summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSascha Grunert <sgrunert@redhat.com>2021-07-20 12:20:43 +0200
committerSascha Grunert <sgrunert@redhat.com>2021-07-30 14:53:55 +0200
commit732ece6ae264ea04a8ab8775275ce75432a35fcb (patch)
tree9001e6eb494b137e788ad076fe202bf3fad647ca
parenta5de8314188d7376f645d8ac6c6f7a6f685b6a45 (diff)
downloadpodman-732ece6ae264ea04a8ab8775275ce75432a35fcb.tar.gz
podman-732ece6ae264ea04a8ab8775275ce75432a35fcb.tar.bz2
podman-732ece6ae264ea04a8ab8775275ce75432a35fcb.zip
Add `--accept-repositories` integration tests
This adds the integration tests for the repository or namespaced registry feature introduced in c/common. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
-rw-r--r--cmd/podman/login.go1
-rw-r--r--cmd/podman/logout.go1
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--test/e2e/login_logout_test.go223
-rw-r--r--vendor/github.com/containers/common/libimage/copier.go12
-rw-r--r--vendor/github.com/containers/common/libimage/image.go8
-rw-r--r--vendor/github.com/containers/common/libimage/import.go2
-rw-r--r--vendor/github.com/containers/common/libimage/manifests/manifests.go18
-rw-r--r--vendor/github.com/containers/common/libimage/pull.go80
-rw-r--r--vendor/github.com/containers/common/libimage/search.go4
-rw-r--r--vendor/github.com/containers/common/pkg/auth/auth.go153
-rw-r--r--vendor/github.com/containers/common/pkg/auth/cli.go20
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go11
-rw-r--r--vendor/github.com/containers/common/pkg/config/pull_policy.go8
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/types.go2
-rw-r--r--vendor/modules.txt2
17 files changed, 462 insertions, 89 deletions
diff --git a/cmd/podman/login.go b/cmd/podman/login.go
index a8dadf5cd..7e853b38d 100644
--- a/cmd/podman/login.go
+++ b/cmd/podman/login.go
@@ -52,6 +52,7 @@ func init() {
loginOptions.Stdin = os.Stdin
loginOptions.Stdout = os.Stdout
loginOptions.AcceptUnspecifiedRegistry = true
+ loginOptions.AcceptRepositories = true
}
// Implementation of podman-login.
diff --git a/cmd/podman/logout.go b/cmd/podman/logout.go
index 0ee134635..f44b13a1f 100644
--- a/cmd/podman/logout.go
+++ b/cmd/podman/logout.go
@@ -43,6 +43,7 @@ func init() {
logoutOptions.Stdout = os.Stdout
logoutOptions.AcceptUnspecifiedRegistry = true
+ logoutOptions.AcceptRepositories = true
}
// Implementation of podman-logout.
diff --git a/go.mod b/go.mod
index 3586ee74e..adda76349 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.1
github.com/containers/buildah v1.21.1-0.20210721171232-54cafea4c933
- github.com/containers/common v0.41.1-0.20210721172332-291287e9d060
+ github.com/containers/common v0.41.1-0.20210730122913-cd6c45fd20e3
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.14.0
github.com/containers/ocicrypt v1.1.2
diff --git a/go.sum b/go.sum
index 7049fbcdb..dddbfeb3c 100644
--- a/go.sum
+++ b/go.sum
@@ -242,8 +242,8 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD
github.com/containers/buildah v1.21.1-0.20210721171232-54cafea4c933 h1:jqO3hDypBoKM5be+fVcqGHOpX2fOiQy2DFEeb/VKpsk=
github.com/containers/buildah v1.21.1-0.20210721171232-54cafea4c933/go.mod h1:9gspFNeUJxIK72n1IMIKIHmtcePEZQsv0tjo+1LqkCo=
github.com/containers/common v0.41.1-0.20210721112610-c95d2f794edf/go.mod h1:Ba5YVNCnyX6xDtg1JqEHa2EMVMW5UbHmIyEqsEwpeGE=
-github.com/containers/common v0.41.1-0.20210721172332-291287e9d060 h1:HgGff2MeEKfYoKp2WQFl9xdsgP7KV8rr/1JZRIuPXmg=
-github.com/containers/common v0.41.1-0.20210721172332-291287e9d060/go.mod h1:Ba5YVNCnyX6xDtg1JqEHa2EMVMW5UbHmIyEqsEwpeGE=
+github.com/containers/common v0.41.1-0.20210730122913-cd6c45fd20e3 h1:lHOZ+G5B7aP2YPsbDo4DtALFAuFG5PWH3Pv5zL2bC08=
+github.com/containers/common v0.41.1-0.20210730122913-cd6c45fd20e3/go.mod h1:UzAAjDsxwd4qkN1mgsk6aspduBY5bspxvKgwQElaBwk=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.13.2/go.mod h1:GkWursKDlDcUIT7L7vZf70tADvZCk/Ga0wgS0MuF0ag=
diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go
index 6088d991f..7ad1fc1f2 100644
--- a/test/e2e/login_logout_test.go
+++ b/test/e2e/login_logout_test.go
@@ -97,6 +97,24 @@ var _ = Describe("Podman login and logout", func() {
os.RemoveAll(certDirPath)
})
+ readAuthInfo := func(filePath string) map[string]interface{} {
+ authBytes, err := ioutil.ReadFile(filePath)
+ Expect(err).To(BeNil())
+
+ var authInfo map[string]interface{}
+ err = json.Unmarshal(authBytes, &authInfo)
