Commit Graph

73 Commits

Author SHA1 Message Date
OpenShift Merge Robot 11964fc3d0
Merge pull request #2754 from rhatdan/policy
Add --policy flag to buildah pull
2020-11-13 23:10:50 +01:00
Valentin Rothberg e1444dd71e short-names aliasing
Add support for short-name aliasing.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-11-13 11:58:48 +01:00
Daniel J Walsh f280cd0285
Add --policy flag to buildah pull
This allows the user to specify the pull policy for pulling images.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-13 03:38:27 -05:00
Qi Wang 2ddc22c2dd Skip tlsVerify insecure BUILD_REGISTRY_SOURCES
If the registry is set to insecure allowed using BUILD_REGISTRY_SOURCES, hardcode to skip the tls verify to avoid the errors.
Returns an error if insecureRegistries is set but tls-verify is forced.

Signed-off-by: Qi Wang <qiwan@redhat.com>
2020-10-13 15:57:42 -04:00
Nalin Dahyabhai ad7cfc3e9b Heed our retry delay option values when retrying commit/pull/push
Pass our own API values for retry delays to common's retry package when
we use it to handle retrying image pull/commit/push operations.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-08-28 15:20:28 -04:00
Qi Wang cea59d97c9 Replace retry functions with common/pkg/retry
Use retry package from containers/common and change the retryDelay to exponential backoff from there.

Signed-off-by: Qi Wang <qiwan@redhat.com>
2020-08-13 15:28:56 -04:00
Brandon Lum 37df2b9690 implementation of encrypt/decrypt push/pull/bud/from
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
2020-05-18 21:27:23 +00:00
Daniel J Walsh 8bcc55a5ee
Fix FORWARD_NULL errors found by Coverity
Error: FORWARD_NULL (CWE-476): [#def50]

These errors could lead to crashes in the code.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-10 10:16:14 -04:00
Nalin Dahyabhai b72bda2dff pull/from/commit/push: retry on most failures
If PullOptions/BuilderOptions/CommitOptions/PushOptions includes a
MaxRetries value other than 0, retry operations except for (currently)
connection-refused, authentication, and no-such-repository/no-such-tag
errors, at a default-but-configurable interval of 5 seconds.

Set the default for `buildah pull/from/commit/push` to 3 retries at 2
second intervals.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-02-10 14:07:10 -05:00
Daniel J Walsh 230ef7ac35
Close tarSource when finished using it
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-02-05 16:22:48 -05:00
Nalin Dahyabhai a925f79cc3 add --sign-by to bud/commit/push, --remove-signatures for pull/push
Add the --sign-by option to `buildah build-using-dockerfile`,
`buildah commit`, `buildah push`, and `buildah manifest push`.  Add the
`--remove-signatures` option to `buildah pull`, `buildah push`, and
`buildah manifest push`.  We just pass them to the image library, which
does all of the heavy lifting.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #2085
Approved by: rhatdan
2020-01-17 18:22:34 +00:00
Nalin Dahyabhai f0cf07bb60 Move to containers/image v5.0.0
Bump to containers/image's 5.0 release.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1902
Approved by: rhatdan
2019-10-28 15:15:34 +00:00
Miloslav Trmač 797e618cbe Update c/image to v4.0.1
This requires updating all import paths throughout.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1891
Approved by: vrothberg
2019-10-04 07:34:03 +00:00
Nalin Dahyabhai 0bb4f3112c pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES
If $BUILD_REGISTRY_SOURCES is set, expect it to be a valid
github.com/openshift/api/config/v1.Image, and parse its
AllowedRegistries and BlockedRegistries lists when pulling, committing,
or pushing images.

Override the local signature policy when committing or pushing an image
to ensure that local storage is always allowed.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1787
Approved by: rhatdan
2019-08-29 18:42:16 +00:00
Sascha Grunert c1a2d4f46f Fix directory pull image names
This is a breaking change and modifies the resulting image name when
pulling from a directory via `oci:...` or `dir:...`.

Without this patch, the image names pulled via a local directory got
prefixed with `docker.io/{library/}`, which is not correct.

We now use either the full path to the image, or the relative path as
image name, but prefixed with `localhost` to indicate that the image is
not being pulled from a remote location.

