author | baude <bbaude@redhat.com> | 2018-05-09 12:04:28 -0500 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-10 14:56:56 +0000 |
commit | 0e58ec74747ac7fbb0dccd364765b83b212657c9 (patch) | |
tree | 4d123eb30ce8b7ef3651d38b96fb03f75e505178 | |
parent | a74107b506857b35c0ca9455177c309cd440a5aa (diff) | |
podman push should honor registries.conf
Like podman pull, when you push an image, podman should check
if the registry is listed as insecure and, if so, it should default to
--tls-verify=false unless the user overrides this.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #738
Approved by: mheon
-rw-r--r-- | cmd/podman/push.go | 7 | ||||
-rw-r--r-- | cmd/podman/save.go | 2 | ||||
-rw-r--r-- | libpod/image/image.go | 20 | ||||
-rw-r--r-- | pkg/varlinkapi/images.go | 4 |
4 files changed, 27 insertions, 6 deletions
diff --git a/cmd/podman/push.go b/cmd/podman/push.go index dc1894ebb..272c49e32 100644 --- a/cmd/podman/push.go +++ b/cmd/podman/push.go @@ -80,6 +80,7 @@ func pushCmd(c *cli.Context) error { var ( registryCreds *types.DockerAuthConfig destName string + forceSecure bool ) args := c.Args() @@ -143,6 +144,10 @@ func pushCmd(c *cli.Context) error { } } + if c.IsSet("tls-verify") { + forceSecure = c.Bool("tls-verify") + } + dockerRegistryOptions := image.DockerRegistryOptions{ DockerRegistryCreds: registryCreds, DockerCertPath: certPath, @@ -160,5 +165,5 @@ func pushCmd(c *cli.Context) error { } //return runtime.PushImage(srcName, destName, options) - return newImage.PushImage(getContext(), destName, manifestType, c.String("authfile"), c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions) + return newImage.PushImage(getContext(), destName, manifestType, c.String("authfile"), c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions, forceSecure) } diff --git a/cmd/podman/save.go b/cmd/podman/save.go index ce82b588a..c3e87f145 100644 --- a/cmd/podman/save.go +++ b/cmd/podman/save.go @@ -121,7 +121,7 @@ func saveCmd(c *cli.Context) error { if err != nil { return err } - if err := newImage.PushImage(getContext(), dest, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}); err != nil { + if err := newImage.PushImage(getContext(), dest, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}, false); err != nil { if err2 := os.Remove(output); err2 != nil { logrus.Errorf("error deleting %q: %v", output, err) } diff --git a/libpod/image/image.go b/libpod/image/image.go index db0fdab90..b7d9200ec 100644 --- a/libpod/image/image.go +++ b/libpod/image/image.go 
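Review bot: In the second cmd/podman/push.go hunk, `forceSecure` stays false both when `--tls-verify` is absent and when it is given as false, and nothing in the hunk says that this is intended. A comment above the `c.IsSet("tls-verify")` check would record it, for example `// forceSecure is true only for an explicit --tls-verify=true; otherwise registries.conf may disable verification for an insecure registry.` The `dockerRegistryOptions` literal that follows continues outside the hunk, so whether it also derives a skip-verify setting from the same flag is not visible here and is worth checking against this logic. pushCmd starts and ends outside the hunk.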
@@ -26,7 +26,9 @@ import ( "github.com/projectatomic/libpod/libpod/common" "github.com/projectatomic/libpod/libpod/driver" "github.com/projectatomic/libpod/pkg/inspect" + "github.com/projectatomic/libpod/pkg/registries" "github.com/projectatomic/libpod/pkg/util" + "github.com/sirupsen/logrus" ) // imageConversions is used to cache image "cast" types @@ -426,7 +428,7 @@ func (i *Image) UntagImage(tag string) error { } // PushImage pushes the given image to a location described by the given path -func (i *Image) PushImage(ctx context.Context, destination, manifestMIMEType, authFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions) error { +func (i *Image) PushImage(ctx context.Context, destination, manifestMIMEType, authFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions, forceSecure bool) error { if destination == "" { return errors.Wrapf(syscall.EINVAL, "destination image name must be specified") } 
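Review bot: The doc comment above PushImage in the `@@ -426,7 +428,7 @@` hunk still describes only the destination, although the new trailing `forceSecure` parameter decides whether registries.conf may switch off TLS verification for the push. Extend it, for example `// forceSecure, when true, stops PushImage from disabling TLS verification for a destination registry that registries.conf lists as insecure.` The signature now has ten positional parameters, two of them bare booleans (`forceCompress`, `forceSecure`), so call sites are easy to get wrong. The function body lies outside this hunk.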
@@ -458,9 +460,23 @@ func (i *Image) PushImage(ctx context.Context, destination, manifestMIMEType, au if err != nil { return errors.Wrapf(err, "error getting source imageReference for %q", i.InputName) } - + insecureRegistries, err := registries.GetInsecureRegistries() + if err != nil { + return err + } copyOptions := getCopyOptions(writer, signaturePolicyPath, nil, dockerRegistryOptions, signingOptions, authFile, manifestMIMEType, forceCompress) + if strings.HasPrefix(DockerTransport, dest.Transport().Name()) { + imgRef, err := reference.Parse(dest.DockerReference().String()) + if err != nil { + return err + } + registry := reference.Domain(imgRef.(reference.Named)) + if util.StringInSlice(registry, insecureRegistries) && !forceSecure { + copyOptions.DestinationCtx.DockerInsecureSkipTLSVerify = true + logrus.Info(fmt.Sprintf("%s is an insecure registry; pushing with tls-verify=false", registry)) + } + } // Copy the image to the remote destination err = cp.Image(ctx, policyContext, dest, src, copyOptions) if err != nil { diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go index 16bc46107..f488a10fe 100644 --- a/pkg/varlinkapi/images.go +++ b/pkg/varlinkapi/images.go @@ -137,7 +137,7 @@ func (i *LibpodAPI) PushImage(call ioprojectatomicpodman.VarlinkCall, name, tag so := image.SigningOptions{} - if err := newImage.PushImage(getContext(), destname, "", "", "", nil, false, so, &dockerRegistryOptions); err != nil { + if err := newImage.PushImage(getContext(), destname, "", "", "", nil, false, so, &dockerRegistryOptions, false); err != nil { return call.ReplyErrorOccurred(err.Error()) } return call.ReplyPushImage(newImage.ID()) 
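Review bot: `registries.GetInsecureRegistries()` is called before the transport check, so every PushImage caller now depends on registries.conf being readable, including the save and export paths this commit also touches, which presumably write to archive or directory destinations; the lookup belongs inside the docker-transport branch and can be skipped when `forceSecure` is set. Inside that branch `imgRef.(reference.Named)` is an unchecked type assertion that panics if the parsed reference is not a named one, and both new `return err` paths drop the context the surrounding code adds with `errors.Wrapf`. The downgrade to `DockerInsecureSkipTLSVerify = true` is reported with `logrus.Info`, which is likely hidden at the default log level, so an image and any registry credentials can leave without certificate verification and nothing is shown to the user; `logrus.Warnf` would make it visible. PushImage begins and ends outside this hunk.

```go
copyOptions := getCopyOptions(writer, signaturePolicyPath, nil, dockerRegistryOptions, signingOptions, authFile, manifestMIMEType, forceCompress)
if strings.HasPrefix(DockerTransport, dest.Transport().Name()) && !forceSecure {
	// Only a registry push consults registries.conf.
	insecureRegistries, err := registries.GetInsecureRegistries()
	if err != nil {
		return errors.Wrapf(err, "error reading insecure registries for push to %q", destination)
	}
	imgRef, err := reference.Parse(dest.DockerReference().String())
	if err != nil {
		return errors.Wrapf(err, "error parsing destination reference %q", destination)
	}
	named, ok := imgRef.(reference.Named)
	if !ok {
		return errors.Errorf("destination %q has no registry name", destination)
	}
	registry := reference.Domain(named)
	if util.StringInSlice(registry, insecureRegistries) {
		copyOptions.DestinationCtx.DockerInsecureSkipTLSVerify = true
		logrus.Warnf("%s is an insecure registry; pushing with tls-verify=false", registry)
	}
}
// … unchanged: cp.Image call and its error handling …
```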
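Review bot: The hard-coded `false` for `forceSecure` in the varlink PushImage call (`@@ -137,7 +137,7 @@`) means a push through the API to a registry listed as insecure always drops TLS verification, with no way for the API client to insist on it. The handler's signature is truncated in the hunk header, so it is not visible whether the call carries a TLS-verify argument; if it does, pass it through here instead of the literal. The same literal appears in the ExportImage hunk and in cmd/podman/save.go, where naming the argument at the call site, e.g. `/* forceSecure */ false`, would make the bare boolean readable.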
@@ -272,7 +272,7 @@ func (i *LibpodAPI) ExportImage(call ioprojectatomicpodman.VarlinkCall, name, de if err != nil { return call.ReplyImageNotFound(name) } - if err := newImage.PushImage(getContext(), destination, "", "", "", nil, compress, image.SigningOptions{}, &image.DockerRegistryOptions{}); err != nil { + if err := newImage.PushImage(getContext(), destination, "", "", "", nil, compress, image.SigningOptions{}, &image.DockerRegistryOptions{}, false); err != nil { return call.ReplyErrorOccurred(err.Error()) } return call.ReplyExportImage(newImage.ID()) |