Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/main.go18
-rw-r--r--cmd/podman/sign.go17
-rw-r--r--cmd/podman/trust.go58
3 files changed, 38 insertions, 55 deletions
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 43804ee35..604404827 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -148,16 +148,20 @@ func main() {
logrus.SetLevel(level)
}
- // Only if not rootless, set rlimits for open files.
- // We open numerous FDs for ports opened
- if !rootless.IsRootless() {
- rlimits := new(syscall.Rlimit)
- rlimits.Cur = 1048576
- rlimits.Max = 1048576
+ rlimits := new(syscall.Rlimit)
+ rlimits.Cur = 1048576
+ rlimits.Max = 1048576
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error getting rlimits")
+ }
+ rlimits.Cur = rlimits.Max
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
return errors.Wrapf(err, "error setting new rlimits")
}
- } else {
+ }
+
+ if rootless.IsRootless() {
logrus.Info("running as rootless")
}
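Review bot: The fallback path discards the first Setrlimit error, so when both attempts fail the returned message names only the second cause, and the first attempt writes Max = 1048576 unconditionally even if the process's current hard limit is higher, which lowers a hard limit that an unprivileged (rootless) process can never raise again. Reading the current limits first and only ever raising them avoids both problems; the sketch below does that and carries the first error into the final wrap. As a nit, `errors.Wrapf` with no format arguments is just `errors.Wrap`. main() starts and ends outside this hunk.
```go
// … unchanged: log level setup …
const wantNOFILE = 1048576
var orig syscall.Rlimit
if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &orig); err != nil {
	return errors.Wrap(err, "error getting rlimits")
}
// Only ever raise limits: lowering the hard limit is irreversible for an unprivileged process.
rlimits := orig
if rlimits.Max < wantNOFILE {
	rlimits.Max = wantNOFILE
}
rlimits.Cur = rlimits.Max
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimits); err != nil {
	// Raising the hard limit needs privilege (typically absent when rootless);
	// settle for raising the soft limit to the existing hard limit.
	rlimits = orig
	rlimits.Cur = rlimits.Max
	if err2 := syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimits); err2 != nil {
		return errors.Wrapf(err2, "error setting new rlimits (raising hard limit failed: %v)", err)
	}
}
// … unchanged: rootless info log …
```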
diff --git a/cmd/podman/sign.go b/cmd/podman/sign.go
index 8a31ddb98..1d9aecdc9 100644
--- a/cmd/podman/sign.go
+++ b/cmd/podman/sign.go
@@ -1,10 +1,10 @@
package main
import (
- "fmt"
"io/ioutil"
"net/url"
"os"
+ "path/filepath"
"strconv"
"strings"
@@ -59,7 +59,7 @@ func signCmd(c *cli.Context) error {
signby := c.String("sign-by")
if signby == "" {
- return errors.Errorf("You must provide an identity")
+ return errors.Errorf("please provide an identity")
}
var sigStoreDir string
@@ -72,11 +72,11 @@ func signCmd(c *cli.Context) error {
mech, err := signature.NewGPGSigningMechanism()
if err != nil {
- return errors.Wrap(err, "Error initializing GPG")
+ return errors.Wrap(err, "error initializing GPG")
}
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
- return errors.Wrap(err, "Signing is not supported")
+ return errors.Wrap(err, "signing is not supported")
}
systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext())
@@ -100,7 +100,7 @@ func signCmd(c *cli.Context) error {
}
dockerReference := rawSource.Reference().DockerReference()
if dockerReference == nil {
- return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
+ return errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
}
// create the signstore file
@@ -141,7 +141,8 @@ func signCmd(c *cli.Context) error {
return errors.Wrapf(err, "error creating new signature")
}
- sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1))
+ trimmedDigest := strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])
+ sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(trimmedDigest, ":", "=", 1))
if err := os.MkdirAll(sigStoreDir, 0751); err != nil {
// The directory is allowed to exist
if !os.IsExist(err) {
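Review bot: `strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])` keeps the leading "/" of the remainder and, when repos[0] contains no "/" at all, strips the entire string, so trimmedDigest becomes "" and the signature directory collapses to sigStoreDir itself, whereas the removed slice expression kept the full name in that case. Whether a slash-less name can reach this point depends on how repos is built outside the hunk, but `parts := strings.SplitN(repos[0], "/", 2); trimmedDigest := parts[len(parts)-1]` preserves the old behaviour and drops the stray slash. The name trimmedDigest also reads oddly next to the following ":" → "=" rewrite, which looks like a tag separator; presumably this is a repository path, so a name such as `repoPath` would be clearer. filepath.Join cleans the joined path, but since this component is derived from an image reference it is worth a comment that the reference has already been validated by the reference parser — confirm that rather than rely on Join alone. signCmd continues beyond this hunk.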
@@ -154,7 +155,7 @@ func signCmd(c *cli.Context) error {
logrus.Errorf("error creating sigstore file: %v", err)
continue
}
- err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644)
+ err = ioutil.WriteFile(filepath.Join(sigStoreDir, sigFilename), newSig, 0644)
if err != nil {
logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
continue
@@ -190,7 +191,7 @@ func isValidSigStoreDir(sigStoreDir string) (string, error) {
}
_, exists := writeURIs[url.Scheme]
if !exists {
- return sigStoreDir, errors.Errorf("Writing to %s is not supported. Use a supported scheme", sigStoreDir)
+ return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir)
}
sigStoreDir = url.Path
return sigStoreDir, nil
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go
index 7c404cd3f..863f36d09 100644
--- a/cmd/podman/trust.go
+++ b/cmd/podman/trust.go
@@ -13,7 +13,6 @@ import (
"github.com/containers/libpod/libpod/image"
"github.com/containers/libpod/pkg/trust"
"github.com/pkg/errors"
- "github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
@@ -132,7 +131,7 @@ func showTrustCmd(c *cli.Context) error {
if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
return errors.Errorf("could not read trust policies")
}
- policyJSON, err := trust.GetPolicyJSON(policyContentStruct, systemRegistriesDirPath)
+ policyJSON, showOutputMap, err := trust.GetPolicy(policyContentStruct, systemRegistriesDirPath)
if err != nil {
return errors.Wrapf(err, "error reading registry config file")
}
@@ -144,31 +143,12 @@ func showTrustCmd(c *cli.Context) error {
}
sortedRepos := sortPolicyJSONKey(policyJSON)
- type policydefault struct {
- Repo string
- Trusttype string
- GPGid string
- Sigstore string
- }
- var policyoutput []policydefault
- for _, repo := range sortedRepos {
- repoval := policyJSON[repo]
- var defaultstruct policydefault
- defaultstruct.Repo = repo
- if repoval["type"] != nil {
- defaultstruct.Trusttype = trustTypeDescription(repoval["type"].(string))
- }
- if repoval["keys"] != nil && len(repoval["keys"].([]string)) > 0 {
- defaultstruct.GPGid = trust.GetGPGId(repoval["keys"].([]string))
- }
- if repoval["sigstore"] != nil {
- defaultstruct.Sigstore = repoval["sigstore"].(string)
- }
- policyoutput = append(policyoutput, defaultstruct)
- }
var output []interface{}
- for _, ele := range policyoutput {
- output = append(output, interface{}(ele))
+ for _, reponame := range sortedRepos {
+ showOutput, exists := showOutputMap[reponame]
+ if exists {
+ output = append(output, interface{}(showOutput))
+ }
}
out := formats.StdoutTemplateArray{Output: output, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"}
return formats.Writer(out).Out()
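Review bot: The new loop silently skips any repository in sortedRepos that has no entry in showOutputMap, whereas the removed code printed a row for every policy key; for a `trust show` listing that is a security-relevant omission, because a policy entry GetPolicy presumably could not describe simply vanishes from the audit view. If GetPolicy guarantees showOutputMap has an entry for every key of policyJSON, say so above the loop (`// GetPolicy returns an entry for every key of policyJSON; the lookup cannot fail`) and the `exists` branch is dead; otherwise report the gap instead of dropping it, e.g. `return errors.Errorf("no trust description for %s", reponame)` (logging would need the logrus import this commit removes). showTrustCmd's closing brace is outside the hunk.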
@@ -209,8 +189,10 @@ func setTrustCmd(c *cli.Context) error {
policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
}
var policyContentStruct trust.PolicyContent
+ policyFileExists := false
_, err = os.Stat(policyPath)
if !os.IsNotExist(err) {
+ policyFileExists = true
policyContent, err := ioutil.ReadFile(policyPath)
if err != nil {
return errors.Wrapf(err, "unable to read %s", policyPath)
@@ -218,6 +200,9 @@ func setTrustCmd(c *cli.Context) error {
if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
return errors.Errorf("could not read trust policies")
}
+ if args[0] != "default" && len(policyContentStruct.Default) == 0 {
+ return errors.Errorf("Default trust policy must be set.")
+ }
}
var newReposContent []trust.RepoContent
if len(pubkeysfile) != 0 {
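Review bot: The new error string `"Default trust policy must be set."` is capitalised and ends with a period, which is inconsistent with the lowercase, unpunctuated messages this same commit introduces in sign.go and with Go convention; `return errors.Errorf("default trust policy must be set")` matches. The guard also only runs when the policy file exists, while the else branch later in setTrustCmd repeats the same condition for the missing-file case, so a single guard after the file-reading block would cover both. setTrustCmd continues outside this hunk.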
@@ -230,15 +215,18 @@ func setTrustCmd(c *cli.Context) error {
if args[0] == "default" {
policyContentStruct.Default = newReposContent
} else {
- exists := false
+ if policyFileExists == false && len(policyContentStruct.Default) == 0 {
+ return errors.Errorf("Default trust policy must be set to create the policy file.")
+ }
+ registryExists := false
for transport, transportval := range policyContentStruct.Transports {
- _, exists = transportval[args[0]]
- if exists {
+ _, registryExists = transportval[args[0]]
+ if registryExists {
policyContentStruct.Transports[transport][args[0]] = newReposContent
break
}
}
- if !exists {
+ if !registryExists {
if policyContentStruct.Transports == nil {
policyContentStruct.Transports = make(map[string]trust.RepoMap)
}
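Review bot: `policyFileExists == false` should be written `!policyFileExists`, and taken together with the guard added earlier in setTrustCmd for the existing-file case, the two checks say "a non-default entry requires a default policy" regardless of whether the file existed, so one guard placed before this if/else — `if args[0] != "default" && len(policyContentStruct.Default) == 0 { return errors.Errorf("default trust policy must be set") }` — replaces both and removes the need for the policyFileExists flag. The lowercase message also matches the error-string convention this commit applies in sign.go. The function continues past the hunk.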
@@ -260,16 +248,6 @@ func setTrustCmd(c *cli.Context) error {
return nil
}
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
-
-func trustTypeDescription(trustType string) string {
- trustDescription, exist := typeDescription[trustType]
- if !exist {
- logrus.Warnf("invalid trust type %s", trustType)
- }
- return trustDescription
-}
-
func sortPolicyJSONKey(m map[string]map[string]interface{}) []string {
keys := make([]string, len(m))
i := 0