Commit message (Author, Age)
* Support (image trust show) for sigstoreSigned entries (Miloslav Trmač, 2022-08-25)
  sigstoreSigned does not have GPG IDs, so we add N/A in that column. NOTE: this does not show the use-sigstore-attachments value from registries.d. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements (Miloslav Trmač, 2022-08-25)
  Currently
  - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSigned)
  - all public key IDs are collected to a single line, even if some of them are interchangeable, and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2))
  So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Reorganize descriptionsOfPolicyRequirements a bit (Miloslav Trmač, 2022-08-25)
  Do the registries.d lookup once, separately from building an entry, so that we can share it across entries. Also prepare a separate res to allow adding multiple entries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use the full descriptionsOfPolicyRequirements for the default scope (Miloslav Trmač, 2022-08-25)
  ... instead of taking a shortcut, e.g. not listing any keys if they are required. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Rename haveMatchRegistry to registriesDConfigurationForScope (Miloslav Trmač, 2022-08-25)
  Just so that we don't have a boolean-named function returning a struct. Also reorder the parameters to have the container first, and the lookup key second. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Rename tempTrustShowOutput to entry (Miloslav Trmač, 2022-08-25)
  Now that it is the primary return value of a small function, the long name only makes reading harder. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Split descriptionsOfPolicyRequirements out of getPolicyShowOutput (Miloslav Trmač, 2022-08-25)
  This will eventually allow us to use it for the default scope as well, which currently uses a simplified version. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Recognize the new lookaside names for simple signing sigstore (Miloslav Trmač, 2022-08-25)
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add a unit test for trust.PolicyDescription (Miloslav Trmač, 2022-08-25)
  Add at least a basic unit test for the various entry types. So that we don't have to actually deal with GPG keys and /usr/bin/gpg*, parametrize the code with a gpgIDReader, and pass a fake one in the unit test. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Make the output of (podman image trust show) deterministic (Miloslav Trmač, 2022-08-25)
  Sort map keys instead of iterating in the Go-imposed random order. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Make most of pkg/trust package-private (Miloslav Trmač, 2022-08-25)
  We now have only a few entrypoints that are called externally, so make the rest private. This will make it more obvious that we are not breaking any external users. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescription (Miloslav Trmač, 2022-08-25)
  This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add support for sigstoreSigned in (podman image trust set) (Miloslav Trmač, 2022-08-25)
  NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Create new policy entries together with validating input (Miloslav Trmač, 2022-08-25)
  That way, we don't have to switch over trustType twice. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Improve validation of data in ImageEngine.SetTrust (Miloslav Trmač, 2022-08-25)
  - Also reject public keys with types that don't use them
  - Reject unknown trust types
  - And add unit tests
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntries (Miloslav Trmač, 2022-08-25)
  This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Also, actually add a basic smoke test of the core functionality. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add a variable for scope (Miloslav Trmač, 2022-08-25)
  Only process the incoming args[] (which is a single-element array for some reason) once, and use a semantic variable name for the value we care about. Should not change behavior, the only caller already supposedly ensures that len(args) == 1. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Make trust.CreateTempFile private (Miloslav Trmač, 2022-08-25)
  Nothing uses it outside the package. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Reorganize pkg/trust (Miloslav Trmač, 2022-08-25)
  Split the existing code into policy.go and registries.go, depending on which files it concerns. Only moves unchanged code, should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove an unused trust.ShowOutput type (Miloslav Trmač, 2022-08-25)
  Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove commented out code (Miloslav Trmač, 2022-08-25)
  We can always recover it from git, but it seems to serve no purpose anyway. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #15453 from edsantiago/docs_dedup_ipc (OpenShift Merge Robot, 2022-08-24)
  [CI:DOCS] Man pages: refactor common options: --ipc
* Man pages: refactor common options: --ipc (Ed Santiago, 2022-08-24)
  This is not an easy one to review, sorry. I went with the version from podman-create. The differences against podman-run are subtle: apostrophes, whitespace, and the arg description in the '####' line. Suggestion for review: run hack/markdown-preprocess-review, then after you finish with that, cd /tmp/markdown<TAB>/ipc and use your favorite two-file diff tool to compare podman-run* against zzz*. I did not even try to combine the podman-build one; that one is too different. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15439 from rhatdan/service (OpenShift Merge Robot, 2022-08-24)
  Fix documentation of use of tcp connections
* Fix documentation of use of tcp connections (Daniel J Walsh, 2022-08-23)
  Fixes: https://github.com/containers/podman/issues/15430 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #15437 from mheon/default_volume_timeout (OpenShift Merge Robot, 2022-08-24)
  Add support for containers.conf volume timeouts
* Add support for containers.conf volume timeouts (Matthew Heon, 2022-08-23)
  Also, do a general cleanup of all the timeout code. Changes include:
  - Convert from int to *uint where possible. Timeouts cannot be negative, hence the uint change; and a timeout of 0 is valid, so we need a new way to detect that the user set a timeout (hence, pointer).
  - Change name in the database to avoid conflicts between new data type and old one. This will cause timeouts set with 4.2.0 to be lost, but considering nobody is using the feature at present (and the lack of validation means we could have invalid, negative timeouts in the DB) this feels safe.
