Merge pull request #2754 from rhatdan/policy

Add --policy flag to buildah pull
2020-11-13 23:10:50 +01:00 · 2020-11-13 23:10:50 +01:00 · 11964fc3d0
parent d0c958d65e f280cd0285
commit 11964fc3d0
11 changed files with 86 additions and 11 deletions
--- a/cmd/buildah/common.go
+++ b/cmd/buildah/common.go
@ -137,7 +137,7 @@ func openBuilder(ctx context.Context, store storage.Store, name string) (builder
 		}
 	}
 	if err != nil {
-		return nil, errors.Wrapf(err, "error reading build container")
+		return nil, err
 	}
 	if builder == nil {
 		return nil, errors.Errorf("error finding build container")
@ -156,7 +156,7 @@ func openImage(ctx context.Context, sc *types.SystemContext, store storage.Store
 	}
 	builder, err = buildah.ImportBuilderFromImage(ctx, store, options)
 	if err != nil {
-		return nil, errors.Wrapf(err, "error reading image")
+		return nil, err
 	}
 	if builder == nil {
 		return nil, errors.Errorf("error mocking up build configuration")
--- a/cmd/buildah/inspect.go
+++ b/cmd/buildah/inspect.go
@ -84,17 +84,17 @@ func inspectCmd(c *cobra.Command, args []string, iopts inspectResults) error {
 		builder, err = openBuilder(ctx, store, name)
 		if err != nil {
 			if c.Flag("type").Changed {
-				return errors.Wrapf(err, "error reading build container %q", name)
+				return errors.Wrapf(err, "error reading build container")
 			}
 			builder, err = openImage(ctx, systemContext, store, name)
 			if err != nil {
-				return errors.Wrapf(err, "error reading build object %q", name)
+				return err
 			}
 		}
 	case inspectTypeImage:
 		builder, err = openImage(ctx, systemContext, store, name)
 		if err != nil {
-			return errors.Wrapf(err, "error reading image %q", name)
+			return err
 		}
 	default:
 		return errors.Errorf("the only recognized types are %q and %q", inspectTypeContainer, inspectTypeImage)
--- a/cmd/buildah/pull.go
+++ b/cmd/buildah/pull.go
@ -6,6 +6,7 @@ import (
 	"runtime"

 	"github.com/containers/buildah"
+	"github.com/containers/buildah/define"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/common/pkg/auth"
@ -26,6 +27,7 @@ type pullOptions struct {
 	removeSignatures bool
 	tlsVerify        bool
 	decryptionKeys   []string
+	pullPolicy       string
 }

 func init() {
@ -57,6 +59,7 @@ func init() {
 	flags.StringVar(&opts.blobCache, "blob-cache", "", "store copies of pulled image blobs in the specified directory")
 	flags.StringVar(&opts.certDir, "cert-dir", "", "use certificates at the specified path to access the registry")
 	flags.StringVar(&opts.creds, "creds", "", "use `[username[:password]]` for accessing the registry")
+	flags.StringVar(&opts.pullPolicy, "policy", "missing", "missing, always, or never.")
 	flags.BoolVarP(&opts.removeSignatures, "remove-signatures", "", false, "don't copy signatures when pulling image")
 	flags.StringVar(&opts.signaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
 	flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", nil, "key needed to decrypt the image")
@ -109,6 +112,10 @@ func pullCmd(c *cobra.Command, args []string, iopts pullOptions) error {
 		return errors.Wrapf(err, "unable to obtain decrypt config")
 	}

+	policy, ok := define.PolicyMap[iopts.pullPolicy]
+	if !ok {
+		return fmt.Errorf("unrecognized pull policy %s", iopts.pullPolicy)
+	}
 	options := buildah.PullOptions{
 		SignaturePolicyPath: iopts.signaturePolicy,
 		Store:               store,
@ -120,6 +127,7 @@ func pullCmd(c *cobra.Command, args []string, iopts pullOptions) error {
 		MaxRetries:          maxPullPushRetries,
 		RetryDelay:          pullPushRetryDelay,
 		OciDecryptConfig:    decConfig,
+		PullPolicy:          policy,
 	}

 	if iopts.quiet {
--- a/contrib/completions/bash/buildah
+++ b/contrib/completions/bash/buildah
@ -613,6 +613,7 @@ return 1
     --cert-dir
     --creds
     --decryption-key
+     --policy
  "

     local all_options="$options_with_args $boolean_options"
--- a/define/types.go
+++ b/define/types.go
@ -1,6 +1,8 @@
 package define

-import "fmt"
+import (
+	"fmt"
+)

 // PullPolicy takes the value PullIfMissing, PullAlways, PullIfNewer, or PullNever.
 type PullPolicy int
@ -39,3 +41,10 @@ func (p PullPolicy) String() string {
 	}
 	return fmt.Sprintf("unrecognized policy %d", p)
 }
+
+var PolicyMap = map[string]PullPolicy{
+	"missing": PullIfMissing,
+	"always":  PullAlways,
+	"never":   PullNever,
+	"ifnewer": PullIfNewer,
+}
--- a/docs/buildah-pull.md
+++ b/docs/buildah-pull.md
@ -70,6 +70,14 @@ The [key[:passphrase]] to be used for decryption of images. Key can point to key

 If an image needs to be pulled from the registry, suppress progress output.

