summaryrefslogtreecommitdiff
path: root/libpod/image/pull.go
Commit message (Collapse)AuthorAge
* Set blob cache directory based on GraphDriverDaniel J Walsh2019-03-29
| | | | | | | | | | | | Currently in rootless containers, we end up not using the blob cache. We also don't store the blob cache based on the users specified graph storage. This change will cause the cache directory to be stored with the rest of the containe images. While doing this patch, I found that we had duplicated GetSystemContext in two places in libpod. I cleaned this up. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add event logging to libpod, even display to podmanbaude2019-03-11
| | | | | | | | | | | | | | | | | In lipod, we now log major events that occurr. These events can be displayed using the `podman events` command. Each event contains: * Type (container, image, volume, pod...) * Status (create, rm, stop, kill, ....) * Timestamp in RFC3339Nano format * Name (if applicable) * Image (if applicable) The format of the event and the varlink endpoint are to not be considered stable until cockpit has done its enablement. Signed-off-by: baude <bbaude@redhat.com>
* pull: promote debug statement to errorGiuseppe Scrivano2019-03-11
| | | | | | print an error if there is any failure pulling an image. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* OpenTracing support added to start, stop, run, create, pull, and psSebastian Jug2019-02-18
| | | | | | Drop context.Context field from cli.Context Signed-off-by: Sebastian Jug <sejug@redhat.com>
* Changes to container runlabel for toolbox projectbaude2019-01-30
| | | | | | | | | | The toolbox project would benefit from a few changes to more closely resembe the original atomic cli project. Changes made are: * only pull image for container runlabel if the label exists in the image * if a container image does not have the desired label, exit with non-zero Signed-off-by: baude <bbaude@redhat.com>
* Use getPullRefPair / getSinglePullRefPairGoal in ↵Miloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | pullGoalFromPossiblyUnqualifiedName This shortens the code a bit, but most importantly ensures that all pulls from docker.Transport are processed exactly the same way, and there is only a single store.ParseStoreReference in the pull code. It's a bit wasteful to call decompose() in getPullRefPair just after pullGoalFromPossiblyUnqualifiedName has qualified the name, but on balance only having exactly one code path seems worth it. Alternatively we could split getPullRefPairToQualifiedDestination from getPullRefPair. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.referenceWithRegistry in pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | CHANGES BEHAVIOR. This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization). Using the original digest seems clearly correct; dropping the :latest suffix from .image strings, and adding /library to docker.io/shortname, only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.ParseNormalizedNamed and reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag, or libray/, or not. This also allows us to drop the problematic hasShaInInputName heuristic/condition/helper. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.referenceWithRegistry in getPullRefPairMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | CHANGES BEHAVIOR. This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization). Using the original digest seems clearly correct; dropping the :latest suffix from .image strings only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag or not. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Don't use imageParts.assemble when pulling from a qualified nameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | CHANGES BEHAVIOR. If the name is qualified, instead of decomposing it into components and re-assembling, just use the input name unmodified: - For name:tag values, .assemble() just recreates the input. - For untagged values, .assemble() adds ":latest"; we keep the input as is, but both docker.ParseReference and storage.Transport.ParseStoreReference use reference.TagNameOnly() already. - For digested references, .assemble() adds ":none", but the code was already bypassing .assemble() on that path already - for the source reference. For the destination, this replaces a :none destination with a the @digest reference, as expected. Note that while decompose() has already parsed the input, it (intentionally) bypassed the docker.io/library normalization; therefore we parse the input again (via docker.ParseReference) to ensure that the reference is normalized. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | Both imageParts and this function implicitly assume docker.Transport troughout, so instead of pretending to be flexible about DefaultTransport, just hard-code docker.ParseReference directly. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove imageParts.transportMiloslav Trmač2019-01-14
| | | | | | | | | | It is only ever set to DefaulTransport, and all of the code is docker/reference-specific anyway, so there's no point in making this a variable. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | After inlining assembleWithTransport, we have two branches with the same prepending of decomposedImage.transport; move that out of the branches. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Inline imageParts.assembleWithTransport into callersMiloslav Trmač2019-01-14
| | | | | | | | | | | | | imageParts.transport is a constant, and the design of imageParts is not transport-independent in any sense; we will want to eliminate the transport member entirely. As a first step, drop assembleWithTransport and inline an exact equivalent into all callers. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Drop image.DecomposeString, make image.Parts private imageParts againMiloslav Trmač2019-01-14
| | | | | | | | | Now that DecomposeString has no users, make the type private again. Any new users of it should come with a rationale - and new users of the "none"/"latest" handling of untagged/digested names that is currently implemented should have an exceptionaly unusual rationale. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* remote-client support for imagesbaude2019-01-10
| | | | Signed-off-by: baude <bbaude@redhat.com>
* Fix reporting the registries.conf path on errorMiloslav Trmač2018-12-06
| | | | | | | i.e. actually reflect the environment variable and/or rootless mode instead of always using the default path. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove manual handling of insecure registries in doPullImageMiloslav Trmač2018-12-06
| | | | | | Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the forceSecure parameter on the pull call stackMiloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Minimally update for the DockerInsecureSkipTLSVerify type changeMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Vendor in new new buildah/cibaude2018-10-17
| | | | | | | libpod requires new buildah and container image versions to resolve bug #1640298 Signed-off-by: baude <bbaude@redhat.com>
* libpod/image/pull: Return image-pulling errors from doPullImageW. Trevor King2018-09-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong. Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors). With this commit and a config like: $ cat /etc/containers/registries.conf [registries.search] registries = ['registry.access.redhat.com', 'quay.io', 'docker.io'] pulling an unqualified missing image looks like: $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required A qualified image looks like: $ podman pull quay.io/does-not/exist Trying to pull quay.io/does-not/exist...Failed error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example: $ cat /etc/hosts 127.0.0.1 quay.io $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1456 Approved by: rhatdan
* Print errors from individual pull attemptsMatthew Heon2018-09-05
| | | | | | | | | | | Right now, we don't print errors from c/image while trying to pull images. This prints the errors when log-level=debug is set so we can debug errors while pulling. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1409 Approved by: baude
* switch projectatomic to containersDaniel J Walsh2018-08-16
| | | | | | | | | | Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
* Fix ambiguity in adding localhost to podman savehaircommander2018-08-08
| | | | | | | | | | | ...and some naming decisions. This change ensures podman save doesn't incorrectly prepend localhost when saving an image. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1140 Approved by: rhatdan
* Better pull error for fully-qualified imagesbaude2018-08-06
| | | | | | | | | | | | | | | | | | | When pulling a fully-qualified image that fails, we should not be talking about registries/search registries in the the error message as it is not applicable. If a image that is fq'd and fails to pull, the error should be simplified. ``` $ sudo podman pull this-does-not-exist.example.com/foo Trying to pull this-does-not-exist.example.com/foo...Failed error pulling image "this-does-not-exist.example.com/foo": unable to pull this-does-not-exist.example.com/foo: unable to pull image, or you do not have pull access $ ``` Resolves: #1212 Signed-off-by: baude <bbaude@redhat.com> Closes: #1216 Approved by: mheon
* clarify pull error messagebaude2018-08-02
| | | | | | | | | | | | | when pulling, we can fail to find an image (i.e. it doesn't exist) or we can not have authority/access to pull it. the registries don't tell us one way or another so the error message needs to cover both. Resolves #1194 Signed-off-by: baude <bbaude@redhat.com> Closes: #1195 Approved by: rhatdan
* Inline pullGoalNamesFromPossiblyUnqualifiedName into ↵Miloslav Trmač2018-08-02
| | | | | | | | | | | | | | | Runtime.pullGoalFromPossibly... Again, we only needed them split for tests; so, integrate them back. Then drop all remaining references to pullRefName and pullGoalNames, which are not used for anything. Should not change behavior Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1198 Approved by: mheon
* Replace getPullRefName by Runtime.getPullRefPairMiloslav Trmač2018-08-02
| | | | | | | | | | | | | | | | | | This more or less reverts 9c9401a96c0b7d43dcea19c2972ef9612cc0a136 "Replace getPullRefPair with getPullRefName"; now that tests don't require us to use pullRefName, move creation of storage references deeper into the calls stack to reduce string use. ir.getSinglePullRefNameGoal is accordingly updated to ir.getSinglePullRefPairGoal, and we need to add a ~duplicate singlePullRefPairGoal; that duplication of singlePullRefNameGoal will soon be resolved by dropping singlePullRefNameGoal. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1198 Approved by: mheon
* Inline pullGoalNamesFromImageReference back into ↵Miloslav Trmač2018-08-02
| | | | | | | | | | | | | | | | | | Runtime.pullGoalFromImageReference Now that we don't need a separate pullGoalNamesFromImageReference for running tests, inline it back. This forces us to add some glue code to getSinglePullRefNameGoal and to convert between pullGoal and *pullGoal; that is temporary and will be cleaned up soon. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1198 Approved by: mheon
* Introduce getSinglePullRefNameGoalMiloslav Trmač2018-08-02
| | | | | | | | | | | | | | | | | This merely wraps the > return singlePullRefNameGoal(getPullRefName(... reference)), nil pattern which is used for almost all getPullRefName uses. For now it seems not really worth it, but it will result in shorter code (and smaller migration) after we replace getPullRefName with getPullRefPair, which can fail, again - the pullGoalNamesFromImageReference will not have to add any error handling. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1198 Approved by: mheon
* RFC: Rename runtime.pullImage to runtime.pullImageFromHeuristicSourceMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | | | This is similar to the PushImageToHeuristicDestination RFC. The goal is to be very explicit about which functions try to heuristically guess what is the expected format of the string. Not quite "shaming" the users, but making sure they stand out. RFC: - Is this at all acceptable? Desirable? Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Introduce Runtime.pullImageFromReference, call it in Runtime.FromImageReferenceMiloslav Trmač2018-08-01
| | | | | | | | | | | FINALLY, (podman load) can pass through an ImageReference directly from loadCmd all the way to pullGoalNamesFromImageReference, making sure not to trigger the docker-like reference parsing heuristics. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Split doPullImage from pullImageMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | Now that we have a pullGoal, separate determination of the goal from performing it; we will then introduce another entry point with a supplied types.ImageReference. Also remove or correct some misleading comments. Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Remove the forceCompress parameter from getCopyOptions and DRO.GetSystemContextMiloslav Trmač2018-08-01
| | | | | | | | | | | Use the parent types.SystemContext data instead. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Remove the authFile parameter from getCopyOptions and DRO.GetSystemContextMiloslav Trmač2018-08-01
