author | Daniel J Walsh <dwalsh@redhat.com> | 2019-05-11 07:26:05 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-05-20 13:53:32 -0400 |
commit | baed81029b74c8d801ea9d5cf67a78005472e6ed (patch) | |
tree | b7c8b61992b18df56558d8dfff744990d18e3e26 | |
parent | 8d5432932d21b6863f813437d649044ca2264a2d (diff) | |
download | podman-baed81029b74c8d801ea9d5cf67a78005472e6ed.tar.gz podman-baed81029b74c8d801ea9d5cf67a78005472e6ed.tar.bz2 podman-baed81029b74c8d801ea9d5cf67a78005472e6ed.zip |
Fixup Flags
Mark hidden all references to signature-policy
Default all uses of --authfile
Add --authfile support to podman run and podman create.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rwxr-xr-x | API.md | 25 | ||||
-rw-r--r-- | cmd/podman/build.go | 3 | ||||
-rw-r--r-- | cmd/podman/common.go | 18 | ||||
-rw-r--r-- | cmd/podman/load.go | 7 | ||||
-rw-r--r-- | cmd/podman/login.go | 18 | ||||
-rw-r--r-- | cmd/podman/logout.go | 14 | ||||
-rw-r--r-- | cmd/podman/play_kube.go | 18 | ||||
-rw-r--r-- | cmd/podman/pull.go | 21 | ||||
-rw-r--r-- | cmd/podman/push.go | 18 | ||||
-rw-r--r-- | cmd/podman/run.go | 2 | ||||
-rw-r--r-- | cmd/podman/runlabel.go | 18 | ||||
-rw-r--r-- | cmd/podman/search.go | 9 | ||||
-rw-r--r-- | cmd/podman/varlink/io.podman.varlink | 14 | ||||
-rw-r--r-- | completions/bash/podman | 10 | ||||
-rw-r--r-- | docs/podman-build.1.md | 12 | ||||
-rw-r--r-- | docs/podman-container-runlabel.1.md | 12 | ||||
-rw-r--r-- | docs/podman-create.1.md | 7 | ||||
-rw-r--r-- | docs/podman-load.1.md | 8 | ||||
-rw-r--r-- | docs/podman-login.1.md | 6 | ||||
-rw-r--r-- | docs/podman-logout.1.md | 2 | ||||
-rw-r--r-- | docs/podman-play-kube.1.md | 13 | ||||
-rw-r--r-- | docs/podman-pull.1.md | 14 | ||||
-rw-r--r-- | docs/podman-push.1.md | 12 | ||||
-rw-r--r-- | docs/podman-run.1.md | 7 | ||||
-rw-r--r-- | docs/podman-search.1.md | 4 | ||||
-rw-r--r-- | pkg/adapter/runtime_remote.go | 41 | ||||
-rw-r--r-- | pkg/varlinkapi/images.go | 70 |
27 files changed, 164 insertions, 239 deletions
@@ -131,9 +131,9 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in [func Ps(opts: PsOpts) PsContainer](#Ps) -[func PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: ) MoreResponse](#PullImage) +[func PullImage(name: string) MoreResponse](#PullImage) -[func PushImage(name: string, tag: string, tlsverify: , signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) MoreResponse](#PushImage) +[func PushImage(name: string, tag: string, compress: bool, format: string, removeSignatures: bool, signBy: string) MoreResponse](#PushImage) [func ReceiveFile(path: string, delete: bool) int](#ReceiveFile) @@ -147,7 +147,7 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in [func RestartPod(name: string) string](#RestartPod) -[func SearchImages(query: string, limit: , tlsVerify: , filter: ImageSearchFilter) ImageSearchResult](#SearchImages) +[func SearchImages(query: string, limit: , filter: ImageSearchFilter) ImageSearchResult](#SearchImages) [func SendFile(type: string, length: int) string](#SendFile) 
@@ -921,16 +921,15 @@ method Ps(opts: [PsOpts](#PsOpts)) [PsContainer](#PsContainer)</div> ### <a name="PullImage"></a>func PullImage <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> -method PullImage(name: [string](https://godoc.org/builtin#string), certDir: [string](https://godoc.org/builtin#string), creds: [string](https://godoc.org/builtin#string), signaturePolicy: [string](https://godoc.org/builtin#string), tlsVerify: [](#)) [MoreResponse](#MoreResponse)</div> +method PullImage(name: [string](https://godoc.org/builtin#string)) [MoreResponse](#MoreResponse)</div> PullImage pulls an image from a repository to local storage. After a successful pull, the image id and logs are returned as a [MoreResponse](#MoreResponse). This connection also will handle a WantsMores request to send status as it occurs. ### <a name="PushImage"></a>func PushImage <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> -method PushImage(name: [string](https://godoc.org/builtin#string), tag: [string](https://godoc.org/builtin#string), tlsverify: [](#), signaturePolicy: [string](https://godoc.org/builtin#string), creds: [string](https://godoc.org/builtin#string), certDir: [string](https://godoc.org/builtin#string), compress: [bool](https://godoc.org/builtin#bool), format: [string](https://godoc.org/builtin#string), removeSignatures: [bool](https://godoc.org/builtin#bool), signBy: [string](https://godoc.org/builtin#string)) [MoreResponse](#MoreResponse)</div> -PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image, -and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior). 
+method PushImage(name: [string](https://godoc.org/builtin#string), tag: [string](https://godoc.org/builtin#string), compress: [bool](https://godoc.org/builtin#bool), format: [string](https://godoc.org/builtin#string), removeSignatures: [bool](https://godoc.org/builtin#bool), signBy: [string](https://godoc.org/builtin#string)) [MoreResponse](#MoreResponse)</div> +PushImage takes two input arguments: the name or ID of an image, the fully-qualified destination name of the image, It will return an [ImageNotFound](#ImageNotFound) error if the image cannot be found in local storage; otherwise it will return a [MoreResponse](#MoreResponse) ### <a name="ReceiveFile"></a>func ReceiveFile @@ -1013,7 +1012,7 @@ $ varlink call -m unix:/run/podman/io.podman/io.podman.RestartPod '{"name": "135 ### <a name="SearchImages"></a>func SearchImages <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> -method SearchImages(query: [string](https://godoc.org/builtin#string), limit: [](#), tlsVerify: [](#), filter: [ImageSearchFilter](#ImageSearchFilter)) [ImageSearchResult](#ImageSearchResult)</div> +method SearchImages(query: [string](https://godoc.org/builtin#string), limit: [](#), filter: [ImageSearchFilter](#ImageSearchFilter)) [ImageSearchResult](#ImageSearchResult)</div> SearchImages searches available registries for images that contain the contents of "query" in their name. If "limit" is given, limits the amount of search results per registry. @@ -1207,8 +1206,6 @@ reportWriter [string](https://godoc.org/builtin#string) runtimeArgs [[]string](#[]string) -signaturePolicyPath [string](https://godoc.org/builtin#string) - squash [bool](https://godoc.org/builtin#bool) ### <a name="BuildOptions"></a>type BuildOptions 
@@ -1908,20 +1905,12 @@ image [string](https://godoc.org/builtin#string) authfile [string](https://godoc.org/builtin#string) -certDir [string](https://godoc.org/builtin#string) - -creds [string](https://godoc.org/builtin#string) - display [bool](https://godoc.org/builtin#bool) name [string](https://godoc.org/builtin#string) pull [bool](https://godoc.org/builtin#bool) -signaturePolicyPath [string](https://godoc.org/builtin#string) - -tlsVerify [](#) - label [string](https://godoc.org/builtin#string) extraArgs [[]string](#[]string) diff --git a/cmd/podman/build.go b/cmd/podman/build.go index 24be9bb46..6e70c6540 100644 --- a/cmd/podman/build.go +++ b/cmd/podman/build.go @@ -43,7 +43,7 @@ var ( return buildCmd(&buildCommand) }, Example: `podman build . - podman build --cert-dir ~/auth --creds=username:password -t imageName -f Dockerfile.simple . + podman build --creds=username:password -t imageName -f Dockerfile.simple . podman build --layers --force-rm --tag imageName .`, } ) @@ -72,6 +72,7 @@ func init() { flags.AddFlagSet(&budFlags) flags.AddFlagSet(&layerFlags) flags.AddFlagSet(&fromAndBugFlags) + flags.MarkHidden("signature-policy") } func getDockerfiles(files []string) []string { diff --git a/cmd/podman/common.go b/cmd/podman/common.go index c0bcaa5c5..5e26d9bfd 100644 --- a/cmd/podman/common.go +++ b/cmd/podman/common.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "os" + "path/filepath" "strings" "github.com/containers/buildah" @@ -163,6 +164,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { "Attach to STDIN, STDOUT or STDERR (default [])", ) createFlags.String( + "authfile", getAuthFile(""), + "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override", + ) + createFlags.String( "blkio-weight", "", "Block IO weight (relative weight) accepts a weight value between 10 and 1000.", ) 
@@ -553,7 +558,18 @@ func getAuthFile(authfile string) string { if authfile != "" { return authfile } - return os.Getenv("REGISTRY_AUTH_FILE") + if remote { + return "" + } + authfile = os.Getenv("REGISTRY_AUTH_FILE") + if authfile != "" { + return authfile + } + runtimeDir := os.Getenv("XDG_RUNTIME_DIR") + if runtimeDir != "" { + return filepath.Join(runtimeDir, "containers/auth.json") + } + return "" } // scrubServer removes 'http://' or 'https://' from the front of the diff --git a/cmd/podman/load.go b/cmd/podman/load.go index f3bbed48f..0c41eb792 100644 --- a/cmd/podman/load.go +++ b/cmd/podman/load.go @@ -40,8 +40,11 @@ func init() { flags := loadCommand.Flags() flags.StringVarP(&loadCommand.Input, "input", "i", "", "Read from specified archive file (default: stdin)") flags.BoolVarP(&loadCommand.Quiet, "quiet", "q", false, "Suppress the output") - flags.StringVar(&loadCommand.SignaturePolicy, "signature-policy", "", "Pathname of signature policy file (not usually used)") - + // Disabled flags for the remote client + if !remote { + flags.StringVar(&loadCommand.SignaturePolicy, "signature-policy", "", "Pathname of signature policy file (not usually used)") + flags.MarkHidden("signature-policy") + } } // loadCmd gets the image/file to be loaded from the command line diff --git a/cmd/podman/login.go b/cmd/podman/login.go index 6bf148cca..eded2049f 100644 --- a/cmd/podman/login.go +++ b/cmd/podman/login.go 
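Review bot: The new lookup order in `getAuthFile` (`@@ -553,7 +558,18 @@`, cmd/podman/common.go) is undocumented, and the flag help strings elsewhere in this commit drop the "Default is ${XDG_RUNTIME_DIR}/containers/auth.json" wording. Because this file holds registry credentials, a comment above the function should state the precedence, for example `// getAuthFile returns the explicit path if given, "" for the remote client, else $REGISTRY_AUTH_FILE, else $XDG_RUNTIME_DIR/containers/auth.json, else "".` Callers now pass `getAuthFile("")` as the flag default, so both environment variables are read once when the flags are registered in `init()`; the comment should say that too. The function's doc comment, if it has one, lies outside the hunk.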
@@ -32,25 +32,30 @@ var ( return loginCmd(&loginCommand) }, Example: `podman login -u testuser -p testpassword localhost:5000 - podman login --authfile authdir/myauths.json quay.io podman login -u testuser -p testpassword localhost:5000`, } ) func init() { + if !remote { + _loginCommand.Example = fmt.Sprintf("%s\n podman login --authfile authdir/myauths.json quay.io", _loginCommand.Example) + + } loginCommand.Command = _loginCommand loginCommand.SetHelpTemplate(HelpTemplate()) loginCommand.SetUsageTemplate(UsageTemplate()) flags := loginCommand.Flags() - flags.StringVar(&loginCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") - flags.StringVar(&loginCommand.CertDir, "cert-dir", "", "Pathname of a directory containing TLS certificates and keys used to connect to the registry") flags.BoolVar(&loginCommand.GetLogin, "get-login", true, "Return the current login user for the registry") flags.StringVarP(&loginCommand.Password, "password", "p", "", "Password for registry") - flags.BoolVar(&loginCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") flags.StringVarP(&loginCommand.Username, "username", "u", "", "Username for registry") flags.BoolVar(&loginCommand.StdinPassword, "password-stdin", false, "Take the password from stdin") - + // Disabled flags for the remote client + if !remote { + flags.StringVar(&loginCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. 
Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&loginCommand.CertDir, "cert-dir", "", "Pathname of a directory containing TLS certificates and keys used to connect to the registry") + flags.BoolVar(&loginCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + } } // loginCmd uses the authentication package to store a user's authenticated credentials @@ -64,9 +69,8 @@ func loginCmd(c *cliconfig.LoginValues) error { return errors.Errorf("please specify a registry to login to") } server := registryFromFullName(scrubServer(args[0])) - authfile := getAuthFile(c.Authfile) - sc := image.GetSystemContext("", authfile, false) + sc := image.GetSystemContext("", c.Authfile, false) if c.Flag("tls-verify").Changed { sc.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify) } diff --git a/cmd/podman/logout.go b/cmd/podman/logout.go index ec581a098..5df838bba 100644 --- a/cmd/podman/logout.go +++ b/cmd/podman/logout.go 
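Review bot: `loginCmd` still evaluates `c.Flag("tls-verify").Changed` (context line in `@@ -64,9 +69,8 @@`), but the first login.go hunk now registers `tls-verify` only under `if !remote`. cobra's `Flag` returns nil for a name that was never registered, so if this path is reachable in the remote build the dereference panics. Guarding it as `if f := c.Flag("tls-verify"); f != nil && f.Changed {` avoids that and leaves TLS verification at its default. The same pattern appears in search.go, where `@@ -43,12 +43,15 @@` moves the flag behind `!remote` and `@@ -70,7 +73,7 @@` keeps the unguarded `c.Flag("tls-verify").Changed`. Both function bodies continue outside their hunks.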
@@ -24,20 +24,23 @@ var ( logoutCommand.Remote = remoteclient return logoutCmd(&logoutCommand) }, - Example: `podman logout docker.io - podman logout --authfile authdir/myauths.json docker.io + Example: `podman logout quay.io podman logout --all`, } ) func init() { + if !remote { + _logoutCommand.Example = fmt.Sprintf("%s\n podman logout --authfile authdir/myauths.json quay.io", _logoutCommand.Example) + + } logoutCommand.Command = _logoutCommand logoutCommand.SetHelpTemplate(HelpTemplate()) logoutCommand.SetUsageTemplate(UsageTemplate()) flags := logoutCommand.Flags() flags.BoolVarP(&logoutCommand.All, "all", "a", false, "Remove the cached credentials for all registries in the auth file") - flags.StringVar(&logoutCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") - + flags.StringVar(&logoutCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + markFlagHiddenForRemoteClient("authfile", flags) } // logoutCmd uses the authentication package to remove the authenticated of a registry @@ -54,9 +57,8 @@ func logoutCmd(c *cliconfig.LogoutValues) error { if len(args) == 1 { server = scrubServer(args[0]) } - authfile := getAuthFile(c.Authfile) - sc := image.GetSystemContext("", authfile, false) + sc := image.GetSystemContext("", c.Authfile, false) if c.All { if err := config.RemoveAllAuthentication(sc); err != nil { diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go index e778bafb9..ed1510a71 100644 --- a/cmd/podman/play_kube.go +++ b/cmd/podman/play_kube.go 
@@ -47,22 +47,28 @@ var ( playKubeCommand.Remote = remoteclient return playKubeCmd(&playKubeCommand) }, - Example: `podman play kube demo.yml - podman play kube --cert-dir /mycertsdir --tls-verify=true --quiet myWebPod`, + Example: `podman play kube demo.yml`, } ) func init() { + if !remote { + _playKubeCommand.Example = fmt.Sprintf("%s\n podman play kube --cert-dir /mycertsdir --tls-verify=true --quiet myWebPod", _playKubeCommand.Example) + } playKubeCommand.Command = _playKubeCommand playKubeCommand.SetHelpTemplate(HelpTemplate()) playKubeCommand.SetUsageTemplate(UsageTemplate()) flags := playKubeCommand.Flags() - flags.StringVar(&playKubeCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") - flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&playKubeCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry") flags.BoolVarP(&playKubeCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images") - flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") - flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + // Disabled flags for the remote client + if !remote { + flags.StringVar(&playKubeCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. 
Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") + flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") + flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + flags.MarkHidden("signature-policy") + } } func playKubeCmd(c *cliconfig.KubePlayValues) error { diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go index f6a5beb17..115f437d8 100644 --- a/cmd/podman/pull.go +++ b/cmd/podman/pull.go 
@@ -36,28 +36,31 @@ var ( return pullCmd(&pullCommand) }, Example: `podman pull imageName - podman pull --cert-dir image/certs --authfile temp-auths/myauths.json docker://docker.io/myrepo/finaltest podman pull fedora:latest`, } ) func init() { + + if !remote { + _pullCommand.Example = fmt.Sprintf("%s\n podman pull --cert-dir image/certs --authfile temp-auths/myauths.json docker://docker.io/myrepo/finaltest", _pullCommand.Example) + + } pullCommand.Command = _pullCommand pullCommand.SetHelpTemplate(HelpTemplate()) pullCommand.SetUsageTemplate(UsageTemplate()) flags := pullCommand.Flags() flags.BoolVar(&pullCommand.AllTags, "all-tags", false, "All tagged images in the repository will be pulled") - flags.StringVar(&pullCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&pullCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry") flags.BoolVarP(&pullCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images") - // Disabled flags for the remote client if !remote { - flags.StringVar(&pullCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pullCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pullCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&pullCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.BoolVar(&pullCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + flags.MarkHidden("signature-policy") } - } // pullCmd gets the data from the command line and calls pullImage 
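Review bot: `--creds` stays registered for every build in `init()` while `--cert-dir`, `--tls-verify` and `--authfile` sit behind `if !remote`, yet the varlink method in this commit is reduced to `PullImage(name: string)`. Unless the adapter change (pkg/adapter/runtime_remote.go, not visible on this part of the page) carries credentials some other way, a remote user who passes `--creds` gets a pull without them and no error. Either move the `flags.StringVar(&pullCommand.Creds, "creds", ...)` line into the `!remote` block next to `cert-dir`, or reject the flag explicitly on the remote path. push.go has the same shape: `--creds` is registered outside its `!remote` block while `PushImage` loses its `creds` parameter.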
@@ -138,8 +141,6 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { return nil } - authfile := getAuthFile(c.String("authfile")) - // FIXME: the default pull consults the registries.conf's search registries // while the all-tags pull does not. This behavior must be fixed in the // future and span across c/buildah, c/image and c/libpod to avoid redundant @@ -148,7 +149,7 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { // See https://bugzilla.redhat.com/show_bug.cgi?id=1701922 for background // information. if !c.Bool("all-tags") { - newImage, err := runtime.New(getContext(), imgArg, c.SignaturePolicy, authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, true, nil) + newImage, err := runtime.New(getContext(), imgArg, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, true, nil) if err != nil { return errors.Wrapf(err, "error pulling image %q", imgArg) } @@ -158,7 +159,7 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { // FIXME: all-tags should use the libpod backend instead of baking its own bread. spec := imgArg - systemContext := image.GetSystemContext("", authfile, false) + systemContext := image.GetSystemContext("", c.Authfile, false) srcRef, err := alltransports.ParseImageName(spec) if err != nil { dockerTransport := "docker://" @@ -186,7 +187,7 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { var foundIDs []string foundImage := true for _, name := range names { - newImage, err := runtime.New(getContext(), name, c.String("signature-policy"), authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, true, nil) + newImage, err := runtime.New(getContext(), name, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, true, nil) if err != nil { logrus.Errorf("error pulling image %q", name) foundImage = false diff --git a/cmd/podman/push.go b/cmd/podman/push.go index ee14b15e2..497820156 100644 --- a/cmd/podman/push.go 
+++ b/cmd/podman/push.go @@ -35,18 +35,20 @@ var ( return pushCmd(&pushCommand) }, Example: `podman push imageID docker://registry.example.com/repository:tag - podman push imageID oci-archive:/path/to/layout:image:tag - podman push --authfile temp-auths/myauths.json alpine docker://docker.io/myrepo/alpine`, + podman push imageID oci-archive:/path/to/layout:image:tag`, } ) func init() { + if !remote { + _pushCommand.Example = fmt.Sprintf("%s\n podman push --authfile temp-auths/myauths.json alpine docker://docker.io/myrepo/alpine", _pushCommand.Example) + + } + pushCommand.Command = _pushCommand pushCommand.SetHelpTemplate(HelpTemplate()) pushCommand.SetUsageTemplate(UsageTemplate()) flags := pushCommand.Flags() - flags.MarkHidden("signature-policy") - flags.StringVar(&pushCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&pushCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry") flags.StringVarP(&pushCommand.Format, "format", "f", "", "Manifest type (oci, v2s1, or v2s2) to use when pushing an image using the 'dir:' transport (default is manifest type of source)") flags.BoolVarP(&pushCommand.Quiet, "quiet", "q", false, "Don't output progress information when pushing images") 
@@ -55,10 +57,12 @@ func init() { // Disabled flags for the remote client if !remote { - flags.StringVar(&pushCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pushCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pushCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.BoolVar(&pushCommand.Compress, "compress", false, "Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type as source)") flags.StringVar(&pushCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.BoolVar(&pushCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + flags.MarkHidden("signature-policy") } } @@ -138,7 +142,5 @@ func pushCmd(c *cliconfig.PushValues) error { SignBy: signBy, } - authfile := getAuthFile(c.Authfile) - - return runtime.Push(getContext(), srcName, destName, manifestType, authfile, c.SignaturePolicy, writer, c.Compress, so, &dockerRegistryOptions, nil) + return runtime.Push(getContext(), srcName, destName, manifestType, c.Authfile, c.SignaturePolicy, writer, c.Compress, so, &dockerRegistryOptions, nil) } diff --git a/cmd/podman/run.go b/cmd/podman/run.go index 01b12d282..7d84d716b 100644 --- a/cmd/podman/run.go +++ b/cmd/podman/run.go @@ -36,6 +36,8 @@ func init() { flags.SetInterspersed(false) flags.Bool("sig-proxy", true, "Proxy received signals to the process") getCreateFlags(&runCommand.PodmanCommand) + markFlagHiddenForRemoteClient("authfile", flags) + flags.MarkHidden("signature-policy") } func runCmd(c *cliconfig.RunValues) error { 
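Review bot: In run.go's `init()`, `flags.MarkHidden("signature-policy")` discards its return value, and the `getCreateFlags` hunk in this commit adds only `authfile`, so nothing visible here shows that a `signature-policy` flag exists on this flag set. pflag's `MarkHidden` returns an error for an unknown name, in which case this line is a silent no-op. Handle the result, for example `if err := flags.MarkHidden("signature-policy"); err != nil { ... }`, using whatever reporting the package already uses in `init()`; the unchecked calls in build.go and load.go deserve the same treatment. The diffstat also lists no change to cmd/podman/create.go, so `create`, which shares `getCreateFlags`, does not get the matching `markFlagHiddenForRemoteClient("authfile", flags)` call. The `init()` body starts outside the hunk.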
diff --git a/cmd/podman/runlabel.go b/cmd/podman/runlabel.go index e87b88992..59cbc7aa4 100644 --- a/cmd/podman/runlabel.go +++ b/cmd/podman/runlabel.go @@ -45,8 +45,6 @@ func init() { runlabelCommand.SetHelpTemplate(HelpTemplate()) runlabelCommand.SetUsageTemplate(UsageTemplate()) flags := runlabelCommand.Flags() - flags.StringVar(&runlabelCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") - flags.StringVar(&runlabelCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&runlabelCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry") flags.BoolVar(&runlabelCommand.Display, "display", false, "Preview the command that the label would run") flags.BoolVar(&runlabelCommand.Replace, "replace", false, "Replace existing container with a new one from the image") 
@@ -61,10 +59,17 @@ func init() { flags.BoolP("pull", "p", false, "Pull the image if it does not exist locally prior to executing the label contents") flags.BoolVarP(&runlabelCommand.Quiet, "quiet", "q", false, "Suppress output information when installing images") - flags.StringVar(&runlabelCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") - flags.BoolVar(&runlabelCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + // Disabled flags for the remote client + if !remote { + flags.StringVar(&runlabelCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&runlabelCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") + flags.StringVar(&runlabelCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") + flags.BoolVar(&runlabelCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") - flags.MarkDeprecated("pull", "podman will pull if not found in local storage") + flags.MarkDeprecated("pull", "podman will pull if not found in local storage") + flags.MarkHidden("signature-policy") + } + markFlagHiddenForRemoteClient("authfile", flags) } // installCmd gets the data from the command line and calls installImage 
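Review bot: `flags.MarkDeprecated("pull", ...)` now sits inside `if !remote`, although the `pull` flag is still registered unconditionally by `flags.BoolP("pull", "p", ...)` just above, so the remote build loses the deprecation notice. This looks like an accidental move; the call should go back after the block. Separately, `markFlagHiddenForRemoteClient("authfile", flags)` runs after a block that registers `authfile` only when `!remote`, so in the remote build it is asked to hide a flag that does not exist. logout.go in this commit instead registers the flag unconditionally and then hides it, and using one of the two patterns throughout would make the intent clear. The helper's body is not on this page, so whether it tolerates a missing flag is unverified.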
@@ -137,8 +142,7 @@ func runlabelCmd(c *cliconfig.RunlabelValues) error { dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify) } - authfile := getAuthFile(c.Authfile) - runLabel, imageName, err := shared.GetRunlabel(label, runlabelImage, ctx, runtime, true, c.Creds, dockerRegistryOptions, authfile, c.SignaturePolicy, stdOut) + runLabel, imageName, err := shared.GetRunlabel(label, runlabelImage, ctx, runtime, true, c.Creds, dockerRegistryOptions, c.Authfile, c.SignaturePolicy, stdOut) if err != nil { return err } diff --git a/cmd/podman/search.go b/cmd/podman/search.go index b236f3055..ba04002f6 100644 --- a/cmd/podman/search.go +++ b/cmd/podman/search.go @@ -43,12 +43,15 @@ func init() { searchCommand.SetHelpTemplate(HelpTemplate()) searchCommand.SetUsageTemplate(UsageTemplate()) flags := searchCommand.Flags() - flags.StringVar(&searchCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringSliceVarP(&searchCommand.Filter, "filter", "f", []string{}, "Filter output based on conditions provided (default [])") flags.StringVar(&searchCommand.Format, "format", "", "Change the output format to a Go template") flags.IntVar(&searchCommand.Limit, "limit", 0, "Limit the number of results") flags.BoolVar(&searchCommand.NoTrunc, "no-trunc", false, "Do not truncate the output") - flags.BoolVar(&searchCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + // Disabled flags for the remote client + if !remote { + flags.StringVar(&searchCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.BoolVar(&searchCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + } } func searchCmd(c *cliconfig.SearchValues) error { 
@@ -70,7 +73,7 @@ func searchCmd(c *cliconfig.SearchValues) error { NoTrunc: c.NoTrunc, Limit: c.Limit, Filter: *filter, - Authfile: getAuthFile(c.Authfile), + Authfile: c.Authfile, } if c.Flag("tls-verify").Changed { searchOptions.InsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify) diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink index faaecdb6b..ed7b49c68 100644 --- a/cmd/podman/varlink/io.podman.varlink +++ b/cmd/podman/varlink/io.podman.varlink @@ -414,7 +414,6 @@ type BuildInfo ( remoteIntermediateCtrs: bool, reportWriter: string, runtimeArgs: []string, - signaturePolicyPath: string, squash: bool ) @@ -467,13 +466,9 @@ type PodContainerErrorData ( type Runlabel( image: string, authfile: string, - certDir: string, - creds: string, display: bool, name: string, pull: bool, - signaturePolicyPath: string, - tlsVerify: ?bool, label: string, extraArgs: []string, opts: [string]string 
@@ -759,11 +754,10 @@ method InspectImage(name: string) -> (image: string) # [ImageNotFound](#ImageNotFound) error is returned. method HistoryImage(name: string) -> (history: []ImageHistory) -# PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image, -# and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior). +# PushImage takes two input arguments: the name or ID of an image, the fully-qualified destination name of the image, # It will return an [ImageNotFound](#ImageNotFound) error if # the image cannot be found in local storage; otherwise it will return a [MoreResponse](#MoreResponse) -method PushImage(name: string, tag: string, tlsverify: ?bool, signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) -> (reply: MoreResponse) +method PushImage(name: string, tag: string, compress: bool, format: string, removeSignatures: bool, signBy: string) -> (reply: MoreResponse) # TagImage takes the name or ID of an image in local storage as well as the desired tag name. If the image cannot # be found, an [ImageNotFound](#ImageNotFound) error will be returned; otherwise, the ID of the image is returned on success. @@ -784,7 +778,7 @@ method RemoveImage(name: string, force: bool) -> (image: string) # SearchImages searches available registries for images that contain the # contents of "query" in their name. If "limit" is given, limits the amount of # search results per registry. -method SearchImages(query: string, limit: ?int, tlsVerify: ?bool, filter: ImageSearchFilter) -> (results: []ImageSearchResult) +method SearchImages(query: string, limit: ?int, filter: ImageSearchFilter) -> (results: []ImageSearchResult) # DeleteUnusedImages deletes any images not associated with a container. The IDs of the deleted images are returned # in a string array. 
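Review bot: The rewritten comment on `PushImage` says it "takes two input arguments" and ends on a dangling comma, while the method on the new side takes six (`name`, `tag`, `compress`, `format`, `removeSignatures`, `signBy`). Suggested wording: `# PushImage takes the name or ID of an image and the fully-qualified destination name of the image, plus the compress, format, removeSignatures and signBy options.` With `tlsverify`, `creds` and `certDir` removed from the signature, the comment should also say where registry credentials and TLS settings now come from (presumably the service's own configuration; the server-side handler is not visible here). The same sentence is generated into API.md and needs the same correction there.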
@@ -825,7 +819,7 @@ method ExportImage(name: string, destination: string, compress: bool, tags: []st # PullImage pulls an image from a repository to local storage. After a successful pull, the image id and logs # are returned as a [MoreResponse](#MoreResponse). This connection also will handle a WantsMores request to send # status as it occurs. -method PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: ?bool) -> (reply: MoreResponse) +method PullImage(name: string) -> (reply: MoreResponse) # CreatePod creates a new empty pod. It uses a [PodCreate](#PodCreate) type for input. # On success, the ID of the newly created pod will be returned. diff --git a/completions/bash/podman b/completions/bash/podman index e3c0c1dbf..60d5fde52 100644 --- a/completions/bash/podman +++ b/completions/bash/podman @@ -968,7 +968,7 @@ _podman_container() { export inspect kill - ls + list logs mount pause @@ -979,6 +979,7 @@ _podman_container() { restore rm run + runlabel start stats stop @@ -1145,7 +1146,6 @@ _podman_build() { --runtime-flag --security-opt --shm-size - --signature-policy -t --tag --ulimit @@ -1564,7 +1564,6 @@ _podman_pull() { --authfile --creds --cert-dir - --signature-policy " local boolean_options=" --all-tags @@ -1655,7 +1654,6 @@ _podman_push() { -h --quiet -q - --remove-signatures --tls-verify " @@ -1665,7 +1663,6 @@ _podman_push() { --cert-dir --creds --sign-by - --signature-policy " local all_options="$options_with_args $boolean_options" @@ -2366,7 +2363,6 @@ _complete_() { _podman_load() { local options_with_args=" --input -i - --signature-policy " local boolean_options=" --help @@ -2492,7 +2488,6 @@ _podman_play_kube() { --authfile --cert-dir --creds - --signature-policy " local boolean_options=" @@ -2535,7 +2530,6 @@ _podman_container_runlabel() { --cert-dir --creds --name - --signature-policy " local boolean_options=" diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index ccc8bd900..496918a84 100644 
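Review bot: In the `_podman_push` hunk, `--remove-signatures` appears to be dropped from `boolean_options`, which does not match the commit message (only signature-policy is meant to be hidden). The option is still described in docs/podman-push.1.md and still carried as `removeSignatures` by the varlink PushImage method. Unless the flag was also hidden in cmd/podman/push.go, which is not visible here, the `--remove-signatures` line should stay in the list. The other completion hunks remove only `--signature-policy`.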
--- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md @@ -36,7 +36,7 @@ Note: this information is not present in Docker image formats, so it is discarde **--authfile** *path* Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. -If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. +If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` @@ -75,7 +75,7 @@ given. **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--cgroup-parent**="" @@ -354,12 +354,6 @@ Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater tha Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. -**--signature-policy** *signaturepolicy* - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred. - **--squash** Squash all of the new image's layers (including those inherited from a base image) into a single new layer. 
@@ -378,7 +372,7 @@ Commands after the target stage will be skipped. **--tls-verify** *bool-value* -Require HTTPS and verify certificates when talking to container registries (defaults to true). +Require HTTPS and verify certificates when talking to container registries (defaults to true). (Not available for remote commands) **--ulimit**=*type*=*soft-limit*[:*hard-limit*] diff --git a/docs/podman-container-runlabel.1.md b/docs/podman-container-runlabel.1.md index 39d798804..a54d5c68e 100644 --- a/docs/podman-container-runlabel.1.md +++ b/docs/podman-container-runlabel.1.md @@ -55,7 +55,7 @@ Any additional arguments will be appended to the command. **--authfile** Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. -If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. +If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` @@ -68,7 +68,7 @@ The runlabel command will not execute if --display is specified. **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--creds** 
@@ -92,17 +92,11 @@ Suppress output information when pulling images If a container exists of the default or given name, as needed it will be stopped, deleted and a new container will be created from this image. -**--signature-policy="PATHNAME"** - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred - **--tls-verify** Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, -TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf +TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf (Not available for remote commands) ## Examples ## diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index cf36106e8..58e579605 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -40,6 +40,13 @@ error. It can even pretend to be a TTY (this is what most commandline executables expect) and pass along signals. The **-a** option can be set for each of stdin, stdout, and stderr. +**--authfile** + +Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json + +Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE +environment variable. `export REGISTRY_AUTH_FILE=path` (Not available for remote commands) + **--blkio-weight**=*0* Block IO weight (relative weight) accepts a weight value between 10 and 1000. diff --git a/docs/podman-load.1.md b/docs/podman-load.1.md index d156a7682..a3443a229 100644 --- a/docs/podman-load.1.md +++ b/docs/podman-load.1.md 
@@ -32,12 +32,6 @@ The remote client requires the use of this option. Suppress the progress output -**--signature-policy="PATHNAME"** - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred - **--help**, **-h** Print usage statement @@ -49,7 +43,7 @@ $ podman load --quiet -i fedora.tar ``` ``` -$ podman load -q --signature-policy /etc/containers/policy.json -i fedora.tar +$ podman load -q -i fedora.tar ``` ``` diff --git a/docs/podman-login.1.md b/docs/podman-login.1.md index a3fcd1eea..f96803c58 100644 --- a/docs/podman-login.1.md +++ b/docs/podman-login.1.md @@ -35,7 +35,7 @@ Username for registry **--authfile** -Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json +Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` 
@@ -47,13 +47,13 @@ Return the logged-in user for the registry. Return error if no login is found. **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--tls-verify** Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, -TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. +TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands) **--help**, **-h** diff --git a/docs/podman-logout.1.md b/docs/podman-logout.1.md index b848fcdee..b30328d5b 100644 --- a/docs/podman-logout.1.md +++ b/docs/podman-logout.1.md @@ -22,7 +22,7 @@ All the cached credentials can be removed by setting the **all** flag. **--authfile** -Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json +Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` diff --git a/docs/podman-play-kube.1.md b/docs/podman-play-kube.1.md index a38abf35a..a3a6abbe7 100644 --- a/docs/podman-play-kube.1.md +++ b/docs/podman-play-kube.1.md @@ -11,7 +11,6 @@ podman-play-kube - Create pods and containers based on Kubernetes YAML [**--cert-dir**] [**--creds**] [***-q** | **--quiet**] -[**--signature-policy**] [**--tls-verify**] kubernetes_input.yml 
@@ -29,7 +28,7 @@ Note: HostPath volume types created by play kube will be given an SELinux privat **--authfile** Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. -If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. +If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` @@ -37,7 +36,7 @@ environment variable. `export REGISTRY_AUTH_FILE=path` **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--creds** @@ -49,17 +48,11 @@ value can be entered. The password is entered without echo. Suppress output information when pulling images -**--signature-policy="PATHNAME"** - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred. - **--tls-verify** Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, -TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. +TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands) **--help**, **-h** 
diff --git a/docs/podman-pull.1.md b/docs/podman-pull.1.md index ab01bb40d..f5b6539e9 100644 --- a/docs/podman-pull.1.md +++ b/docs/podman-pull.1.md @@ -54,7 +54,7 @@ Note: When using the all-tags flag, Podman will not iterate over the search regi **--authfile** Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. -If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. +If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` @@ -62,7 +62,7 @@ environment variable. `export REGISTRY_AUTH_FILE=path` **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--creds** 
@@ -74,17 +74,11 @@ value can be entered. The password is entered without echo. Suppress output information when pulling images -**--signature-policy="PATHNAME"** - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred - **--tls-verify** Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, -TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. +TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands) **--help**, **-h** @@ -93,7 +87,7 @@ Print usage statement ## EXAMPLES ``` -$ podman pull --signature-policy /etc/containers/policy.json alpine:latest +$ podman pull alpine:latest Trying to pull registry.access.redhat.com/alpine:latest... Failed Trying to pull registry.fedoraproject.org/alpine:latest... Failed Trying to pull docker.io/library/alpine:latest...Getting image source signatures diff --git a/docs/podman-push.1.md b/docs/podman-push.1.md index 73fdd625e..ceb42fa28 100644 --- a/docs/podman-push.1.md +++ b/docs/podman-push.1.md 
@@ -47,7 +47,7 @@ Image stored in local container/storage **--authfile** Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. -If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. +If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` @@ -61,7 +61,7 @@ value can be entered. The password is entered without echo. **--cert-dir** *path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) (Not available for remote commands) **--compress** @@ -81,12 +81,6 @@ When writing the output image, suppress progress output Discard any pre-existing signatures in the image -**--signature-policy="PATHNAME"** - -Pathname of a signature policy file to use. It is not recommended that this -option be used, as the default behavior of using the system-wide default policy -(frequently */etc/containers/policy.json*) is most often preferred - **--sign-by="KEY"** Add a signature at the destination using the specified key 
@@ -95,7 +89,7 @@ Add a signature at the destination using the specified key Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, -TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. +TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. (Not available for remote commands) ## EXAMPLE diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index 1840e0f0b..0a29a9551 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -54,6 +54,13 @@ error. It can even pretend to be a TTY (this is what most commandline executables expect) and pass along signals. The **-a** option can be set for each of stdin, stdout, and stderr. +**--authfile** + +Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) + +Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE +environment variable. `export REGISTRY_AUTH_FILE=path` + **--blkio-weight**=*0* Block IO weight (relative weight) accepts a weight value between 10 and 1000. diff --git a/docs/podman-search.1.md b/docs/podman-search.1.md index 312cdae59..8d315086e 100644 --- a/docs/podman-search.1.md +++ b/docs/podman-search.1.md @@ -27,7 +27,7 @@ Note, searching without a search term will only work for registries that impleme **--authfile** -Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json +Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` 
@@ -74,7 +74,7 @@ Do not truncate the output Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used if needed. If not specified, default registries will be searched through (in /etc/containers/registries.conf), and TLS will be skipped if a default -registry is listed in the insecure registries. +registry is listed in the insecure registries. (Not available for remote commands) **--help**, **-h** diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go index e86287462..e0c0898bd 100644 --- a/pkg/adapter/runtime_remote.go +++ b/pkg/adapter/runtime_remote.go @@ -182,10 +182,7 @@ func (r *LocalRuntime) NewImageFromLocal(name string) (*ContainerImage, error) { // LoadFromArchiveReference creates an image from a local archive func (r *LocalRuntime) LoadFromArchiveReference(ctx context.Context, srcRef types.ImageReference, signaturePolicyPath string, writer io.Writer) ([]*ContainerImage, error) { var iid string - // TODO We need to find a way to leak certDir, creds, and the tlsverify into this function, normally this would - // come from cli options but we don't want want those in here either. - tlsverify := true - reply, err := iopodman.PullImage().Send(r.Conn, varlink.More, srcRef.DockerReference().String(), "", "", signaturePolicyPath, &tlsverify) + reply, err := iopodman.PullImage().Send(r.Conn, varlink.More, srcRef.DockerReference().String()) if err != nil { return nil, err } 
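Review bot: `signaturePolicyPath` is still a parameter of LoadFromArchiveReference but is no longer used, and the `tlsverify := true` this path used to force is gone. The remote pull therefore runs with whatever the server-side handler defaults to (it builds an empty `image.DockerRegistryOptions{}`), and per the man pages in this commit an unspecified setting means verification is skipped for registries listed as insecure in registries.conf. The same silent drop happens in `New` (the TLS setting and cert path in `dockeroptions`, `authfile`, `signaturePolicyPath`) and in `Push`. I would rather fail than ignore a caller's explicit setting, e.g. `if signaturePolicyPath != "" { return nil, errors.New("signature policy cannot be set through the remote client") }`, with a matching check on the registry options in `New` and `Push`. The bodies of these functions continue outside the hunks.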
@@ -217,21 +214,7 @@ func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authf if label != nil { return nil, errors.New("the remote client function does not support checking a remote image for a label") } - var ( - tlsVerify bool - tlsVerifyPtr *bool - ) - if dockeroptions.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse { - tlsVerify = true - tlsVerifyPtr = &tlsVerify - - } - if dockeroptions.DockerInsecureSkipTLSVerify == types.OptionalBoolTrue { - tlsVerify = false - tlsVerifyPtr = &tlsVerify - } - - reply, err := iopodman.PullImage().Send(r.Conn, varlink.More, name, dockeroptions.DockerCertPath, "", signaturePolicyPath, tlsVerifyPtr) + reply, err := iopodman.PullImage().Send(r.Conn, varlink.More, name) if err != nil { return nil, err } @@ -429,9 +412,8 @@ func (r *LocalRuntime) Build(ctx context.Context, c *cliconfig.BuildValues, opti Quiet: options.Quiet, RemoteIntermediateCtrs: options.RemoveIntermediateCtrs, // ReportWriter: - RuntimeArgs: options.RuntimeArgs, - SignaturePolicyPath: options.SignaturePolicyPath, - Squash: options.Squash, + RuntimeArgs: options.RuntimeArgs, + Squash: options.Squash, } // tar the file outputFile, err := ioutil.TempFile("", "varlink_tar_send") 
@@ -570,20 +552,7 @@ func (r *LocalRuntime) RemoveVolumes(ctx context.Context, c *cliconfig.VolumeRmV func (r *LocalRuntime) Push(ctx context.Context, srcName, destination, manifestMIMEType, authfile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions image.SigningOptions, dockerRegistryOptions *image.DockerRegistryOptions, additionalDockerArchiveTags []reference.NamedTagged) error { - var ( - tls *bool - tlsVerify bool - ) - if dockerRegistryOptions.DockerInsecureSkipTLSVerify == types.OptionalBoolTrue { - tlsVerify = false - tls = &tlsVerify - } - if dockerRegistryOptions.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse { - tlsVerify = true - tls = &tlsVerify - } - - reply, err := iopodman.PushImage().Send(r.Conn, varlink.More, srcName, destination, tls, signaturePolicyPath, "", dockerRegistryOptions.DockerCertPath, forceCompress, manifestMIMEType, signingOptions.RemoveSignatures, signingOptions.SignBy) + reply, err := iopodman.PushImage().Send(r.Conn, varlink.More, srcName, destination, forceCompress, manifestMIMEType, signingOptions.RemoveSignatures, signingOptions.SignBy) if err != nil { return err } diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go index 20f82a1c6..fa1a0a109 100644 --- a/pkg/varlinkapi/images.go +++ b/pkg/varlinkapi/images.go @@ -188,7 +188,6 @@ func (i *LibpodAPI) BuildImage(call iopodman.VarlinkCall, config iopodman.BuildI RemoveIntermediateCtrs: config.RemoteIntermediateCtrs, ReportWriter: &output, RuntimeArgs: config.RuntimeArgs, - SignaturePolicyPath: config.SignaturePolicyPath, Squash: config.Squash, SystemContext: &systemContext, } 
@@ -311,10 +310,9 @@ func (i *LibpodAPI) HistoryImage(call iopodman.VarlinkCall, name string) error { } // PushImage pushes an local image to registry -func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVerify *bool, signaturePolicy, creds, certDir string, compress bool, format string, removeSignatures bool, signBy string) error { +func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, compress bool, format string, removeSignatures bool, signBy string) error { var ( - registryCreds *types.DockerAuthConfig - manifestType string + manifestType string ) newImage, err := i.Runtime.ImageRuntime().NewFromLocal(name) if err != nil { @@ -324,20 +322,7 @@ func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVe if tag != "" { destname = tag } - if creds != "" { - creds, err := util.ParseRegistryCreds(creds) - if err != nil { - return err - } - registryCreds = creds - } - dockerRegistryOptions := image.DockerRegistryOptions{ - DockerRegistryCreds: registryCreds, - DockerCertPath: certDir, - } - if tlsVerify != nil { - dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*tlsVerify) - } + dockerRegistryOptions := image.DockerRegistryOptions{} if format != "" { switch format { case "oci": //nolint @@ -362,7 +347,7 @@ func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVe output := bytes.NewBuffer([]byte{}) c := make(chan error) go func() { - err := newImage.PushImageToHeuristicDestination(getContext(), destname, manifestType, "", signaturePolicy, output, compress, so, &dockerRegistryOptions, nil) + err := newImage.PushImageToHeuristicDestination(getContext(), destname, manifestType, "", "", output, compress, so, &dockerRegistryOptions, nil) c <- err close(c) }() 
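Review bot: The two bare `""` arguments now passed to `PushImageToHeuristicDestination` are easy to misread or transpose; the second replaces `signaturePolicy`, and the first is presumably the authfile. A short comment above the call would record the intent, for example `// authfile and signature policy are left empty so the server's own defaults are used`. The same applies to the empty-string arguments in PullImage's `New(...)` and `LoadFromArchiveReference(...)` calls and in ContainerRunlabel's `GetRunlabel(...)` call later in this file. PushImage's body continues outside these hunks.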
@@ -439,18 +424,14 @@ func (i *LibpodAPI) RemoveImage(call iopodman.VarlinkCall, name string, force bo // SearchImages searches all registries configured in /etc/containers/registries.conf for an image // Requires an image name and a search limit as int -func (i *LibpodAPI) SearchImages(call iopodman.VarlinkCall, query string, limit *int64, tlsVerify *bool, filter iopodman.ImageSearchFilter) error { +func (i *LibpodAPI) SearchImages(call iopodman.VarlinkCall, query string, limit *int64, filter iopodman.ImageSearchFilter) error { // Transform all arguments to proper types first argLimit := 0 - argTLSVerify := types.OptionalBoolUndefined argIsOfficial := types.OptionalBoolUndefined argIsAutomated := types.OptionalBoolUndefined if limit != nil { argLimit = int(*limit) } - if tlsVerify != nil { - argTLSVerify = types.NewOptionalBool(!*tlsVerify) - } if filter.Is_official != nil { argIsOfficial = types.NewOptionalBool(*filter.Is_official) } @@ -466,9 +447,8 @@ func (i *LibpodAPI) SearchImages(call iopodman.VarlinkCall, query string, limit } searchOptions := image.SearchOptions{ - Limit: argLimit, - Filter: sFilter, - InsecureSkipTLSVerify: argTLSVerify, + Limit: argLimit, + Filter: sFilter, } results, err := image.SearchImages(query, searchOptions) if err != nil { 
@@ -600,27 +580,11 @@ func (i *LibpodAPI) ExportImage(call iopodman.VarlinkCall, name, destination str } // PullImage pulls an image from a registry to the image store. -func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string, certDir, creds, signaturePolicy string, tlsVerify *bool) error { +func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string) error { var ( - registryCreds *types.DockerAuthConfig - imageID string + imageID string ) - if creds != "" { - creds, err := util.ParseRegistryCreds(creds) - if err != nil { - return err - } - registryCreds = creds - } - - dockerRegistryOptions := image.DockerRegistryOptions{ - DockerRegistryCreds: registryCreds, - DockerCertPath: certDir, - } - if tlsVerify != nil { - dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*tlsVerify) - } - + dockerRegistryOptions := image.DockerRegistryOptions{} so := image.SigningOptions{} if call.WantsMore() { @@ -634,14 +598,14 @@ func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string, certDir, c if err != nil { c <- errors.Wrapf(err, "error parsing %q", name) } - newImage, err := i.Runtime.ImageRuntime().LoadFromArchiveReference(getContext(), srcRef, signaturePolicy, output) + newImage, err := i.Runtime.ImageRuntime().LoadFromArchiveReference(getContext(), srcRef, "", output) if err != nil { c <- errors.Wrapf(err, "error pulling image from %q", name) } else { imageID = newImage[0].ID() } } else { - newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, signaturePolicy, "", output, &dockerRegistryOptions, so, false, nil) + newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, "", "", output, &dockerRegistryOptions, so, false, nil) if err != nil { c <- errors.Wrapf(err, "unable to pull %s", name) } else { 
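Review bot: In the archive branch of the second hunk the goroutine sends the parse error on `c` but does not return, so execution continues into `LoadFromArchiveReference(getContext(), srcRef, "", output)` with the `srcRef` from the failed parse. The commit edits that call but leaves the fall-through; adding `return` after `c <- errors.Wrapf(err, "error parsing %q", name)` would stop it. The goroutine starts above the hunk, so how `c` is closed and whether a second send could block is not visible and should be checked when making the change.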
@@ -709,18 +673,12 @@ func (i *LibpodAPI) ImageExists(call iopodman.VarlinkCall, name string) error { // ContainerRunlabel ... func (i *LibpodAPI) ContainerRunlabel(call iopodman.VarlinkCall, input iopodman.Runlabel) error { ctx := getContext() - dockerRegistryOptions := image.DockerRegistryOptions{ - DockerCertPath: input.CertDir, - } - if input.TlsVerify != nil { - dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*input.TlsVerify) - } - + dockerRegistryOptions := image.DockerRegistryOptions{} stdErr := os.Stderr stdOut := os.Stdout stdIn := os.Stdin - runLabel, imageName, err := shared.GetRunlabel(input.Label, input.Image, ctx, i.Runtime, input.Pull, input.Creds, dockerRegistryOptions, input.Authfile, input.SignaturePolicyPath, nil) + runLabel, imageName, err := shared.GetRunlabel(input.Label, input.Image, ctx, i.Runtime, input.Pull, "", dockerRegistryOptions, input.Authfile, "", nil) if err != nil { return call.ReplyErrorOccurred(err.Error()) } |
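Review bot: `input.Authfile` is still passed to `shared.GetRunlabel`, while creds, cert dir, TLS setting and signature policy are now fixed on the server side, and the `Runlabel` type in io.podman.varlink keeps its `authfile` field. That leaves a path chosen by the varlink caller being used as the credentials file on the server host, which is at odds with the man pages in this commit marking `--authfile` as not available for remote commands. If that is not intended, pass `""` here as for the other arguments and drop `authfile` from the `Runlabel` type; if it is intended, a comment saying why this one option stays caller-controlled would help. The function body continues past the hunk.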