[launcher] Fix image pulling in launcher

Now will only supply access token when pulling from GCP gcr.io or artifact registries. Also can pull images without a token from the public docker.io registry. Signed-off-by: Jiankun Lu <jiankun@google.com>
google · Feb 8, 2023 · 53ba115 · 53ba115
1 parent 1e4872c
commit 53ba115
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/launcher/auth.go b/launcher/auth.go
@@ -2,6 +2,7 @@ package launcher
 
 import (
 	"encoding/json"
+	"strings"
 
 	"cloud.google.com/go/compute/metadata"
 	"github.com/containerd/containerd/remotes"
@@ -31,7 +32,11 @@ func Resolver(token string) remotes.Resolver {
 	options := docker.ResolverOptions{}
 
 	credentials := func(host string) (string, string, error) {
-		return "_token", token, nil
+		// append the token if is talking to Artifact Registry or GCR Registry
+		if strings.HasSuffix(host, "docker.pkg.dev") || strings.HasSuffix(host, "gcr.io") {
+			return "_token", token, nil
+		}
+		return "", "", nil
 	}
 	authOpts := []docker.AuthorizerOpt{docker.WithAuthCreds(credentials)}
 	options.Authorizer = docker.NewDockerAuthorizer(authOpts...)

diff --git a/launcher/container_runner.go b/launcher/container_runner.go
@@ -516,16 +516,18 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
 }
 
 func initImage(ctx context.Context, cdClient *containerd.Client, launchSpec spec.LaunchSpec, token oauth2.Token, logger *log.Logger) (containerd.Image, error) {
-	var remoteOpt containerd.RemoteOpt
 	if token.Valid() {
-		remoteOpt = containerd.WithResolver(Resolver(token.AccessToken))
-	} else {
-		logger.Println("invalid auth token, will use empty auth")
-	}
+		remoteOpt := containerd.WithResolver(Resolver(token.AccessToken))
 
-	image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack, remoteOpt)
+		image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack, remoteOpt)
+		if err != nil {
+			return nil, fmt.Errorf("cannot pull the image: %w", err)
+		}
+		return image, nil
+	}
+	image, err := cdClient.Pull(ctx, launchSpec.ImageRef, containerd.WithPullUnpack)
 	if err != nil {
-		return nil, fmt.Errorf("cannot pull image: %w", err)
+		return nil, fmt.Errorf("cannot pull the image (no token, only works for a public image): %w", err)
 	}
 	return image, nil
 }

diff --git a/launcher/launcher/main.go b/launcher/launcher/main.go
@@ -168,7 +168,7 @@ func startLauncher() error {
 
 	token, err := launcher.RetrieveAuthToken(mdsClient)
 	if err != nil {
-		logger.Printf("failed to retrieve auth token: %v, using empty auth", err)
+		logger.Printf("failed to retrieve auth token: %v, using empty auth for image pulling\n", err)
 	}
 
 	ctx := namespaces.WithNamespace(context.Background(), namespaces.Default)