From 84cc7186842b45844b017a5bc8afa16b28bac668 Mon Sep 17 00:00:00 2001 From: zhangxiaoyu Date: Thu, 11 May 2023 10:27:08 +0800 Subject: [PATCH 64/79] split remote grpc code by macro Signed-off-by: zhangxiaoyu --- cmake/options.cmake | 6 ++ src/client/connect/connect.h | 2 + src/client/connect/grpc/client_base.h | 12 ++- .../connect/grpc/grpc_containers_client.cc | 22 +++++- src/cmd/isula/client_arguments.c | 10 +++ src/cmd/isula/client_arguments.h | 15 +++- src/cmd/isulad-shim/common.h | 4 +- src/cmd/isulad/isulad_commands.c | 1 + src/cmd/isulad/isulad_commands.h | 78 ++++++++++--------- src/cmd/isulad/main.c | 31 +++++--- src/common/constants.h | 2 + src/daemon/config/daemon_arguments.c | 4 + src/daemon/config/isulad_config.c | 4 + .../connect/grpc/grpc_server_tls_auth.cc | 6 +- src/daemon/entry/connect/grpc/grpc_service.cc | 11 +++ .../cri/cri_container_manager_service_impl.cc | 6 +- src/daemon/entry/cri/cri_helpers.cc | 2 +- .../oci/storage/image_store/image_store.c | 14 ++-- .../oci/storage/layer_store/layer_store.c | 14 ++-- .../remote_layer_support/image_remote_impl.c | 3 +- src/utils/cutils/utils_verify.c | 6 ++ .../remote_layer_support/remote_layer_ut.cc | 2 +- 22 files changed, 181 insertions(+), 74 deletions(-) diff --git a/cmake/options.cmake b/cmake/options.cmake index 701082dd..d8b88dec 100644 --- a/cmake/options.cmake +++ b/cmake/options.cmake @@ -90,6 +90,12 @@ if (ENABLE_SELINUX STREQUAL "ON") message("${Green}-- Enable selinux${ColourReset}") endif() +option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect" ON) +if (ENABLE_GRPC_REMOTE_CONNECT STREQUAL "ON") + add_definitions(-DENABLE_GRPC_REMOTE_CONNECT=1) + set(ENABLE_GRPC_REMOTE_CONNECT 1) +endif() + option(ENABLE_SHIM_V2 "enable shim v2 runtime" OFF) if (ENABLE_SHIM_V2 STREQUAL "ON") add_definitions(-DENABLE_SHIM_V2=1) diff --git a/src/client/connect/connect.h b/src/client/connect/connect.h index 1b2ea5b3..68c6d57f 100644 --- a/src/client/connect/connect.h 
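Review bot: The description on the new `option(ENABLE_GRPC_REMOTE_CONNECT ...)` line undersells what it switches, which matters because it defaults to ON and OFF is the hardened configuration. Reading the rest of the patch, OFF removes the tcp:// listener, the client and daemon `--tls*` flags, `--authorization-plugin` and the TLS metadata exchange, leaving unix-socket connections only. I would write `option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect: tcp:// listeners, TLS options and the authorization plugin (OFF = unix sockets only)" ON)` so someone building a locked-down daemon can find the switch.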
+++ b/src/client/connect/connect.h @@ -24,12 +24,14 @@ extern "C" { typedef struct { unsigned int deadline; char *socket; +#ifdef ENABLE_GRPC_REMOTE_CONNECT // gRPC tls config bool tls; bool tls_verify; char *ca_file; char *cert_file; char *key_file; +#endif } client_connect_config_t; #ifdef __cplusplus diff --git a/src/client/connect/grpc/client_base.h b/src/client/connect/grpc/client_base.h index dbe130cd..4a29765a 100644 --- a/src/client/connect/grpc/client_base.h +++ b/src/client/connect/grpc/client_base.h @@ -44,9 +44,10 @@ public: auto *arguments = reinterpret_cast(args); std::string socket_address = arguments->socket; - const std::string tcp_prefix = "tcp://"; deadline = arguments->deadline; +#ifdef ENABLE_GRPC_REMOTE_CONNECT + const std::string tcp_prefix = "tcp://"; if (socket_address.compare(0, tcp_prefix.length(), tcp_prefix) == 0) { socket_address.erase(0, tcp_prefix.length()); } @@ -76,9 +77,12 @@ public: // Connect to gRPC server with ssl/tls authentication mechanism. stub_ = SV::NewStub(channel); } else { +#endif // Connect to gRPC server without ssl/tls authentication mechanism. stub_ = SV::NewStub(grpc::CreateChannel(socket_address, grpc::InsecureChannelCredentials())); +#ifdef ENABLE_GRPC_REMOTE_CONNECT } +#endif } virtual ~ClientBase() = default; @@ -109,12 +113,14 @@ public: context.set_deadline(tDeadline); } +#ifdef ENABLE_GRPC_REMOTE_CONNECT // Set metadata for authorization if (SetMetadataInfo(context) != 0) { ERROR("Failed to set metadata info for authorization"); response->cc = ISULAD_ERR_INPUT; return -1; } +#endif ret = request_to_grpc(request, &req); if (ret != 0) { @@ -187,6 +193,7 @@ protected: return ss.str(); } +#ifdef ENABLE_GRPC_REMOTE_CONNECT auto SetMetadataInfo(ClientContext &context) -> int { // Set common name from cert.perm 
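Review bot: Making the layout of `client_connect_config_t` depend on `ENABLE_GRPC_REMOTE_CONNECT` turns a build option into an ABI contract for everything that includes connect.h, and nothing in the header records which way the library was built. A client library built with the option and a caller compiled without it (or vice versa) disagree on `sizeof` and on the position of every field after `socket`, with no compile-time diagnostic. Either keep the five TLS fields unconditionally (plain bools and pointers; a non-remote build can ignore them) or have CMake emit the define into a generated config header that connect.h includes, so the struct is identical in every translation unit.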
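Review bot: The `#ifdef`/`#endif` pair in the `ClientBase` constructor now opens inside the `else {` of the TLS branch and closes after its `}`, so the secure-versus-insecure channel selection — the one place a security reviewer needs to read — is only well-formed for one preprocessor state and is easy to break on the next edit. Prefer guarding the whole `if/else` with a single `#ifdef ENABLE_GRPC_REMOTE_CONNECT` and repeating the one insecure line `stub_ = SV::NewStub(grpc::CreateChannel(socket_address, grpc::InsecureChannelCredentials()));` in the `#else` branch; the `if` condition itself is above this hunk. That duplicates one line but leaves both builds readable as plain code.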
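Review bot: Compiling `SetMetadataInfo(context)` out of the common request path changes what a non-remote client sends, while `GrpcServerTlsAuth::auth` in this same patch still looks up the `tls_mode` metadata first whenever the daemon is built with the option. If that missing-key branch (its body is outside the hunk) still returns an error, a CLI built without `ENABLE_GRPC_REMOTE_CONNECT` cannot talk to a daemon built with it even over a unix socket, and the failure surfaces as an opaque per-RPC auth error rather than a build-mismatch message. Either keep sending `tls_mode` = `TLS_OFF` in the non-remote build, or let the server treat an absent `tls_mode` on a unix-socket connection as off, and record which side is authoritative here: `// Non-remote builds send no authorization metadata; the daemon must accept that on unix sockets.`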
@@ -204,10 +211,13 @@ protected: return 0; } +#endif std::unique_ptr stub_; +#ifdef ENABLE_GRPC_REMOTE_CONNECT std::string m_tlsMode { ClientBaseConstants::TLS_OFF }; std::string m_certFile; +#endif unsigned int deadline; }; diff --git a/src/client/connect/grpc/grpc_containers_client.cc b/src/client/connect/grpc/grpc_containers_client.cc index 1528b2ee..301e172b 100644 --- a/src/client/connect/grpc/grpc_containers_client.cc +++ b/src/client/connect/grpc/grpc_containers_client.cc @@ -298,6 +298,7 @@ public: } }; +#ifdef ENABLE_GRPC_REMOTE_CONNECT class RemoteStartWriteToServerTask : public StoppableThread { public: explicit RemoteStartWriteToServerTask( @@ -442,6 +443,8 @@ out: return (response->cc == ISULAD_SUCCESS) ? 0 : -1; } }; +#endif + class ContainerTop : public ClientBase { public: @@ -868,6 +871,7 @@ public: } }; +#ifdef ENABLE_GRPC_REMOTE_CONNECT class RemoteExecWriteToServerTask : public StoppableThread { public: explicit RemoteExecWriteToServerTask( @@ -1035,6 +1039,7 @@ out: return (response->cc == ISULAD_SUCCESS) ? 0 : -1; } }; +#endif class ContainerInspect : public ClientBase { @@ -1351,6 +1356,7 @@ public: ERROR("Missing container id in the request"); return -1; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT #ifdef OPENSSL_VERIFY // Set common name from cert.perm char common_name_value[ClientBaseConstants::COMMON_NAME_LEN] = { 0 }; @@ -1362,6 +1368,7 @@ public: } context.AddMetadata("username", std::string(common_name_value, strlen(common_name_value))); context.AddMetadata("tls_mode", m_tlsMode); +#endif #endif context.AddMetadata("container-id", std::string(request->name)); context.AddMetadata("attach-stdin", request->attach_stdin ? "true" : "false"); 
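Review bot: This Attach block is the first of four in the file (Attach, CopyFromContainer, CopyToContainer, Logs) where the `// Set common name from cert.perm` code is now wrapped in the same nested `#ifdef ENABLE_GRPC_REMOTE_CONNECT` / `#ifdef OPENSSL_VERIFY` pair, while `ClientBase::SetMetadataInfo` carries the identical comment and the Events handler already calls it instead. The nested guards also mean a remote-enabled build without `OPENSSL_VERIFY` sends no `username`/`tls_mode` on these streaming RPCs, whereas the `SetMetadataInfo` path is guarded only by the outer macro, so the daemon can receive different metadata depending on which RPC is used. Replacing each copy with `if (SetMetadataInfo(context) != 0) { response->cc = ISULAD_ERR_INPUT; return -1; }` gives one point to audit; if `SetMetadataInfo`'s body (outside the hunk) is itself `OPENSSL_VERIFY`-dependent, that is where the inner guard belongs.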
@@ -1742,11 +1749,13 @@ public: Status status; container_events_format_t *isula_event = nullptr; +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (SetMetadataInfo(context) != 0) { ERROR("Failed to set metadata info for authorization"); response->cc = ISULAD_ERR_INPUT; return -1; } +#endif ret = events_request_to_grpc(request, &req); if (ret != 0) { @@ -1926,6 +1935,7 @@ public: return -1; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT #ifdef OPENSSL_VERIFY // Set common name from cert.perm char common_name_value[ClientBaseConstants::COMMON_NAME_LEN] = { 0 }; @@ -1938,6 +1948,7 @@ public: } ctx->context.AddMetadata("username", std::string(common_name_value, strlen(common_name_value))); ctx->context.AddMetadata("tls_mode", m_tlsMode); +#endif #endif auto reader = stub_->CopyFromContainer(&ctx->context, ctx->request); reader->WaitForInitialMetadata(); @@ -2073,6 +2084,7 @@ public: goto out; } context.AddMetadata("isulad-copy-to-container", json); +#ifdef ENABLE_GRPC_REMOTE_CONNECT #ifdef OPENSSL_VERIFY { // Set common name from cert.perm @@ -2088,6 +2100,7 @@ public: context.AddMetadata("tls_mode", m_tlsMode); } #endif +#endif out: free(err); @@ -2146,6 +2159,7 @@ public: ClientContext context; LogsRequest grequest; +#ifdef ENABLE_GRPC_REMOTE_CONNECT #ifdef OPENSSL_VERIFY // Set common name from cert.perm char common_name_value[ClientBaseConstants::COMMON_NAME_LEN] = { 0 }; @@ -2157,6 +2171,7 @@ public: } context.AddMetadata("username", std::string(common_name_value, strlen(common_name_value))); context.AddMetadata("tls_mode", m_tlsMode); +#endif #endif if (logs_request_to_grpc(request, &grequest) != 0) { 
@@ -2234,13 +2249,11 @@ auto grpc_containers_client_ops_init(isula_connect_ops *ops) -> int ops->container.info = container_func; ops->container.create = container_func; ops->container.start = container_func; - ops->container.remote_start = container_func; ops->container.stop = container_func; ops->container.restart = container_func; ops->container.remove = container_func; ops->container.list = container_func; ops->container.exec = container_func; - ops->container.remote_exec = container_func; ops->container.attach = container_func; ops->container.pause = container_func; ops->container.resume = container_func; @@ -2260,5 +2273,10 @@ auto grpc_containers_client_ops_init(isula_connect_ops *ops) -> int ops->container.resize = container_func; ops->container.logs = container_func; +#ifdef ENABLE_GRPC_REMOTE_CONNECT + ops->container.remote_start = container_func; + ops->container.remote_exec = container_func; +#endif + return 0; } diff --git a/src/cmd/isula/client_arguments.c b/src/cmd/isula/client_arguments.c index 8f8c2657..2340beec 100644 --- a/src/cmd/isula/client_arguments.c +++ b/src/cmd/isula/client_arguments.c @@ -31,6 +31,8 @@ client_connect_config_t get_connect_config(const struct client_arguments *args) client_connect_config_t config = { 0 }; config.socket = args->socket; + +#ifdef ENABLE_GRPC_REMOTE_CONNECT // unix socket not support tls if (strncmp(args->socket, "tcp://", strlen("tcp://"))) { config.tls_verify = false; @@ -49,9 +51,12 @@ client_connect_config_t get_connect_config(const struct client_arguments *args) config.cert_file = args->cert_file; config.key_file = args->key_file; } +#endif + return config; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT static int set_default_tls_options(struct client_arguments *args) { int ret = -1; @@ -104,6 +109,7 @@ out: free(cert_path); return ret; } +#endif /* client arguments init */ int client_arguments_init(struct client_arguments *args) 
@@ -127,9 +133,11 @@ int client_arguments_init(struct client_arguments *args) (void)memset(&args->custom_conf, 0, sizeof(struct custom_configs)); (void)memset(&args->cr, 0, sizeof(struct args_cgroup_resources)); +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (set_default_tls_options(args) != 0) { return -1; } +#endif // default swappiness should be set to -1 args->cr.swappiness = -1; @@ -241,6 +249,7 @@ void client_arguments_free(struct client_arguments *args) util_free_array(custom_conf->security); custom_conf->security = NULL; +#ifdef ENABLE_GRPC_REMOTE_CONNECT free(args->ca_file); args->ca_file = NULL; @@ -249,6 +258,7 @@ void client_arguments_free(struct client_arguments *args) free(args->key_file); args->key_file = NULL; +#endif util_free_array(custom_conf->blkio_throttle_read_bps_device); custom_conf->blkio_throttle_read_bps_device = NULL; diff --git a/src/cmd/isula/client_arguments.h b/src/cmd/isula/client_arguments.h index 087ea056..0b08bcb2 100644 --- a/src/cmd/isula/client_arguments.h +++ b/src/cmd/isula/client_arguments.h @@ -348,12 +348,14 @@ struct client_arguments { json_map_string_string *annotations; +#ifdef ENABLE_GRPC_REMOTE_CONNECT // gRPC tls config bool tls; bool tls_verify; char *ca_file; char *cert_file; char *key_file; +#endif do_resize_call_back_t resize_cb; struct winsize s_pre_wsz; 
@@ -361,9 +363,10 @@ struct client_arguments { #define LOG_OPTIONS(log) { CMD_OPT_TYPE_BOOL_FALSE, false, "debug", 'D', &(log).quiet, "Enable debug mode", NULL }, -#define COMMON_OPTIONS(cmdargs) \ - { CMD_OPT_TYPE_STRING_DUP, false, "host", 'H', &(cmdargs).socket, "Daemon socket(s) to connect to", \ - command_valid_socket }, \ +#ifdef ENABLE_GRPC_REMOTE_CONNECT +#define COMMON_OPTIONS(cmdargs) \ + { CMD_OPT_TYPE_STRING_DUP, false, "host", 'H', &(cmdargs).socket, "Daemon socket(s) to connect to", \ + command_valid_socket }, \ { CMD_OPT_TYPE_BOOL, false, "tls", 0, &(cmdargs).tls, "Use TLS; implied by --tlsverify", NULL }, \ { CMD_OPT_TYPE_BOOL, false, "tlsverify", 0, &(cmdargs).tls_verify, "Use TLS and verify the remote", NULL }, \ { CMD_OPT_TYPE_STRING_DUP, \ @@ -388,6 +391,12 @@ struct client_arguments { "Path to TLS key file (default \"/root/.iSulad/key.pem\")", \ NULL }, \ { CMD_OPT_TYPE_BOOL, false, "help", 0, &(cmdargs).help, "Print usage", NULL }, +#else +#define COMMON_OPTIONS(cmdargs) \ + { CMD_OPT_TYPE_STRING_DUP, false, "host", 'H', &(cmdargs).socket, "Daemon socket(s) to connect to", \ + command_valid_socket }, \ + { CMD_OPT_TYPE_BOOL, false, "help", 0, &(cmdargs).help, "Print usage", NULL }, +#endif #define VERSION_OPTIONS(cmdargs) \ { CMD_OPT_TYPE_BOOL, false, "version", 0, NULL, "Print version information and quit", NULL }, diff --git a/src/cmd/isulad-shim/common.h b/src/cmd/isulad-shim/common.h index d733823b..b3f52dc3 100644 --- a/src/cmd/isulad-shim/common.h +++ b/src/cmd/isulad-shim/common.h @@ -35,8 +35,8 @@ extern "C" { #define SHIM_ERR_TIMEOUT (-4) // common exit code is defined in stdlib.h -// EXIT_FAILURE 1 : Failing exit status. -// EXIT_SUCCESS 0 : Successful exit status. +// EXIT_FAILURE 1 : Failing exit status. +// EXIT_SUCCESS 0 : Successful exit status. // custom shim exit code // SHIM_EXIT_TIMEOUT 2: Container process timeout exit code #define SHIM_EXIT_TIMEOUT 2 
diff --git a/src/cmd/isulad/isulad_commands.c b/src/cmd/isulad/isulad_commands.c index 42d0bde6..e814109e 100644 --- a/src/cmd/isulad/isulad_commands.c +++ b/src/cmd/isulad/isulad_commands.c @@ -225,6 +225,7 @@ int parse_args(struct service_arguments *args, int argc, const char **argv) command_t cmd = { 0 }; struct command_option options[] = { ISULAD_OPTIONS(args) + ISULAD_TLS_OPTIONS(args) }; command_init_isulad(&cmd, options, sizeof(options) / sizeof(options[0]), argc, (const char **)argv, isulad_desc, isulad_usage); diff --git a/src/cmd/isulad/isulad_commands.h b/src/cmd/isulad/isulad_commands.h index a89de5c1..e5bcb6c8 100644 --- a/src/cmd/isulad/isulad_commands.h +++ b/src/cmd/isulad/isulad_commands.h 
@@ -65,6 +65,48 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); #define USERNS_REMAP_OPT(cmdargs) #endif +#ifdef ENABLE_GRPC_REMOTE_CONNECT +#define ISULAD_TLS_OPTIONS(cmdargs) \ + { CMD_OPT_TYPE_STRING_DUP, \ + false, \ + "authorization-plugin", \ + 0, \ + &(cmdargs)->json_confs->authorization_plugin, \ + "Use authorization plugin", \ + NULL }, \ + { CMD_OPT_TYPE_BOOL, false, "tls", 0, &(cmdargs)->json_confs->tls, "Use TLS; implied by --tlsverify", NULL }, \ + { CMD_OPT_TYPE_BOOL, \ + false, \ + "tlsverify", \ + 0, \ + &(cmdargs)->json_confs->tls_verify, \ + "Use TLS and verify the remote", \ + NULL }, \ + { CMD_OPT_TYPE_STRING_DUP, \ + false, \ + "tlscacert", \ + 0, \ + &(cmdargs)->json_confs->tls_config->ca_file, \ + "Trust certs signed only by this CA (default \"/root/.iSulad/ca.pem\")", \ + NULL }, \ + { CMD_OPT_TYPE_STRING_DUP, \ + false, \ + "tlscert", \ + 0, \ + &(cmdargs)->json_confs->tls_config->cert_file, \ + "Path to TLS certificate file (default \"/root/.iSulad/cert.pem\")", \ + NULL }, \ + { CMD_OPT_TYPE_STRING_DUP, \ + false, \ + "tlskey", \ + 0, \ + &(cmdargs)->json_confs->tls_config->key_file, \ + "Path to TLS key file (default \"/root/.iSulad/key.pem\")", \ + NULL }, +#else +#define ISULAD_TLS_OPTIONS(cmdargs) +#endif + #define ISULAD_OPTIONS(cmdargs) \ { CMD_OPT_TYPE_CALLBACK, \ false, \ 
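Review bot: `--authorization-plugin` is moved into a macro named `ISULAD_TLS_OPTIONS` with no comment on why an authorization option is tied to TLS, and a reader of this header alone will take it for an arbitrary grouping. The reason is visible elsewhere in the patch: `GrpcServerTlsAuth::auth` resolves the caller from the `username` metadata, which the client fills from its certificate's common name, so the plugin has no identity to act on over a non-TLS connection. A one-line comment above the macro prevents someone "fixing" the grouping later: `// The authorization plugin identifies the caller by the TLS client certificate's common name, so it is only available with remote (TLS) connections.`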
@@ -241,42 +283,6 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); (cmdargs)->json_confs->use_decrypted_key, \ "Use decrypted private key by default (default true)", \ NULL }, \ - { CMD_OPT_TYPE_STRING_DUP, \ - false, \ - "authorization-plugin", \ - 0, \ - &(cmdargs)->json_confs->authorization_plugin, \ - "Use authorization plugin", \ - NULL }, \ - { CMD_OPT_TYPE_BOOL, false, "tls", 0, &(cmdargs)->json_confs->tls, "Use TLS; implied by --tlsverify", NULL }, \ - { CMD_OPT_TYPE_BOOL, \ - false, \ - "tlsverify", \ - 0, \ - &(cmdargs)->json_confs->tls_verify, \ - "Use TLS and verify the remote", \ - NULL }, \ - { CMD_OPT_TYPE_STRING_DUP, \ - false, \ - "tlscacert", \ - 0, \ - &(cmdargs)->json_confs->tls_config->ca_file, \ - "Trust certs signed only by this CA (default \"/root/.iSulad/ca.pem\")", \ - NULL }, \ - { CMD_OPT_TYPE_STRING_DUP, \ - false, \ - "tlscert", \ - 0, \ - &(cmdargs)->json_confs->tls_config->cert_file, \ - "Path to TLS certificate file (default \"/root/.iSulad/cert.pem\")", \ - NULL }, \ - { CMD_OPT_TYPE_STRING_DUP, \ - false, \ - "tlskey", \ - 0, \ - &(cmdargs)->json_confs->tls_config->key_file, \ - "Path to TLS key file (default \"/root/.iSulad/key.pem\")", \ - NULL }, \ { CMD_OPT_TYPE_CALLBACK, \ false, \ "default-ulimit", \ diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c index 6d121f33..f5ded220 100644 --- a/src/cmd/isulad/main.c +++ b/src/cmd/isulad/main.c @@ -695,6 +695,7 @@ out: } #endif +#ifdef ENABLE_GRPC_REMOTE_CONNECT // update values for options after flag parsing is complete static int update_tls_options(struct service_arguments *args) { @@ -745,6 +746,7 @@ static int update_tls_options(struct service_arguments *args) out: return ret; } +#endif static int update_set_default_log_file(struct service_arguments *args) { 
@@ -946,9 +948,11 @@ static int update_server_args(struct service_arguments *args) } #endif +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (update_tls_options(args)) { return -1; } +#endif if (update_set_default_log_file(args) != 0) { return -1; @@ -1284,17 +1288,20 @@ static char *parse_host(bool tls, const char *val) char *host = NULL; char *tmp = util_strdup_s(val); tmp = util_trim_space(tmp); - if (tmp == NULL) { - if (tls) { - host = util_strdup_s(DEFAULT_TLS_HOST); - } else { - host = util_strdup_s(DEFAULT_UNIX_SOCKET); - } - } else { + + if (tmp != NULL) { host = util_strdup_s(val); + free(tmp); + return host; + } + +#ifdef ENABLE_GRPC_REMOTE_CONNECT + if (tls) { + return util_strdup_s(DEFAULT_TLS_HOST); } - free(tmp); - return host; +#endif + + return util_strdup_s(DEFAULT_UNIX_SOCKET); } static int listener_init(const char *proto, const char *addr, const char *socket_group) @@ -1329,7 +1336,11 @@ static int load_listener(const struct service_arguments *args) for (i = 0; i < args->hosts_len; i++) { char *proto_addr = NULL; +#ifdef ENABLE_GRPC_REMOTE_CONNECT proto_addr = parse_host(args->json_confs->tls, args->hosts[i]); +#else + proto_addr = parse_host(false, args->hosts[i]); +#endif proto = strtok_r(proto_addr, delim, &addr); if (proto == NULL) { ERROR("Failed to get proto"); @@ -1339,11 +1350,13 @@ static int load_listener(const struct service_arguments *args) } addr += strlen("://") - 1; +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (strncmp(proto, "tcp", strlen("tcp")) == 0 && (args->json_confs->tls_config == NULL || !args->json_confs->tls_verify)) { WARN("[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting" " --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"); } +#endif // note: If we're binding to a TCP port, make sure that a container doesn't try to use it. ret = listener_init(proto, args->hosts[i], args->json_confs->group); diff --git a/src/common/constants.h b/src/common/constants.h index 1a4cb7c4..37854291 100644 --- a/src/common/constants.h 
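Review bot: In the non-remote build the `proto` from `parse_host` goes straight to `listener_init` with the tcp warning compiled out, so the only thing standing between an operator typo and an unauthenticated TCP listener is `util_validate_socket` rejecting `tcp://` in some other module; `load_listener` should not rely on that alone. Add a belt-and-braces rejection in an `#else` branch: `if (strncmp(proto, "tcp", strlen("tcp")) == 0) { ERROR("tcp hosts are not supported in this build: %s", args->hosts[i]); /* fail as the proto == NULL branch does */ }` — that branch's cleanup is outside the hunk. In the remote build the existing message only warns; binding a TCP port with `tls` off is still accepted, which is worth stating in the daemon docs.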
+++ b/src/common/constants.h @@ -121,8 +121,10 @@ extern "C" { #define OCI_IMAGE_GRAPH_ROOTPATH_NAME "storage" +#ifdef ENABLE_GRPC_REMOTE_CONNECT #define DEFAULT_TCP_HOST "tcp://localhost:2375" #define DEFAULT_TLS_HOST "tcp://localhost:2376" +#endif #define AUTH_PLUGIN "authz-broker" diff --git a/src/daemon/config/daemon_arguments.c b/src/daemon/config/daemon_arguments.c index 04173557..078fb4a1 100644 --- a/src/daemon/config/daemon_arguments.c +++ b/src/daemon/config/daemon_arguments.c @@ -27,6 +27,7 @@ #include "utils_array.h" #include "utils_file.h" +#ifdef ENABLE_GRPC_REMOTE_CONNECT static int set_daemon_default_tls_options(struct service_arguments *args) { int ret = -1; @@ -87,6 +88,7 @@ out: free(cert_path); return ret; } +#endif int service_arguments_init(struct service_arguments *args) { @@ -156,9 +158,11 @@ int service_arguments_init(struct service_arguments *args) *(args->json_confs->use_decrypted_key) = true; args->json_confs->insecure_skip_verify_enforce = false; +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (set_daemon_default_tls_options(args) != 0) { goto free_out; } +#endif args->default_ulimit = NULL; args->default_ulimit_len = 0; diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c index 996917c4..d9644756 100644 --- a/src/daemon/config/isulad_config.c +++ b/src/daemon/config/isulad_config.c @@ -1496,6 +1496,7 @@ static int merge_cri_runtimes_into_global(struct service_arguments *args, isulad return 0; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT static int merge_authorization_conf_into_global(struct service_arguments *args, isulad_daemon_configs *tmp_json_confs) { args->json_confs->tls = tmp_json_confs->tls; @@ -1511,6 +1512,7 @@ static int merge_authorization_conf_into_global(struct service_arguments *args, return 0; } +#endif static int merge_storage_conf_into_global(struct service_arguments *args, isulad_daemon_configs *tmp_json_confs) { 
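Review bot: `set_daemon_default_tls_options` is now compiled out of `service_arguments_init`, and if it is the function that allocates `args->json_confs->tls_config` (its body is above this hunk; it at least builds and frees a `cert_path`), a non-remote build leaves `tls_config` NULL for the daemon's lifetime. Every reader touched by this patch is guarded, but any reader elsewhere — the JSON config free/serialise path, or a `tls_config->ca_file` access in code not in this diff — would now dereference NULL. Worth one grep for `tls_config` and either guarding the remaining readers or keeping a zeroed `tls_config` allocated in both builds, e.g. a comment here: `// tls_config stays NULL in non-remote builds; every reader must be guarded.`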
@@ -1651,10 +1653,12 @@ int merge_json_confs_into_global(struct service_arguments *args) args->json_confs->insecure_skip_verify_enforce = tmp_json_confs->insecure_skip_verify_enforce; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (merge_authorization_conf_into_global(args, tmp_json_confs)) { ret = -1; goto out; } +#endif if (merge_default_ulimits_conf_into_global(args, tmp_json_confs)) { ret = -1; diff --git a/src/daemon/entry/connect/grpc/grpc_server_tls_auth.cc b/src/daemon/entry/connect/grpc/grpc_server_tls_auth.cc index 6e958e23..737bb129 100644 --- a/src/daemon/entry/connect/grpc/grpc_server_tls_auth.cc +++ b/src/daemon/entry/connect/grpc/grpc_server_tls_auth.cc @@ -17,6 +17,7 @@ #include #include #include "http.h" +#include "constants.h" namespace AuthorizationPluginConfig { std::string auth_plugin = ""; @@ -25,6 +26,7 @@ std::string auth_plugin = ""; namespace GrpcServerTlsAuth { Status auth(ServerContext *context, std::string action) { +#ifdef ENABLE_GRPC_REMOTE_CONNECT const std::multimap &init_metadata = context->client_metadata(); auto tls_mode_kv = init_metadata.find("tls_mode"); if (tls_mode_kv == init_metadata.end()) { @@ -36,7 +38,7 @@ Status auth(ServerContext *context, std::string action) } if (AuthorizationPluginConfig::auth_plugin.empty()) { return Status::OK; - } else if (AuthorizationPluginConfig::auth_plugin == "authz-broker") { + } else if (AuthorizationPluginConfig::auth_plugin == AUTH_PLUGIN) { auto username_kv = init_metadata.find("username"); if (username_kv == init_metadata.end()) { return Status(StatusCode::UNKNOWN, "unknown error"); @@ -55,6 +57,8 @@ Status auth(ServerContext *context, std::string action) } else { return Status(StatusCode::UNIMPLEMENTED, "authorization plugin invalid"); } +#endif + return Status::OK; } } // namespace GrpcServerTlsAuth diff --git a/src/daemon/entry/connect/grpc/grpc_service.cc b/src/daemon/entry/connect/grpc/grpc_service.cc index ab3e32ab..050a43f8 100644 --- a/src/daemon/entry/connect/grpc/grpc_service.cc 
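Review bot: With `ENABLE_GRPC_REMOTE_CONNECT` off, a daemon.json that sets `tls`, `tls-verify` or `authorization-plugin` is parsed successfully and the values are silently dropped because `merge_authorization_conf_into_global` is compiled out, so an operator who believes the authorization plugin is in force gets a daemon with no such check and no log line saying so. Security-relevant configuration a build cannot honour should fail loudly; in an `#else` branch: `if (tmp_json_confs->tls || tmp_json_confs->tls_verify || tmp_json_confs->authorization_plugin != NULL) { ERROR("tls/authorization settings are not supported in this build"); ret = -1; goto out; }`. Downgrade to a `WARN` only if rejecting would break existing deployments.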
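Review bot: The new unconditional `return Status::OK;` at the end of `auth` needs a comment, because in the remote build every branch of the chain above already returns and this line is dead, while in the non-remote build it is the entire authorization policy. A later edit that adds a branch which falls through would silently accept the request in the remote build as well. I would write above it: `// Without ENABLE_GRPC_REMOTE_CONNECT the daemon listens on unix sockets only and the authorization plugin is compiled out, so every caller is accepted here; in the remote build this line must stay unreachable.`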
+++ b/src/daemon/entry/connect/grpc/grpc_service.cc @@ -54,13 +54,19 @@ public: ERROR("Init runtime service failed: %s", err.GetCMessage()); return -1; } + + // hosts has been validate by util_validate_socket auto hosts = std::vector(args->hosts, args->hosts + args->hosts_len); for (auto host : hosts) { +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (host.find("tcp://") == 0) { m_tcpPath.push_back(host.erase(0, std::string("tcp://").length())); } else { +#endif m_socketPath.push_back(host); +#ifdef ENABLE_GRPC_REMOTE_CONNECT } +#endif } if (ListeningPort(args, err)) { @@ -109,6 +115,7 @@ public: private: int ListeningPort(const struct service_arguments *args, Errors &err) { +#ifdef ENABLE_GRPC_REMOTE_CONNECT if (args->json_confs->tls) { if (args->json_confs->authorization_plugin != nullptr) { AuthorizationPluginConfig::auth_plugin = args->json_confs->authorization_plugin; @@ -152,6 +159,8 @@ private: INFO("Server listening on %s", address.c_str()); } } +#endif + // Listen on the given socket address without any authentication mechanism. for (const auto &address : m_socketPath) { m_builder.AddListeningPort(address, grpc::InsecureServerCredentials()); @@ -187,7 +196,9 @@ private: RuntimeRuntimeServiceImpl m_runtimeRuntimeService; RuntimeImageServiceImpl m_runtimeImageService; ServerBuilder m_builder; +#ifdef ENABLE_GRPC_REMOTE_CONNECT std::vector m_tcpPath; +#endif std::vector m_socketPath; std::unique_ptr m_server; }; diff --git a/src/daemon/entry/cri/cri_container_manager_service_impl.cc b/src/daemon/entry/cri/cri_container_manager_service_impl.cc index 5398c088..101824ae 100644 --- a/src/daemon/entry/cri/cri_container_manager_service_impl.cc +++ b/src/daemon/entry/cri/cri_container_manager_service_impl.cc 
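Review bot: The comment added above the loop, `// hosts has been validate by util_validate_socket`, should read `// hosts have already been validated by util_validate_socket`, and it is load-bearing: in the non-remote build anything not caught by the compiled-out `tcp://` test lands in `m_socketPath` and receives an `InsecureServerCredentials()` listener in `ListeningPort`. Rather than trust validation done in another module, reject a surviving prefix in an `#else` branch: `if (host.find("tcp://") == 0) { ERROR("tcp hosts are not supported in this build: %s", host.c_str()); return -1; }`. The `ERROR` macro is already used a few lines up in this function.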
@@ -1228,14 +1228,14 @@ void ContainerManagerServiceImpl::UpdateContainerResources(const std::string &co } if (resources.hugepage_limits_size() != 0) { hostconfig->hugetlbs = (host_config_hugetlbs_element **)util_smart_calloc_s( - sizeof(host_config_hugetlbs_element *), resources.hugepage_limits_size()); + sizeof(host_config_hugetlbs_element *), resources.hugepage_limits_size()); if (hostconfig->hugetlbs == nullptr) { error.SetError("Out of memory"); return; } - for (int i = 0; i < resources.hugepage_limits_size(); i++) { + for (int i = 0; i < resources.hugepage_limits_size(); i++) { hostconfig->hugetlbs[i] = - (host_config_hugetlbs_element *)util_common_calloc_s(sizeof(host_config_hugetlbs_element)); + (host_config_hugetlbs_element *)util_common_calloc_s(sizeof(host_config_hugetlbs_element)); if (hostconfig->hugetlbs[i] == nullptr) { error.SetError("Out of memory"); goto cleanup; diff --git a/src/daemon/entry/cri/cri_helpers.cc b/src/daemon/entry/cri/cri_helpers.cc index e588b6c4..e2d00bc7 100644 --- a/src/daemon/entry/cri/cri_helpers.cc +++ b/src/daemon/entry/cri/cri_helpers.cc @@ -457,7 +457,7 @@ void UpdateCreateConfig(container_config *createConfig, host_config *hc, } for (int i = 0; i < rOpts.hugepage_limits_size(); i++) { hc->hugetlbs[i] = - (host_config_hugetlbs_element *)util_common_calloc_s(sizeof(host_config_hugetlbs_element)); + (host_config_hugetlbs_element *)util_common_calloc_s(sizeof(host_config_hugetlbs_element)); if (hc->hugetlbs[i] == nullptr) { error.SetError("Out of memory"); return; diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c index d436eba2..f6ddd03b 100644 --- a/src/daemon/modules/image/oci/storage/image_store/image_store.c +++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c 
@@ -133,7 +133,7 @@ static void free_image_store(image_store_t *store) (void)map_free(store->bydigest); store->bydigest = NULL; - linked_list_for_each_safe (item, &(store->images_list), next) { + linked_list_for_each_safe(item, &(store->images_list), next) { linked_list_del(item); image_ref_dec((image_t *)item->elem); free(item); @@ -165,7 +165,7 @@ static void image_store_digest_field_kvfree(void *key, void *value) free(key); if (val != NULL) { - linked_list_for_each_safe (item, &(val->images_list), next) { + linked_list_for_each_safe(item, &(val->images_list), next) { linked_list_del(item); free(item); item = NULL; @@ -501,7 +501,7 @@ static void digest_image_slice_without_value(digest_image_t *digest_filter_image return; } - linked_list_for_each_safe (item, &(digest_filter_images->images_list), next) { + linked_list_for_each_safe(item, &(digest_filter_images->images_list), next) { tmp = (image_t *)item->elem; if (strcmp(tmp->simage->id, img->simage->id) == 0) { linked_list_del(item); @@ -582,7 +582,7 @@ static int remove_image_from_memory(const char *id) goto out; } - linked_list_for_each_safe (item, &(g_image_store->images_list), next) { + linked_list_for_each_safe(item, &(g_image_store->images_list), next) { image_t *tmp = (image_t *)item->elem; if (strcmp(tmp->simage->id, id) != 0) { continue; @@ -681,7 +681,7 @@ static void free_digest_image(digest_image_t *ptr) return; } - linked_list_for_each_safe (item, &(ptr->images_list), next) { + linked_list_for_each_safe(item, &(ptr->images_list), next) { linked_list_del(item); free(item); item = NULL; @@ -2679,7 +2679,7 @@ int image_store_get_all_images(imagetool_images_list *images_list) goto unlock; } - linked_list_for_each_safe (item, &(g_image_store->images_list), next) { + linked_list_for_each_safe(item, &(g_image_store->images_list), next) { imagetool_image_summary *imginfo = NULL; image_t *img = (image_t *)item->elem; imginfo = get_image_summary(img); 
@@ -3546,7 +3546,7 @@ static void image_store_check_all_images() return; } - linked_list_for_each_safe (item, &(g_image_store->images_list), next) { + linked_list_for_each_safe(item, &(g_image_store->images_list), next) { image_t *img = (image_t *)item->elem; if (img->spec == NULL) { ERROR("Failed to check spec info of image: %s, try to delete", img->simage->id); diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c index 12fca5ff..6024d734 100644 --- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c @@ -136,7 +136,7 @@ void layer_store_cleanup() map_free(g_metadata.by_uncompress_digest); g_metadata.by_uncompress_digest = NULL; - linked_list_for_each_safe (item, &(g_metadata.layers_list), next) { + linked_list_for_each_safe(item, &(g_metadata.layers_list), next) { linked_list_del(item); layer_ref_dec((layer_t *)item->elem); free(item); @@ -167,7 +167,7 @@ static void free_digest_layer_t(digest_layer_t *ptr) return; } - linked_list_for_each_safe (item, &(ptr->layer_list), next) { + linked_list_for_each_safe(item, &(ptr->layer_list), next) { linked_list_del(item); free(item->elem); item->elem = NULL; @@ -622,7 +622,7 @@ static int delete_digest_from_map(map_t *by_digest, const char *digest, const ch return 0; } - linked_list_for_each_safe (item, &(old_list->layer_list), next) { + linked_list_for_each_safe(item, &(old_list->layer_list), next) { char *t_id = (char *)item->elem; if (strcmp(t_id, id) == 0) { linked_list_del(item); @@ -735,7 +735,7 @@ static int remove_memory_stores(const char *id) } } - linked_list_for_each_safe (item, &(g_metadata.layers_list), next) { + linked_list_for_each_safe(item, &(g_metadata.layers_list), next) { layer_t *tl = (layer_t *)item->elem; if (strcmp(tl->slayer->id, id) != 0) { continue; 
@@ -1505,7 +1505,7 @@ int layer_store_list(struct layer_list *resp) goto unlock; } - linked_list_for_each_safe (item, &(g_metadata.layers_list), next) { + linked_list_for_each_safe(item, &(g_metadata.layers_list), next) { layer_t *l = (layer_t *)item->elem; resp->layers[i] = util_common_calloc_s(sizeof(struct layer)); if (resp->layers[i] == NULL) { @@ -1548,7 +1548,7 @@ static int layers_by_digest_map(map_t *m, const char *digest, struct layer_list goto free_out; } - linked_list_for_each_safe (item, &(id_list->layer_list), next) { + linked_list_for_each_safe(item, &(id_list->layer_list), next) { layer_t *l = NULL; resp->layers[i] = util_common_calloc_s(sizeof(struct layer)); if (resp->layers[i] == NULL) { @@ -1902,7 +1902,7 @@ static int load_layers_from_json_files() goto unlock_out; } - linked_list_for_each_safe (item, &(g_metadata.layers_list), next) { + linked_list_for_each_safe(item, &(g_metadata.layers_list), next) { layer_t *tl = (layer_t *)item->elem; size_t i = 0; diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c index 1ac0139f..92bf901d 100644 --- a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c +++ b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c @@ -184,7 +184,8 @@ static int remote_image_add(void *data) return ret; } -void remote_image_refresh(struct remote_image_data *data) { +void remote_image_refresh(struct remote_image_data *data) +{ if (remote_dir_scan(data) != 0) { ERROR("remote overlay failed to scan dir, skip refresh"); return; diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c index ea43a40a..c2836ae3 100644 --- a/src/utils/cutils/utils_verify.c +++ b/src/utils/cutils/utils_verify.c 
@@ -121,6 +121,7 @@ int util_validate_absolute_path(const char *path) return nret; } +#ifdef ENABLE_GRPC_REMOTE_CONNECT static bool util_vaildate_tcp_socket(const char *socket) { if (socket == NULL) { @@ -132,6 +133,7 @@ static bool util_vaildate_tcp_socket(const char *socket) "|([1-5][0-9]{4})|([1-9][0-9]{0,3})|0))$", socket) == 0; } +#endif bool util_validate_unix_socket(const char *socket) { @@ -162,7 +164,11 @@ bool util_validate_unix_socket(const char *socket) bool util_validate_socket(const char *socket) { +#ifdef ENABLE_GRPC_REMOTE_CONNECT return util_validate_unix_socket(socket) || util_vaildate_tcp_socket(socket); +#else + return util_validate_unix_socket(socket); +#endif } bool util_valid_device_mode(const char *mode) diff --git a/test/image/oci/storage/remote_layer_support/remote_layer_ut.cc b/test/image/oci/storage/remote_layer_support/remote_layer_ut.cc index 5f5e92fb..13e535c5 100644 --- a/test/image/oci/storage/remote_layer_support/remote_layer_ut.cc +++ b/test/image/oci/storage/remote_layer_support/remote_layer_ut.cc @@ -74,7 +74,7 @@ void mockCommonAll(MockRemoteStore *mock) TEST(remote_Layer_ut, test_map_diff) { - // old: a b x + // old: a b x // new: x b c map_t *old_one = map_new(MAP_STR_BOOL, MAP_DEFAULT_CMP_FUNC, MAP_DEFAULT_FREE_FUNC); map_t *new_one = map_new(MAP_STR_BOOL, MAP_DEFAULT_CMP_FUNC, MAP_DEFAULT_FREE_FUNC); -- 2.25.1
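Review bot: The `#else` branch of `util_validate_socket` is the single gate that keeps `tcp://` addresses out of a non-remote daemon and client, yet nothing at the site says so; the next person to fold the two branches together will not know they are removing a security boundary. Suggested comment on the `#else` line: `// Built without remote connect: only unix sockets are accepted, so no tcp:// listener or client target can be configured.` Callers that print a generic invalid-socket error for a rejected `tcp://` would also help users by naming the build option, but those messages are outside this hunk.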