labring
diff --git a/‎lifecycle/cmd/image-cri-shim/cmd/root.go‎
Lines changed: 100 additions & 7 deletions b/‎lifecycle/cmd/image-cri-shim/cmd/root.go‎
Lines changed: 100 additions & 7 deletions
diff --git a/‎lifecycle/cmd/image-cri-shim/cmd/root_test.go‎
Lines changed: 163 additions & 0 deletions b/‎lifecycle/cmd/image-cri-shim/cmd/root_test.go‎
Lines changed: 163 additions & 0 deletions
diff --git a/‎lifecycle/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎lifecycle/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lifecycle/staging/src/github.com/labring/image-cri-shim/go.mod‎
Lines changed: 8 additions & 0 deletions b/‎lifecycle/staging/src/github.com/labring/image-cri-shim/go.mod‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎lifecycle/staging/src/github.com/labring/image-cri-shim/go.sum‎
Lines changed: 8 additions & 8 deletions b/‎lifecycle/staging/src/github.com/labring/image-cri-shim/go.sum‎
Lines changed: 8 additions & 8 deletions
@@ -17,10 +17,14 @@ limitations under the License.
 package cmd
 
 import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"os"
 	"os/signal"
 	"syscall"
+	"time"
 
 	"github.com/labring/image-cri-shim/pkg/shim"
 	"github.com/labring/image-cri-shim/pkg/types"
@@ -68,7 +72,7 @@ func Execute() {
 }
 
 func init() {
-	rootCmd.Flags().StringVarP(&cfgFile, "file", "f", "", "image shim root config")
+	rootCmd.Flags().StringVarP(&cfgFile, "file", "f", types.DefaultImageCRIShimConfig, "image shim root config")
 }
 
 func run(cfg *types.Config, auth *types.ShimAuthConfig) {
@@ -78,6 +82,9 @@ func run(cfg *types.Config, auth *types.ShimAuthConfig) {
 		logger.Fatal("failed to new image_shim, %s", err)
 	}
 
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
 	err = imgShim.Setup()
 	if err != nil {
 		logger.Fatal("failed to setup image_shim, %s", err)
@@ -88,15 +95,101 @@ func run(cfg *types.Config, auth *types.ShimAuthConfig) {
 		logger.Fatal(fmt.Sprintf("failed to start image_shim, %s", err))
 	}
 
+	watchDone := make(chan struct{})
+	go func() {
+		defer close(watchDone)
+		if err := watchAuthConfig(ctx, cfgFile, imgShim, cfg.ReloadInterval.Duration); err != nil {
+			logger.Error("config watcher stopped with error: %v", err)
+		}
+	}()
+
 	signalCh := make(chan os.Signal, 1)
 	signal.Notify(signalCh, syscall.SIGINT, syscall.SIGTERM)
 
