Update c/image for sysregistriesv2 changes and automatic docker:// insecure configuration

API.md

@@ -609,7 +609,8 @@ $ varlink call -m unix:/run/podman/io.podman/io.podman.PullImage '{"name": "regi
 
 method PushImage(name: [string](https://godoc.org/builtin#string), tag: [string](https://godoc.org/builtin#string), tlsverify: [bool](https://godoc.org/builtin#bool)) [string](https://godoc.org/builtin#string)</div>
 PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image,
-and a boolean as to whether tls-verify should be used.  It will return an [ImageNotFound](#ImageNotFound) error if
+and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior).
+It will return an [ImageNotFound](#ImageNotFound) error if
 the image cannot be found in local storage; otherwise the ID of the image will be returned on success.
 ### <a name="RemoveContainer"></a>func RemoveContainer
 <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">

cmd/podman/create.go

@@ -129,7 +129,7 @@ func createContainer(c *cli.Context, runtime *libpod.Runtime) (*libpod.Container
 	var data *inspect.ImageData = nil
 
 	if rootfs == "" && !rootless.SkipStorageSetup() {
-		newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
+		newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false)
 		if err != nil {
 			return nil, nil, err
 		}

cmd/podman/login.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/containers/image/docker"
 	"github.com/containers/image/pkg/docker/config"
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/common"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
@@ -93,7 +94,9 @@ func loginCmd(c *cli.Context) error {
 		return errors.Wrapf(err, "error getting username and password")
 	}
 
-	sc.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+	if c.IsSet("tls-verify") {
+		sc.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
+	}
 	if c.String("cert-dir") != "" {
 		sc.DockerCertPath = c.String("cert-dir")
 	}

cmd/podman/pull.go

@@ -64,7 +64,6 @@ specified, the image with the 'latest' tag (if it exists) is pulled
 // pullCmd gets the data from the command line and calls pullImage
 // to copy an image from a registry to a local machine
 func pullCmd(c *cli.Context) error {
-	forceSecure := false
 	runtime, err := libpodruntime.GetRuntime(c)
 	if err != nil {
 		return errors.Wrapf(err, "could not get runtime")
@@ -104,12 +103,11 @@ func pullCmd(c *cli.Context) error {
 	}
 
 	dockerRegistryOptions := image2.DockerRegistryOptions{
-		DockerRegistryCreds:         registryCreds,
-		DockerCertPath:              c.String("cert-dir"),
-		DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
+		DockerRegistryCreds: registryCreds,
+		DockerCertPath:      c.String("cert-dir"),
 	}
 	if c.IsSet("tls-verify") {
-		forceSecure = c.Bool("tls-verify")
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
 	}
 
 	// Possible for docker-archive to have multiple tags, so use LoadFromArchiveReference instead
@@ -125,7 +123,7 @@ func pullCmd(c *cli.Context) error {
 		imgID = newImage[0].ID()
 	} else {
 		authfile := getAuthFile(c.String("authfile"))
-		newImage, err := runtime.ImageRuntime().New(getContext(), image, c.String("signature-policy"), authfile, writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
+		newImage, err := runtime.ImageRuntime().New(getContext(), image, c.String("signature-policy"), authfile, writer, &dockerRegistryOptions, image2.SigningOptions{}, true)
 		if err != nil {
 			return errors.Wrapf(err, "error pulling image %q", image)
 		}

cmd/podman/push.go

@@ -81,7 +81,6 @@ func pushCmd(c *cli.Context) error {
 	var (
 		registryCreds *types.DockerAuthConfig
 		destName      string
-		forceSecure   bool
 	)
 
 	args := c.Args()
@@ -108,7 +107,6 @@ func pushCmd(c *cli.Context) error {
 	}
 
 	certPath := c.String("cert-dir")
-	skipVerify := !c.BoolT("tls-verify")
 	removeSignatures := c.Bool("remove-signatures")
 	signBy := c.String("sign-by")
 
@@ -145,14 +143,12 @@ func pushCmd(c *cli.Context) error {
 		}
 	}
 
-	if c.IsSet("tls-verify") {
-		forceSecure = c.Bool("tls-verify")
-	}
-
 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerRegistryCreds:         registryCreds,
-		DockerCertPath:              certPath,
-		DockerInsecureSkipTLSVerify: skipVerify,
+		DockerRegistryCreds: registryCreds,
+		DockerCertPath:      certPath,
+	}
+	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
 	}
 
 	so := image.SigningOptions{
@@ -167,5 +163,5 @@ func pushCmd(c *cli.Context) error {
 
 	authfile := getAuthFile(c.String("authfile"))
 
-	return newImage.PushImageToHeuristicDestination(getContext(), destName, manifestType, authfile, c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions, forceSecure, nil)
+	return newImage.PushImageToHeuristicDestination(getContext(), destName, manifestType, authfile, c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions, nil)
 }

cmd/podman/runlabel.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/cmd/podman/libpodruntime"
 	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/libpod/image"
@@ -153,8 +154,10 @@ func runlabelCmd(c *cli.Context) error {
 	}
 
