Four leading spaces are interpreted by go-md2man as a code block.
Add a new line to start a new paragraph, so that go-md2man recognizes
the list syntax.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Clarify that a `[[registry.mirror]]` is associated only with the
previous `[[registry]]`.
Fixes: #1523
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Close: https://github.com/containers/image/issues/1407
Add pull-from-mirror: all, digest-only, tag-only for adding per-mirror level restrictions
to image pull through mirrors.
The `mirror-by-digest-only` for primary is still allowed to be configured,
and it is honored for compatibility.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Found by the Debian Lintian tool, this avoids some nroff warnings
in the generated manpages and allows proper whatis/apropos indexing.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Fix a number of indentation issues in the containers-registries.conf man
page which caused rendering issues both in the man pages and the
upstream markdown on GitHub; move all to the root indent level/scope.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We now error on login if repositories or repository namespaces are used
for other credential helpers than the `AuthenticationFileHelper`. On
logout we ignore them and debug log a warning that nothing has been
modified.
The functions `SetCredentials` (for login) as well as
`RemoveAuthentication` (for logout) already feature support for path
based registries for the `AuthenticationFileHelper`. This patch adds
unit tests to ensure that the support will not break in the future.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This patch adds support for `host[:port]/ns/…repo` to auth.json while
keeping the backwards compatible behavior.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit allows the prefix field in registries.conf to be in the
format: `prefix = "*.example.com"` for wildcard subdomain matching.
refMatchesPrefix has been renamed to refMatchingPrefix. refMatchingPrefix
now returns the length of the prefix if there's a match
and the prefix doesn't contain `*.`. If prefix contains `*.` and there's
a match, then refMatchingPrefix returns the length of the refString
without the image. This change removes the need for
any additional string comparison in `rewriteReference`.
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
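The matching rule described in the commit message above, as an added Go example that is not part of the commit or the project's own code. `matchLen`, `rewrite` and the sample references are hypothetical, and the wildcard branch assumes the returned length covers the host name only.

```go
package main

import (
	"fmt"
	"strings"
)

// atBoundary reports whether index i ends a component of ref (end, ':', '/' or '@').
func atBoundary(ref string, i int) bool {
	return i == len(ref) || strings.ContainsRune(":/@", rune(ref[i]))
}

// matchLen (hypothetical name) returns how many leading bytes of ref are
// covered by prefix, or -1 if prefix does not match.
func matchLen(ref, prefix string) int {
	if !strings.HasPrefix(prefix, "*.") {
		// Plain prefix: "example.com" must not match "example.com.attacker.test".
		if strings.HasPrefix(ref, prefix) && atBoundary(ref, len(prefix)) {
			return len(prefix)
		}
		return -1
	}
	// Wildcard: compare only the host name, i.e. everything before the
	// first ':', '/' or '@' (assumption: no IPv6 literal hosts).
	hostEnd := strings.IndexAny(ref, ":/@")
	if hostEnd == -1 {
		hostEnd = len(ref)
	}
	suffix := prefix[1:] // ".example.com"
	if hostEnd > len(suffix) && strings.HasSuffix(ref[:hostEnd], suffix) {
		return hostEnd
	}
	return -1
}

// rewrite swaps the matched part of ref for location, using only the length.
func rewrite(ref, prefix, location string) (string, bool) {
	if n := matchLen(ref, prefix); n != -1 {
		return location + ref[n:], true
	}
	return "", false
}

func main() {
	for _, ref := range []string{"foo.example.com/ns/img:1", "evil-example.com/img"} { // constructed
		out, ok := rewrite(ref, "*.example.com", "mirror.internal.test")
		fmt.Println(ref, "->", out, ok)
	}
}
```

Because the match has to end on a component boundary and the wildcard is compared against the host name alone, look-alike hosts and hosts that merely embed the domain in a path fall through to no match.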
Allow for configuring credential helpers in `registries.conf` files.
Credential helpers are configured as a top-level field
`credential-helpers`. This is an array of strings. Items listed in the
array are consulted in the specified order when looking up or removing
credentials.
Note that there is a built-in credential helper `containers-auth.json`
for using auth files. If no global defaults are specified, we will
fall back to using auth files. This assures backwards compat and a
working default setting.
The traces of the disabled "keyring" functionality have largely been
removed. If we ever want to re-enable support, we can follow the
example of auth files and specify a new built-in keyring helper.
Using a built-in helper simplifies the code quite a bit since the code
structure boils down to conditionally dispatching helpers; everything's
a credential helper with some special values for built-in helpers.
Make sure that the execution paths are properly logged (debug level).
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As shown in github.com/containers/podman/issues/8559, writing to the
$HOME directory or root may be undesired. Using /var/cache for root and
$HOME/.cache for ordinary users, however, is common practice.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This change is intended to make the GitHub markdown render correctly.
The man page rendering was unaffected and still renders correctly.
Signed-off-by: TerraTech <TerraTech@users.noreply.github.com>
DockerReferenceNamespaces will also append wildcarded expressions for
subdomain matching in policy.json.
For example: [foo.example.com *.example.com *.com]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This allows accepting signatures for a complete or partial
mirror of some other repository namespace in a single step,
similar in signing effect to setting up mirrors in registries.conf,
but letting image consumers refer to the mirrors directly.
For tag/digest matching, this currently only implements the
default matchRepoDigestOrExact-like semantics; it's the right
choice for almost all users, and we can add other alternatives
later if it turns out to be necessary.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add a new package for short-name resolution. `pkg/shortnames` is built
around the short-name aliasing in the registries.conf and introduces two
functions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add XDG_CONFIG_HOME to the paths to be searched when logging in to a registry. If XDG_CONFIG_HOME is empty, search under $HOME/.config. The search order is: authfile, XDG_RUNTIME_DIR, XDG_CONFIG_HOME, and docker config file.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Set default rootless sigstore to ~/.local/share/containers/sigstore if the caller is non-root.
Export the func ConfiguredSignatureStorageBase() for Podman image sign implementation.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Add support for path:@index (e.g. path:@0, path:@1 ...) reference syntax
to docker-archive.
This will allow reading even untagged images from multi-image archives.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We already accept the syntax for docker-archive: references,
now implement the lookup instead of warning and ignoring the value.
Implement the lookup in tarfile.Reader, not tarfile.Source,
because we will want to provide an API to obtain tags from a
Reader+Reference, without constructing a Source.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Only load `.conf` suffixed files
- Enforce v2 format of registries.conf
- Don't recurse into sub-directories
- Rootless support
- Cache key consists of conf and dir path
- Merge `[[registry]]` tables
- Several code clean ups and minor fixes
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We want to allow users to store certs in their homedir when running in rootless mode.
We want rootless podman and rootless buildah to add $HOME/.config/containers/certs.d
to the search path for certificates by default.
Currently there is no way for a non-privileged user to get certs without being root on
the system or specifying the certs dir on every call.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Provide per-user configuration of registries.conf under $HOME/.config/containers/registries.conf for other tools.
Signed-off-by: Qi Wang <qiwan@redhat.com>
When loading the registries.conf, allow for loading additional files
from `/etc/containers/registries.conf.d`. The files are loaded in
alpha-numerical order and specified fields will overwrite the previous
config.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We now document the already existing internal `/library` suffix for
docker.io mirrors and provide an example of how to deal with them.
I also fixed two typos in `containers-registries.d.5.md`.
Closes https://github.com/containers/image/issues/775
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Catching up with be91505 (docs: rename manpages to *.5.md, 2019-03-01, #594).
Generated with:
$ sed -i 's/policy.json.md/containers-policy.json.5.md/g' $(git grep -l policy.json.md)
Looking to carry this over the finish line for Wking.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Primarily, start with explaining the "prefix" field and its matching semantics,
and only then explain other fields.
Also, use definition lists (using a Markdown extension supported by go-md2man)
for the individual options instead of wordy "The option `foo` will ..." text
to make it easier to find the relevant sections.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This makes the order of all of the []Registry entries irrelevant, makes the
search order easy to find/determine, and makes it much easier to edit either
the search list or the other attributes of registries independently.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>