-	stopCh := make(chan struct{}, 1)
-	select {
-	case <-signalCh:
-		close(stopCh)
-	case <-stopCh:
-	}
+	<-signalCh
+	cancel()
+	<-watchDone
+	imgShim.Stop()
 	_ = os.Remove(cfg.ImageShimSocket)
 	logger.Info("shutting down the image_shim")
 }
+
+func watchAuthConfig(ctx context.Context, path string, imgShim shim.Shim, interval time.Duration) error {
+	if path == "" {
+		logger.Warn("config file path is empty, skip dynamic auth reload")
+		return nil
+	}
+
+	logger.Info("start watching shim config: %s", path)
+	if interval <= 0 {
+		interval = types.DefaultReloadInterval
+	}
+
+	lastHash := ""
+	if data, err := os.ReadFile(path); err == nil {
+		if cfg, err := types.UnmarshalData(data); err == nil {
+			cfg.RegistryDir = types.NormalizeRegistryDir(cfg.RegistryDir)
+			digest, err := types.RegistryDirDigest(cfg.RegistryDir)
+			if err != nil {
+				logger.Warn("failed to fingerprint registry.d %s: %v", cfg.RegistryDir, err)
+			} else {
+				sum := sha256.Sum256(append(data, digest...))
+				lastHash = hex.EncodeToString(sum[:])
+			}
+		} else {
+			logger.Warn("failed to parse shim config %s: %v", path, err)
+		}
+	}
+
+	currentInterval := interval
+	// ticker acts like a pulse; changing the config lets us tune the heartbeat without restart.
+	ticker := time.NewTicker(currentInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-ticker.C:
+			data, err := os.ReadFile(path)
+			if err != nil {
+				logger.Warn("failed to read shim config %s: %v", path, err)
+				continue
+			}
+			cfg, err := types.UnmarshalData(data)
+			if err != nil {
+				logger.Warn("failed to parse shim config %s: %v", path, err)
+				continue
+			}
+			cfg.RegistryDir = types.NormalizeRegistryDir(cfg.RegistryDir)
+			digest, err := types.RegistryDirDigest(cfg.RegistryDir)
+			if err != nil {
+				logger.Warn("failed to fingerprint registry.d %s: %v", cfg.RegistryDir, err)
+				continue
+			}
+			sum := sha256.Sum256(append(data, digest...))
+			hash := hex.EncodeToString(sum[:])
+			if hash == lastHash {
+				continue
+			}
+			auth, err := cfg.PreProcess()
+			if err != nil {
+				logger.Warn("failed to preprocess shim config %s: %v", path, err)
+				continue
+			}
+			imgShim.UpdateAuth(auth)
+			lastHash = hash
+			logger.Info("reloaded shim auth configuration from %s", path)
+			newInterval := cfg.ReloadInterval.Duration
+			if newInterval <= 0 {
+				newInterval = types.DefaultReloadInterval
+			}
+			if newInterval != currentInterval {
+				ticker.Stop()
+				ticker = time.NewTicker(newInterval)
+				currentInterval = newInterval
+				logger.Info("updated reload interval to %s", newInterval)
+			}
+		}
+	}
+}
@@ -0,0 +1,163 @@
+/*
+Copyright 2024 [email protected].
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://github.com/labring/sealos/blob/main/LICENSE.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/labring/image-cri-shim/pkg/types"
+)
+
+type fakeShim struct {
+	updates chan *types.ShimAuthConfig
+}
+
+func newFakeShim() *fakeShim {
+	return &fakeShim{updates: make(chan *types.ShimAuthConfig, 1)}
+}
+
+func (f *fakeShim) Setup() error { return nil }
+
+func (f *fakeShim) Start() error { return nil }
+
+func (f *fakeShim) Stop() {}
+
+func (f *fakeShim) UpdateAuth(auth *types.ShimAuthConfig) {
+	select {
+	case f.updates <- auth:
+	default:
+	}
+}
+
+func TestWatchAuthConfigReloads(t *testing.T) {
+	dir := t.TempDir()
+	cfgPath := filepath.Join(dir, "shim-config.yaml")
+	registryDir := filepath.Join(dir, "registry.d")
+
+	if err := os.MkdirAll(registryDir, 0o755); err != nil {
+		t.Fatalf("failed to create registry.d directory: %v", err)
+	}
+
+	mirrorPath := filepath.Join(registryDir, "mirror.yaml")
+	if err := os.WriteFile(mirrorPath, []byte("address: \"https://mirror.example.com\"\nauth: \"user:pass\"\n"), 0o644); err != nil {
+		t.Fatalf("failed to write mirror registry config: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(registryDir, "public.yaml"), []byte("address: \"https://public.example.com\"\n"), 0o644); err != nil {
+		t.Fatalf("failed to write public registry config: %v", err)
+	}
+
+	initialConfig := []byte(fmt.Sprintf(`shim: "/tmp/test.sock"
+cri: "/var/run/containerd/containerd.sock"
+address: "https://example.com"
+force: true
+auth: "offline:initial"
+reloadInterval: 10ms
+registry.d: %q
+`, registryDir))
+
+	if err := os.WriteFile(cfgPath, initialConfig, 0o644); err != nil {
+		t.Fatalf("failed to write initial config: %v", err)
+	}
+
+	shim := newFakeShim()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() {
+		done <- watchAuthConfig(ctx, cfgPath, shim, 10*time.Millisecond)
+	}()
+
+	time.Sleep(20 * time.Millisecond)
+
+	updatedConfig := []byte(fmt.Sprintf(`shim: "/tmp/test.sock"
+cri: "/var/run/containerd/containerd.sock"
+address: "https://example.com"
+force: true
+auth: "offline:updated"
+reloadInterval: 10ms
+registry.d: %q
+`, registryDir))
+
+	if err := os.WriteFile(cfgPath, updatedConfig, 0o644); err != nil {
+		t.Fatalf("failed to write updated config: %v", err)
+	}
+
+	var auth *types.ShimAuthConfig
+	select {
+	case auth = <-shim.updates:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timed out waiting for auth update")
+	}
+
+	offline, ok := auth.OfflineCRIConfigs["example.com"]
+	if !ok {
+		t.Fatalf("expected offline auth for example.com, got %#v", auth.OfflineCRIConfigs)
+	}
+	if offline.Password != "updated" {
+		t.Fatalf("expected updated password, got %q", offline.Password)
+	}
+
+	mirror, ok := auth.CRIConfigs["mirror.example.com"]
+	if !ok {
+		t.Fatalf("expected registry credentials for mirror.example.com, got %#v", auth.CRIConfigs)
+	}
+	if mirror.Password != "pass" {
+		t.Fatalf("expected initial password from registry.d, got %q", mirror.Password)
+	}
+
+	if !auth.SkipLoginRegistries["public.example.com"] {
+		t.Fatalf("expected public.example.com to skip login, got %#v", auth.SkipLoginRegistries)
+	}
+	if cfg, ok := auth.CRIConfigs["public.example.com"]; !ok || cfg.Username != "" || cfg.Password != "" {
+		t.Fatalf("expected public.example.com to use anonymous credentials, got %#v", cfg)
+	}
+
+	if err := os.WriteFile(mirrorPath, []byte("address: \"https://mirror.example.com\"\nauth: \"user:changed\"\n"), 0o644); err != nil {
+		t.Fatalf("failed to write updated mirror registry config: %v", err)
+	}
+
+	select {
+	case auth = <-shim.updates:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timed out waiting for registry.d auth update")
+	}
+
+	mirror, ok = auth.CRIConfigs["mirror.example.com"]
+	if !ok {
+		t.Fatalf("expected registry credentials for mirror.example.com after update, got %#v", auth.CRIConfigs)
+	}
+	if mirror.Password != "changed" {
+		t.Fatalf("expected updated password from registry.d, got %q", mirror.Password)
+	}
+
+	cancel()
+
+	select {
+	case err := <-done:
+		if err != nil {
+			t.Fatalf("watcher exited with error: %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("watcher did not exit after context cancel")
+	}
+}
@@ -15,7 +15,7 @@ require (
 	github.com/containers/ocicrypt v1.1.7
 	github.com/containers/storage v1.50.2
 	github.com/davecgh/go-spew v1.1.1
-	github.com/docker/docker v25.0.6+incompatible
+	github.com/docker/docker v25.0.1+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/emicklei/go-restful/v3 v3.11.0
 	github.com/emirpasic/gods v1.18.1
 
