path: root/libpod/image
* Changes to container runlabel for toolbox project (baude, 2019-01-30)

  The toolbox project would benefit from a few changes to more closely resemble the original atomic cli project. Changes made are:

  * only pull image for container runlabel if the label exists in the image
  * if a container image does not have the desired label, exit with non-zero

  Signed-off-by: baude <bbaude@redhat.com>
* podman image prune -- implement all flag (baude, 2019-01-29)

  we now, by default, only prune dangling images. if --all is passed, we prune dangling images AND images that do not have an associated container.

  also went ahead and enabled the podman-remote image prune side of things.

  Fixes: #2192
  Signed-off-by: baude <bbaude@redhat.com>
* Remove imageParts.{isTagged,registry,name,tag} (Miloslav Trmač, 2019-01-14)

  Finally, these members no longer have any users. Future users should usually call referenceWithRegistry / normalizedReference, and work with the returned value, instead of reintroducing these variables. Similarly, direct uses of unnormalizedRef should be rare (only for cases where the registry and/or path truly does not matter).

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Clarify comments about isRegistry a bit. (Miloslav Trmač, 2019-01-14)

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.unnormalizedRef in GetImageBaseName (Miloslav Trmač, 2019-01-14)

  ... to remove the last user of imageParts.name.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* FIXME? Introduce imageParts.suspiciousRefNameTagValuesForSearch (Miloslav Trmač, 2019-01-14)

  Image.MatchRepoTag and findImageInRepoTags do some kind of heuristic search; the motivation and design of both, and how they should deal with digests, is not obvious to me.

  Instead of figuring that out now, just factor it out into a scary-named method and leave the "tag" value (with its "latest"/"none" value) alone.

  Similarly, the .registry and .name fields should typically not be used; users should use either hasRegistry or normalized reference types; so, isolate the difficult-to-understand search code, and computation of these values, into this new search-specific helper.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.referenceWithRegistry in Image.getLocalImage (Miloslav Trmač, 2019-01-14)

  ... to make sure everything uses the same code path.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Don't try to look up local images with an explicit :latest suffix (Miloslav Trmač, 2019-01-14)

  imageruntime.getImage, through ParseStoreReference, already uses reference.TagNameOnly on the input, so this extra lookup is completely redundant to the lookup that has already happened.

  Should not change behavior, apart from speeding up the code a bit.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Return a reference.Named from normalizedTag (Miloslav Trmač, 2019-01-14)

  Instead of returning a string, return a native value and convert it into the string in the caller, to make it that small bit more common to use reference types.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use reference.TagNameOnly instead of manually adding imageParts.tag in normalizeTag (Miloslav Trmač, 2019-01-14)

  Again, rely on the official API, instead of the surprising "suspiciousTagValueForSearch" value (set to :latest on untagged images, and :none on digested ones!)

  CHANGES BEHAVIOR, but the previous output of normalization of digested values was not even syntactically valid, so this can't really be worse.

  Still, maybe we should refuse to tag with digested references in the first place.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.normalizedReference in normalizeTag (Miloslav Trmač, 2019-01-14)

  This is another step to using reference values instead of strings here.

  CHANGES BEHAVIOR: docker.io/busybox is now normalized to docker.io/library/busybox.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add imageParts.normalizedReference() (Miloslav Trmač, 2019-01-14)

  This will be used in normalizeTag to work with references instead of strings.

  Not used anywhere yet, should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageparts.referenceWithRegistry in normalizeTag (Miloslav Trmač, 2019-01-14)

  ... instead of open-coding something similar. Eventually we will use the reference type further in here.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove no longer used imageParts.assemble() (Miloslav Trmač, 2019-01-14)

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use getPullRefPair / getSinglePullRefPairGoal in pullGoalFromPossiblyUnqualifiedName (Miloslav Trmač, 2019-01-14)

  This shortens the code a bit, but most importantly ensures that all pulls from docker.Transport are processed exactly the same way, and there is only a single store.ParseStoreReference in the pull code.

  It's a bit wasteful to call decompose() in getPullRefPair just after pullGoalFromPossiblyUnqualifiedName has qualified the name, but on balance only having exactly one code path seems worth it. Alternatively we could split getPullRefPairToQualifiedDestination from getPullRefPair.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.referenceWithRegistry in pullGoalFromPossiblyUnqualifiedName (Miloslav Trmač, 2019-01-14)

  CHANGES BEHAVIOR.

  This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization).

  Using the original digest seems clearly correct; dropping the :latest suffix from .image strings, and adding /library to docker.io/shortname, only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.ParseNormalizedNamed and reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag, or library/, or not.

  This also allows us to drop the problematic hasShaInInputName heuristic/condition/helper.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use imageParts.referenceWithRegistry in getPullRefPair (Miloslav Trmač, 2019-01-14)

  CHANGES BEHAVIOR.

