authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-09-26 20:45:30 +0200
committerGitHub <noreply@github.com>2022-09-26 20:45:30 +0200
commita0c0971e63b42031d05e82c26add5354ae69a7cf (patch)
tree902c463e0753d9549fd097abbbb001ea15704806 /libpod
parentaaeabb0e8cc4aca1c621677f9c73f1757df300c4 (diff)
parent7bc36602f6c407cffdc799ca1b2fc7c00bc4f93b (diff)
Merge pull request #15933 from vrothberg/fix-15879
auto-update: validate container image
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_validate.go33
-rw-r--r--libpod/define/autoupdate.go9
2 files changed, 42 insertions, 0 deletions
diff --git a/libpod/container_validate.go b/libpod/container_validate.go
index f4611ecce..7224ec7db 100644
--- a/libpod/container_validate.go
+++ b/libpod/container_validate.go
@@ -3,6 +3,9 @@ package libpod
import (
"fmt"
+ "github.com/containers/image/v5/docker"
+ "github.com/containers/image/v5/pkg/shortnames"
+ "github.com/containers/image/v5/transports/alltransports"
"github.com/containers/podman/v4/libpod/define"
spec "github.com/opencontainers/runtime-spec/specs-go"
)
@@ -141,5 +144,35 @@ func (c *Container) validate() error {
if c.config.HealthCheckOnFailureAction != define.HealthCheckOnFailureActionNone && c.config.HealthCheckConfig == nil {
return fmt.Errorf("cannot set on-failure action to %s without a health check", c.config.HealthCheckOnFailureAction.String())
}
+
+ if value, exists := c.config.Labels[define.AutoUpdateLabel]; exists {
+ // TODO: we cannot reference pkg/autoupdate here due to
+ // circular dependencies. It's worth considering moving the
+ // auto-update logic into the libpod package.
+ if value == "registry" || value == "image" {
+ if err := validateAutoUpdateImageReference(c.config.RawImageName); err != nil {
+ return err
+ }
+ }
+ }
+
+ return nil
+}
+
+// validateAutoUpdateImageReference checks if the specified imageName is a
+// fully-qualified image reference to the docker transport. Such a reference
+// includes a domain, name and tag (e.g., quay.io/podman/stable:latest). The
+// reference may also be prefixed with "docker://" explicitly indicating that
+// it's a reference to the docker transport.
+func validateAutoUpdateImageReference(imageName string) error {
+ // Make sure the input image is a docker.
+ imageRef, err := alltransports.ParseImageName(imageName)
+ if err == nil && imageRef.Transport().Name() != docker.Transport.Name() {
+ return fmt.Errorf("auto updates require the docker image transport but image is of transport %q", imageRef.Transport().Name())
+ } else if err != nil {
+ if shortnames.IsShortName(imageName) {
+ return fmt.Errorf("short name: auto updates require fully-qualified image reference: %q", imageName)
+ }
+ }
return nil
}
diff --git a/libpod/define/autoupdate.go b/libpod/define/autoupdate.go
new file mode 100644
index 000000000..7c278c3c5
--- /dev/null
+++ b/libpod/define/autoupdate.go
@@ -0,0 +1,9 @@
+package define
+
+// AutoUpdateLabel denotes the container/pod label key to specify auto-update
+// policies in container labels.
+const AutoUpdateLabel = "io.containers.autoupdate"
+
+// AutoUpdateAuthfileLabel denotes the container label key to specify authfile
+// in container labels.
+const AutoUpdateAuthfileLabel = "io.containers.autoupdate.authfile"