Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/main.go | 18 | ||||
-rw-r--r-- | cmd/podman/sign.go | 17 | ||||
-rw-r--r-- | cmd/podman/trust.go | 58 |
3 files changed, 38 insertions, 55 deletions
diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 43804ee35..604404827 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -148,16 +148,20 @@ func main() { logrus.SetLevel(level) } - // Only if not rootless, set rlimits for open files. - // We open numerous FDs for ports opened - if !rootless.IsRootless() { - rlimits := new(syscall.Rlimit) - rlimits.Cur = 1048576 - rlimits.Max = 1048576 + rlimits := new(syscall.Rlimit) + rlimits.Cur = 1048576 + rlimits.Max = 1048576 + if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { + if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { + return errors.Wrapf(err, "error getting rlimits") + } + rlimits.Cur = rlimits.Max if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { return errors.Wrapf(err, "error setting new rlimits") } - } else { + } + + if rootless.IsRootless() { logrus.Info("running as rootless") } diff --git a/cmd/podman/sign.go b/cmd/podman/sign.go index 8a31ddb98..1d9aecdc9 100644 --- a/cmd/podman/sign.go +++ b/cmd/podman/sign.go @@ -1,10 +1,10 @@ package main import ( - "fmt" "io/ioutil" "net/url" "os" + "path/filepath" "strconv" "strings" @@ -59,7 +59,7 @@ func signCmd(c *cli.Context) error { signby := c.String("sign-by") if signby == "" { - return errors.Errorf("You must provide an identity") + return errors.Errorf("please provide an identity") } var sigStoreDir string @@ -72,11 +72,11 @@ func signCmd(c *cli.Context) error { mech, err := signature.NewGPGSigningMechanism() if err != nil { - return errors.Wrap(err, "Error initializing GPG") + return errors.Wrap(err, "error initializing GPG") } defer mech.Close() if err := mech.SupportsSigning(); err != nil { - return errors.Wrap(err, "Signing is not supported") + return errors.Wrap(err, "signing is not supported") } systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext()) 
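Review bot: The rationale that went with the removed block (`// We open numerous FDs for ports opened`) is not carried over, so the now-unconditional rlimit code in main() has no explanation of why 1048576 is attempted first or why the fallback raises the soft limit to the hard limit; a comment above `rlimits := new(syscall.Rlimit)` such as `// Raise the open-file limit: podman opens many FDs for published ports. If the fixed value is refused, fall back to the current hard limit.` would restore it. The error from the first `syscall.Setrlimit` call is discarded because the nested `if err := syscall.Getrlimit(...)` shadows it, so when the fallback also fails the user only sees the second error; binding the first attempt to a differently named variable and folding it into the final `errors.Wrapf` message would keep both. main() continues outside the hunk.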
@@ -100,7 +100,7 @@ func signCmd(c *cli.Context) error { } dockerReference := rawSource.Reference().DockerReference() if dockerReference == nil { - return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference())) + return errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference())) } // create the signstore file @@ -141,7 +141,8 @@ func signCmd(c *cli.Context) error { return errors.Wrapf(err, "error creating new signature") } - sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1)) + trimmedDigest := strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0]) + sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(trimmedDigest, ":", "=", 1)) if err := os.MkdirAll(sigStoreDir, 0751); err != nil { // The directory is allowed to exist if !os.IsExist(err) { @@ -154,7 +155,7 @@ func signCmd(c *cli.Context) error { logrus.Errorf("error creating sigstore file: %v", err) continue } - err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644) + err = ioutil.WriteFile(filepath.Join(sigStoreDir, sigFilename), newSig, 0644) if err != nil { logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String()) continue @@ -190,7 +191,7 @@ func isValidSigStoreDir(sigStoreDir string) (string, error) { } _, exists := writeURIs[url.Scheme] if !exists { - return sigStoreDir, errors.Errorf("Writing to %s is not supported. Use a supported scheme", sigStoreDir) + return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir) } sigStoreDir = url.Path return sigStoreDir, nil diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go index 7c404cd3f..863f36d09 100644 --- a/cmd/podman/trust.go +++ b/cmd/podman/trust.go 
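Review bot: `trimmedDigest` in the @@ -141 hunk of signCmd is not a digest but the repository path (with tag) after the registry host, and `strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])` keeps the leading `/`, which only works because filepath.Join cleans it away. For a value with no `/` the old slicing kept the whole string while the new expression yields `""`, so filepath.Join returns sigStoreDir itself and the signature is written into the store root; whether repos[0] can lack a `/` depends on how repos is built outside this hunk. A clearer form that keeps the old behaviour: `repoPath := repos[0]` / `if i := strings.Index(repoPath, "/"); i >= 0 { repoPath = repoPath[i+1:] }` / `sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(repoPath, ":", "=", 1))`. signCmd starts and ends outside the hunk.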
@@ -13,7 +13,6 @@ import ( "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/trust" "github.com/pkg/errors" - "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -132,7 +131,7 @@ func showTrustCmd(c *cli.Context) error { if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil { return errors.Errorf("could not read trust policies") } - policyJSON, err := trust.GetPolicyJSON(policyContentStruct, systemRegistriesDirPath) + policyJSON, showOutputMap, err := trust.GetPolicy(policyContentStruct, systemRegistriesDirPath) if err != nil { return errors.Wrapf(err, "error reading registry config file") } @@ -144,31 +143,12 @@ func showTrustCmd(c *cli.Context) error { } sortedRepos := sortPolicyJSONKey(policyJSON) - type policydefault struct { - Repo string - Trusttype string - GPGid string - Sigstore string - } - var policyoutput []policydefault - for _, repo := range sortedRepos { - repoval := policyJSON[repo] - var defaultstruct policydefault - defaultstruct.Repo = repo - if repoval["type"] != nil { - defaultstruct.Trusttype = trustTypeDescription(repoval["type"].(string)) - } - if repoval["keys"] != nil && len(repoval["keys"].([]string)) > 0 { - defaultstruct.GPGid = trust.GetGPGId(repoval["keys"].([]string)) - } - if repoval["sigstore"] != nil { - defaultstruct.Sigstore = repoval["sigstore"].(string) - } - policyoutput = append(policyoutput, defaultstruct) - } var output []interface{} - for _, ele := range policyoutput { - output = append(output, interface{}(ele)) + for _, reponame := range sortedRepos { + showOutput, exists := showOutputMap[reponame] + if exists { + output = append(output, interface{}(showOutput)) + } } out := formats.StdoutTemplateArray{Output: output, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"} return formats.Writer(out).Out() 
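Review bot: The lookup loop in showTrustCmd (@@ -144 hunk) silently drops any name in sortedRepos that has no entry in showOutputMap, and the explicit `interface{}(showOutput)` conversion is redundant since appending to `[]interface{}` converts implicitly. Both policyJSON and showOutputMap come from the same trust.GetPolicy call, so the mismatch is presumably impossible, but a comment on the `if exists` line, e.g. `// policyJSON and showOutputMap are expected to share keys; skip defensively`, would record that assumption, and `output = append(output, showOutput)` is enough otherwise. showTrustCmd starts outside the hunk.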
@@ -209,8 +189,10 @@ func setTrustCmd(c *cli.Context) error { policyPath = trust.DefaultPolicyPath(runtime.SystemContext()) } var policyContentStruct trust.PolicyContent + policyFileExists := false _, err = os.Stat(policyPath) if !os.IsNotExist(err) { + policyFileExists = true policyContent, err := ioutil.ReadFile(policyPath) if err != nil { return errors.Wrapf(err, "unable to read %s", policyPath) @@ -218,6 +200,9 @@ func setTrustCmd(c *cli.Context) error { if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil { return errors.Errorf("could not read trust policies") } + if args[0] != "default" && len(policyContentStruct.Default) == 0 { + return errors.Errorf("Default trust policy must be set.") + } } var newReposContent []trust.RepoContent if len(pubkeysfile) != 0 { @@ -230,15 +215,18 @@ func setTrustCmd(c *cli.Context) error { if args[0] == "default" { policyContentStruct.Default = newReposContent } else { - exists := false + if policyFileExists == false && len(policyContentStruct.Default) == 0 { + return errors.Errorf("Default trust policy must be set to create the policy file.") + } + registryExists := false for transport, transportval := range policyContentStruct.Transports { - _, exists = transportval[args[0]] - if exists { + _, registryExists = transportval[args[0]] + if registryExists { policyContentStruct.Transports[transport][args[0]] = newReposContent break } } - if !exists { + if !registryExists { if policyContentStruct.Transports == nil { policyContentStruct.Transports = make(map[string]trust.RepoMap) } 
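Review bot: The two new error strings in setTrustCmd, `Default trust policy must be set.` and `Default trust policy must be set to create the policy file.`, are capitalized and end with a period, contrary to the lowercase, unpunctuated style this same commit applies in sign.go; `default trust policy must be set` would match. The check is also split across the @@ -218 hunk (policy file exists) and the @@ -230 hunk (policy file absent), with a `policyFileExists` flag only to tell the two apart; a single `if args[0] != "default" && len(policyContentStruct.Default) == 0 { return errors.Errorf("default trust policy must be set") }` placed right after the policy-file read block appears to cover both cases and would let the flag go, though it would then run before the pubkeysfile handling rather than after it. `policyFileExists == false` should be written `!policyFileExists`. setTrustCmd starts and ends outside these hunks.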
@@ -260,16 +248,6 @@ func setTrustCmd(c *cli.Context) error { return nil } -var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"} - -func trustTypeDescription(trustType string) string { - trustDescription, exist := typeDescription[trustType] - if !exist { - logrus.Warnf("invalid trust type %s", trustType) - } - return trustDescription -} - func sortPolicyJSONKey(m map[string]map[string]interface{}) []string { keys := make([]string, len(m)) i := 0 |