diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index e054d1bdb4..96ec056e4c 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -529,8 +529,24 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 "`Pathname` of signature policy file (not usually used)",
 )
 _ = createFlags.MarkHidden("signature-policy")
+
+ certDirFlagName := "cert-dir"
+ createFlags.StringVar(
+ &cf.CertDir,
+ certDirFlagName, "",
+ "`Pathname` of a directory containing TLS certificates and keys",
+ )
+ _ = cmd.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 }
+ credsFlagName := "creds"
+ createFlags.StringVar(
+ &cf.Creds,
+ credsFlagName, "",
+ "`credentials` (USERNAME:PASSWORD) to use for authenticating to a registry",
+ )
+ _ = cmd.RegisterFlagCompletionFunc(credsFlagName, completion.AutocompleteDefault)
+
 createFlags.BoolVar(
 &cf.Replace,
 "replace", false,
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 617da4a825..97cf0e3405 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -384,6 +384,7 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 PullPolicy: pullPolicy,
 SkipTLSVerify: skipTLSVerify,
 OciDecryptConfig: decConfig,
+ CertDir: cliVals.CertDir,
 }
 if cmd.Flags().Changed("retry") {
@@ -404,6 +405,15 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 pullOptions.RetryDelay = val
 }
+ if cliVals.Creds != "" {
+ creds, err := util.ParseRegistryCreds(cliVals.Creds)
+ if err != nil {
+ return "", err
+ }
+ pullOptions.Username = creds.Username
+ pullOptions.Password = creds.Password
+ }
+
 pullReport, pullErr := registry.ImageEngine().Pull(registry.Context(), imageName, pullOptions)
 if pullErr != nil {
 return "", pullErr
diff --git a/docs/source/markdown/options/cert-dir.md b/docs/source/markdown/options/cert-dir.md
index 014b1cd452..c2bd97dfcc 100644
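Review bot: The `--creds` help string documents the value as `(USERNAME:PASSWORD)`, while the shared option file this same commit wires into create/run (`docs/source/markdown/options/creds.md`) gives the syntax as `[username[:password]]`; if `util.ParseRegistryCreds` accepts a bare username the way the other commands sharing that file do, change `(USERNAME:PASSWORD)` to `([username[:password]])` in the help text, otherwise the option file is now wrong for these two commands. The cert-dir registration sits inside a block whose condition is above the hunk and closes at the `}` that follows it, whereas creds is registered after that block; assuming the block is the remote-mode gate (the new bats test skips `--cert-dir` under remote), the two flags end up with different availability, which deserves a one-line comment at `credsFlagName := "creds"` stating that creds is intentionally offered in both modes. DefineCreateFlags starts and ends outside the hunk.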
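Review bot: The error from `util.ParseRegistryCreds(cliVals.Creds)` is returned bare at `return "", err`, so a malformed value surfaces with no hint that it came from `--creds`; wrap it as `return "", fmt.Errorf("parsing --creds: %w", err)` (assuming fmt is already imported in this file). Presumably the helper prompts on the terminal when the password half is absent, as the shared option file's `[username[:password]]` syntax implies; if so, `podman create --creds user` now blocks on stdin in non-interactive use, and a short comment above `if cliVals.Creds != "" {` should say that the prompt is expected there. pullImage starts and ends outside the hunk.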
--- a/docs/source/markdown/options/cert-dir.md
+++ b/docs/source/markdown/options/cert-dir.md
@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####> podman artifact pull, artifact push, build, container runlabel, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, search
+####> podman artifact pull, artifact push, build, container runlabel, create, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--cert-dir**=*path*
diff --git a/docs/source/markdown/options/creds.md b/docs/source/markdown/options/creds.md
index 76bdfb5035..138dd68d57 100644
--- a/docs/source/markdown/options/creds.md
+++ b/docs/source/markdown/options/creds.md
@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####> podman artifact pull, artifact push, build, container runlabel, farm build, kube play, manifest add, manifest push, pull, push, search
+####> podman artifact pull, artifact push, build, container runlabel, create, farm build, kube play, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--creds**=*[username[:password]]*
diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index 7308fee288..05965c5e20 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -83,6 +83,8 @@ and specified with a _tag_.
 @@option cap-drop
+@@option cert-dir
+
 @@option cgroup-conf
 @@option cgroup-parent
@@ -113,6 +115,8 @@ and specified with a _tag_.
 @@option cpuset-mems
+@@option creds
+
 @@option decryption-key
 @@option device
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 641bbfda3a..ab48b0d08a 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -102,6 +102,8 @@ and specified with a _tag_.
 @@option cap-drop
+@@option cert-dir
+
 @@option cgroup-conf
 @@option cgroup-parent
@@ -132,6 +134,8 @@ and specified with a _tag_.
 @@option cpuset-mems
+@@option creds
+
 @@option decryption-key
 #### **--detach**, **-d**
diff --git a/pkg/domain/entities/pods.go b/pkg/domain/entities/pods.go
index 9edf5aca4a..4da106f9fd 100644
--- a/pkg/domain/entities/pods.go
+++ b/pkg/domain/entities/pods.go
@@ -266,6 +266,8 @@ type ContainerCreateOptions struct {
 IsInfra bool
 IsClone bool
 DecryptionKeys []string
+ CertDir string
+ Creds string
 Net *NetOptions `json:"net,omitempty"`
 CgroupConf []string
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index eb0b90a926..e32c0441ab 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -2,6 +2,7 @@
 load helpers
 load helpers.network
+load helpers.registry
 # bats test_tags=distro-integration, ci:parallel
 @test "podman run - basic tests" {
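Review bot: `Creds string` stores a registry username and password in plaintext inside the exported `ContainerCreateOptions`, and the json tag on the neighbouring `Net` field suggests this type is serialized somewhere; if the options struct is ever marshalled or logged with `%+v`, the password travels with it. Neither new field carries a doc comment (the surrounding fields do not either, but these two hold security-relevant input), so at least note the hazard on the field, e.g. `// Creds is the raw username[:password] given to --creds; it is consumed when pulling and must not be logged or serialized.`, with a sibling line for `CertDir` naming it as the --cert-dir path. The struct definition starts and ends outside the hunk.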
@@ -1827,4 +1828,35 @@ EOF
 run_podman rm -f $c1name $c2name
 }
+# bats test_tags=networking,registry
+@test "podman run with --cert-dir" {
+ skip_if_remote "cert-dir option not working via remote"
+
+ test -n "$PODMAN_LOGIN_REGISTRY_PORT" || skip "registry not set up"
+
+ start_registry
+
+ image=localhost:${PODMAN_LOGIN_REGISTRY_PORT}/cert-dir-run-test-$(safename)
+
+ # First push an image to our test registry
+ run_podman push \
+ --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+ --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+ $IMAGE $image
+
+ # Run without --cert-dir should fail (TLS verification error)
+ run_podman 125 run --rm \
+ --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+ $image echo "this should fail"
+
+ # Run with --cert-dir should succeed (will pull the image)
+ run_podman run --rm \
+ --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+ --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+ $image true
+
+ # Clean up, and it would fail if the $image was not pulled
+ run_podman rmi $image
+}
+
 # vim: filetype=sh
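Review bot: The negative case `run_podman 125 run --rm --creds ... $image echo "this should fail"` only pins the exit status, so a failure for an unrelated reason (bad credentials, registry not answering, image never pushed) satisfies it just as well and the test would pass without exercising TLS verification at all. Add an output check right after it, e.g. `assert "$output" =~ "certificate" "run without --cert-dir must fail TLS verification"`, matching whatever substring the verification error actually prints. Letting the final `run_podman rmi $image` double as the "image was pulled" assertion is fine, but the comment above it should state that this is the intent rather than plain cleanup.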