aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2018-04-16 13:39:00 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-04-18 14:07:59 +0000
commit313e5e83e92f68349d2026fc3f358f237fe93a4a (patch)
tree91c523b44bb8f55790037a9a7b42bf63e3c90de6
parent982927468c6102cfc52e838be4815d2f89d3827e (diff)
downloadpodman-313e5e83e92f68349d2026fc3f358f237fe93a4a.tar.gz
podman-313e5e83e92f68349d2026fc3f358f237fe93a4a.tar.bz2
podman-313e5e83e92f68349d2026fc3f358f237fe93a4a.zip
regression: tls verify should be set on registries.conf if insecure
In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude <bbaude@redhat.com> Closes: #626 Approved by: mheon
-rw-r--r--cmd/podman/create.go2
-rw-r--r--cmd/podman/load.go6
-rw-r--r--cmd/podman/pull.go6
-rw-r--r--cmd/podman/run.go2
-rw-r--r--cmd/podman/search.go4
-rw-r--r--docs/podman-pull.1.md4
-rw-r--r--libpod/image/image.go4
-rw-r--r--libpod/image/image_test.go8
-rw-r--r--libpod/image/pull.go25
-rw-r--r--libpod/runtime.go5
-rw-r--r--libpod/runtime_img.go31
-rw-r--r--libpod/runtime_img_test.go5
-rw-r--r--pkg/registries/registries.go37
13 files changed, 87 insertions, 52 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index b95309980..97490d6c0 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -181,7 +181,7 @@ func createCmd(c *cli.Context) error {
rtc := runtime.GetConfig()
- newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
if err != nil {
return err
}
diff --git a/cmd/podman/load.go b/cmd/podman/load.go
index 941dd68d9..1fb723750 100644
--- a/cmd/podman/load.go
+++ b/cmd/podman/load.go
@@ -99,17 +99,17 @@ func loadCmd(c *cli.Context) error {
}
src := libpod.DockerArchive + ":" + input
- newImage, err := runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
// generate full src name with specified image:tag
fullSrc := libpod.OCIArchive + ":" + input
if image != "" {
fullSrc = fullSrc + ":" + image
}
- newImage, err = runtime.ImageRuntime().New(fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err = runtime.ImageRuntime().New(fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
src = libpod.DirTransport + ":" + input
- newImage, err = runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err = runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
return errors.Wrapf(err, "error pulling %q", src)
}
diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go
index 4ceae4596..43169635a 100644
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@@ -58,6 +58,7 @@ var (
// pullCmd gets the data from the command line and calls pullImage
// to copy an image from a registry to a local machine
func pullCmd(c *cli.Context) error {
+ forceSecure := true
runtime, err := getRuntime(c)
if err != nil {
return errors.Wrapf(err, "could not get runtime")
@@ -98,8 +99,11 @@ func pullCmd(c *cli.Context) error {
DockerCertPath: c.String("cert-dir"),
DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
}
+ if !c.IsSet("tls-verify") {
+ forceSecure = false
+ }
- newImage, err := runtime.ImageRuntime().New(image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true)
+ newImage, err := runtime.ImageRuntime().New(image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
if err != nil {
return errors.Wrapf(err, "error pulling image %q", image)
}
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index 2bf0668a3..ac6361070 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -59,7 +59,7 @@ func runCmd(c *cli.Context) error {
}
rtc := runtime.GetConfig()
- newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
if err != nil {
return errors.Wrapf(err, "unable to find image")
}
diff --git a/cmd/podman/search.go b/cmd/podman/search.go
index 01eaa6729..106513e34 100644
--- a/cmd/podman/search.go
+++ b/cmd/podman/search.go
@@ -9,8 +9,8 @@ import (
"github.com/containers/image/docker"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/cmd/podman/formats"
- "github.com/projectatomic/libpod/libpod"
"github.com/projectatomic/libpod/libpod/common"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
@@ -110,7 +110,7 @@ func searchCmd(c *cli.Context) error {
if len(c.StringSlice("registry")) > 0 {
registries = c.StringSlice("registry")
} else {
- registries, err = libpod.GetRegistries()
+ registries, err = sysreg.GetRegistries()
if err != nil {
return errors.Wrapf(err, "error getting registries to search")
}
diff --git a/docs/podman-pull.1.md b/docs/podman-pull.1.md
index 6f46fdf86..698314184 100644
--- a/docs/podman-pull.1.md
+++ b/docs/podman-pull.1.md
@@ -83,7 +83,9 @@ option be used, as the default behavior of using the system-wide default policy
**--tls-verify**
-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then tls verification will be used, If set to false then tls verification will not be used. If not specified
+tls verification will be used unless the target registry is listed as an insecure registry in registries.conf.
