containers/podman 5411

Podman: A tool for managing OCI containers and pods

containers/buildah 3253

A tool that facilitates building OCI images

containers/skopeo 2538

Work with remote image registries: retrieving information, images, signing content

mtrmac/api 0

Canonical location of the OpenShift API definition.

mtrmac/atomic 0

Atomic Run Tool for installing/running/managing container images.

mtrmac/atomic-enterprise-training 0

Atomic Enterprise Training

mtrmac/buildah 0

A tool that facilitates building OCI images

mtrmac/builder 0

The image run by build pods to execute image building+pushing

mtrmac/cli 0

A simple, fast, and fun package for building command line apps in Go

Pull request review comment containers/image

use DOCKER_CONFIG if set

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}-	paths = append(paths,-		authPath{path: filepath.Join(homedir.Get(), dockerHomePath), legacyFormat: false},-		authPath{path: filepath.Join(homedir.Get(), dockerLegacyHomePath), legacyFormat: true},-	)+	if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {+		paths = append(paths,+			authPath{path: filepath.Join(dockerConfig, "config.json"), legacyFormat: false},+		)+	} else {+		paths = append(paths,+			authPath{path: filepath.Join(homedir.Get(), dockerHomePath), legacyFormat: false},+			authPath{path: filepath.Join(homedir.Get(), dockerLegacyHomePath), legacyFormat: true},+		)+	}
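Review bot: with DOCKER_CONFIG set, the new branch drops the legacy `dockerLegacyHomePath` entry entirely, so a user whose only credentials are in ~/.dockercfg loses them just by exporting the variable; unless that is the intended semantics, append the legacy path outside the if/else so only the `config.json` entry is redirected. Also, the value is used verbatim in `filepath.Join(dockerConfig, "config.json")`: a relative DOCKER_CONFIG resolves against the process working directory, and the `sys *types.SystemContext` parameter gives a caller no way to opt out of environment-driven lookup, so at least document that only absolute paths are supported.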

Sure, but we never want to end up researching why the two behave differently when we can easily prevent it before merging the PR.

rittneje

comment created time in 11 hours

pull request comment containers/image

copy: drop the check on the size of cached blobs

Actually, how does this fail precisely? Looking at storage commit b8e0174ae6b2dc083d9ada365b9a207371aa62a6, CompressedSize and CompressedDigest are always updated together, and immediately before CompressedDigest is updated, the map used to look up LayersByCompressedDigest is updated. So, we should never get into the blobinfo.Digest != layers[0].CompressedDigest case AFAICS.

(Overall, before roughly the introduction of TryReusingBlob, the code is not very ready for substituting different blobs, and I’d lean towards dropping the reuse (forcing a re-pull of the layer) if we did have to change something, rather than introducing the new / never-before-exercised situations into a very old very stable branch. But right now I must be missing something.)

fgiudici

comment created time in 11 hours

pull request comment containers/image

copy: drop the check on the size of cached blobs

Following the idea in the comment above, added a commit to check if, when we found a cached layer by the uncompressed digest, the compressed digest matches too: if it does, we return the cached compressed size as before. If not, we have different compressed archives and we return the compressed size of the source image.

That doesn’t work in general because the input blobInfo.Size value may be -1 (unknown), but must not be unknown when returned from ReapplyBlob.

fgiudici

comment created time in 11 hours

Pull request review comment containers/image

use DOCKER_CONFIG if set

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}-	paths = append(paths,-		authPath{path: filepath.Join(homedir.Get(), dockerHomePath), legacyFormat: false},-		authPath{path: filepath.Join(homedir.Get(), dockerLegacyHomePath), legacyFormat: true},-	)+	if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {+		paths = append(paths,+			authPath{path: filepath.Join(dockerConfig, "config.json"), legacyFormat: false},+		)+	} else {+		paths = append(paths,+			authPath{path: filepath.Join(homedir.Get(), dockerHomePath), legacyFormat: false},+			authPath{path: filepath.Join(homedir.Get(), dockerLegacyHomePath), legacyFormat: true},+		)+	}

No, the legacy file always uses $HOME AFAICS, and is not ignored when DOCKER_CONFIG is set.

rittneje

comment created time in 12 hours

pull request comment containers/image

Fix CI in cri-o-release-1.11 branch

A quick drive-by comment: Rather than update formatting to conform to some recent version, it would be cleaner to freeze the Go or gofmt version back to the version at the branching time, to minimize the number of changes on the branch (and indirectly in CRI-O). (OTOH I haven’t checked whether that’s even possible.)

Good point! I completely agree. I checked, the gofmt is taken from the distro.

It’s actually coming from the Go 1.9.2 tarball extracted in .travis.Dockerfile AFAICS.

Also switching back to the "artic" release, the gofmt version will report the unsorted import. You’re right about that — actually the breakage comes from a naive backport of 42fb012c4cb109d8a57a954e2673b6eb0b541834, it’s not a version discrepancy as I assumed.

So, please just fix the code to conform; I’m sorry about the hassle.

fgiudici

comment created time in 12 hours

Pull request review comment containers/image

Fix CI in cri-o-release-1.11 branch

 test-skopeo: 	@export GOPATH=$$(mktemp -d) && \ 		skopeo_path=$${GOPATH}/src/github.com/containers/skopeo && \ 		vendor_path=$${skopeo_path}/vendor/github.com/containers/image && \-		git clone -b $(SKOPEO_BRANCH) https://github.com/$(SKOPEO_REPO) $${skopeo_path} && \-		rm -rf $${vendor_path} && cp -r . $${vendor_path} && rm -rf $${vendor_path}/vendor && \-		cd $${skopeo_path} && \+		git clone https://github.com/$(SKOPEO_REPO) $${skopeo_path} && \+		cd $${skopeo_path} && git checkout $(SKOPEO_BRANCH) && \+		sed -i 's/FROM fedora/FROM fedora:30/g' Dockerfile && \
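Review bot: the `sed -i 's/FROM fedora/FROM fedora:30/g' Dockerfile` pattern is unanchored, so if the checked-out Skopeo Dockerfile already pins a tag (for example `FROM fedora:29`) the result is `FROM fedora:30:29` and the build fails for an unrelated reason; match the whole line (`s/^FROM fedora$/FROM fedora:30/`) or, since SKOPEO_BRANCH is now a pinned commit, pick a commit whose Dockerfile already has the wanted base and drop the sed. Separately, `git clone` followed by `cd $${skopeo_path} && git checkout $(SKOPEO_BRANCH)` changes the recipe's working directory for every line that follows, which is what forces the next hunk to hard-code paths.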

The tests are failing due to

gpg: agent_genkey failed: No pinentry
gpg: key generation failed: No pinentry

And fedora:30 is newer than this code. At least this particular failure can be avoided by going back to :29.

fgiudici

comment created time in 12 hours

Pull request review comment containers/image

Fix CI in cri-o-release-1.11 branch

  # Which github repository and branch to use for testing with skopeo SKOPEO_REPO = containers/skopeo-SKOPEO_BRANCH = master+SKOPEO_BRANCH = 2b97124e
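Review bot: the comment line still says "repository and branch" while `SKOPEO_BRANCH = 2b97124e` is now an abbreviated commit hash; update the comment (and ideally the variable name) so readers know this is a pinned commit, and use the full 40-character hash rather than an 8-character prefix, which can become ambiguous as Skopeo's history grows and which git then refuses to check out.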

It doesn’t make much sense to me to use Skopeo commit 2b97124e4ac18c5f56650b89b8710bd5dc450fee (which introduces the two-return-value version of copy.Image) without including the immediately following 2734f93e301c441aabadf1902b7771e3c42bec70.

The immediately preceding commit might be a better fit.

fgiudici

comment created time in 12 hours

Pull request review comment containers/image

Fix CI in cri-o-release-1.11 branch

 test-skopeo: 	@export GOPATH=$$(mktemp -d) && \ 		skopeo_path=$${GOPATH}/src/github.com/containers/skopeo && \ 		vendor_path=$${skopeo_path}/vendor/github.com/containers/image && \-		git clone -b $(SKOPEO_BRANCH) https://github.com/$(SKOPEO_REPO) $${skopeo_path} && \-		rm -rf $${vendor_path} && cp -r . $${vendor_path} && rm -rf $${vendor_path}/vendor && \-		cd $${skopeo_path} && \+		git clone https://github.com/$(SKOPEO_REPO) $${skopeo_path} && \+		cd $${skopeo_path} && git checkout $(SKOPEO_BRANCH) && \+		sed -i 's/FROM fedora/FROM fedora:30/g' Dockerfile && \+		rm -rf $${vendor_path} && cp -r /gopath/src/github.com/containers/image $${vendor_path} && rm -rf $${vendor_path}/vendor && \
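Review bot: `cp -r /gopath/src/github.com/containers/image $${vendor_path}` hard-codes the CI container's GOPATH layout into the Makefile, and it is only needed because the preceding `cd $${skopeo_path}` moved the shell away from the c/image checkout that `cp -r .` used to copy. Running the checkout in a subshell, `(cd $${skopeo_path} && git checkout $(SKOPEO_BRANCH)) && \`, keeps the original line unchanged; if an absolute path is wanted anyway, Make's `$(CURDIR)` is expanded before the recipe runs and names the c/image tree without assuming `/gopath`.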

Does anything change about what this line does? If not, wrapping the git checkout in a subshell, (cd … && git checkout) &&, should allow not changing this line, to make it clearer that nothing is going on, and avoid hard-coding the container layout in this Makefile.

fgiudici

comment created time in 12 hours

push event mtrmac/skopeo

dependabot-preview[bot]

commit sha 4eda1d092d762f05f34ac42fba3eaedca01e35d8

Bump github.com/containers/storage from 1.23.4 to 1.23.5 Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.23.4 to 1.23.5. - [Release notes](https://github.com/containers/storage/releases) - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md) - [Commits](https://github.com/containers/storage/compare/v1.23.4...v1.23.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Daniel J Walsh

commit sha 62bafb102de09d25c1dba2cb9738319d9df3c782

Fix problems found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Daniel J Walsh

commit sha 45a9efb37f5ea8588496652366b728224dc6ee19

Merge pull request #1039 from containers/dependabot/go_modules/github.com/containers/storage-1.23.5 Bump github.com/containers/storage from 1.23.4 to 1.23.5

dependabot-preview[bot]

commit sha 05d172a1f5043befa59f0c2be190c22cebf50e3d

Bump github.com/containers/common from 0.21.0 to 0.22.0 Bumps [github.com/containers/common](https://github.com/containers/common) from 0.21.0 to 0.22.0. - [Release notes](https://github.com/containers/common/releases) - [Commits](https://github.com/containers/common/compare/v0.21.0...v0.22.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Miloslav Trmač

commit sha 12ab19f5fd2b6d6cb8c0a70783c73dccd2b5968a

Merge pull request #1043 from containers/dependabot/go_modules/github.com/containers/common-0.22.0 Bump github.com/containers/common from 0.21.0 to 0.22.0

Daniel J Walsh

commit sha bbd800f974f042c6e40b943a39b31ae14234d0d2

Merge pull request #1042 from rhatdan/codespell Fix problems found by codespell

dependabot-preview[bot]

commit sha 1d0b1671f8763b06d0ce7930b7ce9d1df8ed5f7f

Bump github.com/containers/image/v5 from 5.5.2 to 5.6.0 Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.5.2 to 5.6.0. - [Release notes](https://github.com/containers/image/releases) - [Commits](https://github.com/containers/image/compare/v5.5.2...v5.6.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Wong Hoi Sing Edison

commit sha ec17cfcbf1ae808ac73cec9c20a44be3d0e2c935

Update nix pin with `make nixpkgs` Signed-off-by: Wong Hoi Sing Edison <hswong3i@gmail.com>

Alvaro Iradier

commit sha 3c73c0c0cd0f96c537d9c90f9ae9a3ed19f045b0

Add --registry-token flags to support Bearer token authentication Signed-off-by: Alvaro Iradier <airadier@gmail.com>

Alvaro Iradier

commit sha 2d5f12b9a63d12eceb4b190e2ed45eb901114674

Add --registry-token tests to utils_tests.go Signed-off-by: Alvaro Iradier <airadier@gmail.com>

Alvaro Iradier

commit sha 242b573f9aee53155e06d3000918e8222b129d70

Adding periods

Alvaro Iradier

commit sha 467b462b79f98b32a0bcc7490bd295245fca531c

Keep options order in code and add missing bash completions

Miloslav Trmač

commit sha 77293ff9c42a9c8d3db36a6c02fe26c70b232ec9

Merge pull request #1047 from airadier/registry-token-cli-flag Add --registry-token flags to support Bearer token authentication

Daniel J Walsh

commit sha cbd7fb7d377b2ce573ea2a7f0144a8ae6371563b

Merge pull request #1045 from containers/dependabot/go_modules/github.com/containers/image/v5-5.6.0 Bump github.com/containers/image/v5 from 5.5.2 to 5.6.0

Daniel J Walsh

commit sha 8151b89b8161e4b0d378df2e10a9c8601fed08b2

Merge pull request #1038 from alvistack/master-linux-amd64 Update nix pin with `make nixpkgs`

Daniel J Walsh

commit sha 2b4097bc13e7ba1d16a5225e2292a5cf88072f63

Bump to v1.2.0 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Daniel J Walsh

commit sha 3a75b51b59901fb84230a7247fbf95509a8553e6

Move to v1.2.1-dev Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Lokesh Mandvekar

commit sha 248a1dd01a5ab42c95b6b01cf6f5bf5ac8eff70b

include OBS install steps for CentOS additional formatting changes Co-authored-by: Tom Sweeney <tsweeney@redhat.com> Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

Daniel J Walsh

commit sha f91a9c569db3d1bc345f1122fa000973114b59e9

Merge pull request #1049 from rhatdan/VENDOR Bump to v1.2.0

dependabot-preview[bot]

commit sha 1c45df1e035cd787c96f94fb8d1f6c40a7da9488

Bump github.com/containers/common from 0.22.0 to 0.23.0 Bumps [github.com/containers/common](https://github.com/containers/common) from 0.22.0 to 0.23.0. - [Release notes](https://github.com/containers/common/releases) - [Commits](https://github.com/containers/common/compare/v0.22.0...v0.23.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

push time in 12 hours

issue closed containers/skopeo

skopeo inspect ignores docker login credentials

The readme currently says this:

skopeo uses credentials from the --creds (for skopeo inspect|delete) or --src-creds|--dest-creds (for skopeo copy) flags, if set; otherwise it uses configuration set by skopeo login, podman login, buildah login, or docker login.

I have already logged into my private registry via docker login. My ~/.docker/config.json file looks like this:

{
	"auths": {
		"<private-registry>": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (darwin)"
	},
	"credsStore": "desktop",
	"experimental": "disabled",
	"stackOrchestrator": "swarm"
}

However, using skopeo v1.2.0, skopeo inspect docker://<private-registry>/<img>:<tag> always fails with an error:

FATA[0000] Error parsing image name "docker://<private-registry>/<img>:<tag>": unable to retrieve auth token: invalid username/password: unknown: Authentication is required 

Passing credentials manually via --creds does work as expected. The private registry is hosted on JFrog Artifactory, if it matters.

closed time in 13 hours

rittneje

issue comment containers/skopeo

skopeo inspect ignores docker login credentials

Thanks for your report. As you note, this is a missing functionality in c/image, and will be fixed in there.

rittneje

comment created time in 13 hours

pull request comment containers/image

Bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0

@dependabot rebase

dependabot-preview[bot]

comment created time in 13 hours

delete branch mtrmac/image

delete branch : certificates

delete time in 13 hours

push event containers/image

Miloslav Trmač

commit sha 36eb57cf89d4aee693630c3014fb47f73f1636b9

Extend the lifetime of test certificates to 10 years ... so that we don't have to re-generate every year. Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Miloslav Trmač

commit sha 4d44c78ff71802f321cf47b38eec9502f71f6e8b

Regenerate oci/layout fixture certificates Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Miloslav Trmač

commit sha a5061e5a5f00333ea3a92e7103effd11c6e2f51d

Merge pull request #1057 from mtrmac/certificates Regenerate expired certificates

push time in 13 hours

PR merged containers/image

Regenerate expired certificates

… to fix CI.

Thanks to Jesse Rittner rittneje@gmail.com (@rittneje) for preparing this in #1056.

+28 -28

2 comments

5 changed files

mtrmac

pr closed time in 13 hours

pull request comment containers/image

Regenerate expired certificates

@vrothberg PTAL again

mtrmac

comment created time in 13 hours

pull request comment containers/image

Regenerate expired certificates

Actually:

  • Let’s extend the lifetime of certificates to 10 years
  • And update the rejected_certs one as well, so that we are testing trust, not just expiration.

mtrmac

comment created time in 13 hours
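How fixture certificates of this kind can be generated with the longer lifetime, and why the rejected_certs update matters, as an added example that is not c/image's test code (the names newCA, newLeaf and classify are mine). Go's verifier checks the leaf's validity period before it builds a chain, so a rejected-certificate fixture that has merely expired makes the negative test pass for the wrong reason; the classify helper tells the two failures apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const tenYears = 10 * 365 * 24 * time.Hour

// newCA issues a self-signed CA certificate valid from notBefore for lifetime.
func newCA(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate for host, signed by ca.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify verifies leaf for host against one trusted root at time now and
// names the failure, so a test can tell "untrusted issuer" from "expired".
// Go validates the leaf's dates before chain building, so an expired leaf is
// reported as expired even when its issuer is not trusted at all.
func classify(leaf, trusted *x509.Certificate, host string, now time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "untrusted"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	start := time.Now().Add(-time.Hour)
	ca, caKey, err := newCA("fixture CA", start, tenYears)
	if err != nil {
		panic(err)
	}
	leaf, err := newLeaf(ca, caKey, "registry.example.com", start, tenYears)
	if err != nil {
		panic(err)
	}
	other, _, _ := newCA("unrelated CA", start, tenYears)
	fmt.Println(classify(leaf, ca, "registry.example.com", time.Now()))                  // ok
	fmt.Println(classify(leaf, other, "registry.example.com", time.Now()))               // untrusted
	fmt.Println(classify(leaf, ca, "registry.example.com", start.Add(tenYears+time.Hour))) // expired
}
```

A negative fixture should therefore be checked against the "untrusted" outcome explicitly; a test that only asserts "verification failed" keeps passing after the fixture expires, which is exactly the situation the second bullet above avoids.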

push event mtrmac/image

Miloslav Trmač

commit sha 36eb57cf89d4aee693630c3014fb47f73f1636b9

Extend the lifetime of test certificates to 10 years ... so that we don't have to re-generate every year. Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Miloslav Trmač

commit sha 4d44c78ff71802f321cf47b38eec9502f71f6e8b

Regenerate oci/layout fixture certificates Signed-off-by: Miloslav Trmač <mitr@redhat.com>

push time in 13 hours

Pull request review comment containers/image

use DOCKER_CONFIG if set

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}+	if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {+		paths = append(paths,+			authPath{path: filepath.Join(dockerConfig, "config.json"), legacyFormat: false},+		)+	}
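Review bot: this version appends the DOCKER_CONFIG file after whatever is already in `paths`, so the variable only adds a lower-priority candidate rather than redirecting the lookup: credentials found in an earlier path still win over the file the user explicitly pointed at, and `$HOME/.docker/config.json` is still consulted. If Docker-compatible behaviour is the goal, the `filepath.Join(dockerConfig, "config.json")` entry has to take the place of the home-directory `config.json` entry, not sit beside it.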

Looking at https://github.com/projectatomic/docker/blob/master/cliconfig/config.go as well as more recent versions, the DOCKER_CONFIG path replaces the $HOME/.docker, it does not add one more file to check. So this code should do the same thing.

rittneje

comment created time in 14 hours

issue comment containers/skopeo

skopeo ignores DOCKER_CONFIG environment variable

FWIW the --authfile option allows directing Skopeo to use a specific file in a much more direct and transparent way.

rittneje

comment created time in 14 hours
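What a client has to do to honour a config.json like the one in the closed issue above, and the DOCKER_CONFIG lookup debated in the review comments further up, as an added example that is neither c/image's nor Docker's code. The type and function names are mine; the lookup order (a per-registry credHelpers entry, then credsStore, then an inline auths value) and the docker-credential-<name> get protocol are Docker's. runHelper is shown for completeness but not exercised here, since it needs the helper binary on PATH.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// dockerConfig is the subset of config.json that decides where credentials live.
type dockerConfig struct {
	Auths       map[string]dockerAuth `json:"auths"`
	CredsStore  string                `json:"credsStore"`
	CredHelpers map[string]string     `json:"credHelpers"`
}

// dockerAuth carries base64("user:password"); it is empty when a helper owns the secret.
type dockerAuth struct {
	Auth string `json:"auth"`
}

// credSource records where the credentials for one registry come from.
type credSource struct {
	Kind     string // "helper", "inline" or "none"
	Helper   string // suffix of the helper binary: "desktop" means docker-credential-desktop
	Username string
	Password string
}

// dockerConfigPaths mirrors the Docker CLI lookup discussed in the review:
// DOCKER_CONFIG replaces $HOME/.docker as the directory holding config.json,
// while the legacy ~/.dockercfg is still looked up under $HOME regardless.
func dockerConfigPaths(env map[string]string) (configJSON, legacy string) {
	dir := filepath.Join(env["HOME"], ".docker")
	if v := env["DOCKER_CONFIG"]; v != "" {
		dir = v
	}
	return filepath.Join(dir, "config.json"), filepath.Join(env["HOME"], ".dockercfg")
}

// resolveCredSource applies the precedence Docker clients use: a per-registry
// credHelpers entry wins, then the global credsStore, then an inline "auth"
// value. An auths entry with an empty "auth", as in the issue above, only
// records that a login happened; the secret itself is held by the helper.
func resolveCredSource(cfg dockerConfig, registry string) (credSource, error) {
	if h := cfg.CredHelpers[registry]; h != "" {
		return credSource{Kind: "helper", Helper: h}, nil
	}
	if cfg.CredsStore != "" {
		return credSource{Kind: "helper", Helper: cfg.CredsStore}, nil
	}
	a, ok := cfg.Auths[registry]
	if !ok || a.Auth == "" {
		return credSource{Kind: "none"}, nil
	}
	raw, err := base64.StdEncoding.DecodeString(a.Auth)
	if err != nil {
		return credSource{}, fmt.Errorf("auths[%q].auth is not base64: %w", registry, err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return credSource{}, fmt.Errorf("auths[%q].auth is not user:password", registry)
	}
	return credSource{Kind: "inline", Username: parts[0], Password: parts[1]}, nil
}

// runHelper speaks the docker-credential-helpers protocol: the registry goes to
// stdin of "docker-credential-<helper> get" and the reply is JSON on stdout.
// It is not exercised offline; it needs the helper binary on PATH.
func runHelper(helper, registry string) (resp struct{ ServerURL, Username, Secret string }, err error) {
	bin, err := exec.LookPath("docker-credential-" + helper)
	if err != nil {
		return resp, err
	}
	cmd := exec.Command(bin, "get")
	cmd.Stdin = strings.NewReader(registry)
	var out bytes.Buffer
	cmd.Stdout = &out
	if err := cmd.Run(); err != nil {
		return resp, fmt.Errorf("%s get: %w", bin, err)
	}
	return resp, json.Unmarshal(out.Bytes(), &resp)
}

func main() {
	// Constructed input modelled on the config.json quoted in the issue.
	var cfg dockerConfig
	if err := json.Unmarshal([]byte(`{"auths":{"registry.example.com":{}},"credsStore":"desktop"}`), &cfg); err != nil {
		panic(err)
	}
	src, _ := resolveCredSource(cfg, "registry.example.com")
	fmt.Printf("%+v\n", src) // {Kind:helper Helper:desktop Username: Password:}
	cj, legacy := dockerConfigPaths(map[string]string{"HOME": "/home/u", "DOCKER_CONFIG": "/srv/dc"})
	fmt.Println(cj, legacy) // /srv/dc/config.json /home/u/.dockercfg
}
```

The empty `"<private-registry>": {}` entry in the issue is the normal shape when credsStore is in use: the file records only that a login exists, and a tool that reads just the auths map (as the report describes) will correctly find no password there.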

pull request comment containers/image

use DOCKER_CONFIG if set

Thanks for the certificate update — it’s unrelated and urgent, so let’s split it into #1057 so that we can discuss the details of this PR here.

rittneje

comment created time in 14 hours

PR opened containers/image

Regenerate expired certificates

… to fix CI.

Thanks to Jesse Rittner rittneje@gmail.com (@rittneje) for preparing this in #1056.

+24 -24

0 comment

2 changed files

pr created time in 14 hours

create branch mtrmac/image

branch : certificates

created branch time in 14 hours

issue comment containers/podman

Pushing to TLS registry with non-standard port fails

From a Podman / c/image point of view, the thing to check is just running the upstream registry server on 5443. If that works, and the nginx proxy doesn’t, my starting hypothesis would be that the nginx proxy is not implementing the protocol as expected.

jskovjyskebankdk

comment created time in 14 hours

issue comment containers/podman

Pushing to TLS registry with non-standard port fails

The PATCH URL comes directly from a Location header sent by the server, so the server is misconfigured and does not know its own port. The -p 5443:443 might have something to do with it.

jskovjyskebankdk

comment created time in 14 hours
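The check mtrmac suggests, as an added example that is not Podman's or c/image's code: an in-process stand-in for a registry behind a port-rewriting proxy, and a client that starts a blob upload and compares the Location it is handed with the address it actually connected to. The upload endpoint is the standard POST /v2/<name>/blobs/uploads/ of the registry API; the fakeRegistry helper, its behaviour and the hostnames are constructed here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// startUpload performs the first step of a push (POST /v2/<repo>/blobs/uploads/)
// and returns the Location the server wants the following PATCH sent to.
func startUpload(client *http.Client, base, repo string) (*url.URL, error) {
	resp, err := client.Post(base+"/v2/"+repo+"/blobs/uploads/", "", nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusAccepted {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	loc := resp.Header.Get("Location")
	if loc == "" {
		return nil, fmt.Errorf("no Location header in upload response")
	}
	// Location may be absolute or relative; resolve it against the request URL as clients do.
	return resp.Request.URL.Parse(loc)
}

// locationMismatch reports whether the server told us to continue at a different
// host:port than the one we connected to, which is the symptom in the issue.
func locationMismatch(base string, loc *url.URL) (bool, error) {
	b, err := url.Parse(base)
	if err != nil {
		return false, err
	}
	return !strings.EqualFold(b.Host, loc.Host), nil
}

// fakeRegistry simulates a registry that builds Location from the host it
// believes it is serving; advertisedHost != "" models a proxy mapping
// 5443 -> 443 without preserving the client's Host header.
func fakeRegistry(advertisedHost string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/blobs/uploads/") {
			http.NotFound(w, r)
			return
		}
		host := r.Host
		if advertisedHost != "" {
			host = advertisedHost
		}
		w.Header().Set("Location", "http://"+host+r.URL.Path+"uuid-1234")
		w.WriteHeader(http.StatusAccepted)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := fakeRegistry("registry.example.com:443") // what a -p 5443:443 proxy can produce
	defer srv.Close()
	loc, err := startUpload(srv.Client(), srv.URL, "library/alpine")
	if err != nil {
		panic(err)
	}
	mismatch, _ := locationMismatch(srv.URL, loc)
	fmt.Printf("connected to %s, told to PATCH %s, mismatch=%v\n", srv.URL, loc, mismatch)
}
```

Against a real deployment the same probe is `curl -si -X POST https://host:5443/v2/<name>/blobs/uploads/` and reading the Location line; if the port there is not 5443, the fix belongs on the server or proxy side (forwarding the original Host header, or configuring the registry's externally reachable address), not in the client.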

issue comment containers/podman

Pulling container images using unqualified names from local registry

Reopening to see what the parser is doing — and moving to c/image.

fdegir

comment created time in 2 days

pull request comment containers/image

Fix CI in cri-o-release-1.11 branch

A quick drive-by comment: Rather than update formatting to conform to some recent version, it would be cleaner to freeze the Go or gofmt version back to the version at the branching time, to minimize the number of changes on the branch (and indirectly in CRI-O). (OTOH I haven’t checked whether that’s even possible.)

fgiudici

comment created time in 2 days

issue comment containers/skopeo

Network error message is misleading

It should be possible to wrap the io.Reader passed to PutBlob with something that adds a “happened during read:” context (and that would end up in the middle of the final error string), or possibly even wraps it in a marker type that can be detected/unwound to discard all the PutBlob-related error context (“Error writing:”).

joel0

comment created time in 3 days
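The wrapper sketched in the comment above, as an added example that is not c/image's code: SourceReadError is the marker type, markingReader wraps the io.Reader handed to PutBlob, and putBlob stands in for a destination that wraps every failure in its own "Error writing" context. userFacing shows the unwinding step, discarding that destination context when the root cause was a source read. All names are mine, and failingReader is a constructed stand-in for a connection that drops mid-stream.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// SourceReadError marks an error that happened while reading the source stream,
// so that destination-side wrapping can be recognised and peeled off later.
type SourceReadError struct{ Err error }

func (e *SourceReadError) Error() string { return "happened during read: " + e.Err.Error() }
func (e *SourceReadError) Unwrap() error { return e.Err }

// markingReader wraps the io.Reader passed to PutBlob; every read failure comes
// back tagged as a SourceReadError. io.EOF is not a failure and passes through.
type markingReader struct{ r io.Reader }

func (m markingReader) Read(p []byte) (int, error) {
	n, err := m.r.Read(p)
	if err != nil && err != io.EOF {
		return n, &SourceReadError{Err: err}
	}
	return n, err
}

// putBlob stands in for a destination: it copies the stream and wraps any
// failure with its own context, which is what makes the current message misleading.
func putBlob(dst io.Writer, src io.Reader) error {
	if _, err := io.Copy(dst, markingReader{src}); err != nil {
		return fmt.Errorf("Error writing blob: %w", err)
	}
	return nil
}

// userFacing discards the destination context when the root cause was the
// source read, so a network drop on the pull side is not reported as a write error.
func userFacing(err error) string {
	var sre *SourceReadError
	if errors.As(err, &sre) {
		return "Error reading source blob: " + sre.Err.Error()
	}
	return err.Error()
}

// failingReader delivers some bytes and then fails the way a dropped connection does.
type failingReader struct {
	data []byte
	err  error
}

func (f *failingReader) Read(p []byte) (int, error) {
	if len(f.data) == 0 {
		return 0, f.err
	}
	n := copy(p, f.data)
	f.data = f.data[n:]
	return n, nil
}

func main() {
	src := &failingReader{data: []byte("layer bytes"), err: errors.New("connection reset by peer")}
	err := putBlob(&bytes.Buffer{}, src)
	fmt.Println(err)             // Error writing blob: happened during read: connection reset by peer
	fmt.Println(userFacing(err)) // Error reading source blob: connection reset by peer
}
```

Because the marker implements Unwrap, callers that do not know about it still see the full chain through errors.Is/errors.As, and only the presentation layer needs to check for it.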

issue comment containers/podman

Pulling container images using unqualified names from local registry

@fdegir The configuration file is mixing up v1 and v2 syntax; drop all lines before the unqualified-search-registries line.

That will make it work, but the way it fails is surprising to me — I can’t see how we can end up using the v1 search value while using the v2 registries list; AFAICS the code should refuse to work on mixed v1/v2 files completely.

fdegir

comment created time in 7 days

delete branch mtrmac/library-go

delete branch : registries

delete time in 7 days

PR closed openshift/library-go

Add pkg/image/registries.EditRegistriesConfig

Labels: lifecycle/stale, needs-rebase, size/XXL

This code originates from https://github.com/openshift/machine-config-operator/blob/9e770a71b70d52651eb4c26abb0b9eb8d0b1a681/pkg/controller/container-runtime-config/helpers.go#L331 , and at least openshift-controller-manager needs the same code to correctly interpret ImageContentSourcePolicy: https://github.com/openshift/openshift-controller-manager/pull/19 .

ImageStream import/mirror/update code might need the same code to build correct registries.conf to support mirrors, for https://bugzilla.redhat.com/show_bug.cgi?id=1741391 .

https://github.com/openshift/machine-config-operator/pull/1087 validates that this API is usable for machine-config-operator, and the review in there confirms that the openshift-controller-manager code can use it as well.


ImageContentSourcePolicy is supplied by the caller directly, to be fully interpreted by this function; the caller is typically expected to just list the CRD (or, in the case of MCO bootstrap, read it from disk).

The ignored/blocked registries lists are passed as individual parameters instead of using Image.Spec.RegistrySources because MCO modifies the RegistrySources data to remove the cluster’s release ClusterVersionStatus.Desired.Image.


This allows callers to (optionally supply a starting point) and create a /etc/containers/registries.conf configuration based on the ImageContentSourcePolicy CRD and insecure/blocked registries (typically from Image.Spec.RegistrySources).

Currently known users that need this:

  • openshift/machine-config-operator (for nodes’ registries.conf)
  • openshift/openshift-controller-manager (for builds’ registries.conf)

+195280 -115

8 comments

820 changed files

mtrmac

pr closed time in 7 days
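An illustration of the registries.conf shape such a function produces, together with the mixed-syntax refusal mtrmac expects in the unqualified-names comment further up. This is an added example, not openshift's EditRegistriesConfig and not c/image's sysregistriesv2 parser: it builds v2 syntax ([[registry]] tables with nested [[registry.mirror]] tables and the location/insecure/blocked keys) as plain strings rather than through a TOML library, it recognises v1 files by their [registries.search], [registries.insecure] and [registries.block] tables, and the mirrorPolicy type is my stand-in for the ImageContentSourcePolicy plus insecure/blocked lists described above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// mirrorPolicy is the caller-supplied input: an assumed shape standing in for
// ImageContentSourcePolicy plus the separately passed insecure/blocked lists.
type mirrorPolicy struct {
	Mirrors  map[string][]string // source prefix -> mirror locations, tried in order
	Insecure []string            // registry hosts reachable without trusted TLS
	Blocked  []string            // registry hosts that must not be used at all
}

// hostOf returns the registry host of a location such as "mirror.example.com:5000/ns".
func hostOf(location string) string { return strings.SplitN(location, "/", 2)[0] }

// renderRegistriesConf emits v2 syntax only: one [[registry]] table per prefix,
// with mirrors as nested [[registry.mirror]] tables.
func renderRegistriesConf(p mirrorPolicy) string {
	insecure, blocked, prefixes := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, r := range p.Insecure {
		insecure[r], prefixes[r] = true, true
	}
	for _, r := range p.Blocked {
		blocked[r], prefixes[r] = true, true
	}
	for src := range p.Mirrors {
		prefixes[src] = true
	}
	keys := make([]string, 0, len(prefixes))
	for k := range prefixes {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output, so the generated file diffs cleanly

	var b strings.Builder
	for _, prefix := range keys {
		fmt.Fprintf(&b, "[[registry]]\n  location = %q\n", prefix)
		if insecure[hostOf(prefix)] {
			b.WriteString("  insecure = true\n")
		}
		if blocked[hostOf(prefix)] {
			b.WriteString("  blocked = true\n")
		}
		for _, m := range p.Mirrors[prefix] {
			fmt.Fprintf(&b, "\n  [[registry.mirror]]\n    location = %q\n", m)
			if insecure[hostOf(m)] {
				b.WriteString("    insecure = true\n")
			}
		}
		b.WriteString("\n")
	}
	return b.String()
}

// v1Markers are the table headers of the old syntax; v2Markers the keys of the new one.
var (
	v1Markers = []string{"[registries.search]", "[registries.insecure]", "[registries.block]"}
	v2Markers = []string{"unqualified-search-registries", "[[registry]]"}
)

// syntaxVersions reports which syntaxes a file uses, judged on non-comment lines.
func syntaxVersions(conf string) (v1, v2 bool) {
	for _, line := range strings.Split(conf, "\n") {
		t := strings.TrimSpace(line)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		for _, m := range v1Markers {
			v1 = v1 || t == m
		}
		for _, m := range v2Markers {
			v2 = v2 || strings.HasPrefix(t, m)
		}
	}
	return v1, v2
}

// checkNotMixed is the refusal discussed above: a file carrying both
// [registries.*] tables and v2 keys is rejected rather than half-applied.
func checkNotMixed(conf string) error {
	if v1, v2 := syntaxVersions(conf); v1 && v2 {
		return fmt.Errorf("registries.conf mixes v1 and v2 syntax; drop the [registries.*] sections")
	}
	return nil
}

func main() {
	conf := renderRegistriesConf(mirrorPolicy{
		Mirrors:  map[string][]string{"quay.io/openshift-release-dev": {"mirror.example.com:5000/openshift"}},
		Insecure: []string{"mirror.example.com:5000"},
		Blocked:  []string{"docker.io"},
	})
	fmt.Print(conf)
	fmt.Println(checkNotMixed("[registries.search]\nregistries = ['docker.io']\n" + conf))
}
```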

pull request comment openshift/library-go

Add pkg/image/registries.EditRegistriesConfig

The code now lives in https://github.com/openshift/runtime-utils/blob/master/pkg/registries/registries.go .

mtrmac

comment created time in 7 days

pull request comment containers/image

Compare destination image manifest copy optimization/feature

As a very quick guess without actually checking, skipping the copy also skips the opportunity to add a signature via --sign-by. I guess some earlier copy was optimized out, causing the image to not be signed as expected; this error complains about a different signature that does exist; if there were a valid signature, that complaint would not be reported to the user.

gjenkins8

comment created time in 7 days

pull request comment containers/image

Search credentials under XDG_CONFIG_HOME

I think we typically do document search order and the like in the file format man pages. (Otherwise it would have to be documented not only in the login page, but also in pull and push and so on, in every single consumer of c/image, with no way to tell which man page is authoritative if they differed.)

.docker/config.json is a bit different in that this project is not authoritative about the format specification — but mentioning it in the containers-auth.json(5) man page could also be useful.

OTOH with the long-planned move to prioritize credential helpers, we admittedly might need a different place for the primary documentation of the mechanism. I’m not sure what that place would be; registries.conf would not be easy enough to find.

QiWang19

comment created time in 7 days

issue comment openshift/openshift-apiserver

Use openshift/runtime-utils/pkg/registries and containers/image instead local copies

/remove-lifecycle stale

#111 has dropped the copy of containers/image/pkg/sysregistriesv2 (although a very old version is vendored), but the registries subpackage still exists.

mtrmac

comment created time in 7 days

issue comment containers/skopeo

copy.Image manifest mismatch on containerd

Thanks for your report.

This does not ring a bell. I’d suggest first isolating whether this is a bug in the writer or in the reader:

  • read the raw manifest with skopeo inspect --raw and see the data in the manifest
  • skopeo copy docker://… dir:$tmpdir, verify the layer digest, and see its size.
  • If the on-registry contents are already unexpected, maybe try using a dir: destination or a different registry implementation to check whether it might be registry-specific.

carlpett

comment created time in 7 days
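A way to carry out the second step above offline, as an added example that is not skopeo's code: it parses only the layers list that OCI and Docker schema 2 manifests share, streams each blob through sha256, and reports per layer whether the digest and the size match what the manifest claims. The manifest and blob bytes are constructed inline; against a real dir: destination the readers would come from the blobs/sha256/ files.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// descriptor is the common shape of a layer entry in OCI and Docker schema 2 manifests.
type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// layerReport is the outcome of checking one blob against its manifest entry.
type layerReport struct {
	Expected, Actual        descriptor
	Found, DigestOK, SizeOK bool
}

// digestBlob streams a blob and returns its sha256:<hex> digest and byte count,
// the two values the manifest claims for each layer.
func digestBlob(r io.Reader) (string, int64, error) {
	h := sha256.New()
	n, err := io.Copy(h, r)
	if err != nil {
		return "", 0, err
	}
	return "sha256:" + hex.EncodeToString(h.Sum(nil)), n, nil
}

// verifyLayers checks every layer of rawManifest against the blob supplied for
// its digest; a layer with no blob is reported as not found.
func verifyLayers(rawManifest []byte, blobs map[string]io.Reader) ([]layerReport, error) {
	var m manifest
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	reports := make([]layerReport, 0, len(m.Layers))
	for _, l := range m.Layers {
		rep := layerReport{Expected: l}
		if r, ok := blobs[l.Digest]; ok {
			d, n, err := digestBlob(r)
			if err != nil {
				return nil, fmt.Errorf("reading %s: %w", l.Digest, err)
			}
			rep.Found = true
			rep.Actual = descriptor{MediaType: l.MediaType, Digest: d, Size: n}
			rep.DigestOK, rep.SizeOK = d == l.Digest, n == l.Size
		}
		reports = append(reports, rep)
	}
	return reports, nil
}

// allOK is true only if every layer was present with the claimed digest and size.
func allOK(reports []layerReport) bool {
	for _, r := range reports {
		if !r.Found || !r.DigestOK || !r.SizeOK {
			return false
		}
	}
	return true
}

// sampleManifest builds a constructed one-layer OCI manifest for the demo and tests.
func sampleManifest(layerDigest string, layerSize int64) []byte {
	b, _ := json.Marshal(manifest{
		SchemaVersion: 2,
		Config:        descriptor{MediaType: "application/vnd.oci.image.config.v1+json", Digest: "sha256:" + strings.Repeat("0", 64), Size: 2},
		Layers:        []descriptor{{MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", Digest: layerDigest, Size: layerSize}},
	})
	return b
}

func main() {
	blob := "constructed bytes standing in for a compressed layer tarball"
	d, n, _ := digestBlob(strings.NewReader(blob))
	// The manifest claims one byte more than the blob has: the kind of discrepancy to look for.
	reports, err := verifyLayers(sampleManifest(d, n+1), map[string]io.Reader{d: strings.NewReader(blob)})
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%s: digestOK=%v sizeOK=%v (manifest %d, blob %d)\n", r.Expected.Digest, r.DigestOK, r.SizeOK, r.Expected.Size, r.Actual.Size)
	}
	fmt.Println("all OK:", allOK(reports)) // false
}
```

If the digest matches but the size does not, the writer recorded the wrong size; if the digest differs, the bytes on the registry are not the ones the manifest was built from, which points at the upload path rather than the reader.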

Pull request review comment containers/skopeo

include OBS install steps for CentOS

 RHEL/CentOS ≥ 8 or Fedora you can install it using: $ sudo dnf install skopeo ``` +Newer skopeo releases may be available on the repositories provided by the+Kubic project. Beware, these may not be suitable for production environments.++on CentOS 8:++```sh+$ sudo dnf -y module disable container-tools+$ sudo dnf -y install 'dnf-command(copr)'+$ sudo dnf -y copr enable rhcontainerbot/container-selinux+$ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo+$ sudo dnf -y install skopeo+```++on CentOS 8 Stream:++```sh+sudo dnf -y module disable container-tools+sudo dnf -y install 'dnf-command(copr)'+sudo dnf -y copr enable rhcontainerbot/container-selinux+sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo+sudo dnf -y install skopeo+```+ on RHEL/CentOS ≤ 7.x:  ```sh $ sudo yum install skopeo ``` +Newer skopeo releases may be available on the repositories provided by the+Kubic project. Beware, these may not be suitable for production environments.++```sh+$ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo+$ sudo yum -y install podman
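Review bot: the CentOS 8 Stream block drops the `$ ` prompt prefix that the CentOS 8 block above it uses, and the CentOS 7 block ends with `sudo yum -y install podman` in a Skopeo README; make the prompts consistent and install skopeo. The "may not be suitable for production environments" warning would also be more useful if it said what changes on the host: `dnf -y module disable container-tools` switches the system off the distribution's supported container-tools stream, and the `sudo curl -L -o /etc/yum.repos.d/...` lines install a third-party repository definition as root, so packages from it replace the distro's from then on.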

`install podman`?

lsm5

comment created time in 7 days

issue comment containers/skopeo

list-tags ignores mirrors?

The way I’m thinking about mirrors (which may not be the way anyone else thinks, and isn’t documented anywhere), they are not intentionally specifically restricted to pulls (e.g. pushes are not included because it’s much harder / impossible to do across unsynchronized destinations, not because it’s fundamentally not interesting to do).

It might well make sense to implement mirrors for list-tags. OTOH…

Or at least could lead to unexpected results in some configurations. This suggests the situation where mirrors only have a subset of images available.

For pulls, that’s an expected and valuable benefit — but that’s also a good reason not to use mirrors for listing tags.

Also, I’d argue that a skopeo sync by the mirror admin is one of the cases where the user is clearly aware of the mirroring topology, so the user can easily change the skopeo sync command line to read directly from the intended mirror instead of referencing the primary registry and expecting the mirror configuration to apply.

So, on balance I’m leaning towards not changing the current implementation; but there may well be something I’m missing.


I do agree that the documentation should be clarified.

AstraLuma

comment created time in 7 days

pull request comment containers/skopeo

Bump to v1.2.0

ACK, I don’t think there’s any urgent work in progress we need to wait for.

rhatdan

comment created time in 7 days

issue comment containers/image

Error "Manifest does not match provided manifest digest" when using @sha256:digest in docker-daemon

Thanks for your report. You’re right, the original compressed representation can’t be regenerated.

airadier

comment created time in 7 days

pull request comment containers/image

Error message change

#1035 was merged, making this no longer applicable.

ParkerVR

comment created time in 12 days

PR closed containers/image

Error message change

PR Response to https://bugzilla.redhat.com/show_bug.cgi?id=1848150

Minor change to error messages to provide more user-friendly experience

Signed-off-by: Parker Van Roy pvanroy@redhat.com

+2 -2

8 comments

1 changed file

ParkerVR

pr closed time in 12 days

push event containers/image

Qi Wang

commit sha 701023dd1aa1cdb316726496a9cecfd5d0b45c24

Set default rootless sigstore Set default rootless sigstore to ~/.local/share/containers/sigstore if the caller is non-root. Export the func ConfiguredSignatureStorageBase() for Podman image sign implementation. Signed-off-by: Qi Wang <qiwan@redhat.com>

Miloslav Trmač

commit sha 1a0dda734e3bed323a9674e274b379cf841fe8b1

Merge pull request #1035 from QiWang19/sigstore Set default rootless sigstore

push time in 12 days

PR merged containers/image

Set default rootless sigstore

Set default rootless sigstore to ~/.local/share/containers/sigstore if the caller is non-root. Fix rootless podman push --sign-by.

Signed-off-by: Qi Wang qiwan@redhat.com

+117 -76

7 comments

8 changed files

QiWang19

pr closed time in 12 days

issue closed containers/image

Wrong sigstore location on rootless podman push --sign-by

Reproducible with podman v1.8.0, If I want to use my local GPG keys to push signed images:

> podman pull docker.io/alpine
> podman tag docker.io/alpine quay.io/saschagrunert/alpine
> podman push --sign-by sgrunert@suse.com quay.io/saschagrunert/alpine
Error: Error copying image to the remote destination: Error writing signatures: mkdir /var/lib/containers/sigstore: permission denied

I think the issue is that signatureTopLevel returns the wrong path when running rootless: https://github.com/containers/image/blob/143904cdaa199b9f3e0a19e1e2a965df10f1f0f9/docker/lookaside.go#L178-L190

If write == true then ns.SigStoreStaging == "file:///var/lib/containers/sigstore"

closed time in 12 days

saschagrunert
push event containers/skopeo

Alvaro Iradier

commit sha 3c73c0c0cd0f96c537d9c90f9ae9a3ed19f045b0

Add --registry-token flags to support Bearer token authentication Signed-off-by: Alvaro Iradier <airadier@gmail.com>

Alvaro Iradier

commit sha 2d5f12b9a63d12eceb4b190e2ed45eb901114674

Add --registry-token tests to utils_tests.go Signed-off-by: Alvaro Iradier <airadier@gmail.com>

Alvaro Iradier

commit sha 242b573f9aee53155e06d3000918e8222b129d70

Adding periods

Alvaro Iradier

commit sha 467b462b79f98b32a0bcc7490bd295245fca531c

Keep options order in code and add missing bash completions

Miloslav Trmač

commit sha 77293ff9c42a9c8d3db36a6c02fe26c70b232ec9

Merge pull request #1047 from airadier/registry-token-cli-flag Add --registry-token flags to support Bearer token authentication

push time in 12 days

PR merged containers/skopeo

Add --registry-token flags to support Bearer token authentication

This feature https://github.com/containers/image/pull/842 was merged in containers/image to support authentication using a provided Bearer token (example use case: integration with Harbor webhooks).

This PR adds a flag to the skopeo CLI to provide support for the registry Bearer token.

Signed-off-by: Alvaro Iradier airadier@gmail.com

+49 -18

4 comments

8 changed files

airadier

pr closed time in 12 days

Pull request review comment containers/skopeo

Add --registry-token flags to support Bearer token authentication

 _skopeo_list_repository_tags() {      --authfile

Thanks for the other fixes!

airadier

comment created time in 12 days


pull request commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

In the implementation of utils.go, the flag parsing can be done without or with a prefix ("src" or "dest" currently), so I guess that testing flag parsing with prefix "whatever" and then testing the parameters --whatever-registry-token is enough.

Yes, that’s the idea. “whatever” just happens to be spelled dest in the tests.

airadier

comment created time in 12 days

Pull request review commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

 func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPre 	fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon") 	optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)") 	fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously")+	fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
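Review bot: the new `registry-token` flag takes a secret directly on the command line, so its help text should say that the token is then visible to anything that can read the process arguments and point at the `authfile` route as the alternative for non-interactive use; it should also state how the flag relates to `no-creds` and to explicit credentials declared just above it, since the added line gives no hint which one wins when several are supplied.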

Please keep the code in the same order as dockerImageOptions to make the correspondence easier to follow.

airadier

comment created time in 12 days

Pull request review commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

 func TestImageOptionsNewSystemContext(t *testing.T) { 		DockerDaemonHost:                  "daemon-host.example.com", 		DockerDaemonInsecureSkipTLSVerify: true, 		BigFilesTemporaryDir:              "/srv",+		DockerBearerRegistryToken:         "faketoken",

Move this just below DockerAuthConfig.

airadier

comment created time in 12 days

Pull request review commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

 _skopeo_list_repository_tags() {      --authfile

Shouldn’t `skopeo layers’ have the option added as well?

airadier

comment created time in 12 days

Pull request review commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

 func TestImageDestOptionsNewSystemContext(t *testing.T) { 		DockerDaemonInsecureSkipTLSVerify: true, 		DirForceCompress:                  true, 		BigFilesTemporaryDir:              "/srv",+		DockerBearerRegistryToken:         "faketoken",

Move this just below DockerAuthConfig.

airadier

comment created time in 12 days


Pull request review commentcontainers/skopeo

Add --registry-token flags to support Bearer token authentication

 func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) { 	ctx.AuthFilePath = opts.shared.authFilePath 	ctx.DockerDaemonHost = opts.dockerDaemonHost 	ctx.DockerDaemonCertPath = opts.dockerCertPath+	if opts.registryToken.present {+		ctx.DockerBearerRegistryToken = opts.registryToken.value+	}
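Review bot: the `present` check is the right way to distinguish "flag not given" from an empty value, but nothing here rejects contradictory input: a caller can pass both `no-creds` and `registry-token`, and this code silently sets `ctx.DockerBearerRegistryToken` anyway. Return an error from `newSystemContext` when both are present, so the anonymous-access request is not quietly overridden by a token.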

(Here, similarly, it would be a bit easier to follow to have this option after credsOption, the order is already different, let’s not make it worse.)

airadier

comment created time in 12 days


Pull request review commentcontainers/image

Search credentials under XDG_CONFIG_HOME

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}++	var xdgCfgHomePath string+	if xdgCfgHome := os.Getenv("XDG_CONFIG_HOME"); xdgCfgHome != "" {+		xdgCfgHomePath = filepath.Join(xdgCfgHome, xdgRuntimeDirPath)+	} else {+		xdgCfgHomePath = filepath.Join(homedir.Get(), nonLinuxAuthFilePath)+	}
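Review bot: `filepath.Join(xdgCfgHome, xdgRuntimeDirPath)` accepts a relative `XDG_CONFIG_HOME` unchanged, so the credential file would then be looked up relative to the current working directory of whatever process runs this code; the XDG Base Directory specification says a relative value must be treated as invalid and ignored. Add an `if xdgCfgHome != "" && filepath.IsAbs(xdgCfgHome)` guard and fall through to the default path otherwise.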

The same user can already specify --authfile pointing anywhere else (unless the user is somehow able to manipulate the environment of a future su/sudo, but not the command being run… I’m not too worried about that, and setting XDG_RUNTIME_DIR would allow the same attack already).

The suffix is a known constant, we don’t need securejoin to protect against that constant containing ../.

QiWang19

comment created time in 13 days

Pull request review commentcontainers/image

Search credentials under XDG_CONFIG_HOME

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}++	var xdgCfgHomePath string+	if xdgCfgHome := os.Getenv("XDG_CONFIG_HOME"); xdgCfgHome != "" {+		xdgCfgHomePath = filepath.Join(xdgCfgHome, xdgRuntimeDirPath)

Looking at the other comment — this should probably end up as a “get XDG_CONFIG_HOME path” + “append a path relative to XDG_CONFIG_HOME”.

QiWang19

comment created time in 13 days


Pull request review commentcontainers/image

Search credentials under XDG_CONFIG_HOME

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}++	var xdgCfgHomePath string+	if xdgCfgHome := os.Getenv("XDG_CONFIG_HOME"); xdgCfgHome != "" {+		xdgCfgHomePath = filepath.Join(xdgCfgHome, xdgRuntimeDirPath)

Please introduce a new xdgConfigHomePath constant, or maybe somehow rename the old one; don’t just silently reuse it for a different purpose.

QiWang19

comment created time in 13 days

Pull request review commentcontainers/image

Search credentials under XDG_CONFIG_HOME

 func getAuthFilePaths(sys *types.SystemContext) []authPath { 		// Logging the error as a warning instead and moving on to pulling the image 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err) 	}++	var xdgCfgHomePath string+	if xdgCfgHome := os.Getenv("XDG_CONFIG_HOME"); xdgCfgHome != "" {+		xdgCfgHomePath = filepath.Join(xdgCfgHome, xdgRuntimeDirPath)+	} else {+		xdgCfgHomePath = filepath.Join(homedir.Get(), nonLinuxAuthFilePath)

Using a “nonLinux” path on Linux is also confusing — and on non-Linux that path was already added.

(In this context, it’s not a “non-linux” code path; it’s a “following the XDG base dir spec, XDG_CONFIG_HOME is not set so use the spec-defined default” path; i.e. the if/else should conceptually only get the $HOME/.config)

QiWang19

comment created time in 13 days


pull request commentcontainers/image

Set default rootless sigstore

LGTM after dropping the docker/docker_transport.go part, actually.

QiWang19

comment created time in 13 days

Pull request review commentcontainers/image

Set default rootless sigstore

 more general scopes is ignored.  For example, if _any_ configuration exists for `docker.io/library/busybox`, the configuration for `docker.io` is ignored (even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`). +### Built-in Defaults++If default-docker not configured and no matched configuration applied for the container image can be found,

(Maybe something like

If no `docker` section can be found for the container image, and no `default-docker` section is configured

to go from the most-specific to the most general, in the “order of evaluation”)

QiWang19

comment created time in 13 days

Pull request review commentcontainers/image

Set default rootless sigstore

 func (t dockerTransport) ValidatePolicyConfigurationScope(scope string) error { 	return nil } -// dockerReference is an ImageReference for Docker images.+// DockerReference is an ImageReference for Docker images.
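Review bot: only the doc comment is changed in this hunk; the `dockerReference` type it documents is not renamed here, so after this change the comment no longer starts with the name of the declaration it belongs to (the convention `golint` checks). Either rename the type consistently across the file or leave the comment as it was.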

This should probably be dropped.

QiWang19

comment created time in 13 days

Pull request review commentcontainers/image

Set default rootless sigstore

 func (s *dockerImageSource) GetSignatures(ctx context.Context, instanceDigest *d 		return nil, err 	} 	switch {-	case s.c.signatureBase != nil:-		return s.getSignaturesFromLookaside(ctx, instanceDigest) 	case s.c.supportsSignatures: 		return s.getSignaturesFromAPIExtension(ctx, instanceDigest)+	case s.c.signatureBase != nil:+		return s.getSignaturesFromLookaside(ctx, instanceDigest) 	default:-		return [][]byte{}, nil+		return [][]byte{}, errors.Errorf("Internal error: X-Registry-Supports-Signatures extension not supported, and lookaside should not be empty configuration")
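Review bot: swapping the two `case` arms changes precedence, not only the `default` branch: a registry advertising `X-Registry-Supports-Signatures` now takes priority over a configured lookaside, where previously the lookaside was consulted first whenever `signatureBase` was set. If that is intended, say so in the commit message and in the documentation describing where signatures are read from; if not, keep the original order and only tighten the `default` arm.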

(This can be return nil, errors.Errorf(…))

QiWang19

comment created time in 13 days


push eventcontainers/image

Brandon Lum

commit sha 5018157ba8a478a6c8e2248c746137f6636d75f3

Update copier/imagecopier to fix race Signed-off-by: Brandon Lum <lumjjb@gmail.com>


Miloslav Trmač

commit sha a1e2b3535b902624d25de3a4604f8cad343e44cf

Merge pull request #1047 from lumjjb/encstruct_fix Update copier/imagecopier to fix race


push time in 14 days

PR merged containers/image

Update copier/imagecopier to fix race

Addressing https://github.com/containers/image/issues/999

Signed-off-by: Brandon Lum lumjjb@gmail.com

+6 -10

0 comment

1 changed file

lumjjb

pr closed time in 14 days


issue commentcontainers/podman

podman image digest showing incorrect value in some cases

No, that doesn’t immediately look expected.

(… but it’s close :) The Docker archive format does not have manifests, so it also does not have manifest digests. (c/image manufactures an in-memory manifest for “obscure internal reasons”.) So, it would not be surprising that (podman save + podman load on a different machine with no images) does not preserve the digest.)

The Docker archive format does, though, preserve schema2 (only) configs, so I would expect the image ID to be the same, and thus deduplicated on podman load on this reproducer where the original image remains in storage. And it is rather surprising to me that podman inspect of the same image with a different way to reference it leads to a different Digest value.

I have reproduced this, and verified that the image ID ({{.Id}} for both lines is the same), but from a very quick look at the code, the .Digest value available to image inspect comes straight from c/storage, so both ways to find it should AFAICS be copies of the same data and contain the same values.

dustymabe

comment created time in 14 days

issue commentcontainers/podman

podman save capability to remove signatures

Currently it might be possible to use podman push --remove-signatures podman save -o $image@sha256:… docker-archive:test.tar (probably losing some functionality like the ability to add extra tags); I didn’t try in practice.

I agree adding --remove-signatures to podman save makes some sense. (To an extent, arguably it should be the default for Podman because podman pull, in general, breaks signatures of the typical compressed images, so pushing the pre-existing signatures is rarely useful. OTOH I’m not sure it always breaks signatures, it might be possible to construct a workflow with uncompressed images without registries or something like that, and always using --remove-signatures would break that.)

jdockter

comment created time in 14 days

delete branch mtrmac/image

delete branch : release-5.6.0

delete time in 14 days

pull request commentcontainers/podman

image list: return all associated names

RepoTags is part of the entities return type where we have full control over. We can change the name to better reflect the semantics (and also document the fields) in the future.

AFAICT it is visible in the JSON output of podman images, but I may well have overlooked something; I didn’t read the code end-to-end.

Either way, displaying unexpected digests is better than not displaying anything at all, so this is clearly an improvement.

vrothberg

comment created time in 14 days


issue commentcontainers/skopeo

Different Digest than source registry with skopeo copy to local directory

Thanks for your report.

The image is a multi-architecture image, and skopeo copy by default copies only the image for the current architecture. Recent versions of Skopeo provide skopeo copy --all to copy the full multi-architecture image; that should preserve the digest (as long as the destination registry supports the format).

fjcloud

comment created time in 15 days

push eventcontainers/image

Daniel J Walsh

commit sha 33bcba75bb181318608f989e18e086f0d83d254c

Fix problems found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>


Miloslav Trmač

commit sha f7f591ea7ccfe8b45b16a4065782f82acf3b29a4

Merge pull request #1045 from rhatdan/codespell Fix problems found by codespell


push time in 15 days

PR merged containers/image

Fix problems found by codespell

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

+56 -56

1 comment

35 changed files

rhatdan

pr closed time in 15 days

issue commentcontainers/image

Re-review encryption and/or concurrency-safety in the copy pipeline

My initial guess is that the fields should be initialized in copier when creating it, and not present in imageCopier at all.

This issue also serves as a more general reminder to check what else I should have paid attention to — and to document how it should work for future contributors.

mtrmac

comment created time in 15 days
