microsoft.genpolicy: log image reference on unauthorized access
jmxnzo committed Dec 4, 2024
1 parent e6d3880 commit 1d5e7c8
Showing 2 changed files with 29 additions and 0 deletions.
@@ -0,0 +1,22 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: jmxnzo <[email protected]>
Date: Mon, 2 Dec 2024 12:38:04 +0100
Subject: [PATCH] genpolicy: include reference in logs when auth failure

---
src/tools/genpolicy/src/registry.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
index bdce2d40e3a7c3ec34137ceb3685fcc94aedcb39..9aa1cde98cd28a8c78d652986408e7738e5d96d6 100644
--- a/src/tools/genpolicy/src/registry.rs
+++ b/src/tools/genpolicy/src/registry.rs
@@ -125,7 +125,7 @@ impl Container {
})
}
Err(oci_distribution::errors::OciDistributionError::AuthenticationFailure(message)) => {
- panic!("Container image registry authentication failure ({}). Are docker credentials set-up for current user?", &message);
+ panic!("Container image registry authentication failure ({}) for {}. Are docker credentials set-up for current user?", &message, &reference.whole().as_str());
}
Err(e) => {
panic!(
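Review bot: in the added `panic!` line, the new argument `&reference.whole().as_str()` is more indirection than `{}` needs; passing `reference.whole()` is enough and avoids borrowing a `&str` out of a temporary. Since the subject line says this output is meant for logs, it would also help to state in the commit message that the full image reference (registry host, repository, tag or digest) is acceptable to emit wherever genpolicy's panic output is collected.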
7 changes: 7 additions & 0 deletions packages/by-name/microsoft/genpolicy/package.nix
Expand Up @@ -59,6 +59,13 @@ rustPlatform.buildRustPackage rec {
# to Microsofts genpolicy.
# TODO(miampf): remove when picked up by microsoft/kata-containers fork.
./0007-genpolicy-support-for-VOLUME-definition-in-container.patch

# Simple genpolicy logging patch to include the image reference in case of authentication failure
# TODO(jmxnzo): remove when authentication failure error logging includes image reference on microsoft/kata-containers fork.
# This will be achieved when updating oci_distribution to oci_client crate on microsoft/kata-containers fork.
# kata/kata-runtime/0011-genpolicy-bump-oci-distribution-to-v0.12.0.patch introduces this update to kata-containers.
# After upstreaming, microsoft/kata-containers fork would need to pick up the changes.
./0008-genpolicy-include-reference-in-logs-when-auth-failure.patch
];
};
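Review bot: the `TODO(jmxnzo)` comment above `./0008-genpolicy-include-reference-in-logs-when-auth-failure.patch` describes a removal condition that depends on three separate events (the `oci_distribution` to `oci_client` update, upstreaming of `0011-genpolicy-bump-oci-distribution-to-v0.12.0.patch`, and the microsoft/kata-containers fork picking that up) without anything a maintainer can check. Suggest linking the upstream PR or issue in the comment so it is clear when this patch can be dropped, and trimming the comment to the single condition that actually gates removal.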
