diff options
author | Valentin Rothberg <rothberg@redhat.com> | 2021-11-23 11:08:31 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2021-11-30 14:22:52 +0100 |
commit | 5bdd571b1e46f26e23f030456efb009cbb765e4c (patch) | |
tree | adad2324e3c5f094785a411cb537d8f922a3fafc /test | |
parent | 8de68b170716dd1293c5a044f3e9cfd962fdbfb1 (diff) | |
download | podman-5bdd571b1e46f26e23f030456efb009cbb765e4c.tar.gz podman-5bdd571b1e46f26e23f030456efb009cbb765e4c.tar.bz2 podman-5bdd571b1e46f26e23f030456efb009cbb765e4c.zip |
compat API: allow enforcing short-names resolution to Docker Hub
The Docker-compatible REST API has historically behaved just as the rest
of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where
`containers-registries.conf` is centrally controlling which registries
a short name may resolve to during pull or local image lookups. Please
refer to a blog for more details [1].
Docker, however, is only resolving short names to docker.io which has
been reported (see #12320) to break certain clients who rely on this
behavior. In order to support this scenario, `containers.conf(5)`
received a new option to control whether Podman's compat API resolves
to docker.io only or behaves as before.
Most endpoints allow for directly normalizing parameters that represent
an image. If set in containers.conf, Podman will then normalize the
references directly to docker.io. The build endpoint is an outlier
since images are also referenced in Dockerfiles. The Buildah API,
however, supports specifying a custom `types.SystemContext` in which
we can set a field that enforces short-name resolution to docker.io
in `c/image/pkg/shortnames`.
Notice that this a "hybrid" approach of doing the normalization directly
in the compat endpoints *and* in `pkg/shortnames` by passing a system
context. Doing such a hybrid approach is neccessary since the compat
and the libpod endpoints share the same `libimage.Runtime` which makes
a global enforcement via the `libimage.Runtime.systemContext`
impossible. Having two separate runtimes for the compat and the libpod
endpoints seems risky and not generally applicable to all endpoints.
[1] https://www.redhat.com/sysadmin/container-image-short-names
Fixes: #12320
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/apiv2/12-imagesMore.at | 3 | ||||
-rw-r--r-- | test/apiv2/70-short-names.at | 148 | ||||
-rw-r--r-- | test/apiv2/containers.conf | 8 |
3 files changed, 157 insertions, 2 deletions
diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at index 144b83194..3a5d5c096 100644 --- a/test/apiv2/12-imagesMore.at +++ b/test/apiv2/12-imagesMore.at @@ -47,8 +47,7 @@ t POST "images/localhost:5000/myrepo/push?tlsVerify=false&tag=mytag" 200 t POST "libpod/images/$iid/untag?repo=localhost:5000/myrepo&tag=mytag" 201 # Try to push non-existing image -t POST "images/localhost:5000/idonotexist/push?tlsVerify=false" 200 -jq -re 'select(.errorDetail)' <<<"$output" &>/dev/null || echo -e "${red}not ok: error message not found in output${nc}" 1>&2 +t POST "images/localhost:5000/idonotexist/push?tlsVerify=false" 404 t GET libpod/images/$IMAGE/json 200 \ .RepoTags[-1]=$IMAGE diff --git a/test/apiv2/70-short-names.at b/test/apiv2/70-short-names.at new file mode 100644 index 000000000..a5087c115 --- /dev/null +++ b/test/apiv2/70-short-names.at @@ -0,0 +1,148 @@ +# -*- sh -*- +# +# Tests for exercising short-name resolution in the compat API. +# + +# Pull the libpod/quay image which is used in all tests below. +t POST "images/create?fromImage=quay.io/libpod/alpine:latest" 200 .error~null .status~".*Download complete.*" + + +########## TAG + +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t DELETE "images/foo" 200 + + +########## BUILD + +function test_build { + from=$1 + tag=$2 + fqn=$3 + + TMPD=$(mktemp -d podman-apiv2-test.build.XXXXXXXX) + CONTAINERFILE_TAR="${TMPD}/containerfile.tar" + cat > $TMPD/containerfile << EOF +FROM $from +RUN touch /foo +EOF + tar --format=posix -C $TMPD -cvf ${CONTAINERFILE_TAR} containerfile &> /dev/null + + curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \ + -H "content-type: application/x-tar" \ + --dump-header "${TMPD}/headers.txt" \ + -o "${TMPD}/response.txt" \ + "http://$HOST:$PORT/build?dockerfile=containerfile&t=$tag" &> /dev/null + + if ! grep -q '200 OK' "${TMPD}/headers.txt"; then + cat "${TMPD}/headers.txt" + cat "${TMPD}/response.txt" + echo -e "${red}NOK: Image build from tar failed response was not 200 OK (application/x-tar)" + exit 1 + fi + + rm -rf $TMPD + t DELETE "images/$fqn" 200 +} + +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +test_build foo bar "docker.io/library/bar:latest" +t DELETE "images/foo" 200 + + +########## TAG + +# Looking up 'alpine' will fail as it gets normalized to docker.io. +t POST "images/alpine/tag?repo=foo" 404 .cause="image not known" + +# The libpod endpoint will resolve to it without issues. +t GET "libpod/images/alpine/exists" 204 + +# Now let's tag the image with 'foo'. Remember, it will be normalized to +# docker.io/library/foo. +t GET "libpod/images/docker.io/library/foo/exists" 404 +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t GET "libpod/images/docker.io/library/foo/exists" 204 + + +########## REMOVE + +t DELETE "images/alpine" 404 .cause="image not known" # fails since docker.io/library/alpine does not exist +t DELETE "images/foo" 200 # removes the previously tagged image + + +########## GET + +# Same procedure as above but with the /get endpoint. +t GET "images/alpine/get" 404 .cause="image not known" +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t GET "images/foo/get" 200 '[POSIX tar archive]' +t DELETE "images/foo" 200 + + +########## HISTORY + +t GET "images/alpine/history" 404 .cause="image not known" +t GET "images/quay.io/libpod/alpine/history" 200 +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t GET "libpod/images/foo/history" 200 +t DELETE "images/foo" 200 + + +########## PUSH + +t POST "images/alpine/push?destination=localhost:9999/do/not:exist" 404 .cause="image not known" +t POST "images/quay.io/libpod/alpine/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t POST "images/foo/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response +t DELETE "images/foo" 200 + + +########## CREATE A CONTAINER + +t POST "containers/create" Image=alpine 404 .cause="image not known" +t POST "containers/create" Image=quay.io/libpod/alpine:latest 201 +cid=$(jq -r '.Id' <<<"$output") +t POST "images/quay.io/libpod/alpine/tag?repo=foo" 201 +t POST "containers/create" Image=foo 201 +cid=$(jq -r '.Id' <<<"$output") +t DELETE "images/foo" 200 +t DELETE "containers/$cid" 204 + +########## COMMIT CONTAINER + +t POST "containers/create" Image=quay.io/libpod/alpine:latest 201 +cid=$(jq -r '.Id' <<<"$output") +t GET "images/alpine/get" 404 .cause="image not known" +t POST "commit?container=$cid&repo=foo&tag=tag" 201 +t GET "images/foo/get" 404 .cause="image not known" +t GET "images/foo:tag/get" 200 +t DELETE "images/docker.io/library/foo:tag" 200 +t DELETE "containers/$cid" 204 + + +######### SMOKE TESTS WITHOUT DOCKER.IO ENFORCEMENT + +# Note that we need to restart the service with a custom containers.conf to +# disable the docker.io enforcement. + +stop_service +CONTAINERS_CONF=$(pwd)/test/apiv2/containers.conf start_service + +t POST "images/create?fromImage=quay.io/libpod/alpine:latest" 200 .error~null .status~".*Download complete.*" +t POST "images/alpine/tag?repo=foo" 201 +t GET "images/localhost/foo:latest/get" 200 +t DELETE "images/foo" 200 +t GET "images/alpine/history" 200 +t POST "images/alpine/push?destination=localhost:9999/do/not:exist" 200 # Error is in the response +t POST "containers/create" Image=alpine 201 +cid=$(jq -r '.Id' <<<"$output") +t POST "commit?container=$cid&repo=foo&tag=tag" 201 +t DELETE "images/localhost/foo:tag" 200 +t DELETE "containers/$cid" 204 + +test_build alpine bar "localhost/bar:latest" + + +stop_service +start_service diff --git a/test/apiv2/containers.conf b/test/apiv2/containers.conf new file mode 100644 index 000000000..24762192f --- /dev/null +++ b/test/apiv2/containers.conf @@ -0,0 +1,8 @@ +# This containers.conf file is used to test enforcing short-name resolution to +# docker.io for Podman's *compat* API. By default, the compat API defaults to +# resolving to docker.io only. The behavior can be altered by configuring the +# containers.conf as done below in which case short names are subject to aliases, +# "localhost/" and the unqualified-search registries. + +[engine] +compat_api_enforce_docker_hub=false |