From 319c85e89ee2ee565da12680cca041335296a0c0 Mon Sep 17 00:00:00 2001
From: Shivkumar13
Date: Wed, 11 Aug 2021 22:57:25 +0530
Subject: Support for --tls-verify flag in podman run & podman create
Signed-off-by: Shivkumar13
---
 cmd/podman/common/create.go | 9 +++++++++
 cmd/podman/common/create_opts.go | 1 +
 cmd/podman/containers/create.go | 4 +++-
 docs/source/markdown/podman-create.1.md | 4 ++++
 docs/source/markdown/podman-run.1.md | 4 ++++
 test/e2e/create_test.go | 20 +++++++++++++++++---
 test/e2e/run_test.go | 18 +++++++++++++++++-
 7 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 602ad5d94..401cf2e09 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -544,6 +544,15 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
 )
 _ = cmd.RegisterFlagCompletionFunc(podIDFileFlagName, completion.AutocompleteDefault)
+ // Flag for TLS verification, so that `run` and `create` commands can make use of it.
+ // Make sure to use `=` while using this flag i.e `--tls-verify=false/true`
+ tlsVerifyFlagName := "tls-verify"
+ createFlags.BoolVar(
+ &cf.TLSVerify,
+ tlsVerifyFlagName, true,
+ "Require HTTPS and verify certificates when contacting registries for pulling images",
+ )
+
 createFlags.BoolVar(
 &cf.Privileged,
 "privileged", false,
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 0a969bfd2..3b39e39ea 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -112,6 +112,7 @@ type ContainerCLIOpts struct {
 Sysctl []string
 Systemd string
 Timeout uint
+ TLSVerify bool
 TmpFS []string
 TTY bool
 Timezone string
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 906ae4452..be5ace4c8 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
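Review bot: The second comment line on the new flag tells users to write `=` but not why, and the reason is worth recording because it affects how `run`/`create` parse their positional arguments: for a pflag BoolVar, `--tls-verify false` is read as the bare flag (true) followed by `false` as the image name. Suggest `// Boolean flag: write --tls-verify=false; a separate "false" token would be parsed as the image argument.` in its place. Note also that the default of true registered here is indistinguishable from an explicit `--tls-verify=true` unless the consumer in cmd/podman/containers/create.go checks whether the flag was changed, which matters for the registries.conf fallback the man page promises. DefineCreateFlags continues outside the hunk.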
@@ -10,6 +10,7 @@ import (
 "github.com/containers/common/pkg/completion"
 "github.com/containers/common/pkg/config"
 "github.com/containers/image/v5/transports/alltransports"
+ "github.com/containers/image/v5/types"
 "github.com/containers/podman/v3/cmd/podman/common"
 "github.com/containers/podman/v3/cmd/podman/registry"
 "github.com/containers/podman/v3/cmd/podman/utils"
@@ -260,7 +261,7 @@ func createInit(c *cobra.Command) error {
 }
 func pullImage(imageName string) (string, error) {
- pullPolicy, err := config.ValidatePullPolicy(cliVals.Pull)
+ pullPolicy, err := config.ParsePullPolicy(cliVals.Pull)
 if err != nil {
 return "", err
 }
@@ -286,6 +287,7 @@ func pullImage(imageName string) (string, error) {
 Variant: cliVals.Variant,
 SignaturePolicy: cliVals.SignaturePolicy,
 PullPolicy: pullPolicy,
+ SkipTLSVerify: types.NewOptionalBool(!cliVals.TLSVerify), // If Flag changed for TLS Verification
 })
 if pullErr != nil {
 return "", pullErr
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 723592016..1fad18786 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -992,6 +992,10 @@ Maximum time a container is allowed to run before conmon sends it the kill signal. By default containers will run until they exit or are stopped by `podman stop`.
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
 #### **--tmpfs**=*fs*
 Create a tmpfs mount
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index afee64775..caff714d6 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
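Review bot: `SkipTLSVerify: types.NewOptionalBool(!cliVals.TLSVerify)` is assigned unconditionally, so the option is always an explicit true or false and never left undefined; with the flag defaulting to true, every pull that did not pass `--tls-verify` now carries SkipTLSVerify=false, which as far as I understand the containers/image semantics overrides an `insecure = true` registries.conf entry instead of deferring to it. That does not match the man-page text added in this same commit ("If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf"), and the trailing comment `// If Flag changed for TLS Verification` describes a check that is not made. The field should only be set when the flag was actually given; since pullImage receives only imageName, the changed state would need to be recorded in createInit (the -260 hunk shows it takes `c *cobra.Command`) via `c.Flags().Changed("tls-verify")` and carried alongside cliVals, with the comment rewritten to say so. pullImage continues outside the hunk.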
@@ -1048,6 +1048,10 @@ Maximum time a container is allowed to run before conmon sends it the kill signal. By default containers will run until they exit or are stopped by `podman stop`.
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
 #### **--tmpfs**=*fs*
 Create a tmpfs mount.
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
index 975596dee..32d98c2a9 100644
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -60,10 +60,24 @@ var _ = Describe("Podman create", func() {
 })
 It("podman container create container based on a remote image", func() {
- session := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+ containerCreate := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+ containerCreate.WaitWithDefaultTimeout()
+ Expect(containerCreate).Should(Exit(0))
+
+ lock := GetPortLock("5000")
+ defer lock.Unlock()
+ session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(podmanTest.NumberOfContainers()).To(Equal(1))
+
+ if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+ Skip("Cannot start docker registry.")
+ }
+
+ create := podmanTest.Podman([]string{"container", "create", "--tls-verify=false", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(3))
 })
 It("podman create using short options", func() {
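Review bot: The registry started on port 5000 is never pushed to or pulled from, so the `--tls-verify=false` create pulls ALPINE (defined elsewhere; presumably a public image, and likely already in the local cache) from its normal registry and the test passes whether or not SkipTLSVerify ever reaches the pull. To exercise the flag, push the image into the plain-HTTP local registry and then create from `localhost:5000/...` with `--tls-verify=false`; the same gap exists in the run_test.go hunk below. The container count assertion can stay at 3 because push creates no container. The image name in the sketch is illustrative.
```go
	// … unchanged: first create, registry start, WaitContainerReady …
	push := podmanTest.Podman([]string{"push", "--tls-verify=false", ALPINE, "localhost:5000/tls-verify-alpine"})
	push.WaitWithDefaultTimeout()
	Expect(push).Should(Exit(0))

	create := podmanTest.Podman([]string{"container", "create", "--tls-verify=false", "localhost:5000/tls-verify-alpine"})
	create.WaitWithDefaultTimeout()
	Expect(create).Should(Exit(0))
	// … unchanged: NumberOfContainers assertion …
```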
@@ -609,7 +623,7 @@ var _ = Describe("Podman create", func() {
 Expect(session).Should(ExitWithError())
 })
- It("create container in pod ppublish ports should fail", func() {
+ It("create container in pod publish ports should fail", func() {
 name := "createwithpublishports"
 pod := podmanTest.RunTopContainerInPod("", "new:"+name)
 pod.WaitWithDefaultTimeout()
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index d68aa6ac4..f60cfcab8 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -166,9 +166,25 @@ var _ = Describe("Podman run", func() {
 })
 It("podman run a container based on remote image", func() {
- session := podmanTest.Podman([]string{"run", "-dt", BB_GLIBC, "ls"})
+ // Changing session to rsession
+ rsession := podmanTest.Podman([]string{"run", "-dt", ALPINE, "ls"})
+ rsession.WaitWithDefaultTimeout()
+ Expect(rsession).Should(Exit(0))
+
+ lock := GetPortLock("5000")
+ defer lock.Unlock()
+ session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
+
+ if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+ Skip("Cannot start docker registry.")
+ }
+
+ run := podmanTest.Podman([]string{"run", "--tls-verify=false", ALPINE})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(Exit(0))
+ Expect(podmanTest.NumberOfContainers()).To(Equal(3))
 })
 It("podman run a container with a --rootfs", func() {
--
cgit v1.2.3-54-g00ecf
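Review bot: The comment `// Changing session to rsession` in the run_test.go hunk describes the edit rather than the code and will read as noise once merged; either drop it or say what the variable is, e.g. `// rsession: the container run from the public image; "session" is the local registry started below.` The switch from BB_GLIBC to ALPINE in that first run is not mentioned in the subject and appears unrelated to the flag; if it is deliberate, a word in the message would help. The registry-never-used gap raised on the create_test.go hunk above applies to this test as well.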