux | grep 'daily' | awk '{print $2}')
-	set -e
-
-	# Remove docker daemon and containerd.
-	sudo systemctl stop docker
-	sudo systemctl stop containerd
-	sudo apt-get purge -y docker-ce docker-ce-cli containerd.io
-
-	sudo apt-get update
-	sudo apt-get install -y apt-utils curl runc unzip make build-essential
-
 	# Change $(pwd) to /tmp
 	pushd /tmp