All existing users pass a reference.Named, and check for nil before
calling this function.
This only changes the interface; the implementation will be simplified
presently.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Before touching the internals of reference representation, make sure
the expected values of verboseName are known so that we don't
break any users by touching the internals.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Re-enable the failing tests, and rewrite the implementation to match expected inputs.
Notably this re-enables the @ID form with no name.
Like docker.Transport, this does no validation of the name part; using
the docker/reference parsers is not correct because they are not intended to
accept e.g. hostname-only "docker.io".
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
For some unfathomable reason I wrote the test to accept non-canonical
inputs to ParseReference, instead of the canonicalized prefixes returned by
PolicyConfigurationIdentity and PolicyConfigurationNamespace.
So, replace the expected cases by the actually returned forms, up to
the full name:tag@digest@ID, and the relevant prefixes.
This only changes the tests; the cases which would fail are commented out
for now.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... if PolicyConfigurationIdentity includes @id. At least the :tag form is clearly useful.
This does not handle the name:tag@digest case (which _can_ happen), where the tag is
currently recorded inside s.name but not s.tag; the possible code handling it would
be very non-obviously pointing out this difference. For now, only leave a FIXME in the test.
Maybe it should be handled by refusing such input instead; e.g. that's what
docker.Transport does.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... using validReferenceTestCases.
The cases in that table are a superset of the two previously used cases.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
In this commit you can see how, at the beginning of the function
`getManifestDescriptor`, it was being checked whether an error was different than
nil and returning in that case; however, a few lines later that error (remember,
with nil value) was being wrapped. Since the original error was nil, the
wrapping was also returning nil.
A regression test was added.
This commit should close the following issue in skopeo as per @mtrmac
suggestion: github.com/projectatomic/skopeo/issues/496
Signed-off-by: Álex González <agonzalezro@gmail.com>
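
The failure mode this commit message describes, as an added example that is not the project's code. `wrap` is a local stand-in for a wrapping helper that returns nil for a nil error (as `errors.Wrap` in github.com/pkg/errors does); `loadIndex`, `findDescriptorBuggy` and `findDescriptorFixed` are hypothetical names, and the digests are constructed.

```go
package main

import "fmt"

// wrap is a stand-in for a pkg/errors-style Wrap: a nil error stays nil.
func wrap(err error, msg string) error {
	if err == nil {
		return nil
	}
	return fmt.Errorf("%s: %w", msg, err)
}

// loadIndex is a hypothetical loader that succeeds with constructed data.
func loadIndex() ([]string, error) {
	return []string{"sha256:aaaa"}, nil
}

// findDescriptorBuggy reuses err after the early return has proven it nil,
// so a missing descriptor is reported as ("", nil): a silent success.
func findDescriptorBuggy(want string) (string, error) {
	index, err := loadIndex()
	if err != nil {
		return "", err
	}
	for _, d := range index {
		if d == want {
			return d, nil
		}
	}
	return "", wrap(err, "no descriptor found for "+want) // err is nil here
}

// findDescriptorFixed creates a new error for the not-found condition.
func findDescriptorFixed(want string) (string, error) {
	index, err := loadIndex()
	if err != nil {
		return "", err
	}
	for _, d := range index {
		if d == want {
			return d, nil
		}
	}
	return "", fmt.Errorf("no descriptor found for %q", want)
}

func main() {
	fmt.Println(findDescriptorBuggy("sha256:missing")) // empty value, <nil>
	fmt.Println(findDescriptorFixed("sha256:missing")) // empty value, error
}
```

A caller that trusts the nil error from the buggy variant goes on to use an empty descriptor, which is why a regression test for the not-found path is the right guard.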
Since https://github.com/ostreedev/ostree/pull/1555, locking is
enabled by default in OSTree. Unfortunately it uses thread-private
data and it breaks the Golang bindings. Force the same thread for the
write operations to the OSTree repository.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Tools can use them to help users debug
We are seeing lots of issues with people taking podman and buildah and just
building them and installing them without creating a registries.conf file.
They end up doing
buildah from fedora
or
podman from fedora
And we report that fedora does not exist.
I would like to make podman/buildah smarter so that they could state something like
podman from fedora
fedora does not exist. Your /etc/containers/registries.conf and /etc/containers/registries.d directory are empty.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes #445. Added containerd/continuity dep since it is required by docker code that is required by this library.
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
The docker-archive and oci-archive transport should allow the
destination of the image to be valid without the reference part also.
Format is transport:path[:reference] where reference is optional.
This is for the case where a user just wants to save/push an image with
the image ID only and not the name.
Creates archives with empty repotags.
Signed-off-by: umohnani8 <umohnani@redhat.com>
To be backwards compatible with the v1 config format, fallback to using
https when no URI scheme is specified (e.g., "docker.io").
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
This commit exposes a variable `unixTempDirForBigFiles` to allow some
Linux distributions to use `/tmp`.
On NixOS, for instance, `/tmp` is not a tmpfs and Nix sandboxed builds
do not allow writing to `/var/tmp`, only to `/tmp`.
Note the `tmpdir.TemporaryDirectoryForBigFiles()` is now also used in
the `storage` package to create temporary directories.
Signed-off-by: Antoine Eiche <lewo@abesis.fr>
This is necessary for verification / policy enforcement of in-daemon
images.
It is awkward in that an image may have no name and be usable only by an
ID; such IDs could have a policy identity but they can’t really be
namespaced.
For now, implement policy configuration scopes only for named image
references; ID-only references use the root scope. This allows users to
make ID-only images untrusted or to reject them, forcing users to use
image names if they want the policy to approve. This gives a fairly
natural semantics, equivalent to docker: policies. ID-like policy
configuration scopes are forbidden. If truly necessary, we can add
support for single-ID policy IDs into the policy in the future, but
that’s unlikely to be too useful—IDs change over time, so such a policy
would not be likely to be persistent; and a single-use policy built for
a single image can just as well use the universal "" scope.
(Note that docker-daemon: and docker: namespaces are still separate in
the policy—images from any source can be loaded into the daemon via
(docker load) / copy to docker-daemon:, so there is in general no
expectation that the two namespaces are equal. Though a
special-purpose tool may well want to create an in-memory policy by
loading the system-wide one and grafting the docker:
PolicyTransportScopes map to docker-daemon: as well.)
[In many cases an image will have a unique RepoTags/RepoDigests value
which can be used to get _a_ name from the ID, probably the right guess.
For now we keep the ImageReference implementation dumb, though
inspecting the image by ID and giving the reference a tagged/digested
name is at least plausible in principle. Special-purpose tools
can script this without having to wait for daemonReference to add this.]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
1) docker tags api is paginated, so follow Link headers
2) an ImageSource (and thus a docker.Image) requires a tag to exist, so
this formerly could not operate on repos without a `latest` tag. This
reworks the function as a package function that takes an
ImageReference instead of a source, and uses the tag for policy
enforcement (but doesn't get upset if the tag is not provided, since
it defaults to "latest").
3) a backwards-compat function is provided that matches the old
function.
Signed-off-by: Mike Lundy <mike@fluffypenguin.org>
If the image is a public image, credentials are not needed to pull it,
try pulling the image even if XDG_RUNTIME_DIR is set to a non-existent path.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Introduce sysregistriesv2, which changes the format of the
`registries.conf` TOML configuration. Instead of having different lists
to specify search registries, blocked and insecure ones, all data is
encapsulated into one registry type. The registry type allows specifying
a list of mirrors, which can be used in the endpoint lookup to
serve, for instance, as pull through caches for the associated registry.
An example configuration may look as follows:
```toml
[[registry]]
url = "https://registry.com"
prefix = "another-registry.com"
[[registry.mirror]]
url = "http://registry-mirror.com"
insecure = true
```
The upper example shows the configuration for `https://registry.com`.
The prefix is used for matching images, and to translate one namespace
to another. If `prefix="example.com/bar"`, `url="https://example.com/foo/bar"`
and we pull from `example.com/bar/myimage:latest`, the image can
effectively be pulled from `example.com/foo/bar/myimage:latest`. If no
prefix is specified, it defaults to the specified URL.
Ease migration from sysregistries v1 to v2 by also loading
configurations in the v1 TOML format. Throw an error in case a config
tries to mix both formats. This allows a smoother migration for
developers, maintainers and the user, who can switch to the new config
format once all tools have been updated to v2.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
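
The prefix-to-URL translation described in this commit message, as an added example that is not the sysregistriesv2 implementation. The `Registry` struct, `location`, `matches` and `Rewrite` are hypothetical names; matching only on a path boundary, preferring the longest prefix, and stripping the scheme when the prefix defaults to the URL are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Registry holds the two fields from the example config (hypothetical type).
type Registry struct{ Prefix, URL string }

// location strips the URI scheme so a URL can be compared with an image name.
func location(url string) string {
	if i := strings.Index(url, "://"); i >= 0 {
		return url[i+3:]
	}
	return url
}

// matches reports whether ref lies inside the namespace prefix. Assumption:
// only whole path components match, so "example.com/bar" does not claim
// "example.com/barbaz/...", which would redirect an unrelated namespace.
func matches(ref, prefix string) bool {
	if !strings.HasPrefix(ref, prefix) {
		return false
	}
	rest := ref[len(prefix):]
	return rest == "" || strings.ContainsRune("/:@", rune(rest[0]))
}

// Rewrite translates ref through the longest matching prefix (assumption)
// and reports whether any registry entry matched.
func Rewrite(regs []Registry, ref string) (string, bool) {
	best, bestLen := -1, -1
	for i, r := range regs {
		p := r.Prefix
		if p == "" {
			p = location(r.URL) // no prefix: it defaults to the URL
		}
		if matches(ref, p) && len(p) > bestLen {
			best, bestLen = i, len(p)
		}
	}
	if best < 0 {
		return ref, false
	}
	return location(regs[best].URL) + ref[bestLen:], true
}

func main() {
	regs := []Registry{{"example.com/bar", "https://example.com/foo/bar"}}
	fmt.Println(Rewrite(regs, "example.com/bar/myimage:latest"))
}
```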
Add support to create a docker-archive with more than one RepoTag,
enabling users, such as skopeo, to create or copy multitag archives.
Support for other transports can be added in the future.
Fixes: https://github.com/containers/image/issues/447
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Add what the syntax of the oci and oci-archive transport should be if an error
is returned when preparing the destination.
Signed-off-by: umohnani8 <umohnani@redhat.com>
It would be nice if those could be canceled, although so far we seem not
to have any users which would benefit.
Many would be easily handled with a cancelable variant of io.Copy,
but a few might be much more involved.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>