+ Expect(err).To(BeNil())
+ fmt.Println(authInfo)
+
+ const authsKey = "auths"
+ Expect(authInfo).To(HaveKey(authsKey))
+
+ auths, ok := authInfo[authsKey].(map[string]interface{})
+ Expect(ok).To(BeTrue())
+
+ return auths
+ }
+
It("podman login and logout", func() {
session := podmanTest.Podman([]string{"login", "-u", "podmantest", "-p", "test", server})
session.WaitWithDefaultTimeout()
@@ -151,10 +169,7 @@ var _ = Describe("Podman login and logout", func() {
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
- authInfo, _ := ioutil.ReadFile(authFile)
- var info map[string]interface{}
- json.Unmarshal(authInfo, &info)
- fmt.Println(info)
+ readAuthInfo(authFile)
// push should fail with nonexistent authfile
session = podmanTest.Podman([]string{"push", "--authfile", "/tmp/nonexistent", ALPINE, testImg})
@@ -284,4 +299,204 @@ var _ = Describe("Podman login and logout", func() {
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
})
+
+ It("podman login and logout with repository", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+
+ testRepository := server + "/podmantest"
+ session := podmanTest.Podman([]string{
+ "login",
+ "-u", "podmantest",
+ "-p", "test",
+ "--authfile", authFile,
+ testRepository,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ authInfo := readAuthInfo(authFile)
+ Expect(authInfo).To(HaveKey(testRepository))
+
+ session = podmanTest.Podman([]string{
+ "logout",
+ "--authfile", authFile,
+ testRepository,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ authInfo = readAuthInfo(authFile)
+ Expect(authInfo).NotTo(HaveKey(testRepository))
+ })
+
+ It("podman login and logout with repository and specified image", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+
+ testTarget := server + "/podmantest/test-alpine"
+ session := podmanTest.Podman([]string{
+ "login",
+ "-u", "podmantest",
+ "-p", "test",
+ "--authfile", authFile,
+ testTarget,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ authInfo := readAuthInfo(authFile)
+ Expect(authInfo).To(HaveKey(testTarget))
+
+ session = podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, testTarget,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ })
+
+ It("podman login and logout with repository with fallback", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+
+ testRepos := []string{
+ server + "/podmantest",
+ server,
+ }
+ for _, testRepo := range testRepos {
+ session := podmanTest.Podman([]string{
+ "login",
+ "-u", "podmantest",
+ "-p", "test",
+ "--authfile", authFile,
+ testRepo,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ }
+
+ authInfo := readAuthInfo(authFile)
+ Expect(authInfo).To(HaveKey(testRepos[0]))
+ Expect(authInfo).To(HaveKey(testRepos[1]))
+
+ session := podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, testRepos[0] + "/test-image-alpine",
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{
+ "logout",
+ "--authfile", authFile,
+ testRepos[0],
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, testRepos[0] + "/test-image-alpine",
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{
+ "logout",
+ "--authfile", authFile,
+ testRepos[1],
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ authInfo = readAuthInfo(authFile)
+ Expect(authInfo).NotTo(HaveKey(testRepos[0]))
+ Expect(authInfo).NotTo(HaveKey(testRepos[1]))
+ })
+
+ It("podman login with repository invalid arguments", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+
+ for _, invalidArg := range []string{
+ "https://" + server + "/podmantest",
+ server + "/podmantest/image:latest",
+ } {
+ session := podmanTest.Podman([]string{
+ "login",
+ "-u", "podmantest",
+ "-p", "test",
+ "--authfile", authFile,
+ invalidArg,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitWithError())
+ }
+ })
+
+ It("podman login and logout with repository push with invalid auth.json credentials", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+ // only `server` contains the correct login data
+ err := ioutil.WriteFile(authFile, []byte(fmt.Sprintf(`{"auths": {
+ "%s/podmantest": { "auth": "cG9kbWFudGVzdDp3cm9uZw==" },
+ "%s": { "auth": "cG9kbWFudGVzdDp0ZXN0" }
+ }}`, server, server)), 0644)
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, server + "/podmantest/test-image",
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ExitWithError())
+
+ session = podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, server + "/test-image",
