Commit message / Author / Age
* Merge pull request #15466 from mtrmac/image-trust-sigstore  (Daniel J Walsh, 2022-08-25)
    podman image trust overhaul, incl. sigstore
  * Preserve all unknown PolicyRequirement fields on (podman image trust set)  (Miloslav Trmač, 2022-08-25)
      We are unmarshaling and re-marshaling JSON, which can _silently_ drop data with the Go design decision.
      Try harder, by using json.RawMessage at least for the data we care about.
      Alternatively, this could use json.Decoder.DisallowUnknownFields.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Reorganize the types in policy.go a bit  (Miloslav Trmač, 2022-08-25)
      ... to go from top to bottom.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Add support for showing keyPaths in (podman image trust show)  (Miloslav Trmač, 2022-08-25)
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Support (image trust show) for sigstoreSigned entries  (Miloslav Trmač, 2022-08-25)
      sigstoreSigned does not have GPG IDs, so we add N/A in that column.
      NOTE: this does not show the use-sigstore-attachments value from registries.d.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements  (Miloslav Trmač, 2022-08-25)
      Currently
      - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSigned)
      - all public key IDs are collected to a single line, even if some of them are interchangeable, and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2))
      So, stop collapsing the requirements, and return a separate entry for each one.
      Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
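Added example (not podman's or containers/image's own code) in Go, illustrating two of the commits above: "Preserve all unknown PolicyRequirement fields on (podman image trust set)" and "BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements". It keeps each policy requirement as a json.RawMessage and edits it as a map of raw values, so a set operation does not silently drop fields a fixed struct does not model (the naive round trip is shown beside it for contrast), and it describes a scope with one row per requirement, where key paths within a row are alternatives and rows are conjunctive, following the (A OR B) AND (C OR D) reading in the commit message. The gpgIDReader indirection mirrors the fake-reader approach described in "Add a unit test for trust.PolicyDescription". The type names, the sample requirement list and the key paths are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// entry is one listing row per requirement, never one collapsed row per scope.
// Key paths within a row are alternatives; all rows of a scope must hold, the
// "(A OR B) AND (C OR D)" case from the commit message.
type entry struct {
	Type     string
	KeyPaths []string
	GPGIDs   string // "N/A" for types without GPG identities, e.g. sigstoreSigned
}

// gpgIDReader abstracts reading key IDs from a keyring so no gpg binary is needed.
type gpgIDReader func(keyPath string) []string

// describeRequirement decodes only what it needs for display; the raw message is
// never re-emitted from this partial struct, so nothing is lost here.
func describeRequirement(raw json.RawMessage, readIDs gpgIDReader) (entry, error) {
	var known struct {
		Type     string   `json:"type"`
		KeyPath  string   `json:"keyPath"`
		KeyPaths []string `json:"keyPaths"`
	}
	if err := json.Unmarshal(raw, &known); err != nil {
		return entry{}, err
	}
	e := entry{Type: known.Type, KeyPaths: known.KeyPaths, GPGIDs: "N/A"}
	if known.KeyPath != "" {
		e.KeyPaths = append([]string{known.KeyPath}, e.KeyPaths...)
	}
	switch known.Type {
	case "signedBy":
		var ids []string
		for _, p := range e.KeyPaths {
			ids = append(ids, readIDs(p)...)
		}
		e.GPGIDs = strings.Join(ids, ", ")
	case "sigstoreSigned", "insecureAcceptAnything", "reject":
	default:
		return entry{}, fmt.Errorf("unknown requirement type %q", known.Type)
	}
	return e, nil
}

// setKeyPath rewrites keyPath on a signedBy requirement and keeps every other
// field, because it edits a map of raw values rather than a fixed struct.
func setKeyPath(raw json.RawMessage, newPath string) (json.RawMessage, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(raw, &fields); err != nil {
		return nil, err
	}
	var typ string
	if err := json.Unmarshal(fields["type"], &typ); err != nil || typ != "signedBy" {
		return nil, fmt.Errorf("keyPath is only valid for signedBy, got %q", typ)
	}
	fields["keyPath"], _ = json.Marshal(newPath) // a plain string cannot fail to marshal
	delete(fields, "keyPaths")                   // only one of keyPath/keyPaths/keyData may be set
	delete(fields, "keyData")
	return json.Marshal(fields)
}

// naiveSetKeyPath is the failure mode: decode into a struct of known fields,
// mutate, re-encode. Fields absent from the struct (signedIdentity, keyType) vanish.
func naiveSetKeyPath(raw json.RawMessage, newPath string) (json.RawMessage, error) {
	var known struct {
		Type    string `json:"type"`
		KeyPath string `json:"keyPath,omitempty"`
	}
	if err := json.Unmarshal(raw, &known); err != nil {
		return nil, err
	}
	known.KeyPath = newPath
	return json.Marshal(known)
}

// sampleScope is constructed for this example; the key paths are made up.
const sampleScope = `[{"type":"signedBy","keyType":"GPGKeys","keyPaths":["/etc/pki/prod.gpg","/etc/pki/beta.gpg"]},
 {"type":"signedBy","keyType":"GPGKeys","keyPath":"/etc/pki/partner.gpg","signedIdentity":{"type":"matchRepository"}},
 {"type":"sigstoreSigned","keyPath":"/etc/pki/cosign.pub"}]`

func main() {
	var reqs []json.RawMessage // each requirement kept verbatim
	if err := json.Unmarshal([]byte(sampleScope), &reqs); err != nil {
		panic(err)
	}
	fakeIDs := func(path string) []string { return []string{"ID(" + path + ")"} }
	for _, raw := range reqs {
		e, err := describeRequirement(raw, fakeIDs)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s %-45s %s\n", e.Type, strings.Join(e.KeyPaths, " OR "), e.GPGIDs)
	}
}
```

Running it prints three rows, one per requirement: the first two signedBy rows must both be satisfied, while the paths inside a row are interchangeable; the sigstoreSigned row shows N/A in the GPG column. Calling setKeyPath on the second requirement keeps signedIdentity and keyType intact, whereas naiveSetKeyPath returns only type and keyPath with no error, which is exactly the silent loss the commit guards against.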
  * Reorganize descriptionsOfPolicyRequirements a bit  (Miloslav Trmač, 2022-08-25)
      Do the registries.d lookup once, separately from building an entry, so that we can share it across entries.
      Also prepare a separate res to allow adding multiple entries.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Use the full descriptionsOfPolicyRequirements for the default scope  (Miloslav Trmač, 2022-08-25)
      ... instead of taking a shortcut, e.g. not listing any keys if they are required.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Rename haveMatchRegistry to registriesDConfigurationForScope  (Miloslav Trmač, 2022-08-25)
      Just so that we don't have a boolean-named function returning a struct.
      Also reorder the parameters to have the container first, and the lookup key second.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Rename tempTrustShowOutput to entry  (Miloslav Trmač, 2022-08-25)
      Now that it is the primary return value of a small function, the long name only makes reading harder.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Split descriptionsOfPolicyRequirements out of getPolicyShowOutput  (Miloslav Trmač, 2022-08-25)
      This will eventually allow us to use it for the default scope as well, which currently uses a simplified version.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Recognize the new lookaside names for simple signing sigstore  (Miloslav Trmač, 2022-08-25)
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Add a unit test for trust.PolicyDescription  (Miloslav Trmač, 2022-08-25)
      Add at least a basic unit test for the various entry types.
      So that we don't have to actually deal with GPG keys and /usr/bin/gpg*, parametrize the code with a gpgIDReader, and pass a fake one in the unit test.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Make the output of (podman image trust show) deterministic  (Miloslav Trmač, 2022-08-25)
      Sort map keys instead of iterating in the Go-imposed random order.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Make most of pkg/trust package-private  (Miloslav Trmač, 2022-08-25)
      We now have only a few entrypoints that are called externally, so make the rest private.
      This will make it more obvious that we are not breaking any external users.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescription  (Miloslav Trmač, 2022-08-25)
      This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency).
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Add support for sigstoreSigned in (podman image trust set)  (Miloslav Trmač, 2022-08-25)
      NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Create new policy entries together with validating input  (Miloslav Trmač, 2022-08-25)
      That way, we don't have to switch over trustType twice.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Improve validation of data in ImageEngine.SetTrust  (Miloslav Trmač, 2022-08-25)
      - Also reject public keys with types that don't use them
      - Reject unknown trust types
      - And add unit tests
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntries  (Miloslav Trmač, 2022-08-25)
      This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency).
      Also, actually add a basic smoke test of the core functionality.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Add a variable for scope  (Miloslav Trmač, 2022-08-25)
      Only process the incoming args[] (which is a single-element array for some reason) once, and use a semantic variable name for the value we care about.
      Should not change behavior, the only caller already supposedly ensures that len(args) == 1.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Make trust.CreateTempFile private  (Miloslav Trmač, 2022-08-25)
      Nothing uses it outside the package.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Reorganize pkg/trust  (Miloslav Trmač, 2022-08-25)
      Split the existing code into policy.go and registries.go, depending on which files it concerns.
      Only moves unchanged code, should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Remove an unused trust.ShowOutput type  (Miloslav Trmač, 2022-08-25)
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Remove commented out code  (Miloslav Trmač, 2022-08-25)
      We can always recover it from git, but it seems to serve no purpose anyway.
      Should not change behavior.
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #15480 from lsm5/tmp-revert-packit  (OpenShift Merge Robot, 2022-08-25)
    Temporarily Revert "Packit: Enable scratch build testing for Fedora 36, 37 and Rawhide"
  * Temporarily Revert "Packit: Enable scratch build testing for Fedora 36, 37 and Rawhide"  (Lokesh Mandvekar, 2022-08-25)
      Packit will probably be brought back soon after including fix-spec-file-action.
      See: PR #15457
      This reverts commit d45a5d4aa0d04b97ce8a6ad7467e85be870c8d7a.
      [NO NEW TESTS NEEDED]
      Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* Merge pull request #15470 from edsantiago/docs_dedup_logopts  (OpenShift Merge Robot, 2022-08-25)
    [CI:DOCS] Man pages: refactor common options: log-related options
  * Man pages: refactor common options: log-related options  (Ed Santiago, 2022-08-24)
      podman-logs and podman-pod-logs. Most of these were already identical, needing no review. Exceptions:
      --follow : needed some container/pod tweaking. This is the only one that really needs careful review.
      --names : I went with the longer version
      Note that podman-events has --since and --until options too, but those are too different to be combined here.
      Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15468 from edsantiago/test_cleanup_bats  (OpenShift Merge Robot, 2022-08-25)
    System test cleanup
  * System test cleanup  (Ed Santiago, 2022-08-24)
      Misspellings, broken code, missing tests
      Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15469 from edsantiago/test_cleanup_apiv2  (Valentin Rothberg, 2022-08-25)
    APIv2 test cleanup
  * APIv2 test cleanup  (Ed Santiago, 2022-08-24)
      Whole slew of bugs that got introduced while I wasn't paying attention. Most of them are of the form "let's use hand-crafted curl commands and do our own error checking and exit uncleanly on error and leave the system in an unstable state".
      To be fair, those were done because there was no existing mechanism for uploading JSON files or somesuch. So, add one.
      Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15455 from baude/issue15247  (Valentin Rothberg, 2022-08-25)
    Allow colons in windows file paths
  * Allow colons in windows file paths  (Brent Baude, 2022-08-24)
      The `podman save` command was failing on windows due to the use of a colon between the drive letter and first directory. The check was intended for Linux and not windows.
      Fixes #15247
      [NO NEW TESTS NEEDED]
      Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #15467 from giuseppe/mount-test-private  (OpenShift Merge Robot, 2022-08-25)
    test: use private instead of slave for the mount
  * test: use private instead of slave for the mount  (Giuseppe Scrivano, 2022-08-24)
      Using "slave" means that every mount operation on the host that happens between the mount creation for `/host` and running `findmnt` will be propagated to the container mount.
      To prevent new mounts on the host to appear in the container thus invalidating the test we have, just create the mount as private and use `/sys` as source as it has multiple mounts on the top but less likely to get new mounts once it is configured.
      Closes: https://github.com/containers/podman/issues/15241
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15433 from arixmkii/win_compat3_rootless  (OpenShift Merge Robot, 2022-08-24)
    Fixes isRootful check using qemu machine on Windows
  * Fixes isRootful check using qemu machine on Windows  (Arthur Sengileyev, 2022-08-24)
      Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
* Merge pull request #15458 from edsantiago/docs_dedup_pid  (OpenShift Merge Robot, 2022-08-24)
    [CI:DOCS] Man pages: refactor common options: --pid
  * Man pages: refactor common options: --pid  (Ed Santiago, 2022-08-24)
      I chose the one from podman-run, but reordered ns/private to put them in alphabetical order.
      Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15454 from vrothberg/bump-psgo  (Daniel J Walsh, 2022-08-24)
    vendor containers/psgo@v1.7.3
  * vendor containers/psgo@v1.7.3  (Valentin Rothberg, 2022-08-24)
      Add three new capabilities that would otherwise be reported as unknown.
      Also add an e2e test making sure that `podman top` knows all capabilities of the current kernel. I refrained from adding a system test since this may blow up in gating tests.
      Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15434 from rhatdan/manifest1  (OpenShift Merge Robot, 2022-08-24)
    Allow podman to run in an environment with keys containing spaces
  * Allow podman to run in an environment with keys containing spaces  (Daniel J Walsh, 2022-08-23)
      Fixes: https://github.com/containers/podman/issues/15251
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #15459 from giuseppe/fix-test-comment  (Daniel J Walsh, 2022-08-24)
    test: fix comment
  * test: fix comment  (Giuseppe Scrivano, 2022-08-24)
      It is not a kernel bug. Rootless users are not allowed to use non recursive bind mounts, otherwise they would be able to uncover mounts that were not visible before to them.
      [CI:DOCS] it is just a comment fix.
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15453 from edsantiago/docs_dedup_ipc  (OpenShift Merge Robot, 2022-08-24)
    [CI:DOCS] Man pages: refactor common options: --ipc
  * Man pages: refactor common options: --ipc  (Ed Santiago, 2022-08-24)
      This is not an easy one to review, sorry.
      I went with the version from podman-create. The differences against podman-run are subtle: apostrophes, whitespace, and the arg description in the '####' line.
      Suggestion for review: run hack/markdown-preprocess-review, then after you finish with that, cd /tmp/markdown<TAB>/ipc and use your favorite two-file diff tool to compare podman-run* against zzz*.
      I did not even try to combine the podman-build one; that one is too different.
      Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15439 from rhatdan/service  (OpenShift Merge Robot, 2022-08-24)
    Fix documentation of use of tcp connections