Add tlsVerify bool to SearchImage for varlink

Cockpit wants to be able to search images on systems without tlsverify turned on. tlsverify should be an optional parameter, if not set then we default to the system defaults defined in /etc/containers/registries.conf. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
author: Daniel J Walsh <dwalsh@redhat.com> 2019-02-13 14:08:53 -0700
committer: Daniel J Walsh <dwalsh@redhat.com> 2019-02-14 14:31:20 -0500
commit: 5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327 (patch)
tree: 6296fb8d690872d374450fa5b75d583a62e67b45
parent: dd82acd8ba02be51ec5fea65584e1f7b2036d7c8 (diff)
download: podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.tar.gz
podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.tar.bz2
podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.zip
4 files changed, 46 insertions, 27 deletions
diff --git a/API.md b/API.md
index e44862c3f..5d5acf454 100755
--- a/API.md
+++ b/API.md
@@ -91,9 +91,9 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
 
 [func PausePod(name: string) string](#PausePod)
 
-[func PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: bool) string](#PullImage)
+[func PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: ?bool) string](#PullImage)
 
-[func PushImage(name: string, tag: string, tlsverify: bool, signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) MoreResponse](#PushImage)
+[func PushImage(name: string, tag: string, tlsverify: ?bool, signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) MoreResponse](#PushImage)
 
 [func ReceiveFile(path: string, delete: bool) int](#ReceiveFile)
 
@@ -107,7 +107,7 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
 
 [func RestartPod(name: string) string](#RestartPod)
 
-[func SearchImages(query: string, limit: ) ImageSearchResult](#SearchImages)
+[func SearchImages(quety: string, limit: int, tlsVerify: ?bool) ImageSearchResult](#SearchImages)
 
 [func SendFile(type: string, length: int) string](#SendFile)
 
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index dc6a25c44..84af8aa1f 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -412,7 +412,7 @@ type Runlabel(
     name: string,
     pull: bool,
     signaturePolicyPath: string,
-    tlsVerify: bool,
+    tlsVerify: ?bool,
     label: string,
     extraArgs: []string,
     opts: [string]string
@@ -658,7 +658,7 @@ method HistoryImage(name: string) -> (history: []ImageHistory)
 # and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior).
 # It will return an [ImageNotFound](#ImageNotFound) error if
 # the image cannot be found in local storage; otherwise it will return a [MoreResponse](#MoreResponse)
-method PushImage(name: string, tag: string, tlsverify: bool, signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) -> (reply: MoreResponse)
+method PushImage(name: string, tag: string, tlsverify: ?bool, signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) -> (reply: MoreResponse)
 
 # TagImage takes the name or ID of an image in local storage as well as the desired tag name.  If the image cannot
 # be found, an [ImageNotFound](#ImageNotFound) error will be returned; otherwise, the ID of the image is returned on success.
@@ -679,7 +679,7 @@ method RemoveImage(name: string, force: bool) -> (image: string)
 # SearchImages searches available registries for images that contain the
 # contents of "query" in their name. If "limit" is given, limits the amount of
 # search results per registry.
-method SearchImages(query: string, limit: ?int) -> (results: []ImageSearchResult)
+method SearchImages(query: string, limit: ?int, tlsVerify: ?bool) -> (results: []ImageSearchResult)
 
 # DeleteUnusedImages deletes any images not associated with a container.  The IDs of the deleted images are returned
 # in a string array.
@@ -726,7 +726,7 @@ method ExportImage(name: string, destination: string, compress: bool, tags: []st
 #   "id": "426866d6fa419873f97e5cbd320eeb22778244c1dfffa01c944db3114f55772e"
 # }
 # ~~~
-method PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: bool) -> (id: string)
+method PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: ?bool) -> (id: string)
 
 # CreatePod creates a new empty pod.  It uses a [PodCreate](#PodCreate) type for input.
 # On success, the ID of the newly created pod will be returned.
diff --git a/libpod/adapter/runtime_remote.go b/libpod/adapter/runtime_remote.go
index 66ff5ed51..fc6b054f9 100644
--- a/libpod/adapter/runtime_remote.go
+++ b/libpod/adapter/runtime_remote.go
@@ -163,7 +163,8 @@ func (r *LocalRuntime) NewImageFromLocal(name string) (*ContainerImage, error) {
 func (r *LocalRuntime) LoadFromArchiveReference(ctx context.Context, srcRef types.ImageReference, signaturePolicyPath string, writer io.Writer) ([]*ContainerImage, error) {
 	// TODO We need to find a way to leak certDir, creds, and the tlsverify into this function, normally this would
 	// come from cli options but we don't want want those in here either.
-	imageID, err := iopodman.PullImage().Call(r.Conn, srcRef.DockerReference().String(), "", "", signaturePolicyPath, true)
+	tlsverify := true
+	imageID, err := iopodman.PullImage().Call(r.Conn, srcRef.DockerReference().String(), "", "", signaturePolicyPath, &tlsverify)
 	if err != nil {
 		return nil, err
 	}
@@ -179,15 +180,21 @@ func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authf
 	if label != nil {
 		return nil, errors.New("the remote client function does not support checking a remote image for a label")
 	}
-	// TODO Creds needs to be figured out here too, like above
-	tlsBool := dockeroptions.DockerInsecureSkipTLSVerify
-	// Remember SkipTlsVerify is the opposite of tlsverify
-	// If tlsBook is true or undefined, we do not skip
-	SkipTlsVerify := false
-	if tlsBool == types.OptionalBoolFalse {
-		SkipTlsVerify = true
+	var (
+		tlsVerify    bool
+		tlsVerifyPtr *bool
+	)
+	if dockeroptions.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
+		tlsVerify = true
+		tlsVerifyPtr = &tlsVerify
+
+	}
+	if dockeroptions.DockerInsecureSkipTLSVerify == types.OptionalBoolTrue {
+		tlsVerify = false
+		tlsVerifyPtr = &tlsVerify
 	}
-	imageID, err := iopodman.PullImage().Call(r.Conn, name, dockeroptions.DockerCertPath, "", signaturePolicyPath, SkipTlsVerify)
+
+	imageID, err := iopodman.PullImage().Call(r.Conn, name, dockeroptions.DockerCertPath, "", signaturePolicyPath, tlsVerifyPtr)
 	if err != nil {
 		return nil, err
 	}
@@ -577,10 +584,19 @@ func (r *LocalRuntime) RemoveVolumes(ctx context.Context, c *cliconfig.VolumeRmV
 