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(Exit(0))
+ })
+
+ It("podman login and logout with repository pull with wrong auth.json credentials", func() {
+ authFile := filepath.Join(podmanTest.TempDir, "auth.json")
+
+ testTarget := server + "/podmantest/test-alpine"
+ session := podmanTest.Podman([]string{
+ "login",
+ "-u", "podmantest",
+ "-p", "test",
+ "--authfile", authFile,
+ testTarget,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ session = podmanTest.Podman([]string{
+ "push",
+ "--authfile", authFile,
+ ALPINE, testTarget,
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ // only `server + /podmantest` and `server` have the correct login data
+ err := ioutil.WriteFile(authFile, []byte(fmt.Sprintf(`{"auths": {
+ "%s/podmantest/test-alpine": { "auth": "cG9kbWFudGVzdDp3cm9uZw==" },
+ "%s/podmantest": { "auth": "cG9kbWFudGVzdDp0ZXN0" },
+ "%s": { "auth": "cG9kbWFudGVzdDp0ZXN0" }
+ }}`, server, server, server)), 0644)
+ Expect(err).To(BeNil())
+
+ session = podmanTest.Podman([]string{
+ "pull",
+ "--authfile", authFile,
+ server + "/podmantest/test-alpine",
+ })
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ExitWithError())
+ })
})
diff --git a/vendor/github.com/containers/common/libimage/copier.go b/vendor/github.com/containers/common/libimage/copier.go
index 34cc0d45d..a44f098ad 100644
--- a/vendor/github.com/containers/common/libimage/copier.go
+++ b/vendor/github.com/containers/common/libimage/copier.go
@@ -342,7 +342,7 @@ func (c *copier) copy(ctx context.Context, source, destination types.ImageRefere
}
}
- var copiedManifest []byte
+ var returnManifest []byte
f := func() error {
opts := c.imageCopyOptions
if sourceInsecure != nil {
@@ -354,11 +354,13 @@ func (c *copier) copy(ctx context.Context, source, destination types.ImageRefere
opts.DestinationCtx.DockerInsecureSkipTLSVerify = value
}
- var err error
- copiedManifest, err = copy.Image(ctx, c.policyContext, destination, source, &opts)
+ copiedManifest, err := copy.Image(ctx, c.policyContext, destination, source, &opts)
+ if err == nil {
+ returnManifest = copiedManifest
+ }
return err
}
- return copiedManifest, retry.RetryIfNecessary(ctx, f, &c.retryOptions)
+ return returnManifest, retry.RetryIfNecessary(ctx, f, &c.retryOptions)
}
// checkRegistrySourcesAllows checks the $BUILD_REGISTRY_SOURCES environment
@@ -369,7 +371,7 @@ func (c *copier) copy(ctx context.Context, source, destination types.ImageRefere
// If set, the insecure return value indicates whether the registry is set to
// be insecure.
//
-// NOTE: this functionality is required by Buildah.
+// NOTE: this functionality is required by Buildah for OpenShift.
func checkRegistrySourcesAllows(dest types.ImageReference) (insecure *bool, err error) {
registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES")
if !ok || registrySources == "" {
diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go
index 5b060a185..c47e63339 100644
--- a/vendor/github.com/containers/common/libimage/image.go
+++ b/vendor/github.com/containers/common/libimage/image.go
@@ -836,9 +836,9 @@ func (i *Image) Manifest(ctx context.Context) (rawManifest []byte, mimeType stri
return src.GetManifest(ctx, nil)
}
-// getImageDigest creates an image object and uses the hex value of the digest as the image ID
-// for parsing the store reference
-func getImageDigest(ctx context.Context, src types.ImageReference, sys *types.SystemContext) (string, error) {
+// getImageID creates an image object and uses the hex value of the config
+// blob's digest (if it has one) as the image ID for parsing the store reference
+func getImageID(ctx context.Context, src types.ImageReference, sys *types.SystemContext) (string, error) {
newImg, err := src.NewImage(ctx, sys)
if err != nil {
return "", err
@@ -852,5 +852,5 @@ func getImageDigest(ctx context.Context, src types.ImageReference, sys *types.Sy
if err = imageDigest.Validate(); err != nil {
return "", errors.Wrapf(err, "error getting config info")
}
- return "@" + imageDigest.Hex(), nil
+ return "@" + imageDigest.Encoded(), nil
}
diff --git a/vendor/github.com/containers/common/libimage/import.go b/vendor/github.com/containers/common/libimage/import.go
index 9926aaec7..bcfb4e129 100644
--- a/vendor/github.com/containers/common/libimage/import.go
+++ b/vendor/github.com/containers/common/libimage/import.go