| | | | | | | | | | | Use the parent types.SystemContext data instead. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Remove the signaturePolicyPath parameter from getCopyOptions and ↵Miloslav Trmač2018-08-01
| | | | | | | | | | | | | DRO.GetSystemContext Use the parent types.SystemContext data instead. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Add a *types.SystemContext parameter to getCopyOptions and DRO.GetSystemContextMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | All callers of getCopyOptions also call GetSystemContext with the same three parameters; we will want to simplify this by passing the first SystemContext to getCopyOptions, which can then inherit this data instead of so many parameters everywhere. For now, just add a *types.SystemContext parameter without using it. Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Move pullImage from Image to RuntimeMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | | pullImage (now) only uses Image.InputName; it is really used to _create_ an Image object, based on the pull results (as is most visible in the LoadFromArchive caller), so it should not be a method on it. This also simplifies a bit the number of different kids of uses of Image.InputName; still apparently not enough to clearly document the field, though. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Do not re-parse the list of search registries just for an error messageMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | ... when we even only count them. This eliminates a rare error case, and saves time re-reading and re-parsing the input. (We still compute registryPath redundantly, and it may get out of sync.) Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Eliminate duplicate determination whether to use search registriesMiloslav Trmač2018-08-01
| | | | | | | | | | | | Instead of duplicating the hasRegistry logic, just record whether we did use search or not. Should not change behavior (but does not add unit tests for all of it). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Eliminate the "DockerArchive means pull all refPairs" special caseMiloslav Trmač2018-08-01
| | | | | | | | | | | | Instead, encode it explicitly in pullGoal.pullAllPairs. Should not change behavior (but does not add unit tests for all of it). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Introduce struct pullGoalNamesMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | | | | This is an intermediate version of pullGoal, which exists basically only for easier testing without containers-storage: (i.e. root access) in unit tests. Like pullGoal, we will add more members to make it useful in the future. RFC: Unlike pullGoal, the return value is *pullGoalNames, because there are quite a few (return nil, err) cases which would be more difficult to read when returning a value. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Introduce struct pullGoalMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | The eventual goal is to cleanly capture semantics like "pull all images for DockerArchive" and "did a search through $registries" without hard-coding it through; and to allow a pullImage variant where the caller can pass an imageReference directly. For now, this just wraps []pullRefPair and should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Use []pullRefPair instead of []*pullRefPairMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | We are passing the values, don't really need the pointer sharing semantics, and the structures are small enough, and the arrays short enough, that we very likely lose on the indirect accesses more than we save on quicker copying of the slices when extending them. Value semantics is safer anyway. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Use []pullRefName instead of []*pullRefNameMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | We are passing the values, don't really need the pointer sharing semantics, and the structures are small enough, and the arrays short enough, that we very likely lose on the indirect accesses more than we save on quicker copying of the slices when extending them. Value semantics is safer anyway. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Introduce singlePullRefNameGoalMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | All but two cases returning a []*pullRefName only return a single item. Introduce a helper for that case, which seems not worth it now, but the return value will get a bit more complex and introducing the helper now will minimize code changes in future commits. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Use an early return from refNamesFromPossiblyUnqualifiedNameMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | We will introduce helpers for the "single image" case, and having a separate return statement will make them applicable here. (Also allows us to reduce the scope of some variables a bit.) Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Remove an unnecessary use of alltransports.ParseImageNameMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | When the string is formatted including a constant transport name, just call the transport to create or parse a reference explicitly. This avoids unnecessary string formatting and parsing. Then drop image.TarballTransport, which has no remaining users. Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Don't format to string and re-parse a DockerReference()Miloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | We already have a c/image/docker/reference.Named; no need to round-trip it through a string. This also eliminates the theoretical parsing failure, and the unchecked .(reference.Named) cast. Also add a check for DockerReference() == nil to be extra paranoid, although that should never happen. Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* Remove the :// end from DockerTransportMiloslav Trmač2018-08-01
| | | | | | | | | | | | | | | | | | | | | | | (... but keep it in DefaultTransport, which remains irregular.) This makes DockerTransport consistent with the others, and much more importantly, allows several instances to do > imgRef.Transport().Name() == DockerTransport instead of the current > strings.HasPrefix(DockerTransport, imgRef.Transport().Name()) , which currently works but is pretty nonsensical (it does not check the "docker://" prefix against the _full reference_, but it checks the _transport name_ as a prefix of "docker://", i.e. a transport named "d" would be accepted. Should not change behavior, because the only currently existing transport which has a name that is a prefix of "docker://" is c/image/docker.Transport (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan