-rw-r--r--cmd/podman/create.go2
-rw-r--r--cmd/podman/load.go6
-rw-r--r--cmd/podman/pull.go6
-rw-r--r--cmd/podman/run.go2
-rw-r--r--cmd/podman/search.go4
-rw-r--r--docs/podman-pull.1.md4
-rw-r--r--libpod/image/image.go4
-rw-r--r--libpod/image/image_test.go8
-rw-r--r--libpod/image/pull.go25
-rw-r--r--libpod/runtime.go5
-rw-r--r--libpod/runtime_img.go31
-rw-r--r--libpod/runtime_img_test.go5
-rw-r--r--pkg/registries/registries.go37
13 files changed, 87 insertions, 52 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index b95309980..97490d6c0 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -181,7 +181,7 @@ func createCmd(c *cli.Context) error {
rtc := runtime.GetConfig()
- newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
if err != nil {
return err
}
diff --git a/cmd/podman/load.go b/cmd/podman/load.go
index 941dd68d9..1fb723750 100644
--- a/cmd/podman/load.go
+++ b/cmd/podman/load.go
@@ -99,17 +99,17 @@ func loadCmd(c *cli.Context) error {
}
src := libpod.DockerArchive + ":" + input
- newImage, err := runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
// generate full src name with specified image:tag
fullSrc := libpod.OCIArchive + ":" + input
if image != "" {
fullSrc = fullSrc + ":" + image
}
- newImage, err = runtime.ImageRuntime().New(fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err = runtime.ImageRuntime().New(fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
src = libpod.DirTransport + ":" + input
- newImage, err = runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false)
+ newImage, err = runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
if err != nil {
return errors.Wrapf(err, "error pulling %q", src)
}
diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go
index 4ceae4596..43169635a 100644
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@@ -58,6 +58,7 @@ var (
// pullCmd gets the data from the command line and calls pullImage
// to copy an image from a registry to a local machine
func pullCmd(c *cli.Context) error {
+ forceSecure := true
runtime, err := getRuntime(c)
if err != nil {
return errors.Wrapf(err, "could not get runtime")
@@ -98,8 +99,11 @@ func pullCmd(c *cli.Context) error {
DockerCertPath: c.String("cert-dir"),
DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
}
+ if !c.IsSet("tls-verify") {
+ forceSecure = false
+ }
- newImage, err := runtime.ImageRuntime().New(image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true)
+ newImage, err := runtime.ImageRuntime().New(image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
if err != nil {
return errors.Wrapf(err, "error pulling image %q", image)
}
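Review bot: The name `forceSecure` is misleading in pullCmd. It is initialised to true in the earlier hunk and cleared only when `--tls-verify` is absent, so it really records "the user set the flag explicitly": with `--tls-verify=false` it stays true while `DockerInsecureSkipTLSVerify` is also true. Collapsing the two hunks into `forceSecure := c.IsSet("tls-verify")` next to `dockerRegistryOptions` would say this directly, with a comment such as `// an explicit --tls-verify (true or false) overrides the insecure list in registries.conf`. pullCmd's body continues outside both hunks.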
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index 2bf0668a3..ac6361070 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -59,7 +59,7 @@ func runCmd(c *cli.Context) error {
}
rtc := runtime.GetConfig()
- newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
+ newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
if err != nil {
return errors.Wrapf(err, "unable to find image")
}
diff --git a/cmd/podman/search.go b/cmd/podman/search.go
index 01eaa6729..106513e34 100644
--- a/cmd/podman/search.go
+++ b/cmd/podman/search.go
@@ -9,8 +9,8 @@ import (
"github.com/containers/image/docker"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/cmd/podman/formats"
- "github.com/projectatomic/libpod/libpod"
"github.com/projectatomic/libpod/libpod/common"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
@@ -110,7 +110,7 @@ func searchCmd(c *cli.Context) error {
if len(c.StringSlice("registry")) > 0 {
registries = c.StringSlice("registry")
} else {
- registries, err = libpod.GetRegistries()
+ registries, err = sysreg.GetRegistries()
if err != nil {
return errors.Wrapf(err, "error getting registries to search")
}
diff --git a/docs/podman-pull.1.md b/docs/podman-pull.1.md
index 6f46fdf86..698314184 100644
--- a/docs/podman-pull.1.md
+++ b/docs/podman-pull.1.md
@@ -83,7 +83,9 @@ option be used, as the default behavior of using the system-wide default policy
**--tls-verify**
-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then tls verification will be used, If set to false then tls verification will not be used. If not specified
+tls verification will be used unless the target registry is listed as an insecure registry in registries.conf.
## EXAMPLES
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 89da71cb6..cf0c7ec1b 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -117,7 +117,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) {
// New creates a new image object where the image could be local
// or remote
-func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull bool) (*Image, error) {
+func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
// We don't know if the image is local or not ... check local first
newImage := Image{
InputName: name,
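Review bot: The doc comment on New still says only "local or remote" and does not explain the new `forceSecure` argument, which sits directly after `forcePull` as a second positional bool and is easy to transpose at call sites. Judging from the pull.go hunk in this commit, passing false allows TLS verification to be switched off for any registry listed as insecure in registries.conf, and every caller except `podman pull` passes false. I would add something like `// forceSecure: when true the insecure-registries list is not consulted and dockeroptions alone decides TLS verification.` The body of New continues outside this hunk.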
@@ -137,7 +137,7 @@ func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Wri
if signaturePolicyPath == "" {
signaturePolicyPath = ir.SignaturePolicyPath
}
- imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions)
+ imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
if err != nil {
return nil, errors.Errorf("unable to pull %s", name)
}
diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go
index 8c1138f71..f160a14a4 100644
--- a/libpod/image/image_test.go
+++ b/libpod/image/image_test.go
@@ -81,9 +81,9 @@ func TestImage_NewFromLocal(t *testing.T) {
// Need images to be present for this test
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false)
+ bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
- bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false)
+ bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
tm, err := makeLocalMatrix(bb, bbglibc)
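Review bot: Every updated call in this file (here and in the TestImage_New and TestImage_MatchRepoTag hunks) passes `false` for the new argument, so no test covers `forceSecure=true` or a registry that appears on the insecure list. Since that branch decides whether certificate verification is skipped, a case that points `REGISTRIES_CONFIG_PATH` at a temporary registries.conf and checks both settings would be worth adding. The test functions extend beyond the visible hunks.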
@@ -126,7 +126,7 @@ func TestImage_New(t *testing.T) {
// Iterate over the names and delete the image
// after the pull
for _, img := range names {
- newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false)
+ newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
assert.NotEqual(t, newImage.ID(), "")
err = newImage.Remove(false)
@@ -150,7 +150,7 @@ func TestImage_MatchRepoTag(t *testing.T) {
}
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false)
+ newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
err = newImage.TagImage("foo:latest")
assert.NoError(t, err)
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 8c43c6054..b2d32b255 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
+ "github.com/containers/image/docker/reference"
"github.com/containers/image/docker/tarfile"
ociarchive "github.com/containers/image/oci/archive"
"github.com/containers/image/pkg/sysregistries"
@@ -18,6 +19,9 @@ import (
"github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
"github.com/pkg/errors"
+ "github.com/projectatomic/libpod/pkg/registries"
+ "github.com/projectatomic/libpod/pkg/util"
+ "github.com/sirupsen/logrus"
)
var (
@@ -151,7 +155,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
// pullImage pulls an image from configured registries
// By default, only the latest tag (or a specific tag if requested) will be
// pulled.
-func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) {
+func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
// pullImage copies the image from the source to the destination
var pullStructs []*pullStruct
sc := GetSystemContext(signaturePolicyPath, authfile, false)
@@ -174,8 +178,25 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
}
defer policyContext.Destroy()
- copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ insecureRegistries, err := registries.GetInsecureRegistries()
+ if err != nil {
+ return "", err
+ }
+
for _, imageInfo := range pullStructs {
+ copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ if imageInfo.srcRef.Transport().Name() == DockerTransport {
+ imgRef, err := reference.Parse(imageInfo.srcRef.DockerReference().String())
+ if err != nil {
+ return "", err
+ }
+ registry := reference.Domain(imgRef.(reference.Named))
+
+ if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
+ copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
+ logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
+ }
+ }
// Print the following statement only when pulling from a docker or atomic registry
if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
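Review bot: The unchecked assertion `imgRef.(reference.Named)` panics if `reference.Parse` ever returns a reference without a name. The round trip through `String()` also looks unnecessary, because `srcRef.DockerReference()` should already yield a `reference.Named` for the docker transport. Separately, `registries.GetInsecureRegistries()` runs before the loop for every transport and every value of `forceSecure`, so an unreadable registries.conf now fails archive and directory loads that never consult the list; consider fetching it only when it is needed. Logging the downgrade with `logrus.Warnf` instead of `logrus.Info(fmt.Sprintf(...))` would mark it as security-relevant and drop the extra Sprintf. pullImage starts and continues outside this hunk.

```go
for _, imageInfo := range pullStructs {
	copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
	// Only consult the insecure list when the caller did not set --tls-verify explicitly.
	if !forceSecure && imageInfo.srcRef.Transport().Name() == DockerTransport {
		registry := reference.Domain(imageInfo.srcRef.DockerReference())
		if util.StringInSlice(registry, insecureRegistries) {
			copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
			logrus.Warnf("%s is an insecure registry; pulling with tls-verify=false", registry)
		}
	}
	// … unchanged: "Trying to pull" message and the copy itself …
```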
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 94d412c84..168e27c67 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -16,6 +16,7 @@ import (
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod/image"
"github.com/projectatomic/libpod/pkg/hooks"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
)
@@ -549,7 +550,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
}
info = append(info, InfoData{Type: "store", Data: storeInfo})
- reg, err := GetRegistries()
+ reg, err := sysreg.GetRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
@@ -557,7 +558,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
registries["registries"] = reg
info = append(info, InfoData{Type: "registries", Data: registries})
- i, err := GetInsecureRegistries()
+ i, err := sysreg.GetInsecureRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index ef1791884..041de0cc2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -3,15 +3,12 @@ package libpod
import (
"fmt"
"io"
- "os"
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
ociarchive "github.com/containers/image/oci/archive"
- "github.com/containers/image/pkg/sysregistries"
"github.com/containers/image/tarball"
- "github.com/containers/image/types"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -180,31 +177,3 @@ func removeStorageContainers(ctrIDs []string, store storage.Store) error {
}
return nil
}
-
-// GetRegistries gets the searchable registries from the global registration file.
-func GetRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return searchRegistries, nil
-}
-
-// GetInsecureRegistries obtains the list of inseure registries from the global registration file.
-func GetInsecureRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- registries, err := sysregistries.GetInsecureRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return registries, nil
-}
diff --git a/libpod/runtime_img_test.go b/libpod/runtime_img_test.go
index f7f7128a4..c608c1b25 100644
--- a/libpod/runtime_img_test.go
+++ b/libpod/runtime_img_test.go
@@ -6,6 +6,7 @@ import (
"reflect"
"testing"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/stretchr/testify/assert"
)
@@ -38,7 +39,7 @@ func TestGetRegistries(t *testing.T) {
assert.NoError(t, err)
defer os.Remove(registryPath)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
- registries, err := GetRegistries()
+ registries, err := sysreg.GetRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"one"}))
}
@@ -48,7 +49,7 @@ func TestGetInsecureRegistries(t *testing.T) {
assert.NoError(t, err)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
defer os.Remove(registryPath)
- registries, err := GetInsecureRegistries()
+ registries, err := sysreg.GetInsecureRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"two"}))
}
diff --git a/pkg/registries/registries.go b/pkg/registries/registries.go
new file mode 100644
index 000000000..8e43c8b91
--- /dev/null
+++ b/pkg/registries/registries.go
@@ -0,0 +1,37 @@
+package registries
+
+import (
+ "os"
+
+ "github.com/containers/image/pkg/sysregistries"
+ "github.com/containers/image/types"
+ "github.com/pkg/errors"
+)
+
+// GetRegistries obtains the list of registries defined in the global registries file.
+func GetRegistries() ([]string, error) {
+ registryConfigPath := ""
+ envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
+ if len(envOverride) > 0 {
+ registryConfigPath = envOverride
+ }
+ searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
+ }
+ return searchRegistries, nil
+}
+
+// GetInsecureRegistries obtains the list of inseure registries from the global registration file.
+func GetInsecureRegistries() ([]string, error) {
+ registryConfigPath := ""
+ envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
+ if len(envOverride) > 0 {
+ registryConfigPath = envOverride
+ }
+ registries, err := sysregistries.GetInsecureRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
+ }
+ return registries, nil
+}
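Review bot: Both functions repeat the same four-line environment override, which reduces to `registryConfigPath := os.Getenv("REGISTRIES_CONFIG_PATH")` because Getenv already returns "" when the variable is unset. The doc comment on GetInsecureRegistries has a typo ("inseure") and says "global registration file" where GetRegistries says "global registries file". Since this commit makes the insecure list decide whether pulls skip TLS verification, the comments should also state that `REGISTRIES_CONFIG_PATH` selects the file being read. The package has no package-level doc comment.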