--insecure and --verbose flags for docker compatibility
--tls-verify for syntax compatibility and allow users to inspect
manifests at remote Container Registiries without requiring tls.
Helps fix: https://github.com/containers/podman/issues/14917
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 32f54a81ed.
`pkg/bindings` is supported outside of podman and we have to keep it
stable.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Accept a --amend flag in `podman manifest create`, and treat
`--insecure` as we would `--tls-verify=false` in `podman manifest`'s
"add", "create", and "push" subcommands.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
`podman-remote manifest push` has shown absolutely no progress at all.
Fix that by doing the same as the remote-push code does.
Like remote-push, `quiet` parameter is true by default for backwards
compatibility.
Signed-off-by: Naoto Kobayashi <naoto.kobayashi4c@gmail.com>
Bindings already support `Remove` which removes a manifest from the list
following function adds support for removing entire manifest for local
storage.
Similar functionality can be also used indirectly by using `Remove` defined in
image bindings
Signed-off-by: Aditya R <arajan@redhat.com>
* Update method/function signatures use the manifest list name and
images associated with the operation explicitly, in general
func f(ctx context.Context, manifestListName string,
ImageNames []string, options *fOptions)
* Leverage gorilla/mux Subrouters to support API v3.x and v4.x for
manifests
* Make manifest API endpoints more RESTful
* Add PUT /manifest/{id} to update existing manifests
* Add manifests.Annotate to go bindings, uncommented unit test
* Add DELETE /manifest/{Id} to remove existing manifest list, use
PUT /manifest/{id} to remove images from a list
* Deprecated POST /manifest/{id}/add and /manifest/{id}/remove, use
PUT /manifest/{id} instead
* Corrected swagger godoc and updated to cover API changes
* Update podman manifest commands to use registry.Context()
* Expose utils.GetVar() to obtain query parameters by name
* Unexpose server.registerSwaggerHandlers, not sure why this was ever
exposed.
* Refactored code to use http.Header instead of map[string]string when
operating on HTTP headers.
* Add API-Version header support in bindings to allow calling explicate
versions of the API. Header is _NOT_ forwarded to the API service.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When doing a podman images, manifests lists look just like images, so
it is logical that users would assume that they can just podman push them
to a registry. The problem is we throw out weird errors when this happens
and users need to somehow figure out this is a manifest list rather then
an image, and frankly the user will not understand the difference.
This PR will make podman push just do the right thing, by failing over and
attempting to push the manifest if it fails to push the image.
Fix up handling of manifest push
Protocol should bring back a digest string, which can either be
printed or stored in a file.
We should not reimplement the manifest push setup code in the tunnel
code but take advantage of the api path, to make sure remote and local
work the same way.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Extend the flags of `podman manifest add` to include also:
* cert-dir
* auth-file
* creds
* tls-verify
These options are useful when adding to a manifest an image that is not
part of the local image store. The image resides on a remote registry
that falls into one of these cases: it's not using tls termination, it requires
authentication or it's secured with an unknown tls certificate.
Consider the following scenario: a multi architecture manifest is created as
part of a multi-step CI pipeline running in a containerized way.
All the images referenced by the manifest live inside of a registry
secured with a self-signed tls certificate.
Without this patch the manifest creation step would have to pull all the
multi-architecture images locally via `podman pull`.
With this patch the usage of `podman pull` would not be needed because the
images' digests can be requested straight to the registry. That means the
execution of manifest creation step would be faster and result in less disk
space and network bandwidth being used.
Finally, this is a propagation of a similar fix done inside of buildah
via https://github.com/containers/buildah/pull/2593
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
* Support the `X-Registry-Auth` http-request header.
* The content of the header is a base64 encoded JSON payload which can
either be a single auth config or a map of auth configs (user+pw or
token) with the corresponding registries being the keys. Vanilla
Docker, projectatomic Docker and the bindings are transparantly
supported.
* Add a hidden `--registries-conf` flag. Buildah exposes the same
flag, mostly for testing purposes.
* Do all credential parsing in the client (i.e., `cmd/podman`) pass
the username and password in the backend instead of unparsed
credentials.
* Add a `pkg/auth` which handles most of the heavy lifting.
* Go through the authentication-handling code of most commands, bindings
and endpoints. Migrate them to the new code and fix issues as seen.
A final evaluation and more tests is still required *after* this
change.
* The manifest-push endpoint is missing certain parameters and should
use the ABI function instead. Adding auth-support isn't really
possible without these parts working.
* The container commands and endpoints (i.e., create and run) have not
been changed yet. The APIs don't yet account for the authfile.
* Add authentication tests to `pkg/bindings`.
Fixes: #6384
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Toshiki Sonoda
Daniel J Walsh
Paul Holzinger
Nalin Dahyabhai
Naoto Kobayashi
Aditya R
Jhon Honce
Valentin Rothberg
Flavio Castelli
Qi Wang