Docker Credential Helper MMDS
Docker Credential Helper MMDS is a credential helper for exposing docker credentials inside a Firecracker microVM via MMDS.
Building
docker-credential-mmds can be built by running make.
Configuration
Docker inside Firecracker
When building a Firecracker rootfs, place docker-credential-mmds on the PATH, then put the following configuration in ~/.docker/config:
{
  "credsStore": "mmds"
}
This configures the Docker daemon running inside the Firecracker microVM to read all credentials from MMDS.
Credentials from Host
docker-credential-mmds reads credentials from MMDS inside the Firecracker microVM, but a cooperating process on the host needs to place credentials into MMDS. The credentials must be placed in MMDS under a key called docker-credentials, which holds a map from registry host name to an object with a username and a password.
For example, the following configures credentials for the ECR Public Gallery and Docker Hub:
{
  "docker-credentials": {
    "public.ecr.aws": {
      "username": "123456789012",
      "password": "access_key"
    },
    "docker.io": {
      "username": "user",
      "password": "pass"
    }
  }
}
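To show how the guest side consumes that document, here is an added example (not the project's own code) of the read-only "get" verb a Docker credential helper must answer: Docker passes the registry's server URL on stdin and expects a JSON credential on stdout. It assumes Firecracker's default MMDS address 169.254.169.254 and MMDS version 1 (no session token), and that the MMDS key is the bare registry hostname as in the document above; the host-to-key reduction in lookup is this example's own convention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// entry is one host object under "docker-credentials"; Credential is what Docker expects from "get".
type entry struct{ Username, Password string }
type Credential struct{ ServerURL, Username, Secret string }

// Firecracker's default link-local MMDS address; MMDS v1 (no session token) is assumed.
const mmdsURL = "http://169.254.169.254/docker-credentials"

// lookup decodes the docker-credentials subtree and selects the entry for Docker's
// server URL, reduced to the bare hostname keyed in MMDS. An unknown host is an
// error, so Docker falls back to an anonymous pull rather than misusing a secret.
func lookup(raw []byte, serverURL string) (Credential, error) {
	var doc map[string]entry
	if err := json.Unmarshal(raw, &doc); err != nil {
		return Credential{}, err
	}
	host := strings.TrimSpace(serverURL)
	if i := strings.Index(host, "://"); i >= 0 {
		host = host[i+3:]
	}
	host = strings.SplitN(host, "/", 2)[0]
	e, ok := doc[host]
	if !ok {
		return Credential{}, fmt.Errorf("no MMDS credentials for %q", host)
	}
	return Credential{ServerURL: serverURL, Username: e.Username, Secret: e.Password}, nil
}

// get is the body of the helper's "get" verb. The Accept header asks MMDS for JSON;
// without it Firecracker answers with an IMDS-style plain-text listing that would not decode.
func get(serverURL string) (Credential, error) {
	req, _ := http.NewRequest(http.MethodGet, mmdsURL, nil)
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return Credential{}, err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	return lookup(raw, serverURL)
}
```

A complete helper would wire get to stdin/stdout in main and reject the store and erase verbs, since MMDS is read-only from inside the guest.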
Placing credentials with the Firecracker HTTP API
One way to put credentials into MMDS is with Firecracker's HTTP API:
curl --unix-socket /tmp/firecracker.socket -i \
  -X PUT "http://localhost/mmds" \
  -H "Content-Type: application/json" \
  -d '{
    "docker-credentials": {
      "public.ecr.aws": {
        "username": "123456789012",
        "password": "access_key"
      },
      "docker.io": {
        "username": "user",
        "password": "pass"
      }
    }
  }'
Placing credentials with the Firecracker-go-sdk
For larger systems, it may be useful to write a full program on the host to enable additional features such as credential refreshing. The firecracker-go-sdk wraps the Firecracker HTTP APIs with Go APIs for this purpose.
import (
	"context"
	"log"

	// Import paths assumed: SetVMMetadata and proto.SetVMMetadataRequest are
	// the firecracker-containerd control API.
	"github.com/firecracker-microvm/firecracker-containerd/firecracker-control/client"
	"github.com/firecracker-microvm/firecracker-containerd/proto"
)

credentials := `{
  "docker-credentials": {
    "public.ecr.aws": {
      "username": "123456789012",
      "password": "access_key"
    },
    "docker.io": {
      "username": "user",
      "password": "pass"
    }
  }
}`

ctx := context.Background()
fcClient, err := client.New("/tmp/firecracker.socket")
if err != nil {
	log.Fatalf("connecting to control socket: %v", err)
}
// vmID is the ID of the microVM whose MMDS receives the document.
if _, err := fcClient.SetVMMetadata(ctx, &proto.SetVMMetadataRequest{
	VMID:     vmID,
	Metadata: credentials,
}); err != nil {
	log.Fatalf("setting VM metadata: %v", err)
}