Commit a8d45f66 authored by Martin Peres's avatar Martin Peres

podman: add support for --tls-verify

The patch will be sent upstream to podman once we are satisfied with it.
parent 5afbf1de
...@@ -24,10 +24,13 @@ ...@@ -24,10 +24,13 @@
FROM alpine:edge FROM alpine:edge
COPY patches /patches
RUN set -ex \ RUN set -ex \
&& apk add --no-cache bash go git upx make linux-headers crun busybox ca-certificates e2fsprogs parted gpgme gpgme-dev util-linux pigz libseccomp-dev conmon patch \ && apk add --no-cache bash go git upx make linux-headers crun busybox ca-certificates e2fsprogs parted gpgme gpgme-dev util-linux pigz libseccomp-dev conmon patch \
&& git clone https://github.com/containers/podman.git /src/podman/ \ && git clone https://github.com/containers/podman.git /src/podman/ \
&& cd /src/podman \ && cd /src/podman \
&& patch -p1 < /patches/podman/0001-create-run-mirror-the-tls-verify-argument-from-pull.patch \
&& make EXTRA_LDFLAGS="-w -s" BUILD_ARG="exclude_graphdriver_btrfs btrfs_noversion exclude_graphdriver_devicemapper seccomp" podman \ && make EXTRA_LDFLAGS="-w -s" BUILD_ARG="exclude_graphdriver_btrfs btrfs_noversion exclude_graphdriver_devicemapper seccomp" podman \
&& upx --best bin/podman \ && upx --best bin/podman \
&& cp bin/podman /bin/podman \ && cp bin/podman /bin/podman \
From 4f6faf3adf03fb110c4e078e6b98cb7218706b5c Mon Sep 17 00:00:00 2001
From: Martin Peres <martin.peres@mupuf.org>
Date: Tue, 23 Mar 2021 09:22:38 +0200
Subject: [PATCH] create/run: mirror the `tls-verify` argument from `pull`
This enables the use of insecure registries in the podman run/create
commands, rather than first having to pull the image, then referencing
it in podman run/create.
Signed-off-by: Martin Peres <martin.peres@mupuf.org>
---
cmd/podman/common/create.go | 6 ++++++
cmd/podman/common/create_opts.go | 1 +
cmd/podman/containers/create.go | 20 ++++++++++++++++----
cmd/podman/containers/run.go | 2 +-
4 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index d1170710b..4e332477b 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -689,6 +689,12 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
)
_ = cmd.RegisterFlagCompletionFunc(systemdFlagName, AutocompleteSystemdFlag)
+ createFlags.BoolVar(
+ &cf.TLSVerify,
+ "tls-verify", true,
+ "Require HTTPS and verify certificates when contacting registries",
+ )
+
tmpfsFlagName := "tmpfs"
createFlags.StringArrayVar(
&cf.TmpFS,
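Review bot: The new flag on L42-L46 is registered with a bare literal `"tls-verify"`, while the neighbouring flags in DefineCreateFlags bind the name to a variable first (`systemdFlagName` on L41, `tmpfsFlagName` on L48), and the same literal is spelled a second time in `cmd.Flags().Changed("tls-verify")` in the cmd/podman/containers/create.go hunk; a typo in either copy would not fail loudly, it would silently leave SkipTLSVerify unset. Suggest `tlsVerifyFlagName := "tls-verify"` here and a shared constant for the lookup in pullImage so the two spellings cannot drift. The help string could also state the scope, e.g. `"Require HTTPS and verify certificates when contacting registries (affects the image pull only)"`, which is what the create.go hunk implements. DefineCreateFlags continues outside the hunk.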
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index a296ef4f1..2cff665a9 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -107,6 +107,7 @@ type ContainerCLIOpts struct {
SubGIDName string
Sysctl []string
Systemd string
+ TLSVerify bool
TmpFS []string
TTY bool
Timezone string
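Review bot: The new `TLSVerify` field on L59 has no comment, and its zero value (`false`) reads as "verification disabled" even though the create.go hunk only consults it after `cmd.Flags().Changed("tls-verify")`; anyone reading the field directly in future code would get the unsafe default without realising the flag was never set. Suggest `// TLSVerify mirrors --tls-verify; only meaningful when the flag was explicitly set (see pullImage).` above the field. ContainerCLIOpts continues outside the hunk.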
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index af9278ce1..ccd6bf1f4 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/common/pkg/config"
"github.com/containers/image/v5/storage"
"github.com/containers/image/v5/transports/alltransports"
+ "github.com/containers/image/v5/types"
"github.com/containers/podman/v3/cmd/podman/common"
"github.com/containers/podman/v3/cmd/podman/registry"
"github.com/containers/podman/v3/cmd/podman/utils"
@@ -102,7 +103,7 @@ func create(cmd *cobra.Command, args []string) error {
rawImageName := ""
if !cliVals.RootFS {
rawImageName = args[0]
- name, err := pullImage(args[0])
+ name, err := pullImage(cmd, args[0])
if err != nil {
return err
}
@@ -219,7 +220,7 @@ func createInit(c *cobra.Command) error {
return nil
}
-func pullImage(imageName string) (string, error) {
+func pullImage(cmd *cobra.Command, imageName string) (string, error) {
pullPolicy, err := config.ValidatePullPolicy(cliVals.Pull)
if err != nil {
return "", err
@@ -263,7 +264,8 @@ func pullImage(imageName string) (string, error) {
if pullPolicy == config.PullImageNever {
return "", errors.Wrapf(define.ErrNoSuchImage, "unable to find a name and tag match for %s in repotags", imageName)
}
- pullReport, pullErr := registry.ImageEngine().Pull(registry.GetContext(), imageName, entities.ImagePullOptions{
+
+ pullOptions := entities.ImagePullOptions{
Authfile: cliVals.Authfile,
Quiet: cliVals.Quiet,
Arch: cliVals.Arch,
@@ -271,7 +273,17 @@ func pullImage(imageName string) (string, error) {
Variant: cliVals.Variant,
SignaturePolicy: cliVals.SignaturePolicy,
PullPolicy: pullPolicy,
- })
+ }
+
+ // TLS verification in c/image is controlled via a `types.OptionalBool`
+ // which allows for distinguishing among set-true, set-false, unspecified
+ // which is important to implement a sane way of dealing with defaults of
+ // boolean CLI flags.
+ if cmd.Flags().Changed("tls-verify") {
+ pullOptions.SkipTLSVerify = types.NewOptionalBool(!cliVals.TLSVerify)
+ }
+
+ pullReport, pullErr := registry.ImageEngine().Pull(registry.GetContext(), imageName, pullOptions)
if pullErr != nil {
return "", pullErr
}
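Review bot: The comment on L109-L112 explains why `types.OptionalBool` is used but not what happens on the default path, which is the security-relevant case: when `--tls-verify` is not passed, `SkipTLSVerify` stays undefined and the decision is presumably left to c/image and the registry's `insecure` entry in registries.conf, not to the `true` default declared for the flag. Suggest extending the comment with `// When the flag is not given, SkipTLSVerify is left undefined so the registries.conf setting for that registry applies.` so the `true` shown in --help is not mistaken for a hard guarantee. The `cmd.Flags()` call on L113 assumes a non-nil `cmd`; both call sites in this patch pass the cobra command, so a doc line on pullImage stating that requirement is enough. pullImage continues outside the hunk.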
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index 83a5d7b8a..ac70d973f 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -127,7 +127,7 @@ func run(cmd *cobra.Command, args []string) error {
rawImageName := ""
if !cliVals.RootFS {
rawImageName = args[0]
- name, err := pullImage(args[0])
+ name, err := pullImage(cmd, args[0])
if err != nil {
return err
}
--
2.30.2