Fixes: https://github.com/containers/buildah/issues/1797

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

Closes: #1800
Approved by: nalind
2019-08-19 20:31:04 +00:00
Sascha Grunert 16e301031e Add unparam linter and apply fixes
This commit enables the `unparam` linter and applies all reported issues.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

Closes: #1719
Approved by: rhatdan
2019-07-16 21:21:32 +00:00
Valentin Rothberg 467983ce9f pull: check error during report write
Reported by golangci-lint.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Closes: #1678
Approved by: rhatdan
2019-06-19 11:33:36 +00:00
Nalin Dahyabhai 3bf8547fe7 Avoid fmt.Printf() in the library
Avoid calling fmt.Printf() to print things in library logic, which can't
be controlled or suppressed by callers.  Prefer returning values and
printing them in our CLI wrapper, as callers would.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1596
Approved by: rhatdan
2019-05-16 23:19:49 +00:00
Douglas Schilling Landgraf be0c8d263b golint: make golint happy
should omit type ... from declaration of var ...; it will be
inferred from the right-hand side

Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>

Closes: #1426
Approved by: nalind
2019-03-20 20:49:33 +00:00
Daniel J Walsh 1ba9201f38 Remove mistaken code that got merged in other PR
Miloslav had some good comments on a previous commit.

https://github.com/containers/buildah/pull/1411

These changes address his issues by removing them.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1412
Approved by: mtrmac
2019-03-18 21:14:30 +00:00
Daniel J Walsh 939de6f4d9 Allow rootless users to use the cache directory in homedir
Currently rootless podman attempts to write to /var/lib/containers/cache
and fails. This causes us to repeatedly push images that have already been
pushed.  This cache directory should be relative to the location of containers/storage
and not always stored in the same directory.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1411
Approved by: TomSweeneyRedHat
2019-03-14 14:25:09 +00:00
Miloslav Trmač 95a5089061 Hard-code docker.Transport use in pull --all-tags
The code is already calling docker.GetRepositoryTags
immediately below, so the dependency already exists, and this
removes an unnecessary dependency on alltransports.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 5946d06cb4 Use a types.ImageReference instead of (transport, name) strings in pullImage etc.
Use a typed value, to hopefully decrease further temptation to process strings
manually, and to avoid the unnecessary alltransports.ParseImageName which
resolveImage has already called.

This may change the strings used in some error/debug messages, which
now use transports.ImageName instead of the original input; the strings
should by definition have the same semantics.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 0de7cac5a1 Don't throw away user-specified tag for pull --all-tags
Right now, we (conceptually unnecessarily) require an image with an existing
tag on the remote repository to list all other tags.

Given that, use the user-specified name:tag, if any, instead of discarding the
tag and requiring :latest to exist on the remote registry.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 430f3dc0b4 CHANGES BEHAVIOR: Remove the string format input to localImageNameForReference
It should always be redundant with the reference itself; so,
use srcRef.StringWithinTransport() in the cases where we do
need to understand and hard-code the string syntax, after all.

Also improve the oci: format parsing a bit, to be robust
against including an image name.

NOTE: This might change the semantics a bit because StringWithinTransport
does not guarantee preserving the original string (e.g. paths
tend to be normalized not to contain symlinks).  Using local paths
as docker/distribution image names is conceptually so problematic
that this seems worth the code cleanup - but I might be wrong.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 51c3d1d4b4 Don't try to parse imageName as transport:image in pullImage
Both callers now consistently pass the transport in the "transport"
parameter, so parsing imageName could only be incorrect.

This could possibly fix cases like pulling docker://dir:localpath,
and the debug log will no longer say
"error parsing image name %q, trying with transport %q: %v" on every pull attempt.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 3f84d99643 Use reference.WithTag instead of manual string manipulation in Pull
Should not change behavior, except possibly failing early if the server
returns an invalid tag name.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač fa2a247388 Don't pass image = transport:repo:tag, transport=transport to pullImage
pullImage has a dedicated transport: parameter, don't pass the transport
in the image name as well. The semantics of the imageName parameter to
pullImage is now unambiguous.

