summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-03-09 05:11:24 -0800
committerGitHub <noreply@github.com>2019-03-09 05:11:24 -0800
commitd95f97a63e03b4602ffeb80acb746fa6dfa6f7a1 (patch)
tree819864632da9517fdd5221531a28cb706f2a6355
parent68a984a9376d6258913ae130d52d6037339e87bf (diff)
parent2f3875d0098093fa740d871b81e91a8533fe9878 (diff)
downloadpodman-d95f97a63e03b4602ffeb80acb746fa6dfa6f7a1.tar.gz
podman-d95f97a63e03b4602ffeb80acb746fa6dfa6f7a1.tar.bz2
podman-d95f97a63e03b4602ffeb80acb746fa6dfa6f7a1.zip
Merge pull request #2516 from rhatdan/secrets
Move secrets package to buildah
-rw-r--r--libpod/container_internal_linux.go2
-rw-r--r--pkg/secrets/secrets.go323
-rw-r--r--vendor.conf2
-rw-r--r--vendor/github.com/containers/buildah/buildah.go2
-rw-r--r--vendor/github.com/containers/buildah/new.go77
-rw-r--r--vendor/github.com/containers/buildah/pkg/secrets/secrets.go12
-rw-r--r--vendor/github.com/containers/buildah/pull.go63
-rw-r--r--vendor/github.com/containers/buildah/util/util.go18
-rw-r--r--vendor/github.com/containers/buildah/vendor.conf2
9 files changed, 76 insertions, 425 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 5f9e5a20c..f50092550 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -18,13 +18,13 @@ import (
cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
+ "github.com/containers/buildah/pkg/secrets"
crioAnnotations "github.com/containers/libpod/pkg/annotations"
"github.com/containers/libpod/pkg/apparmor"
"github.com/containers/libpod/pkg/criu"
"github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
- "github.com/containers/libpod/pkg/secrets"
"github.com/containers/storage/pkg/idtools"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
deleted file mode 100644
index 3b64f8952..000000000
--- a/pkg/secrets/secrets.go
+++ /dev/null
@@ -1,323 +0,0 @@
-package secrets
-
-import (
- "bufio"
- "io/ioutil"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/containers/libpod/pkg/rootless"
- "github.com/containers/storage/pkg/idtools"
- rspec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux/label"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
-)
-
-var (
- // DefaultMountsFile holds the default mount paths in the form
- // "host_path:container_path"
- DefaultMountsFile = "/usr/share/containers/mounts.conf"
- // OverrideMountsFile holds the default mount paths in the form
- // "host_path:container_path" overridden by the user
- OverrideMountsFile = "/etc/containers/mounts.conf"
- // UserOverrideMountsFile holds the default mount paths in the form
- // "host_path:container_path" overridden by the rootless user
- UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
-)
-
-// secretData stores the name of the file and the content read from it
-type secretData struct {
- name string
- data []byte
-}
-
-// saveTo saves secret data to given directory
-func (s secretData) saveTo(dir string) error {
- path := filepath.Join(dir, s.name)
- if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
- return err
- }
- return ioutil.WriteFile(path, s.data, 0700)
-}
-
-func readAll(root, prefix string) ([]secretData, error) {
- path := filepath.Join(root, prefix)
-
- data := []secretData{}
-
- files, err := ioutil.ReadDir(path)
- if err != nil {
- if os.IsNotExist(err) {
- return data, nil
- }
-
- return nil, err
- }
-
- for _, f := range files {
- fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
- if err != nil {
- // If the file did not exist, might be a dangling symlink
- // Ignore the error
- if os.IsNotExist(err) {
- continue
- }
- return nil, err
- }
- data = append(data, fileData...)