@@ -66,4 +66,12 @@ require (
 
 replace github.com/labring/sealos => ../../../../../
 
+replace github.com/docker/docker => github.com/docker/docker v25.0.1+incompatible
+
+replace gotest.tools/v3 => gotest.tools/v3 v3.5.0
+
+replace go.uber.org/goleak => go.uber.org/goleak v1.3.0
+
+replace github.com/containers/common => github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5
+
 replace k8s.io/endpointslice => k8s.io/endpointslice v0.30.3
@@ -19,8 +19,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
-github.com/containers/common v0.53.0 h1:Ax814cLeX5VXSnkKUdxz762g+27fJj1st4UvKoXmkKs=
-github.com/containers/common v0.53.0/go.mod h1:pABPxJwlTE8oYk9/2BW0e0mumkuhJHIPsABHTGRXN3w=
+github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5 h1:Lc5zOwO6+G/OItXPt4sF1DnE/UAGygiDuVKWW5bqplw=
+github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5/go.mod h1:F+dtzPF95PXAvc6Rxat7h3PVdBTvifOeBS+tQE/fiNw=
 github.com/containers/image/v5 v5.25.1-0.20230605120906-abe51339f34d h1:rNGRwMeck1s0/IPWFT7hN1WJ0R/vWP+ikueMTf8rmlI=
 github.com/containers/image/v5 v5.25.1-0.20230605120906-abe51339f34d/go.mod h1:52TGKzziLzutVX0cskgbWjQOzTDCHGPUEQH7/N2Ofnc=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -42,8 +42,8 @@ github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbT
 github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v25.0.6+incompatible h1:5cPwbwriIcsua2REJe8HqQV+6WlWc1byg2QSXzBxBGg=
-github.com/docker/docker v25.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v25.0.1+incompatible h1:k5TYd5rIVQRSqcTwCID+cyVA0yRg86+Pcrz1ls0/frA=
+github.com/docker/docker v25.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -219,8 +219,8 @@ go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPi
 go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8=
 go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
 go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo=
-go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
-go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
@@ -294,8 +294,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
 k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/cri-api v0.30.3 h1:o7AAGb3645Ik44WkHI0eqUc7JbQVmstlINLlLAtU/rI=