Merge pull request #282 from jkl73/miscfixfeb

[launcher] Fix image pulling in launcher
google · Feb 15, 2023 · 4a63ee0 · 4a63ee0
2 parents 2ed3096 + 276fea5
commit 4a63ee0
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 10 deletions.
diff --git a/launcher/auth.go b/launcher/auth.go
@@ -2,6 +2,7 @@ package launcher
 
 import (
 	"encoding/json"
+	"strings"
 
 	"cloud.google.com/go/compute/metadata"
 	"github.com/containerd/containerd/remotes"
@@ -31,7 +32,11 @@ func Resolver(token string) remotes.Resolver {
 	options := docker.ResolverOptions{}
 
 	credentials := func(host string) (string, string, error) {
-		return "_token", token, nil
+		// append the token if is talking to Artifact Registry or GCR Registry
+		if strings.HasSuffix(host, "docker.pkg.dev") || strings.HasSuffix(host, "gcr.io") {
+			return "_token", token, nil
+		}
+		return "", "", nil
 	}
 	authOpts := []docker.AuthorizerOpt{docker.WithAuthCreds(credentials)}
 	options.Authorizer = docker.NewDockerAuthorizer(authOpts...)

diff --git a/launcher/container_runner.go b/launcher/container_runner.go
@@ -392,7 +392,7 @@ func (r *ContainerRunner) fetchAndWriteTokenWithRetry(ctx context.Context,
 			select {
 			case <-ctx.Done():
 				timer.Stop()
-				r.logger.Printf("token refreshing stopped: %v", ctx.Err())
+				r.logger.Println("token refreshing stopped")
 				return
 			case <-timer.C:
 				var duration time.Duration
@@ -516,16 +516,18 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
 }
 
 func initImage(ctx context.Context, cdClient *containerd.Client, launchSpec spec.LaunchSpec, token oauth2.Token, logger *log.Logger) (containerd.Image, error) {
-	var remoteOpt containerd.RemoteOpt
 	if token.Valid() {
-		remoteOpt = containerd.WithResolver(Resolver(token.AccessToken))
-	} else {
-		logger.Println("invalid auth token, will use empty auth")
-	}
+		remoteOpt := containerd.WithResolver(Resolver(token.AccessToken))
 
-	image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack, remoteOpt)
+		image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack, remoteOpt)
+		if err != nil {
+			return nil, fmt.Errorf("cannot pull the image: %w", err)
+		}
+		return image, nil
+	}
+	image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack)
 	if err != nil {
-		return nil, fmt.Errorf("cannot pull image: %w", err)
+		return nil, fmt.Errorf("cannot pull the image (no token, only works for a public image): %w", err)
 	}
 	return image, nil
 }

diff --git a/launcher/container_runner_test.go b/launcher/container_runner_test.go
@@ -18,8 +18,13 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/namespaces"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-tpm-tools/cel"
+	"github.com/google/go-tpm-tools/launcher/spec"
+	"golang.org/x/oauth2"
 	"google.golang.org/api/option"
 )
 
@@ -464,3 +469,31 @@ func TestGetNextRefresh(t *testing.T) {
 		}
 	}
 }
+
+func TestInitImageDockerPublic(t *testing.T) {
+	// testing image fetching using a dummy token and a docker repo url
+	containerdClient, err := containerd.New(defaults.DefaultAddress)
+	if err != nil {
+		t.Skipf("test needs containerd daemon: %v", err)
+	}
+
+	ctx := namespaces.WithNamespace(context.Background(), "test")
+	// This is a "valid" token (formatwise)
+	validToken := oauth2.Token{AccessToken: "000000", Expiry: time.Now().Add(time.Hour)}
+	if _, err := initImage(ctx, containerdClient, spec.LaunchSpec{ImageRef: "docker.io/library/hello-world:latest"}, validToken, log.Default()); err != nil {
+		t.Error(err)
+	} else {
+		if err := containerdClient.ImageService().Delete(ctx, "docker.io/library/hello-world:latest"); err != nil {
+			t.Error(err)
+		}
+	}
+
+	invalidToken := oauth2.Token{}
+	if _, err := initImage(ctx, containerdClient, spec.LaunchSpec{ImageRef: "docker.io/library/hello-world:latest"}, invalidToken, log.Default()); err != nil {
+		t.Error(err)
+	} else {
+		if err := containerdClient.ImageService().Delete(ctx, "docker.io/library/hello-world:latest"); err != nil {
+			t.Error(err)
+		}
+	}
+}
diff --git a/launcher/launcher/main.go b/launcher/launcher/main.go
@@ -168,7 +168,7 @@ func startLauncher() error {
 
 	token, err := launcher.RetrieveAuthToken(mdsClient)
 	if err != nil {
-		logger.Printf("failed to retrieve auth token: %v, using empty auth", err)
+		logger.Printf("failed to retrieve auth token: %v, using empty auth for image pulling\n", err)
 	}
 
 	ctx := namespaces.WithNamespace(context.Background(), namespaces.Default)