Move ImageCacheAuthenticator to env (#4869)

Author: bduffany

enterprise/server/cmd/executor/executor.go

@@ -199,6 +199,9 @@ func main() {
 	}
 	executorID := executorUUID.String()
 
+	imageCacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
+	env.SetImageCacheAuthenticator(imageCacheAuth)
+
 	runnerPool, err := runner.NewPool(env, &runner.PoolOptions{})
 	if err != nil {
 		log.Fatalf("Failed to initialize runner pool: %s", err)

enterprise/server/remote_execution/container/container.go

@@ -42,6 +42,8 @@ var (
 
 	containerRegistries     = flag.Slice("executor.container_registries", []ContainerRegistry{}, "")
 	debugUseLocalImagesOnly = flag.Bool("debug_use_local_images_only", false, "Do not pull OCI images and only used locally cached images. This can be set to test local image builds during development without needing to push to a container registry. Not intended for production use.")
+
+	slowPullWarnOnce sync.Once
 )
 
 type ContainerRegistry struct {
@@ -231,13 +233,17 @@ type Stdio struct {
 
 // PullImageIfNecessary pulls the image configured for the container if it
 // is not cached locally.
-func PullImageIfNecessary(ctx context.Context, env environment.Env, cacheAuth *ImageCacheAuthenticator, ctr CommandContainer, creds PullCredentials, imageRef string) error {
+func PullImageIfNecessary(ctx context.Context, env environment.Env, ctr CommandContainer, creds PullCredentials, imageRef string) error {
 	if *debugUseLocalImagesOnly {
 		return nil
 	}
-	if env.GetAuthenticator() == nil {
+	cacheAuth := env.GetImageCacheAuthenticator()
+	if cacheAuth == nil || env.GetAuthenticator() == nil {
 		// If we don't have an authenticator available, fall back to
 		// authenticating the creds with the image registry on every request.
+		slowPullWarnOnce.Do(func() {
+			log.CtxWarningf(ctx, "Authentication is not properly configured; this will result in slower image pulls.")
+		})
 		return ctr.PullImage(ctx, creds)
 	}
 	isCached, err := ctr.IsImageCached(ctx)
@@ -279,39 +285,33 @@ func (p PullCredentials) String() string {
 	return p.Username + ":" + p.Password
 }
 
-// ImageCacheToken is a claim to be able to access a locally cached image.
-type ImageCacheToken struct {
-	GroupID  string
-	ImageRef string
-}
-
 // NewImageCacheToken returns the token representing the authenticated group ID,
 // pull credentials, and image ref. For the same sets of those values, the
 // same token is always returned.
-func NewImageCacheToken(ctx context.Context, env environment.Env, creds PullCredentials, imageRef string) (ImageCacheToken, error) {
+func NewImageCacheToken(ctx context.Context, env environment.Env, creds PullCredentials, imageRef string) (interfaces.ImageCacheToken, error) {
 	groupID := ""
 	u, err := perms.AuthenticatedUser(ctx, env)
 	if err != nil {
 		if !authutil.IsAnonymousUserError(err) {
-			return ImageCacheToken{}, err
+			return interfaces.ImageCacheToken{}, err
 		}
 	} else {
 		groupID = u.GetGroupID()
 	}
-	return ImageCacheToken{
+	return interfaces.ImageCacheToken{
 		GroupID:  groupID,
 		ImageRef: imageRef,
 	}, nil
 }
 
-// ImageCacheAuthenticator grants access to short-lived tokens for accessing
+// imageCacheAuthenticator grants access to short-lived tokens for accessing
 // locally cached images without needing to re-authenticate with the remote
 // registry (which can be slow).
-type ImageCacheAuthenticator struct {
+type imageCacheAuthenticator struct {
 	opts ImageCacheAuthenticatorOpts
 
 	mu               sync.Mutex // protects(tokenExpireTimes)
-	tokenExpireTimes map[ImageCacheToken]time.Time
+	tokenExpireTimes map[interfaces.ImageCacheToken]time.Time
 }
 
 type ImageCacheAuthenticatorOpts struct {
@@ -320,31 +320,31 @@ type ImageCacheAuthenticatorOpts struct {
 	TokenTTL time.Duration
 }
 