@@ -86,7 +86,7 @@ func (r *Runtime) Import(ctx context.Context, path string, options *ImportOption
return "", err
}
- id, err := getImageDigest(ctx, srcRef, r.systemContextCopy())
+ id, err := getImageID(ctx, srcRef, r.systemContextCopy())
if err != nil {
return "", err
}
diff --git a/vendor/github.com/containers/common/libimage/manifests/manifests.go b/vendor/github.com/containers/common/libimage/manifests/manifests.go
index 875c2948d..81b5343c0 100644
--- a/vendor/github.com/containers/common/libimage/manifests/manifests.go
+++ b/vendor/github.com/containers/common/libimage/manifests/manifests.go
@@ -18,6 +18,7 @@ import (
"github.com/containers/image/v5/transports/alltransports"
"github.com/containers/image/v5/types"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/lockfile"
digest "github.com/opencontainers/go-digest"
v1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/pkg/errors"
@@ -395,3 +396,20 @@ func (l *list) Remove(instanceDigest digest.Digest) error {
}
return err
}
+
+// LockerForImage returns a Locker for a given image record. It's recommended
+// that processes which use LoadFromImage() to load a list from an image and
+// then use that list's SaveToImage() method to save a modified version of the
+// list to that image record use this lock to avoid accidentally wiping out
+// changes that another process is also attempting to make.
+func LockerForImage(store storage.Store, image string) (lockfile.Locker, error) {
+ img, err := store.Image(image)
+ if err != nil {
+ return nil, errors.Wrapf(err, "locating image %q for locating lock", image)
+ }
+ d := digest.NewDigestFromEncoded(digest.Canonical, img.ID)
+ if err := d.Validate(); err != nil {
+ return nil, errors.Wrapf(err, "coercing image ID for %q into a digest", image)
+ }
+ return store.GetDigestLock(d)
+}
diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go
index 1a6ad1ce2..97347178a 100644
--- a/vendor/github.com/containers/common/libimage/pull.go
+++ b/vendor/github.com/containers/common/libimage/pull.go
@@ -12,6 +12,7 @@ import (
dockerArchiveTransport "github.com/containers/image/v5/docker/archive"
dockerDaemonTransport "github.com/containers/image/v5/docker/daemon"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/manifest"
ociArchiveTransport "github.com/containers/image/v5/oci/archive"
ociTransport "github.com/containers/image/v5/oci/layout"
"github.com/containers/image/v5/pkg/shortnames"
@@ -19,6 +20,7 @@ import (
"github.com/containers/image/v5/transports/alltransports"
"github.com/containers/image/v5/types"
"github.com/containers/storage"
+ digest "github.com/opencontainers/go-digest"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -192,19 +194,19 @@ func (r *Runtime) copyFromDefault(ctx context.Context, ref types.ImageReference,
imageName = storageName
case ociArchiveTransport.Transport.Name():
- manifest, err := ociArchiveTransport.LoadManifestDescriptor(ref)
+ manifestDescriptor, err := ociArchiveTransport.LoadManifestDescriptor(ref)
if err != nil {
return nil, err
}
- // if index.json has no reference name, compute the image digest instead
- if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" {
- storageName, err = getImageDigest(ctx, ref, nil)
+ // if index.json has no reference name, compute the image ID instead
+ if manifestDescriptor.Annotations == nil || manifestDescriptor.Annotations["org.opencontainers.image.ref.name"] == "" {
+ storageName, err = getImageID(ctx, ref, nil)
if err != nil {
return nil, err
}
imageName = "sha256:" + storageName[1:]
} else {
- storageName = manifest.Annotations["org.opencontainers.image.ref.name"]
+ storageName = manifestDescriptor.Annotations["org.opencontainers.image.ref.name"]
named, err := NormalizeName(storageName)
if err != nil {
return nil, err
@@ -248,7 +250,7 @@ func (r *Runtime) storageReferencesReferencesFromArchiveReader(ctx context.Conte
var imageNames []string
if len(destNames) == 0 {
- destName, err := getImageDigest(ctx, readerRef, &r.systemContext)
+ destName, err := getImageID(ctx, readerRef, &r.systemContext)
if err != nil {
return nil, nil, err
}
@@ -316,8 +318,8 @@ func (r *Runtime) copyFromDockerArchiveReaderReference(ctx context.Context, read
}
// copyFromRegistry pulls the specified, possibly unqualified, name from a
-// registry. On successful pull it returns the used fully-qualified name that
-// can later be used to look up the image in the local containers storage.
