Add --insecure flag to podman manifest inspect for Docker compatibility #15359
Conversation
openshift-ci
bot
added
do-not-merge/release-note-label-needed
test/system/012-manifest.bats
Outdated
|
|
||
| run_podman manifest create --insecure test:1.0 | ||
| run_podman images --format '{{.ID}}' --no-trunc | ||
| [[ "$output" == *"sha256:$iid"* ]] |
There was a problem hiding this comment.
Aaaaaaaahhhhhh! Evil! I must never have reviewed the initial commit. Please fix this to
assert "$output" =~ "sha256:$iid" "Original image ID still shown in podman-images output"
test/system/012-manifest.bats
Outdated
|
|
||
| run_podman manifest create test:1.0 | ||
| run_podman manifest inspect --insecure $output | ||
| is "$output" ".*\"mediaType\": \"application/vnd.docker.distribution.manifest.list.v2+json\"" "Original image ID still shown in podman-images output" |
There was a problem hiding this comment.
Nice addition, but comment ("Original image ID...") is misleading. Probably not worth the CI cost to re-push, but if you do, could you also add a comment something like "# --insecure is a NOP, we use it here just to make sure podman accepts it"
pkg/domain/infra/tunnel/manifest.go
Outdated
| @@ -33,8 +33,17 @@ func (ir *ImageEngine) ManifestExists(ctx context.Context, name string) (*entiti | |||
| } | |||
|
|
|||
| // ManifestInspect returns contents of manifest list with given name | |||
| func (ir *ImageEngine) ManifestInspect(_ context.Context, name string) ([]byte, error) { | |||
| list, err := manifests.Inspect(ir.ClientCtx, name, nil) | |||
| func (ir *ImageEngine) ManifestInspect(ctx context.Context, name string, opts entities.ImageSearchOptions) ([]byte, error) { | |||
There was a problem hiding this comment.
Why is this reusing a different method's options structure instead of rolling its own, as most of the others in this file that take options structures do?
test/system/012-manifest.bats
Outdated
| iid=$output | ||
|
|
||
| run_podman manifest create test:1.0 | ||
| run_podman manifest inspect --insecure $output |
There was a problem hiding this comment.
$output looks like it'll be the local manifest's ID, which I wouldn't expect us to ask a registry about. Is this testing the right thing?
There was a problem hiding this comment.
I was just checking that --insecure option would work, not testing against an insecure registry. Do we have an insecure registry to test against?
There was a problem hiding this comment.
The podman login tests fire up a registry container with TLS configured. If we did that here, so long as the client isn't configured to trust the CA certificate (HTTPS, but not verifiable), or there is no certificate (plain old HTTP), a client will have to have a working --insecure flag in order to be able to talk to it at all. But we'd have to be looking for an image using a name rather than an ID.
|
A friendly reminder that this PR had no activity for 30 days. |
rhatdan
force-pushed
the
manifest
branch
2 times, most recently
from
51a77d5 to
0bf64b1
Compare
github-actions
bot
added
the
kind/api-change
rhatdan
force-pushed
the
manifest
branch
5 times, most recently
from
798a420 to
adc69a8
Compare
|
@containers/podman-maintainers PTAL |
|
@vrothberg @mheon @edsantiago PTAL |
There was a problem hiding this comment.
Ugh, looks like I need to write a new CI check. For now, can you please:
git rm docs/source/markdown/podman-manifest-instpect.1.md- manually add
podman-manifest-inspect.1.mdto the filedocs/source/markdown/.gitignore(preferably in sorted order) - re-push
Otherwise LGTM, although all I reviewed was docs & tests.
--insecure and --verbose flags for docker compatibility --tls-verify for syntax compatibility and allow users to inspect manifests at remote Container Registiries without requiring tls. Helps fix: containers#14917 Signed-off-by: Daniel J Walsh <[email protected]>
|
CI is finally green (lots o' flakes). LGTM but this needs more approval than just mine. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: edsantiago, rhatdan, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
github-actions
bot
added
the
locked - please file new issue/PR
Helps fix: #14917
Signed-off-by: Daniel J Walsh [email protected]
Does this PR introduce a user-facing change?