 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerCertPath:              c.String("cert-dir"),
-		DockerInsecureSkipTLSVerify: !c.BoolT("tls-verify"),
+		DockerCertPath: c.String("cert-dir"),
+	}
+	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
 	}
 
 	authfile := getAuthFile(c.String("authfile"))

cmd/podman/save.go

@@ -146,7 +146,7 @@ func saveCmd(c *cli.Context) error {
 			return err
 		}
 	}
-	if err := newImage.PushImageToReference(getContext(), destRef, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}, false, additionaltags); err != nil {
+	if err := newImage.PushImageToReference(getContext(), destRef, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}, additionaltags); err != nil {
 		if err2 := os.Remove(output); err2 != nil {
 			logrus.Errorf("error deleting %q: %v", output, err)
 		}

cmd/podman/search.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/containers/image/docker"
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/cmd/podman/formats"
 	"github.com/containers/libpod/libpod/common"
 	sysreg "github.com/containers/libpod/pkg/registries"
@@ -72,11 +73,12 @@ type searchParams struct {
 }
 
 type searchOpts struct {
-	filter   []string
-	limit    int
-	noTrunc  bool
-	format   string
-	authfile string
+	filter                []string
+	limit                 int
+	noTrunc               bool
+	format                string
+	authfile              string
+	insecureSkipTLSVerify types.OptionalBool
 }
 
 type searchFilterParams struct {
@@ -116,7 +118,10 @@ func searchCmd(c *cli.Context) error {
 		filter:   c.StringSlice("filter"),
 		authfile: getAuthFile(c.String("authfile")),
 	}
-	regAndSkipTLS, err := getRegistriesAndSkipTLS(c, registry)
+	if c.IsSet("tls-verify") {
+		opts.insecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
+	}
+	registries, err := getRegistries(registry)
 	if err != nil {
 		return err
 	}
@@ -126,7 +131,7 @@ func searchCmd(c *cli.Context) error {
 		return err
 	}
 
-	return generateSearchOutput(term, regAndSkipTLS, opts, *filter)
+	return generateSearchOutput(term, registries, opts, *filter)
 }
 
 func genSearchFormat(format string) string {
@@ -157,16 +162,8 @@ func (s *searchParams) headerMap() map[string]string {
 	return values
 }
 
-// A function for finding which registries can skip TLS
-func getRegistriesAndSkipTLS(c *cli.Context, registry string) (map[string]bool, error) {
-	// Variables for setting up Registry and TLSVerify
-	tlsVerify := c.BoolT("tls-verify")
-	forceSecure := false
-
-	if c.IsSet("tls-verify") {
-		forceSecure = c.BoolT("tls-verify")
-	}
-
+// getRegistries returns the list of registries to search, depending on an optional registry specification
+func getRegistries(registry string) ([]string, error) {
 	var registries []string
 	if registry != "" {
 		registries = append(registries, registry)
@@ -177,46 +174,21 @@ func getRegistriesAndSkipTLS(c *cli.Context, registry string) (map[string]bool,
 			return nil, errors.Wrapf(err, "error getting registries to search")
 		}
 	}
-	regAndSkipTLS := make(map[string]bool)
-	// If tls-verify is set to false, allow insecure always.
-	if !tlsVerify {
-		for _, reg := range registries {
-			regAndSkipTLS[reg] = true
-		}
-	} else {
-		// initially set all registries to verify with TLS
-		for _, reg := range registries {
-			regAndSkipTLS[reg] = false
-		}
-		// if the user didn't allow nor disallow insecure registries, check to see if the registry is insecure
-		if !forceSecure {
-			insecureRegistries, err := sysreg.GetInsecureRegistries()
-			if err != nil {
-				return nil, errors.Wrapf(err, "error getting insecure registries to search")
-			}
-			for _, reg := range insecureRegistries {
-				// if there are any insecure registries in registries, allow for HTTP
-				if _, ok := regAndSkipTLS[reg]; ok {
-					regAndSkipTLS[reg] = true
-				}
-			}
-		}
-	}
-	return regAndSkipTLS, nil
+	return registries, nil
 }
 
