Update c/image for sysregistriesv2 changes and automatic docker:// insecure configuration #1930
1022f43 to 9ef5816
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: vrothberg
/test images
pkg/registries/registries.go (outdated)
Previously the REGISTRIES_CONFIG_PATH environment variable was honored also for the rootless case.
It is probably enough to change the order of the checks.
Oops, thanks for catching this. Should be fixed now.
9ef5816 to aff7bbf
vrothberg left a comment
Just minor nits. Thanks for the nice PR! Especially for breaking the PR up into easier to digest pieces.
docs/podman-login.1.md (outdated)
s/used,/used./
If set to false + "," + then
Same for docs/podman-push.1.md
Thanks, updated all 5 man pages with --tls-verify similarly.
libpod/image/image.go (outdated)
An idea for future work, orthogonal to this PR: maybe a (OptionalBoolFalse).IsFalse() method would be nice. Same for IsTrue().
(Or, maybe, at a higher level, something roughly like TLSVerificationDisabled, to also clarify the double negatives in SkipVerify…. And, independently, in podman, a shared helper for the !c.BoolT("tls-verify") to make sure there can’t be simple typos… — or, ultimately, a CLI rework that does not rely on the "tis-verify" string.
Luckily, this particular line was completely removed in one of the next commits, in favor of sysregistriesv2 doing the right thing, and no check of an optional boolean is the best kind of check of an optional boolean :) )
aff7bbf to 37e0665
☔ The latest upstream changes (presumably #1932) made this pull request unmergeable. Please resolve the merge conflicts.
37e0665 to 2129d1b
/lgtm
Nice work @mtrmac and @vrothberg
☔ The latest upstream changes (presumably #1924) made this pull request unmergeable. Please resolve the merge conflicts.
@mtrmac Needs a rebase.
2129d1b to ceccbbf
☔ The latest upstream changes (presumably #1946) made this pull request unmergeable. Please resolve the merge conflicts.
042ff83 to 0794d52
Rebased, tests are passing.
☔ The latest upstream changes (presumably #1905) made this pull request unmergeable. Please resolve the merge conflicts.
@mtrmac Sadly we got a conflict.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This updates buildah for the sysregistriesv2 changes. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... instead of unnecessarily adapting it for the DockerInsecureSkipTLSVerify type change. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Unrelated to the rest of the PR. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The newly introduced SystemRegistriesConfPath somewhat decreases duplication, but more importantly will allow future callers to set just a types.SystemContext.SystemRegistriesConfPath and not call GetRegistries / GetInsecureRegistries at all. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
i.e. actually reflect the environment variable and/or rootless mode instead of always using the default path. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
0794d52 to 489164f
Rebased again; non-Linux builds are broken, so absolutely untested – not even that it compiles.
Tests are passing. PTAL
LGTM
/lgtm
This updates c/image to include containers/image#468, buildah to include containers/buildah#1214, and updates the callers.
In addition to the straightforward API change, it also rips out the existing code manually handling the list of insecure registries; this should now be handled by the docker:// transport.
See the individual commit messages for details.
The way types.SystemContext.SystemRegistriesConfPath is set continues to be fairly irregular, only at the places that immediately need it; this really feels like something that should be set in one (and no more than one) shared helper, and types.SystemContext values should be passed along either the call stack or the data structures (Runtime?); this PR only makes a localized transition, admits to it via added FIXMEs, and does not have the ambition to rework the SystemContext use at all.
Warning: I haven’t tested this manually one bit.
This is a prerequisite to merging the blob-info-caching branch.
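The three-state behaviour the commit messages describe (--tls-verify=true and --tls-verify unset behaving differently), as an added Go example that is not code from this PR, podman or c/image. OptionalBool here is a local stand-in for the type named above, and skipTLSVerifyFromFlag and verifiesTLS are hypothetical helpers that assume an explicit flag value overrides a registry's insecure setting in registries.conf, while an unset flag defers to it.

```go
package main

import "fmt"

// OptionalBool is a local stand-in for the three-state type named in the PR
// (types.OptionalBool), defined here so the example has no dependencies.
type OptionalBool int

const (
	OptionalBoolUndefined OptionalBool = iota
	OptionalBoolTrue
	OptionalBoolFalse
)

// skipTLSVerifyFromFlag maps --tls-verify onto the inverted "skip verify"
// setting. flagSet reports whether the user passed the flag at all
// (hypothetical helper, not a podman function).
func skipTLSVerifyFromFlag(flagSet, tlsVerify bool) OptionalBool {
	switch {
	case !flagSet:
		return OptionalBoolUndefined // defer to registries.conf
	case tlsVerify:
		return OptionalBoolFalse // --tls-verify=true: do not skip verification
	default:
		return OptionalBoolTrue // --tls-verify=false: skip verification
	}
}

// verifiesTLS models the assumed transport decision: an explicit value wins,
// otherwise the registry's "insecure" entry in registries.conf decides.
func verifiesTLS(skip OptionalBool, insecureInConf bool) bool {
	if skip != OptionalBoolUndefined {
		return skip == OptionalBoolFalse
	}
	return !insecureInConf
}

func main() {
	// Constructed case: a registry that registries.conf marks as insecure.
	const insecureInConf = true
	for _, c := range []struct {
		name       string
		set, value bool
	}{{"unset", false, false}, {"--tls-verify=true", true, true}, {"--tls-verify=false", true, false}} {
		skip := skipTLSVerifyFromFlag(c.set, c.value)
		fmt.Printf("%-19s verifies TLS: %v\n", c.name, verifiesTLS(skip, insecureInConf))
	}
}
```

A plain bool cannot carry the "unset" row, which is why collapsing the flag to true/false either forces verification on configured-insecure registries or silently ignores an explicit --tls-verify=true.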