Merge pull request moby#5390 from crazy-max/ci-mount-docker-config

hack: mount docker config on gha

Author: tonistiigi

.github/CONTRIBUTING.md

@@ -164,6 +164,10 @@ CGO_ENABLED=1 GOBUILDFLAGS="-race" ./hack/test integration
 Set `TEST_KEEP_CACHE=1` for the test framework to keep external dependant images in a docker volume
 if you are repeatedly calling `./hack/test` script. This helps to avoid rate limiting on the remote registry side.
 
+You can also set `MOUNT_BUILDKIT_DOCKER_CONFIG_PATH` to forward docker config that will be used to pull
+test images into the container. Don't use your personal docker config, create a new one with a dedicated
+token that only has public read-only access.
+
 If you are working behind a proxy, you can set some of or all
 `HTTP_PROXY=http://ip:port`, `HTTPS_PROXY=http://ip:port`, `NO_PROXY=http://ip:port` for the test framework
 to specify the proxy build args.

hack/shell

@@ -20,5 +20,12 @@ if [ -n "$MOUNT_BUILDKIT_SOURCE" ]; then
   volumes="-v $(pwd):/src"
 fi
 
+config=
+if [ -n "$MOUNT_BUILDKIT_DOCKER_CONFIG_PATH" ]; then
+  if [ -f "$MOUNT_BUILDKIT_DOCKER_CONFIG_PATH" ]; then
+    config="-v $MOUNT_BUILDKIT_DOCKER_CONFIG_PATH:/root/.docker/config.json:ro"
+  fi
+fi
+
 set -x
-docker run $SSH $volumes -it --privileged -v /tmp -e BUILDKIT_REGISTRY_MIRROR_DIR=/root/.cache/registry --rm $(cat $iidfile) ash
+docker run $SSH $volumes $config -it --privileged -v /tmp -e BUILDKIT_REGISTRY_MIRROR_DIR=/root/.cache/registry --rm $(cat $iidfile) ash

hack/test

@@ -29,6 +29,7 @@ set -eu -o pipefail
 : "${DOCKERFILE_RELEASES=}"
 : "${BUILDKIT_WORKER_RANDOM=}"
 : "${BUILDKIT_TEST_DISABLE_FEATURES=}"
+: "${MOUNT_BUILDKIT_DOCKER_CONFIG_PATH=}"
 
 if [ "$TEST_DOCKERD" == "1" ]; then
   if [ ! -f "$TEST_DOCKERD_BINARY" ]; then
@@ -107,7 +108,18 @@ if [ "$TEST_KEEP_CACHE" != "1" ]; then
   trap 'docker rm -v $cacheVolume' EXIT
 fi
 
-baseCreateFlags="--rm --privileged \
+dockerConfigMount=""
+if [ "$GITHUB_ACTIONS" = "true" ] || [ -n "$MOUNT_BUILDKIT_DOCKER_CONFIG_PATH" ]; then
+  dockerConfigPath="$HOME/.docker/config.json"
+  if [ -n "$MOUNT_BUILDKIT_DOCKER_CONFIG_PATH" ]; then
+    dockerConfigPath="$MOUNT_BUILDKIT_DOCKER_CONFIG_PATH"
+  fi
+  if [ -f "$dockerConfigPath" ]; then
+    dockerConfigMount="-v $dockerConfigPath:/root/.docker/config.json:ro"
+  fi
+fi
+
+baseCreateFlags="--rm --privileged $dockerConfigMount \
 -v /tmp $testReportsVol \
 --volumes-from=$cacheVolume \
 -e CGO_ENABLED \

util/contentutil/refs.go

@@ -16,12 +16,41 @@ import (
 	"github.com/pkg/errors"
 )
 
-func ProviderFromRef(ref string) (ocispecs.Descriptor, content.Provider, error) {
+type ResolveOpt struct {
+	Credentials func(string) (string, string, error)
+}
+
+type ResolveOptFunc func(*ResolveOpt)
+
+func WithCredentials(c func(string) (string, string, error)) ResolveOptFunc {
+	return func(o *ResolveOpt) {
+		o.Credentials = func(host string) (string, string, error) {
+			if host == "registry-1.docker.io" {
+				host = "https://index.docker.io/v1/"
+			}
+			return c(host)
+		}
+	}
+}
+
+func ProviderFromRef(ref string, opts ...ResolveOptFunc) (ocispecs.Descriptor, content.Provider, error) {
 	headers := http.Header{}
 	headers.Set("User-Agent", version.UserAgent())
-	remote := docker.NewResolver(docker.ResolverOptions{
+
+	var ro ResolveOpt
+	for _, f := range opts {
+		f(&ro)
+	}
+
+	dro := docker.ResolverOptions{
 		Headers: headers,
-	})
+	}
+	if ro.Credentials != nil {
+		dro.Hosts = docker.ConfigureDefaultRegistries(
+			docker.WithAuthorizer(docker.NewDockerAuthorizer(docker.WithAuthCreds(ro.Credentials))),
+		)
+	}
+	remote := docker.NewResolver(dro)
 
 	name, desc, err := remote.Resolve(context.TODO(), ref)
 	if err != nil {

util/testutil/integration/run.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/containerd/containerd/v2/core/content"
 	"github.com/containerd/containerd/v2/core/remotes/docker"
+	"github.com/docker/cli/cli/config"
 	"github.com/gofrs/flock"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/moby/buildkit/util/contentutil"
@@ -257,7 +258,16 @@ func copyImagesLocal(t *testing.T, host string, images map[string]string) error
 				defer closer()
 			}
 		} else {
-			desc, provider, err = contentutil.ProviderFromRef(from)
+			dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+
+			desc, provider, err = contentutil.ProviderFromRef(from, contentutil.WithCredentials(
+				func(host string) (string, string, error) {
+					ac, err := dockerConfig.GetAuthConfig(host)
+					if err != nil {
+						return "", "", err
+					}
+					return ac.Username, ac.Password, nil
+				}))
 			if err != nil {
 				return err
 			}