mirror of
https://github.com/containers/podman.git
synced 2025-06-19 16:33:24 +08:00
Remove the forceSecure parameter on the pull call stack
DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
@ -129,7 +129,7 @@ func createContainer(c *cli.Context, runtime *libpod.Runtime) (*libpod.Container
|
|||||||
var data *inspect.ImageData = nil
|
var data *inspect.ImageData = nil
|
||||||
|
|
||||||
if rootfs == "" && !rootless.SkipStorageSetup() {
|
if rootfs == "" && !rootless.SkipStorageSetup() {
|
||||||
newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
|
newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -64,7 +64,6 @@ specified, the image with the 'latest' tag (if it exists) is pulled
|
|||||||
// pullCmd gets the data from the command line and calls pullImage
|
// pullCmd gets the data from the command line and calls pullImage
|
||||||
// to copy an image from a registry to a local machine
|
// to copy an image from a registry to a local machine
|
||||||
func pullCmd(c *cli.Context) error {
|
func pullCmd(c *cli.Context) error {
|
||||||
forceSecure := false
|
|
||||||
runtime, err := libpodruntime.GetRuntime(c)
|
runtime, err := libpodruntime.GetRuntime(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "could not get runtime")
|
return errors.Wrapf(err, "could not get runtime")
|
||||||
@ -109,7 +108,6 @@ func pullCmd(c *cli.Context) error {
|
|||||||
}
|
}
|
||||||
if c.IsSet("tls-verify") {
|
if c.IsSet("tls-verify") {
|
||||||
dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
|
dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
|
||||||
forceSecure = c.Bool("tls-verify")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Possible for docker-archive to have multiple tags, so use LoadFromArchiveReference instead
|
// Possible for docker-archive to have multiple tags, so use LoadFromArchiveReference instead
|
||||||
@ -125,7 +123,7 @@ func pullCmd(c *cli.Context) error {
|
|||||||
imgID = newImage[0].ID()
|
imgID = newImage[0].ID()
|
||||||
} else {
|
} else {
|
||||||
authfile := getAuthFile(c.String("authfile"))
|
authfile := getAuthFile(c.String("authfile"))
|
||||||
newImage, err := runtime.ImageRuntime().New(getContext(), image, c.String("signature-policy"), authfile, writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
|
newImage, err := runtime.ImageRuntime().New(getContext(), image, c.String("signature-policy"), authfile, writer, &dockerRegistryOptions, image2.SigningOptions{}, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "error pulling image %q", image)
|
return errors.Wrapf(err, "error pulling image %q", image)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -4,11 +4,6 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/containers/image/types"
|
|
||||||
"github.com/containers/libpod/libpod/image"
|
|
||||||
"github.com/containers/libpod/pkg/util"
|
|
||||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
|
||||||
"github.com/docker/go-units"
|
|
||||||
"io"
|
"io"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
@ -18,9 +13,14 @@ import (
|
|||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/containers/image/types"
|
||||||
"github.com/containers/libpod/libpod"
|
"github.com/containers/libpod/libpod"
|
||||||
|
"github.com/containers/libpod/libpod/image"
|
||||||
"github.com/containers/libpod/pkg/inspect"
|
"github.com/containers/libpod/pkg/inspect"
|
||||||
cc "github.com/containers/libpod/pkg/spec"
|
cc "github.com/containers/libpod/pkg/spec"
|
||||||
|
"github.com/containers/libpod/pkg/util"
|
||||||
|
"github.com/cri-o/ocicni/pkg/ocicni"
|
||||||
|
"github.com/docker/go-units"
|
||||||
"github.com/opencontainers/runtime-spec/specs-go"
|
"github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
@ -620,7 +620,7 @@ func GetRunlabel(label string, runlabelImage string, ctx context.Context, runtim
|
|||||||
registryCreds = creds
|
registryCreds = creds
|
||||||
}
|
}
|
||||||
dockerRegistryOptions.DockerRegistryCreds = registryCreds
|
dockerRegistryOptions.DockerRegistryCreds = registryCreds
|
||||||
newImage, err = runtime.ImageRuntime().New(ctx, runlabelImage, signaturePolicyPath, authfile, output, &dockerRegistryOptions, image.SigningOptions{}, false, false)
|
newImage, err = runtime.ImageRuntime().New(ctx, runlabelImage, signaturePolicyPath, authfile, output, &dockerRegistryOptions, image.SigningOptions{}, false)
|
||||||
} else {
|
} else {
|
||||||
newImage, err = runtime.ImageRuntime().NewFromLocal(runlabelImage)
|
newImage, err = runtime.ImageRuntime().NewFromLocal(runlabelImage)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -125,7 +125,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) {
|
|||||||
|
|
||||||
// New creates a new image object where the image could be local