- }
-
- return data, nil
-}
-
-func readFile(root, name string) ([]secretData, error) {
- path := filepath.Join(root, name)
-
- s, err := os.Stat(path)
- if err != nil {
- return nil, err
- }
-
- if s.IsDir() {
- dirData, err := readAll(root, name)
- if err != nil {
- return nil, err
- }
- return dirData, nil
- }
- bytes, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, err
- }
- return []secretData{{name: name, data: bytes}}, nil
-}
-
-func getHostSecretData(hostDir string) ([]secretData, error) {
- var allSecrets []secretData
- hostSecrets, err := readAll(hostDir, "")
- if err != nil {
- return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
- }
- return append(allSecrets, hostSecrets...), nil
-}
-
-func getMounts(filePath string) []string {
- file, err := os.Open(filePath)
- if err != nil {
- // This is expected on most systems
- logrus.Debugf("file %q not found, skipping...", filePath)
- return nil
- }
- defer file.Close()
- scanner := bufio.NewScanner(file)
- if err = scanner.Err(); err != nil {
- logrus.Errorf("error reading file %q, %v skipping...", filePath, err)
- return nil
- }
- var mounts []string
- for scanner.Scan() {
- mounts = append(mounts, scanner.Text())
- }
- return mounts
-}
-
-// getHostAndCtrDir separates the host:container paths
-func getMountsMap(path string) (string, string, error) {
- arr := strings.SplitN(path, ":", 2)
- if len(arr) == 2 {
- return arr[0], arr[1], nil
- }
- return "", "", errors.Errorf("unable to get host and container dir")
-}
-
-// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
-func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount {
- return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0)
-}
-
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int) []rspec.Mount {
- var (
- secretMounts []rspec.Mount
- mountFiles []string
- )
- // Add secrets from paths given in the mounts.conf files
- // mountFile will have a value if the hidden --default-mounts-file flag is set
- // Note for testing purposes only
- if mountFile == "" {
- mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
- if rootless.IsRootless() {
- mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
- _, err := os.Stat(UserOverrideMountsFile)
- if err != nil && os.IsNotExist(err) {
- os.MkdirAll(filepath.Dir(UserOverrideMountsFile), 0755)
- if f, err := os.Create(UserOverrideMountsFile); err != nil {
- logrus.Warnf("could not create file %s: %v", UserOverrideMountsFile, err)
- } else {
- f.Close()
- }
- }
- }
- } else {
- mountFiles = append(mountFiles, mountFile)
- }
- for _, file := range mountFiles {
- if _, err := os.Stat(file); err == nil {
- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
- if err != nil {
- logrus.Warnf("error mounting secrets, skipping: %v", err)
- }
- secretMounts = mounts
- break
- }
- }
-
- // Add FIPS mode secret if /etc/system-fips exists on the host
- _, err := os.Stat("/etc/system-fips")
- if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
- logrus.Errorf("error adding FIPS mode secret to container: %v", err)
- }
- } else if os.IsNotExist(err) {
- logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
- } else {
- logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
- }
- return secretMounts
-}
-
-func rchown(chowndir string, uid, gid int) error {
- return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
- return os.Lchown(filePath, uid, gid)
- })
-}
-
-// addSecretsFromMountsFile copies the contents of host directory to container directory
-// and returns a list of mounts
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
- var mounts []rspec.Mount
- defaultMountsPaths := getMounts(filePath)
- for _, path := range defaultMountsPaths {
- hostDir, ctrDir, err := getMountsMap(path)
- if err != nil {
- return nil, err
- }
- // skip if the hostDir path doesn't exist
- if _, err = os.Stat(hostDir); err != nil {
- if os.IsNotExist(err) {
- logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
- continue
- }
- return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
- }
-
- ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
-
- // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
- _, err = os.Stat(ctrDirOnHost)
- if os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
- return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
- }
- hostDir, err = resolveSymbolicLink(hostDir)
- if err != nil {
- return nil, err
- }
-
- data, err := getHostSecretData(hostDir)
- if err != nil {
- return nil, errors.Wrapf(err, "getting host secret data failed")
- }
- for _, s := range data {
- if err := s.saveTo(ctrDirOnHost); err != nil {
- return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
- }
- }
-
- err = label.Relabel(ctrDirOnHost, mountLabel, false)
- if err != nil {
- return nil, errors.Wrap(err, "error applying correct labels")
- }
- if uid != 0 || gid != 0 {
- if err := rchown(ctrDirOnHost, uid, gid); err != nil {
- return nil, err
- }
- }
- } else if err != nil {
- return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
- }
-
- m := rspec.Mount{
- Source: filepath.Join(mountPrefix, ctrDir),
- Destination: ctrDir,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
- }
-
- mounts = append(mounts, m)
- }
- return mounts, nil
-}
-
-// addFIPSModeSecret creates /run/secrets/system-fips in the container
-// root filesystem if /etc/system-fips exists on hosts.
-// This enables the container to be FIPS compliant and run openssl in
-// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
- secretsDir := "/run/secrets"
- ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
- if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
- return errors.Wrapf(err, "making container directory on host failed")
- }
- if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
- return errors.Wrap(err, "error applying correct labels")
- }
- }
- fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
- // In the event of restart, it is possible for the FIPS mode file to already exist
- if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
- file, err := os.Create(fipsFile)
- if err != nil {
- return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
- }
- defer file.Close()
- }
-
- if !mountExists(*mounts, secretsDir) {
- m := rspec.Mount{
- Source: filepath.Join(mountPrefix, secretsDir),
- Destination: secretsDir,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
- }
- *mounts = append(*mounts, m)
- }
-
- return nil
-}
-
-// mountExists checks if a mount already exists in the spec
-func mountExists(mounts []rspec.Mount, dest string) bool {
- for _, mount := range mounts {
- if mount.Destination == dest {
- return true
- }
- }
- return false
-}
-
-// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
-// path; if not, returns the original path.
