From 9c6b865fb8e7efea684d18362377321e445203dd Mon Sep 17 00:00:00 2001
From: Gianluca Zuccarelli
Date: Tue, 3 Sep 2024 12:45:43 +0100
Subject: [PATCH] bib: disable `--tls-verify` flag

Since all containers are coming from local storage and require the user to pull in the container before-hand, we can disable the `--tls-verify` flag. The containers will not be resolved from a remote registry but rather from the local container store.
---
 README.md | 2 --
 bib/cmd/bootc-image-builder/image.go | 17 ++++++-----------
 bib/cmd/bootc-image-builder/main.go | 7 ++++---
 test/test_opts.py | 27 ---------------------------
 4 files changed, 10 insertions(+), 43 deletions(-)

diff --git a/README.md b/README.md
index 0b42e593..3957bf4b 100644
--- a/README.md
+++ b/README.md
@@ -126,7 +126,6 @@ Usage:
 Flags:
 --chown string chown the ouput directory to match the specified UID:GID
- --tls-verify require HTTPS and verify certificates when contacting registries (default true)
 --type string image type to build [qcow2, ami] (default "qcow2")
 --target-arch string architecture to build image for (default is the native architecture)
 ```
@@ -137,7 +136,6 @@ Flags:
 |-------------------|-----------------------------------------------------------------------------------------------------------|:-------------:|
 | **--chown** | chown the output directory to match the specified UID:GID | ❌ |
 | **--rootfs** | Root filesystem type. Overrides the default from the source container. Supported values: ext4, xfs, btrfs | ❌ |
-| **--tls-verify** | Require HTTPS and verify certificates when contacting registries | `true` |
 | **--type** | [Image type](#-image-types) to build | `qcow2` |
 | **--target-arch** | [Target arch](#-target-architecture) to build | ❌ |
diff --git a/bib/cmd/bootc-image-builder/image.go b/bib/cmd/bootc-image-builder/image.go
index d4091448..4b35f43b 100644
--- a/bib/cmd/bootc-image-builder/image.go
+++ b/bib/cmd/bootc-image-builder/image.go
@@ -47,9 +47,6 @@ type ManifestConfig struct {
 // CPU architecture of the image
 Architecture arch.Arch
- // TLSVerify specifies whether HTTPS and a valid TLS certificate are required
- TLSVerify bool
-
 // The minimum size required for the root fs in order to fit the container
 // contents
 RootfsMinsize uint64
@@ -316,10 +313,9 @@ func manifestForDiskImage(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest
 return nil, fmt.Errorf("pipeline: no base image defined")
 }
 containerSource := container.SourceSpec{
- Source: c.Imgref,
- Name: c.Imgref,
- TLSVerify: &c.TLSVerify,
- Local: true,
+ Source: c.Imgref,
+ Name: c.Imgref,
+ Local: true,
 }
 var customizations *blueprint.Customizations
@@ -432,10 +428,9 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro
 }
 containerSource := container.SourceSpec{
- Source: c.Imgref,
- Name: c.Imgref,
- TLSVerify: &c.TLSVerify,
- Local: true,
+ Source: c.Imgref,
+ Name: c.Imgref,
+ Local: true,
 }
 // The ref is not needed and will be removed from the ctor later
diff --git a/bib/cmd/bootc-image-builder/main.go b/bib/cmd/bootc-image-builder/main.go
index b8b722c1..af94fe81 100644
--- a/bib/cmd/bootc-image-builder/main.go
+++ b/bib/cmd/bootc-image-builder/main.go
@@ -179,7 +179,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string) ([]byte, *mTLSConfig,
 imgTypes, _ := cmd.Flags().GetStringArray("type")
 rpmCacheRoot, _ := cmd.Flags().GetString("rpmmd")
 targetArch, _ := cmd.Flags().GetString("target-arch")
- tlsVerify, _ := cmd.Flags().GetBool("tls-verify")
 rootFs, _ := cmd.Flags().GetString("rootfs")
 // If --local was given, warn in the case of --local or --local=true (true is the default), error in the case of --local=false
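Review bot: Dropping `TLSVerify` from the `container.SourceSpec` literal in manifestForDiskImage leaves that field at its zero value, and nothing in the hunk shows how the resolver treats an unset `TLSVerify` when `Local` is true; the commit relies on local sources never contacting a registry, which is presumably right but is not recorded next to the literal. A comment such as `// TLSVerify is intentionally unset: Local sources are read from container storage and no registry is contacted` on the `containerSource` literal would keep that invariant visible to the next person who touches this code. The same applies to the identical literal in the manifestForISO hunk below. manifestForDiskImage starts and ends outside the hunk.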
@@ -286,7 +285,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string) ([]byte, *mTLSConfig,
 Config: config,
 ImageTypes: imageTypes,
 Imgref: imgref,
- TLSVerify: tlsVerify,
 RootfsMinsize: cntSize * containerSizeToDiskSizeMultiplier,
 DistroDefPaths: distroDefPaths,
 SourceInfo: sourceinfo,
@@ -574,7 +572,10 @@ func buildCobraCmdline() (*cobra.Command, error) {
 rootCmd.AddCommand(versionCmd)
 rootCmd.AddCommand(manifestCmd)
- manifestCmd.Flags().Bool("tls-verify", true, "require HTTPS and verify certificates when contacting registries")
+ manifestCmd.Flags().Bool("tls-verify", false, "DEPRECATED: require HTTPS and verify certificates when contacting registries")
+ if err := manifestCmd.Flags().MarkHidden("tls-verify"); err != nil {
+ return nil, fmt.Errorf("cannot hide 'tls-verify' :%w", err)
+ }
 manifestCmd.Flags().String("rpmmd", "/rpmmd", "rpm metadata cache directory")
 manifestCmd.Flags().String("target-arch", "", "build for the given target architecture (experimental)")
 manifestCmd.Flags().StringArray("type", []string{"qcow2"}, fmt.Sprintf("image types to build [%s]", imagetypes.Available()))
diff --git a/test/test_opts.py b/test/test_opts.py
index 68b5cf8b..57f059b8 100644
--- a/test/test_opts.py
+++ b/test/test_opts.py
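Review bot: With the `GetBool("tls-verify")` read removed in the hunk at line 179, the flag registered in buildCobraCmdline is parsed but never consulted, so a caller passing `--tls-verify=true` gets no indication that certificate verification is no longer something this tool controls; pflag's `MarkDeprecated` both hides the flag and prints a message whenever it is used, which fits this case better than `MarkHidden`. Replacing the added `MarkHidden` line with `if err := manifestCmd.Flags().MarkDeprecated("tls-verify", "containers are always resolved from local container storage; this flag is ignored"); err != nil {` and adjusting the error text accordingly would make the silent no-op visible, in the same spirit as the `--local` warning in the earlier hunk. The usage string would also read better as `"DEPRECATED: ignored, containers are resolved from local storage"` since the flag no longer requires anything. Separately, the error format `"cannot hide 'tls-verify' :%w"` has the space on the wrong side of the colon. buildCobraCmdline starts and ends outside the hunk.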
@@ -76,33 +76,6 @@ def test_opts_arch_is_same_arch_is_fine(tmp_path, build_fake_container, target_a
 assert expected_err in res.stderr
-@pytest.mark.parametrize("tls_opt,expected_cmdline", [
- ([], "--tls-verify=true"),
- (["--tls-verify"], "--tls-verify=true"),
- (["--tls-verify=true"], "--tls-verify=true"),
- (["--tls-verify=false"], "--tls-verify=false"),
- (["--tls-verify=0"], "--tls-verify=false"),
-])
-def test_bib_tls_opts(tmp_path, container_storage, build_fake_container, tls_opt, expected_cmdline):
- output_path = tmp_path / "output"
- output_path.mkdir(exist_ok=True)
-
- container_ref = "quay.io/centos-bootc/centos-bootc:stream9"
- testutil.pull_container(container_ref)
-
- subprocess.check_call([
- "podman", "run", "--rm",
- "--privileged",
- "--security-opt", "label=type:unconfined_t",
- "-v", f"{container_storage}:/var/lib/containers/storage",
- "-v", f"{output_path}:/output",
- build_fake_container,
- container_ref,
- ] + tls_opt)
- podman_log = output_path / "podman.log"
- assert expected_cmdline in podman_log.read_text()
-
-
 @pytest.mark.parametrize("with_debug", [False, True])
 def test_bib_log_level_smoke(tmp_path, container_storage, build_fake_container, with_debug):
 output_path = tmp_path / "output"