|
// New creates a new image object where the image could be local
|
||||||
// or remote
|
// or remote
|
||||||
func (ir *Runtime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
|
func (ir *Runtime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull bool) (*Image, error) {
|
||||||
// We don't know if the image is local or not ... check local first
|
// We don't know if the image is local or not ... check local first
|
||||||
newImage := Image{
|
newImage := Image{
|
||||||
InputName: name,
|
InputName: name,
|
||||||
@ -145,7 +145,7 @@ func (ir *Runtime) New(ctx context.Context, name, signaturePolicyPath, authfile
|
|||||||
if signaturePolicyPath == "" {
|
if signaturePolicyPath == "" {
|
||||||
signaturePolicyPath = ir.SignaturePolicyPath
|
signaturePolicyPath = ir.SignaturePolicyPath
|
||||||
}
|
}
|
||||||
imageName, err := ir.pullImageFromHeuristicSource(ctx, name, writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
|
imageName, err := ir.pullImageFromHeuristicSource(ctx, name, writer, authfile, signaturePolicyPath, signingoptions, dockeroptions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "unable to pull %s", name)
|
return nil, errors.Wrapf(err, "unable to pull %s", name)
|
||||||
}
|
}
|
||||||
@ -167,7 +167,7 @@ func (ir *Runtime) LoadFromArchiveReference(ctx context.Context, srcRef types.Im
|
|||||||
if signaturePolicyPath == "" {
|
if signaturePolicyPath == "" {
|
||||||
signaturePolicyPath = ir.SignaturePolicyPath
|
signaturePolicyPath = ir.SignaturePolicyPath
|
||||||
}
|
}
|
||||||
imageNames, err := ir.pullImageFromReference(ctx, srcRef, writer, "", signaturePolicyPath, SigningOptions{}, &DockerRegistryOptions{}, false)
|
imageNames, err := ir.pullImageFromReference(ctx, srcRef, writer, "", signaturePolicyPath, SigningOptions{}, &DockerRegistryOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "unable to pull %s", transports.ImageName(srcRef))
|
return nil, errors.Wrapf(err, "unable to pull %s", transports.ImageName(srcRef))
|
||||||
}
|
}
|
||||||
|
|||||||
@ -86,9 +86,9 @@ func TestImage_NewFromLocal(t *testing.T) {
|
|||||||
// Need images to be present for this test
|
// Need images to be present for this test
|
||||||
ir, err := NewImageRuntimeFromOptions(so)
|
ir, err := NewImageRuntimeFromOptions(so)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
bb, err := ir.New(context.Background(), "docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
|
bb, err := ir.New(context.Background(), "docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
bbglibc, err := ir.New(context.Background(), "docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
|
bbglibc, err := ir.New(context.Background(), "docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
tm, err := makeLocalMatrix(bb, bbglibc)
|
tm, err := makeLocalMatrix(bb, bbglibc)
|
||||||
@ -135,7 +135,7 @@ func TestImage_New(t *testing.T) {
|
|||||||
// Iterate over the names and delete the image
|
// Iterate over the names and delete the image
|
||||||
// after the pull
|
// after the pull
|
||||||
for _, img := range names {
|
for _, img := range names {
|
||||||
newImage, err := ir.New(context.Background(), img, "", "", writer, nil, SigningOptions{}, false, false)
|
newImage, err := ir.New(context.Background(), img, "", "", writer, nil, SigningOptions{}, false)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.NotEqual(t, newImage.ID(), "")
|
assert.NotEqual(t, newImage.ID(), "")
|
||||||
err = newImage.Remove(false)
|
err = newImage.Remove(false)
|
||||||
@ -163,7 +163,7 @@ func TestImage_MatchRepoTag(t *testing.T) {
|
|||||||
}
|
}
|
||||||
ir, err := NewImageRuntimeFromOptions(so)
|
ir, err := NewImageRuntimeFromOptions(so)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
newImage, err := ir.New(context.Background(), "busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
|
newImage, err := ir.New(context.Background(), "busybox", "", "", os.Stdout, nil, SigningOptions{}, false)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
err = newImage.TagImage("foo:latest")
|
err = newImage.TagImage("foo:latest")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|||||||
@ -193,7 +193,7 @@ func (ir *Runtime) pullGoalFromImageReference(ctx context.Context, srcRef types.
|
|||||||
|
|
||||||
// pullImageFromHeuristicSource pulls an image based on inputName, which is heuristically parsed and may involve configured registries.
|
// pullImageFromHeuristicSource pulls an image based on inputName, which is heuristically parsed and may involve configured registries.
|
||||||
// Use pullImageFromReference if the source is known precisely.
|
// Use pullImageFromReference if the source is known precisely.
