app-admin/toolbox: fix access to private toolbox image on GCR

Use docker-credential-gcr to generate a credentials string for
containers from the gcr.io registry and its mirrors, to authorize
access to private images.

BUG=b/211904749
TEST=presubmit
RELEASE_NOTE=Fix access to private toolbox images hosted on GCR.

Change-Id: Iaf275ec47ef01eb3fc3428669ebc94c5244aa90f
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/26860
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Varsha Teratipally <teratipally@google.com>
Reviewed-by: Rayan Dasoriya <dasoriya@google.com>
diff --git a/project-lakitu/app-admin/toolbox/files/0001-Added-containerd-support.patch b/project-lakitu/app-admin/toolbox/files/0001-Added-containerd-support.patch
index dd6b860..0e7f251 100644
--- a/project-lakitu/app-admin/toolbox/files/0001-Added-containerd-support.patch
+++ b/project-lakitu/app-admin/toolbox/files/0001-Added-containerd-support.patch
@@ -1,14 +1,14 @@
-From fc9fea5b5b47686f9e841d4b7d0105e06960c112 Mon Sep 17 00:00:00 2001
+From 1e3d36e86b30ed217172a47c55c64e1d76e5b99d Mon Sep 17 00:00:00 2001
 From: Rayan Dasoriya <dasoriya@google.com>
 Date: Tue, 20 Jul 2021 02:32:45 +0000
 Subject: [PATCH] Added containerd support
 
 ---
- toolbox | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
+ toolbox | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
 
 diff --git a/toolbox b/toolbox
-index f101cf1..fcd2102 100755
+index f101cf1..ede3b31 100755
 --- a/toolbox
 +++ b/toolbox
 @@ -10,6 +10,8 @@ TOOLBOX_DIRECTORY="/var/lib/toolbox"
@@ -20,7 +20,7 @@
  
  toolboxrc="${HOME}"/.toolboxrc
  
-@@ -28,18 +30,27 @@ machinepath="${TOOLBOX_DIRECTORY}/${machinename}"
+@@ -28,18 +30,40 @@ machinepath="${TOOLBOX_DIRECTORY}/${machinename}"
  osrelease="${machinepath}/etc/os-release"
  if [ ! -f ${osrelease} ] || systemctl is-failed -q ${machinename} ; then
  	sudo mkdir -p "${machinepath}"
@@ -32,10 +32,23 @@
 -	docker export ${machinename} | sudo tar -x -C "${machinepath}" -f -
 -	docker rm ${machinename}
 +	if [ ! -z "${TOOLBOX_DOCKER_IMAGE_TARBALL}" ] ; then
-+                sudo ctr image import "${TOOLBOX_DOCKER_IMAGE_TARBALL}"
-+        else
-+                sudo ctr image pull "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}"
-+        fi
++		sudo ctr image import "${TOOLBOX_DOCKER_IMAGE_TARBALL}"
++	else
++		if [[ "${TOOLBOX_DOCKER_IMAGE}" =~ ^[a-z.]*gcr.io/ ]]; then
++			# Get a host part of the container name
++			registry_host="${TOOLBOX_DOCKER_IMAGE/gcr.io*/gcr.io}"
++			# docker-credential-gcr can fail if it runs in a
++			# non-GCP env, so let it fail and proceed without
++			# --user flag in this case
++			credentials=$(echo "${registry_host}" | \
++				(/usr/bin/docker-credential-gcr get || true) 2>/dev/null | \
++				jq -r '.Username + ":" + .Secret')
++			if [[ -n "${credentials}" ]]; then
++				user_flags=('--user' "${credentials}")
++			fi
++		fi
++		sudo ctr image pull "${user_flags[@]}" "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}"
++	fi
 +	sudo ctr containers create "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}" ${machinename} /bin/true
 +	sudo ctr snapshot mounts "${TOOLBOX_TEMP_DIR}" ${machinename} | xargs sudo
 +	sudo rsync -a "${TOOLBOX_TEMP_DIR}/" "${machinepath}"
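Review bot: The registry test `=~ ^[a-z.]*gcr.io/` is looser than its comment implies: the dots are unescaped and `[a-z.]*` needs no label boundary, so a host such as `examplegcr.io/` (constructed example) also takes the credential path; `^([a-z0-9-]+\.)*gcr\.io/` would restrict it to gcr.io and its subdomains. `user_flags` is assigned only inside the inner `if`, so `"${user_flags[@]}"` on the pull line expands whatever `user_flags` the script inherited from its environment, and an unset array also trips `set -u` on older bash if that option is in effect; add `user_flags=()` before the registry check. The secret is then placed in the argv of `sudo ctr image pull --user …`, where other local users can read it from the process list while the pull runs, so a comment stating that this is accepted (and why, e.g. token lifetime) would help the next reader. The enclosing `if [ ! -f ${osrelease} ]` block starts and ends outside this hunk.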
@@ -53,5 +66,5 @@
          ${TOOLBOX_BIND} \
          ${TOOLBOX_ENV} \
 -- 
-2.32.0.402.g57bb445576-goog
+2.34.1.448.ga2b2bfdf31-goog
 
diff --git a/project-lakitu/app-admin/toolbox/toolbox-0.0.1-r29.ebuild b/project-lakitu/app-admin/toolbox/toolbox-0.0.1-r30.ebuild
similarity index 100%
rename from project-lakitu/app-admin/toolbox/toolbox-0.0.1-r29.ebuild
rename to project-lakitu/app-admin/toolbox/toolbox-0.0.1-r30.ebuild
diff --git a/project-lakitu/app-admin/toolbox/toolbox-0.0.1.ebuild b/project-lakitu/app-admin/toolbox/toolbox-0.0.1.ebuild
index 77c9471..f485602 100644
--- a/project-lakitu/app-admin/toolbox/toolbox-0.0.1.ebuild
+++ b/project-lakitu/app-admin/toolbox/toolbox-0.0.1.ebuild
@@ -18,7 +18,7 @@
 IUSE=""
 
 DEPEND=""
-RDEPEND="${DEPEND}"
+RDEPEND="${DEPEND} app-misc/jq"
 
 src_prepare() {
 	epatch "${FILESDIR}"/0001-Added-containerd-support.patch
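Review bot: `RDEPEND` gains `app-misc/jq` but nothing for `/usr/bin/docker-credential-gcr`, which the patched script calls by absolute path. Because that call is wrapped in `|| true` with stderr discarded, an image built without the helper would silently pull anonymously and private images would fail with no hint why; if the helper is not already guaranteed by another package, list its provider here or add a comment saying where it comes from. `src_prepare` continues past the end of this hunk.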