## EXAMPLES
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 89da71cb6..cf0c7ec1b 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -117,7 +117,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) {
// New creates a new image object where the image could be local
// or remote
-func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull bool) (*Image, error) {
+func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
// We don't know if the image is local or not ... check local first
newImage := Image{
InputName: name,
@@ -137,7 +137,7 @@ func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Wri
if signaturePolicyPath == "" {
signaturePolicyPath = ir.SignaturePolicyPath
}
- imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions)
+ imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
if err != nil {
return nil, errors.Errorf("unable to pull %s", name)
}
diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go
index 8c1138f71..f160a14a4 100644
--- a/libpod/image/image_test.go
+++ b/libpod/image/image_test.go
@@ -81,9 +81,9 @@ func TestImage_NewFromLocal(t *testing.T) {
// Need images to be present for this test
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false)
+ bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
- bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false)
+ bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
tm, err := makeLocalMatrix(bb, bbglibc)
@@ -126,7 +126,7 @@ func TestImage_New(t *testing.T) {
// Iterate over the names and delete the image
// after the pull
for _, img := range names {
- newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false)
+ newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
assert.NotEqual(t, newImage.ID(), "")
err = newImage.Remove(false)
@@ -150,7 +150,7 @@ func TestImage_MatchRepoTag(t *testing.T) {
}
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false)
+ newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
err = newImage.TagImage("foo:latest")
assert.NoError(t, err)
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 8c43c6054..b2d32b255 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
+ "github.com/containers/image/docker/reference"
"github.com/containers/image/docker/tarfile"
ociarchive "github.com/containers/image/oci/archive"
"github.com/containers/image/pkg/sysregistries"
@@ -18,6 +19,9 @@ import (
"github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
"github.com/pkg/errors"
+ "github.com/projectatomic/libpod/pkg/registries"
+ "github.com/projectatomic/libpod/pkg/util"
+ "github.com/sirupsen/logrus"
)
var (
@@ -151,7 +155,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
// pullImage pulls an image from configured registries
// By default, only the latest tag (or a specific tag if requested) will be
// pulled.
-func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) {
+func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
// pullImage copies the image from the source to the destination
var pullStructs []*pullStruct
sc := GetSystemContext(signaturePolicyPath, authfile, false)
@@ -174,8 +178,25 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
}
defer policyContext.Destroy()
- copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ insecureRegistries, err := registries.GetInsecureRegistries()
+ if err != nil {
+ return "", err
+ }
+
for _, imageInfo := range pullStructs {
+ copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ if imageInfo.srcRef.Transport().Name() == DockerTransport {
+ imgRef, err := reference.Parse(imageInfo.srcRef.DockerReference().String())
+ if err != nil {
+ return "", err
+ }
+ registry := reference.Domain(imgRef.(reference.Named))
+
+ if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
+ copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
+ logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
+ }
+ }
// Print the following statement only when pulling from a docker or atomic registry
if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 94d412c84..168e27c67 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -16,6 +16,7 @@ import (
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod/image"
"github.com/projectatomic/libpod/pkg/hooks"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
)
@@ -549,7 +550,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
}
info = append(info, InfoData{Type: "store", Data: storeInfo})
- reg, err := GetRegistries()
+ reg, err := sysreg.GetRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
@@ -557,7 +558,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
registries["registries"] = reg
info = append(info, InfoData{Type: "registries", Data: registries})
- i, err := GetInsecureRegistries()
+ i, err := sysreg.GetInsecureRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index ef1791884..041de0cc2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -3,15 +3,12 @@ package libpod
import (
"fmt"
"io"
- "os"
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
ociarchive "github.com/containers/image/oci/archive"
- "github.com/containers/image/pkg/sysregistries"
"github.com/containers/image/tarball"
- "github.com/containers/image/types"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -180,31 +177,3 @@ func removeStorageContainers(ctrIDs []string, store storage.Store) error {
}
return nil
}
-
-// GetRegistries gets the searchable registries from the global registration file.
-func GetRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return searchRegistries, nil
-}
-
-// GetInsecureRegistries obtains the list of inseure registries from the global registration file.
-func GetInsecureRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- registries, err := sysregistries.GetInsecureRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return registries, nil
-}
diff --git a/libpod/runtime_img_test.go b/libpod/runtime_img_test.go
index f7f7128a4..c608c1b25 100644
--- a/libpod/runtime_img_test.go
+++ b/libpod/runtime_img_test.go
@@ -6,6 +6,7 @@ import (
"reflect"
"testing"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/stretchr/testify/assert"
)
@@ -38,7 +39,7 @@ func TestGetRegistries(t *testing.T) {
assert.NoError(t, err)
defer os.Remove(registryPath)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
- registries, err := GetRegistries()
+ registries, err := sysreg.GetRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"one"}))
}
@@ -48,7 +49,7 @@ func TestGetInsecureRegistries(t *testing.T) {
assert.NoError(t, err)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
defer os.Remove(registryPath)
- registries, err := GetInsecureRegistries()
+ registries, err := sysreg.GetInsecureRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"two"}))
}
diff --git a/pkg/registries/registries.go b/pkg/registries/registries.go
new file mode 100644
index 000000000..8e43c8b91
--- /dev/null
+++ b/pkg/registries/registries.go
@@ -0,0 +1,37 @@
+package registries
+
+import (
+ "os"
+
+ "github.com/containers/image/pkg/sysregistries"
+ "github.com/containers/image/types"
+ "github.com/pkg/errors"
+)
+
+// GetRegistries obtains the list of registries defined in the global registries file.
+func GetRegistries() ([]string, error) {
+ registryConfigPath := ""
+ envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
+ if len(envOverride) > 0 {
+ registryConfigPath = envOverride
+ }
+ searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
+ }
+ return searchRegistries, nil
+}
+
+// GetInsecureRegistries obtains the list of inseure registries from the global registration file.
+func GetInsecureRegistries() ([]string, error) {
+ registryConfigPath := ""
+ envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
+ if len(envOverride) > 0 {
+ registryConfigPath = envOverride
+ }
+ registries, err := sysregistries.GetInsecureRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
+ }
+ return registries, nil
+}