-func NewImageCacheAuthenticator(opts ImageCacheAuthenticatorOpts) *ImageCacheAuthenticator {
+func NewImageCacheAuthenticator(opts ImageCacheAuthenticatorOpts) *imageCacheAuthenticator {
 	if opts.TokenTTL == 0 {
 		opts.TokenTTL = defaultImageCacheTokenTTL
 	}
-	return &ImageCacheAuthenticator{
+	return &imageCacheAuthenticator{
 		opts:             opts,
-		tokenExpireTimes: map[ImageCacheToken]time.Time{},
+		tokenExpireTimes: map[interfaces.ImageCacheToken]time.Time{},
 	}
 }
 
-func (a *ImageCacheAuthenticator) IsAuthorized(token ImageCacheToken) bool {
+func (a *imageCacheAuthenticator) IsAuthorized(token interfaces.ImageCacheToken) bool {
 	a.mu.Lock()
 	defer a.mu.Unlock()
 	a.purgeExpiredTokens()
 	_, ok := a.tokenExpireTimes[token]
 	return ok
 }
 
-func (a *ImageCacheAuthenticator) Refresh(token ImageCacheToken) {
+func (a *imageCacheAuthenticator) Refresh(token interfaces.ImageCacheToken) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
 	a.tokenExpireTimes[token] = time.Now().Add(a.opts.TokenTTL)
 }
 
-func (a *ImageCacheAuthenticator) purgeExpiredTokens() {
+func (a *imageCacheAuthenticator) purgeExpiredTokens() {
 	for token, expireTime := range a.tokenExpireTimes {
 		if time.Now().After(expireTime) {
 			delete(a.tokenExpireTimes, token)

enterprise/server/remote_execution/container/container_test.go

@@ -61,7 +61,7 @@ func TestPullImageIfNecessary_ValidCredentials(t *testing.T) {
 	env := testenv.GetTestEnv(t)
 	ta := testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1", "US2", "GR2"))
 	env.SetAuthenticator(ta)
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
+	env.SetImageCacheAuthenticator(container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{}))
 	imageRef := "docker.io/some-org/some-image:v1.0.0"
 	ctx := userCtx(t, ta, "US1")
 	goodCreds1 := container.PullCredentials{
@@ -76,17 +76,17 @@ func TestPullImageIfNecessary_ValidCredentials(t *testing.T) {
 
 	assert.Equal(t, 0, c.PullCount, "sanity check: pull count should be 0 initially")
 
-	err := container.PullImageIfNecessary(ctx, env, cacheAuth, c, goodCreds1, imageRef)
+	err := container.PullImageIfNecessary(ctx, env, c, goodCreds1, imageRef)
 
 	require.NoError(t, err)
 	assert.Equal(t, 1, c.PullCount, "should pull the image if credentials are valid")
 
-	err = container.PullImageIfNecessary(ctx, env, cacheAuth, c, goodCreds1, imageRef)
+	err = container.PullImageIfNecessary(ctx, env, c, goodCreds1, imageRef)
 
 	require.NoError(t, err)
 	assert.Equal(t, 1, c.PullCount, "should not need to immediately re-authenticate with the remote registry")
 
-	err = container.PullImageIfNecessary(ctx, env, cacheAuth, c, goodCreds2, imageRef)
+	err = container.PullImageIfNecessary(ctx, env, c, goodCreds2, imageRef)
 
 	require.NoError(t, err)
 	assert.Equal(
@@ -98,7 +98,7 @@ func TestPullImageIfNecessary_InvalidCredentials_PermissionDenied(t *testing.T)
 	env := testenv.GetTestEnv(t)
 	ta := testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1", "US2", "GR2"))
 	env.SetAuthenticator(ta)
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
+	env.SetImageCacheAuthenticator(container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{}))
 	imageRef := "docker.io/some-org/some-image:v1.0.0"
 	ctx := userCtx(t, ta, "US1")
 	goodCreds := container.PullCredentials{
@@ -111,15 +111,15 @@ func TestPullImageIfNecessary_InvalidCredentials_PermissionDenied(t *testing.T)
 		Password: "trying-to-guess-the-real-secret",
 	}
 