+**--policy**=**always**|**missing**|**never**
+
+Pull image policy. The default is **missing**.
+
+- **missing**: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist. Raise an error if the image is not in any listed registry and is not present locally.
+- **always**: Pull the image from the first registry it is found in as listed in  registries.conf. Raise an error if not found in the registries, even if the image is present locally.
+- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
+
 **--remove-signatures**

 Don't copy signatures when pulling images.
--- a/import.go
+++ b/import.go
@ -154,7 +154,7 @@ func importBuilderFromImage(ctx context.Context, store storage.Store, options Im

 	_, img, err := util.FindImage(store, "", systemContext, options.Image)
 	if err != nil {
-		return nil, errors.Wrapf(err, "error locating image %q for importing settings", options.Image)
+		return nil, errors.Wrapf(err, "importing settings")
 	}

 	builder, err := importBuilderDataFromImage(ctx, store, systemContext, img.ID, "", "")
--- a/pull.go
+++ b/pull.go
@ -60,6 +60,8 @@ type PullOptions struct {
 	// OciDecryptConfig contains the config that can be used to decrypt an image if it is
 	// encrypted if non-nil. If nil, it does not attempt to decrypt an image.
 	OciDecryptConfig *encconfig.DecryptConfig
+	// PullPolicy takes the value PullIfMissing, PullAlways, PullIfNewer, or PullNever.
+	PullPolicy PullPolicy
 }

 func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference) (string, error) {
@ -169,6 +171,7 @@ func Pull(ctx context.Context, imageName string, options PullOptions) (imageID s
 		MaxPullRetries:      options.MaxRetries,
 		PullRetryDelay:      options.RetryDelay,
 		OciDecryptConfig:    options.OciDecryptConfig,
+		PullPolicy:          options.PullPolicy,
 	}

 	if !options.AllTags {
--- a/tests/commit.bats
+++ b/tests/commit.bats
@ -53,7 +53,7 @@ load helpers
  cid=$output
  run_buildah commit --signature-policy ${TESTSDIR}/policy.json --rm $cid alpine-image
  run_buildah 125 rm $cid
-  expect_output --substring "error removing container \"alpine-working-container\": error reading build container: container not known"
+  expect_output --substring "error removing container \"alpine-working-container\": container not known"
 }

@test "commit-alternate-storage" {
--- a/tests/pull.bats
+++ b/tests/pull.bats
@ -266,3 +266,49 @@ load helpers
  iid=$output
  run_buildah rmi ${iid}
 }
+
+@test "pull-policy" {
+  mkdir ${TESTDIR}/buildahtest
+  run_buildah 125 pull --signature-policy ${TESTSDIR}/policy.json --policy bogus alpine
+  expect_output --substring "unrecognized pull policy bogus"
+
+  #  If image does not exist the never will fail
+  run_buildah 125 pull -q --signature-policy ${TESTSDIR}/policy.json --policy never alpine
+  expect_output --substring "no such image"
+  run_buildah 125 inspect alpine
+  expect_output --substring "image not known"
+
+  # create bogus alpine image
+  run_buildah from --signature-policy ${TESTSDIR}/policy.json scratch
+  cid=$output
+  run_buildah commit -q $cid docker.io/library/alpine
+  iid=$output
+
+  #  If image does not exist the never will succeed, but iid should not change
+  run_buildah pull -q --signature-policy ${TESTSDIR}/policy.json --policy never alpine
+  expect_output $iid
+
+  # Pull image by default should change the image id
+  run_buildah pull -q --policy always --signature-policy ${TESTSDIR}/policy.json alpine
+  if [[ $output == $iid ]]; then
+      expect_output "[output should not be '$iid']"
+  fi
+
+  # Recreate image
+  run_buildah commit -q $cid docker.io/library/alpine
+  iid=$output
+
+  # Make sure missing image works
+  run_buildah pull -q --signature-policy ${TESTSDIR}/policy.json --policy missing alpine
+  expect_output $iid
+
+  run_buildah rmi alpine
+  run_buildah pull -q --signature-policy ${TESTSDIR}/policy.json alpine
+  run_buildah inspect alpine
+
+  run_buildah rmi alpine
+  run_buildah pull -q --signature-policy ${TESTSDIR}/policy.json --policy missing alpine
+  run_buildah inspect alpine
+
+  run_buildah rmi alpine
+}
--- a/tests/rm.bats
+++ b/tests/rm.bats
@ -12,9 +12,9 @@ load helpers

@test "remove multiple containers errors" {
  run_buildah 125 rm mycontainer1 mycontainer2 mycontainer3
-  expect_output --from="${lines[0]}" "error removing container \"mycontainer1\": error reading build container: container not known" "output line 1"
-  expect_output --from="${lines[1]}" "error removing container \"mycontainer2\": error reading build container: container not known" "output line 2"
-  expect_output --from="${lines[2]}" "error removing container \"mycontainer3\": error reading build container: container not known" "output line 3"
+  expect_output --from="${lines[0]}" "error removing container \"mycontainer1\": container not known" "output line 1"
+  expect_output --from="${lines[1]}" "error removing container \"mycontainer2\": container not known" "output line 2"
+  expect_output --from="${lines[2]}" "error removing container \"mycontainer3\": container not known" "output line 3"
  expect_line_count 3
 }