-func resolveSymbolicLink(path string) (string, error) {
- info, err := os.Lstat(path)
- if err != nil {
- return "", err
- }
- if info.Mode()&os.ModeSymlink != os.ModeSymlink {
- return path, nil
- }
- return filepath.EvalSymlinks(path)
-}
diff --git a/vendor.conf b/vendor.conf
index f739c76f4..e7aec5e35 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -93,7 +93,7 @@ k8s.io/apimachinery kubernetes-1.10.13-beta.0 https://github.com/kubernetes/apim
k8s.io/client-go kubernetes-1.10.13-beta.0 https://github.com/kubernetes/client-go
github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
github.com/varlink/go 3ac79db6fd6aec70924193b090962f92985fe199
-github.com/containers/buildah v1.7.1
+github.com/containers/buildah 11dd2197dfffedb40687de1d667e6c9fb0708de9
# TODO: Gotty has not been updated since 2012. Can we find replacement?
github.com/Nvveen/Gotty cd527374f1e5bff4938207604a14f2e38a9cf512
# do not go beyond the below commit as the next one requires a more recent
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index cca80a308..8f5364632 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -26,7 +26,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.7.1"
+ Version = "1.8-dev"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index 768cdd0c6..262c90220 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -22,27 +22,23 @@ const (
// BaseImageFakeName is the "name" of a source image which we interpret
// as "no image".
BaseImageFakeName = imagebuilder.NoBaseImageSpecifier
-
- // minimumTruncatedIDLength is the minimum length of an identifier that
- // we'll accept as possibly being a truncated image ID.
- minimumTruncatedIDLength = 3
)
-func pullAndFindImage(ctx context.Context, store storage.Store, transport string, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
+func pullAndFindImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
pullOptions := PullOptions{
ReportWriter: options.ReportWriter,
Store: store,
SystemContext: options.SystemContext,
BlobDirectory: options.PullBlobDirectory,
}
- ref, err := pullImage(ctx, store, transport, imageName, pullOptions, sc)
+ ref, err := pullImage(ctx, store, srcRef, pullOptions, sc)
if err != nil {
- logrus.Debugf("error pulling image %q: %v", imageName, err)
+ logrus.Debugf("error pulling image %q: %v", transports.ImageName(srcRef), err)
return nil, nil, err
}
img, err := is.Transport.GetStoreImage(store, ref)
if err != nil {
- logrus.Debugf("error reading pulled image %q: %v", imageName, err)
+ logrus.Debugf("error reading pulled image %q: %v", transports.ImageName(srcRef), err)
return nil, nil, errors.Wrapf(err, "error locating image %q in local storage", transports.ImageName(ref))
}
return img, ref, nil
@@ -112,56 +108,45 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
failures := []failure{}
for _, image := range candidates {
- var err error
- if len(image) >= minimumTruncatedIDLength {
- if img, err := store.Image(image); err == nil && img != nil && strings.HasPrefix(img.ID, image) {
- ref, err := is.Transport.ParseStoreReference(store, img.ID)
- if err != nil {
- return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
- }
- return ref, transport, img, nil
- }
- }
-
- if options.PullPolicy == PullAlways {
- pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext)
+ if transport == "" {
+ img, err := store.Image(image)
if err != nil {
- logrus.Debugf("unable to pull and read image %q: %v", image, err)
+ logrus.Debugf("error looking up known-local image %q: %v", image, err)
failures = append(failures, failure{resolvedImageName: image, err: err})
continue
}
- return pulledReference, transport, pulledImg, nil
+ ref, err := is.Transport.ParseStoreReference(store, img.ID)
+ if err != nil {
+ return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
+ }
+ return ref, transport, img, nil
}
- srcRef, err := alltransports.ParseImageName(image)
+ trans := transport
+ if transport != util.DefaultTransport {
+ trans = trans + ":"
+ }
+ srcRef, err := alltransports.ParseImageName(trans + image)
if err != nil {
- if transport == "" {
- logrus.Debugf("error parsing image name %q: %v", image, err)
- failures = append(failures, failure{
- resolvedImageName: image,
- err: errors.Wrapf(err, "error parsing image name"),
- })
- continue
- }
- logrus.Debugf("error parsing image name %q as given, trying with transport %q: %v", image, transport, err)
+ logrus.Debugf("error parsing image name %q: %v", trans+image, err)
+ failures = append(failures, failure{
+ resolvedImageName: image,
+ err: errors.Wrapf(err, "error parsing attempted image name %q", trans+image),
+ })
+ continue
+ }
- trans := transport
- if transport != util.DefaultTransport {
- trans = trans + ":"
- }
- srcRef2, err := alltransports.ParseImageName(trans + image)
