diff options
| author | Valentin Rothberg <vrothberg@redhat.com> | 2022-09-26 13:00:17 +0200 |
|---|---|---|
| committer | Valentin Rothberg <vrothberg@redhat.com> | 2022-09-26 17:07:05 +0200 |
| commit | 7bc36602f6c407cffdc799ca1b2fc7c00bc4f93b (patch) | |
| tree | 6149fd0c1e3a8fed2aaa07c82cbe1331e1085408 /libpod | |
| parent | 17f3756884f2f65a1da753e5b58895dc0b9145e8 (diff) | |
| download | podman-7bc36602f6c407cffdc799ca1b2fc7c00bc4f93b.tar.gz podman-7bc36602f6c407cffdc799ca1b2fc7c00bc4f93b.tar.bz2 podman-7bc36602f6c407cffdc799ca1b2fc7c00bc4f93b.zip | |
auto-update: validate container image
Auto updates using the "registry" policy require container to be created
with a fully-qualified image reference. Short names are not supported
due the ambiguity of their source registry. Initially, container
creation errored out for non FQN images but it seems that Podman has
regressed.
Fixes: #15879
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Diffstat (limited to 'libpod')
| -rw-r--r-- | libpod/container_validate.go | 33 | ||||
| -rw-r--r-- | libpod/define/autoupdate.go | 9 |
2 files changed, 42 insertions, 0 deletions
diff --git a/libpod/container_validate.go b/libpod/container_validate.go index f4611ecce..7224ec7db 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go @@ -3,6 +3,9 @@ package libpod import ( "fmt" + "github.com/containers/image/v5/docker" + "github.com/containers/image/v5/pkg/shortnames" + "github.com/containers/image/v5/transports/alltransports" "github.com/containers/podman/v4/libpod/define" spec "github.com/opencontainers/runtime-spec/specs-go" ) @@ -141,5 +144,35 @@ func (c *Container) validate() error { if c.config.HealthCheckOnFailureAction != define.HealthCheckOnFailureActionNone && c.config.HealthCheckConfig == nil { return fmt.Errorf("cannot set on-failure action to %s without a health check", c.config.HealthCheckOnFailureAction.String()) } + + if value, exists := c.config.Labels[define.AutoUpdateLabel]; exists { + // TODO: we cannot reference pkg/autoupdate here due to + // circular dependencies. It's worth considering moving the + // auto-update logic into the libpod package. + if value == "registry" || value == "image" { + if err := validateAutoUpdateImageReference(c.config.RawImageName); err != nil { + return err + } + } + } + + return nil +} + +// validateAutoUpdateImageReference checks if the specified imageName is a +// fully-qualified image reference to the docker transport. Such a reference +// includes a domain, name and tag (e.g., quay.io/podman/stable:latest). The +// reference may also be prefixed with "docker://" explicitly indicating that +// it's a reference to the docker transport. +func validateAutoUpdateImageReference(imageName string) error { + // Make sure the input image is a docker. + imageRef, err := alltransports.ParseImageName(imageName) + if err == nil && imageRef.Transport().Name() != docker.Transport.Name() { + return fmt.Errorf("auto updates require the docker image transport but image is of transport %q", imageRef.Transport().Name()) + } else if err != nil { + if shortnames.IsShortName(imageName) { + return fmt.Errorf("short name: auto updates require fully-qualified image reference: %q", imageName) + } + } return nil } diff --git a/libpod/define/autoupdate.go b/libpod/define/autoupdate.go new file mode 100644 index 000000000..7c278c3c5 --- /dev/null +++ b/libpod/define/autoupdate.go @@ -0,0 +1,9 @@ +package define + +// AutoUpdateLabel denotes the container/pod label key to specify auto-update +// policies in container labels. +const AutoUpdateLabel = "io.containers.autoupdate" + +// AutoUpdateAuthfileLabel denotes the container label key to specify authfile +// in container labels. +const AutoUpdateAuthfileLabel = "io.containers.autoupdate.authfile" |