-	err := container.PullImageIfNecessary(ctx, env, cacheAuth, c, badCreds, imageRef)
+	err := container.PullImageIfNecessary(ctx, env, c, badCreds, imageRef)
 
 	require.True(t, status.IsPermissionDeniedError(err), "should return PermissionDenied if credentials are valid")
 
-	err = container.PullImageIfNecessary(ctx, env, cacheAuth, c, badCreds, imageRef)
+	err = container.PullImageIfNecessary(ctx, env, c, badCreds, imageRef)
 
 	require.True(t, status.IsPermissionDeniedError(err), "should return PermissionDenied on subsequent attempts as well")
 
-	err = container.PullImageIfNecessary(ctx, env, cacheAuth, c, goodCreds, imageRef)
+	err = container.PullImageIfNecessary(ctx, env, c, goodCreds, imageRef)
 
 	require.NoError(t, err, "good creds should still work after previous incorrect attempts")
 }

enterprise/server/remote_execution/containers/docker/docker.go

@@ -60,10 +60,9 @@ var (
 )
 
 type Provider struct {
-	env            environment.Env
-	client         *dockerclient.Client
-	imageCacheAuth *container.ImageCacheAuthenticator
-	buildRoot      string
+	env       environment.Env
+	client    *dockerclient.Client
+	buildRoot string
 }
 
 var (
@@ -100,17 +99,16 @@ func NewClient() (*dockerclient.Client, error) {
 	return dockerClient, initErr
 }
 
-func NewProvider(env environment.Env, imageCacheAuth *container.ImageCacheAuthenticator, hostBuildRoot string) (*Provider, error) {
+func NewProvider(env environment.Env, hostBuildRoot string) (*Provider, error) {
 	client, err := NewClient()
 	if err != nil {
 		return nil, status.FailedPreconditionErrorf("Failed to create docker client: %s", err)
 	}
 
 	return &Provider{
-		env:            env,
-		client:         client,
-		imageCacheAuth: imageCacheAuth,
-		buildRoot:      hostBuildRoot,
+		env:       env,
+		client:    client,
+		buildRoot: hostBuildRoot,
 	}, nil
 }
 
@@ -130,7 +128,7 @@ func (p *Provider) New(ctx context.Context, props *platform.Properties, task *re
 		Volumes:                 *dockerVolumes,
 		InheritUserIDs:          *dockerInheritUserIDs,
 	}
-	return NewDockerContainer(p.env, p.imageCacheAuth, p.client, props.ContainerImage, p.buildRoot, opts), nil
+	return NewDockerContainer(p.env, p.client, props.ContainerImage, p.buildRoot, opts), nil
 }
 
 type DockerOptions struct {
@@ -151,8 +149,7 @@ type DockerOptions struct {
 
 // dockerCommandContainer containerizes a command's execution using a Docker container.
 type dockerCommandContainer struct {
-	env            environment.Env
-	imageCacheAuth *container.ImageCacheAuthenticator
+	env environment.Env
 
 	image string
 	// hostRootDir is the path on the _host_ machine ("node", in k8s land) of the
@@ -173,14 +170,13 @@ type dockerCommandContainer struct {
 	removed bool
 }
 
-func NewDockerContainer(env environment.Env, imageCacheAuth *container.ImageCacheAuthenticator, client *dockerclient.Client, image, hostRootDir string, options *DockerOptions) *dockerCommandContainer {
+func NewDockerContainer(env environment.Env, client *dockerclient.Client, image, hostRootDir string, options *DockerOptions) *dockerCommandContainer {
 	return &dockerCommandContainer{
-		env:            env,
-		imageCacheAuth: imageCacheAuth,
-		image:          image,
-		hostRootDir:    hostRootDir,
-		client:         client,
-		options:        options,
+		env:         env,
+		image:       image,
+		hostRootDir: hostRootDir,
+		client:      client,
+		options:     options,
 	}
 }
 
@@ -206,7 +202,7 @@ func (r *dockerCommandContainer) Run(ctx context.Context, command *repb.Command,
 