+ if options.PullPolicy == PullAlways {
+ pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
if err != nil {
- logrus.Debugf("error parsing image name %q: %v", transport+image, err)
- failures = append(failures, failure{
- resolvedImageName: image,
- err: errors.Wrapf(err, "error parsing attempted image name %q", transport+image),
- })
+ logrus.Debugf("unable to pull and read image %q: %v", image, err)
+ failures = append(failures, failure{resolvedImageName: image, err: err})
continue
}
- srcRef = srcRef2
+ return pulledReference, transport, pulledImg, nil
}
- destImage, err := localImageNameForReference(ctx, store, srcRef, options.FromImage)
+ destImage, err := localImageNameForReference(ctx, store, srcRef)
if err != nil {
return nil, "", nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
}
@@ -187,7 +172,7 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
continue
}
- pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext)
+ pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
if err != nil {
logrus.Debugf("unable to pull and read image %q: %v", image, err)
failures = append(failures, failure{resolvedImageName: image, err: err})
diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
index 242953609..3b64f8952 100644
--- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
+++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
@@ -8,6 +8,7 @@ import (
"strings"
"github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/storage/pkg/idtools"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
return errors.Wrapf(err, "making container directory on host failed")
}
+ if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+ return errors.Wrap(err, "error applying correct labels")
+ }
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
// In the event of restart, it is possible for the FIPS mode file to already exist
@@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
- Source: ctrDirOnHost,
+ Source: filepath.Join(mountPrefix, secretsDir),
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go
index 363cf5ce2..d3c9870af 100644
--- a/vendor/github.com/containers/buildah/pull.go
+++ b/vendor/github.com/containers/buildah/pull.go
@@ -19,10 +19,9 @@ import (
"github.com/containers/image/signature"
is "github.com/containers/image/storage"
"github.com/containers/image/transports"
- "github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
"github.com/containers/storage"
- "github.com/hashicorp/go-multierror"
+ multierror "github.com/hashicorp/go-multierror"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -52,15 +51,14 @@ type PullOptions struct {
AllTags bool
}
-func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference, spec string) (string, error) {
+func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference) (string, error) {
if srcRef == nil {
return "", errors.Errorf("reference to image is empty")
}
- split := strings.SplitN(spec, ":", 2)
- file := split[len(split)-1]
var name string
switch srcRef.Transport().Name() {
case dockerarchive.Transport.Name():
+ file := srcRef.StringWithinTransport()
tarSource, err := tarfile.NewSourceFromFile(file)
if err != nil {
return "", errors.Wrapf(err, "error opening tarfile %q as a source image", file)
@@ -104,14 +102,15 @@ func localImageNameForReference(ctx context.Context, store storage.Store, srcRef
}
case directory.Transport.Name():
// supports pull from a directory
- name = split[1]
+ name = srcRef.StringWithinTransport()
// remove leading "/"
if name[:1] == "/" {
name = name[1:]
}
case oci.Transport.Name():
// supports pull from a directory
- name = split[1]
+ split := strings.SplitN(srcRef.StringWithinTransport(), ":", 2)
+ name = split[0]
// remove leading "/"
if name[:1] == "/" {
name = name[1:]
@@ -175,21 +174,29 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error {
return errors.New("Non-docker transport is not supported, for --all-tags pulling")
}
- spec := transport + storageRef.DockerReference().Name()
- storageRef, err = alltransports.ParseImageName(spec)
+ repo := reference.TrimNamed(storageRef.DockerReference())
+ dockerRef, err := docker.NewReference(reference.TagNameOnly(storageRef.DockerReference()))
if err != nil {
- return errors.Wrapf(err, "error getting repository tags")
+ return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", storageRef.DockerReference().String())
}
- tags, err := docker.GetRepositoryTags(ctx, systemContext, storageRef)
+ tags, err := docker.GetRepositoryTags(ctx, systemContext, dockerRef)
if err != nil {
return errors.Wrapf(err, "error getting repository tags")
}
for _, tag := range tags {
- name := spec + ":" + tag
+ tagged, err := reference.WithTag(repo, tag)
+ if err != nil {
+ errs = multierror.Append(errs, err)
+ continue
+ }
+ taggedRef, err := docker.NewReference(tagged)