+// registry. On successful pull it returns the ID of the image in local
+// storage.
//
// If options.All is set, all tags from the specified registry will be pulled.
func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference, inputName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) {
@@ -337,7 +339,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference
return nil, err
}
- pulledTags := []string{}
+ pulledIDs := []string{}
for _, tag := range tags {
select { // Let's be gentle with Podman remote.
case <-ctx.Done():
@@ -353,15 +355,54 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference
if err != nil {
return nil, err
}
- pulledTags = append(pulledTags, pulled...)
+ pulledIDs = append(pulledIDs, pulled...)
}
- return pulledTags, nil
+ return pulledIDs, nil
+}
+
+// imageIDsForManifest() parses the manifest of the copied image and then looks
+// up the IDs of the matching image. There's a small slice of time, between
+// when we copy the image into local storage and when we go to look for it
+// using the name that we gave it when we copied it, when the name we wanted to
+// assign to the image could have been moved, but the image's ID will remain
+// the same until it is deleted.
+func (r *Runtime) imagesIDsForManifest(manifestBytes []byte, sys *types.SystemContext) ([]string, error) {
+ var imageDigest digest.Digest
+ manifestType := manifest.GuessMIMEType(manifestBytes)
+ if manifest.MIMETypeIsMultiImage(manifestType) {
+ list, err := manifest.ListFromBlob(manifestBytes, manifestType)
+ if err != nil {
+ return nil, errors.Wrapf(err, "parsing manifest list")
+ }
+ d, err := list.ChooseInstance(sys)
+ if err != nil {
+ return nil, errors.Wrapf(err, "choosing instance from manifest list")
+ }
+ imageDigest = d
+ } else {
+ d, err := manifest.Digest(manifestBytes)
+ if err != nil {
+ return nil, errors.Wrapf(err, "digesting manifest")
+ }
+ imageDigest = d
+ }
+ var results []string
+ images, err := r.store.ImagesByDigest(imageDigest)
+ if err != nil {
+ return nil, errors.Wrapf(err, "listing images by manifest digest")
+ }
+ for _, image := range images {
+ results = append(results, image.ID)
+ }
+ if len(results) == 0 {
+ return nil, errors.Wrapf(storage.ErrImageUnknown, "identifying new image by manifest digest")
+ }
+ return results, nil
}
// copySingleImageFromRegistry pulls the specified, possibly unqualified, name
-// from a registry. On successful pull it returns the used fully-qualified
-// name that can later be used to look up the image in the local containers
+// from a registry. On successful pull it returns the ID of the image in local
// storage.
func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo
// Sanity check.
@@ -375,7 +416,7 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
err error
)
- // Always check if there's a local image. If, we should use it's
+ // Always check if there's a local image. If so, we should use its
// resolved name for pulling. Assume we're doing a `pull foo`.
// If there's already a local image "localhost/foo", then we should
// attempt pulling that instead of doing the full short-name dance.
@@ -454,7 +495,7 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
}
}
- // If we found a local image, we should use it's locally resolved name
+ // If we found a local image, we should use its locally resolved name
// (see containers/buildah/issues/2904). An exception is if a custom
// platform is specified (e.g., `--arch=arm64`). In that case, we need
// to pessimistically pull the image since some images declare wrong
@@ -462,7 +503,8 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
// containers/podman/issues/10682).
//
// In other words: multi-arch support can only be as good as the images
- // in the wild.
+ // in the wild, so we shouldn't break things for our users by trying to
+ // insist that they make sense.
