diff options
author | Sebastiaan van Stijn <github@gone.nl> | 2022-05-03 13:52:17 +0200 |
---|---|---|
committer | Sebastiaan van Stijn <github@gone.nl> | 2022-05-04 20:17:18 +0200 |
commit | bb1208639b4cf92522d56b8cba2a4c30033a2144 (patch) | |
tree | b6e52467bbbfc008b2615990b32294313c7ebb56 /integration | |
parent | 846d37cad31af970ab7a98e461891de33c784974 (diff) | |
download | docker-bb1208639b4cf92522d56b8cba2a4c30033a2144.tar.gz |
daemon: separate daemon ID from trust-key
This change is in preparation of deprecating support for old manifests.
Currently the daemon's ID is based on the trust-key ID, which will be
removed once we fully deprecate support for old manifests (the trust
key is currently only used in tests).
This patch:
- looks if a trust-key is present; if so, it migrates the trust-key
ID to the new "engine-id" file within the daemon's root.
- if no trust-key is present (so in case it's a "fresh" install), we
generate a UUID instead and use that as ID.
The migration is to prevent engines from getting a new ID on upgrades;
while we don't provide any guarantees on the engine's ID, users may
expect the ID to be "stable" (not change) between upgrades.
A test has been added, which can be ran with;
make DOCKER_GRAPHDRIVER=vfs TEST_FILTER='TestConfigDaemonID' test-integration
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'integration')
-rw-r--r-- | integration/daemon/daemon_test.go | 52 |
1 files changed, 47 insertions, 5 deletions
diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go index 346857d9ae..e4649a7ab3 100644 --- a/integration/daemon/daemon_test.go +++ b/integration/daemon/daemon_test.go @@ -22,6 +22,11 @@ import ( "gotest.tools/v3/skip" ) +const ( + libtrustKey = `{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}` + libtrustKeyID = "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB" +) + func TestConfigDaemonLibtrustID(t *testing.T) { skip.If(t, runtime.GOOS == "windows") @@ -29,16 +34,53 @@ func TestConfigDaemonLibtrustID(t *testing.T) { defer d.Stop(t) trustKey := filepath.Join(d.RootDir(), "key.json") - err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644) + err := os.WriteFile(trustKey, []byte(libtrustKey), 0644) + assert.NilError(t, err) + + cfg := filepath.Join(d.RootDir(), "daemon.json") + err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644) + assert.NilError(t, err) + + d.Start(t, "--config-file", cfg) + info := d.Info(t) + assert.Equal(t, info.ID, libtrustKeyID) +} + +func TestConfigDaemonID(t *testing.T) { + skip.If(t, runtime.GOOS == "windows") + + d := daemon.New(t) + defer d.Stop(t) + + trustKey := filepath.Join(d.RootDir(), "key.json") + err := os.WriteFile(trustKey, []byte(libtrustKey), 0644) assert.NilError(t, err) - config := filepath.Join(d.RootDir(), "daemon.json") - err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644) + cfg := filepath.Join(d.RootDir(), "daemon.json") + err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644) assert.NilError(t, err) - d.Start(t, "--config-file", config) + // Verify that on an installation with a trust-key present, the ID matches + // the trust-key ID, and that the ID has been migrated to the engine-id file. + d.Start(t, "--config-file", cfg, "--iptables=false") info := d.Info(t) - assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB") + assert.Equal(t, info.ID, libtrustKeyID) + + idFile := filepath.Join(d.RootDir(), "engine-id") + id, err := os.ReadFile(idFile) + assert.NilError(t, err) + assert.Equal(t, string(id), libtrustKeyID) + d.Stop(t) + + // Verify that (if present) the engine-id file takes precedence + const engineID = "this-is-the-engine-id" + err = os.WriteFile(idFile, []byte(engineID), 0600) + assert.NilError(t, err) + + d.Start(t, "--config-file", cfg, "--iptables=false") + info = d.Info(t) + assert.Equal(t, info.ID, engineID) + d.Stop(t) } func TestDaemonConfigValidation(t *testing.T) { |