- Allow creating sigstore signatures via --sign-by-sigstore-private-key .
Like existing --sign-by, it does not work remote (in this case
because we would have to copy the private key to the server).
- Allow passing a passphrase (which is mandatory for sigstore private keys)
via --sign-passphrase-file; if it is not provided, prompt interactively.
- Also, use that passphrase for --sign-by as well, allowing non-interactive
GPG use. (But --sign-passphrase-file can only be used with _one of_
--sign-by and --sign-by-sigstore-private-key.)
Note that unlike the existing code, (podman build) does not yet
implement sigstore (I'm not sure why it needs to, it seems not to
push images?) because Buildah does not expose the feature yet.
Also, (podman image sign) was not extended to support sigstore.
The test for this follows existing (podman image sign) tests
and doesn't work rootless; that could be improved by exposing
a registries.d override option.
The test for push is getting large; I didn't want to
start yet another registry container, but that would be an
alternative. In the future, Ginkgo's Ordered/BeforeAll
would allow starting a registry once and using it for two
tests.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
By vendoring the fixes from containers/image. Also add a test (thanks
@edsantiago) to make sure we won't regress in the future again.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Changes as of 2022-04-21:
- apply-podman-deltas: minor cleanup
- buildah-tests.diff: deal with:
. buildah #3894 (the registry one), which affected helpers.bash in
a way that resulted in conflicts here; and
. buildah #3917 (etchosts), which caused offset-only diffs
with no conflicts
- Reevaluate the bud skip list, and reenable some tests that
seems to be passing now under podman:
. bud with specified context ...
. two tests that require a local registry (which buildah now runs)
. bud with --cgroup-parent
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Bumps
c/buildah to -> `v1.24.3-0.20220310160415-5ec70bf01ea5`
c/storage to -> `v1.38.3-0.20220308085612-93ce26691863`
c/image to -> `v5.20.1-0.20220310094651-0d8056ee346f`
Signed-off-by: Aditya R <arajan@redhat.com>
Also update the e2e pull test to account for the changes when pulling
from the dir transport. Images pulled via the dir transport are not
tagged anymore; the path is not a reliable source.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Update the `--filter reference=...` tests to reflect recent changes in
c/common. The reference values now match as specified without
implicitly adding wildcards arounds.
Fixes: #11905
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The Docker-compatible REST API has historically behaved just as the rest
of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where
`containers-registries.conf` is centrally controlling which registries
a short name may resolve to during pull or local image lookups. Please
refer to a blog for more details [1].
Docker, however, is only resolving short names to docker.io which has
been reported (see #12320) to break certain clients who rely on this
behavior. In order to support this scenario, `containers.conf(5)`
received a new option to control whether Podman's compat API resolves
to docker.io only or behaves as before.
Most endpoints allow for directly normalizing parameters that represent
an image. If set in containers.conf, Podman will then normalize the
references directly to docker.io. The build endpoint is an outlier
since images are also referenced in Dockerfiles. The Buildah API,
however, supports specifying a custom `types.SystemContext` in which
we can set a field that enforces short-name resolution to docker.io
in `c/image/pkg/shortnames`.
Notice that this a "hybrid" approach of doing the normalization directly
in the compat endpoints *and* in `pkg/shortnames` by passing a system
context. Doing such a hybrid approach is neccessary since the compat
and the libpod endpoints share the same `libimage.Runtime` which makes
a global enforcement via the `libimage.Runtime.systemContext`
impossible. Having two separate runtimes for the compat and the libpod
endpoints seems risky and not generally applicable to all endpoints.
[1] https://www.redhat.com/sysadmin/container-image-short-namesFixes: #12320
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