Should not change behavior, pullImage was trying
alltransports.ParseImageName(imageName) first.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač 949709cd18 Fix confusing variable naming in Pull
The result of ParseImageName("docker://"...) is not a storageRef.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1361
Approved by: rhatdan
2019-02-27 14:07:22 +00:00
Miloslav Trmač c8727b4033 Fix a few issues found by tests/validate/gometalinter.sh
For some reason, the CI does not report any of these; on macOS
I see many more reports (including complaints about the standard
library), this only cleans up the trivial cases.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1365
Approved by: rhatdan
2019-02-25 10:27:46 +00:00
Daniel J Walsh 3531a2dfb5 Remove quiet option from pull options
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1319
Approved by: rhatdan
2019-02-20 19:31:09 +00:00
Daniel J Walsh fa71977101 Support oci layout format
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1319
Approved by: rhatdan
2019-02-20 19:31:09 +00:00
Daniel J Walsh f9e645a461 Fix pulling of images within buildah
Change references to Transfer to transfer to make it internal only.
It should be determined from the image specification and only determined
in one place.

Make buildah.Pull use registries.conf

Currently buildah pull does not resolve images based on registries.conf.
This does not match the behaviour of buildah from or buildah bud.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1319
Approved by: rhatdan
2019-02-20 19:31:09 +00:00
TomSweeneyRedHat f1cec509e0 Add Quiet to PullOptions and PushOptions
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Add Quiet to the PullOptions and PushOptions structures.
If set to true output will be in 'quiet' mode.  This
will primarily be used by callers such as OpenShift.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1302
Approved by: rhatdan
2019-01-23 20:40:14 +00:00
Zhou Hao 9a6a441f77 pull: add all-tags option
Add all-tags option to download all tagged images in the repository

After change:
```
➜  buildah git:(add-pull-all) ✗ ./buildah pull --all-tags busybox
Pulling docker://busybox:1-glibc
Getting image source signatures
Skipping fetch of repeat blob sha256:68d65759a692b254073928cce9b3da459b59ee063f4aeb217cd6bcdfac5f838b
Copying config sha256:755a2703667876f4259f24a3225ef503483953ef553fba8758406beefc2ce3f9
 1.46 KiB / 1.46 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
755a2703667876f4259f24a3225ef503483953ef553fba8758406beefc2ce3f9
Pulling docker://busybox:1-musl
Getting image source signatures
Skipping fetch of repeat blob sha256:d900fc804a8829d0ea4db613927f60a28a1ef933aa1dbafdaab43630579646c2
Copying config sha256:3cc47384c4cb779466fe40182420bd90ba761a5f26f8564580a114bcd0dfa911
 1.46 KiB / 1.46 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
3cc47384c4cb779466fe40182420bd90ba761a5f26f8564580a114bcd0dfa911
Pulling docker://busybox:1-ubuntu
```

Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>

Closes: #1263
Approved by: rhatdan
2019-01-09 20:05:43 +00:00
Nalin Dahyabhai 65707368d8 Use a blob cache when we're asked to use one
Add API hooks for designating locations to be used as blob caches when
pulling and pushing images.  When we commit read-only copies of
container layers for use in images, if we're using blob caching, store a
copy of the layer in the blob cache directory so that it can be found.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1149
Approved by: rhatdan
2018-12-04 18:53:15 +00:00
Daniel J Walsh 4a6f4aeb6b
Resolve image names with default transport in from command
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-10-21 06:33:35 -04:00
Nalin Dahyabhai 189ebeccd7 Update for changes in the containers/image API
Copying an image now returns the manifest of the written image.  Return
the digest of that manifest, and a canonical reference, from our Commit
and Push APIs.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1097
Approved by: rhatdan
2018-10-15 21:27:07 +00:00
Miloslav Trmač 6e0074eeed Move the "short name but no search registries" error handling to resolveImage
Use the value now returned by util.ResolveImage instead of trying to
recompute it.

Then drop the no longer used getRegistries.  (It might be reasonable
to split that part of util.ResolveImage to make it shorter; but it should
not ideally have any independent second-guessing callers.  So, just
keep the inlined one instead; that way we certainly don't break it.)

