image sign using per user registries.d #7357
Conversation
@QiWang19 Rebase and you should be able to pass the tests. |
e1bc559 to 54bf987
d7f9355 to b508366
LGTM
e2703b0 to 725bb9b
@mtrmac @vrothberg PTAL
I really want a head nod from @mtrmac. I may very well miss details/side effects I may not be aware of.
@@ -38,7 +40,7 @@ Sign the busybox image with the identify of [email protected] with a user's keyring an | |||
## RELATED CONFIGURATION | |||
|
|||
The write (and read) location for signatures is defined in YAML-based | |||
configuration files in /etc/containers/registries.d/. When you sign | |||
configuration files in /etc/containers/registries.d/ for root user, or $HOME/.config/containers/registries.d for non-root user. When you sign |
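Review bot: the added RELATED CONFIGURATION line describes the choice of registries.d directory by user identity ("for root user" vs. "for non-root user"), while the DESCRIPTION text elsewhere in this PR says the per-user `$HOME/.config/containers/registries.d` is consulted if it exists and `/etc/containers/registries.d` otherwise; pick one rule and state it in both places. Grammar-wise the line should also read "for root, or $HOME/.config/containers/registries.d for non-root users".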
configuration files in /etc/containers/registries.d/ for root user, or $HOME/.config/containers/registries.d for non-root user. When you sign | |
configuration files in /etc/containers/registries.d/ for root, or $HOME/.config/containers/registries.d for non-root users. When you sign |
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory. | ||
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists, otherwise `/etc/containers/registries.d` (unless overridden at compile-time), see **containers-registries.d(5)** for more information. | ||
By default, the signature will be written into `/var/lib/containers/sigstore` from `/etc/containers/registries.d/default.yaml`, if the rootless user has no privilege to write the signature, the YAML format files | ||
under `$HOME/.config/containers/registries.d` can be configured, otherwise, `$HOME/.local/share/containers/sigstore` will be used. |
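Review bot: the two added sentences give two different selection rules. The first says `$HOME/.config/containers/registries.d` is used "if exists" (an existence test, and it should read "if it exists"); the second says the per-user YAML files are configured "if the rootless user has no privilege to write the signature", which describes a permission check the text does not otherwise support. State a single rule, i.e. the per-user directory is used when it exists, otherwise `/etc/containers/registries.d`, and describe `$HOME/.local/share/containers/sigstore` as the rootless default rather than as a fallback triggered by a privilege failure.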
The comment doesn't seem to match the code. We don't seem to check for permissions but use the rootless paths if they exist even for root.
I’d prefer for this to be merged only after or together with containers/image#1035 to make sure the two are consistent.
Right now, the code LGTM, though the documentation does not match the code and needs updating.
The path lookup logic is complex enough that it probably makes sense to export `c/image/docker.configuredSignatureStorageBase` (with a better name) now, and use it here instead of maintaining a second copy of the code. (While overall we do want readers/writers to use the c/image API to access signatures instead of raw access, this has clearly not stopped `podman sign`, and modifying `podman sign` to use a `c/image/docker` `ImageDestination` would now incompatibly introduce a requirement to be able to connect to the registry.)
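The lookup order discussed in this thread, written out as an added example (this is not podman or containers/image code): an explicit root override wins, then the per-user registries.d directory if it exists, then the system directory; the default sigstore location is likewise chosen by whether the process is rootless. The function names `RegistriesDirPath` and `DefaultSigstoreDir`, the injected `exists` predicate and passing the home directory as a parameter are assumptions made so the logic can be exercised without touching the real filesystem. Note that the per-user choice is existence-based, not permission-based: a root user with a populated `~/.config/containers/registries.d` also gets the per-user directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Constructed example mirroring the lookup order described in the PR; not
// the project's own code. The two locations are kept as commented top-level
// constants so both defaults are documented in one place.
const (
	// systemRegistriesDirPath is the system-wide registries.d directory.
	systemRegistriesDirPath = "/etc/containers/registries.d"
	// userRegistriesDir is the per-user registries.d directory, relative to $HOME.
	userRegistriesDir = ".config/containers/registries.d"
	// systemSigstoreDir is the default signature store for root.
	systemSigstoreDir = "/var/lib/containers/sigstore"
	// userSigstoreDir is the default signature store for rootless users, relative to $HOME.
	userSigstoreDir = ".local/share/containers/sigstore"
)

// dirExists reports whether p is an existing directory (real-filesystem predicate).
func dirExists(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.IsDir()
}

// RegistriesDirPath returns the registries.d directory to read.
// rootOverride models sys.RootForImplicitAbsolutePaths (assumption: passed
// explicitly); homeDir is the caller's home directory; exists is the
// directory-existence predicate, injected so tests need no real paths.
// Selection is by existence only, never by whether the caller can write there.
func RegistriesDirPath(rootOverride, homeDir string, exists func(string) bool) string {
	if rootOverride != "" {
		return filepath.Join(rootOverride, systemRegistriesDirPath)
	}
	if homeDir != "" {
		userDir := filepath.Join(homeDir, filepath.FromSlash(userRegistriesDir))
		if exists(userDir) {
			return userDir
		}
	}
	return systemRegistriesDirPath
}

// DefaultSigstoreDir returns the built-in default signature directory used
// when no registries.d entry names a sigstore: the system path for root, the
// per-user path for rootless callers with a known home directory.
func DefaultSigstoreDir(homeDir string, rootless bool) string {
	if rootless && homeDir != "" {
		return filepath.Join(homeDir, filepath.FromSlash(userSigstoreDir))
	}
	return systemSigstoreDir
}

func main() {
	home, _ := os.UserHomeDir()
	rootless := os.Geteuid() != 0
	fmt.Println("registries.d:", RegistriesDirPath("", home, dirExists))
	fmt.Println("default sigstore:", DefaultSigstoreDir(home, rootless))
}
```

Running the block as a normal user prints the per-user registries.d path only if that directory already exists; creating it is enough to switch the lookup, which is the behaviour the review comment above flags for root as well.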
pkg/trust/trust.go
Outdated
if sys.RootForImplicitAbsolutePaths != "" { | ||
return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath) | ||
} | ||
userRegistriesDir := filepath.FromSlash(".config/containers/registries.d") |
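Review bot: `userRegistriesDir` is built inline from the string literal `".config/containers/registries.d"` while the system location two lines above is referenced through the named `systemRegistriesDirPath`; hoist the per-user relative path into a top-level commented variable next to the other path constants so both defaults are declared and documented in one place rather than one of them living inside the function body.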
Should these two be top-level commented variables like the others?
pkg/domain/infra/abi/images.go
Outdated
if rootless.IsRootless() { | ||
sigStoreURI = trust.RootlessSignatureStoreURL() | ||
} else { | ||
sigStoreURI = trust.DefaultSignatureStoreURL() |
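Review bot: the branch selects between `trust.RootlessSignatureStoreURL()` and `trust.DefaultSignatureStoreURL()`, producing a URL that then has to be converted back to a local path even though both defaults are plain directories; return the directory paths directly here and keep the URI-to-path conversion only for the case where the location actually comes from a registries.d entry (the `registryInfo != nil` branch), so the default path never round-trips through URL parsing.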
Dealing with URLs here seems to be an unnecessary complication; move the `localPathFromURI` call to the `registryInfo != nil` case, and this can just work with the `sigStoreDir` path.
589485c to ef0f44a
A friendly reminder that this PR had no activity for 30 days.
@QiWang19 This needs a rebase. Is this still being worked on?
@rhatdan still being worked on, waiting to get this commit from c/image containers/image@1a0dda7
@QiWang19 you should have the containers/image PR in podman now.
a5236b6 to 6103c23
6103c23 to c3831ee
@mtrmac @vrothberg PTAL
@mtrmac PTAL
c3831ee to 6af2958
@containers/podman-maintainers PTAL
@@ -9,7 +9,9 @@ podman-image-sign - Create a signature for an image | |||
## DESCRIPTION | |||
**podman image sign** will create a local signature for one or more local images that have | |||
been pulled from a registry. The signature will be written to a directory | |||
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory. | |||
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists, |
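Review bot: "if exists" in the added DESCRIPTION line should read "if it exists"; also consider stating what "exists" means here (the directory being present, regardless of whether it contains any YAML files), since that is the condition that switches the lookup away from `/etc/containers/registries.d`.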
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists, | |
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if it exists, |
@@ -9,7 +9,9 @@ podman-image-sign - Create a signature for an image | |||
## DESCRIPTION | |||
**podman image sign** will create a local signature for one or more local images that have | |||
been pulled from a registry. The signature will be written to a directory | |||
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory. | |||
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists, | |||
otherwise `/etc/containers/registries.d` (unless overridden at compile-time), see **containers-registries.d(5)** for more information. |
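Review bot: the new sentence points readers at **containers-registries.d(5)** for the lookup rules, but the man page's SEE ALSO section is not shown as updated in this PR; add `containers-registries.d(5)` there as well so the cross-reference is discoverable from the bottom of the page and stays consistent with the spelling used in the DESCRIPTION.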
looks like we don't list `containers-registries-d(5)` at the bottom of this man page and I think we should.
6af2958 to beff3f0
These code changes LGTM.
To be consistent, though, I think this PR should also update `getPolicyShowOutput`, the other user of `trust.LoadAndMergeConfig` + `trust.HaveMatchRegistry` (and then delete them), so that that function also correctly shows the new built-in default paths.
A downside to that is that that function will now always show a sigstore, even for X-R-S-S registries (and there isn’t a way to tell whether a registry supports X-R-S-S without connecting to it), but that’s probably better than not showing a default sigstore path that would get used.
pkg/domain/infra/abi/images.go
Outdated
if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references | ||
return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String()) | ||
} | ||
sigStoreDir = filepath.Join(options.Directory, repo) | ||
} | ||
if sigStoreDir == "" { |
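Review bot: `if sigStoreDir == ""` immediately follows the block that assigns `sigStoreDir` in the `options.Directory` branch, so it is only ever true when that branch was not taken; make it the `else` of the preceding `if` so the two paths are visibly exclusive and a future assignment in the first branch cannot accidentally fall through into the default-directory lookup. The `path.Clean(repo) != repo` guard before the join is the right check to keep, since it rejects any `.`/`..` component before it can steer the signature write outside the configured directory.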
Non-blocking: This can just be an `else`.
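The directory guard shown in the hunk above, as an added example (this is not podman code): a repository string is joined onto the sigstore base directory only if `path.Clean` leaves it unchanged, so `..`, `.` or doubled separators are rejected before they can redirect the write. The function name `SigstoreDirFor`, the base directory and the sample repository strings are constructed for this illustration; in a valid Docker reference such components cannot occur, so a mismatch means the input was never a reference.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
)

// SigstoreDirFor returns the directory under baseDir in which signatures for
// repo are stored. repo is expected to be the repository part of a Docker
// reference (e.g. "docker.io/library/busybox"). Constructed example; the
// check mirrors the hunk's path.Clean comparison, the name is an assumption.
func SigstoreDirFor(baseDir, repo string) (string, error) {
	if repo == "" {
		return "", errors.New("empty repository for signature storage")
	}
	// Valid references never contain "." or ".." elements or empty segments,
	// so a cleaned form that differs from the input is rejected outright
	// rather than silently normalised into a different directory.
	if path.Clean(repo) != repo {
		return "", fmt.Errorf("unexpected path elements in Docker reference %q for signature storage", repo)
	}
	return filepath.Join(baseDir, repo), nil
}

func main() {
	base := "/var/lib/containers/sigstore" // constructed base directory
	for _, repo := range []string{
		"docker.io/library/busybox", // valid
		"docker.io/../etc",          // traversal attempt
		"docker.io//library/busybox", // empty segment
		"./docker.io/busybox",        // leading "."
	} {
		dir, err := SigstoreDirFor(base, repo)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", repo, err)
			continue
		}
		fmt.Printf("%-28s -> %s\n", repo, dir)
	}
}
```

Because the check compares the cleaned string with the original rather than just cleaning it, a hostile or malformed repository name is reported instead of being quietly mapped onto a sibling directory such as `/var/lib/containers/sigstore/etc`.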
replace the above with
Ouch… no. There is one case that works ( a
The last one is essentially unfixable given the current
LGTM.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: mtrmac, QiWang19, rhatdan
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
beff3f0 to 6056ec5
Changes LGTM, @QiWang19 needs a rebase though
Support per user ~/.config/containers/registries.d to allow rootless image sign configurations. Signed-off-by: Qi Wang <[email protected]>
6056ec5 to cf8f234
Needs lgtm label.
/lgtm @mheon should we hold for the github-check failure?
We can't do anything about the RDO check, but it's not a blocking failure, we can merge without it.