Merge pull request #304 from WaberZhuang/main

minor fixes & tools improvements

CMake/Findphoton.cmake

@@ -5,7 +5,7 @@ set(PHOTON_ENABLE_EXTFS ON)
 FetchContent_Declare(
   photon
   GIT_REPOSITORY https://github.com/alibaba/PhotonLibOS.git
-  GIT_TAG v0.6.14
+  GIT_TAG v0.6.15
 )
 
 if(BUILD_TESTING)

CMakeLists.txt

@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.15)
+cmake_minimum_required(VERSION 3.14)
 
 project(
   overlaybd

README.md

@@ -47,7 +47,7 @@ It is better to run `overlaybd-tcmu` as a service so that it can be restarted af
 
 To build overlaybd from source code, the following dependencies are required:
 
-* CMake >= 3.15
+* CMake >= 3.14
 
 * gcc/g++ >= 7
 
@@ -201,6 +201,8 @@ Default configure file `overlaybd.json` is installed to `/etc/overlaybd/`.
 | auditPath           | The path for audit file, `/var/log/overlaybd-audit.log` is the default value.                         |
 | registryFsVersion   | registry client version, 'v1' libcurl based, 'v2' is photon http based. 'v2' is the default value.    |
 | prefetchConfig.concurrency    | Prefetch concurrency for reloading trace, `16` is default                                   |
+| certConfig.certFile | The path for SSL/TLS client certificate file                                                          |
+| certConfig.keyFile  | The path for SSL/TLS client key file                                                                  |
 
 > NOTE: `download` is the config for background downloading. After an overlaybd device is lauched, a background task will be running to fetch the whole blobs into local directories. After downloading, I/O requests are directed to local files. Unlike other options, download config is reloaded when a device launching.
 

src/config.h

@@ -123,6 +123,13 @@ struct PrefetchConfig : public ConfigUtils::Config {
     APPCFG_PARA(concurrency, int, 16);
 };
 
+struct CertConfig : public ConfigUtils::Config {
+    APPCFG_CLASS
+
+    APPCFG_PARA(certFile, std::string, "");
+    APPCFG_PARA(keyFile, std::string, "");
+};
+
 struct GlobalConfig : public ConfigUtils::Config {
     APPCFG_CLASS
 
@@ -145,6 +152,7 @@ struct GlobalConfig : public ConfigUtils::Config {
     APPCFG_PARA(gzipCacheConfig, GzipCacheConfig);
     APPCFG_PARA(logConfig, LogConfig);
     APPCFG_PARA(prefetchConfig, PrefetchConfig);
+    APPCFG_PARA(certConfig, CertConfig);
 };
 
 struct AuthConfig : public ConfigUtils::Config {

src/image_service.cpp

@@ -348,7 +348,8 @@ int ImageService::init() {
             registryfs_creator = new_registryfs_v2;
 
         global_fs.underlay_registryfs = registryfs_creator(
-            {this, &ImageService::reload_auth}, cafile, 30UL * 1000000);
+            {this, &ImageService::reload_auth}, cafile, 30UL * 1000000,
+            global_conf.certConfig().certFile().c_str(), global_conf.certConfig().keyFile().c_str());
         if (global_fs.underlay_registryfs == nullptr) {
             LOG_ERROR_RETURN(0, -1, "create registryfs failed.");
         }
@@ -512,4 +513,4 @@ ImageService *create_image_service(const char *config_path) {
         return nullptr;
     }
     return ret;
-}
+}

src/main.cpp

@@ -32,6 +32,7 @@
 #include <fcntl.h>
 #include <scsi/scsi.h>
 #include <sys/resource.h>
+#include <sys/prctl.h>
 
 class TCMUDevLoop;
 
@@ -401,6 +402,7 @@ void sigint_handler(int signal = SIGINT) {
 
 int main(int argc, char **argv) {
     mallopt(M_TRIM_THRESHOLD, 128 * 1024);
+    prctl(PR_SET_THP_DISABLE, 1);
 
     photon::init(photon::INIT_EVENT_DEFAULT, photon::INIT_IO_DEFAULT);
     photon::block_all_signal();

src/overlaybd/base64.h

@@ -1,3 +1,5 @@
+#pragma once
+
 #ifndef _BASE64_H_
 #define _BASE64_H_
 
@@ -13,7 +15,7 @@ static inline bool is_base64(BYTE c) {
     return (isalnum(c) || (c == '+') || (c == '/'));
 }
 
-std::string base64_encode(BYTE const *buf, unsigned int bufLen) {
+static inline std::string base64_encode(BYTE const *buf, unsigned int bufLen) {
     std::string ret;
     int i = 0;
     int j = 0;
@@ -53,7 +55,7 @@ std::string base64_encode(BYTE const *buf, unsigned int bufLen) {
     return ret;
 }
 
-std::string base64_decode(std::string const &encoded_string) {
+static inline std::string base64_decode(std::string const &encoded_string) {
     int in_len = encoded_string.size();
     int i = 0;
     int j = 0;
@@ -96,4 +98,4 @@ std::string base64_decode(std::string const &encoded_string) {
     return ret;
 }
 
-#endif
+#endif

src/overlaybd/registryfs/registryfs.cpp

@@ -14,6 +14,7 @@
    limitations under the License.
 */
 #include "registryfs.h"
+#include "../base64.h"
 