  This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization).

  Using the original digest seems clearly correct; dropping the :latest suffix from .image strings only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag or not.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add imageParts.referenceWithRegistry (Miloslav Trmač, 2019-01-14)

  This is the primary goal of decompose()+assemble(), to support qualifying an image name.

  Does not have any users yet, so does not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Don't use imageParts.assemble when pulling from a qualified name (Miloslav Trmač, 2019-01-14)

  CHANGES BEHAVIOR.

  If the name is qualified, instead of decomposing it into components and re-assembling, just use the input name unmodified:

  - For name:tag values, .assemble() just recreates the input.
  - For untagged values, .assemble() adds ":latest"; we keep the input as is, but both docker.ParseReference and storage.Transport.ParseStoreReference use reference.TagNameOnly() already.
  - For digested references, .assemble() adds ":none", but the code was already bypassing .assemble() on that path already - for the source reference. For the destination, this replaces a :none destination with the @digest reference, as expected.

  Note that while decompose() has already parsed the input, it (intentionally) bypassed the docker.io/library normalization; therefore we parse the input again (via docker.ParseReference) to ensure that the reference is normalized.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Reorganize normalizeTag (Miloslav Trmač, 2019-01-14)

  Move the registry defaulting before tag defaulting.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify pullGoalFromPossiblyUnqualifiedName (Miloslav Trmač, 2019-01-14)

  Both imageParts and this function implicitly assume docker.Transport throughout, so instead of pretending to be flexible about DefaultTransport, just hard-code docker.ParseReference directly.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove imageParts.transport (Miloslav Trmač, 2019-01-14)

  It is only ever set to DefaultTransport, and all of the code is docker/reference-specific anyway, so there's no point in making this a variable.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify pullGoalFromPossiblyUnqualifiedName (Miloslav Trmač, 2019-01-14)

  After inlining assembleWithTransport, we have two branches with the same prepending of decomposedImage.transport; move that out of the branches.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Inline imageParts.assembleWithTransport into callers (Miloslav Trmač, 2019-01-14)

  imageParts.transport is a constant, and the design of imageParts is not transport-independent in any sense; we will want to eliminate the transport member entirely.

  As a first step, drop assembleWithTransport and inline an exact equivalent into all callers.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Record the original reference.Named in imageParts (Miloslav Trmač, 2019-01-14)

  We will eventually want to eliminate most members of imageParts in favor of using the c/image/docker/reference API directly.

  For now, just record the reference.Named value, and we will replace uses of the other members before removing them.

  Should not change behavior.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Drop image.DecomposeString, make image.Parts private imageParts again (Miloslav Trmač, 2019-01-14)

  Now that DecomposeString has no users, make the type private again. Any new users of it should come with a rationale - and new users of the "none"/"latest" handling of untagged/digested names that is currently implemented should have an exceptionally unusual rationale.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* remote-client support for images (baude, 2019-01-10)

  Signed-off-by: baude <bbaude@redhat.com>
* libpod/image: Use ParseNormalizedNamed in RepoDigests (W. Trevor King, 2019-01-09)

  Avoid generating quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and similar when the image name is already digest-based [1]. It's not clear exactly how we get into this state, but as shown by the unit tests, the new code handles this case correctly (while the previous code does not).

  [1]: https://github.com/containers/libpod/issues/2086

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #2106
  Approved by: rhatdan
* container runlabel NAME implementation (baude, 2019-01-04)

  when using container runlabel, if a --name is not provided, we must deduce the container name from the base name of the image to maintain parity with the atomic cli.

  fixed small bug where we split the cmd on " " rather than using fields could lead to extra spaces in command output.

  Signed-off-by: baude <bbaude@redhat.com>
* Switch all references to image.ContainerConfig to image.Config (Daniel J Walsh, 2018-12-21)

  This will more closely match what Docker is doing.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support podman image trust command (Qi Wang, 2018-12-19)

  Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories.

  Signed-off-by: Qi Wang <qiwan@redhat.com>
* Fix reporting the registries.conf path on error (Miloslav Trmač, 2018-12-06)

  i.e. actually reflect the environment variable and/or rootless mode instead of always using the default path.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove manual handling of insecure registries in doPullImage (Miloslav Trmač, 2018-12-06)

  Instead, just set SystemRegistriesConfPath and let the transport do it.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the forceSecure parameter on the pull call stack (Miloslav Trmač, 2018-12-06)

  DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove manual handling of insecure registries in PushImageToReference (Miloslav Trmač, 2018-12-06)

  Instead, just set SystemRegistriesConfPath and let the transport do it.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the forceSecure parameter of Image.PushImageTo* (Miloslav Trmač, 2018-12-06)

  DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Minimally update for the DockerInsecureSkipTLSVerify type change (Miloslav Trmač, 2018-12-06)

  Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers.

  Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating).

