Add support to push image with unknown digest and no tag to
a registry. This will be used by farm build to construct a list
of multi arch builds after pushing images built on each node.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
... to avoid docker.io pull limits.
NewImageSource and NewImage actually access the remote
server (because NewImageSource is looking for a working mirror);
update NewImageDestination basically for symmetry.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
DockerReferenceNamespaces will also append wildcarded expressions for
subdomain matching in policy.json.
For example: [foo.example.com *.example.com *.com]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
... so that major-version-aware Go module import
(as opposed to vX.Y.Z+incompatible, which does not allow different
packages to use different versions) works right.
Also requires adding some more GO111MODULE=on options to Makefile.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Network IO paths should react to cancels now.
- File IO paths generally still won't.
- `SystemContext` objects have been renamed to `sys` to leave `ctx`
available for the stdlib context objects.
Signed-off-by: Mike Lundy <mike@fluffypenguin.org>
This reverts commit 4881a7500b.
We can now process the manifest lists ourselves.
Because docker_transport_test.go tests "//busybox".NewImage(),
which will now process transport lists, also add an architecture/OS
override to keep the test working e.g. on macOS, for which Docker
does not publish an image in the manifest list.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The requestedManifestMIMETypes parameter was added because a destination
might not support all manifest MIME types that the the source supports,
but the original use case now passes all manifest types and lets
containers/image convert internally. In generally, internal conversion
may be more comprehensive, is more predictable, and avoids bypassing
internal checks.
Fixes: containers/image#331
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
This will make /etc/docker/certs.d/$host[:$port], notably RHEL CDN
certificates, work by default.
types.SystemContext.DockerCertPath, if defined, overrides and disables
DockerPerHostCertDirPath. We now always look into _some_ (exactly one)
directory. (This also forces us to explicitly override the default path
in tests because in Travis /etc/docker has mode 0700, causing spurious failures.)
(See also the added comment about handling docker.io in certs.d.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
i
Otherwise we panic immediately below on using a nil object.
(Does not matter when tests are passing, merely a cleanup to avoid ugly
panics if they are not.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This replaces the copy of github.com/docker/docker/reference in the same
place, which we have just gotten rid of, and allows using this package
even in consumers which insist on an incompatible version of
docker/distribution.
The copy has been edited to drop a reference to
github.com/docker/distribution/digestset .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead call distreference.ParseNormalizedNamed directly.
(This looks bigger than it really is because so many files now don't
need c/i/docker/reference, so they are dropping the “distreference”
qualifier for docker/distribution/reference.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead of rebuilding it as name/name+digest/name+tag, just use the
return value from distreference.ParseNormalizedName without
modification.
THIS CHANGES BEHAVIOR: before, name@tag:digest inputs were silently
trated as name:digest, dropping the tag; now the semantics is correctly
preserved.
We already anticipate such strings as references in docker: and
docker-daemon: (where they are now rejected) and in signature
verification (where, unless we check repository names only, they must
match exactly).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead, call NamedTagged.Tag in all users.
XNamedTagged is now equivalent to distreference.NamedTagged.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Similar to the .our/.upstream dance in namedRef, add a second,
write-only implementation in taggedRef. Except now we go a bit faster
and skip the .our/.upstream member names.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead call distreference.FamiliarString() for SOME uses, generally for
error messages and StringWithinTransport().
In signature/policy_reference_match.go and signature/docker.go, where we
care about equality but not exactly about the kind of normalization, call
XNamed.String() instead, with the same rationale as the earlier
Name/FamiliarName choice.
In copy.Image, when creating a singature, use .String() (i.e. the fully
explicit form), for that extra bit of safety.
In tests, generally use the simpler .String() and modify expected
results, instead of calling FamilarString().
XNamed is now equivalent to distreference.Named, all the extra methods
have went away.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is an intermediate step which will eventually go away.
The goal of this PR is to get rid of c/i/docker/daemon/reference and to
replace uses of it by direct calls to docker/distribution/reference.
We can't do that safely and easily, because the two have different
semantics for reference.Named.Name() and reference.Named.String(): we
return a minimized version, e.g. "busybox", upstream returns an expanded
version, e.g. "docker.io/library/busybox".
BEFORE this commit the difference is hidden by using
docker/distribution/reference.WithName, which allows using the minimized
version, and works with it correctly; but because we want to use the
upstream canonicalization code, which will change semantics, we can't
just mix and match.
To make the distinction explicit, this commmit adds an X to ALL public
names from c/i/docker/daemon/reference. E.g. a reference.XNamed type,
which has methods XName and XString.
This is pretty large, but does not change behavior at all. By
inspection it is clear to see that reference.XNamed and subtypes does
not expose any of the non-X, conflicting, method names.
Using e.g.
> git diff --word-diff-regex=.|grep -F '{+'|grep -v '^\([^{]\|{+X+}\)*{\?$'
it is possible to see that most lines in this diff only add a single X
letter, and manually inspect the few lines which don't match the regexp.
The only REALLY new code is an explicit definition of namedRef.XName()
and namedRef.XString(), and two newly added casts to namedRef in cases
where we need to use the underlying distreference.Reference within
a reference.XNamed value. Strictly speaking these changes change
behavior, in that third-party implementations of reference.XNamed are no
longer accepted; but we broke them by renaming at all.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Allows configuring "sigstore" (for RW) and "sigstore-write" (write-only)
for images/repositories/namespaces/registries in
/etc/containers/repositories.d/*.yaml .
If configured, uses them to store signatures in the docker: transport.
Also includes documentation in docs/registries.d.md.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This allows the selection to be consistent across GetManifest and
GetSignatures (which will be needed by Docker lookaside).
The API change causes lots of churn, but ultimately it just moves the
real origin of the value from image.FromSource() to transport.NewImageSource(),
both of which are static for the life of the ImageSource.
Does not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... instead of Docker-specific certPath and tlsVerify.
Also invert the sense of tlsVerify to make the default secure.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This improves the dockerReference encapsulation, and makes it more clear
that the reference.IsNameOnly case can not happen.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This e.g. rejects relative paths for directories.
Notably docker: transport is the only one which does not do any real
validation; we could copy&paste the character ranges and lengths
directly from docker/distribution/reference, which feels fairly ugly.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This makes the core policy lookup logic Docker-independent,
with the underlying Docker-specific implementation moved to
docker/policyconfiguration/naming.go.
Does not change behavior, only docker: and atomic: transports
currently implement the policy configuration naming, in a compatible
way, and the policy configuration is still not transport-aware. That
happens next.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will consolidate Docker reference usage to all go through
types.ImageReference.
No users yet, will be migrated imminently.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This minimizes transport-specific knowledge in image name parsing
(as in cmd/skopeo/utils.go) and allows separation of reference parsing
and their use.
Existing public NewImage... API has been removed; callers are expected
to use any of
* types.ImageTransport.ParseReference().NewImage...
(if they have a general string)
* transportpackage.ParseReference().NewImage...
(if they have a transport-specific string)
* transportpackage.NewReference().NewImage...
(if they have transport-specific raw values)
This usually adds an extra error checking step for the
ParseReference/NewReference call compared to the previous code; this is
considered not a big loss, especially because reporting “the reference
is invalid” and “the reference looks valid but connecting/using it
failed” as distinct failure modes seems quite useful for users.
The references are currently one-way (you can get a types.Image* from an
ImageReference, but not the other way around); that will be fixed soon.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Miloslav Trmač
Urvashi Mohnani
Josh Soref
Lokesh Mandvekar
Mike Lundy
Owen W. Taylor
Antonio Murdaca