do not require policy.json
we are having second thoughts about *requiring* a policy.json on podman machine hosts. we are concerned that we need to work out some more use cases to be sure we do not make choices now that limit us in the near term future. for example, should the policy files be the same for container images and machine images? And should one live on the host machine and the other live in the machine? therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it is not, we will allow the machine image to be pulled without a policy. Signed-off-by: Brent Baude <baude@redhat.com> Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com> Signed-off-by: Brent Baude <bbaude@redhat.com>pull/22014/head
parent
c2695fc9d2
commit
d7bc7b7b41
6
Makefile
6
Makefile
|
@ -103,7 +103,6 @@ FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d
|
|||
|
||||
SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo -Z)
|
||||
|
||||
MACHINE_POLICY_JSON_DIR ?= .
|
||||
|
||||
COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
|
||||
GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),$(call err_if_empty,COMMIT_NO)-dirty,$(COMMIT_NO))
|
||||
|
@ -121,7 +120,6 @@ LDFLAGS_PODMAN ?= \
|
|||
-X $(LIBPOD)/config._installPrefix=$(PREFIX) \
|
||||
-X $(LIBPOD)/config._etcDir=$(ETCDIR) \
|
||||
-X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \
|
||||
-X $(PROJECT)/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR) \
|
||||
-X github.com/containers/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\
|
||||
$(EXTRA_LDFLAGS)
|
||||
LDFLAGS_PODMAN_STATIC ?= \
|
||||
|
@ -782,10 +780,6 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$
|
|||
cp -r ./docs/build/remote/$(GOOS) "$(tmpsubdir)/$(releasedir)/docs/"
|
||||
cp ./contrib/remote/containers.conf "$(tmpsubdir)/$(releasedir)/"
|
||||
$(MAKE) $(GOPLAT) $(_dstargs) SELINUXOPT="" install.remote
|
||||
# Placing the policy file in the bin directory is intentional This
|
||||
# could be changed in the future to mirror LSB on Linux/Unix but would
|
||||
# require path resolution logic changes to sustain the Win flat model
|
||||
cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/$(RELEASE_PREFIX)/bin"
|
||||
cd "$(tmpsubdir)" && \
|
||||
zip --recurse-paths "$(CURDIR)/$@" "./$(releasedir)"
|
||||
if [[ "$(GOARCH)" != "$(NATIVE_GOARCH)" ]]; then $(MAKE) clean-binaries; fi
|
||||
|
|
|
@ -47,8 +47,9 @@ package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit
|
|||
cp $(TMP_BIN)/gvproxy $(PACKAGE_ROOT)/podman/bin/
|
||||
cp $(TMP_BIN)/vfkit $(PACKAGE_ROOT)/podman/bin/
|
||||
chmod a+x $(PACKAGE_ROOT)/podman/bin/*
|
||||
mkdir $(PACKAGE_ROOT)/podman/config
|
||||
cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
|
||||
# Leaving for future considerations
|
||||
# mkdir $(PACKAGE_ROOT)/podman/config
|
||||
# cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
|
||||
|
||||
%: %.in podman_version
|
||||
@sed -e 's/__VERSION__/'$(shell ../../test/version/version)'/g' $< >$@
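Review bot: The removed packaging steps are kept as commented-out lines under `# Leaving for future considerations` instead of being dropped, and the same pattern appears in the two PowerShell hunks below under `# Retaining for possible future additions` and `# Retaining for future additions`. Git history already preserves these lines, and commented-out code drifts out of sync with what it references (for example MACHINE_POLICY_JSON_DIR, which this commit removes from the top-level Makefile). Deleting the blocks, or replacing each with a one-line comment pointing at this commit, keeps the build files readable.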
|
||||
|
|
|
@ -41,7 +41,7 @@ function build_podman() {
|
|||
}
|
||||
|
||||
function build_podman_arch(){
|
||||
make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" MACHINE_POLICY_JSON_DIR="${MACHINE_POLICY_JSON_DIR}"
|
||||
make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
|
||||
make -B GOARCH="$1" podman-mac-helper
|
||||
mkdir -p "${tmpBin}"
|
||||
cp bin/darwin/podman "${tmpBin}/podman-$1"
|
||||
|
|
|
@ -144,13 +144,13 @@ if ($gvExists) {
|
|||
$env:UseGVProxy = "Skip"
|
||||
}
|
||||
|
||||
$pExists = Test-Path "artifacts/policy.json"
|
||||
if ($pExists) {
|
||||
Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
|
||||
} else {
|
||||
$env:IncludePolicyJSON = "Skip"
|
||||
}
|
||||
|
||||
# Retaining for possible future additions
|
||||
# $pExists = Test-Path "artifacts/policy.json"
|
||||
# if ($pExists) {
|
||||
# Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
|
||||
# } else {
|
||||
# $env:IncludePolicyJSON = "Skip"
|
||||
# }
|
||||
.\build-msi.bat $ENV:INSTVER; ExitOnError
|
||||
SignItem @("podman.msi")
|
||||
|
||||
|
|
|
@ -12,11 +12,6 @@
|
|||
<?define UseGVProxy = ""?>
|
||||
<?endif?>
|
||||
|
||||
<?ifdef env.IncludePolicyJSON?>
|
||||
<?define IncludePolicyJSON = "$(env.IncludePolicyJSON)"?>
|
||||
<?else?>
|
||||
<?define IncludePolicyJSON = ""?>
|
||||
<?endif?>
|
||||
|
||||
<Product Name="Podman $(var.VERSION)" Id="*" UpgradeCode="696BAB5D-CA1F-4B05-B123-320F245B8D6D" Version="$(var.VERSION)" Language="1033" Manufacturer="Red Hat Inc.">
|
||||
|
||||
|
@ -47,11 +42,6 @@
|
|||
<File Id="GvProxyExecutableFile" Name="gvproxy.exe" Source="artifacts/gvproxy.exe" KeyPath="yes"/>
|
||||
</Component>
|
||||
<?endif?>
|
||||
<?if $(var.IncludePolicyJSON) != Skip?>
|
||||
<Component Id="PolicyJSON" Guid="C6135EDA-7C17-4A0E-BC52-5AB38BD54A61" Win64="yes">
|
||||
<File Id="PolicyJSONFile" Name="policy.json" Source="artifacts/policy.json" KeyPath="yes"/>
|
||||
</Component>
|
||||
<?endif?>
|
||||
<Component Id="GuideHTMLComponent" Guid="8B23C76B-F7D4-4030-8C46-1B5729E616B5" Win64="yes">
|
||||
<File Id="GuideHTMLFile" Name="welcome-podman.html" Source="docs/podman-for-windows.html" KeyPath="yes"/>
|
||||
</Component>
|
||||
|
@ -85,9 +75,6 @@
|
|||
<?if $(var.UseGVProxy) != Skip?>
|
||||
<ComponentRef Id="GvProxyExecutable"/>
|
||||
<?endif?>
|
||||
<?if $(var.IncludePolicyJSON) != Skip?>
|
||||
<ComponentRef Id="PolicyJSON"/>
|
||||
<?endif?>
|
||||
<ComponentRef Id="GuideHTMLComponent"/>
|
||||
<ComponentGroupRef Id="ManFiles"/>
|
||||
<ComponentGroupRef Id="WSLFeature"/>
|
||||
|
|
|
@ -135,12 +135,13 @@ try {
|
|||
Copy-Artifact("gvproxy.exe")
|
||||
}
|
||||
|
||||
$loc = Get-ChildItem -Recurse -Path . -Name policy.json
|
||||
if (!$loc) {
|
||||
Write-Host "Skipping policy.json artifact"
|
||||
} else {
|
||||
Copy-Artifact("policy.json")
|
||||
}
|
||||
# Retaining for future additions
|
||||
# $loc = Get-ChildItem -Recurse -Path . -Name policy.json
|
||||
# if (!$loc) {
|
||||
# Write-Host "Skipping policy.json artifact"
|
||||
# } else {
|
||||
# Copy-Artifact("policy.json")
|
||||
# }
|
||||
|
||||
$docsloc = Get-ChildItem -Path . -Name docs -Recurse
|
||||
$loc = Get-ChildItem -Recurse -Path . -Name podman-for-windows.html
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
package ocipull
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where
|
||||
|
@ -15,33 +16,18 @@ var DefaultPolicyJSONPath = ""
|
|||
|
||||
const policyfile = "policy.json"
|
||||
|
||||
type defaultPolicyError struct {
|
||||
errs []error
|
||||
}
|
||||
|
||||
func (e *defaultPolicyError) Error() string {
|
||||
return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs)
|
||||
}
|
||||
|
||||
func policyPath() (string, error) {
|
||||
// policyPaths returns a slice of possible directories where a policy.json might live
|
||||
func policyPaths() []string {
|
||||
paths := localPolicyOverwrites()
|
||||
errs := make([]error, 0, len(paths))
|
||||
for _, path := range paths {
|
||||
_, err := os.Stat(path)
|
||||
if err == nil {
|
||||
return path, nil
|
||||
}
|
||||
errs = append(errs, err)
|
||||
}
|
||||
if DefaultPolicyJSONPath != "" {
|
||||
if filepath.IsAbs(DefaultPolicyJSONPath) {
|
||||
return filepath.Join(DefaultPolicyJSONPath, policyfile), nil
|
||||
return append(paths, filepath.Join(DefaultPolicyJSONPath, policyfile))
|
||||
}
|
||||
p, err := os.Executable()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not resolve relative path to binary: %w", err)
|
||||
logrus.Warnf("could not resolve relative path to binary: %q", err)
|
||||
}
|
||||
return filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile), nil
|
||||
paths = append(paths, filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile))
|
||||
}
|
||||
return "", &defaultPolicyError{errs: errs}
|
||||
return paths
|
||||
}
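Review bot: When os.Executable() fails, policyPaths only logs the warning and then still appends `filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile)` with p == "", so filepath.Dir("") yields "." and the candidate becomes a path relative to the current working directory, meaning a policy.json in whatever directory podman happens to be run from would be honored rather than one next to the binary. Returning early after the warning, `if err != nil { logrus.Warnf("could not resolve relative path to binary: %q", err); return paths }`, keeps the candidate list to the intended locations. With the Makefile hunk above removing the -X ...DefaultPolicyJSONPath ldflag, this branch appears reachable only for builds that set the variable themselves, which is worth stating in the comment on DefaultPolicyJSONPath if that is intended. The doc comment also says the function returns directories, but every entry already has policyfile joined on, so `// policyPaths returns candidate policy.json file paths, in lookup order` would be more accurate.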
|
||||
|
|
|
@ -2,7 +2,9 @@ package ocipull
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os"
|
||||
|
||||
"github.com/containers/buildah/pkg/parse"
|
||||
|
@ -13,6 +15,7 @@ import (
|
|||
"github.com/containers/image/v5/transports/alltransports"
|
||||
"github.com/containers/image/v5/types"
|
||||
"github.com/containers/podman/v5/pkg/machine/define"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// PullOptions includes data to alter certain knobs when pulling a source
|
||||
|
@ -26,8 +29,17 @@ type PullOptions struct {
|
|||
Quiet bool
|
||||
}
|
||||
|
||||
var (
|
||||
// noSignaturePolicy is a default policy if policy.json is not found on
|
||||
// the host machine.
|
||||
noSignaturePolicy string = `{"default":[{"type":"insecureAcceptAnything"}]}`
|
||||
)
|
||||
|
||||
// Pull `imageInput` from a container registry to `sourcePath`.
|
||||
func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *define.VMFile, options *PullOptions) error {
|
||||
var (
|
||||
policy *signature.Policy
|
||||
)
|
||||
destRef, err := layout.ParseReference(localDestPath.GetPath())
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -44,15 +56,28 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
|
|||
sysCtx.DockerAuthConfig = authConf
|
||||
}
|
||||
|
||||
path, err := policyPath()
|
||||
if err != nil {
|
||||
return err
|
||||
// Policy paths returns a slice of directories where the policy.json
|
||||
// may live. Iterate those directories and try to see if any are
|
||||
// valid ignoring when the file does not exist
|
||||
for _, path := range policyPaths() {
|
||||
policy, err = signature.NewPolicyFromFile(path)
|
||||
if err != nil {
|
||||
if errors.Is(err, fs.ErrNotExist) {
|
||||
continue
|
||||
}
|
||||
return fmt.Errorf("reading signature policy: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
policy, err := signature.NewPolicyFromFile(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("obtaining signature policy: %w", err)
|
||||
// If no policy has been found yet, we use a no signature policy automatically
|
||||
if policy == nil {
|
||||
logrus.Debug("no signature policy file found: using default allow everything signature policy")
|
||||
policy, err = signature.NewPolicyFromBytes([]byte(noSignaturePolicy))
|
||||
if err != nil {
|
||||
return fmt.Errorf("obtaining signature policy: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
policyContext, err := signature.NewPolicyContext(policy)
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating new signature policy context: %w", err)
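Review bot: The loop over policyPaths() never breaks after signature.NewPolicyFromFile succeeds, so every candidate is tried and `policy, err = ...` is overwritten by the last one; if an earlier path holds a valid policy and the final candidate does not exist, policy is reset to the nil result and the insecureAcceptAnything fallback is used even though a policy file was present. Adding `break` after the `if err != nil { ... }` block inside the loop keeps the first policy found, which is the behavior the commit message describes. Since the fallback disables signature verification for the pull, consider `logrus.Warn` rather than `logrus.Debug` for the "no signature policy file found" message so the downgrade is visible in default output. The comment above the loop says policyPaths returns directories, but each entry is passed straight to NewPolicyFromFile as a file path; `// policyPaths returns candidate policy.json file paths` would be accurate. Pull begins and ends outside this hunk.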
|
||||
|
|