if localImage != nil && !customPlatform {
if imageName != resolvedImageName {
logrus.Debugf("Image %s resolved to local image %s which will be used for pulling", imageName, resolvedImageName)
@@ -541,7 +583,8 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
return nil, err
}
}
- if _, err := c.copy(ctx, srcRef, destRef); err != nil {
+ var manifestBytes []byte
+ if manifestBytes, err = c.copy(ctx, srcRef, destRef); err != nil {
logrus.Debugf("Error pulling candidate %s: %v", candidateString, err)
pullErrors = append(pullErrors, err)
continue
@@ -554,6 +597,9 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
}
logrus.Debugf("Pulled candidate %s successfully", candidateString)
+ if ids, err := r.imagesIDsForManifest(manifestBytes, sys); err == nil {
+ return ids, nil
+ }
return []string{candidate.Value.String()}, nil
}
diff --git a/vendor/github.com/containers/common/libimage/search.go b/vendor/github.com/containers/common/libimage/search.go
index 4d1b842e7..df29bc7da 100644
--- a/vendor/github.com/containers/common/libimage/search.go
+++ b/vendor/github.com/containers/common/libimage/search.go
@@ -185,6 +185,10 @@ func (r *Runtime) searchImageInRegistry(ctx context.Context, term, registry stri
sys.DockerInsecureSkipTLSVerify = options.InsecureSkipTLSVerify
}
+ if options.Authfile != "" {
+ sys.AuthFilePath = options.Authfile
+ }
+
if options.ListTags {
results, err := searchRepositoryTags(ctx, sys, registry, term, options)
if err != nil {
diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go
index d2e75c1f7..093da0299 100644
--- a/vendor/github.com/containers/common/pkg/auth/auth.go
+++ b/vendor/github.com/containers/common/pkg/auth/auth.go
@@ -9,6 +9,7 @@ import (
"strings"
"github.com/containers/image/v5/docker"
+ "github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/pkg/docker/config"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/types"
@@ -69,30 +70,50 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
systemContext = systemContextWithOptions(systemContext, opts.AuthFile, opts.CertDir)
var (
- server string
- err error
+ authConfig types.DockerAuthConfig
+ key, registry string
+ ref reference.Named
+ err error
)
- if len(args) > 1 {
- return errors.New("login accepts only one registry to login to")
- }
- if len(args) == 0 {
+ l := len(args)
+ switch l {
+ case 0:
if !opts.AcceptUnspecifiedRegistry {
return errors.New("please provide a registry to login to")
}
- if server, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
+ if key, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
return err
}
- logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", server)
- } else {
- server = getRegistryName(args[0])
+ registry = key
+ logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", key)
+
+ case 1:
+ key, registry, ref, err = parseRegistryArgument(args[0], opts.AcceptRepositories)
+ if err != nil {
+ return err
+ }
+
+ default:
+ return errors.New("login accepts only one registry to login to")
+
}
- authConfig, err := config.GetCredentials(systemContext, server)
- if err != nil {
- return errors.Wrap(err, "reading auth file")
+
+ if ref != nil {
+ authConfig, err = config.GetCredentialsForRef(systemContext, ref)
+ if err != nil {
+ return errors.Wrap(err, "get credentials for repository")
+ }
+ } else {
+ // nolint: staticcheck
+ authConfig, err = config.GetCredentials(systemContext, registry)
+ if err != nil {
+ return errors.Wrap(err, "get credentials")
+ }
}
+
if opts.GetLoginSet {
if authConfig.Username == "" {
- return errors.Errorf("not logged into %s", server)
+ return errors.Errorf("not logged into %s", key)
}
fmt.Fprintf(opts.Stdout, "%s\n", authConfig.Username)
return nil
@@ -119,9 +140,9 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
// If no username and no password is specified, try to use existing ones.
if opts.Username == "" && password == "" && authConfig.Username != "" && authConfig.Password != "" {
- fmt.Println("Authenticating with existing credentials...")
- if err := docker.CheckAuth(ctx, systemContext, authConfig.Username, authConfig.Password, server); err == nil {
- fmt.Fprintln(opts.Stdout, "Existing credentials are valid. Already logged in to", server)
+ fmt.Fprintf(opts.Stdout, "Authenticating with existing credentials for %s\n", key)
+ if err := docker.CheckAuth(ctx, systemContext, authConfig.Username, authConfig.Password, registry); err == nil {
+ fmt.Fprintf(opts.Stdout, "Existing credentials are valid. Already logged in to %s\n", registry)
return nil
}
fmt.Fprintln(opts.Stdout, "Existing credentials are invalid, please enter valid username and password")
@@ -132,9 +153,9 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
return errors.Wrap(err, "getting username and password")
}
- if err = docker.CheckAuth(ctx, systemContext, username, password, server); err == nil {
+ if err = docker.CheckAuth(ctx, systemContext, username, password, registry); err == nil {
// Write the new credentials to the authfile
- desc, err := config.SetCredentials(systemContext, server, username, password)
+ desc, err := config.SetCredentials(systemContext, key, username, password)
if err != nil {
return err
}
@@ -147,10 +168,45 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
return nil
}
if unauthorized, ok := err.(docker.ErrUnauthorizedForCredentials); ok {
- logrus.Debugf("error logging into %q: %v", server, unauthorized)
- return errors.Errorf("error logging into %q: invalid username/password", server)
+ logrus.Debugf("error logging into %q: %v", key, unauthorized)
+ return errors.Errorf("error logging into %q: invalid username/password", key)
+ }
+ return errors.Wrapf(err, "authenticating creds for %q", key)
+}
+
+// parseRegistryArgument verifies the provided arg depending if we accept
+// repositories or not.