Also drop the no longer used hasRegistry.

CHANGES BEHAVIOR:
- Most notably, the "short name but no search registries" code
  has been broken for some time; pullImage was called with
  localhost/$shortname, which was a qualified name, so the
  specialized error handling was never attempted.
- Temporarily, the error handling in the "short name but no
  search registries" code triggers even if there were actually
  valid values to try (in practice there is always localhost/$shortname,
  and possibly also options.Registry/$shortname).  The next commit
  will improve it again.
- We now have more legitimate access to the original short name,
  so include it in the error message (it was technically available
  before, but using it was awkward).

NOTE: registriesConfPath is computed using the sysregistries
package, but actual access happens using the sysregistriesv2 package.
That should be cleaned up eventually.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #909
Approved by: rhatdan
2018-10-13 11:56:07 +00:00
Ben Parees add81c3de4 fix missing format param
Signed-off-by: Ben Parees <bparees@redhat.com>

Closes: #1083
Approved by: rhatdan
2018-10-12 19:22:46 +00:00
Nalin Dahyabhai bc2ea08003 Make sure we log or return every error
Make sure that when attempting to diagnose an error, if we encounter an
error during the diagnostic attempt, we return the original error rather
than the error encountered in trying to diagnose it.  Log that one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1072
Approved by: rhatdan
2018-10-07 12:07:09 +00:00
Nalin Dahyabhai 464a3e587f pullImage(): when completing an image name, try docker://
If we're handed a name for a source image, and
alltransports.ParseImageName() doesn't like it as-is, we normally try
prefixing the Transport option and parsing it again.  If that option
isn't set, though, we return an error, when we should be trying the
default ("docker"), which is how NewBuilder() does things.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1072
Approved by: rhatdan
2018-10-07 12:07:09 +00:00
Nalin Dahyabhai 318fc8940f Enforce "blocked" for registries for the "docker" transport
Check if reading and writing from the registry named by an image is
allowed when the transport is "docker".

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1056
Approved by: rhatdan
2018-10-05 15:30:11 +00:00
Nalin Dahyabhai 62c01da3e4 Correctly set DockerInsecureSkipTLSVerify when pulling images
The image library's copy routine doesn't itself consult the registries
configuration in order to decide whether or not to disable TLS
verification when communicating with a registry, so it's on us to use
the name of a source or destination image to decide whether to set the
flag for that behavior.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1056
Approved by: rhatdan
2018-10-05 15:30:11 +00:00
Daniel J Walsh ba012ddec6
Move buildah from projectatomic/buildah to containers/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-09-18 08:06:11 -04:00
W. Trevor King 0d39b40e02 pull: Return image-pulling errors from pullImage
Instead of throwing out the upstream error message, save it and return
it if we can't come up with a more-specific suggestion.  This softens
the approach from 043fd2e3 (Add registry errors for pull,
2018-06-01, #747), because that could make debugging harder [1].

[1]: https://github.com/projectatomic/buildah/issues/849

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1014
Approved by: rhatdan
2018-09-14 18:41:39 +00:00
Miloslav Trmač 344fbdc882 Remove an unused srcRef.NewImageSource in pullImage
- The result is not used anywhere
- In the common case of pulling from docker:// this does not do
  anything notable (only sets up configuration, no network checks)
- ... but it can be pretty expensive for compressed archives,
  creating an uncompressed on-disk copy.
- copy.Image soon after the removed code calls srcRef.NewImageSource
  internally anyway.

This should not change behavior on success; it may change which error is
reported if there is more than one reason for the pull to fail.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #922
Approved by: TomSweeneyRedHat
2018-08-10 20:31:27 +00:00
Nalin Dahyabhai 618bf54c74 Export a Pull() function
Provide a Pull() function that can be called directly, to go with the
Push() function.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #918
Approved by: rhatdan
2018-08-09 18:18:11 +00:00
TomSweeneyRedHat 338b23ea3e Revert pull error handling from 881
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #910
Approved by: rhatdan
2018-08-04 07:58:21 +00:00
TomSweeneyRedHat ba976ed310 Return policy error on pull
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #881
Approved by: rhatdan
2018-08-03 17:29:14 +00:00