-func getSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts, filter searchFilterParams) ([]searchParams, error) {
+func getSearchOutput(term string, registries []string, opts searchOpts, filter searchFilterParams) ([]searchParams, error) {
 	// Max number of queries by default is 25
 	limit := maxQueries
 	if opts.limit != 0 {
 		limit = opts.limit
 	}
 
 	sc := common.GetSystemContext("", opts.authfile, false)
+	sc.DockerInsecureSkipTLSVerify = opts.insecureSkipTLSVerify
+	sc.SystemRegistriesConfPath = sysreg.SystemRegistriesConfPath() // FIXME: Set this more globally.  Probably no reason not to have it in every types.SystemContext, and to compute the value just once in one place.
 	var paramsArr []searchParams
-	for reg, skipTLS := range regAndSkipTLS {
-		// set the SkipTLSVerify bool depending on the registry being searched through
-		sc.DockerInsecureSkipTLSVerify = skipTLS
+	for _, reg := range registries {
 		results, err := docker.SearchRegistry(context.TODO(), sc, reg, term, limit)
 		if err != nil {
 			logrus.Errorf("error searching registry %q: %v", reg, err)
@@ -276,8 +248,8 @@ func getSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts
 	return paramsArr, nil
 }
 
-func generateSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts, filter searchFilterParams) error {
-	searchOutput, err := getSearchOutput(term, regAndSkipTLS, opts, filter)
+func generateSearchOutput(term string, registries []string, opts searchOpts, filter searchFilterParams) error {
+	searchOutput, err := getSearchOutput(term, registries, opts, filter)
 	if err != nil {
 		return err
 	}

cmd/podman/shared/container.go

@@ -4,11 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/containers/image/types"
-	"github.com/containers/libpod/libpod/image"
-	"github.com/containers/libpod/pkg/util"
-	"github.com/cri-o/ocicni/pkg/ocicni"
-	"github.com/docker/go-units"
 	"io"
 	"os"
 	"path/filepath"
@@ -18,9 +13,14 @@ import (
 	"sync"
 	"time"
 
+	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod"
+	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/inspect"
 	cc "github.com/containers/libpod/pkg/spec"
+	"github.com/containers/libpod/pkg/util"
+	"github.com/cri-o/ocicni/pkg/ocicni"
+	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -620,7 +620,7 @@ func GetRunlabel(label string, runlabelImage string, ctx context.Context, runtim
 			registryCreds = creds
 		}
 		dockerRegistryOptions.DockerRegistryCreds = registryCreds
-		newImage, err = runtime.ImageRuntime().New(ctx, runlabelImage, signaturePolicyPath, authfile, output, &dockerRegistryOptions, image.SigningOptions{}, false, false)
+		newImage, err = runtime.ImageRuntime().New(ctx, runlabelImage, signaturePolicyPath, authfile, output, &dockerRegistryOptions, image.SigningOptions{}, false)
 	} else {
 		newImage, err = runtime.ImageRuntime().NewFromLocal(runlabelImage)
 	}

cmd/podman/varlink/io.podman.varlink

@@ -610,7 +610,8 @@ method InspectImage(name: string) -> (image: string)
 method HistoryImage(name: string) -> (history: []ImageHistory)
 
 # PushImage takes three input arguments: the name or ID of an image, the fully-qualified destination name of the image,
-# and a boolean as to whether tls-verify should be used.  It will return an [ImageNotFound](#ImageNotFound) error if
+# and a boolean as to whether tls-verify should be used (with false disabling TLS, not affecting the default behavior).
+# It will return an [ImageNotFound](#ImageNotFound) error if
 # the image cannot be found in local storage; otherwise the ID of the image will be returned on success.
 method PushImage(name: string, tag: string, tlsverify: bool) -> (image: string)
 

docs/podman-container-runlabel.1.md

@@ -95,8 +95,8 @@ option be used, as the default behavior of using the system-wide default policy
 **--tls-verify**
 
 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used, If set to false then tls verification will not be used. If not specified
-tls verification will be used unless the target registry is listed as an insecure registry in registries.conf
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf
 
 ## Examples ##
 

docs/podman-login.1.md

@@ -43,7 +43,9 @@ Default certificates directory is _/etc/containers/certs.d_.
 
 **--tls-verify**
 
-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
 
 **--help**, **-h**
 

docs/podman-pull.1.md

@@ -77,8 +77,8 @@ option be used, as the default behavior of using the system-wide default policy
 **--tls-verify**
 
 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used, If set to false then tls verification will not be used. If not specified
-tls verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
 
 **--help**, **-h**
 

docs/podman-push.1.md

@@ -93,7 +93,9 @@ Add a signature at the destination using the specified key
 
 **--tls-verify**
 
-Require HTTPS and verify certificates when contacting registries (default: true)
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
+TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
 
 ## EXAMPLE
 

docs/podman-search.1.md

@@ -72,8 +72,8 @@ Do not truncate the output
 **--tls-verify**
 
 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then tls verification will be used. If set to false then tls verification will not be used if needed. If not specified
-default registries will be searched through (in /etc/containers/registries.conf), and tls will be skipped if a default
+then TLS verification will be used. If set to false, then TLS verification will not be used if needed. If not specified,
+default registries will be searched through (in /etc/containers/registries.conf), and TLS will be skipped if a default
 registry is listed in the insecure registries.
 
 **--help**, **-h**