summaryrefslogtreecommitdiff
path: root/libpod/image/pull.go
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2018-04-16 13:39:00 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-04-18 14:07:59 +0000
commit313e5e83e92f68349d2026fc3f358f237fe93a4a (patch)
tree91c523b44bb8f55790037a9a7b42bf63e3c90de6 /libpod/image/pull.go
parent982927468c6102cfc52e838be4815d2f89d3827e (diff)
downloadpodman-313e5e83e92f68349d2026fc3f358f237fe93a4a.tar.gz
podman-313e5e83e92f68349d2026fc3f358f237fe93a4a.tar.bz2
podman-313e5e83e92f68349d2026fc3f358f237fe93a4a.zip
regression: tls verify should be set on registries.conf if insecure
In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude <bbaude@redhat.com> Closes: #626 Approved by: mheon
Diffstat (limited to 'libpod/image/pull.go')
-rw-r--r--libpod/image/pull.go25
1 files changed, 23 insertions, 2 deletions
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 8c43c6054..b2d32b255 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
+ "github.com/containers/image/docker/reference"
"github.com/containers/image/docker/tarfile"
ociarchive "github.com/containers/image/oci/archive"
"github.com/containers/image/pkg/sysregistries"
@@ -18,6 +19,9 @@ import (
"github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
"github.com/pkg/errors"
+ "github.com/projectatomic/libpod/pkg/registries"
+ "github.com/projectatomic/libpod/pkg/util"
+ "github.com/sirupsen/logrus"
)
var (
@@ -151,7 +155,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
// pullImage pulls an image from configured registries
// By default, only the latest tag (or a specific tag if requested) will be
// pulled.
-func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) {
+func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
// pullImage copies the image from the source to the destination
var pullStructs []*pullStruct
sc := GetSystemContext(signaturePolicyPath, authfile, false)
@@ -174,8 +178,25 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
}
defer policyContext.Destroy()
- copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ insecureRegistries, err := registries.GetInsecureRegistries()
+ if err != nil {
+ return "", err
+ }
+
for _, imageInfo := range pullStructs {
+ copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ if imageInfo.srcRef.Transport().Name() == DockerTransport {
+ imgRef, err := reference.Parse(imageInfo.srcRef.DockerReference().String())
+ if err != nil {
+ return "", err
+ }
+ registry := reference.Domain(imgRef.(reference.Named))
+
+ if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
+ copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
+ logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
+ }
+ }
// Print the following statement only when pulling from a docker or atomic registry
if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))