-rw-r--r-- | cmd/podman/images/sign.go | 5 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 1 | ||||
-rw-r--r-- | docs/source/markdown/podman-image-sign.1.md | 9 | ||||
-rw-r--r-- | pkg/domain/entities/images.go | 1 | ||||
-rw-r--r-- | pkg/domain/infra/abi/images.go | 1 | ||||
-rw-r--r-- | pkg/specgen/generate/pod_create.go | 11 | ||||
-rw-r--r-- | test/e2e/config/containers-netns2.conf | 3 | ||||
-rw-r--r-- | test/e2e/play_kube_test.go | 28 | ||||
-rw-r--r-- | test/system/011-image.bats | 54 |
9 files changed, 102 insertions, 11 deletions
diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go index 96f214d0b..4c42a0bd6 100644 --- a/cmd/podman/images/sign.go +++ b/cmd/podman/images/sign.go @@ -3,6 +3,7 @@ package images import ( "os" + "github.com/containers/common/pkg/auth" "github.com/containers/common/pkg/completion" "github.com/containers/podman/v3/cmd/podman/common" "github.com/containers/podman/v3/cmd/podman/registry" @@ -48,6 +49,10 @@ func init() { flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys") _ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault) flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image") + + authfileFlagName := "authfile" + flags.StringVar(&signOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + _ = signCommand.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault) } func sign(cmd *cobra.Command, args []string) error { diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 2db8f6e67..474add1af 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -361,6 +361,7 @@ Man pages for the %{name} commands Summary: Tests for %{name} Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: gnupg Requires: bats Requires: jq Requires: skopeo diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md index e284955a2..5f23bbfaf 100644 --- a/docs/source/markdown/podman-image-sign.1.md +++ b/docs/source/markdown/podman-image-sign.1.md 
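Review bot: The `--authfile` value registered in `init()` is handed straight to the engine without checking that the file exists when the user set it explicitly, which I believe the other image subcommands do by calling `auth.CheckAuthFile` in their run function. `sign()` begins at the end of this hunk and its body is outside it; the check belongs there: `if cmd.Flags().Changed("authfile") {` / `if err := auth.CheckAuthFile(signOptions.Authfile); err != nil { return err }` / `}`. Without it a mistyped path is presumably treated as "no credentials", so the problem surfaces later as a registry authentication error rather than as a clear file-not-found at the CLI.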
@@ -23,6 +23,13 @@ Print usage statement. Sign all the manifests of the multi-architecture image (default false). +#### **--authfile**=*path* + +Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json + +Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE +environment variable. `export REGISTRY_AUTH_FILE=path` + #### **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. @@ -41,6 +48,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + ## RELATED CONFIGURATION The write (and read) location for signatures is defined in YAML-based diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go index 7583ce442..54f7b5d45 100644 --- a/pkg/domain/entities/images.go +++ b/pkg/domain/entities/images.go @@ -373,6 +373,7 @@ type SignOptions struct { Directory string SignBy string CertDir string + Authfile string All bool } diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 5c0227986..8b44b869a 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -641,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie } sc := ir.Libpod.SystemContext() sc.DockerCertPath = options.CertDir + sc.AuthFilePath = options.Authfile for _, signimage := range names { err = func() error { diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go index 501bce05d..bfd81739a 100644 --- a/pkg/specgen/generate/pod_create.go +++ b/pkg/specgen/generate/pod_create.go 
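Review bot: `sc.AuthFilePath = options.Authfile` assigns unconditionally, so any caller that builds `entities.SignOptions` without populating `Authfile` (everything except the CLI, which fills it from the flag default) overwrites whatever `AuthFilePath` the runtime's `SystemContext()` may already carry with an empty string. An empty path presumably makes containers/image fall back to its own default resolution, so this is mainly a question of intent; if the field is meant as an override, guard it: `if options.Authfile != "" {` / `sc.AuthFilePath = options.Authfile` / `}`. The enclosing `Sign` method starts and ends outside this hunk.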
@@ -12,7 +12,6 @@ import ( "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/specgen" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -216,15 +215,6 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) { logrus.Debugf("No networking because the infra container is missing") break } - if rootless.IsRootless() { - logrus.Debugf("Pod will use slirp4netns") - if p.InfraContainerSpec.NetNS.NSMode != "host" { - p.InfraContainerSpec.NetworkOptions = p.NetworkOptions - p.InfraContainerSpec.NetNS.NSMode = specgen.NamespaceMode("slirp4netns") - } - } else { - logrus.Debugf("Pod using bridge network mode") - } case specgen.Bridge: p.InfraContainerSpec.NetNS.NSMode = specgen.Bridge logrus.Debugf("Pod using bridge network mode") @@ -258,7 +248,6 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) { return nil, errors.Errorf("pods presently do not support network mode %s", p.NetNS.NSMode) } - libpod.WithPodCgroups() if len(p.InfraCommand) > 0 { p.InfraContainerSpec.Entrypoint = p.InfraCommand } diff --git a/test/e2e/config/containers-netns2.conf b/test/e2e/config/containers-netns2.conf new file mode 100644 index 000000000..1ffd100f5 --- /dev/null +++ b/test/e2e/config/containers-netns2.conf @@ -0,0 +1,3 @@ +[containers] + +netns = "bridge" diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index b0b927445..64b46756f 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go 
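Review bot: The removed rootless branch in `MapSpec` was the only place in this hunk that copied `p.NetworkOptions` into `p.InfraContainerSpec.NetworkOptions` for the default network mode; after the change that case only logs and breaks, so unless another path outside the hunk propagates the options, rootless pods created with the default mode would lose them. If the bridge-vs-slirp4netns decision now comes from containers.conf further down the stack, as the new e2e test suggests, a comment on the default case saying so, e.g. `// NSMode intentionally left unset: the default mode (including rootless slirp4netns) is resolved from containers.conf later`, would stop the next reader from re-adding the branch. The dropped `libpod.WithPodCgroups()` call discarded its return value, so removing it changes nothing. `MapSpec` starts and ends outside this hunk.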
@@ -2786,6 +2786,34 @@ invalid kube kind Expect(exists).To(Exit(0)) }) + It("podman play kube use network mode from config", func() { + confPath, err := filepath.Abs("config/containers-netns2.conf") + Expect(err).ToNot(HaveOccurred()) + os.Setenv("CONTAINERS_CONF", confPath) + defer os.Unsetenv("CONTAINERS_CONF") + if IsRemote() { + podmanTest.RestartRemoteService() + } + + pod := getPod() + err = generateKubeYaml("pod", pod, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube).Should(Exit(0)) + + podInspect := podmanTest.Podman([]string{"pod", "inspect", pod.Name, "--format", "{{.InfraContainerID}}"}) + podInspect.WaitWithDefaultTimeout() + Expect(podInspect).To(Exit(0)) + infraID := podInspect.OutputToString() + + inspect := podmanTest.Podman([]string{"inspect", "--format", "{{.HostConfig.NetworkMode}}", infraID}) + inspect.WaitWithDefaultTimeout() + Expect(inspect).To(Exit(0)) + Expect(inspect.OutputToString()).To(Equal("bridge")) + }) + It("podman play kube replace", func() { pod := getPod() err := generateKubeYaml("pod", pod, kubeYaml) diff --git a/test/system/011-image.bats b/test/system/011-image.bats new file mode 100644 index 000000000..5150e875e --- /dev/null +++ b/test/system/011-image.bats 
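Review bot: The new test mutates process-wide state with `os.Setenv("CONTAINERS_CONF", confPath)` and restores it with a bare `os.Unsetenv`, which discards any value the variable had before the test and, in the remote case, leaves the restarted service running with the `netns = "bridge"` config for the rest of the suite unless the harness restarts it in teardown. Saving the previous value with `os.LookupEnv`, restoring it in the defer, and restarting the remote service there as well keeps the test hermetic; both `os.Setenv` and `os.Unsetenv` also return errors that are ignored here. The error assertions are mixed within one block (`Expect(err).ToNot(HaveOccurred())` at the top, `Expect(err).To(BeNil())` after `generateKubeYaml`); pick one form.
```go
	It("podman play kube use network mode from config", func() {
		confPath, err := filepath.Abs("config/containers-netns2.conf")
		Expect(err).ToNot(HaveOccurred())
		prev, hadPrev := os.LookupEnv("CONTAINERS_CONF")
		Expect(os.Setenv("CONTAINERS_CONF", confPath)).To(Succeed())
		defer func() {
			if hadPrev {
				Expect(os.Setenv("CONTAINERS_CONF", prev)).To(Succeed())
			} else {
				Expect(os.Unsetenv("CONTAINERS_CONF")).To(Succeed())
			}
			if IsRemote() {
				podmanTest.RestartRemoteService()
			}
		}()
		if IsRemote() {
			podmanTest.RestartRemoteService()
		}
		// … unchanged: generateKubeYaml, play kube, pod inspect, infra inspect …
	})
```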
@@ -0,0 +1,54 @@ +#!/usr/bin/env bats + +load helpers + +function setup() { + skip_if_remote "--sign-by does not work with podman-remote" + + basic_setup + + export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg + mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures + + cat >$PODMAN_TMPDIR/keydetails <<EOF + %echo Generating a basic OpenPGP key + Key-Type: RSA + Key-Length: 2048 + Subkey-Type: RSA + Subkey-Length: 2048 + Name-Real: Foo + Name-Comment: Foo + Name-Email: foo@bar.com + Expire-Date: 0 + %no-ask-passphrase + %no-protection + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done +EOF + GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails +} + +function check_signature() { + local sigfile=$1 + ls -laR $PODMAN_TMPDIR/signatures + run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN + local repodigest=${output/:/=} + + local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}" + test -d $dir || die "Missing signature directory $dir" + test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'" + + # Confirm good signature + run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile" + is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \ + "gpg --verify $sigfile" +} + + +@test "podman image - sign with no sigfile" { + GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN" + check_signature "signature-1" +} + +# vim: filetype=sh |
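Review bot: `check_signature` runs `gpg --verify` through `run` but never asserts `$status`, so the test relies solely on matching "Good signature" in the output; that string comes from gpg's localized messages, so the match can fail under a non-English locale even when verification succeeded. Assert the exit code and pin the locale: `run env LC_ALL=C GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"` followed by `is "$status" "0" "gpg --verify $sigfile exit status"`. The `ls -laR $PODMAN_TMPDIR/signatures` line reads like leftover debugging output; if it is meant as a diagnostic for failures, a comment such as `# diagnostic listing, only visible when the test fails` makes that explicit. The unquoted `$PODMAN_TMPDIR` and `$_GNUPGHOME_TMP` in `mkdir` and `gpg --gen-key` break if the temporary directory path ever contains spaces.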