+func parseRegistryArgument(arg string, acceptRepositories bool) (key, registry string, maybeRef reference.Named, err error) {
+ if !acceptRepositories {
+ registry = getRegistryName(arg)
+ key = registry
+ return key, registry, maybeRef, nil
+ }
+
+ key = trimScheme(arg)
+ if key != arg {
+ return key, registry, nil, errors.New("credentials key has https[s]:// prefix")
}
- return errors.Wrapf(err, "authenticating creds for %q", server)
+
+ registry = getRegistryName(key)
+ if registry == key {
+ // We cannot parse a reference from a registry, so we stop here
+ return key, registry, nil, nil
+ }
+
+ ref, parseErr := reference.ParseNamed(key)
+ if parseErr != nil {
+ return key, registry, nil, errors.Wrapf(parseErr, "parse reference from %q", key)
+ }
+
+ if !reference.IsNameOnly(ref) {
+ return key, registry, nil, errors.Errorf("reference %q contains tag or digest", ref.String())
+ }
+
+ maybeRef = ref
+ registry = reference.Domain(ref)
+
+ return key, registry, maybeRef, nil
}
// getRegistryName scrubs and parses the input to get the server name
@@ -158,13 +214,21 @@ func getRegistryName(server string) string {
// removes 'http://' or 'https://' from the front of the
// server/registry string if either is there. This will be mostly used
// for user input from 'Buildah login' and 'Buildah logout'.
- server = strings.TrimPrefix(strings.TrimPrefix(server, "https://"), "http://")
+ server = trimScheme(server)
// gets the registry from the input. If the input is of the form
// quay.io/myuser/myimage, it will parse it and just return quay.io
split := strings.Split(server, "/")
return split[0]
}
+// trimScheme removes the HTTP(s) scheme from the provided repository.
+func trimScheme(repository string) string {
+ // removes 'http://' or 'https://' from the front of the
+ // server/registry string if either is there. This will be mostly used
+ // for user input from 'Buildah login' and 'Buildah logout'.
+ return strings.TrimPrefix(strings.TrimPrefix(repository, "https://"), "http://")
+}
+
// getUserAndPass gets the username and password from STDIN if not given
// using the -u and -p flags. If the username prompt is left empty, the
// displayed userFromAuthFile will be used instead.
@@ -209,8 +273,9 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri
systemContext = systemContextWithOptions(systemContext, opts.AuthFile, "")
var (
- server string
- err error
+ key, registry string
+ ref reference.Named
+ err error
)
if len(args) > 1 {
return errors.New("logout accepts only one registry to logout from")
@@ -219,16 +284,20 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri
if !opts.AcceptUnspecifiedRegistry {
return errors.New("please provide a registry to logout from")
}
- if server, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
+ if key, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
return err
}
- logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", server)
+ registry = key
+ logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", key)
}
if len(args) != 0 {
if opts.All {
return errors.New("--all takes no arguments")
}
- server = getRegistryName(args[0])
+ key, registry, ref, err = parseRegistryArgument(args[0], opts.AcceptRepositories)
+ if err != nil {
+ return err
+ }
}
if opts.All {
@@ -239,24 +308,34 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri
return nil
}
- err = config.RemoveAuthentication(systemContext, server)
+ err = config.RemoveAuthentication(systemContext, key)
switch errors.Cause(err) {
case nil:
- fmt.Fprintf(opts.Stdout, "Removed login credentials for %s\n", server)
+ fmt.Fprintf(opts.Stdout, "Removed login credentials for %s\n", key)
return nil
case config.ErrNotLoggedIn:
- authConfig, err := config.GetCredentials(systemContext, server)
- if err != nil {
- return errors.Wrap(err, "reading auth file")
+ var authConfig types.DockerAuthConfig
+ if ref != nil {
+ authConfig, err = config.GetCredentialsForRef(systemContext, ref)
+ if err != nil {
+ return errors.Wrap(err, "get credentials for repository")
+ }
+ } else {
+ // nolint: staticcheck
+ authConfig, err = config.GetCredentials(systemContext, registry)
+ if err != nil {
+ return errors.Wrap(err, "get credentials")
+ }
}
- authInvalid := docker.CheckAuth(context.Background(), systemContext, authConfig.Username, authConfig.Password, server)
+
+ authInvalid := docker.CheckAuth(context.Background(), systemContext, authConfig.Username, authConfig.Password, registry)
if authConfig.Username != "" && authConfig.Password != "" && authInvalid == nil {
- fmt.Printf("Not logged into %s with current tool. Existing credentials were established via docker login. Please use docker logout instead.\n", server)
+ fmt.Printf("Not logged into %s with current tool. Existing credentials were established via docker login. Please use docker logout instead.\n", key)
return nil
}
- return errors.Errorf("Not logged into %s\n", server)
+ return errors.Errorf("Not logged into %s\n", key)
default:
- return errors.Wrapf(err, "logging out of %q", server)
+ return errors.Wrapf(err, "logging out of %q", key)
}
}
diff --git a/vendor/github.com/containers/common/pkg/auth/cli.go b/vendor/github.com/containers/common/pkg/auth/cli.go
index 5a7c1137c..7266bf48b 100644
--- a/vendor/github.com/containers/common/pkg/auth/cli.go
+++ b/vendor/github.com/containers/common/pkg/auth/cli.go
@@ -14,13 +14,14 @@ type LoginOptions struct {
// CLI flags managed by the FlagSet returned by GetLoginFlags
// Callers that use GetLoginFlags should not need to touch these values at all; callers that use
// other CLI frameworks should set them based on user input.
