Minimally update for the DockerInsecureSkipTLSVerify type change

Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-05-20 16:47:39 +08:00 · 2018-12-03 22:15:06 +01:00
parent b70f8b3884
commit b134951d14
16 changed files with 49 additions and 34 deletions
--- a/API.md
+++ b/API.md
@ -609,7 +609,8 @@ $ varlink call -m unix:/run/podman/io.podman/io.podman.PullImage '{"name": "regi

 method PushImage(name: [string](https://godoc.org/builtin#string), tag: [string](https://godoc.org/builtin#string), tlsverify: [bool](https://godoc.org/builtin#bool)) [string](https://godoc.org/builtin#string)</div>
 PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image,
-and a boolean as to whether tls-verify should be used.  It will return an [ImageNotFound](#ImageNotFound) error if
+and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior).
+It will return an [ImageNotFound](#ImageNotFound) error if
 the image cannot be found in local storage; otherwise the ID of the image will be returned on success.
 ### <a name="RemoveContainer"></a>func RemoveContainer
 <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">
--- a/cmd/podman/login.go
+++ b/cmd/podman/login.go
@ -8,6 +8,7 @@ import (

 	"github.com/containers/image/docker"
 	"github.com/containers/image/pkg/docker/config"
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/common"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
@ -93,7 +94,9 @@ func loginCmd(c *cli.Context) error {
 		return errors.Wrapf(err, "error getting username and password")
 	}

-	sc.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+	if c.IsSet("tls-verify") {
+		sc.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
+	}
 	if c.String("cert-dir") != "" {
 		sc.DockerCertPath = c.String("cert-dir")
 	}
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@ -104,11 +104,11 @@ func pullCmd(c *cli.Context) error {
 	}

 	dockerRegistryOptions := image2.DockerRegistryOptions{
-		DockerRegistryCreds:         registryCreds,
-		DockerCertPath:              c.String("cert-dir"),
-		DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
+		DockerRegistryCreds: registryCreds,
+		DockerCertPath:      c.String("cert-dir"),
 	}
 	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
 		forceSecure = c.Bool("tls-verify")
 	}

--- a/cmd/podman/push.go
+++ b/cmd/podman/push.go
@ -108,7 +108,6 @@ func pushCmd(c *cli.Context) error {
 	}

 	certPath := c.String("cert-dir")
-	skipVerify := !c.BoolT("tls-verify")
 	removeSignatures := c.Bool("remove-signatures")
 	signBy := c.String("sign-by")

@ -145,14 +144,13 @@ func pushCmd(c *cli.Context) error {
 		}
 	}

-	if c.IsSet("tls-verify") {
-		forceSecure = c.Bool("tls-verify")
-	}
-
 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerRegistryCreds:         registryCreds,
-		DockerCertPath:              certPath,
-		DockerInsecureSkipTLSVerify: skipVerify,
+		DockerRegistryCreds: registryCreds,
+		DockerCertPath:      certPath,
+	}
+	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
+		forceSecure = c.Bool("tls-verify")
 	}

 	so := image.SigningOptions{
--- a/cmd/podman/runlabel.go
+++ b/cmd/podman/runlabel.go
@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"

+	"github.com/containers/image/types"
 	"github.com/containers/libpod/cmd/podman/libpodruntime"
 	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/libpod/image"
@ -153,8 +154,10 @@ func runlabelCmd(c *cli.Context) error {
 	}

 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerCertPath:              c.String("cert-dir"),
-		DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
+		DockerCertPath: c.String("cert-dir"),
+	}
+	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
 	}

 	authfile := getAuthFile(c.String("authfile"))
--- a/cmd/podman/search.go
+++ b/cmd/podman/search.go
@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/containers/image/docker"
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/cmd/podman/formats"
 	"github.com/containers/libpod/libpod/common"
 	sysreg "github.com/containers/libpod/pkg/registries"
@ -216,7 +217,7 @@ func getSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts
 	var paramsArr []searchParams
 	for reg, skipTLS := range regAndSkipTLS {
 		// set the SkipTLSVerify bool depending on the registry being searched through
-		sc.DockerInsecureSkipTLSVerify = skipTLS
+		sc.DockerInsecureSkipTLSVerify = types.NewOptionalBool(skipTLS)
 		results, err := docker.SearchRegistry(context.TODO(), sc, reg, term, limit)
 		if err != nil {
 			logrus.Errorf("error searching registry %q: %v", reg, err)
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@ -610,7 +610,8 @@ method InspectImage(name: string) -> (image: string)
 method HistoryImage(name: string) -> (history: []ImageHistory)

 # PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image,
-# and a boolean as to whether tls-verify should be used.  It will return an [ImageNotFound](#ImageNotFound) error if
+# and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior).
+# It will return an [ImageNotFound](#ImageNotFound) error if
 # the image cannot be found in local storage; otherwise the ID of the image will be returned on success.
 method PushImage(name: string, tag: string, tlsverify: bool) -> (image: string)

--- a/docs/podman-container-runlabel.1.md
+++ b/docs/podman-container-runlabel.1.md
@ -95,8 +95,8 @@ option be used, as the default behavior of using the system-wide default policy
 **--tls-verify**

 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used, If set to false then tls verification will not be used. If not specified
-tls verification will be used unless the target registry is listed as an insecure registry in registries.conf
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf

 ## Examples ##

--- a/docs/podman-login.1.md
+++ b/docs/podman-login.1.md
@ -43,7 +43,9 @@ Default certificates directory is _/etc/containers/certs.d_.

 **--tls-verify**

-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

 **--help**, **-h**

--- a/docs/podman-pull.1.md
+++ b/docs/podman-pull.1.md
@ -77,8 +77,8 @@ option be used, as the default behavior of using the system-wide default policy
 **--tls-verify**

 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used, If set to false then tls verification will not be used. If not specified
-tls verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

 **--help**, **-h**

--- a/docs/podman-push.1.md
+++ b/docs/podman-push.1.md
@ -93,7 +93,9 @@ Add a signature at the destination using the specified key

 **--tls-verify**

-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.

 ## EXAMPLE

--- a/docs/podman-search.1.md
+++ b/docs/podman-search.1.md
@ -72,8 +72,8 @@ Do not truncate the output
 **--tls-verify**

 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used. If set to false then tls verification will not be used if needed. If not specified
-default registries will be searched through (in /etc/containers/registries.conf), and tls will be skipped if a default
+then TLS verification will be used. If set to false, then TLS verification will not be used if needed. If not specified,
+default registries will be searched through (in /etc/containers/registries.conf), and TLS will be skipped if a default
 registry is listed in the insecure registries.

 **--help**, **-h**
--- a/libpod/image/docker_registry_options.go
+++ b/libpod/image/docker_registry_options.go
@ -19,8 +19,9 @@ type DockerRegistryOptions struct {
 	// except for ".cert" and ".key" suffixes).
 	DockerCertPath string
 	// DockerInsecureSkipTLSVerify turns off verification of TLS
-	// certificates and allows connecting to registries without encryption.
-	DockerInsecureSkipTLSVerify bool
+	// certificates and allows connecting to registries without encryption
+	// - or forces it on even if registries.conf has the registry configured as insecure.
+	DockerInsecureSkipTLSVerify types.OptionalBool
 }

 // GetSystemContext constructs a new system context from a parent context. the values in the DockerRegistryOptions, and other parameters.
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@ -547,7 +547,7 @@ func (i *Image) PushImageToReference(ctx context.Context, dest types.ImageRefere
 		registry := reference.Domain(imgRef)

 		if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
-			copyOptions.DestinationCtx.DockerInsecureSkipTLSVerify = true
+			copyOptions.DestinationCtx.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
 			logrus.Info(fmt.Sprintf("%s is an insecure registry; pushing with tls-verify=false", registry))
 		}
 	}
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@ -247,7 +247,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa
 			registry := reference.Domain(imgRef)

 			if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
-				copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
+				copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
 				logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
 			}
 		}
--- a/pkg/varlinkapi/images.go
+++ b/pkg/varlinkapi/images.go
@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"github.com/containers/libpod/cmd/podman/shared"
 	"io"
 	"os"
 	"path/filepath"
@ -16,6 +15,7 @@ import (
 	"github.com/containers/image/docker"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
+	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/cmd/podman/varlink"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
@ -322,8 +322,9 @@ func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVe
 		destname = tag
 	}

-	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerInsecureSkipTLSVerify: !tlsVerify,
+	dockerRegistryOptions := image.DockerRegistryOptions{}
+	if !tlsVerify {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
 	}

 	so := image.SigningOptions{}
@ -520,8 +521,10 @@ func (i *LibpodAPI) ImageExists(call iopodman.VarlinkCall, name string) error {
 func (i *LibpodAPI) ContainerRunlabel(call iopodman.VarlinkCall, input iopodman.Runlabel) error {
 	ctx := getContext()
 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerCertPath:              input.CertDir,
-		DockerInsecureSkipTLSVerify: !input.TlsVerify,
+		DockerCertPath: input.CertDir,
+	}
+	if !input.TlsVerify {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
 	}

 	stdErr := os.Stderr