+ if err != nil {
+ return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", tagged.String())
+ }
if options.ReportWriter != nil {
- options.ReportWriter.Write([]byte("Pulling " + name + "\n"))
+ options.ReportWriter.Write([]byte("Pulling " + tagged.String() + "\n"))
}
- ref, err := pullImage(ctx, options.Store, transport, name, options, systemContext)
+ ref, err := pullImage(ctx, options.Store, taggedRef, options, systemContext)
if err != nil {
errs = multierror.Append(errs, err)
continue
@@ -208,27 +215,7 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error {
return errs.ErrorOrNil()
}
-func pullImage(ctx context.Context, store storage.Store, transport string, imageName string, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
- spec := imageName
- srcRef, err := alltransports.ParseImageName(spec)
- if err != nil {
- logrus.Debugf("error parsing image name %q, trying with transport %q: %v", spec, transport, err)
- if transport == "" {
- transport = util.DefaultTransport
- } else {
- if transport != util.DefaultTransport {
- transport = transport + ":"
- }
- }
- spec = transport + spec
- srcRef2, err2 := alltransports.ParseImageName(spec)
- if err2 != nil {
- return nil, errors.Wrapf(err2, "error parsing image name %q", spec)
- }
- srcRef = srcRef2
- }
- logrus.Debugf("parsed image name %q", spec)
-
+func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
blocked, err := isReferenceBlocked(srcRef, sc)
if err != nil {
return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef))
@@ -237,7 +224,7 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image
return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
}
- destName, err := localImageNameForReference(ctx, store, srcRef, spec)
+ destName, err := localImageNameForReference(ctx, store, srcRef)
if err != nil {
return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
}
@@ -274,9 +261,9 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image
}
}()
- logrus.Debugf("copying %q to %q", spec, destName)
+ logrus.Debugf("copying %q to %q", transports.ImageName(srcRef), destName)
if _, err := cp.Image(ctx, policyContext, maybeCachedDestRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, maybeCachedDestRef, nil, "")); err != nil {
- logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", spec, destName, err)
+ logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", transports.ImageName(srcRef), destName, err)
return nil, err
}
return destRef, nil
diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go
index d98493634..7f3bbaef4 100644
--- a/vendor/github.com/containers/buildah/util/util.go
+++ b/vendor/github.com/containers/buildah/util/util.go
@@ -20,7 +20,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
"github.com/docker/distribution/registry/api/errcode"
- "github.com/opencontainers/runtime-spec/specs-go"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -47,6 +47,12 @@ var (
// correspond to in the set of configured registries, the transport used to
// pull the image, and a boolean which is true iff
// 1) the list of search registries was used, and 2) it was empty.
+//
+// The returned image names never include a transport: prefix, and if transport != "",
+// (transport, image) should be a valid input to alltransports.ParseImageName.
+// transport == "" indicates that image that already exists in a local storage,
+// and the name is valid for store.Image() / storage.Transport.ParseStoreReference().
+//
// NOTE: The "list of search registries is empty" check does not count blocked registries,
// and neither the implied "localhost" nor a possible firstRegistry are counted
func ResolveName(name string, firstRegistry string, sc *types.SystemContext, store storage.Store) ([]string, string, bool, error) {
@@ -162,15 +168,7 @@ func ExpandNames(names []string, firstRegistry string, systemContext *types.Syst
name = named
}
name = reference.TagNameOnly(name)
- tag := ""
- digest := ""
- if tagged, ok := name.(reference.NamedTagged); ok {
- tag = ":" + tagged.Tag()
- }
- if digested, ok := name.(reference.Digested); ok {
- digest = "@" + digested.Digest().String()
- }
- expanded = append(expanded, name.Name()+tag+digest)
+ expanded = append(expanded, name.String())
}
return expanded, nil
}
diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf
index 27bf45541..3cdb9c95f 100644
--- a/vendor/github.com/containers/buildah/vendor.conf
+++ b/vendor/github.com/containers/buildah/vendor.conf
@@ -9,7 +9,7 @@ github.com/mattn/go-isatty v0.0.4
github.com/VividCortex/ewma v1.1.1
github.com/boltdb/bolt v1.3.1
github.com/containers/libpod v1.0
-github.com/containers/storage v1.10
+github.com/containers/storage v1.11
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
github.com/docker/docker-credential-helpers v0.6.1