Merge pull request #11205 from Shivkumar13/shivkumar-tls-fix

Support for --tls-verify flag in podman-run & podman-create

cmd/podman/common/create.go

@@ -544,6 +544,15 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
 	)
 	_ = cmd.RegisterFlagCompletionFunc(podIDFileFlagName, completion.AutocompleteDefault)
 
+	// Flag for TLS verification, so that `run` and `create` commands can make use of it.
+	// Make sure to use `=` while using this flag i.e `--tls-verify=false/true`
+	tlsVerifyFlagName := "tls-verify"
+	createFlags.BoolVar(
+		&cf.TLSVerify,
+		tlsVerifyFlagName, true,
+		"Require HTTPS and verify certificates when contacting registries for pulling images",
+	)
+
 	createFlags.BoolVar(
 		&cf.Privileged,
 		"privileged", false,

cmd/podman/common/create_opts.go

@@ -112,6 +112,7 @@ type ContainerCLIOpts struct {
 	Sysctl            []string
 	Systemd           string
 	Timeout           uint
+	TLSVerify         bool
 	TmpFS             []string
 	TTY               bool
 	Timezone          string

cmd/podman/containers/create.go

@@ -10,6 +10,7 @@ import (
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v3/cmd/podman/common"
 	"github.com/containers/podman/v3/cmd/podman/registry"
 	"github.com/containers/podman/v3/cmd/podman/utils"
@@ -261,7 +262,7 @@ func createInit(c *cobra.Command) error {
 }
 
 func pullImage(imageName string) (string, error) {
-	pullPolicy, err := config.ValidatePullPolicy(cliVals.Pull)
+	pullPolicy, err := config.ParsePullPolicy(cliVals.Pull)
 	if err != nil {
 		return "", err
 	}
@@ -287,6 +288,7 @@ func pullImage(imageName string) (string, error) {
 		Variant:         cliVals.Variant,
 		SignaturePolicy: cliVals.SignaturePolicy,
 		PullPolicy:      pullPolicy,
+		SkipTLSVerify:   types.NewOptionalBool(!cliVals.TLSVerify), // If Flag changed for TLS Verification
 	})
 	if pullErr != nil {
 		return "", pullErr

docs/source/markdown/podman-create.1.md

@@ -991,6 +991,10 @@ Maximum time a container is allowed to run before conmon sends it the kill
 signal.  By default containers will run until they exit or are stopped by
 `podman stop`.
 
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
 #### **--tmpfs**=*fs*
 
 Create a tmpfs mount

docs/source/markdown/podman-run.1.md

@@ -1048,6 +1048,10 @@ Maximum time a container is allowed to run before conmon sends it the kill
 signal.  By default containers will run until they exit or are stopped by
 `podman stop`.
 
+#### **--tls-verify**=**true**|**false**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+
 #### **--tmpfs**=*fs*
 
 Create a tmpfs mount.

test/e2e/create_test.go

@@ -60,10 +60,24 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("podman container create container based on a remote image", func() {
-		session := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+		containerCreate := podmanTest.Podman([]string{"container", "create", BB_GLIBC, "ls"})
+		containerCreate.WaitWithDefaultTimeout()
+		Expect(containerCreate).Should(Exit(0))
+
+		lock := GetPortLock("5000")
+		defer lock.Unlock()
+		session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(podmanTest.NumberOfContainers()).To(Equal(1))
+
+		if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+			Skip("Cannot start docker registry.")
+		}
+
+		create := podmanTest.Podman([]string{"container", "create", "--tls-verify=false", ALPINE})
+		create.WaitWithDefaultTimeout()
+		Expect(create).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainers()).To(Equal(3))
 	})
 
 	It("podman create using short options", func() {
@@ -609,7 +623,7 @@ var _ = Describe("Podman create", func() {
 		Expect(session).Should(ExitWithError())
 	})
 
-	It("create container in pod ppublish ports should fail", func() {
+	It("create container in pod publish ports should fail", func() {
 		name := "createwithpublishports"
 		pod := podmanTest.RunTopContainerInPod("", "new:"+name)
 		pod.WaitWithDefaultTimeout()

test/e2e/run_test.go

@@ -166,9 +166,25 @@ var _ = Describe("Podman run", func() {
 	})
 
 	It("podman run a container based on remote image", func() {
-		session := podmanTest.Podman([]string{"run", "-dt", BB_GLIBC, "ls"})
+		// Changing session to rsession
+		rsession := podmanTest.Podman([]string{"run", "-dt", ALPINE, "ls"})
+		rsession.WaitWithDefaultTimeout()
+		Expect(rsession).Should(Exit(0))
+
+		lock := GetPortLock("5000")
+		defer lock.Unlock()
+		session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
+
+		if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) {
+			Skip("Cannot start docker registry.")
+		}
+
+		run := podmanTest.Podman([]string{"run", "--tls-verify=false", ALPINE})
+		run.WaitWithDefaultTimeout()
+		Expect(run).Should(Exit(0))
+		Expect(podmanTest.NumberOfContainers()).To(Equal(3))
 	})
 
 	It("podman run a container with a --rootfs", func() {