[CI:DOCS] podman machine: enforce a single search registry #11498
I think this should be done via the ignition file, https://github.com/containers/podman/blob/main/pkg/machine/ignition.go
Also is it possible to only do this iff the machine is set in enforcing mode?
Good idea!
Via ignition, I am absolutely not sure. But even via SSH it'll be tough since the short-name mode is not exposed in
Now done via ignition
@containers/podman-maintainers @mtrmac PTAL
I know nothing about Ignition, so cannot comment.
@miabbott PTAL
The code LGTM.
Why the CI:DOCS? (I don’t care very much at all what policy Podman chooses for testing incoming PRs; I find it very irritating to see it routinely bypassed. Should this be fully tested? If this is intentional and consistent with the project’s policy, it would be nice to update CONTRIBUTING.md to match.)
I can’t be bothered to read, it seems:
I apologize.
Should
Ignition does not have a native way of reacting to a configured state or even a configuration included in an Ignition config. https://coreos.github.io/ignition/rationale/#ignition-configs-are-declarative
If you wanted a change to only be applied when SELinux is enforcing, you'd have to write a systemd unit that can detect the condition and apply the change.
Ok let's go with this solution for now, and then modify it once we have prompting capabilities.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Enforce "docker.io" to be the only search registry. Short-name resolution for remote clients is not fully supported since there is no means to prompt. Enforcing a single registry works around the problem since prompting only fires with more than one search registry.
Fixes: containers#11489
Signed-off-by: Valentin Rothberg <[email protected]>

By popular request, turn decimals to octal. Most eyes are trained to parse file permissions in octal.
[NO TESTS NEEDED] since machine isn't tested yet.
Signed-off-by: Valentin Rothberg <[email protected]>
2e8fe08 to 5bf2201
Updated. PTanotherL. I'll be on PTO next week. In case this PR is still open and more requests fly in, feel free to kick it over the finish line.
/lgtm
/hold cancel
Enforce "docker.io" to be the only search registry. Short-name
resolution for remote clients is not fully supported since there is no
means to prompt. Enforcing a single registry works around the problem
since prompting only fires with more than one search registry.
Fixes: #11489
Signed-off-by: Valentin Rothberg [email protected]
CI:DOCS since machine isn't yet tested in CI.
/hold
... to make sure everyone's on board.