From 313e5e83e92f68349d2026fc3f358f237fe93a4a Mon Sep 17 00:00:00 2001 From: baude Date: Mon, 16 Apr 2018 13:39:00 -0500 Subject: regression: tls verify should be set on registries.conf if insecure In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude Closes: #626 Approved by: mheon --- libpod/image/image.go | 4 ++-- libpod/image/image_test.go | 8 ++++---- libpod/image/pull.go | 25 +++++++++++++++++++++++-- 3 files changed, 29 insertions(+), 8 deletions(-) (limited to 'libpod/image') diff --git a/libpod/image/image.go b/libpod/image/image.go index 89da71cb6..cf0c7ec1b 100644 --- a/libpod/image/image.go +++ b/libpod/image/image.go @@ -117,7 +117,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) { // New creates a new image object where the image could be local // or remote -func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull bool) (*Image, error) { +func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) { // We don't know if the image is local or not ... check local first newImage := Image{ InputName: name, @@ -137,7 +137,7 @@ func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Wri if signaturePolicyPath == "" { signaturePolicyPath = ir.SignaturePolicyPath } - imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions) + imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure) if err != nil { return nil, errors.Errorf("unable to pull %s", name) } diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go index 8c1138f71..f160a14a4 100644 --- a/libpod/image/image_test.go +++ b/libpod/image/image_test.go @@ -81,9 +81,9 @@ func TestImage_NewFromLocal(t *testing.T) { // Need images to be present for this test ir, err := NewImageRuntimeFromOptions(so) assert.NoError(t, err) - bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false) + bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false) assert.NoError(t, err) - bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false) + bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false) assert.NoError(t, err) tm, err := makeLocalMatrix(bb, bbglibc) @@ -126,7 +126,7 @@ func TestImage_New(t *testing.T) { // Iterate over the names and delete the image // after the pull for _, img := range names { - newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false) + newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false, false) assert.NoError(t, err) assert.NotEqual(t, newImage.ID(), "") err = newImage.Remove(false) @@ -150,7 +150,7 @@ func TestImage_MatchRepoTag(t *testing.T) { } ir, err := NewImageRuntimeFromOptions(so) assert.NoError(t, err) - newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false) + newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false) assert.NoError(t, err) err = newImage.TagImage("foo:latest") assert.NoError(t, err) diff --git a/libpod/image/pull.go b/libpod/image/pull.go index 8c43c6054..b2d32b255 100644 --- a/libpod/image/pull.go +++ b/libpod/image/pull.go @@ -10,6 +10,7 @@ import ( "github.com/containers/image/directory" "github.com/containers/image/docker" dockerarchive "github.com/containers/image/docker/archive" + "github.com/containers/image/docker/reference" "github.com/containers/image/docker/tarfile" ociarchive "github.com/containers/image/oci/archive" "github.com/containers/image/pkg/sysregistries" @@ -18,6 +19,9 @@ import ( "github.com/containers/image/transports/alltransports" "github.com/containers/image/types" "github.com/pkg/errors" + "github.com/projectatomic/libpod/pkg/registries" + "github.com/projectatomic/libpod/pkg/util" + "github.com/sirupsen/logrus" ) var ( @@ -151,7 +155,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin // pullImage pulls an image from configured registries // By default, only the latest tag (or a specific tag if requested) will be // pulled. -func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions) (string, error) { +func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) { // pullImage copies the image from the source to the destination var pullStructs []*pullStruct sc := GetSystemContext(signaturePolicyPath, authfile, false) @@ -174,8 +178,25 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string } defer policyContext.Destroy() - copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false) + insecureRegistries, err := registries.GetInsecureRegistries() + if err != nil { + return "", err + } + for _, imageInfo := range pullStructs { + copyOptions := getCopyOptions(writer, signaturePolicyPath, dockerOptions, nil, signingOptions, authfile, "", false) + if imageInfo.srcRef.Transport().Name() == DockerTransport { + imgRef, err := reference.Parse(imageInfo.srcRef.DockerReference().String()) + if err != nil { + return "", err + } + registry := reference.Domain(imgRef.(reference.Named)) + + if util.StringInSlice(registry, insecureRegistries) && !forceSecure { + copyOptions.SourceCtx.DockerInsecureSkipTLSVerify = true + logrus.Info(fmt.Sprintf("%s is an insecure registry; pulling with tls-verify=false", registry)) + } + } // Print the following statement only when pulling from a docker or atomic registry if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) { io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image)) -- cgit v1.2.3-54-g00ecf