|
||||||
func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName string, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName string, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) ([]string, error) {
|
||||||
var goal *pullGoal
|
var goal *pullGoal
|
||||||
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
||||||
srcRef, err := alltransports.ParseImageName(inputName)
|
srcRef, err := alltransports.ParseImageName(inputName)
|
||||||
@ -209,21 +209,21 @@ func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName s
|
|||||||
return nil, errors.Wrapf(err, "error determining pull goal for image %q", inputName)
|
return nil, errors.Wrapf(err, "error determining pull goal for image %q", inputName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, forceSecure)
|
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions)
|
||||||
}
|
}
|
||||||
|
|
||||||
// pullImageFromReference pulls an image from a types.imageReference.
|
// pullImageFromReference pulls an image from a types.imageReference.
|
||||||
func (ir *Runtime) pullImageFromReference(ctx context.Context, srcRef types.ImageReference, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
func (ir *Runtime) pullImageFromReference(ctx context.Context, srcRef types.ImageReference, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) ([]string, error) {
|
||||||
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
sc := GetSystemContext(signaturePolicyPath, authfile, false)
|
||||||
goal, err := ir.pullGoalFromImageReference(ctx, srcRef, transports.ImageName(srcRef), sc)
|
goal, err := ir.pullGoalFromImageReference(ctx, srcRef, transports.ImageName(srcRef), sc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "error determining pull goal for image %q", transports.ImageName(srcRef))
|
return nil, errors.Wrapf(err, "error determining pull goal for image %q", transports.ImageName(srcRef))
|
||||||
}
|
}
|
||||||
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions, forceSecure)
|
return ir.doPullImage(ctx, sc, *goal, writer, signingOptions, dockerOptions)
|
||||||
}
|
}
|
||||||
|
|
||||||
// doPullImage is an internal helper interpreting pullGoal. Almost everyone should call one of the callers of doPullImage instead.
|
// doPullImage is an internal helper interpreting pullGoal. Almost everyone should call one of the callers of doPullImage instead.
|
||||||
func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goal pullGoal, writer io.Writer, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) ([]string, error) {
|
func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goal pullGoal, writer io.Writer, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) ([]string, error) {
|
||||||
policyContext, err := getPolicyContext(sc)
|
policyContext, err := getPolicyContext(sc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -246,7 +246,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa
|
|||||||
}
|
}
|
||||||
registry := reference.Domain(imgRef)
|
registry := reference.Domain(imgRef)
|
||||||
|
|
||||||
if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
|
if util.StringInSlice(registry, insecureRegistries) && dockerOptions.DockerInsecureSkipTLSVerify != types.OptionalBoolFalse {
|
||||||
copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
|
copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
|
||||||
logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
|
logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
|
||||||
}
|
}
|
||||||
|
|||||||
@ -67,7 +67,7 @@ func (r *Runtime) createInfraContainer(ctx context.Context, p *Pod) (*Container,
|
|||||||
return nil, ErrRuntimeStopped
|
return nil, ErrRuntimeStopped
|
||||||
}
|
}
|
||||||
|
|
||||||
newImage, err := r.ImageRuntime().New(ctx, r.config.InfraImage, "", "", nil, nil, image.SigningOptions{}, false, false)
|
newImage, err := r.ImageRuntime().New(ctx, r.config.InfraImage, "", "", nil, nil, image.SigningOptions{}, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -25,7 +25,7 @@ func (i *LibpodAPI) CreateContainer(call iopodman.VarlinkCall, config iopodman.C
|
|||||||
rtc := i.Runtime.GetConfig()
|
rtc := i.Runtime.GetConfig()
|
||||||
ctx := getContext()
|
ctx := getContext()
|
||||||
|
|
||||||
newImage, err := i.Runtime.ImageRuntime().New(ctx, config.Image, rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
|
newImage, err := i.Runtime.ImageRuntime().New(ctx, config.Image, rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return call.ReplyErrorOccurred(err.Error())
|
return call.ReplyErrorOccurred(err.Error())
|
||||||
}
|
}
|
||||||
|
|||||||
@ -498,7 +498,7 @@ func (i *LibpodAPI) ExportImage(call iopodman.VarlinkCall, name, destination str
|
|||||||
// PullImage pulls an image from a registry to the image store.
|
// PullImage pulls an image from a registry to the image store.
|
||||||
// TODO This implementation is incomplete
|
// TODO This implementation is incomplete
|
||||||
func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string) error {
|
func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string) error {
|
||||||
newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, "", "", nil, &image.DockerRegistryOptions{}, image.SigningOptions{}, true, false)
|
newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, "", "", nil, &image.DockerRegistryOptions{}, image.SigningOptions{}, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return call.ReplyErrorOccurred(fmt.Sprintf("unable to pull %s: %s", name, err.Error()))
|
return call.ReplyErrorOccurred(fmt.Sprintf("unable to pull %s: %s", name, err.Error()))
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user