 	// explicitly pull the image before running to avoid the
 	// pull output logs spilling into the execution logs.
-	if err := container.PullImageIfNecessary(ctx, r.env, r.imageCacheAuth, r, creds, r.image); err != nil {
+	if err := container.PullImageIfNecessary(ctx, r.env, r, creds, r.image); err != nil {
 		result.Error = wrapDockerErr(err, fmt.Sprintf("failed to pull docker image %q", r.image))
 		return result
 	}

enterprise/server/remote_execution/containers/docker/docker_test.go

@@ -59,8 +59,8 @@ func TestDockerRun(t *testing.T) {
 	}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	env.SetImageCacheAuthenticator(container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{}))
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 
 	res := c.Run(ctx, cmd, workDir, container.PullCredentials{})
 
@@ -95,8 +95,8 @@ func TestDockerLifecycleControl(t *testing.T) {
 	}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	env.SetImageCacheAuthenticator(container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{}))
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 
 	isContainerRunning := false
 	t.Cleanup(func() {
@@ -114,7 +114,7 @@ func TestDockerLifecycleControl(t *testing.T) {
 	})
 
 	err = container.PullImageIfNecessary(
-		ctx, env, cacheAuth, c, container.PullCredentials{},
+		ctx, env, c, container.PullCredentials{},
 		"mirror.gcr.io/library/busybox",
 	)
 	require.NoError(t, err)
@@ -184,11 +184,10 @@ func TestDockerRun_Timeout_StdoutStderrStillVisible(t *testing.T) {
 	}}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 	// Ensure the image is cached
 	err = container.PullImageIfNecessary(
-		ctx, env, cacheAuth, c, container.PullCredentials{}, "mirror.gcr.io/library/busybox")
+		ctx, env, c, container.PullCredentials{}, "mirror.gcr.io/library/busybox")
 	require.NoError(t, err)
 
 	ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
@@ -238,11 +237,10 @@ func TestDockerExec_Timeout_StdoutStderrStillVisible(t *testing.T) {
 	}}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 	// Ensure the image is cached
 	err = container.PullImageIfNecessary(
-		ctx, env, cacheAuth, c, container.PullCredentials{}, "mirror.gcr.io/library/busybox")
+		ctx, env, c, container.PullCredentials{}, "mirror.gcr.io/library/busybox")
 	require.NoError(t, err)
 
 	err = c.Create(ctx, workDir)
@@ -298,10 +296,9 @@ func TestDockerExec_Stdio(t *testing.T) {
 	}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 	err = container.PullImageIfNecessary(
-		ctx, env, cacheAuth, c, container.PullCredentials{},
+		ctx, env, c, container.PullCredentials{},
 		"mirror.gcr.io/library/busybox",
 	)
 	require.NoError(t, err)
@@ -347,8 +344,7 @@ func TestDockerRun_LongRunningProcess_CanGetAllLogs(t *testing.T) {
 	}
 	env := testenv.GetTestEnv(t)
 	env.SetAuthenticator(testauth.NewTestAuthenticator(testauth.TestUsers("US1", "GR1")))
-	cacheAuth := container.NewImageCacheAuthenticator(container.ImageCacheAuthenticatorOpts{})
-	c := docker.NewDockerContainer(env, cacheAuth, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
+	c := docker.NewDockerContainer(env, dc, "mirror.gcr.io/library/busybox", rootDir, cfg)
 
 	res := c.Run(ctx, cmd, workDir, container.PullCredentials{})
 

enterprise/server/remote_execution/containers/firecracker/BUILD

@@ -90,6 +90,7 @@ go_test(
         "//enterprise/server/remote_execution/runner",
         "//enterprise/server/remote_execution/snaploader",
         "//enterprise/server/remote_execution/workspace",
+        "//enterprise/server/testutil/testcontainer",
         "//enterprise/server/util/ext4",
         "//proto:firecracker_go_proto",
         "//proto:remote_execution_go_proto",
@@ -148,6 +149,7 @@ go_test(
         "//enterprise/server/remote_execution/runner",
         "//enterprise/server/remote_execution/snaploader",
         "//enterprise/server/remote_execution/workspace",
+        "//enterprise/server/testutil/testcontainer",
         "//enterprise/server/util/ext4",
         "//proto:firecracker_go_proto",
         "//proto:remote_execution_go_proto",