- AuthFile string
- CertDir string
- Password string
- Username string
- StdinPassword bool
- GetLoginSet bool
- Verbose bool // set to true for verbose output
+ AuthFile string
+ CertDir string
+ Password string
+ Username string
+ StdinPassword bool
+ GetLoginSet bool
+ Verbose bool // set to true for verbose output
+ AcceptRepositories bool // set to true to allow namespaces or repositories rather than just registries
// Options caller can set
Stdin io.Reader // set to os.Stdin
Stdout io.Writer // set to os.Stdout
@@ -32,8 +33,9 @@ type LogoutOptions struct {
// CLI flags managed by the FlagSet returned by GetLogoutFlags
// Callers that use GetLogoutFlags should not need to touch these values at all; callers that use
// other CLI frameworks should set them based on user input.
- AuthFile string
- All bool
+ AuthFile string
+ All bool
+ AcceptRepositories bool // set to true to allow namespaces or repositories rather than just registries
// Options caller can set
Stdout io.Writer // set to os.Stdout
AcceptUnspecifiedRegistry bool // set to true if allows logout with unspecified registry
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 84876026d..008cfb642 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -637,9 +637,14 @@ func (c *Config) CheckCgroupsAndAdjustConfig() {
session := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
hasSession := session != ""
- if hasSession && strings.HasPrefix(session, "unix:path=") {
- _, err := os.Stat(strings.TrimPrefix(session, "unix:path="))
- hasSession = err == nil
+ if hasSession {
+ for _, part := range strings.Split(session, ",") {
+ if strings.HasPrefix(part, "unix:path=") {
+ _, err := os.Stat(strings.TrimPrefix(part, "unix:path="))
+ hasSession = err == nil
+ break
+ }
+ }
}
if !hasSession && unshare.GetRootlessUID() != 0 {
diff --git a/vendor/github.com/containers/common/pkg/config/pull_policy.go b/vendor/github.com/containers/common/pkg/config/pull_policy.go
index 7c32dd660..8c1f0ec29 100644
--- a/vendor/github.com/containers/common/pkg/config/pull_policy.go
+++ b/vendor/github.com/containers/common/pkg/config/pull_policy.go
@@ -76,13 +76,13 @@ func (p PullPolicy) Validate() error {
// * "never" <-> PullPolicyNever
func ParsePullPolicy(s string) (PullPolicy, error) {
switch s {
- case "always":
+ case "always", "Always":
return PullPolicyAlways, nil
- case "missing", "ifnotpresent", "":
+ case "missing", "Missing", "ifnotpresent", "IfNotPresent", "":
return PullPolicyMissing, nil
- case "newer", "ifnewer":
+ case "newer", "Newer", "ifnewer", "IfNewer":
return PullPolicyNewer, nil
- case "never":
+ case "never", "Never":
return PullPolicyNever, nil
default:
return PullPolicyUnsupported, errors.Errorf("unsupported pull policy %q", s)
diff --git a/vendor/github.com/containers/common/pkg/seccomp/types.go b/vendor/github.com/containers/common/pkg/seccomp/types.go
index 36712458a..07751f729 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/types.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/types.go
@@ -7,7 +7,7 @@ package seccomp
// Seccomp represents the config for a seccomp profile for syscall restriction.
type Seccomp struct {
DefaultAction Action `json:"defaultAction"`
- DefaultErrnoRet *uint `json:"defaultErrnoRet"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
// Architectures is kept to maintain backward compatibility with the old
// seccomp profile.
Architectures []Arch `json:"architectures,omitempty"`
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d5fbd6c96..b6537b82f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/overlay
github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/util
-# github.com/containers/common v0.41.1-0.20210721172332-291287e9d060
+# github.com/containers/common v0.41.1-0.20210730122913-cd6c45fd20e3
github.com/containers/common/libimage
github.com/containers/common/libimage/manifests
github.com/containers/common/pkg/apparmor