 func (r *LocalRuntime) Push(ctx context.Context, srcName, destination, manifestMIMEType, authfile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions image.SigningOptions, dockerRegistryOptions *image.DockerRegistryOptions, additionalDockerArchiveTags []reference.NamedTagged) error {
 
-	tls := true
+	var (
+		tls       *bool
+		tlsVerify bool
+	)
 	if dockerRegistryOptions.DockerInsecureSkipTLSVerify == types.OptionalBoolTrue {
-		tls = false
+		tlsVerify = false
+		tls = &tlsVerify
 	}
+	if dockerRegistryOptions.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
+		tlsVerify = true
+		tls = &tlsVerify
+	}
+
 	reply, err := iopodman.PushImage().Send(r.Conn, varlink.More, srcName, destination, tls, signaturePolicyPath, "", dockerRegistryOptions.DockerCertPath, forceCompress, manifestMIMEType, signingOptions.RemoveSignatures, signingOptions.SignBy)
 	if err != nil {
 		return err
diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go
index 534419f6f..b3090d2dd 100644
--- a/pkg/varlinkapi/images.go
+++ b/pkg/varlinkapi/images.go
@@ -313,7 +313,7 @@ func (i *LibpodAPI) HistoryImage(call iopodman.VarlinkCall, name string) error {
 }
 
 // PushImage pushes an local image to registry
-func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVerify bool, signaturePolicy, creds, certDir string, compress bool, format string, removeSignatures bool, signBy string) error {
+func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVerify *bool, signaturePolicy, creds, certDir string, compress bool, format string, removeSignatures bool, signBy string) error {
 	var (
 		registryCreds *types.DockerAuthConfig
 		manifestType  string
@@ -337,8 +337,8 @@ func (i *LibpodAPI) PushImage(call iopodman.VarlinkCall, name, tag string, tlsVe
 		DockerRegistryCreds: registryCreds,
 		DockerCertPath:      certDir,
 	}
-	if !tlsVerify {
-		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
+	if tlsVerify != nil {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*tlsVerify)
 	}
 	if format != "" {
 		switch format {
@@ -441,8 +441,11 @@ func (i *LibpodAPI) RemoveImage(call iopodman.VarlinkCall, name string, force bo
 
 // SearchImages searches all registries configured in /etc/containers/registries.conf for an image
 // Requires an image name and a search limit as int
-func (i *LibpodAPI) SearchImages(call iopodman.VarlinkCall, query string, limit *int64) error {
+func (i *LibpodAPI) SearchImages(call iopodman.VarlinkCall, query string, limit *int64, tlsVerify *bool) error {
 	sc := image.GetSystemContext("", "", false)
+	if tlsVerify != nil {
+		sc.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*tlsVerify)
+	}
 	registries, err := sysreg.GetRegistries()
 	if err != nil {
 		return call.ReplyErrorOccurred(fmt.Sprintf("unable to get system registries: %q", err))
@@ -583,7 +586,7 @@ func (i *LibpodAPI) ExportImage(call iopodman.VarlinkCall, name, destination str
 }
 
 // PullImage pulls an image from a registry to the image store.
-func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string, certDir, creds, signaturePolicy string, tlsVerify bool) error {
+func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string, certDir, creds, signaturePolicy string, tlsVerify *bool) error {
 	var (
 		registryCreds *types.DockerAuthConfig
 		imageID       string
@@ -600,8 +603,8 @@ func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string, certDir, c
 		DockerRegistryCreds: registryCreds,
 		DockerCertPath:      certDir,
 	}
-	if tlsVerify {
-		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!tlsVerify)
+	if tlsVerify != nil {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*tlsVerify)
 	}
 
 	so := image.SigningOptions{}
@@ -644,8 +647,8 @@ func (i *LibpodAPI) ContainerRunlabel(call iopodman.VarlinkCall, input iopodman.
 	dockerRegistryOptions := image.DockerRegistryOptions{
 		DockerCertPath: input.CertDir,
 	}
-	if !input.TlsVerify {
-		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
+	if input.TlsVerify != nil {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!*input.TlsVerify)
 	}
 
 	stdErr := os.Stderr
author	Daniel J Walsh <dwalsh@redhat.com>	2019-02-13 14:08:53 -0700
committer	Daniel J Walsh <dwalsh@redhat.com>	2019-02-14 14:31:20 -0500
commit	5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327 (patch)
tree	6296fb8d690872d374450fa5b75d583a62e67b45
parent	dd82acd8ba02be51ec5fea65584e1f7b2036d7c8 (diff)
download	podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.tar.gz podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.tar.bz2 podman-5f7d4ee73fdf53f912d7e31c24daf5f4c8a93327.zip