Diffstat (limited to 'recipes-containers/vcontainer/files/vdkr-init.sh')
| -rwxr-xr-x | recipes-containers/vcontainer/files/vdkr-init.sh | 127 |
1 files changed, 121 insertions, 6 deletions
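diff --git a/recipes-containers/vcontainer/files/vdkr-init.sh b/recipes-containers/vcontainer/files/vdkr-init.sh
index 084a8791..a993aca4 100755
--- a/recipes-containers/vcontainer/files/vdkr-init.sh
+++ b/recipes-containers/vcontainer/files/vdkr-init.sh
@@ -22,8 +22,12 @@
 # docker_network=1 Enable networking (configure eth0, DNS)
 # docker_registry=<url> Default registry for unqualified images (e.g., 10.0.2.2:5000/yocto)
 # docker_insecure_registry=<host:port> Mark registry as insecure (HTTP). Can repeat.
+# docker_registry_secure=1 Enable TLS verification for registry
+# docker_registry_ca=1 CA certificate available in /mnt/share/ca.crt
+# docker_registry_user=<user> Registry username for authentication
+# docker_registry_pass=<base64> Base64-encoded registry password
 #
-# Version: 2.4.0
+# Version: 2.5.0
 
 # Set runtime-specific parameters before sourcing common code
 VCONTAINER_RUNTIME_NAME="vdkr"
@@ -31,13 +35,21 @@ VCONTAINER_RUNTIME_CMD="docker"
 VCONTAINER_RUNTIME_PREFIX="docker"
 VCONTAINER_STATE_DIR="/var/lib/docker"
 VCONTAINER_SHARE_NAME="vdkr_share"
-VCONTAINER_VERSION="2.4.0"
+VCONTAINER_VERSION="2.5.0"
 
 # Docker-specific: default registry for unqualified image names
 # Set via kernel param: docker_registry=10.0.2.2:5000/yocto
 # Or baked into rootfs: /etc/vdkr/registry.conf
 DOCKER_DEFAULT_REGISTRY=""
 
+# Secure registry mode (TLS verification)
+# Set via kernel param: docker_registry_secure=1
+# CA cert passed via: virtio-9p share at /mnt/share/ca.crt
+DOCKER_REGISTRY_SECURE=""
+DOCKER_REGISTRY_CA=""
+DOCKER_REGISTRY_USER=""
+DOCKER_REGISTRY_PASS=""
+
 # Source common init functions
 # When installed as /init, common file is at /vcontainer-init-common.sh
 . /vcontainer-init-common.sh
@@ -56,6 +68,97 @@ load_registry_config() {
 fi
 }
 
+# Parse secure registry settings from kernel cmdline
+parse_secure_registry_config() {
+# Check for secure mode flag
+GREP_RESULT=$(grep -o 'docker_registry_secure=[^ ]*' /proc/cmdline 2>/dev/null || true)
+if [ -n "$GREP_RESULT" ]; then
+DOCKER_REGISTRY_SECURE=$(echo "$GREP_RESULT" | sed 's/docker_registry_secure=//')
+log "Secure registry mode: $DOCKER_REGISTRY_SECURE"
+fi
+
+# Check for CA certificate in shared folder (passed via virtio-9p)
+if [ -f "/mnt/share/ca.crt" ]; then
+DOCKER_REGISTRY_CA="/mnt/share/ca.crt"
+log "Found CA certificate in shared folder"
+fi
+
+# Check for registry user
+GREP_RESULT=$(grep -o 'docker_registry_user=[^ ]*' /proc/cmdline 2>/dev/null || true)
+if [ -n "$GREP_RESULT" ]; then
+DOCKER_REGISTRY_USER=$(echo "$GREP_RESULT" | sed 's/docker_registry_user=//')
+log "Registry user: $DOCKER_REGISTRY_USER"
+fi
+
+# Check for registry password (base64 encoded)
+GREP_RESULT=$(grep -o 'docker_registry_pass=[^ ]*' /proc/cmdline 2>/dev/null || true)
+if [ -n "$GREP_RESULT" ]; then
+DOCKER_REGISTRY_PASS=$(echo "$GREP_RESULT" | sed 's/docker_registry_pass=//')
+log "Received registry password from cmdline"
+fi
+}
+
+# Install CA certificate for secure registry
+# Creates /etc/docker/certs.d/{registry}/ca.crt
+install_registry_ca() {
+if [ "$DOCKER_REGISTRY_SECURE" != "1" ]; then
+return 0
+fi
+
+if [ -z "$DOCKER_DEFAULT_REGISTRY" ]; then
+log "WARNING: Secure mode enabled but no registry configured"
+return 0
+fi
+
+# Extract registry host (strip path/namespace)
+local registry_host=$(echo "$DOCKER_DEFAULT_REGISTRY" | cut -d'/' -f1)
+
+# Install CA cert if provided via shared folder
+if [ -n "$DOCKER_REGISTRY_CA" ] && [ -f "$DOCKER_REGISTRY_CA" ]; then
+local cert_dir="/etc/docker/certs.d/$registry_host"
+mkdir -p "$cert_dir"
+
+# Copy CA cert from shared folder
+if cp "$DOCKER_REGISTRY_CA" "$cert_dir/ca.crt" 2>/dev/null && [ -s "$cert_dir/ca.crt" ]; then
+log "Installed CA certificate: $cert_dir/ca.crt"
+else
+log "WARNING: Failed to copy CA certificate from $DOCKER_REGISTRY_CA"
+rm -f "$cert_dir/ca.crt"
+fi
+else
+# Check if CA cert exists from baked rootfs
+local cert_dir="/etc/docker/certs.d/$registry_host"
+if [ -f "$cert_dir/ca.crt" ]; then
+log "Using baked CA certificate: $cert_dir/ca.crt"
+else
+log "WARNING: Secure mode enabled but no CA certificate available"
+fi
+fi
+
+# Setup Docker auth if credentials provided
+if [ -n "$DOCKER_REGISTRY_USER" ] && [ -n "$DOCKER_REGISTRY_PASS" ]; then
+local password=$(echo "$DOCKER_REGISTRY_PASS" | base64 -d 2>/dev/null)
+if [ -n "$password" ]; then
+mkdir -p /root/.docker
+# Create auth config
+local auth=$(echo -n "$DOCKER_REGISTRY_USER:$password" | base64 | tr -d '\n')
+cat > /root/.docker/config.json << EOF
+{
+"auths": {
+"$registry_host": {
+"auth": "$auth"
+}
+}
+}
+EOF
+chmod 600 /root/.docker/config.json
+log "Configured Docker auth for: $registry_host"
+else
+log "WARNING: Failed to decode registry password"
+fi
+fi
+}
+
 # ============================================================================
 # Docker-Specific Functions
 # ============================================================================
@@ -141,10 +244,16 @@ start_dockerd() {
 if [ -n "$DOCKER_DEFAULT_REGISTRY" ]; then
 # Extract host:port for insecure registry config (strip path/namespace)
 REGISTRY_HOST=$(echo "$DOCKER_DEFAULT_REGISTRY" | cut -d'/' -f1)
-# Auto-add to insecure registries if it looks like a local/private registry
-if echo "$REGISTRY_HOST" | grep -qE '^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'; then
-DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=$REGISTRY_HOST"
-log "Auto-added insecure registry: $REGISTRY_HOST"
+
+# In secure mode, DO NOT add to insecure-registries (use TLS verification)
+if [ "$DOCKER_REGISTRY_SECURE" = "1" ]; then
+log "Secure mode: using TLS verification for $REGISTRY_HOST"
+else
+# Auto-add to insecure registries if it looks like a local/private registry
+if echo "$REGISTRY_HOST" | grep -qE '^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'; then
+DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=$REGISTRY_HOST"
+log "Auto-added insecure registry: $REGISTRY_HOST"
+fi
 fi
 fi
 
@@ -569,6 +678,12 @@ configure_networking
 # Load baked registry config (can be overridden by kernel cmdline)
 load_registry_config
 
+# Parse secure registry settings from kernel cmdline
+parse_secure_registry_config
+
+# Install CA certificate for secure registry
+install_registry_ca
+
 # Start containerd and dockerd (Docker-specific)
 start_containerd
 start_dockerd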
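Review bot: The registry password that parse_secure_registry_config takes from docker_registry_pass (new lines 94–97) lives in /proc/cmdline, which is world-readable on the host and is normally the same file every container sees, so the base64 encoding gives no confidentiality, and the decoded value afterwards sits in a shell variable that a `set -x` trace would print. Since the commit already delivers the CA through the 9p share (/mnt/share/ca.crt), the same channel with a root-only file would keep the secret off the cmdline; at minimum a comment on line 94 should say `# base64 here is transport encoding only, not protection: /proc/cmdline is readable by all processes`. In install_registry_ca the auth string is built with `echo -n "$DOCKER_REGISTRY_USER:$password" | base64` (new line 144), and echo is unsafe for arbitrary bytes (`-n` support and backslash handling vary between shells, and a password beginning with `-` is parsed as an option), so `local auth=$(printf '%s' "$DOCKER_REGISTRY_USER:$password" | base64 | tr -d '\n')` is the safer form. The `local var=$(cmd)` pattern on new lines 114, 140 and 144 also hides the command's exit status, while parse_secure_registry_config writes to the global GREP_RESULT instead of a local; one convention for both new functions would be cleaner.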
