authorSebastiaan van Stijn <github@gone.nl>2022-05-03 13:52:17 +0200
committerSebastiaan van Stijn <github@gone.nl>2022-05-04 20:17:18 +0200
commitbb1208639b4cf92522d56b8cba2a4c30033a2144 (patch)
treeb6e52467bbbfc008b2615990b32294313c7ebb56 /integration
parent846d37cad31af970ab7a98e461891de33c784974 (diff)
daemon: separate daemon ID from trust-key
This change is in preparation for deprecating support for old manifests. Currently the daemon's ID is based on the trust-key ID, which will be removed once we fully deprecate support for old manifests (the trust key is currently only used in tests). This patch: - looks if a trust-key is present; if so, it migrates the trust-key ID to the new "engine-id" file within the daemon's root. - if no trust-key is present (so in case it's a "fresh" install), we generate a UUID instead and use that as ID. The migration is to prevent engines from getting a new ID on upgrades; while we don't provide any guarantees on the engine's ID, users may expect the ID to be "stable" (not change) between upgrades. A test has been added, which can be run with: make DOCKER_GRAPHDRIVER=vfs TEST_FILTER='TestConfigDaemonID' test-integration Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'integration')
-rw-r--r--integration/daemon/daemon_test.go52
1 files changed, 47 insertions, 5 deletions
diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go
index 346857d9ae..e4649a7ab3 100644
--- a/integration/daemon/daemon_test.go
+++ b/integration/daemon/daemon_test.go
@@ -22,6 +22,11 @@ import (
"gotest.tools/v3/skip"
)
+const (
+ libtrustKey = `{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`
+ libtrustKeyID = "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB"
+)
+
func TestConfigDaemonLibtrustID(t *testing.T) {
skip.If(t, runtime.GOOS == "windows")
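Review bot: The new `libtrustKey` constant embeds a complete EC private key (the JWK carries the `d` member), and nothing in the const block says it is a fixture. A short comment above the block would make that explicit for readers and for secret-scanner triage, for example `// libtrustKey is a throwaway JWK (private key included) used only as a test fixture; libtrustKeyID is its "kid".` The same key was already inline in the old test body, so this only documents what is there.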
@@ -29,16 +34,53 @@ func TestConfigDaemonLibtrustID(t *testing.T) {
defer d.Stop(t)
trustKey := filepath.Join(d.RootDir(), "key.json")
- err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644)
+ err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
+ assert.NilError(t, err)
+
+ cfg := filepath.Join(d.RootDir(), "daemon.json")
+ err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
+ assert.NilError(t, err)
+
+ d.Start(t, "--config-file", cfg)
+ info := d.Info(t)
+ assert.Equal(t, info.ID, libtrustKeyID)
+}
+
+func TestConfigDaemonID(t *testing.T) {
+ skip.If(t, runtime.GOOS == "windows")
+
+ d := daemon.New(t)
+ defer d.Stop(t)
+
+ trustKey := filepath.Join(d.RootDir(), "key.json")
+ err := os.WriteFile(trustKey, []byte(libtrustKey), 0644)
assert.NilError(t, err)
- config := filepath.Join(d.RootDir(), "daemon.json")
- err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
+ cfg := filepath.Join(d.RootDir(), "daemon.json")
+ err = os.WriteFile(cfg, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
assert.NilError(t, err)
- d.Start(t, "--config-file", config)
+ // Verify that on an installation with a trust-key present, the ID matches
+ // the trust-key ID, and that the ID has been migrated to the engine-id file.
+ d.Start(t, "--config-file", cfg, "--iptables=false")
info := d.Info(t)
- assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB")
+ assert.Equal(t, info.ID, libtrustKeyID)
+
+ idFile := filepath.Join(d.RootDir(), "engine-id")
+ id, err := os.ReadFile(idFile)
+ assert.NilError(t, err)
+ assert.Equal(t, string(id), libtrustKeyID)
+ d.Stop(t)
+
+ // Verify that (if present) the engine-id file takes precedence
+ const engineID = "this-is-the-engine-id"
+ err = os.WriteFile(idFile, []byte(engineID), 0600)
+ assert.NilError(t, err)
+
+ d.Start(t, "--config-file", cfg, "--iptables=false")
+ info = d.Info(t)
+ assert.Equal(t, info.ID, engineID)
+ d.Stop(t)
}
func TestDaemonConfigValidation(t *testing.T) {
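Review bot: TestConfigDaemonID checks the trust-key migration and the engine-id precedence, but not the fresh-install path the commit message describes, where no trust-key exists and an ID is generated. A third stanza before the closing brace could remove both files, restart, and check that the reported ID is non-empty, differs from `libtrustKeyID`, and matches what was written to `engine-id`. The sketch below assumes the daemon treats a missing file at `deprecated-key-path` as "no trust-key", which is not visible in this diff. Separately, both `os.WriteFile(trustKey, ...)` calls keep mode `0644` for a file holding private key material while `engine-id` is written with `0600`; `0600` for key.json would be the more careful habit even for a fixture.

```go
	// … unchanged: trust-key migration and engine-id precedence checks …

	// Verify that without a trust-key or engine-id file an ID is generated
	// and persisted to the engine-id file.
	assert.NilError(t, os.Remove(trustKey))
	assert.NilError(t, os.Remove(idFile))

	d.Start(t, "--config-file", cfg, "--iptables=false")
	info = d.Info(t)
	assert.Assert(t, info.ID != "")
	assert.Assert(t, info.ID != libtrustKeyID)

	id, err = os.ReadFile(idFile)
	assert.NilError(t, err)
	assert.Equal(t, string(id), info.ID)
	d.Stop(t)
```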