host-ctr: use docker resolver #760
base: develop
Conversation
Signed-off-by: Kyle Sessions <[email protected]>
| }) | ||
| authorizer := docker.NewDockerAuthorizer(authOpt) | ||
| c.Resolver = docker.NewResolver(docker.ResolverOptions{ | ||
| // TODO: Consider adding support for user-provided credentials with registryConfig as fallback, |
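Review bot: the TODO above `c.Resolver = docker.NewResolver(docker.ResolverOptions{` leaves credential precedence undocumented now that `docker.NewDockerAuthorizer(authOpt)` is the only authorizer in play: the hunk does not say whether a host that is not ECR falls back to registryConfig credentials or to an anonymous pull. Since the resolver is being swapped in this change anyway, either resolve the TODO here or state the order (ECR token, then registryConfig, then anonymous) in the comment so the behaviour is pinned down rather than deferred.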
This is the same TODO as before:
https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/sources/host-ctr/cmd/host-ctr/main.go#L1250
Replace the amazon-ecr-containerd-resolver dependency with a direct implementation using containerd's Docker resolver.
Signed-off-by: Kyle Sessions <[email protected]>
| [[package.metadata.build-package.external-files]] | ||
| url = "https://github.com/aws/amazon-ecs-agent/archive/v1.91.2/amazon-ecs-agent-1.91.2.tar.gz" | ||
| sha512 = "c079dc22ee60ff0701d9a66f59add26fcab02baae36c72f98e8397ea6747a1858c4df2cada9ed3e2af3657d65920d2495b0b94c88dfbd573a6485ce2a4d6a816" | ||
| # Verify the Git submodule commit of amazon-vpc-cni-plugins matches what is shipped |
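Review bot: the comment on the last line asks the reader to verify that the amazon-vpc-cni-plugins submodule commit matches what is shipped, but the hunk records only the tarball url and its sha512, not the expected submodule commit; add that commit hash to the comment so the check can be done without unpacking the archive. Keep the sha512 pin as is: a GitHub archive url is not a stable artifact, so the digest is what actually fixes the input.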
Good comment but admittedly it took me a moment to realize you meant shipped separately in core-kit. Maybe revise to "... shipped in ../amazon-vpc-cni-plugins"
| // | ||
| // Capture groups: [1] = account ID, [2] = "-fips" or empty, [3] = region | ||
| // | ||
| // ECR hostname pattern also used in the ecr-credential-provider: |
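Review bot: the capture-group comment documents [1] account ID, [2] "-fips" or empty, [3] region, but the hunk does not show the pattern's anchors, and this match is what decides whether ECR credentials are presented to a host; make sure the regex is anchored at both ends (`^...$`) and is applied to the host component only, so a hostname that merely contains an ECR-looking substring is not classified as ECR. The cross-reference to ecr-credential-provider should either name the version it mirrors or be dropped if the two patterns are no longer kept identical, otherwise it invites a false assumption that they agree.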
We've since deviated from this in order to support .eu domain suffix.
I think this regex predates your PR. It's a gnarly one to read. It would be great if we could rein it in or do away with it somehow. I know in Python regexes have "verbose" mode where you can add inline comments explaining parts of the regex.
I want to say I remember interacting with this one in the past, so there's a chance I tried to do battle with it and failed. Might be a dead end.
| // Check if the image source is an ECR image. If it is, then we need to handle it with the ECR resolver. | ||
| isECRImage := ecrRegex.MatchString(source) | ||
| // Use unified image fetching for all registries |
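Review bot: the comment above `isECRImage := ecrRegex.MatchString(source)` still says an ECR image "needs to be handled with the ECR resolver", which this PR removes; reword it to what the flag now controls. Separately, `source` is the full image reference, so `MatchString` is evaluated against the repository path and tag as well as the host; parse the reference and match the host component alone so the decision depends only on where the pull actually goes. The "Use unified image fetching for all registries" line describes the change history rather than the code and can be dropped.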
nit: Feel a bit mixed about this comment, as it is more a comment about the history of the code than the current state.
| log.G(ctx).WithField("ref", source).Error(err) | ||
| return err | ||
| } | ||
| // Use unified image fetching for all registries |
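Review bot: the error is logged with the ref field and then returned, so the same failure is reported twice if the caller logs it as well; consider wrapping it with the ref (e.g. fmt.Errorf("pull %s: %w", source, err)) and logging once at the top level. The "Use unified image fetching for all registries" comment after the closing brace is history, not a description of the code that follows, and can go.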
same nit here
| // A set of the currently supported FIPS regions for ECR: https://docs.aws.amazon.com/general/latest/gr/ecr.html | ||
| // FIPS-supported ECR regions: https://docs.aws.amazon.com/general/latest/gr/ecr.html | ||
| var fipsSupportedEcrRegionSet = map[string]bool{ |
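Review bot: the two comment lines above `fipsSupportedEcrRegionSet` say the same thing; keep one. A hand-maintained region set will drift from the linked list (the review already notes the official list has grown), and the set now only gates an error; if the AWS SDK's endpoint resolution can reject a FIPS endpoint for a region that has none, prefer that over the static map, or at least record in the comment when the set was last reconciled with the documentation.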
nit: dupe comment and the official list from the link appears to be larger now.
not nit: Is this something we can lean on the SDK for now? It seems like in the old code we needed to understand if we were doing FIPS to avoid hitting an error condition in the resolver.
Now we only use it to raise an error - but the SDK might take care of that for us.
Issue: Related to aws/amazon-ecs-agent#4538
Code change dependency: bottlerocket-os/bottlerocket#4715
Description of changes:
Recent ecs-agent updates introduced an incompatibility when using FIPS ECR endpoints alongside use_fips_endpoint=true, requiring us to choose one approach.
We opted to let users specify FIPS ECR endpoints directly. However, amazon-ecr-containerd-resolver doesn't support FIPS endpoints without use_fips_endpoint=true, and the library has been tech debt we've wanted to migrate away from.
This change replaces amazon-ecr-containerd-resolver with containerd's Docker resolver.
Testing done:
ECS Agent Conformance Testing
Ran internal ECS conformance tests across multiple variants and architectures with use_fips_endpoint=false:
Additionally verified ECS task execution with both FIPS and non-FIPS containers to confirm expected behavior.
Host Container Image Pull Testing
GovCloud (us-gov-west-1)
China Region (cn-north-1)
Special Region Test For New Regions (ap-southeast-7)
Verified host container image pull works in special region:
Digest test:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
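To make the host-classification decision discussed in the review concrete, here is an added Go example; it is not host-ctr's code and does not use containerd's API. It extracts the registry host from an image reference using Docker's host rule, matches that host alone against an anchored ECR hostname pattern with the same capture groups the diff comment describes (account ID, "-fips" or empty, region) plus a domain-suffix group, refuses a FIPS endpoint in a region without FIPS support, and only then hands out ECR credentials, the way a per-host credential callback for a Docker-registry authorizer would. Everything beyond the standard library is assumed: fipsSupportedEcrRegions is an illustrative subset of the documented list, TokenFetcher stands in for an AWS SDK token call, and the sample references are constructed. The pattern covers amazonaws.com and amazonaws.com.cn; the .eu suffix mentioned in review is not included.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Anchored ECR hostname pattern (added example, not host-ctr's regex).
// Capture groups: [1] = account ID, [2] = "-fips" or empty, [3] = region,
// [4] = domain suffix. Both anchors matter: without them a host such as
// "123456789012.dkr.ecr.us-east-1.amazonaws.com.evil.example" would match.
var ecrHostRegex = regexp.MustCompile(
	`^(\d{12})\.dkr\.ecr(-fips)?\.([a-z]{2}(?:-gov)?-[a-z]+-\d+)\.(amazonaws\.com(?:\.cn)?)$`)

// Illustrative subset of regions with ECR FIPS endpoints (assumption for the
// example); the authoritative list is https://docs.aws.amazon.com/general/latest/gr/ecr.html.
var fipsSupportedEcrRegions = map[string]bool{
	"us-east-1": true, "us-east-2": true, "us-west-1": true, "us-west-2": true,
	"us-gov-east-1": true, "us-gov-west-1": true,
}

// ECRInfo is what the pattern extracts from a matching host.
type ECRInfo struct {
	Account string
	FIPS    bool
	Region  string
	Suffix  string
}

// Credentials is the user/secret pair an authorizer presents for a host.
type Credentials struct {
	User   string
	Secret string
}

// TokenFetcher is a hypothetical stand-in for an ECR GetAuthorizationToken
// call; a real implementation would use the AWS SDK with info.Region.
type TokenFetcher func(info ECRInfo) (Credentials, error)

// hostOf returns the registry host of an image reference using Docker's rule:
// the first path component is a host only if it contains '.' or ':' or is
// "localhost"; otherwise the reference is implicitly on docker.io.
func hostOf(ref string) string {
	first, _, found := strings.Cut(ref, "/")
	if !found {
		return "docker.io"
	}
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io"
	}
	return strings.ToLower(first)
}

// parseECRHost reports whether host, as a whole, is an ECR endpoint.
func parseECRHost(host string) (ECRInfo, bool) {
	m := ecrHostRegex.FindStringSubmatch(strings.ToLower(host))
	if m == nil {
		return ECRInfo{}, false
	}
	return ECRInfo{Account: m[1], FIPS: m[2] == "-fips", Region: m[3], Suffix: m[4]}, true
}

// hostCredentials decides what to present to host: an ECR token only for a
// host that is entirely an ECR endpoint, an error for a FIPS endpoint in a
// region without FIPS support (checked before any token is requested),
// static credentials for a configured host, and nothing (anonymous pull)
// for everything else.
func hostCredentials(host string, static map[string]Credentials, fetch TokenFetcher) (Credentials, error) {
	if info, ok := parseECRHost(host); ok {
		if info.FIPS && !fipsSupportedEcrRegions[info.Region] {
			return Credentials{}, fmt.Errorf("ECR FIPS endpoint requested in %s, which has no FIPS endpoint", info.Region)
		}
		return fetch(info)
	}
	if c, ok := static[host]; ok {
		return c, nil
	}
	return Credentials{}, nil
}

func main() {
	// Constructed sample references, including one whose repository path
	// embeds an ECR-looking name while the host is not ECR at all.
	refs := []string{
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
		"123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com/app@sha256:0123",
		"123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn/app:1.0",
		"123456789012.dkr.ecr-fips.ap-southeast-7.amazonaws.com/app:1.0",
		"evil.example.com/123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
		"alpine:3.20",
	}
	fetch := func(info ECRInfo) (Credentials, error) {
		return Credentials{User: "AWS", Secret: "token-for-" + info.Region}, nil
	}
	static := map[string]Credentials{"evil.example.com": {User: "cfg", Secret: "cfg-secret"}}
	for _, ref := range refs {
		host := hostOf(ref)
		creds, err := hostCredentials(host, static, fetch)
		fmt.Printf("%-72s host=%s user=%q err=%v\n", ref, host, creds.User, err)
	}
}
```

Matching on the parsed host rather than on the whole reference is the part that matters for credential safety: the fifth sample reference would match an unanchored pattern run over the full string, yet its pull goes to evil.example.com, which must never be offered an ECR token.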