host-ctr: add support for authenticated image pulls from ECR Public

[etungsten]

Issue number:
N/A

Description of changes:

Author: Erikson Tung <etung@amazon.com>
Date:   Thu Jan 28 15:25:47 2021 -0800

    host-ctr: add support for authenticated image pulls from ECR Public
    
    Add support for authenticated image pulls from ECR Public registries.
    Unlike ECR private registries, we have to use Docker's registry API for
    resolving ECR Public image references. This means having to manage
    ECR Public registry auth credentials ourselves

Testing done:

Verified that ecrpublic::GetAuthorizationToken calls from host-ctr are successful and I get credentials back without problems.

Verified the request header includes the base64-encoded authorization token and the image gets pulled successfully:

time="2021-02-01T10:02:25-08:00" level=debug msg="do request" digest="sha256:6c72cf34ed39ff40a5ad8abd57c66e6766897f311a28f6b993f4b87545195204" mediatype=application/vnd.docker.distribution.manifest.list.v2+json 
request.header.accept="application/vnd.docker.distribution.manifest.list.v2+json, */*" 
request.header.authorization="Bearer  <BASE64-ENCODED AUTHORIZATION TOKEN>"
request.header.user-agent=containerd/1.3.7+unknown 
request.method=GET 
size=743 
url="https://public.ecr.aws/v2/nginx/nginx/manifests/sha256:6c72cf34ed39ff40a5ad8abd57c66e6766897f311a28f6b993f4b87545195204"
time="2021-02-01T10:02:25-08:00" level=debug msg="fetch response received" host=public.ecr.aws response.header.content-length=743 response.header.content-type=application/vnd.docker.distribution.manifest.list.v2+json response.header.date="Mon, 01 Feb 2021 18:02:25 GMT" response.header.docker-content-digest="sha256:6c72cf34ed39ff40a5ad8abd57c66e6766897f311a28f6b993f4b87545195204" response.header.docker-distribution-api-version=registry/2.0 response.status="200 OK" url="https://public.ecr.aws/v2/nginx/nginx/manifests/latest"
....

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[etungsten]

Push above and below addresses all of @samuelkarp 's comments.

[etungsten]

Push above fixes a small issue with double checking the host part of the url

[zmrow]

🤗

[webern]

What are the pre-conditions for this to work? The instance needs an instance role? Same as for the old resolver, right?

[etungsten]

Yes, the instance needs to be launched with an instance role profile that has the ECRPublic:GetAuthorizationToken permission. For the normal resolver, the role just needs the managed policy for ECR (not public). All other registries just uses the default resolver.

I think this brings up a good point on how we should make host-ctr more cloud-agnostic. I don't think it's easy to make a determination at runtime to check if we're running in EC2 (or at least not in a hacky way). So this is something that needs to be conditionally compiled... I can follow up with a issue to investigate that further if that's alright.

[etungsten]

Or maybe it just makes sense to fallback to using the default resolver if we fail a call to ecrpublic:GetAuthorizationToken. I think that's probably better and makes things easier. I'll go ahead and do that.

[samuelkarp]

Since ECR Public specifically allows unauthenticated requests (albeit with more throttling), a lack of credentials/permission should fall-through to an anonymous pull.

[etungsten]

Push above and below makes it so that we fallback to using the default resolver with no creds if we can't get creds for ECR Public.

Tested things and they work as they should. If I don't have permission to get authorization creds, host-ctr correctly falls back to using the default resovler:

Feb 02 00:22:51 host-ctr[4640]: time="2021-02-02T00:22:51Z" level=warning msg="ecr-public: failed to get authorization token, falling back to default resolver (unauthenticated pull)"
Feb 02 00:22:52 host-ctr[4640]: time="2021-02-02T00:22:52Z" level=info msg="pulled image successfully" img="public.ecr.aws/nginx/nginx:latest"

[samuelkarp]

If I don't have permission to get authorization creds, host-ctr correctly falls back to using the default resovler

Can you also explicitly test the case where no AWS credentials are available as opposed to the case where AWS credentials are available but don't have permission?

[etungsten]

Push above addresses @samuelkarp 's latest comments.

If I don't have permission to get authorization creds, host-ctr correctly falls back to using the default resovler

Can you also explicitly test the case where no AWS credentials are available as opposed to the case where AWS credentials are available but don't have permission?

I moved my ~/.aws/ directory to a random location and tried running host-ctr locally. It was not able to fetch credentials and fell back using the default resolver as expected:

time="2021-02-01T20:33:17-08:00" level=warning msg="ecr-public: failed to get authorization token, falling back to default resolver (unauthenticated pull)"
time="2021-02-01T20:33:17-08:00" level=debug msg=resolving host=public.ecr.aws
time="2021-02-01T20:33:17-08:00" level=debug msg="do request" host=public.ecr.aws request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/1.3.7+unknown request.method=HEAD url="https://public.ecr.aws/v2/nginx/nginx/manifests/latest"

[samuelkarp]

🚢

[jahkeup]

Looks great! 👍🏽

I would like to see the error messages slightly tweaked to avoid the potential of misleading users in some situations before merging - let me know what you think.

[etungsten]

Push above addresses @jahkeup 's comments.