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -46,6 +47,7 @@ using namespace photon::fs;
 static const estring kDockerRegistryAuthChallengeKeyValuePrefix = "www-authenticate";
 static const estring kAuthHeaderKey = "Authorization";
 static const estring kBearerAuthPrefix = "Bearer ";
+static const estring kBasicAuthPrefix = "Basic ";
 static const estring kDockerRegistryBlobReaderFailPrefix = "DockerRegistryBolbReader Failure: ";
 static const uint64_t kMinimalTokenLife = 30L * 1000 * 1000; // token lives atleast 30s
 static const uint64_t kMinimalAUrlLife = 300L * 1000 * 1000; // actual_url lives atleast 300s
@@ -102,8 +104,10 @@ class RegistryFSImpl : public RegistryFS {
         return open(pathname, flags); // ignore mode
     }
 
-    RegistryFSImpl(PasswordCB callback, const char *caFile, uint64_t timeout)
+    RegistryFSImpl(PasswordCB callback, const char *caFile, uint64_t timeout,
+                   const char *cert_file, const char *key_file)
         : m_callback(callback), m_caFile(caFile), m_timeout(timeout),
+          m_cert_file(cert_file), m_key_file(key_file),
           m_meta_size(kMinimalMetaLife), m_scope_token(kMinimalTokenLife),
           m_url_info(kMinimalAUrlLife) {
     }
@@ -134,9 +138,6 @@ class RegistryFSImpl : public RegistryFS {
 
         {
             auto curl = get_cURL();
-            if (photon::net::http::what_protocol(actual_url) == 2) {
-                curl->reset().clear_header().setopt(CURLOPT_SSL_VERIFYPEER, 0L);
-            }
             DEFER({ release_cURL(curl); });
             curl->set_redirect(10);
             // set token if needed
@@ -265,6 +266,8 @@ class RegistryFSImpl : public RegistryFS {
     estring m_accelerate;
     estring m_caFile;
     uint64_t m_timeout;
+    estring m_cert_file;
+    estring m_key_file;
     ObjectCache<estring, size_t *> m_meta_size;
     ObjectCache<estring, estring *> m_scope_token;
     ObjectCache<estring, UrlInfo *> m_url_info;
@@ -275,7 +278,14 @@ class RegistryFSImpl : public RegistryFS {
         auto curl = m_curl_pool.get();
         mutex.unlock();
         curl->reset_error();
-        curl->reset().clear_header().set_cafile(m_caFile.c_str());
+        curl->reset().clear_header().set_cafile(m_caFile.c_str())
+              .setopt(CURLOPT_SSL_VERIFYPEER, 0L).setopt(CURLOPT_SSL_VERIFYHOST, 0L);
+        if (m_cert_file != "" && m_key_file != "" &&
+            !::access(m_cert_file.c_str(), 0) && !::access(m_key_file.c_str(), 0)) {
+            LOG_DEBUG("curl with ` and `", m_cert_file.c_str(), m_key_file.c_str());
+            curl->setopt(CURLOPT_SSLCERT, m_cert_file.c_str());
+            curl->setopt(CURLOPT_SSLKEY, m_key_file.c_str());
+        }
         return curl;
     };
 
@@ -334,7 +344,9 @@ class RegistryFSImpl : public RegistryFS {
         DEFER({ release_cURL(req); });
         photon::net::StringWriter writer;
         if (!username.empty()) {
-            req->set_user_passwd(username.c_str(), password.c_str()).set_redirect(3);
+            std::string basic_auth = username + ":" + password;
+            std::string encoded = base64_encode((const BYTE*) basic_auth.c_str(), basic_auth.length());
+            req->append_header(kAuthHeaderKey, kBasicAuthPrefix + encoded);
         }
         auto ret = req->GET(auth_url, &writer, tmo.timeout_us());
 
@@ -515,9 +527,10 @@ inline IFile *RegistryFSImpl::open(const char *pathname, int) {
     return file;
 }
 
-IFileSystem *new_registryfs_v1(PasswordCB callback, const char *caFile,
-                                                     uint64_t timeout) {
+IFileSystem *new_registryfs_v1(PasswordCB callback, const char *caFile, uint64_t timeout,
+                               const char *cert_file, const char *key_file) {
     if (!callback)
         LOG_ERROR_RETURN(EINVAL, nullptr, "password callback not set");
-    return new RegistryFSImpl(callback, caFile ? caFile : "", timeout);
+    return new RegistryFSImpl(callback, caFile ? caFile : "", timeout,
+                              cert_file ? cert_file : "", key_file ? key_file : "");
 }

src/overlaybd/registryfs/registryfs.h

@@ -30,15 +30,21 @@ using PasswordCB = Delegate<std::pair<std::string, std::string>, const char *>;
 extern "C" {
 photon::fs::IFileSystem *new_registryfs_v1(PasswordCB callback,
                                            const char *caFile = nullptr,
-                                           uint64_t timeout = -1);
+                                           uint64_t timeout = -1,
+                                           const char *cert_file = nullptr,
+                                           const char *key_file = nullptr);
 
 photon::fs::IFileSystem *new_registryfs_v2(PasswordCB callback,
                                            const char *caFile = nullptr,
-                                           uint64_t timeout = -1);
+                                           uint64_t timeout = -1,
+                                           const char *cert_file = nullptr,
+                                           const char *key_file = nullptr);
 
 photon::fs::IFile* new_registry_uploader(photon::fs::IFile *lfile,
                                          std::string &upload_url,
                                          std::string &username, std::string &password,
                                          uint64_t timeout,
-                                         ssize_t upload_bs = -1);
+                                         ssize_t upload_bs = -1,
+                                         const char *cert_file = nullptr,
+                                         const char *key_file = nullptr);
 }