  - Ensure volume plugin timeouts can only be used with volumes created using a plugin. Timeouts on the local driver are nonsensical.
  - Remove the existing test, as it did not use a volume plugin. Write a new test that does.
  The actual plumbing of the containers.conf timeout in is one line in volume_api.go; the remainder are the above-described cleanups. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #15443 from flouthoc/env-merge-support (OpenShift Merge Robot, 2022-08-24)
  run,create: add support for `--env-merge` for preprocessing default environment variables
* run,create: add support for --env-merge for preprocessing vars (Aditya R, 2022-08-24)
  Allow end users to preprocess default environment variables before injecting them into a container using `--env-merge`.

  Usage
  ```
  podman run -it --rm --env-merge some=${some}-edit --env-merge some2=${some2}-edit2 myimage sh
  ```

  Closes: https://github.com/containers/podman/issues/15288 Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #15450 from edsantiago/docs_dedup_gidmap (OpenShift Merge Robot, 2022-08-24)
  [CI:DOCS] Man pages: refactor common options: --gidmap
* Man pages: refactor common options: --gidmap (Ed Santiago, 2022-08-24)
  Two versions: one for container-related commands, one for pods. The container one is easy: all versions matched, so I made no changes. The pod one is hard to review. I went with the pod-clone version because the pod-create one looks suspicious: it talks in terms of containers, not pods. It's possible that I've got it wrong, and that these two cannot be combined, so please review very carefully. I strongly recommend using hack/markdown-preprocess-review for this one. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15444 from foriequal0/podman-docker-rootless (OpenShift Merge Robot, 2022-08-24)
  Rootless Docker API socket alias can be exposed with user mode systemd-tmpfiles
* Fix rpm packaging error (SeongChan Lee, 2022-08-24)
  Signed-off-by: SeongChan Lee <foriequal@gmail.com>
* Install podman-docker.conf on user-tmpfiles.d too (SeongChan Lee, 2022-08-24)
  `systemd-tmpfiles` reads "user" configurations in `/usr/share/user-tmpfiles.d` when `--user` mode is set. User unit `systemd-tmpfiles-setup.service` can be enabled to alias rootless socket through systemd-tmpfiles. Signed-off-by: SeongChan Lee <foriequal@gmail.com>
* Use tmpfiles.d specifiers instead of fixed path (SeongChan Lee, 2022-08-24)
  Rootless Docker daemon exposes its API socket on `$XDG_RUNTIME_DIR/docker.sock`. On tmpfiles.d, `%t` is the same as `$XDG_RUNTIME_DIR` in `--user` mode, and `/run` otherwise. We can reuse the same config file for both modes with this change. Signed-off-by: SeongChan Lee <foriequal@gmail.com>
* Merge pull request #15447 from sstosh/e2e-memswap (OpenShift Merge Robot, 2022-08-24)
  e2e: Add run --memory-swap test
* e2e: Add run --memory-swap test (Toshiki Sonoda, 2022-08-24)
  There is no e2e/system test of the --memory-swap option. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* Merge pull request #15445 from dfr/freebsd-info (OpenShift Merge Robot, 2022-08-24)
  libpod: Add support for 'podman info' on FreeBSD
* libpod: Enable 'podman info' for FreeBSD (Doug Rabson, 2022-08-24)
  [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Move getCPUUtilization to info_linux.go (Doug Rabson, 2022-08-24)
  The Linux implementation uses /proc/stat - the FreeBSD equivalent is quite different where this information is exposed via sysctl. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Read kernel version and uptime using buildah/pkg/util (Doug Rabson, 2022-08-24)
  [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Split out platform-specific code from hostInfo (Doug Rabson, 2022-08-24)
  [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15449 from edsantiago/docs_dedup_workdir (OpenShift Merge Robot, 2022-08-24)
  [CI:DOCS] Man pages: Refactor common options: --workdir
* Man pages: Refactor common options: --workdir (Ed Santiago, 2022-08-24)
  I chose the version from podman-run because it is the most up-to-date, and most correct wrt current syntax guidelines. Differences are in arg description, language, and asterisks. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15351 from marshall-lee/images-pull-simple (OpenShift Merge Robot, 2022-08-24)
  Simplify ImagesPull for when Quiet flag is on
* Add ProgressWriter to PullOptions (Vladimir Kochnev, 2022-08-19)
  Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* Pass io.Writer when pushing images/manifests from command line (Vladimir Kochnev, 2022-08-18)
  [NO NEW TESTS NEEDED] Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* Use request Context() in API handlers (Vladimir Kochnev, 2022-08-18)
  The request object has its own context, which must be used during a request lifetime instead of just context.Background(). [NO NEW TESTS NEEDED] Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* Simplify ImagesPull for when Quiet flag is on (Vladimir Kochnev, 2022-08-18)
  Refactor ImagesPull the same way the ImagesPush and ManifestPush are done. [NO NEW TESTS NEEDED] Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* Merge pull request #15375 from lsm5/packit-f37 (OpenShift Merge Robot, 2022-08-24)
  Packit: Enable scratch build testing for Fedora 36, 37 and Rawhide