Diffstat (limited to 'libpod')
-rw-r--r--libpod/image/image.go4
-rw-r--r--libpod/image/image_test.go8
-rw-r--r--libpod/image/pull.go25
-rw-r--r--libpod/runtime.go5
-rw-r--r--libpod/runtime_img.go31
-rw-r--r--libpod/runtime_img_test.go5
6 files changed, 35 insertions, 43 deletions
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 89da71cb6..cf0c7ec1b 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -117,7 +117,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) {
// New creates a new image object where the image could be local
// or remote
-func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull bool) (*Image, error) {
+func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
// We don't know if the image is local or not ... check local first
newImage := Image{
InputName: name,
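Review bot: The doc comment above `New` is unchanged and does not mention the new `forceSecure` parameter, and the same holds for the comment on `pullImage` in libpod/image/pull.go. Two adjacent positional booleans (`forcePull, forceSecure bool`) are easy to transpose at a call site, so the comment should state the contract, for example `// forceSecure, when true, keeps TLS verification on even for registries listed as insecure.` The body of `New` continues outside this hunk.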
@@ -137,7 +137,7 @@ func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Wri
if signaturePolicyPath == "" {
signaturePolicyPath = ir.SignaturePolicyPath
}
- imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions)
+ imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
if err != nil {
return nil, errors.Errorf("unable to pull %s", name)
}
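Review bot: The error returned after the `pullImage` call drops `err`, so a certificate failure from a pull that kept verification on (`forceSecure` true) reaches the caller only as "unable to pull NAME". Now that the pull path decides TLS verification per registry, the underlying cause matters for diagnosis. If `errors` here is github.com/pkg/errors, as the `Wrapf` calls in libpod/runtime.go suggest, `return nil, errors.Wrapf(err, "unable to pull %s", name)` would keep it. The return line is unchanged context, and `New` starts and ends outside this hunk.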
diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go
index 8c1138f71..f160a14a4 100644
--- a/libpod/image/image_test.go
+++ b/libpod/image/image_test.go
@@ -81,9 +81,9 @@ func TestImage_NewFromLocal(t *testing.T) {
// Need images to be present for this test
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false)
+ bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
- bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false)
+ bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
tm, err := makeLocalMatrix(bb, bbglibc)
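Review bot: Every updated call passes `false` for `forceSecure`, here and in the `TestImage_New` and `TestImage_MatchRepoTag` hunks, and none of the tests shown pulls from a registry on the insecure list, so the new branch in `pullImage` that sets `DockerInsecureSkipTLSVerify` appears to be untested in both directions. A case that points `REGISTRIES_CONFIG_PATH` at a temporary file, as libpod/runtime_img_test.go already does, and calls `New` with `forceSecure` set to `true` would cover the override, assuming the moved `pkg/registries` helpers still honour that variable. The test function extends beyond this hunk.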
@@ -126,7 +126,7 @@ func TestImage_New(t *testing.T) {
// Iterate over the names and delete the image
// after the pull
for _, img := range names {
- newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false)
+ newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
assert.NotEqual(t, newImage.ID(), "")
err = newImage.Remove(false)
@@ -150,7 +150,7 @@ func TestImage_MatchRepoTag(t *testing.T) {
}
ir, err := NewImageRuntimeFromOptions(so)
assert.NoError(t, err)
- newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false)
+ newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
assert.NoError(t, err)
err = newImage.TagImage("foo:latest")
assert.NoError(t, err)
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 8c43c6054..b2d32b255 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
+ "github.com/containers/image/docker/reference"
"github.com/containers/image/docker/tarfile"
ociarchive "github.com/containers/image/oci/archive"
"github.com/containers/image/pkg/sysregistries"
@@ -18,6 +19,9 @@ import (
"github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
"github.com/pkg/errors"
+ "github.com/projectatomic/libpod/pkg/registries"
+ "github.com/projectatomic/libpod/pkg/util"
+ "github.com/sirupsen/logrus"
)
var (
@@ -151,7 +155,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
// pullImage pulls an image from configured registries
// By default, only the latest tag (or a specific tag if requested) will be
// pulled.
-func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) {
+func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
// pullImage copies the image from the source to the destination
var pullStructs []*pullStruct
sc := GetSystemContext(signaturePolicyPath, authfile, false)
@@ -174,8 +178,25 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
}
defer policyContext.Destroy()
- copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ insecureRegistries, err := registries.GetInsecureRegistries()
+ if err != nil {
+ return "", err
+ }
+
for _, imageInfo := range pullStructs {
+ copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false)
+ if imageInfo.srcRef.Transport().Name() == DockerTransport {
+ imgRef, err := reference.Parse(imageInfo.srcRef.DockerReference().String())
+ if err != nil {
+ return "", err
+ }
+ registry := reference.Domain(imgRef.(reference.Named))
+
+ if util.StringInSlice(registry, insecureRegistries) && !forceSecure {
+ copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true
+ logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry))
+ }
+ }
// Print the following statement only when pulling from a docker or atomic registry
if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
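Review bot: `imgRef.(reference.Named)` is an unchecked type assertion that panics if `reference.Parse` returns a reference that is not named, and the round trip through `String()` and `Parse` is unnecessary because `DockerReference()` already returns a `reference.Named`; `registry := reference.Domain(imageInfo.srcRef.DockerReference())` yields the same domain without the extra error branch. The write to `copyOptions.SourceCtx.DockerInsecureSkipTLSVerify` assumes `getCopyOptions` always populates `SourceCtx`, which this hunk does not show. Turning off certificate verification is a downgrade an operator should see at default log levels, so `logrus.Warnf("%s is an insecure registry; pulling with tls-verify=false", registry)` fits better than `logrus.Info(fmt.Sprintf(...))`. The insecure list comes from configuration (the helper removed from libpod/runtime_img.go honoured `REGISTRIES_CONFIG_PATH`; its replacement in `pkg/registries` is not shown), so write access to that file or variable decides which registries lose verification and is worth a line in the function comment. `pullImage` starts before and continues after this hunk.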
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 94d412c84..168e27c67 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -16,6 +16,7 @@ import (
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod/image"
"github.com/projectatomic/libpod/pkg/hooks"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
)
@@ -549,7 +550,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
}
info = append(info, InfoData{Type: "store", Data: storeInfo})
- reg, err := GetRegistries()
+ reg, err := sysreg.GetRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
@@ -557,7 +558,7 @@ func (r *Runtime) Info() ([]InfoData, error) {
registries["registries"] = reg
info = append(info, InfoData{Type: "registries", Data: registries})
- i, err := GetInsecureRegistries()
+ i, err := sysreg.GetInsecureRegistries()
if err != nil {
return nil, errors.Wrapf(err, "error getting registries")
}
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index ef1791884..041de0cc2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -3,15 +3,12 @@ package libpod
import (
"fmt"
"io"
- "os"
"github.com/containers/image/directory"
"github.com/containers/image/docker"
dockerarchive "github.com/containers/image/docker/archive"
ociarchive "github.com/containers/image/oci/archive"
- "github.com/containers/image/pkg/sysregistries"
"github.com/containers/image/tarball"
- "github.com/containers/image/types"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -180,31 +177,3 @@ func removeStorageContainers(ctrIDs []string, store storage.Store) error {
}
return nil
}
-
-// GetRegistries gets the searchable registries from the global registration file.
-func GetRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- searchRegistries, err := sysregistries.GetRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return searchRegistries, nil
-}
-
-// GetInsecureRegistries obtains the list of inseure registries from the global registration file.
-func GetInsecureRegistries() ([]string, error) {
- registryConfigPath := ""
- envOverride := os.Getenv("REGISTRIES_CONFIG_PATH")
- if len(envOverride) > 0 {
- registryConfigPath = envOverride
- }
- registries, err := sysregistries.GetInsecureRegistries(&types.SystemContext{SystemRegistriesConfPath: registryConfigPath})
- if err != nil {
- return nil, errors.Errorf("unable to parse the registries.conf file")
- }
- return registries, nil
-}
diff --git a/libpod/runtime_img_test.go b/libpod/runtime_img_test.go
index f7f7128a4..c608c1b25 100644
--- a/libpod/runtime_img_test.go
+++ b/libpod/runtime_img_test.go
@@ -6,6 +6,7 @@ import (
"reflect"
"testing"
+ sysreg "github.com/projectatomic/libpod/pkg/registries"
"github.com/stretchr/testify/assert"
)
@@ -38,7 +39,7 @@ func TestGetRegistries(t *testing.T) {
assert.NoError(t, err)
defer os.Remove(registryPath)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
- registries, err := GetRegistries()
+ registries, err := sysreg.GetRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"one"}))
}
@@ -48,7 +49,7 @@ func TestGetInsecureRegistries(t *testing.T) {
assert.NoError(t, err)
os.Setenv("REGISTRIES_CONFIG_PATH", registryPath)
defer os.Remove(registryPath)
- registries, err := GetInsecureRegistries()
+ registries, err := sysreg.GetInsecureRegistries()
assert.NoError(t, err)
assert.True(t, reflect.DeepEqual(registries, []string{"two"}))
}