  Also make the --tls-verify man page sections a tiny bit more consistent throughout.

  This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups.

  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add ability to prune containers and images (baude, 2018-12-05)

  Allow user to prune unused/unnamed images, the layer images from building, via podman rmi --prune.

  Allow user to prune stopped/exited containers via podman rm --prune.

  This should resolve #1910

  Signed-off-by: baude <bbaude@redhat.com>
*   Merge pull request #1868 from QiWang19/issue860 (OpenShift Merge Robot, 2018-11-26)
|\
| |   Add history field to image inspect
| |
| * Add history and namespaceoptions to image inspect (Qi Wang, 2018-11-26)
| |
| |   Signed-off-by: Qi Wang <qiwan@redhat.com>
| |
* | add podman container|image exists (baude, 2018-11-26)
|/
|   Add an exists subcommand to podman container and podman image that allows users to verify the existence of a container or image by ID or name. The return code can be 0 (success), 1 (failed to find), or 125 (failed to work with runtime).
|
|   Issue #1845
|
|   Signed-off-by: baude <bbaude@redhat.com>
* Vendor in new new buildah/ci (baude, 2018-10-17)

  libpod requires new buildah and container image versions to resolve bug #1640298

  Signed-off-by: baude <bbaude@redhat.com>
* Add container runlabel command (baude, 2018-09-28)

  Execute the command as described by a container image. The value of the label is processed into a command by:

  1. Ensuring the first argument of the command is podman.
  2. Substituting any variables with those defined by the environment or otherwise.

  If no label exists in the container image, nothing is done.

      podman container runlabel LABEL IMAGE extra_args

  Signed-off-by: baude <bbaude@redhat.com>
* run complex image names with short names (baude, 2018-09-28)

  In cases where the image name is more complex like:

      quay/baude/alpine_nginx:latest

  and is not from the docker registry, we need to be able to run the image by its shortname such as baude/alpine_nginx. The same goes when the image is not from a registry but instead has the localhost repository.

  This resolves buildah issue #1034

  Signed-off-by: baude <bbaude@redhat.com>
* libpod/image/pull: Return image-pulling errors from doPullImage (W. Trevor King, 2018-09-14)

  We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong.

  Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors).

  With this commit and a config like:

      $ cat /etc/containers/registries.conf
      [registries.search]
      registries = ['registry.access.redhat.com', 'quay.io', 'docker.io']

  pulling an unqualified missing image looks like:

      $ podman pull does-not/exist
      Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
      Trying to pull quay.io/does-not/exist:latest...Failed
      Trying to pull docker.io/does-not/exist:latest...Failed
      error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
      * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
      * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized
      * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required

  A qualified image looks like:

      $ podman pull quay.io/does-not/exist
      Trying to pull quay.io/does-not/exist...Failed
      error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized

  If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example:

      $ cat /etc/hosts
      127.0.0.1 quay.io
      $ podman pull does-not/exist
      Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
      Trying to pull quay.io/does-not/exist:latest...Failed
      Trying to pull docker.io/does-not/exist:latest...Failed
      error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
      * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
      * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused
      * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required

  This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation.

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #1456
  Approved by: rhatdan
* Print errors from individual pull attempts (Matthew Heon, 2018-09-05)

  Right now, we don't print errors from c/image while trying to pull images. This prints the errors when log-level=debug is set so we can debug errors while pulling.

  Signed-off-by: Matthew Heon <mheon@redhat.com>
  Closes: #1409
  Approved by: baude
* We are mistakenly seeing repos as registries. (Daniel J Walsh, 2018-08-31)

  Currently `podman pull rhel7/rhel-tools` is failing because it sees rhel7 as a registry. This change will verify that the returned registry from the parser is actually a registry and not a repo, if a repo it will return the correct content, and we will pull the image.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1387
  Approved by: mtrmac
* switch projectatomic to containers (Daniel J Walsh, 2018-08-16)

  Need to get some small changes into libpod to pull back into buildah to complete buildah transition.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1270
  Approved by: mheon
* Fix ambiguity in adding localhost to podman save (haircommander, 2018-08-08)

  ...and some naming decisions. This change ensures podman save doesn't incorrectly prepend localhost when saving an image.

  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1140
  Approved by: rhatdan
* Better pull error for fully-qualified images (baude, 2018-08-06)

  When pulling a fully-qualified image that fails, we should not be talking about registries/search registries in the error message as it is not applicable. If an image that is fq'd and fails to pull, the error should be simplified.

  ```
  $ sudo podman pull this-does-not-exist.example.com/foo
  Trying to pull this-does-not-exist.example.com/foo...Failed
  error pulling image "this-does-not-exist.example.com/foo": unable to pull this-does-not-exist.example.com/foo: unable to pull image, or you do not have pull access
  $
  ```

  Resolves: #1212
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #1216
  Approved by: mheon